Virtual Dave
For When You Can't Have The Real Thing
FortiOS > 5.6
DH Selection For IPsec VPNs
Created by dave. Last edited by dave, 222 days ago. Viewed 1,292 times. #5
(2019-03-13)
Problem
What are the recommended settings for IPsec VPNs?
Updated 25 April 2023
IKE:
In general IKEv1 is still acceptable, unless you're dealing with a Cisco ASA, which as of 2020 will only do SHA-1 in IKEv1.
DH Group:
ideal is DH-19 or DH-20
minimum for reasonable security is DH-16; going below that is not recommended
groups 1, 2, 5, 22, 23, and 24 are considered notably (and perhaps unexpectedly) weak.
Algorithms:
use AES-256 (or higher) with SHA-384 (or higher)
Always avoid DES
Avoid 3DES and/or MD5 if at all possible
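As a practical check on these rules, here is an added Python script (not from the original page) that reads a constructed FortiOS `phase1-interface` block and flags any DH group or proposal the notes above say to avoid; the tunnel names and settings in the sample are made up.

```python
import re

# Thresholds from the notes above (GCM and prf-based suites count as equivalents).
WEAK_DH = {1, 2, 5, 22, 23, 24}
MIN_DH = 16
ENC_OK = {"aes256", "aes256gcm", "chacha20poly1305"}
HASH_OK = {"sha384", "sha512", "prfsha384", "prfsha512"}
# Constructed sample: a legacy tunnel with weak settings beside a corrected one.
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "to-branch-old"
        set proposal 3des-sha1 aes128-md5
        set dhgrp 2 5
    next
    edit "to-branch-new"
        set proposal aes256-sha384
        set dhgrp 19 20
    next
end
'''

def parse_phase1(cfg):
    """Return {tunnel name: {"proposal": [...], "dhgrp": [...]}} from the block."""
    tunnels = {}
    for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next', cfg, re.S):
        name, body = m.groups()
        prop = re.search(r"set proposal ([\w\- ]+)", body)
        dh = re.search(r"set dhgrp ([\d ]+)", body)
        props = prop.group(1).split() if prop else []
        groups = [int(g) for g in dh.group(1).split()] if dh else []
        tunnels[name] = {"proposal": props, "dhgrp": groups}
    return tunnels

def check_tunnel(settings):
    """Apply the recommendations to one tunnel; an empty list means it passes."""
    findings = []
    for g in settings["dhgrp"]:
        if g in WEAK_DH:
            findings.append(f"dhgrp {g}: notably weak group")
        elif g < MIN_DH:
            findings.append(f"dhgrp {g}: below minimum DH-{MIN_DH}")
    for p in settings["proposal"]:
        enc, _, hsh = p.partition("-")  # FortiOS writes suites as enc-hash
        if enc == "des":
            findings.append(f"{p}: DES must never be used")
        elif enc == "3des" or hsh == "md5":
            findings.append(f"{p}: avoid 3DES/MD5 if at all possible")
        elif enc not in ENC_OK or hsh not in HASH_OK:
            findings.append(f"{p}: prefer AES-256 with SHA-384 or stronger")
    return findings
```

Run `check_tunnel` over each entry of `parse_phase1(SAMPLE_CONFIG)`; the legacy tunnel yields four findings and the corrected one yields none.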
References
2023-04, pfSense firewall v2.6.0-RELEASE (Community Edition) ipsec config pages
2021-08, NSA recommendations 2020: https://media.defense.gov/2020/Jul/02/2002355501/-1/-1/0/CONFIGURING_IPSEC_VIRTUAL_PRIVATE_NETWORKS_2020_07_01_FINAL_RELEASE.PDF
some reddit thread somewhere which I can't find any more, yeah possibly sketchy AF maybe, but it's backed up by other places on the web
2019-03, NCSC (UK) requirements for their tunnels: https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data
2018-10, DH group: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk27054
also some reddit thread somewhere which I can't find any more, yeah possibly sketchy AF maybe, but it's backed up by other places on the web