Site to Site VPN IPsec

Posted on 2014-12-10
Last Modified: 2014-12-17
What is the best IPsec encryption/authentication to use? I am putting in a new branch router. It looks like the router that are in place now are using MD5/3DES. Should I stay with this?
Question by:Jennifer
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
LVL 70

Accepted Solution

Qlemo earned 500 total points
ID: 40492782
Definitely no. AES 192 and SHA-1 should be used, together with DH of at least 2. Both 3DES and MD5 are claimed to be unsecure because decryptable in real-time.
LVL 10

Expert Comment

ID: 40493022
"All things being equal, choose the more secure option that is available to you." If there is not a huge difference in performance between MD5 and SHA-1 or SHA-2 then you should chose the stronger option.

If its easy for you to set up and configure a point-to-point VPN link with 3DES and AES-256; then you should chose the stronger option. Also, if you can configure Diffie-Hellman group 2 or 5 or 14 equally, then you should chose the stronger option.

I'm sure you've reviewed the encryption and authentication algorithms that you are currently using. With that said, and Keeping in mind my first statement above, you should always run the strongest algorithms and key strengths possible for your secured communications.



Author Comment

ID: 40496492
Thank you both.

Qlemo, I have considered both of these but what are your thoughts on AES-256 and SHA-2. I had request recently from GoDaddy to change all of my SSL certs SHA-2. Yes I know my router configuration is different than my SSL certificates but I am wondering if this is something that I should consider for the future. Or just stay with the current since it is not too difficult to change should I need/want to tell at a later time.

Rafael, thank you for your post however you really don't answer the question. 'Choosing the strong option' and 'running the strongest option' are only telling me what I already know. I am looking more for what the current 'norm' or user thoughts are for the current standard.
Defend Your Organization from The Greatest Threats

Looking to fill the gaps in your security? Bring together information from the network, endpoint and threat intelligence feeds to really see what's happening in your organization. Join the WatchGuardians in their adventures fighting cyber crime!


Author Comment

ID: 40496496
Qlemo, by current I mean AES-192 and SHA-1.
LVL 10

Expert Comment

ID: 40496822

Current norm is AES 256 and SHA-2.  That is what many  in corporate america as well as other agencies use.
LVL 70

Assisted Solution

Qlemo earned 500 total points
ID: 40497479
AES 256 needs more resources than AES 192. Hardware won't bother about that,  though. What I told you is the minimum you should set up. No issues with AES 256 and SHA-2, if all partners can cope with it. But I would not claim that to be "standard".

Author Closing Comment

ID: 40505421
I went with AES192 and SHA-2 configuration. I will see how it goes once it is hooked up at our branch location.

Featured Post

Webinar June 1st - Attacking Ransomware  

The global cyberattack that corrupted hundreds of thousands of computer systems on May 12th had a face, name, & price tag that we’ve seen all too often in recent years: Ransomware. With the stakes – and costs – of a ransomware attack higher than ever, is your business prepared ?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Monitor Bandwidth throughput in Fortigate 100D 1 46
PGP software 3 75
New CLI Commands Needed for Cisco ASA 5506 5 64
Data encryption options between SQL DBs 3 67
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question