Site to Site VPN IPsec

What is the best IPsec encryption/authentication to use? I am putting in a new branch router. It looks like the router that are in place now are using MD5/3DES. Should I stay with this?
JenniferIT DirectorAsked:
Who is Participating?
 
QlemoConnect With a Mentor Batchelor, Developer and EE Topic AdvisorCommented:
Definitely no. AES 192 and SHA-1 should be used, together with DH of at least 2. Both 3DES and MD5 are claimed to be unsecure because decryptable in real-time.
0
 
RafaelCommented:
"All things being equal, choose the more secure option that is available to you." If there is not a huge difference in performance between MD5 and SHA-1 or SHA-2 then you should chose the stronger option.

If its easy for you to set up and configure a point-to-point VPN link with 3DES and AES-256; then you should chose the stronger option. Also, if you can configure Diffie-Hellman group 2 or 5 or 14 equally, then you should chose the stronger option.

I'm sure you've reviewed the encryption and authentication algorithms that you are currently using. With that said, and Keeping in mind my first statement above, you should always run the strongest algorithms and key strengths possible for your secured communications.

-HTH

-Rafael
0
 
JenniferIT DirectorAuthor Commented:
Thank you both.

Qlemo, I have considered both of these but what are your thoughts on AES-256 and SHA-2. I had request recently from GoDaddy to change all of my SSL certs SHA-2. Yes I know my router configuration is different than my SSL certificates but I am wondering if this is something that I should consider for the future. Or just stay with the current since it is not too difficult to change should I need/want to tell at a later time.

Rafael, thank you for your post however you really don't answer the question. 'Choosing the strong option' and 'running the strongest option' are only telling me what I already know. I am looking more for what the current 'norm' or user thoughts are for the current standard.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
JenniferIT DirectorAuthor Commented:
Qlemo, by current I mean AES-192 and SHA-1.
0
 
RafaelCommented:
Jennifer,

Current norm is AES 256 and SHA-2.  That is what many  in corporate america as well as other agencies use.
0
 
QlemoConnect With a Mentor Batchelor, Developer and EE Topic AdvisorCommented:
AES 256 needs more resources than AES 192. Hardware won't bother about that,  though. What I told you is the minimum you should set up. No issues with AES 256 and SHA-2, if all partners can cope with it. But I would not claim that to be "standard".
0
 
JenniferIT DirectorAuthor Commented:
I went with AES192 and SHA-2 configuration. I will see how it goes once it is hooked up at our branch location.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.