Netgate Discussion Forum

    Disable old ciphers

      gsmithe

      Hey all,

      I just had a PCI scan and the scanner reports back that
      "Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device."

      I'm not using DES or 3DES, but am configured as such:
      P1 AES-128 / SHA256
      P2 AES / SHA1

      Does anyone know if there is a way of disabling the weak ciphers in ipsec (or otherwise keep the scanner from being able to negotiate them)?

      For those curious, the firewall had to be opened up to their scanner IPs to allow all access.

      Thanks,
      Gary

        bepo

        @gsmithe said in Disable old ciphers:

        SHA1

        Hey gsmithe,

        I don't know your PCI scanner. Sometimes a scanner alerts on SHA1 too.
        Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem.

        Kind regards

        Please use the thumbs up button if you received helpful advice. Thank you!

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.