Disable old ciphers
I just had a PCI scan and the scanner reports back that
"Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device."
I'm not using DES or 3DES, but am configured as such:
P1 AES-128 / SHA256
P2 AES / SHA1
Does anyone know if there is a way of disabling the weak ciphers in ipsec (or otherwise keep the scanner from being able to negotiate them)?
For those curious, the firewall had to be opened up to their scanner IPs to allow all access.
bepo last edited by
I don't know your PCI scanner. Sometimes a scanner alerts on SHA1 too.
Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem.
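The Phase 1/Phase 2 check suggested above can be scripted; this is an added example, not part of the original thread or any poster's code. It assumes the device exposes its tunnels in strongSwan `ipsec.conf` syntax (the thread does not name the platform), and the sample configuration is constructed, with `site-a` mirroring the AES-128/SHA256 and AES/SHA1 settings from the question.

```python
import re

# strongSwan proposal keywords mapped to the name a scanner would report.
# DES/3DES are the ciphers from the scan finding; SHA1 is the hash the reply mentions.
FLAGGED = {"des": "DES", "3des": "3DES", "sha1": "SHA1", "sha": "SHA1"}

# Constructed sample, not taken from the thread.
SAMPLE = """\
conn site-a
    ike = aes128-sha256-modp2048!
    esp = aes128-sha1-modp2048!   # P2 AES / SHA1

conn legacy
    ike = aes128-sha256-modp2048,3des-sha1-modp1024
    esp = aes128-sha256!
"""

def audit_ipsec_conf(text):
    """Return (conn, key, finding) tuples for every ike=/esp= line in the text."""
    findings, conn = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
            continue
        m = re.match(r"(ike|esp)\s*=\s*(.+)", line)
        if not m or conn is None:
            continue
        key, value = m.group(1), m.group(2).strip()
        for proposal in value.rstrip("!").split(","):
            proposal = proposal.strip()
            for token in proposal.lower().split("-"):
                if token in FLAGGED:
                    findings.append((conn, key, f"{FLAGGED[token]} in proposal {proposal}"))
        # Without a trailing '!' the daemon also offers its built-in default
        # proposals, so the configured list is not the full set a peer can negotiate.
        if not value.endswith("!"):
            findings.append((conn, key, "no trailing '!': daemon defaults are also offered"))
    return findings

if __name__ == "__main__":
    for conn, key, finding in audit_ipsec_conf(SAMPLE):
        print(f"{conn}: {key}: {finding}")
```

A tunnel with no DES/3DES keyword can still be flagged by the script when its proposal is not strict, which is the case worth checking when a scanner reports ciphers that were never configured.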