Disable old ciphers



  • Hey all,

    I just had a PCI scan and the scanner reports back that
    "Weak encryption ciphers, such as DES or 3DES, were identified as supported on this VPN device."

    I'm not using DES or 3DES, but am configured as such:
    P1 AES-128 / SHA256
    P2 AES / SHA1

    Does anyone know if there is a way of disabling the weak ciphers in ipsec (or otherwise keep the scanner from being able to negotiate them)?

    For those curious, the firewall had to be opened up to their scanner IPs to allow all access.

    Thanks,
    Gary



  • @gsmithe said in Disable old ciphers:

    SHA1

    Hey gsmithe,

    I don't know your PCI scanner. Sometimes a scanner alerts on SHA1 too.
    Check your Phase1/Phase2 config. If the configuration for DES/3DES is unchecked, this is not your problem.

    Kind regards