    IPSec Security

    MilesDeep:

      We've recently purchased several pfSense firewalls to deploy to our remote facilities. Most of the new firewalls are model SG-2440. Most of the facilities are small (10 users or less) with adequate bandwidth (3 Mb or better).

      The old, remote firewalls typically used: 3DES for encryption, SHA1 hash, PFS Key Group of 5. Really, just basic security.

      I'd like to create a more secure tunnel but I have no real idea of how an increase in security may impact performance. Any insight that might move me to a reasonable compromise would be much appreciated.

      I'm considering AES192 or 256 for encryption, AES-x to HASH, and I'm really not sure on the PFS Key. Thanks in advance.

      Miles

      Guest:

        > I'm considering AES192 or 256 for encryption, AES-x to HASH, and I'm really not sure on the PFS Key. Thanks in advance.

        Use IPsec with AES-GCM, and start with AES128 first; go higher if you need it, and see how well it works.

          MilesDeep:

          Good day!

          Thanks for the help. I have no support at the remote sites, so if I get this wrong and need to change it, it could be very difficult.

          You'd try AES128 for encryption to start? I will consider that. AES over Blowfish? HASH? Any thoughts on PFS Key Group? I really do not know how changes in these methods will affect speed in a LIVE environment.

            lst_hoe:

            PFS key group 2 (1024-bit) is rumored to be possible to break with an NSA-like budget. PFS key group 5 should be fine as of now; higher PFS groups get really slow. For the symmetric ciphers like 3DES and AES128 there is no real-world break known, but as AES128 should be faster than 3DES you should use AES. The hash does not matter as it is used for integrity check to my knowledge, at least if you are not using a preshared key, which you should not do.

            Regards

            Andreas

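            To make the three choices in this thread concrete (cipher, hash, PFS group), here is a strongSwan swanctl.conf fragment. pfSense runs strongSwan underneath, but this is an added example written for this page, not a pfSense export or anything the posters wrote; the connection name, addresses, subnets, certificate names and identities are placeholders. The "old:" comment lines carry the proposal the thread started from (3DES, SHA-1, PFS group 5 = MODP-1536); the live lines use AES-128-GCM as the Guest suggested, and go one step beyond the thread by picking an elliptic-curve PFS group (group 19, ecp256), which is both stronger than group 5 and cheaper to compute than the MODP-2048 group 14 that lst_hoe warns gets slow.

```conf
# swanctl.conf (strongSwan 5.x, IKEv2).  Added example, not from the thread.
# Names, addresses and subnets are placeholders.  Certificates are assumed to
# be installed already; the thread's advice is to avoid pre-shared keys.
connections {
    branch {
        version      = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.1

        # IKE (phase 1) proposal, format: cipher-prf/integrity-dhgroup
        # old:  proposals = 3des-sha1-modp1536      # 3DES, SHA-1, DH group 5
        #
        # aes128gcm16 is an AEAD cipher: it authenticates the packet itself,
        # so no separate HMAC is listed, only a PRF for key derivation.
        # ecp256 is IKE group 19: roughly 128-bit security (MODP-1536 is
        # well under that) and a much cheaper exchange than modp2048.
        proposals = aes128gcm16-prfsha256-ecp256

        local {
            auth  = pubkey
            certs = branch.pem
            id    = "CN=branch.example.net"
        }
        remote {
            auth = pubkey
            id   = "CN=hq.example.net"
        }

        children {
            lan {
                local_ts  = 10.10.0.0/24
                remote_ts = 10.0.0.0/16

                # ESP (phase 2) proposal, format: cipher[-integrity]-pfsgroup
                # old:  esp_proposals = 3des-sha1-modp1536
                #
                # GCM again needs no integrity algorithm; the trailing group
                # turns on PFS, so a fresh DH exchange runs at every rekey.
                esp_proposals = aes128gcm16-ecp256
                rekey_time    = 3600s
                start_action  = trap
            }
        }
    }
}
```

            In pfSense GUI terms the same settings are: Phase 1 encryption AES-GCM 128, hash/PRF SHA256, DH group 19 (nist ecp256); Phase 2 AES-GCM 128 with PFS group 19. After loading the config, `swanctl --list-sas` shows which algorithms were actually negotiated, which is worth checking because the peer may silently pick a weaker member of a multi-proposal list. On the performance question: the per-packet cost is the cipher, and on a CPU with AES-NI a quick `openssl speed -evp des-ede3-cbc` against `openssl speed -evp aes-128-gcm` will show AES-GCM several times faster than 3DES, so moving off 3DES is a speed gain, not a loss. The DH group only costs CPU at IKE setup and at each rekey, not per packet, so a stronger group on a 10-user site is barely noticeable. The caveat for unattended remote sites is that both ends must support GCM and ECP groups; if the far side is an older device that does not, aes128-sha256-modp2048 (group 14) is the safe non-AEAD fallback.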

            © 2021 Rubicon Communications, LLC | Privacy Policy