CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

Tim Hall has done it yet again - That's right, the 3rd edition is here!
You can read his announcement post here.
It's a massive upgrade focusing on current versions, and well worth checking out. -E


Results 1 to 2 of 2

Thread: VPN in Checkpoint R80.10

  1. #1
    Join Date
    Rep Power

    Default VPN in Checkpoint R80.10

    In checkpoint VPN setup, I only see the followings:

    in Diffie-Hellman group: Group 1, group 2 group 5, group 14, group 19 group 20

    In Data Integrity: AES-XCBC, MD5, SHA1, SHA256, SHA384

    However, I am seeing this in Cisco IOS router for Diffie-Hellman:

    router1(config-isakmp)#group ?
    1 Diffie-Hellman group 1 (768 bit)
    14 Diffie-Hellman group 14 (2048 bit)
    15 Diffie-Hellman group 15 (3072 bit)
    16 Diffie-Hellman group 16 (4096 bit)
    19 Diffie-Hellman group 19 (256 bit ecp)
    2 Diffie-Hellman group 2 (1024 bit)
    20 Diffie-Hellman group 20 (384 bit ecp)
    24 Diffie-Hellman group 24 (2048 bit, 256 bit subgroup)
    5 Diffie-Hellman group 5 (1536 bit)

    so you can see, I am not seeing DH group
    For Data Integrity:

    router1(config)#crypto ipsec transform-set aspect esp-aes 256 ?
    ah-md5-hmac AH-HMAC-MD5 transform
    ah-sha-hmac AH-HMAC-SHA transform
    ah-sha256-hmac AH-HMAC-SHA256 transform
    ah-sha384-hmac AH-HMAC-SHA384 transform
    ah-sha512-hmac AH-HMAC-SHA512 transform
    comp-lzs IP Compression using the LZS compression algorithm
    esp-md5-hmac ESP transform using HMAC-MD5 auth
    esp-sha-hmac ESP transform using HMAC-SHA auth
    esp-sha256-hmac ESP transform using HMAC-SHA256 auth
    esp-sha384-hmac ESP transform using HMAC-SHA384 auth
    esp-sha512-hmac ESP transform using HMAC-SHA512 auth

    So you can see, I am not seeing DH group 15, 16 and 24 in Checkpoint. I am not seeing SHA512 in Checkpoint either.


  2. #2
    Join Date
    DFW, TX
    Rep Power

    Default Re: VPN in Checkpoint R80.10

    I wouldn't be surprised if Check Point doesn't support SHA512 currently. Keep in mind that when used for HMAC, even MD5 is more than secure enough. HMAC works like H((K'^0x5c5c...) <> H((K'^0x3636...) <> message)) where K' is the negotiated private key for the traffic padded out to 64 bytes (512 bits). The negotiated key should be longer than or equal to the output length of the hash, as shorter keys can allow private key recovery from the HMAC.

    If you use AES-128 for phase 2, you should use HMAC-MD5. For AES-192, use HMAC-SHA1. For AES-256, use HMAC-SHA256. I know of no reason to use SHA384 or SHA512. I, personally, wouldn't use AES-192 or AES-256, as they take substantially more computing power to use, and have design weaknesses.

    For the DH groups, I would stick with 5 or 14. 19 and 20 are elliptic-curve groups, which are passably secure against attack by conventional computer, but substantially less secure against attack by quantum computer.

Similar Threads

  1. Checkpoint to checkpoint VPN and management server
    By carl_t in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 6
    Last Post: 2016-03-16, 08:14
  2. How to backup checkpoint through CLI in Nokia IP330 + Checkpoint NG FP1
    By stuart in forum Check Point Backup Procedures
    Replies: 0
    Last Post: 2007-04-05, 05:47
  3. Checkpoint to non-Checkpoint Config needed
    By lowfell in forum IPsec VPN Blade (Virtual Private Networks)
    Replies: 2
    Last Post: 2007-03-27, 12:25


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts