Hi,
I am setting up VPN tunnels between a FortiGate and Check Point firewalls and following a guide where they recommend for Phase 1: Encryption AES256 and Authentication SHA1.
Phase 2: Encryption AES128 and Authentication SHA1.
This guide was written a few years ago. Is it still appropriate to use today?
Sha1 is dead. I always do aes256 sha256 as a min. More if I can without pushing the CPU.
Run the highest allowed by your NP Accelerator. View “FortiView, All Sessions, SPU” to verify that the traffic is offloaded.
My Fortigate 60D and NP4Lite
Phase 1: IKEv2 AES256-SHA256 DH20
Phase 2: AES256-SHA1 DH14 PFS
Phase 1 is not accelerated so can have higher settings.
I always ask the other side what the highest level they can do. I like to shoot for aes256 sha512 and same with phase 2 with pfs on
Minimum recommended:
Phase 1:
Diffie-Hellman Group: 16
Encryption: AES-256
Hash: SHA-384
Phase 2:
Encryption: AES-256
Hash: SHA-384
Block Cipher Mode: CBC
Configuring IPsec Virtual Private Networks - Defense.gov
IKEv2, AES256/SHA256 is my go to.
IKEv1, AES256/SHA1 if for some reason the two firewalls cannot make IKEv2 work together.
I am not a cryptographer, this is based on the input of cryptographers. Sources: https://en.wikipedia.org/wiki/HMAC https://security.stackexchange.com/questions/20129/how-and-when-do-i-use-hmac
IPsec doesn’t use straight SHA1 - it uses SHA1 for the hash function in an HMAC (Hashed Message Authentication Code) subroutine.
EDIT: Based on this: https://www.ciscopress.com/articles/article.asp?p=25473 the key material used in the HMAC function is based on the DH exchange in phase 1.
HMAC-SHA1 is fine and - to my knowledge - has no known weaknesses.
Straight MD5 and SHA1 should not be used. We are talking about things like file hashes or certificate fingerprints. They are both broken.
Similarly, HMAC-MD5 is also fine. This is used by OSPFv2 for authentication as well as IPsec.
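To make the distinction in the post above concrete (plain SHA1 versus SHA1 used inside an HMAC), here is an added example, not from the original thread, that writes HMAC-SHA1 out from the RFC 2104 definition and cross-checks it against Python's hmac module. The key is mixed into both the inner and the outer hash, which is why a collision found against bare SHA1 does not by itself give an attacker a valid tag without the key.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes (RFC 2104 "B")


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA1 written out from the RFC 2104 definition:
    HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)).
    K' is the key, hashed down if longer than a block, then zero-padded."""
    if len(key) > BLOCK:                 # long keys are first hashed
        key = hashlib.sha1(key).digest()
    key = key.ljust(BLOCK, b"\x00")      # then padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(ipad + msg).digest()
    return hashlib.sha1(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    return hmac.compare_digest(hmac_sha1(key, msg),
                               hmac.new(key, msg, hashlib.sha1).digest())


def verify_tag(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(hmac_sha1(key, msg), tag)


if __name__ == "__main__":
    key = b"\x0b" * 20                   # RFC 2202 test case 1
    msg = b"Hi There"
    print(hmac_sha1(key, msg).hex())     # b617318655057264e28bc0b6fb378c8ef146be00
    # Same message, different key: a different tag. Knowing how to collide
    # SHA-1 on its own does not help without the key that was mixed in.
    print(hmac_sha1(b"\x0c" * 20, msg).hex())
```

The first vector is RFC 2202 test case 1, so the output can be checked against the RFC directly; the thread's point about strong keying material is the flip side of this construction, since the tag is only as unpredictable as the key fed into it.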
SHA1 is not recommended: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
SHA256 is fine, as well as SHA512.
AES128 is fine, though there's usually no good reason to use it, as AES256 is much stronger and usually available. DES/3DES is also something I wouldn't recommend: DES has been easily crackable for a long time now, not sure about 3DES, but the thing with AES is that it's built to be easily hardware accelerated, so not only is it more secure, it's also faster. So 3DES is only for when you have no other choice.
DH group, as high as you can go. Anything <=5 should be avoided.
IKEv2 recommended over IKEv1. If you have to go with IKEv1 don’t use aggressive mode (I’m too lazy to google a link now but that’s also broken).
Also Checkpoint has a nasty habit of summarizing P2 proposals (e.g. say you have 10.0.0.0/24 and 10.0.1.0/24 , CP will summarize that to 10.0.0.0/23, which is fine (even a small optimization), but if you don’t have a CP on the other end it won’t work, and you’ll have to manually summarize on the other end). FFS CP, why can’t you do as you are told?
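The checklist in the post above (IKEv2 over IKEv1, no aggressive mode, no DES/3DES, no MD5/SHA1, no DH group 5 or below) is easy to apply by hand to one tunnel and easy to forget on the tenth. Here is an added example, not from the thread, that parses the phase1-interface/phase2-interface blocks of a FortiOS config dump and reports each proposal setting that falls short of that advice. The config text and tunnel names are constructed for the example, and the numeric thresholds are this example's own encoding of the thread's advice, not a vendor rule set.

```python
import re

# Thresholds encode the advice in this thread (assumption: this example's own
# reading of it, not a FortiGate or vendor rule set).
WEAK_ENC = {"des", "3des"}
WEAK_AUTH = {"md5", "sha1"}
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
           19: 256, 20: 384, 21: 521}   # 19-21 are ECP groups (curve size)
MIN_MODP_BITS = 2048                    # "anything under DH14 should be avoided"
MIN_ECP_BITS = 256

# Constructed sample: an old IKEv1 tunnel next to a reworked IKEv2 one.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to-checkpoint-old"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set proposal aes256-sha1 3des-md5
        set dhgrp 5 2
        set remote-gw 203.0.113.10
    next
    edit "to-checkpoint-new"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 20
        set remote-gw 203.0.113.10
    next
end
config vpn ipsec phase2-interface
    edit "to-checkpoint-new-p2"
        set phase1name "to-checkpoint-new"
        set proposal aes256-sha256
        set dhgrp 20
        set pfs enable
    next
end
"""


def parse_fortios_vpn(text: str) -> dict:
    """Return {entry_name: {setting: value, "_phase": "phase1"|"phase2"}} for
    the 'config vpn ipsec phaseN-interface' blocks of a FortiOS config dump."""
    entries, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config vpn ipsec (phase[12])-interface", line)
        if m:
            section = m.group(1)
            continue
        m = re.match(r'edit "([^"]+)"', line)
        if m and section:
            current = entries.setdefault(m.group(1), {"_phase": section})
            continue
        m = re.match(r"set (\S+) (.+)", line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            section = None
    return entries


def review_entry(cfg: dict) -> list:
    """List the settings of one phase1/phase2 entry that the thread advises against.
    Defaults assumed when a setting is absent: ike-version 1, main mode, pfs enable."""
    findings = []
    if cfg["_phase"] == "phase1":
        if cfg.get("ike-version", "1") == "1":
            findings.append("IKEv1 in use; prefer IKEv2")
            if cfg.get("mode", "main") == "aggressive":
                findings.append("IKEv1 aggressive mode: PSK exposed to offline brute force")
    for proposal in cfg.get("proposal", "").split():
        enc, _, auth = proposal.partition("-")          # e.g. aes256-sha1
        if enc in WEAK_ENC:
            findings.append(f"{proposal}: {enc.upper()} encryption is obsolete")
        if auth.removeprefix("prf") in WEAK_AUTH:       # IKEv2 GCM uses prfshaN
            findings.append(f"{proposal}: {auth.upper()} integrity not recommended; use SHA256 or higher")
    for g in cfg.get("dhgrp", "").split():
        bits = DH_BITS.get(int(g))
        if bits is None:
            findings.append(f"dhgrp {g}: group not in this example's table")
            continue
        floor = MIN_ECP_BITS if int(g) >= 19 else MIN_MODP_BITS
        if bits < floor:
            findings.append(f"dhgrp {g}: {bits}-bit group is below the 2048-bit (DH14) floor")
    if cfg["_phase"] == "phase2" and cfg.get("pfs", "enable") == "disable":
        findings.append("PFS disabled on phase 2")
    return findings


def review_config(text: str) -> dict:
    """Map every tunnel entry in the dump to its list of findings."""
    return {name: review_entry(cfg) for name, cfg in parse_fortios_vpn(text).items()}


if __name__ == "__main__":
    for name, findings in review_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   -", f)
```

Feed it the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` concatenated; a clean tunnel produces an empty list, which makes it cheap to rerun after every change so the proposals do not quietly age the way a later post in this thread describes.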
I personally use AES256/SHA512 on IKEv2 and DH groups 20/21 as this combination is most likely to meet or exceed compliance checkpoints in most countries we operate in.
Most people have already mentioned the security side. To add on to that, go higher than what is safe. Most people don't reevaluate their IPsec proposals regularly, so if you just go with a minimum now, you'll likely end up running something not recommended soon. I've seen several tunnels running DES because they were never updated. Just because the guide uses SHA1 doesn't mean you have to, as long as both sides are the same. Pick something higher on the security scale to future proof… Hopefully.
Usually it’s a minimum of 1 and a max of 3 proposals you select for phase 1. Choose the strongest method available to both devices and that should be fine. I’ve been using Chacha20 of late. Phase 2 is usually network selectors.
Thank you all for all the answers, a lot of valuable info.
Will try to go higher and at least AES256/SHA256. Will see what my boxes can handle.
HMAC SHA1 is still OK, if I remember correctly. (corrections welcome!)
Good points about using what the device can offload. And using HMAC-SHA1 is not an issue; the chance of finding a collision during the key life is pretty much impossible still, and it can't be used retrospectively to decrypt anything, as that's protected by AES.
In real life, AES256-SHA1 DH14 PFS, the DH group is still the weakest link here. And DH 14 is still considered secure enough. So meh about hmac sha1.
SHA1 is not recommended: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
SHA1 is dead but IPsec doesn’t use SHA1, it uses SHA1 for the hash algo of an HMAC function.
Everything I have read is the HMAC variants of SHA1 and MD5 don’t suffer the collision problems of “plain” SHA1 and MD5.
However, that makes it very very important to have strong keying material to feed into your HMAC function!
DH group, as high as you can go. Anything <=5 should be avoided.
Technically, anything under DH14 should be avoided. DH group 14 is the equivalent of 2048-bit RSA.
Hi, I read that aggressive mode is less secure than main mode, but I have a few IPsec tunnels that need to be set up as dialup interfaces in the FortiGate (remote ends using dynamic public IPs, and a few don't have a public IP), and then I think aggressive mode is required.
What’s recommended here?
The IKEv1 aggressive mode key exchange can be brute forced to recover the PSK.
IKEv2 is more secure in that regard.
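To show why the reply above holds, here is an added simulation, not from the thread, of the weakness in IKEv1 aggressive mode with pre-shared keys. With PSK authentication RFC 2409 derives SKEYID = prf(PSK, Ni | Nr) and the responder sends HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) in the clear in the second aggressive-mode message. Everything in that formula except the PSK is visible on the wire, so a passive capture becomes an offline dictionary attack. All values below are constructed (random bytes stand in for the DH public values and SA payload, and the peer ID is 203.0.113.10); the prf is HMAC-SHA1 as for a SHA1 proposal. In IKEv2 the corresponding AUTH payload travels inside the encrypted IKE_AUTH exchange, keyed from the DH result, so the same capture yields nothing to grind against.

```python
import hashlib
import hmac
import random


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA1 proposal: HMAC-SHA1 (RFC 2409)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_r(skeyid: bytes, cap: dict) -> bytes:
    """RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"]
               + cap["sai_b"] + cap["idir_b"])


def aggressive_mode_capture(psk: bytes, seed: int = 7) -> dict:
    """What a passive observer sees in aggressive-mode messages 1 and 2.
    Constructed values: the g^x fields are random bytes standing in for real
    DH public values, which is fine here because only their transmitted bytes
    enter HASH_R, not the DH secret."""
    rng = random.Random(seed)
    cap = {
        "cky_i": rng.randbytes(8),    # initiator cookie
        "cky_r": rng.randbytes(8),    # responder cookie
        "ni": rng.randbytes(16),      # initiator nonce, message 1
        "nr": rng.randbytes(16),      # responder nonce, message 2
        "gxi": rng.randbytes(256),    # KE payload, message 1 (stand-in)
        "gxr": rng.randbytes(256),    # KE payload, message 2 (stand-in)
        "sai_b": rng.randbytes(40),   # initiator SA payload body (stand-in)
        # ID payload body: ID_IPV4_ADDR (1), proto 0, port 0, 203.0.113.10
        "idir_b": b"\x01\x00\x00\x00" + bytes([203, 0, 113, 10]),
    }
    cap["hash_r"] = hash_r(skeyid_psk(psk, cap["ni"], cap["nr"]), cap)
    return cap


def crack_psk(cap: dict, candidates):
    """Offline dictionary attack: recompute HASH_R per candidate PSK and
    return the first one that reproduces the captured value, else None."""
    for cand in candidates:
        guess = hash_r(skeyid_psk(cand, cap["ni"], cap["nr"]), cap)
        if hmac.compare_digest(guess, cap["hash_r"]):
            return cand
    return None


if __name__ == "__main__":
    capture = aggressive_mode_capture(b"Summer2019!")   # constructed PSK
    wordlist = [b"password", b"fortinet", b"Summer2019!", b"letmein"]
    print(crack_psk(capture, wordlist))                  # b'Summer2019!'
```

Nothing here talks to a device; it only reproduces the arithmetic that makes the capture crackable. For the dial-up case in the question, the practical takeaway is that IKEv2 does not need aggressive mode to identify a dynamic-IP peer, since the peer ID is carried inside the encrypted IKE_AUTH exchange, and that if IKEv1 aggressive mode truly cannot be avoided the PSK has to be long and random enough that a dictionary attack like this one never finishes.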