AES-GCM Encryption
I have a M270 running version 12.7.2. I configure Mobile VPN IKEv2 accepting the defaults during configuration.
The following article says that "In Fireware v12.2 or higher, the Firebox supports AES-GCM encryption."
Is AES-GCM a better security encryption? If so, how do I change my IKEv2 (where is this settings at)?
Comments
In Policy Manager (not the web UI) go to VPN > Mobile VPN > IKEv2 > in the Security Tab click Edit for the IKEv2 Shared Settings box > Click Add > then choose the configuration settings you want in the drop down menus provided.
GCM tends to be a little faster from my understanding, your results may differ.
Be careful with the Diffie-Hellman Group, as with too high a Group number Windows doesn't support it. When you try to create a Client Profile for IKEv2 you won't get the .bat installation file from the Firebox.
I learned this lesson when I moved from DHG 14 to 19.
It's usually something simple.
Thanks. I suppose the following takes me to the same place?
Policy Manager - VPN - IKEv2 Shared Settings...
These are the default settings:
SHA2-256-AES (256-bit) | D-H Group14
SHA1-AES (256-bit) | D-H Group5
SHA1-AES (256-bit) | D-H Group2
SHA1-3DES | D-H Group2
Can I just edit the first entry and change it to AES-GCM? Do I need to change anything else on Phase 2 (tab)?
> Thanks. I suppose the following takes me to the same place?
> Policy Manager - VPN - IKEv2 Shared Settings...
>
> These are the default settings:
> SHA2-256-AES (256-bit) | D-H Group14
> SHA1-AES (256-bit) | D-H Group5
> SHA1-AES (256-bit) | D-H Group2
> SHA1-3DES | D-H Group2
>
> Can I just edit the first entry and change it to AES-GCM?
Yes
> Do I need to change anything else on Phase 2 (tab)?
No
AES-GCM is more efficient in /some/ situations. For an M270, which has a cryptographic accelerator, the difference will likely not be discernible. The difference will generally come down to which algorithm the client PC is more efficient at sending with, which will vary by processor type and workload.
Best advice would be to try it and see if you get any type of performance boost.
Note that for IKEv2, you're bound by what cipher suite the VPN client on the OS tries to use first -- Windows in particular will use its preferred settings.
-James Carson
WatchGuard Customer Support
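Since the Windows built-in client negotiates with its own preferred proposal, the client side can be pinned so that it offers AES-GCM for ESP together with an IKE SA matching the first default Firebox entry (SHA2-256 / AES-256 / D-H Group14). This is an added example, not code from the thread or from WatchGuard; the connection name is a placeholder for the connection the Firebox client profile creates, and the PFS group is an assumption that should be matched to the Phase 2 tab on the Firebox.

```powershell
# Added example (not from the thread or from WatchGuard): pin a Windows IKEv2
# VPN connection's IPsec proposal so the client offers AES-GCM for ESP, with an
# IKE SA that matches the first default Firebox entry
# (SHA2-256 / AES-256 / D-H Group14).
# 'WatchGuard IKEv2' is a placeholder; use the name of the connection created
# by the Firebox client profile .bat. The connection must already exist.
$ConnectionName = 'WatchGuard IKEv2'

# Phase 1 (IKE SA): AES-256, SHA-256, DH Group14 - same as the Firebox default.
# Phase 2 (ESP): AES-256-GCM; with an AEAD cipher the authentication transform
# is the same GCM constant, so both transform parameters are set to GCMAES256.
# PfsGroup PFS2048 (Group14) is an assumption - match it to the Phase 2 tab.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants GCMAES256 `
    -AuthenticationTransformConstants GCMAES256 `
    -PfsGroup PFS2048 `
    -Force

# Check: display the custom IPsec policy now attached to the connection, so a
# mismatch with the Firebox IKEv2 Shared Settings is visible before connecting.
(Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy
```

If the Firebox still reports a different cipher after connecting, compare this output with the Phase 1 and Phase 2 entries in Policy Manager rather than changing only one side.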