Change Default Encryption for SSLVPN
A new WG video recommends using AES-GCM encryption for improved performance for SSLVPN.
Please change the default encryption for SSLVPN to AES-GCM instead of 3DES.
Optimize Mobile VPN with SSL
https://watchguard.us13.list-manage.com/track/click?u=1bcb692e17a1463ca874e0ce2&id=17a9d1168a&e=cae878f58b
Comments
Moving away from 3DES (to AES) should have previously been done for security reasons. Users can change from AES-128/192/256 to AES-GCM for performance reasons.
Brian, yes, users can change from AES-128/192/256 to AES-GCM for performance reasons, but Bruce is asking that this change be made the DEFAULT setting.
Gregg Hill
Hi Bruce,
SSLVPN's default settings are currently:
Authentication: SHA256
Encryption: AES256
AES-GCM isn't supported in all recent versions of Fireware, and isn't supported by all firebox models (some of the legacy devices can't use this) so the default won't be moved until those devices are end of life.
If your configuration was created before the standard was moved to SHA256/AES256, it won't be changed, and will stay at whatever it was when the configuration was made. This is to ensure that a working configuration isn't changed without your knowledge or broken.
-James Carson
WatchGuard Customer Support
Then perhaps the video info needs to be updated to reflect that some older firewall models or all recent XTM versions don't support AES-GCM ...
My starting config goes back many years, probably to V9.x or 10.x.
Many version upgrades.
@Bruce_Briggs We do go over this in our docs
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/mobile_vpn_types_c.html
The goal of the videos is to keep them short. Adding every compatibility caveat will make them very long. I'll ask that they add some information regarding compatibility to the video, and see if they can add anything in the time they have allotted.
Thank you,
-James Carson
WatchGuard Customer Support