Change Default Encryption for SSLVPN

A new WG video recommends using an AES-GCM for encryption for improved performance for SSLVPN.
Please change the default encryption for SSLVPN to AES-GCM instead of 3DES.

Optimize Mobile VPN with SSL


  • Moving away from 3DES (to AES) should have previously been done for security reasons. Users can change from AES-128/192/256 to AES-GCM for performance reasons.

  • Brian, yes, users can change from AES-128/192/256 to AES-GCM for performance reasons, but Bruce is asking that this change be made the DEFAULT setting,

    Gregg Hill

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi Bruce,

    SSLVPN's current default settings are currently
    Authentication SHA256
    Encrpytion AES256

    AES-GCM isn't supported in all recent versions of Fireware, and isn't supported by all firebox models (some of the legacy devices can't use this) so the default won't be moved until those devices are end of life.

    If your configuration was created before the standard was moved to SHA256/AES256, it won't be changed, and will stay at whatever it was when the configuration was made. This is to ensure that a working configuration isn't changed without your knowledge or broken.

    -James Carson
    WatchGuard Customer Support

  • edited April 2020

    Then perhaps the video info needs to be updated to reflect that some older firewall models or all recent XTM version don't support AES-GCM ....

    My starting config goes back many years, probably to V9.x or 10.x.
    Many version upgrades.

  • james.carsonjames.carson Moderator, WatchGuard Representative

    @Bruce_Briggs We do go over this in our docs

    The goal of the videos are to keep them short. Adding every compatibility caveat will make them very long. I'll ask that they add some information regarding compatibility to the video, and see if they can add anything in the time the have alloted.

    Thank you,

    -James Carson
    WatchGuard Customer Support

Sign In to comment.