AES-GCM Encryption

I have a M270 running version 12.7.2. I configure Mobile VPN IKEv2 accepting the defaults during configuration.

The following article says that "In Fireware v12.2 or higher, the Firebox supports AES-GCM encryption."

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/mvpn/general/mobile_vpn_types_c.html

Is AES-GCM a better security encryption? If so, how do I change my IKEv2 (where is this setting)?

Comments

  • In Policy Manager (not the web UI) go to VPN > Mobile VPN > IKEv2 > in the Security Tab click Edit for the IKEv2 Shared Settings box > Click Add > then choose the configuration settings you want in the drop-down menus provided.

    GCM tends to be a little faster, from my understanding; your results may differ.
    Be careful with the Diffie-Hellman Group: with too high a Group number, Windows doesn't support it. When you try to create a Client Profile for IKEv2 you won't get the .bat installation file from the Firebox.

    I learned this lesson when I moved from DHG 14 to 19.

    It's usually something simple.

  • Thanks. I suppose the following takes me to the same place?
    Policy Manager - VPN - IKEv2 Shared Settings...

    These are the default settings:
    SHA2-256-AES (256-bit) | D-H Group14
    SHA1-AES (256-bit) | D-H Group5
    SHA1-AES (256-bit) | D-H Group2
    SHA1-3DES | D-H Group2

    Can I just edit the first entry and change it to AES-GCM? Do I need to change anything else on Phase 2 (tab)?

  • > @morpheus27 said:
    > Thanks. I suppose the following takes me to the same place?
    > Policy Manager - VPN - IKEv2 Shared Settings...
    >
    > These are the default settings:
    > SHA2-256-AES (256-bit) | D-H Group14
    > SHA1-AES (256-bit) | D-H Group5
    > SHA1-AES (256-bit) | D-H Group2
    > SHA1-3DES | D-H Group2
    >
    > Can I just edit the first entry and change it to AES-GCM?
    Yes

    Do I need to change anything else on Phase 2 (tab)?
    No
  • james.carson (Moderator, WatchGuard Representative)

    AES-GCM is more efficient in /some/ situations. For an M270, which has a cryptographic accelerator, the difference will likely not be discernible. The difference will generally come down to which algorithm the client PC is more efficient at sending with, which will vary by processor type and work load.

    Best advice would be to try it and see if you get any type of performance boost.

    Note that for IKEv2, you're bound by what cipher suite the VPN client on the OS tries to use first -- Windows in particular will use its preferred settings.

    -James Carson
    WatchGuard Customer Support
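
    Since the Windows client picks the proposal it offers first, the Firebox-side change only takes effect if the client profile offers AES-GCM too. The following is an added example (not from this thread or from WatchGuard) showing how to pin the Windows built-in IKEv2 client to an AES-GCM proposal that lines up with the first default Firebox entry (AES-256 / SHA2-256 / DH Group 14). The connection name "Firebox-IKEv2" is a placeholder for whatever profile the Firebox .bat installer created; the IKE-SA/ESP mapping shown is one common choice, not the only valid one.

```powershell
# Added example: align the Windows built-in IKEv2 client with an AES-GCM proposal.
# 'Firebox-IKEv2' is a placeholder; use the connection name created by the .bat file.
$Name = 'Firebox-IKEv2'

# Stop early if the profile is missing (run the Firebox client installer first).
$null = Get-VpnConnection -Name $Name -ErrorAction Stop

# IKE SA (Phase 1) stays AES-256/SHA2-256/Group 14 to match the Firebox default entry;
# the Child SA (Phase 2, ESP) is where AES-GCM is applied. Windows requires the
# Authentication and Cipher transform constants to be the *same* GCMAES value,
# because GCM supplies both confidentiality and integrity in one transform.
$params = @{
    ConnectionName                   = $Name
    EncryptionMethod                 = 'AES256'     # IKE SA encryption
    IntegrityCheckMethod             = 'SHA256'     # IKE SA integrity / PRF
    DHGroup                          = 'Group14'    # IKE SA key exchange (2048-bit MODP)
    CipherTransformConstants         = 'GCMAES256'  # ESP cipher (AES-256-GCM)
    AuthenticationTransformConstants = 'GCMAES256'  # must equal the cipher for GCM
    PfsGroup                         = 'PFS2048'    # Child SA PFS, same strength as Group 14
    Force                            = $true        # apply without a confirmation prompt
}
Set-VpnConnectionIPsecConfiguration @params

# Verify the custom policy took effect before testing the tunnel.
(Get-VpnConnection -Name $Name).IPsecCustomPolicy |
    Format-List EncryptionMethod, IntegrityCheckMethod, DHGroup,
                CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
```

    If the DH group on the Firebox is raised above what the client offers here, the negotiation falls back or fails rather than silently using a weaker group, so check both sides together.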
