RE: [FW1] Multiple VPN Modules & DES
Jim,

> We are looking at using Checkpoint VPN-1 in multiple locations globally and heard
> that if one module uses 3DES and another DES they can't "talk" to each other.
> Is this accurate and if so how do you work around it? Thanks in advance for your
> help.

What do you mean by 'one module uses 3DES and another DES'?

If you mean that the software and license on one end is DES rather than 3DES, then that is not true. A module with 3DES software CAN be configured to use weaker algorithms to encrypt.

If you mean the configuration for encryption on the rules in the corresponding rulebases, then you are correct, because both ends must agree on the encryption parameters to be used, before an encrypted packet can be correctly decrypted. Those parameters include:

- which protocol to use (IKE, Manual IPSEC, SKIP or FWZ)
- what encryption to use (3DES, DES, CAST, or 40bit)
  [remember that your choice of protocol affects which encryption options are available]
- what data integrity to use

This means that you must choose parameters for the connection which are acceptable to both ends. So you can't use 3DES to encrypt if the remote doesn't have a license (and software) for strong encryption.

Tim

--
Timothy Frost      mailto:[email protected]
EDS New Zealand    Fax: +64-4-495-0473
8 Gilmer Terrace   Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================