I've said this a few times before, but..
If people are using IKE with shared secrets then they almost certainly don't need 3DES for their transport cipher. Likewise, MD5 should probably now be considered "too weak" to match with 3DES.

For "strong" VPNs I recommend SHA-1, 3DES and RSA encrypted nonces using certs on the devices. (NB: This needs N(n-1) total certs and (n-1) certs in each device, which can be awful.)

For "fairly strong": SHA-1, 3DES and certs using a CA (yes, I rate this as weaker than manually entering the certs in each device, but it's MUCH easier to manage).

For "normal" then I have no problem with MD5, DES and shared secrets of at least 64 bits' worth of entropy (usually about 16 random characters, depending on your paranoia level. You could always md5sum /dev/urandom...). That bit is important - I've seen way too many implementations with really crappy shared secrets.

This, IMO, keeps your various bits and pieces in balance. If you're using shared secrets and MD5 then you're probably just giving up speed by running 3DES as your cipher.

--
Ben Nagy
Network Security Specialist
Mb: TBA
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Allix Primus
> Sent: Wednesday, June 12, 2002 11:52 PM
> To: [EMAIL PROTECTED]
> Subject: Netscreen 25 VPN Slowdown
>
> Hi,
>
> Our organization has just updated their firewall to the NetScreen 25. Installation was fairly simple to implement and things appear to be working.
>
> The only problem we have noticed is a noticeable slowdown with the VPN. It currently uses 3DES encryption and MD5 authentication using manual IKE.
>
> Any suggestions or comments about the NetScreen 25 would be greatly appreciated.
>
> Al
> [EMAIL PROTECTED]

--
Firewalls mailing list - [ [EMAIL PROTECTED] ]
To unsubscribe: http://www.isc.org/services/public/lists/firewalls.html
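Ben's "at least 64 bits of entropy" floor for an IKE shared secret, as an added example that is not part of the original thread: a small POSIX shell script that estimates the entropy of a candidate pre-shared key from the alphabet it uses and its length, checks it against that floor, and generates a fresh key from /dev/urandom. It assumes only awk, od, tr and /dev/urandom are available; the function names psk_bits, psk_estimate, psk_check and psk_generate are my own, and the sample keys in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from any vendor: sizing an
# IKE pre-shared key against a 64-bit entropy floor.

# Entropy in bits of a key of LENGTH symbols drawn uniformly at random from
# an alphabet of SIZE symbols: floor(length * log2(size)).
psk_bits() {
    awk -v n="$1" -v len="$2" 'BEGIN { printf "%d\n", int(len * log(n) / log(2)) }'
}

# Classify the alphabet a candidate key actually uses (lowercase hex,
# alphanumeric, or full printable ASCII) and report its entropy on the
# generous assumption that every character was chosen uniformly at random.
# A word like "password" (constructed sample) is not random at all, so the
# figure is an upper bound, not a guarantee.
psk_estimate() {
    key="$1"
    len=${#key}
    if [ -z "$(printf '%s' "$key" | tr -d '0-9a-f')" ]; then
        size=16      # hex digits only, e.g. output of md5sum (constructed sample)
    elif [ -z "$(printf '%s' "$key" | tr -d '0-9A-Za-z')" ]; then
        size=62      # letters and digits
    else
        size=95      # printable ASCII
    fi
    psk_bits "$size" "$len"
}

# Does the candidate key reach the 64-bit floor? Prints "ok" or "weak".
psk_check() {
    if [ "$(psk_estimate "$1")" -ge 64 ]; then
        echo ok
    else
        echo weak
    fi
}

# Generate a key carrying NBITS (default 128) of entropy as lowercase hex,
# read straight from the kernel's random source.
psk_generate() {
    nbits=${1:-128}
    nbytes=$(( (nbits + 7) / 8 ))
    head -c "$nbytes" /dev/urandom | od -An -tx1 | tr -d ' \n'
}
```

Sixteen hex digits give exactly 64 bits, which is why "about 16 random characters" works for hex output such as an MD5 digest (32 hex digits, 128 bits); sixteen characters drawn from the full printable set carry roughly 105 bits, while eight lowercase letters reach only about 37 and fail the check however exotic they look.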
