
VPN S2S IPsec DH-Groups

ipsec vpn security

7 replies to this topic

#1 Gerhard Ehrenmüller

Gerhard Ehrenmüller
  • Members
  • 30 posts

Posted 01 June 2015 - 11:25 AM

We would like to see support for higher DH groups, for groups lower than 14 are not considered safe anymore.

 

Since we work with business partners, turning to TINA-Tunnel is no option.

 

Diffie-Hellman group 1  -  768 bit modulus  - AVOID
Diffie-Hellman group 2  - 1024 bit modulus  - AVOID
Diffie-Hellman group 5  - 1536 bit modulus  - AVOID
Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.
 



#2 Markus Lang

Markus Lang
  • Moderators
  • 389 posts

Posted 12 August 2015 - 08:35 AM

Dear All,

 

we are already working on implementing elliptic curve encryption in our VPN engine for both TINA and IPSec.


Director, Product Management


#3 Gerhard Ehrenmüller

Gerhard Ehrenmüller
  • Members
  • 30 posts

Posted 18 August 2015 - 05:10 AM

Dear Mr. Lang,

 

good to hear - do you have a rough estimation about a possible release date?

 

will it be a matter of months, years?

 

thank you.



#4 Gerhard Ehrenmüller

Gerhard Ehrenmüller
  • Members
  • 30 posts

Posted 27 November 2015 - 05:16 AM

any estimations?



#5 Gerhard Ehrenmüller

Gerhard Ehrenmüller
  • Members
  • 30 posts

Posted 26 January 2016 - 07:24 AM

nothing?

 

it seems to me that there might be some consideration that a too good encryption is not in the interest of Barracuda. might be because of demands of the US gov?

 

ok, i get my tinfoil hat!



#6 Bernhard Neuner

Bernhard Neuner
  • Members
  • 18 posts
  • Location: Tirol, Austria

Posted 26 January 2016 - 11:55 AM

With the version 6.2 you can also choose DH Group 14 to 18 on IKEv1 Tunnels and DH Group 14 to 24 in IKEv2.



#7 Gerhard Ehrenmüller

Gerhard Ehrenmüller
  • Members
  • 30 posts

Posted 29 January 2016 - 03:31 AM

hey! wow, but sad to hear nothing until asked for...

this is not even mentioned in the firmware announcements...



#8 Matthias Maschler

Matthias Maschler
  • Barracuda Team Members
  • 105 posts
  • Location: Innsbruck

Posted 29 January 2016 - 04:40 AM

Hi Gerhard,

 

And thanks for your feedback.

 

A detailed list of firmware improvements, new features, and bug fixes can be found in the Release Notes for the respective firmware version.

The Release Notes for NextGen F version 6.2 can be found here: https://techlib.barr...62/ReleaseNotes

 

We recommend having a look at the Release Notes before applying updates to your firewall, to avoid update/migration issues that may arise in certain situations.

 

Thanks and Kind Regards,

Matthias 




