Jim,
> We are looking at using Checkpoint VPN-1 in multiple locations globally and
> heard that if one module uses 3DES and another DES they can't "talk" to each
> other. Is this accurate and if so how do you work around it? Thanks in
> advance for your help.
>
What do you mean by 'one module uses 3DES and another DES'?

If you mean that the software and license on one end is DES rather than
3DES, then that is not true. A module with 3DES software CAN be configured
to use weaker algorithms to encrypt.

If you mean the configuration for encryption on the rules in the
corresponding rulebases, then you are correct, because both ends must agree
on the encryption parameters to be used, before an encrypted packet can be
correctly decrypted. Those parameters include:
- which protocol to use (IKE, Manual IPSEC, SKIP or FWZ)
- what encryption to use (3DES, DES, CAST, or 40bit) [remember that your
  choice of protocol affects which encryption options are available]
- what data integrity to use

This means that you must choose parameters for the connection which are
acceptable to both ends. So you can't use 3DES to encrypt if the remote
doesn't have a license (and software) for strong encryption.

Tim
--
Timothy Frost mailto:[EMAIL PROTECTED]
EDS New Zealand Fax: +64-4-495-0473
8 Gilmer Terrace Phone: +64-4-495-0504
P O Box 3647
Wellington
New Zealand
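
The agreement rule described in the reply above, as an added example that is not part of the original message and is not Check Point code. It models two modules' rule settings and reports why they could not exchange encrypted traffic. The class and function names, the module names, the MD5/SHA1 integrity values, and the treatment of every algorithm other than 3DES as usable without a strong license are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

# Per the message, 3DES needs a strong-encryption license (and software).
# Assumption: every other listed algorithm is usable on any module.
STRONG_ONLY = {"3DES"}
CANDIDATES = ("3DES", "DES", "CAST", "40bit")  # encryption options named in the message

@dataclass(frozen=True)
class RuleCrypto:
    scheme: str      # IKE, Manual IPSEC, SKIP or FWZ
    encryption: str  # one of CANDIDATES
    integrity: str   # constructed sample values: MD5 or SHA1

@dataclass(frozen=True)
class Module:
    name: str
    strong_license: bool
    rule: RuleCrypto

def problems(a: Module, b: Module) -> list[str]:
    """Reasons encrypted traffic between a and b would fail; empty list means OK."""
    found = []
    for m in (a, b):
        if m.rule.encryption in STRONG_ONLY and not m.strong_license:
            found.append(f"{m.name}: {m.rule.encryption} needs a strong-encryption license")
    for field in ("scheme", "encryption", "integrity"):
        va, vb = getattr(a.rule, field), getattr(b.rule, field)
        if va != vb:
            found.append(f"{field} mismatch: {a.name}={va}, {b.name}={vb}")
    return found

def usable_encryption(a: Module, b: Module) -> list[str]:
    """Algorithms both ends are licensed to use, strongest candidate first."""
    both_strong = a.strong_license and b.strong_license
    return [c for c in CANDIDATES if both_strong or c not in STRONG_ONLY]

# Constructed sample: a 3DES-licensed site and a DES-only site.
HQ = Module("hq", True, RuleCrypto("IKE", "3DES", "SHA1"))
BRANCH = Module("branch", False, RuleCrypto("IKE", "DES", "SHA1"))
# The workaround from the reply: configure the 3DES-capable end down to DES.
HQ_FIXED = replace(HQ, rule=replace(HQ.rule, encryption="DES"))

if __name__ == "__main__":
    print(problems(HQ, BRANCH))
    print(usable_encryption(HQ, BRANCH))
    print(problems(HQ_FIXED, BRANCH))
```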