
Encryption Protocols: DES, 3DES, AES for VPN 1


ForumKid (MIS, US), Dec 21, 2001

Ok, I'm learning about the different methods to connect via VPN.

This is my outcome (from what I have gathered off the net):
1) DES is old and cracked
2) 3DES is much better than DES, but a resource hog
3) AES can perform 300% better than 3DES
4) L2TP... well, not sure if this fits in here.

Just looking for the fastest encryption that I could possibly get using a cisco concentrator, cisco client, and WinXP machines.
 
DES, 3DES, AES, SHA1, etc. are hashing algorithms for security.

L2TP, PPTP and IPSec are VPN protocol types.

I've never noticed 3DES being a resource hog... my 506e works perfectly fine.

Computer/Network Technician
CCNA
 
DES, 3DES and AES are VPN encryption protocols. SHA-1 and MD5 are hashing algorithms.

Generally I use 3DES for encryption and SHA-1 for hashing for phase 1 (IKE) and phase 2 (IPSEC)

AES is now considered to be a better choice than 3DES for performance (and maybe security, but I can't back that up), but I do a lot of VPNs to different types of firewalls and so often have to use 3DES for compatibility.

SHA-1 is preferred over MD5 for hashing.

PPTP should be considered insecure and not used. L2TP is better, but IPSec would always be my first choice and for most firewalls is the de facto standard when configuring VPNs. I've built hundreds of VPNs over the past few years and dealt with a lot of external firewall support people, and we've never considered anything but IPSec, although I've had to convince a few IT managers that we should build an IPSec VPN rather than use L2TP to their Windows box. The firewall guys have always agreed with me ;-)

The Pix is great for VPNs, but the king has to be Checkpoint Firewall-1/VPN-1. It makes managing multiple sites much easier and is far easier to troubleshoot. Having said that, once you get a Pix VPN up they do tend to be rock solid. I have a VPN into work from my Cisco 1721 to my Pix and I've never had any issues since the day it was configured. Truly remarkable!

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Great explanation Chris. I oughta correct myself with my terminology of the hashing and encryption types.

Computer/Network Technician
CCNA
 
Cheers. I do spend an awful lot of my time dealing with VPNs these days and less and less time playing daft flash games on the internet and drinking tea. Oh, how the job has changed.

:)

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Hi guys, just to add some stuff to this good information:

You can find AES with different bit sizes, like AES-128, AES-192 and AES-256, and for sure the more bits you add to encrypt, the slower it will be.
AES should only be 30% faster than 3DES, not 300%...

L2TP is considered only in the case of remote users, nothing else, and should not be considered for anything else :)

I think AES-128 or 3DES with SHA1 is something quite nice to give you security. Choose certificates to establish the VPN if you can, or a pretty big and complex pre-shared key.

fred
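As an added illustration (not from any poster in this thread), here is what the choices discussed by Chris and fred look like as a Cisco IOS router configuration: an IKE phase 1 policy with AES-128 and SHA-1, an IPsec phase 2 transform set to match, and a 3DES transform set kept as a fallback for peers that cannot do AES. The syntax is IOS router syntax rather than the VPN 3000 concentrator's; the peer address, networks, ACL name and pre-shared key are constructed placeholders.

```text
! Legacy policy the thread advises against: single DES with MD5
! (left commented out here; shown only for contrast)
! crypto isakmp policy 20
!  encryption des
!  hash md5
!  authentication pre-share
!  group 1
!
! Phase 1 (IKE): AES-128 encryption, SHA-1 hashing, pre-shared key
crypto isakmp policy 10
 encryption aes 128
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key for the remote peer (key and 203.0.113.2 are placeholders)
crypto isakmp key REPLACE-WITH-LONG-RANDOM-KEY address 203.0.113.2
!
! Phase 2 (IPsec): ESP with AES-128 and HMAC-SHA-1
crypto ipsec transform-set AES128-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Fallback for peers that only support 3DES (the compatibility case above)
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
! Interesting traffic between the two sites (constructed private ranges)
ip access-list extended VPN_TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map: AES-128 set is offered first, 3DES only if the peer rejects it
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES128-SHA 3DES-SHA
 match address VPN_TRAFFIC
!
interface FastEthernet0/0
 crypto map VPNMAP
```

With a certificate-based deployment, `authentication pre-share` becomes `authentication rsa-sig` and the `crypto isakmp key` line is replaced by a trustpoint, which is the certificate option fred mentions.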
 
Good points.

**********************
Chris A.C, CCNA, CCSA
**********************
 