What are the recommended PFS settings in SANGFOR?

T0mmy (Lv1), posted 16 Nov 2024 15:10

What are the recommended PFS settings in SANGFOR? I have NSF-7100A-I.
For phase 1 I picked AES256 for encryption, SHA-256 for Hashing, D-H Group 14. For phase 2 I picked ESP, AES256, SHA-256, and PFS Group 14. But the device is telling me "the selected PFS and the recommended PFS must be the same." So I want to know what the recommended PFS is. Thanks in anticipation.

Farina Ahmed has solved this question and earned 20 coins.



Enrico Vanzetto (Lv4), posted 16 Nov 2024 23:22
  
Hi, as I know, the PFS settings are based on the device you have on the other side of the VPN site-to-site. I don't remember any specific settings that are recommended about PFS on Sangfor NSF.
Vorad (Lv1), posted 17 Nov 2024 13:13
  
The choice of PFS settings is certainly influenced by the characteristics of both the involved endpoints but there are certainly DH algorithms that are more secure than others.
The security of a Diffie-Hellman (DH) group depends on the size and type of the underlying prime numbers or elliptic curves used.

The most secure Diffie-Hellman group is currently considered to be Group 24 (2048-bit ECP) or higher, offering stronger encryption and resistance to attacks.

Group 24 (2048-bit ECP) uses elliptic curve cryptography (ECC), which provides high security with shorter key lengths, making it efficient and secure.

Group 14 (2048-bit MODP): With a 2048-bit modulus, this group offers a solid balance between computational requirements and security, resisting most known types of cryptographic attacks.

Groups 15 and 16 (3072 and 4096-bit MODP): These groups offer higher security levels due to their larger key sizes, making them more resistant to attacks but at the cost of increased computational overhead.

Group 18 (8192-bit MODP): This group provides extremely high security levels, suitable for environments where protection against future quantum computer attacks is considered.

So make sure that the PFS settings of the involved VPN endpoints match and ensure a sufficient level of security, deprecating any obsolete DH groups.
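To make "Group 14 (2048-bit MODP)" and "PFS" concrete, here is an added example that is not from this thread and not Sangfor code. It rebuilds the Group 14 prime from the formula RFC 3526 gives for it, checks that the result matches the hex printed in that RFC and that it is a safe prime, and then runs the per-Phase-2 ephemeral Diffie-Hellman exchange that PFS stands for: every Child SA rekey does its own exchange, so the keys of different SAs are independent. The hex constant and the formula are taken from RFC 3526; the function names, the Miller-Rabin check and the 256-bit exponent size are this example's own choices, not anything the NSF documents.

```python
# Added example (not from the Sangfor thread or Sangfor's own code): derive IKE
# DH Group 14 (2048-bit MODP) from its RFC 3526 definition, check it, and run
# the ephemeral exchange that gives a Phase 2 proposal its Perfect Forward Secrecy.
from decimal import Decimal, getcontext
import secrets

# The 2048-bit MODP prime exactly as printed in RFC 3526, section 3.
RFC3526_GROUP14_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
GENERATOR = 2  # every RFC 3526 MODP group uses g = 2


def group14_from_hex() -> int:
    return int("".join(RFC3526_GROUP14_HEX.split()), 16)


def pi_decimal(prec: int) -> Decimal:
    """pi to about `prec` digits via Machin: pi = 16*atan(1/5) - 4*atan(1/239)."""
    getcontext().prec = prec + 10
    eps = Decimal(10) ** -(prec + 5)

    def atan_inv(n: int) -> Decimal:
        # atan(1/n) = sum_{k>=0} (-1)^k / ((2k+1) * n^(2k+1))
        x = Decimal(1) / n
        term, total, k, sign = x, Decimal(0), 1, 1
        while term > eps:
            total += sign * term / k
            term *= x * x
            k += 2
            sign = -sign
        return total

    return 16 * atan_inv(5) - 4 * atan_inv(239)


def group14_from_formula() -> int:
    """RFC 3526 defines the 2048-bit prime as 2^2048 - 2^1984 - 1 + 2^64 * {[2^1918 pi] + 124476},
    [x] being the floor: the middle bits are digits of pi, a "nothing up my sleeve" modulus."""
    pi = pi_decimal(640)  # 2^1918 * pi has 578 integer digits; 640 leaves a safe margin
    floor_part = int(Decimal(2) ** 1918 * pi)
    return 2**2048 - 2**1984 - 1 + 2**64 * (floor_part + 124476)


def is_probable_prime(n: int, rounds: int = 8) -> bool:
    """Miller-Rabin with random witnesses; plenty to catch a typo in a copied modulus."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2  # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """RFC 3526 groups are safe primes (q = (p-1)/2 is prime), so g = 2 generates a
    subgroup of large prime order and small-subgroup confinement leaks at most one bit."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def dh_keypair(p: int, exp_bits: int = 256) -> tuple[int, int]:
    """Fresh ephemeral exponent x and public value g^x mod p. A 256-bit exponent
    is inside the range RFC 3526 section 8 suggests for the 2048-bit group."""
    x = secrets.randbits(exp_bits) | (1 << (exp_bits - 1))  # fixed length, never tiny
    return x, pow(GENERATOR, x, p)


def dh_shared_secret(priv: int, peer_pub: int, p: int) -> int:
    """g^(xy) mod p, after rejecting the trivial-subgroup values 1 and p-1 and
    anything out of range, as a careful IKE peer does before exponentiating."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("peer public value outside (1, p-1)")
    return pow(peer_pub, priv, p)


def pfs_rekey_demo(p: int, rekeys: int = 2) -> list[int]:
    """Model `rekeys` Phase 2 (Child SA) negotiations with PFS on: each one runs its
    own ephemeral DH, so each SA's key is independent of every other. Returns the secrets."""
    keys = []
    for _ in range(rekeys):
        xi, gi = dh_keypair(p)  # initiator
        xr, gr = dh_keypair(p)  # responder
        ki = dh_shared_secret(xi, gr, p)
        kr = dh_shared_secret(xr, gi, p)
        assert ki == kr  # both ends agree on this SA's secret
        keys.append(ki)
    return keys


if __name__ == "__main__":
    P = group14_from_formula()
    print("bits:", P.bit_length(), "matches RFC 3526 text:", P == group14_from_hex(),
          "safe prime:", is_safe_prime(P))
    k1, k2 = pfs_rekey_demo(P)
    print("two rekeyed SAs share a key:", k1 == k2)  # False: that independence is PFS
```

The same two checks, bit length and primality, are what a practitioner would run against any proposal entry copied from a vendor UI or a peer's configuration before trusting the label "Group 14"; the rekey demo is why a Phase 2 proposal carries its own DH group at all rather than reusing Phase 1's key material.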
Prosi (Lv3), posted 18 Nov 2024 12:34
  
Hi,
The recommended PFS is group 14 (2048-bit), which is widely considered a good balance between security and performance.
Farina Ahmed (Lv5), posted 18 Nov 2024 13:52
  
The error message you are facing typically means that the selected PFS (Perfect Forward Secrecy) settings in Phase 2 do not match the recommended or required PFS settings for your SANGFOR NSF-7100A-I device. For most configurations, the recommended PFS group for Phase 2 is Group 14 (2048-bit). However, if the device specifies a different group or version, it might recommend Group 2 or Group 14 for both Phase 1 and Phase 2 to ensure consistency.
Sheikh_Shani (Lv2), posted 19 Nov 2024 14:23
  
The problem notice you are seeing usually indicates that the PFS (Perfect Forward Secrecy) settings you chose in Phase 2 do not correspond to the PFS parameters that your SANGFOR NSF-7100A-I device requires or recommends. Group 14 (2048-bit) is the suggested PFS group for Phase 2 for the majority of systems. To maintain consistency, the device may suggest Group 2 or Group 14 for both Phase 1 and Phase 2 if it specifies a different group or version.
Zonger (Lv5), posted 20 Nov 2024 19:25
  
The error suggests a mismatch between the selected Perfect Forward Secrecy (PFS) parameters in Phase 2 and the PFS settings required for your SANGFOR NSF-7100A-I device. Typically, Group 14 (2048-bit) is the standard PFS group used in Phase 2, but the device may need either Group 2 or Group 14 for both Phase 1 and Phase 2 to maintain consistent cryptographic settings for the VPN tunnel.
T0mmy (Lv1), posted 21 Nov 2024 19:36
  
Hi everyone. I appreciate all of your responses and I agree with what y'all have said. So this particular device had 6 entries by default for the phase 2 proposal. Initially I figured I just needed to add my own preferred proposal to that list and then because the opposite VPN endpoint had the parameter config previously agreed on, the devices would negotiate and settle for that. But I kept getting the error. So eventually, I basically deleted all the default entries, and then the device accepted the proposal I wanted for phase 2.
