IPsec Site-to-Site
-
Is using a IPsec Site-to-Site VPN safe?
-
So long as you're using half decent encryption (128-bit AES or higher) there's not much that's more secure aside from having no connection at all
-
@manxam said in IPsec Site-to-Site:
So long as you're using half decent encryption (128-bit AES or higher) there's not much that's more secure aside from having no connection at all
How is 128-bit AES only "half decent"?
-
As mentioned - as long as you're using a known safe cypher, you're traffic shouldn't be sniffed while transversing the site to site.
-
These are the current Australian government cybersecurity guidelines on recommended cryptographic algorithms. Can be a good reference point to start from.EDIT: link - https://www.cyber.gov.au/ism/guidelines-for-using-cryptography
-
Can you define what do you mean by secure on this case?
-
@Obsolesce : Because, while 128-bit AES has not yet been cracked (that we're aware of), many "governing bodies" consider it the absolute minimum encryption level -- assuming that they approve its use at all.
Taurex' chart below is one such example. -
@manxam said in IPsec Site-to-Site:
@Obsolesce : Because, while 128-bit AES has not yet been cracked (that we're aware of), many "governing bodies" consider it the absolute minimum encryption level -- assuming that they approve its use at all.
Taurex' chart below is one such example.https://www.schneier.com/blog/archives/2009/07/another_new_aes.html
https://blog.1password.com/guess-why-were-moving-to-256-bit-aes-keys/
http://www.axantum.com/axcrypt/etc/seagate128vs256.pdf
There's an even better explanation that I seen a while back, but I can't find it now.
-
@VoIP_n00b said in IPsec Site-to-Site:
Is using a IPsec Site-to-Site VPN safe?
Using a site-to-site VPN is not safe in the first place. It completely bridges two disparate networks. Allowing an attacker on one network to attack the other network, without anything blocking it.
If you are fully prepared to trust everything on both networks, then sure, use it.
Yes, you need to use only known good ciphers. That is no different than any encrypted communications.
