
SSL VPN - changing cryptographic settings - will user cert/config regeneration take place

We just found the problem for our daily VPN Client connection losses after 8 hours in the VPN SSL Advanced Cryptographic settings. The key lifetime is set by default to 28800 sec which corresponds to exactly 8 hours.

Now if we change the value to 16 hours and eventually change the key size to 2048 bit (which can be omitted), will the user certificates and/or the SSL VPN configuration change in a way where users will be forced to download a new configuration updater from the User Portal to be able to connect again?

I'm asking because in that case I will have to prepare and educate our users before the change takes place.

BTW: does an increased key size also need higher CPU performance on the router and on the endpoint?



  • FormerMember

    Hi,

    Thanks for reaching out to the Community! 

    Changing the key life value and key size doesn't require a new configuration, and it won't re-generate the user certificate. 

    However, while I replicated these changes, a connected user got disconnected for a few seconds, then reconnected automatically. I would schedule a maintenance window to make these changes so it won't affect the production environment. 

    Yes, increasing the encryption key requires more resources. 

    Thanks,

  • Hello Chris,

    You will also want to test throughput with compression disabled as throughput with slower CPUs is reduced, not increased, by compression.  

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for pointing this out. While talking about CPU and performance, is there a general rule of thumb when the appliance should be upgraded to a more powerful version or compression should be disabled in order to sacrifice bandwidth?


    We currently have an SG210 and the usual daily CPU usage peak is at about 25%, average 11%, rare peaks at 70%.
    We have 2 IPSec tunnels and about 30 concurrent VPN SSL sessions during the day.

  • I rarely recommend compression with the SSL VPN - I think, with today's connection speeds, the only time compression makes sense is if your ISP charges by the number of bytes sent/received.  Upgrade decisions depend on at least a few more factors, so I would find a trustworthy Sophos reseller and lean heavily on them for advice.

    The 210 has a dual-core Celeron at 2.7GHz.  My lab UTM has a dual-core Pentium at 2.6GHz.  I experimented with SHA2 256 and a 2048-bit key.  I decided that slowed things down too much and so went back to SHA and 1024.  With GDPR, you might not have that option.  Please let us know your results.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
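The thread asks whether a 2048-bit key costs more CPU and whether the appliance is oversized or undersized for ~30 SSL VPN sessions. The script below is an added example and is not from the thread, from Sophos, or from any of the posters. It parses the summary table that `openssl speed rsa1024 rsa2048` prints, works out how many times slower the private-key operation becomes, and relates that to the steady-state renegotiation rate implied by the number of sessions and the configured key lifetime (the RSA key is only exercised during the TLS handshake and each rekey; per-packet cost comes from the bulk cipher, HMAC and compression, which this script does not measure). The numbers in `SAMPLE_SPEED_OUTPUT` are constructed for the example, not measured on an SG210; `measure_live()` runs the real `openssl speed` on whatever host executes the script if `openssl` is installed.

```python
"""Relate RSA key size to SSL VPN handshake load.

Added example (not the thread's or Sophos' code). It parses the summary
table printed by `openssl speed rsa1024 rsa2048` and compares the signing
rate with the rekey rate implied by session count and key lifetime.
"""
import re
import shutil
import subprocess

# Constructed sample of the openssl speed summary table. These are NOT
# real measurements from an SG210; replace them with measure_live() output.
SAMPLE_SPEED_OUTPUT = """\
                  sign    verify    sign/s verify/s
rsa 1024 bits 0.000080s 0.000005s  12500.0 200000.0
rsa 2048 bits 0.000500s 0.000015s   2000.0  66666.7
"""

# One summary row: "rsa <bits> bits <sign>s <verify>s <sign/s> <verify/s>"
ROW_RE = re.compile(
    r"^rsa\s+(\d+)\s+bits\s+([\d.]+)s\s+([\d.]+)s\s+([\d.]+)\s+([\d.]+)",
    re.MULTILINE,
)


def parse_rsa_speed(output):
    """Parse the openssl speed summary into {bits: {metric: value}}."""
    rows = {}
    for m in ROW_RE.finditer(output):
        rows[int(m.group(1))] = {
            "sign_s": float(m.group(2)),        # seconds per private-key op
            "verify_s": float(m.group(3)),      # seconds per public-key op
            "sign_per_s": float(m.group(4)),    # private-key ops per second
            "verify_per_s": float(m.group(5)),  # public-key ops per second
        }
    return rows


def slowdown_factor(rows, old_bits=1024, new_bits=2048):
    """How many times slower one private-key (sign) operation becomes."""
    return rows[old_bits]["sign_per_s"] / rows[new_bits]["sign_per_s"]


def rekey_load(rows, bits, sessions, key_lifetime_s):
    """Fraction of one core's RSA signing capacity used by steady-state
    renegotiations, assuming each session rekeys once per key lifetime
    and each rekey costs one private-key operation on the appliance."""
    renegotiations_per_s = sessions / key_lifetime_s
    return renegotiations_per_s / rows[bits]["sign_per_s"]


def measure_live():
    """Run openssl speed on this host; return parsed rows or None if absent."""
    if shutil.which("openssl") is None:
        return None
    proc = subprocess.run(
        ["openssl", "speed", "rsa1024", "rsa2048"],
        capture_output=True, text=True, check=False,
    )
    return parse_rsa_speed(proc.stdout)


if __name__ == "__main__":
    rows = measure_live() or parse_rsa_speed(SAMPLE_SPEED_OUTPUT)
    sessions, lifetime = 30, 16 * 3600  # thread's figures: ~30 sessions, 16 h
    print(f"2048 vs 1024 sign slowdown: {slowdown_factor(rows):.1f}x")
    for bits in (1024, 2048):
        load = rekey_load(rows, bits, sessions, lifetime)
        print(f"rsa{bits}: rekey load {load:.2e} of one core's signing capacity")
```

With the thread's own figures (30 sessions, 16-hour lifetime) the rekey rate is about one renegotiation every half hour, so even the slower 2048-bit operation is a negligible share of a core; a visible slowdown after the change therefore points at the per-packet path (cipher, HMAC, compression) or at connection bursts, which is what to benchmark next.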