Grant_Aksys
Sep 21, 2020 Follower
How old is the BR200
I am in Canada. I was going to buy the BR500 from my distributor and they said that it was discontinued and replaced with the BR200. Is the BR200 better than the BR500? How long has the 200 been m...
ZenC
Sep 29, 2020 Tutor
According to the data sheet, BR200 only supports MD5 and SHA1 for VPN message authentication, while BR500 supports SHA1, SHA256, SHA384 or SHA512. Of course those are more secure. Is it true that the successor BR200 now only supports SHA1?
schumaku
Sep 30, 2020 Guru - Experienced User
ZenC wrote: According to the data sheet, BR200 only supports MD5 and SHA1 for VPN message authentication, while BR500 supports SHA1, SHA256, SHA384 or SHA512.
According to the BR500 Data Sheet there are only MD5 and SHA1 listed, too. It's under-marketed in the data sheet (the now no longer promoted Instant VPN stuff took by far too much room!) and the data sheet requires a review, BretD please.
ZenC wrote: Of course those are more secure. Is it true that the successor BR200 now only supports SHA1?
Still doubt these features are removed from the BR200 - here the relevant BR500 User Manual sections while the BR200 isn't available yet:
- ZenC Oct 24, 2020 Tutor
You're right, the data sheets for both routers only list MD5 and SHA1.
I got the confirmation that advanced hash algorithms are not available for the BR200 on a site-to-site VPN. You cannot build a site-to-site VPN with advanced hash algorithms. This is not good practice, especially for a product named business router. Therefore, comparing the User Manual of BR500, this feature seems to be removed indeed from the BR200.
BretD: Is this information correct?
There is OpenVPN available, but it can be only configured as VPN access point for clients, no site-to-site.
Will this be added in a later firmware release? Right now I wouldn't consider the BR200.
- YeZ Oct 26, 2020 NETGEAR Expert
BR200 is a lower price product versus BR500. BR200 OpenVPN supports the same way as BR500, only as an OpenVPN server, there is no site-2-site option with OpenVPN on either BR200 or BR500.
You can set up site-2-site on two BR200 routers with IPSec.
- ZenC Dec 03, 2020 Tutor
Got it, but that's not my point. Speaking about IPSec site-2-site VPN, it's not possible to use an industry good practice hash algorithm with BR200. Correct me if I'm wrong.
The strongest algorithm BR200 offers is SHA-1, but it's already discouraged to use this one.
See for example:
Guide to IPsec VPNs (nist.gov)
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)
Page VII: SHA-1 is legacy. Page 34: When migrating from IKEv1 to IKEv2, an upgrade of the algorithms used is strongly recommended. 3DES, MD5, SHA-1, and DH Groups 2 and 5 should not be used. Instead, AES-CBC with HMAC-SHA-2 or AES-GCM with either DH group 14 or an ECDH group (19, 20, or 21) should be used.
Hence my question if there will be a firmware update for that business product?