Re: How old is the BR200

Grant_Aksys · ‎2020-09-21

I am in Canada. I was going to buy the BR500 from my distributor and they said that it was discontinued and replaced with the BR200.

Is the BR200 better then the BR500?

How long has the 200 been manufactured for? How old is it?

It seems like there isn't a lot out there on the Internet on the BR200 (reviews and such). Why is that? Is it because it is really new?

schumaku · ‎2020-09-21

Brand new product - it's first Insight Managed Business Router Data Sheet BR200 dates from 8-SEP-2020. Highly incomplete and not sufficient information provided there why ever. Reads to me like a BR500 stripped from the (not-so) fameous Insight Instant VPN feature.

BretD · ‎2020-09-22

Good morning @Grant_Aksys

BR200 is brand new released Sep 22, 2020

The pages were available on our site a few days before the release announcement.

Learn more about BR200 Business Router.

ZenC · ‎2020-09-29

According to data sheet, BR200 only supports MD5 and SHA1 for VPN message authentication, while BR500 supports SHA1, SHA256, SHA384 or SHA512. Of course those are more secure. It it true that the successor BR200 now only supports SHA1 ??

schumaku · ‎2020-09-30

@ZenC wrote:
According to data sheet, BR200 only supports MD5 and SHA1 for VPN message authentication, while BR500 supports SHA1, SHA256, SHA384 or SHA512.

According to the BR500 Data Sheet there are only MD5 and SHA1 listed, too. It's under-marketed in the data sheet (the now no longer promoted Instant VPN stuf took by far to much room!) and the data sheet requires a review @BretD please.

@ZenC wrote:
Of course those are more secure. It it true that the successor BR200 now only supports SHA1 ??

Still doubt these features are removed from the BR200 - here the relevant BR500 User Manual sections while the BR200 isn't avilable yet:

ZenC · ‎2020-10-24

You're right, the data sheets for both routers only list MD5 and SHA1.

I got the confirmation that advanced hash algorithms are not available for the BR200 on a site-to-site VPN. You cannot build a site-to-site VPN with advanced hash algorithms. This is not good practice, especially for a product named business router. Therefore, comparing the User Manual of BR500, this feature seems to be removed indeed from the BR200.

@BretD: Is this information correct?

There is OpenVPN available, but it can be only configured as VPN access point for clients, no site-to-site.

Will this be added in a later firmware release? Right now I wouldn't consider the BR200.

schumaku · ‎2020-10-24

@YeZ please

YeZ · ‎2020-10-25

BR200 is a lower price product versus BR500. BR200 OpenVPN supports the same way as BR500, only as an OpenVPN server, there is no site-2-site option with OpenVPN on either BR200 or BR500.

You can set up site-2-site on two BR200 routers with IPSec.

ZenC · ‎2020-12-03

Got it, but that's not my point. Speaking about IPSec site-2-site VPN, it's not possible to use an industry good practice hash algorithm with BR200. Corret me, if I'm wrong.

The strongest algorithm BR200 offers is SHA-1, but it's already discouraged to use this one.

See for example:

Guide to IPsec VPNs (nist.gov)

(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-77r1.pdf)

Page VII: SHA-1 is legacy. Page 34: When migrating from IKEv1 to IKEv2, an upgrade of the algorithms used is strongly recommended. 3DES, MD5, SHA-1, and DH Groups 2 and 5 should not be used. Instead, AES-CBC with HMAC-SHA-2 or AES-GCM with either DH group 14 or an ECDH group (19, 20, or 21) should be used.

Hence my question if there will be a firmware update for that business product?

YeZ · ‎2020-12-04

Thank you for reporting this, this is a local device GUI issue on BR200. A workaround is to use Insight to config IPsec and get access to all IKEv2 options including sha-256 and beyond.