topic Re: DH group24 (phase I)and set pfs group24 (phase II) in Network Security

DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Tue, 03 May 2022 20:57:05 GMT

Hi,

We still have some VPN site to site tunnels use group24. DH group24 (phase I)and set pfs group24 (phase II)

I know we should move to group14, but for some reasons we could change it right way,

I feel like using group24 cause a lot of unexpected issue between both ends of the tunnel. (We need to reset the tunnel to fix it)

Beside the security risk of using group24, will we have preferment issue ?

Thanks

Loc

Re: DH group24 (phase I)and set pfs group24 (phase II)

balaji.bandi — Tue, 03 May 2022 21:04:35 GMT

Not that aware you have issue, is both the side cisco ? what device is this ?

Re: DH group24 (phase I)and set pfs group24 (phase II)

Rob Ingram — Tue, 03 May 2022 21:07:14 GMT

@loc.nguyen not sure I fully understand your question.

You can specify multiple DH groups and specify an order, the peers will use the first mutual match.

DH group 24 has been depreciated in newer software versions, Cisco recommends DH group 19, 20.

Here is the Cisco Next Gen Encryption (NGE) guide for reference https://tools.cisco.com/security/center/resources/next_generation_cryptography

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Tue, 03 May 2022 21:26:40 GMT

Do you know if DH group 24 cause performance issue ?

Or it is just a security concern to use it?

Re: DH group24 (phase I)and set pfs group24 (phase II)

Rob Ingram — Tue, 03 May 2022 21:46:03 GMT

@loc.nguyen it's definately weak and best avoided.

What performance issues do you experience?

Re: DH group24 (phase I)and set pfs group24 (phase II)

MHM Cisco World — Tue, 03 May 2022 21:47:53 GMT

I don't think the DH group make tunnel stuck there is something elsa,
can you share config of ASA ?

if am right and recording to your previous post, and as I mention to check it,
the remote is recently add NAT device in between, and this make tunnel stuck and need to reset after work for a hours.
contact the remote ask him the IP and adjust the config to add new remote-id.

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Wed, 04 May 2022 01:26:33 GMT

The tunnel is freeze. It was stuck when it rekey or renegotiate the parameters I think. We need to reset it to make it works.

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Wed, 04 May 2022 01:28:17 GMT

Thanks I don't think it is a NAT issue.

It happens with a lot tunnels of our vendors.

There some tunnels I control both ends still have the issue.

Re: DH group24 (phase I)and set pfs group24 (phase II)

MHM Cisco World — Wed, 04 May 2022 01:55:29 GMT

You Are right If you control both end then DH group mismatch in PhaseII rekey is make tunnel stuck.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POf1CAG

https://community.juniper.net/communities/community-home/digestviewer/viewthread?MID=72612

two vendor same issue with DH group.
recommend to match the DH group in Phase I and Phase II.

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Wed, 04 May 2022 02:37:45 GMT

thanks

Re: DH group24 (phase I)and set pfs group24 (phase II)

Rob Ingram — Wed, 04 May 2022 15:20:30 GMT

@loc.nguyen which version, IKEv1 or IKEv2?

Which platform ASA, FTD or IOS?

If using IKEv1 check your lifetime timers are the same on both peers.

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Thu, 05 May 2022 15:13:19 GMT

We use IKEv2 only.

It happens all platform ASA and FTD and Checkpoint.

Re: DH group24 (phase I)and set pfs group24 (phase II)

MHM Cisco World — Thu, 05 May 2022 15:47:37 GMT

you mean that the two peers is ASA or ASA-FTD or ASA/FTD-Checkpoint ?

Re: DH group24 (phase I)and set pfs group24 (phase II)

loc.nguyen — Thu, 05 May 2022 16:00:11 GMT

All of them, but the issue happens the most on the pair FTD-Checkpoint

Re: DH group24 (phase I)and set pfs group24 (phase II)

MHM Cisco World — Thu, 05 May 2022 16:08:13 GMT

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122438