https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939909#M1105019 <P>I had another customer's peer claim this as well. Often they are Just Wrong. ASA has supported IKEv2 with DH Group 14 since version 9.0 which is available even on the log-past-end-of-life ASA 5500 series (5505/5510/5520/5540/5550/5585).</P> <P><A href="https://community.cisco.com/t5/network-security/can-diffie-hellman-group-14-be-configured-on-asa5520-v9-1-6-11/td-p/3010274" target="_blank" rel="noopener">https://community.cisco.com/t5/network-security/can-diffie-hellman-group-14-be-configured-on-asa5520-v9-1-6-11/td-p/3010274</A></P> Fri, 13 Oct 2023 13:36:27 GMT Marvin Rhoads 2023-10-13T13:36:27Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939860#M1105008 <P>Hi guys,<BR />I am asking you for help in activating my DH group 5</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dhgroup.PNG" style="width: 207px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/199620i0FEF35591BEF9156/image-size/large?v=v2&amp;px=999" role="button" title="dhgroup.PNG" alt="dhgroup.PNG" /></span></P> Fri, 13 Oct 2023 12:20:15 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939860#M1105008 Diallo 2023-10-13T12:20:15Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939872#M1105011 <P>its been deprecated 6.7 onwards :</P> <TABLE border="1" width="100%"><CAPTION><SPAN class="table--title-label tabletitle">Table 2. </SPAN><SPAN class="tabletitle">Version 6.7.0 Deprecated Features</SPAN></CAPTION></TABLE> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html#id_110361" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html#id_110361</A></P> <P>&nbsp;</P> Fri, 13 Oct 2023 12:42:23 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939872#M1105011 balaji.bandi 2023-10-13T12:42:23Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939873#M1105012 <P>&nbsp;</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; - Its been flagged as<U> <FONT color="#FF6600">depreciated&nbsp;</FONT></U> ,<EM> hence can no longer be activated ,&nbsp;</EM></P> <P>M.</P> Fri, 13 Oct 2023 12:43:55 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939873#M1105012 Mark Elsen 2023-10-13T12:43:55Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939875#M1105013 <P>So there is no way to activate it???</P> Fri, 13 Oct 2023 12:51:53 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939875#M1105013 Diallo 2023-10-13T12:51:53Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939876#M1105014 <P>So also there is no other possibility of using version 1 or 2</P> Fri, 13 Oct 2023 12:54:51 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939876#M1105014 Diallo 2023-10-13T12:54:51Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939880#M1105016 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/831623">@Diallo</a> even on 7.3 you can still select DH group 5 to use in an IKEv2 policy. Although I would strongly recommend not doing so, as it's likely this will shortly be removed from FTD altogether (it has already been removed from ASA). I recommend you reconfigure the peer configuration to use a stronger DH group&nbsp; (19,20 or 21 etc).</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="RobIngram_0-1697201780367.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/199622i67B5B7D8E34D5E5B/image-size/medium?v=v2&amp;px=400" role="button" title="RobIngram_0-1697201780367.png" alt="RobIngram_0-1697201780367.png" /></span></P> <P>&nbsp;</P> Fri, 13 Oct 2023 12:58:33 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939880#M1105016 Rob Ingram 2023-10-13T12:58:33Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939895#M1105017 <P>I just have to use it in the creation of a VPN with a partner who uses ASA and tells me that he only uses versions 1,2 and 5.</P><P>With its status there can it work???</P> Fri, 13 Oct 2023 13:17:53 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939895#M1105017 Diallo 2023-10-13T13:17:53Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939899#M1105018 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/831623">@Diallo</a> yes, but if you use DH group 5 (whilst it's still available to deploy) you will not be able to upgrade your FTD in future, as I already stated the weaker ciphers (including DH group 5) will be removed in upcoming releases. I would suggest the partner upgrades their software to support stronger crypto, the DH groups their software supports is weak and insecure.</P> Fri, 13 Oct 2023 13:21:45 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939899#M1105018 Rob Ingram 2023-10-13T13:21:45Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939909#M1105019 <P>I had another customer's peer claim this as well. Often they are Just Wrong. ASA has supported IKEv2 with DH Group 14 since version 9.0 which is available even on the log-past-end-of-life ASA 5500 series (5505/5510/5520/5540/5550/5585).</P> <P><A href="https://community.cisco.com/t5/network-security/can-diffie-hellman-group-14-be-configured-on-asa5520-v9-1-6-11/td-p/3010274" target="_blank" rel="noopener">https://community.cisco.com/t5/network-security/can-diffie-hellman-group-14-be-configured-on-asa5520-v9-1-6-11/td-p/3010274</A></P> Fri, 13 Oct 2023 13:36:27 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939909#M1105019 Marvin Rhoads 2023-10-13T13:36:27Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939912#M1105020 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp;thank you very much for your suggestions.<BR />You are absolutely right, I will talk to the partner about updating their ASA if possible.</P><P>But in the meantime we are going to use group 5 there with its status like that.</P> Fri, 13 Oct 2023 13:46:33 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939912#M1105020 Diallo 2023-10-13T13:46:33Z https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939919#M1105021 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a>&nbsp;thank you very much for your solution I see that this is possible with ASA5520 for group 14</P> Fri, 13 Oct 2023 13:53:07 GMT https://community.cisco.com/t5/network-security/cisco-secure-firewall-threat-defense-v7/m-p/4939919#M1105021 Diallo 2023-10-13T13:53:07Z