topic ASA does not have the ability in Network Security

Can Diffie-Hellman Group 14 be configured on ASA5520, v9.1(6)11

scottsassin — Tue, 12 Mar 2019 09:37:17 GMT

I am creating a VPN between an ASA and a Juniper SRX, using IKEv1. The owner of the Juniper SRX is asking for DH group 14. I only see how to configure DH group 5 using the ASA ASDM.

How does one configure DH group 14 on the ASA?

ASA does not have the ability

Rahul Govindan — Thu, 22 Jun 2017 17:46:09 GMT

ASA does not have the ability to do DH group 14 with IKEv1, you would need to use IKEv2 to do this. There is an open enhancement request for this capability:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv51888/?referring_site=bugquickviewredir

You would have to use the next best option: DH group 5, if you have to use IKEv1.

How does one configure ikev2

scottsassin — Thu, 22 Jun 2017 19:25:07 GMT

How does one configure ikev2 with DH14? I still only see 1,2,5 as choices.

You should use the ikev2

Rahul Govindan — Thu, 22 Jun 2017 19:44:14 GMT

You should use the ikev2 policy command:

crypto ikev2 policy 100
 encryption aes
 integrity sha
 group 14
 prf sha
 lifetime seconds 86400

According to the command reference, you should be able to add Group 14 from 9.0(1) onwards:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/gh.html

Can I also add DH-group 14

scottsassin — Thu, 22 Jun 2017 19:59:22 GMT

Can I also add DH-group 14 for Perfect Forward Secrecy?

Sure you can. Command is:

Rahul Govindan — Thu, 22 Jun 2017 20:08:46 GMT

Sure you can. Command is:

crypto map <map_name> <map_index> set pfs [group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24]

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_ike.html