06-22-2017 10:37 AM - edited 03-12-2019 02:37 AM
I am creating a VPN between an ASA and a Juniper SRX, using IKEv1. The owner of the Juniper SRX is asking for DH group 14. I only see how to configure DH group 5 using the ASA ASDM.
How does one configure DH group 14 on the ASA?
06-22-2017 10:46 AM
The ASA does not have the ability to do DH group 14 with IKEv1; you would need to use IKEv2 to do this. There is an open enhancement request for this capability:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuv51888/?referring_site=bugquickviewredir
If you have to use IKEv1, you would have to use the next best option: DH group 5.
06-22-2017 12:25 PM
How does one configure IKEv2 with DH group 14? I still only see 1, 2, 5 as choices.
06-22-2017 12:44 PM
You should use the ikev2 policy command:
crypto ikev2 policy 100
encryption aes
integrity sha
group 14
prf sha
lifetime seconds 86400
According to the command reference, you should be able to add Group 14 from 9.0(1) onwards:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/gh.html
06-22-2017 12:59 PM
Can I also add DH group 14 for Perfect Forward Secrecy?
06-22-2017 01:08 PM
Sure you can. The command is:
crypto map <map_name> <map_index> set pfs [group1 | group2 | group5 | group14 | group19 | group20 | group21 | group24]
Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_ike.html