DH group24 (phase I) and set pfs group24 (phase II)

loc.nguyen
Level 1

Hi,

We still have some site-to-site VPN tunnels that use group 24: DH group 24 (phase I) and set pfs group 24 (phase II).

I know we should move to group 14, but for some reasons we can't change it right away.

I feel like using group 24 causes a lot of unexpected issues between both ends of the tunnel. (We need to reset the tunnel to fix it.)

Besides the security risk of using group 24, will we have performance issues?

Thanks

Loc

14 Replies

balaji.bandi
Hall of Fame

Not aware that you had an issue. Are both sides Cisco? What device is this?

BB


@loc.nguyen not sure I fully understand your question.

You can specify multiple DH groups and specify an order; the peers will use the first mutual match.

DH group 24 has been deprecated in newer software versions. Cisco recommends DH groups 19 and 20.

Here is the Cisco Next Gen Encryption (NGE) guide for reference https://tools.cisco.com/security/center/resources/next_generation_cryptography

 

Do you know if DH group 24 causes performance issues?

Or is it just a security concern to use it?

@loc.nguyen it's definitely weak and best avoided.

What performance issues do you experience?

The tunnel freezes. It gets stuck when it rekeys or renegotiates the parameters, I think. We need to reset it to make it work.

@loc.nguyen which version, IKEv1 or IKEv2?

Which platform ASA, FTD or IOS?

If using IKEv1 check your lifetime timers are the same on both peers.

We use IKEv2 only.

It happens on all platforms: ASA, FTD and Check Point.

You mean that the two peers are ASA-ASA, ASA-FTD or ASA/FTD-Check Point?

All of them, but the issue happens the most on the FTD-Check Point pair.

I don't think the DH group makes the tunnel stuck; there is something else.
Can you share the config of the ASA?

If I am right, and according to your previous post, as I mentioned to check:
the remote side recently added a NAT device in between, and this makes the tunnel stuck and in need of a reset after working for a few hours.
Contact the remote side, ask them for the IP, and adjust the config to add the new remote-id.

Thanks. I don't think it is a NAT issue.

It happens with a lot of our vendors' tunnels.

There are some tunnels where I control both ends that still have the issue.

You are right. If you control both ends, then a DH group mismatch in the Phase II rekey makes the tunnel stuck.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POf1CAG

https://community.juniper.net/communities/community-home/digestviewer/viewthread?MID=72612

Two vendors, same issue with the DH group.
I recommend matching the DH group in Phase I and Phase II.
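As an added example (not part of any reply above, and not configuration from the original poster's devices), here is what the two recommendations in this thread look like on an ASA: offering several DH groups in preference order so the peers settle on the first mutual match, and pinning the Phase II PFS group to one that every peer accepts instead of group 24. The policy number, proposal and crypto map names, ACL name and peer address 203.0.113.10 are placeholders chosen for the example; the Phase I / Phase II layout is the same on FTD, and whatever the remote vendor is, its Phase II PFS group has to match the `set pfs` value.

```text
! Before: the weak setting this thread is about. Only group 24 is offered in
! Phase I, and Phase II PFS is pinned to group 24 as well. Names are
! hypothetical, not taken from the thread.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 24
 prf sha256
 lifetime seconds 86400
crypto map OUTSIDE_MAP 10 set pfs group24

! After: Phase I lists the DH groups in preference order; the peers use the
! first mutual match (19, then 20, then 14 here). Phase II PFS accepts only
! one group, so pick one that the peer's proposal also contains and keep it
! consistent with what Phase I settles on, so a CHILD_SA rekey cannot fail
! on a group the other side does not offer.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 19 20 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto map OUTSIDE_MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal ESP-AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group19
crypto map OUTSIDE_MAP interface outside

! Check which group each SA actually negotiated after the change, and again
! after the first rekey, since the rekey is where the mismatch shows up:
show crypto ikev2 sa detail
show crypto ipsec sa peer 203.0.113.10
```

The `crypto ikev2 policy` applies to every peer terminating on that interface, while `set pfs` is per crypto map entry, so peers that cannot yet be moved off group 24 can keep their own entry with `set pfs group24` (and group 24 left in the policy list, last) until the remote side is upgraded, without holding the others back.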

loc.nguyen
Level 1

thanks
