
FMC/FTD 6.5 IKEv2

benolyndav
Level 8

Hi

I can see on our FMC/FTD that our tunnels use the default IKEv2 policy, which includes DH groups 5 and 2. If I want to establish a new tunnel but want to use DH group 14, will this require creating another IKEv2 policy and selecting DH group 14, or can I simply select group 14 when configuring the new tunnel? Also, if I do need a new IKEv2 policy, is it OK to use it on just the new tunnel? I mean, it won't affect the existing tunnels and the default IKEv2 policy they use?

Thankyou


5 Replies

@benolyndav 

I would create a new IKEv2 Policy without DH groups 2 and 5, and just include DH group 14. You can apply this IKEv2 policy to just the VPN topology you want. It will not apply to the existing tunnels, unless you modify the existing policy or specifically change the policy used.

FYI, if you upgrade to newer FTD versions those DH groups have been deprecated, as have some encryption/hashing algorithms, as they are insecure.

benolyndav
Level 8

Thanks Rob

@benolyndav 

To be exact, from version 6.6 those algorithms have been deprecated, so consider changing your VPNs sooner rather than later.

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/relnotes/firepower-release-notes-660/features.html

 

Version 6.6.0 deprecates the following Firepower Threat Defense security features:

  • Diffie-Hellman groups: 2, 5, and 24.

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

  • Hash algorithms: MD5.
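As an added example (not from this thread, and not Cisco's code), here is a small Python script that builds a DH-group-14-only IKEv2 policy object and checks any policy against the 6.6.0 deprecation list quoted above before it is posted to FMC. The JSON field names (diffieHellmanGroups, encryptionAlgorithms, integrityAlgorithms, prfIntegrityAlgorithms, lifetimeInSeconds, type) are my assumption about the FMC REST API's IKEv2Policy model and should be confirmed in API Explorer on your own FMC; DEFAULT_POLICY is a constructed stand-in for the factory default policy, not a copy from a real device; the priority range 1..65535 is the usual IKEv2 policy range and is likewise an assumption.

```python
import json

# Deprecated in FTD 6.6.0 per the Cisco release notes quoted in the thread.
DEPRECATED_DH_GROUPS = {2, 5, 24}
DEPRECATED_ENCRYPTION = {"DES", "3DES", "AES-GMAC", "AES-GMAC-192", "AES-GMAC-256"}
DEPRECATED_HASHES = {"MD5"}


def build_ikev2_policy(name, priority, dh_groups, encryption, integrity, prf,
                       lifetime=86400):
    """Return a policy object in the shape assumed for the FMC REST API IKEv2Policy model.

    The field names are an assumption (verify in FMC API Explorer); the 1..65535
    priority range is the usual IKEv2 policy range and is also an assumption.
    """
    if not 1 <= priority <= 65535:
        raise ValueError("priority must be 1..65535")
    return {
        "name": name,
        "priority": priority,
        "diffieHellmanGroups": list(dh_groups),
        "encryptionAlgorithms": list(encryption),
        "integrityAlgorithms": list(integrity),
        "prfIntegrityAlgorithms": list(prf),
        "lifetimeInSeconds": lifetime,
        "type": "IKEv2Policy",
    }


def deprecated_items(policy):
    """Return {field: [deprecated values]} for anything 6.6.0 deprecates; {} if clean.

    Integrity and PRF hashes are reported together under the (locally chosen)
    key 'hashAlgorithms'.
    """
    findings = {}
    dh = [g for g in policy["diffieHellmanGroups"] if g in DEPRECATED_DH_GROUPS]
    enc = [a for a in policy["encryptionAlgorithms"] if a in DEPRECATED_ENCRYPTION]
    hashes = sorted({h for h in policy["integrityAlgorithms"] + policy["prfIntegrityAlgorithms"]
                     if h in DEPRECATED_HASHES})
    if dh:
        findings["diffieHellmanGroups"] = dh
    if enc:
        findings["encryptionAlgorithms"] = enc
    if hashes:
        findings["hashAlgorithms"] = hashes
    return findings


def request_body(policy):
    """Serialise a policy for POST to the ikev2policies endpoint, refusing deprecated content."""
    bad = deprecated_items(policy)
    if bad:
        raise ValueError(f"policy {policy['name']!r} uses deprecated items: {bad}")
    return json.dumps(policy, sort_keys=True)


# Constructed stand-in for the default policy the thread mentions (DH groups 5 and 2);
# the cipher and hash lists are illustrative, not copied from a real FMC.
DEFAULT_POLICY = build_ikev2_policy(
    "DefaultIKEv2Policy", 1,
    dh_groups=[5, 2],
    encryption=["AES-256", "AES", "3DES"],
    integrity=["SHA-256", "SHA", "MD5"],
    prf=["SHA-256", "SHA", "MD5"],
)

# The policy the reply recommends: DH group 14 only, with the deprecated
# ciphers and hashes left out. The priority value is arbitrary; the reply
# notes that the VPN topology selects the policy by name, not by priority.
DH14_POLICY = build_ikev2_policy(
    "IKEv2-DH14-only", 10,
    dh_groups=[14],
    encryption=["AES-256"],
    integrity=["SHA-256"],
    prf=["SHA-256"],
)

if __name__ == "__main__":
    print("default policy findings:", deprecated_items(DEFAULT_POLICY))
    print("new policy body:", request_body(DH14_POLICY))
```

Running the script reports DH groups 5 and 2, 3DES and MD5 in the constructed default policy and serialises the DH-14 policy cleanly; wire request_body() to your own authenticated POST against the FMC API if you want to automate the object creation rather than use the GUI.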

Hi Rob

Just another question, please: when I create the new IKEv2 Policy, what priority number should I add in the priority tab? The default policy is number 1.

Thank you


@benolyndav it doesn't matter, when you create the VPN topology you select which IKEv2 policy from the list.
