4166 Views | 0 Helpful | 5 Replies

IKev2 dh group 27

Ramesh Babu (Level 1)

Dear Team,

I need to establish a VPN tunnel between a Cisco device and a FortiGate. The request here is to configure DH group 27 between the sites. I have a Cisco ISR 1001-X.

Hence, could you please advise me?

1 Accepted Solution


@Ramesh Babu

Well, you'll need to agree a DH group supported by both the Fortinet and Cisco devices, otherwise a VPN will not be established.

It looks like DH groups 27 - 31 are not available for use in modern IKE implementations, reference here. Groups 19-21 should be adequate.


5 Replies

Hi @Ramesh Babu

I don't believe DH group 27 exists. Cisco recommends group 19 or 20.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

Hi Rob,

Thanks for your reply. As per the present Cisco setting, I cannot use DH group 27, correct? Then I will ask my customer for another range.

Note:

The FortiGate DH group range goes up to 31, which is why our customer chose 27.

Hi Rob,

I agree. Really, thanks for your info.

I will check with our customer.


Marvin Rhoads (Hall of Fame)

Assuming your distant end supports it, here are the most secure choices when configuring an IPsec VPN terminated on a Cisco device:

CISCO IOS ROUTERS

ISAKMP:

  IKEv1:
    no crypto isakmp default policy
    crypto isakmp policy 1
     encryption aes 256
     group [16|20]
     hash [sha384|sha512]

  IKEv2:
    crypto ikev2 proposal <proposal name>
     encryption aes-cbc-256
     integrity [sha384|sha512]
     group [16|20]

IPsec:
    crypto ipsec transform-set <transform name> esp-256-aes [esp-sha-hmac|esp-sha384-hmac|esp-sha512-hmac]

CISCO ASA

ISAKMP:

  For Cisco ASA devices, NSA recommends IKEv2, since the IKEv1 implementation only supports SHA1.

  IKEv2:
    crypto ikev2 policy 1
     encryption [aes-256|aes-gcm-256]
     integrity [sha384|sha512]
     group [16|20]

IPsec:
    crypto ipsec ikev2 ipsec-proposal <proposal name>
     protocol esp encryption [aes-256|aes-gcm-256]
     protocol esp integrity [sha-384|sha-512]
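The question in this thread (the accepted answer on which groups both peers have in common, and Marvin's recommended proposal) comes down to a support-overlap check that is easy to get wrong by hand. The Python below is an added example written for this thread; it is not Cisco or Fortinet code and not from any poster. It maps IKEv2 DH group IDs to their IANA registry names, parses the group line out of an IOS IKEv2 proposal, and reports which requested groups both peers can negotiate and which fall below a strength floor. The two per-vendor supported sets, the sample proposal, the customer request list and the 112-bit floor are constructed assumptions and must be replaced with what the real devices accept and what your policy requires.

```python
"""Check which IKEv2 DH groups two peers can actually negotiate.

Added example for this thread; not Cisco or Fortinet code. Group names come
from the IANA "IKEv2 Diffie-Hellman Group Transform IDs" registry; strength
figures are approximate equivalent-security estimates; the per-vendor
supported sets are CONSTRUCTED placeholders.
"""
import re

# IANA Transform Type 4 IDs -> (registry name, approximate strength in bits).
DH_GROUPS = {
    1: ("768-bit MODP", 70),
    2: ("1024-bit MODP", 80),
    5: ("1536-bit MODP", 90),
    14: ("2048-bit MODP", 112),
    15: ("3072-bit MODP", 128),
    16: ("4096-bit MODP", 150),
    17: ("6144-bit MODP", 170),
    18: ("8192-bit MODP", 190),
    19: ("256-bit random ECP", 128),
    20: ("384-bit random ECP", 192),
    21: ("521-bit random ECP", 256),
    22: ("1024-bit MODP with 160-bit prime order subgroup", 80),
    23: ("2048-bit MODP with 224-bit prime order subgroup", 112),
    24: ("2048-bit MODP with 256-bit prime order subgroup", 112),
    25: ("192-bit random ECP", 96),
    26: ("224-bit random ECP", 112),
    27: ("brainpoolP224r1", 112),
    28: ("brainpoolP256r1", 128),
    29: ("brainpoolP384r1", 192),
    30: ("brainpoolP512r1", 256),
    31: ("Curve25519", 128),
    32: ("Curve448", 224),
}

# CONSTRUCTED placeholders: fill these from the '?' help under the IOS
# proposal's 'group' command and from the FortiGate phase1 DH group options
# on the firmware actually in use.
CISCO_IOS_SUPPORTED = {1, 2, 5, 14, 15, 16, 19, 20, 21, 24}
FORTIGATE_SUPPORTED = {1, 2, 5} | set(range(14, 22)) | set(range(27, 33))

# Assumed policy floor (2048-bit MODP / ECP-256 level), not a value from the thread.
STRENGTH_FLOOR = 112


def assess(group, floor=STRENGTH_FLOOR):
    """Describe one group: registry name, strength and whether it meets the floor."""
    name, bits = DH_GROUPS.get(group, ("unassigned/unknown", 0))
    return {"group": group, "name": name, "bits": bits, "meets_floor": bits >= floor}


def parse_ios_proposal_groups(config_text):
    """Extract DH groups from an IOS 'crypto ikev2 proposal' block.

    IOS accepts several groups on one 'group' line (e.g. 'group 16 20') in
    preference order; that order is preserved.
    """
    groups = []
    for line in config_text.splitlines():
        m = re.match(r"\s*group\s+([\d\s]+)$", line)
        if m:
            groups.extend(int(g) for g in m.group(1).split())
    return groups


def negotiable_groups(local_supported, peer_supported, proposed):
    """Split proposed groups into those both peers support and those that will fail.

    Order is kept because the first mutually acceptable transform in the
    initiator's proposal is the one IKE_SA_INIT ends up using.
    """
    accepted = [g for g in proposed if g in local_supported and g in peer_supported]
    rejected = [g for g in proposed if g not in accepted]
    return accepted, rejected


def report(proposed, local=CISCO_IOS_SUPPORTED, peer=FORTIGATE_SUPPORTED):
    """Return one verdict line per proposed group."""
    accepted, _ = negotiable_groups(local, peer, proposed)
    lines = []
    for g in proposed:
        a = assess(g)
        status = "NEGOTIABLE" if g in accepted else "NO COMMON SUPPORT"
        weak = "" if a["meets_floor"] else " (below %d-bit floor)" % STRENGTH_FLOOR
        lines.append("group %2d %-45s %s%s" % (g, a["name"], status, weak))
    return lines


# Constructed sample: Marvin's IOS IKEv2 proposal with both recommended groups.
SAMPLE_PROPOSAL = """
crypto ikev2 proposal FORTI-PROPOSAL
 encryption aes-cbc-256
 integrity sha384
 group 16 20
"""

# Constructed sample: the customer's request (27) ahead of two fallbacks.
CUSTOMER_REQUEST = [27, 20, 14]

if __name__ == "__main__":
    print("IOS proposal offers groups:", parse_ios_proposal_groups(SAMPLE_PROPOSAL))
    for line in report(CUSTOMER_REQUEST):
        print(line)
```

Run as-is, the report flags group 27 as having no common support under the assumed Cisco set while 20 and 14 remain negotiable; swap in the real supported sets before trusting the verdict for a production tunnel.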
