Diffie-Hellman (DH) allows two devices to establish a shared secret over an insecure network. In a VPN it is used during IKE (Phase 1) to set up the tunnel.
There are multiple Diffie-Hellman groups that can be configured in an IKEv2 policy on a Cisco ASA running 9.1(3). As of November 2016, ASA 9.6(x) is available and there are no changes to the DH groups.
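The exchange described above, as an added example that is not part of the original page: each side keeps a private exponent, publishes g^x mod p, and derives the same secret from the peer's public value. The parameters here are constructed toy values (a 23-bit-sized prime is nothing like the 2048-bit group 14 modulus, and the real groups are the RFC-defined ones negotiated by IKE); the subgroup-membership check on the peer's public value is the kind of validation a real implementation performs before trusting a received value.

```python
import secrets

# Constructed toy parameters for illustration only; NOT a real IKE group.
# p = 2q + 1 is a small safe prime, g generates the prime-order-q subgroup.
TOY_P = 23
TOY_Q = 11
TOY_G = 4  # 4 = 2^2 and 2 has order 11 mod 23, so 4 generates the order-11 subgroup


def dh_keypair(p=TOY_P, q=TOY_Q, g=TOY_G):
    """Pick a private exponent in [1, q-1] and compute the public value g^x mod p."""
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)


def validate_public(peer_public, p=TOY_P, q=TOY_Q):
    """Reject degenerate or out-of-subgroup public values.

    0, 1 and p-1 force a trivial shared secret; a value outside the
    order-q subgroup could leak bits of the private exponent.
    """
    if not 1 < peer_public < p - 1:
        return False
    return pow(peer_public, q, p) == 1


def dh_shared(private, peer_public, p=TOY_P):
    """Shared secret = (peer_public)^private mod p."""
    if not validate_public(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, private, p)


def run_exchange():
    """Both parties run the exchange; return (secret_a, secret_b), which must match."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    return dh_shared(a, pub_b), dh_shared(b, pub_a)


if __name__ == "__main__":
    sa, sb = run_exchange()
    print("shared secret agreed:", sa == sb, sa)
```

The private exponent is drawn below q rather than p so that no public value lands on 1 or p-1; with real groups the same validation is what stops a peer from sending a small-subgroup value.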
Diffie-Hellman group 1 - 768-bit modulus - AVOID
Diffie-Hellman group 2 - 1024-bit modulus - AVOID
Diffie-Hellman group 5 - 1536-bit modulus - AVOID
Diffie-Hellman group 14 - 2048-bit modulus - MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256-bit elliptic curve - ACCEPTABLE
Diffie-Hellman group 20 - 384-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 21 - 521-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and a 256-bit prime-order subgroup - Next Generation Encryption
Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.
Next Generation Encryption (NGE) is expected to meet the security and scalability requirements of the next two decades.
If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman groups 5, 14, 19, 20 or 24. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24.
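An added example, not code from the original page: a small audit script that reads ASA IKEv2 policy configuration and flags any policy that offers a DH group the list above marks AVOID. The rating table is copied from the page; the sample configuration is constructed for the example (the `crypto ikev2 policy` / `group` syntax is the ASA's, the policy numbers and choices are made up). The point worth seeing is that a policy listing `group 14 5 2` still permits group 2 if the peer proposes only that, so a weak group anywhere in a policy is a finding, not just a policy whose only group is weak.

```python
import re

# Ratings from the page's list.
DH_RATING = {
    1: "AVOID", 2: "AVOID", 5: "AVOID",
    14: "MINIMUM ACCEPTABLE", 19: "ACCEPTABLE",
    20: "Next Generation Encryption",
    21: "Next Generation Encryption",
    24: "Next Generation Encryption",
}

# Constructed sample of ASA running-config IKEv2 policies (not a real device).
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 21 20
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 14 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
"""

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
GROUP_RE = re.compile(r"^\s+group((?:\s+\d+)+)\s*$")


def parse_ikev2_policies(config):
    """Return {policy_number: [dh groups in configured order]}."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = []
            continue
        m = GROUP_RE.match(line)
        if m and current is not None:
            policies[current] = [int(g) for g in m.group(1).split()]
    return policies


def audit_dh_groups(config):
    """List (policy, groups, offending_groups) for policies offering an AVOID or unknown group."""
    findings = []
    for policy, groups in sorted(parse_ikev2_policies(config).items()):
        offending = [g for g in groups if DH_RATING.get(g, "UNKNOWN") in ("AVOID", "UNKNOWN")]
        if offending:
            findings.append((policy, groups, offending))
    return findings


if __name__ == "__main__":
    for policy, groups, offending in audit_dh_groups(SAMPLE_CONFIG):
        ratings = ", ".join(f"{g}={DH_RATING.get(g, 'UNKNOWN')}" for g in groups)
        print(f"policy {policy}: groups {groups} -> offers {offending} ({ratings})")
```

Run it against the output of `show running-config crypto ikev2` saved to a file; a policy with an empty group list is also worth checking by hand, since the script only reports what it can parse.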