Diffie-Hellman (DH) allows two devices to establish a shared secret over an insecure network. In a VPN it is used during the IKE exchange that sets up the tunnel (Phase 1 in IKEv1, IKE_SA_INIT in IKEv2); the chosen DH group determines how hard that shared secret, and therefore every key derived from it, is to recover.
There are multiple Diffie-Hellman groups that can be configured in an IKEv2 policy on a Cisco ASA running 9.1(3). As of November 2016, ASA 9.6(x) is available and the set of supported DH groups is unchanged.
Diffie-Hellman group 1 - 768-bit modulus - AVOID
Diffie-Hellman group 2 - 1024-bit modulus - AVOID
Diffie-Hellman group 5 - 1536-bit modulus - AVOID
Diffie-Hellman group 14 - 2048-bit modulus - MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256-bit elliptic curve - ACCEPTABLE
Diffie-Hellman group 20 - 384-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 21 - 521-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup - Next Generation Encryption
Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.
Next Generation Encryption (NGE) is expected to meet the security and scalability requirements of the next two decades.
If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 14 at minimum and prefer group 19 or 20; group 5 is still offered by the ASA but is graded AVOID above and should not be configured. If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 20 or 21: group 24 is bounded by its 2048-bit modulus, which is worth roughly 112 bits of security, so it does not match a 256-bit cipher. Note also that RFC 8247 rates group 24 SHOULD NOT for IKEv2, so the elliptic curve groups 19, 20 and 21 are the safer choice for new deployments. Finally, an ASA IKEv2 policy can list several groups on one group line and the responder may select any of them, so a single weak group left in the list is enough to allow a weak exchange.
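The following is an added example, not code from the original page or from Cisco: a small Python audit that parses the crypto ikev2 policy blocks of a saved ASA configuration, flags every group graded AVOID above, and warns when a 256-bit cipher is offered alongside a DH group weaker than 192 bits. The sample configuration is constructed for the example; the policy numbers, the 192-bit threshold and the strength values are assumptions made for illustration.

```python
"""Audit Cisco ASA IKEv2 policies for weak Diffie-Hellman groups.

Added example, not code from the original page or from Cisco. The sample
configuration below is constructed; policy numbers and the 192-bit
threshold for 256-bit ciphers are assumptions made for illustration.
"""
import re

# Grading of each DH group as used on this page.
DH_VERDICT = {
    1: "AVOID",                # 768-bit MODP
    2: "AVOID",                # 1024-bit MODP
    5: "AVOID",                # 1536-bit MODP
    14: "MINIMUM ACCEPTABLE",  # 2048-bit MODP
    19: "ACCEPTABLE",          # 256-bit elliptic curve
    20: "NGE",                 # 384-bit elliptic curve
    21: "NGE",                 # 521-bit elliptic curve
    24: "NGE",                 # 2048-bit MODP with 256-bit prime-order subgroup
}

# Approximate security strength in bits (NIST SP 800-57 Part 1 equivalences).
# Group 24 is bounded by its 2048-bit modulus, not by its 256-bit subgroup.
DH_STRENGTH = {14: 112, 19: 128, 20: 192, 21: 256, 24: 112}

# Constructed sample config: a weak policy (1), a hardened one (10), a list
# that mixes good and bad groups (20) and a 256-bit cipher on group 14 (30).
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 2 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 20 21
 prf sha384
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 14 19 5
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside
"""

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")


def parse_ikev2_policies(config):
    """Return {policy_number: {"encryption": [...], "group": [int, ...]}}.

    Only the two sub-commands the audit needs are collected; an ASA
    'group' line may list several groups, all of which are offered.
    """
    policies = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = policies.setdefault(
                int(m.group(1)), {"encryption": [], "group": []})
            continue
        if current is None or not line.startswith(" "):
            current = None  # any other top-level command ends the block
            continue
        parts = line.split()
        if parts[0] == "encryption":
            current["encryption"].extend(parts[1:])
        elif parts[0] == "group":
            current["group"].extend(int(g) for g in parts[1:])
    return policies


def cipher_key_bits(name):
    """Key length implied by an ASA IKEv2 encryption keyword (aes == AES-128)."""
    m = re.search(r"(\d+)$", name)
    if m:
        return int(m.group(1))
    return {"aes": 128, "aes-gcm": 128, "3des": 168, "des": 56}.get(name, 0)


def audit(config):
    """Return a list of (policy_number, finding) tuples; empty means clean."""
    findings = []
    for number, policy in sorted(parse_ikev2_policies(config).items()):
        groups = policy["group"]
        if not groups:
            findings.append((number, "no DH group configured"))
            continue
        # The responder may pick any offered group, so one weak entry fails the policy.
        bad = [g for g in groups if DH_VERDICT.get(g, "UNKNOWN") in ("AVOID", "UNKNOWN")]
        for g in bad:
            findings.append((number, f"group {g} is {DH_VERDICT.get(g, 'UNKNOWN')}"))
        if bad:
            continue
        weakest = min(DH_STRENGTH[g] for g in groups)
        key_bits = max((cipher_key_bits(c) for c in policy["encryption"]), default=0)
        if key_bits >= 256 and weakest < 192:
            findings.append((number, f"256-bit cipher offered with DH strength {weakest} bits; use group 20 or 21"))
    return findings


if __name__ == "__main__":
    for number, finding in audit(SAMPLE_CONFIG):
        print(f"ikev2 policy {number}: {finding}")
```

Run it against the output of show running-config crypto ikev2 from the ASA. Policy 10 passes, policy 20 fails even though it also offers groups 14 and 19, and policy 30 is flagged because AES-256 is paired with a 2048-bit MODP group; the check is deliberately conservative about the weakest group in a list because that is the one a downgraded peer will pick.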