Diffie-Hellman (DH) lets two peers establish a shared secret over an insecure network. In a VPN it is used in IKE (Phase 1) to derive the keying material that protects the tunnel, and again whenever the tunnel is rekeyed with PFS enabled.
The following Diffie-Hellman groups can be configured in an IKEv2 policy on a Cisco ASA running 9.1(3). As of Nov 2016, ASA 9.6(x) is available and the list of supported DH groups is unchanged.
Diffie-Hellman group 1 - 768-bit modulus - AVOID
Diffie-Hellman group 2 - 1024-bit modulus - AVOID
Diffie-Hellman group 5 - 1536-bit modulus - AVOID
Diffie-Hellman group 14 - 2048-bit modulus - MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256-bit elliptic curve - ACCEPTABLE
Diffie-Hellman group 20 - 384-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 21 - 521-bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and a 256-bit prime-order subgroup - Next Generation Encryption
Algorithms marked as AVOID do not provide an adequate security level against modern threats and should not be used to protect sensitive information. It is recommended that these algorithms be replaced with stronger algorithms.
Next Generation Encryption (NGE) is expected to meet the security and scalability requirements of the next two decades.
If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 14, 19, 20 or 24 (group 5 is sometimes listed here as well, but it is rated AVOID above, so leave it out). If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21 or 24. Keep in mind that a 2048-bit modulus such as group 24 gives roughly 112-bit security, so only group 21 (the 521-bit curve) actually matches a 256-bit key; prefer it whenever the peer supports it. Also note that every group listed in a policy is negotiable, so one weak group in the list is enough for a peer to select it.