Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1397
Views
0
Helpful
1
Replies

AES 256 which DH group?

Ruterford
Level 1
Level 1

‎01-08-2012 06:46 PM

Hi All,

I have been using aes 256 with dh group 2 and pfs group 2 for my site to site vpn tunnels.

Now I am considering modifying the dh groups both for p1 and pfs to group 5 or keep it group 2.

Is this a must to have dh group 5 with aes 256 or having dh group 2 with aes 256 is also common ?

Labels:
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-08-2012 08:55 PM

Sure group 5 is theoretically more secure but I have not seen it actually being used in the VPNs I've worked with. Simply by using AES-256 uniformly you will be ahead of most folks.

Usually there are so many other less secure aspects of networks that the DH Group would be waaaaaay down on my list of things to improve upon.

However if all your site-site VPNs are under your exclusive configuration control, have at it by setting DH Group 5 at all sites.

Caveats - you will need to be running a high crypto image (K2 or K9) and please be aware of bug "CSCtg97145 - Interface overruns upon IPSEC rekey with PFS and DH5" (applies to ASA 8.0(4) and 8.2(2)).

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents