AES 256 which DH group?

Level 1

Hi All,

I have been using AES 256 with DH group 2 and PFS group 2 for my site-to-site VPN tunnels.

Now I am considering modifying the DH groups for both P1 and PFS to group 5, or keeping them at group 2.

Is it a must to have DH group 5 with AES 256, or is having DH group 2 with AES 256 also common?


Marvin Rhoads
Hall of Fame

Sure, group 5 is theoretically more secure, but I have not seen it actually being used in the VPNs I've worked with. Simply by using AES-256 uniformly you will be ahead of most folks.

Usually there are so many other less secure aspects of networks that the DH Group would be waaaaaay down on my list of things to improve upon.

However, if all your site-to-site VPNs are under your exclusive configuration control, have at it by setting DH Group 5 at all sites.

Caveats: you will need to be running a high crypto image (K2 or K9), and please be aware of bug "CSCtg97145 - Interface overruns upon IPSEC rekey with PFS and DH5" (applies to ASA 8.0(4) and 8.2(2)).
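As an added example, not from the thread or from Cisco, here is a small Python audit that scans an IOS-style config for phase-1 ISAKMP policies and crypto-map PFS settings still on DH group 2, the situation the poster describes, so the sites that have not yet moved to group 5 can be listed before touching them. The sample config, the SITE2SITE map name, the peer address and the group-5 threshold are constructed assumptions.

```python
import re

# Constructed IOS-style sample (not from the thread): one ISAKMP policy still on
# DH group 2 like the poster's setup, one on group 5, and a crypto map whose PFS
# group still uses the weaker setting.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 group 2
crypto isakmp policy 20
 encr aes 256
 group 5
crypto map SITE2SITE 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set AES256-SHA
 set pfs group2
"""

# Audit threshold chosen here: flag anything below group 5. Comparing group numbers
# is valid for the MODP groups in this thread (1, 2, 5, 14, 15, 16 grow in size);
# ECDH groups (19-21) would need their own mapping.
MIN_DH_GROUP = 5


def parse_dh_groups(config):
    """Return (context, group) for every phase-1 'group N' and phase-2 'set pfs groupN'."""
    findings = []
    context = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            context = "isakmp policy " + m.group(1)
            continue
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)
        if m:
            context = "crypto map %s %s" % m.groups()
            continue
        if not line.startswith(" "):  # any other top-level line ends the block
            context = None
            continue
        m = re.match(r"\s+group (\d+)$", line)  # phase-1 DH group
        if m and context and context.startswith("isakmp"):
            findings.append((context, int(m.group(1))))
        m = re.match(r"\s+set pfs group(\d+)$", line)  # phase-2 PFS group
        if m and context and context.startswith("crypto map"):
            findings.append((context, int(m.group(1))))
    return findings


def weak_dh_groups(config, minimum=MIN_DH_GROUP):
    """Contexts whose DH/PFS group is below the chosen minimum."""
    return [(ctx, g) for ctx, g in parse_dh_groups(config) if g < minimum]
```

Run `weak_dh_groups(SAMPLE_CONFIG)` against a saved `show running-config` to get the policies and crypto maps still on group 2; the same parser works for the group-5 PFS setting once it is applied.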
