ASA 5545-X Diffie-Hellman Group

seahorse
Level 1

Which Diffie-Hellman groups can be chosen for IKE policies?

I found that there are some dependencies on the software version as well.
Have I understood correctly that for crypto ikev2 policy the following Diffie-Hellman group(s) for this policy index, 14, 15, 16, 19, 20, 21, or 31, can be chosen in version 9.12 on an ASA 5545-X?

Thanks for feedback

1 Accepted Solution

@seahorse on 9.12 currently DH groups 14, 19, 2, 20, 21, 24 and 5 are available to use in the IKEv2 policy.

On newer ASA software versions, DH groups 2, 24 and 5 are deprecated (since version 9.13) and 14, 15, 16, 19, 20, 21, 31 are available to use.

I would recommend using 21, 20 or 19 as you are running 9.12.

4 Replies

Gopinath_Pigili
Spotlight

Hello seahorse,

According to the Cisco documentation, Cisco recommends at least 2048 bits, i.e. DH 14 or higher is better.

Diffie-Hellman group 1 - 768 bit modulus - AVOID
Diffie-Hellman group 2 - 1024 bit modulus - AVOID
Diffie-Hellman group 5 - 1536 bit modulus - AVOID
Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

For more details, please go through the following link:

https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010

Best regards
******* If This Helps, Please Rate *******
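
An added example, not part of any post in this thread and not Cisco code: a small Python audit that reads `crypto ikev2 policy` blocks from an ASA configuration and reports each configured DH group against the ratings and version availability quoted in the replies. The sample configuration is constructed, the function and constant names are assumptions of this example, and "NGE" abbreviates the "Next Generation Encryption" label used above.

```python
import re

# DH group ratings exactly as listed in the reply above; 15, 16 and 31 are
# named in the thread but not rated there.
RATING = {1: "AVOID", 2: "AVOID", 5: "AVOID", 14: "MINIMUM ACCEPTABLE",
          19: "ACCEPTABLE", 20: "NGE", 21: "NGE", 24: "NGE"}
# Availability per the accepted solution (2, 24 and 5 deprecated since 9.13).
AVAILABLE_9_12 = {14, 19, 2, 20, 21, 24, 5}
AVAILABLE_NEWER = {14, 15, 16, 19, 20, 21, 31}

POLICY_RE = re.compile(r"^crypto ikev2 policy (\d+)\s*$")
GROUP_RE = re.compile(r"^\s+group((?:\s+\d+)+)\s*$")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 21 20 19
crypto ikev2 policy 20
 encryption aes-256
 group 14 5 2
crypto ikev2 policy 30
 group 24
crypto ikev2 enable outside
"""

def audit(config):
    """Return one finding per DH group configured in each IKEv2 policy."""
    findings, policy = [], None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policy = int(m.group(1))
        elif line and not line[0].isspace():
            policy = None  # unindented line: left the policy sub-mode
        elif policy is not None and (g := GROUP_RE.match(line)):
            for grp in map(int, g.group(1).split()):
                findings.append({"policy": policy, "group": grp,
                                 "rating": RATING.get(grp, "NOT RATED IN THREAD"),
                                 "on_9_12": grp in AVAILABLE_9_12,
                                 "on_newer": grp in AVAILABLE_NEWER})
    return findings

def needs_change(findings):
    """Groups rated AVOID, or no longer offered on newer ASA versions."""
    return [f for f in findings if f["rating"] == "AVOID" or not f["on_newer"]]

if __name__ == "__main__":
    for f in needs_change(audit(SAMPLE)):
        print(f)
```

Group 24 is reported even though the reply rates it as Next Generation Encryption, because the accepted solution lists it as deprecated since 9.13.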

seahorse
Level 1

Many thanks for the fast recommendations