cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
215
Views
3
Helpful
4
Replies

ASA 5545-X Diffie-Hellman Group

seahorse
Level 1
Level 1

Which Diffie-Hellman Groups can be choosen for IKE policies?

I found that are some dependencies on the the software version as well.
Have I right understood that for crypto ikev2 policy the following Diffie-Hellman group(s) for this policy index as 14, 15, 16, 19, 20, 21, or 31 can be choosen in version 9.12 on an ASA 5545-X.

Thanks for feedback

 

 

1 Accepted Solution

Accepted Solutions

@seahorse on 9.12 currently DH group 14, 19, 2, 20, 21, 24 and 5 are available to use in the IKEv2 policy.

On newer ASA software versions, DH groups 2, 24 and 5 are depreciated (since version 9.13) and 14, 15, 16, 19, 20, 21, 31 are available to use.

I would recommend using 21,20 or 19 as you are running 9.12.

 

View solution in original post

4 Replies 4

Gopinath_Pigili
Spotlight
Spotlight

Hello seahorse ,

According to the Cisco documentation, Cisco recommends atleast 2048 bits i.e DH 14 or Higher is more better.

Diffie-Hellman group 1 - 768 bit modulus - AVOID
Diffie-Hellman group 2 - 1024 bit modulus - AVOID
Diffie-Hellman group 5 - 1536 bit modulus - AVOID
Diffie-Hellman group 14 - 2048 bit modulus – MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve – ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve – Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup – Next Generation Encryption

For more details...please go through the following link:

https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010

 Best regards
******* If This Helps, Please Rate *******

@seahorse on 9.12 currently DH group 14, 19, 2, 20, 21, 24 and 5 are available to use in the IKEv2 policy.

On newer ASA software versions, DH groups 2, 24 and 5 are depreciated (since version 9.13) and 14, 15, 16, 19, 20, 21, 31 are available to use.

I would recommend using 21,20 or 19 as you are running 9.12.

 

seahorse
Level 1
Level 1

Many thanks for the fast recommendations