04-12-2024 06:51 AM
Which Diffie-Hellman groups can be chosen for IKE policies?
I found that there are some dependencies on the software version as well.
Have I understood correctly that for crypto ikev2 policy the following Diffie-Hellman group(s) for this policy index, 14, 15, 16, 19, 20, 21, or 31, can be chosen in version 9.12 on an ASA 5545-X?
Thanks for feedback
04-12-2024 07:22 AM
@seahorse on 9.12 currently DH group 14, 19, 2, 20, 21, 24 and 5 are available to use in the IKEv2 policy.
On newer ASA software versions, DH groups 2, 24 and 5 are deprecated (since version 9.13) and 14, 15, 16, 19, 20, 21, 31 are available to use.
I would recommend using 21, 20 or 19 as you are running 9.12.
04-12-2024 07:10 AM
Hello seahorse,
According to the Cisco documentation, Cisco recommends at least 2048 bits, i.e. DH 14 or higher is better.
Diffie-Hellman group 1 - 768 bit modulus - AVOID
Diffie-Hellman group 2 - 1024 bit modulus - AVOID
Diffie-Hellman group 5 - 1536 bit modulus - AVOID
Diffie-Hellman group 14 - 2048 bit modulus - MINIMUM ACCEPTABLE
Diffie-Hellman group 19 - 256 bit elliptic curve - ACCEPTABLE
Diffie-Hellman group 20 - 384 bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 21 - 521 bit elliptic curve - Next Generation Encryption
Diffie-Hellman group 24 - modular exponentiation group with a 2048-bit modulus and 256-bit prime order subgroup - Next Generation Encryption
For more details, please go through the following link:
https://community.cisco.com/t5/security-knowledge-base/diffie-hellman-groups/ta-p/3147010
Best regards
******* If This Helps, Please Rate *******
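As an added example (not from any of the posters above), a small audit script that applies the two answers above to an ASA configuration: it parses the `group` lines of each `crypto ikev2 policy` block, flags groups the stated software version does not offer (per the accepted answer's version lists), and flags groups the Cisco article rates AVOID. The sample config is constructed for illustration and the version-to-group table is taken from the thread.

```python
import re

# Groups the accepted answer lists as usable in the IKEv2 policy, per ASA version.
# 2, 5 and 24 are deprecated from 9.13 on; 15, 16 and 31 appear from 9.13 on.
AVAILABLE_BY_VERSION = {
    "9.12": {2, 5, 14, 19, 20, 21, 24},
    "9.13": {14, 15, 16, 19, 20, 21, 31},
}
# Ratings from the Cisco DH-groups article quoted above (14 is the minimum acceptable).
AVOID = {1, 2, 5}

# Constructed sample config (not from the thread): one weak policy, one strong one.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5 2
 prf sha256
crypto ikev2 policy 20
 encryption aes-gcm-256
 integrity null
 group 21 20 19
 prf sha384
"""

def parse_ikev2_policies(config):
    """Return {policy_index: [dh groups]} from 'crypto ikev2 policy' blocks."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^crypto ikev2 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = []
            continue
        m = re.match(r"^\s+group ((?:\d+\s*)+)$", line)
        if m and current is not None:
            policies[current] = [int(g) for g in m.group(1).split()]
    return policies

def audit(config, version):
    """Per policy, list groups unavailable on this version or rated AVOID."""
    available = AVAILABLE_BY_VERSION[version]
    findings = {}
    for idx, groups in parse_ikev2_policies(config).items():
        issues = []
        for g in groups:
            if g not in available:
                issues.append(f"group {g} not available on {version}")
            elif g in AVOID:
                issues.append(f"group {g} rated AVOID (modulus below 2048 bits)")
        findings[idx] = issues
    return findings
```

Running `audit(SAMPLE_CONFIG, "9.12")` reports policy 10 twice (groups 5 and 2 are offered on 9.12 but rated AVOID) and policy 20 clean; on "9.13" the same two groups are reported as not available.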
04-12-2024 07:11 AM - edited 04-12-2024 07:13 AM
The groups are
1, 5, 14, 19, 20, 21, 24
There is no 15, 16 and 31.
MHM
04-12-2024 07:39 AM
Many thanks for the fast recommendations