CSCuv51888 ENH: ASA IKEv1 policy should support DH group 14

dieterwanner
Level 1

Hi,

We also want to use DH group 14 with IKEv1.

Is this on the roadmap for any new ASA version?

Thank you

3 Replies

Aditya Ganjoo
Cisco Employee

Hi,

As such, there has been no official word from the developers on this, but if you want to push for this enhancement you can contact your account team.

Regards,

Aditya

Please rate helpful posts and mark correct answers.

It looks like the ASA (even the 5500-X series) doesn't support anything higher than DH group 5 for key exchange? But you can use DH group 19 at the transport layer?

I just got a request to peer with a Checkpoint which apparently (but I haven't tested this) does DH19 for phase 1... At first I thought maybe that wasn't part of the protocol specification or something, and the documentation below from Cisco says running group 5 is not a good idea....

I looked in the latest 9.x release notes and so far I haven't seen anything... Is this really the case that 19 isn't supported for phase 1/key exchange?

doug


Use the following guidelines when configuring Internet Key Exchange (IKE) in VPN technologies:

  • Avoid IKE Groups 1, 2, and 5.
  • Use IKE Group 15 or 16 and employ 3072-bit and 4096-bit DH, respectively.
  • When possible, use IKE Group 19 or 20. They are the 256-bit and 384-bit ECDH groups, respectively.
  • Use AES for encryption.

https://tools.cisco.com/security/center/resources/next_generation_cryptography

john thoren
Level 1

I have not tested group 14 with IKEv1, but the ASA now suggests it's allowed:

On ASA versions 9.14(3)15 and 9.16(3):
sco-asa-1/pri/act(config)# crypto map REMOTESITES 820 set pfs ?
group14 D-H Group 14 (2048-bit MODP Group)
group15 D-H Group 15 (3072-bit MODP Group) (Unsupported for IKEv1)
group16 D-H Group 16 (4096-bit MODP Group) (Unsupported for IKEv1)
group19 D-H Group 19 (NIST 256-bit ECP Group) (Unsupported for IKEv1)
group2 D-H Group 2 (1024-bit MODP Group) (DEPRECATED)
group20 D-H Group 20 (NIST 384-bit ECP Group) (Unsupported for IKEv1)
group21 D-H Group 21 (NIST 521-bit ECP Group) (Unsupported for IKEv1)
group24 D-H Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (1536-bit MODP Group) (DEPRECATED)
<cr>

It used to be (I cannot remember which version this was, probably 9.12.x):
sco-asa-1/pri/act(config)# crypto map REMOTESITES 820 set pfs ?
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>

I hope this helps.
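Added example, not code from any poster in this thread or from Cisco: a small Python helper that parses the two `set pfs ?` help listings john posted above and applies the guidelines doug quoted from Cisco's next-generation cryptography page (avoid groups 1, 2 and 5; prefer 14 or higher, and 19/20 where possible). It shows, per build, which groups the IKEv1 stack will accept at all and which of those are acceptable, and picks the strongest group shared with a peer. The help text is copied from the post; the peer proposal sets and the strength ordering are assumptions made for the example.

```python
import re

# Guidance as quoted in the thread: avoid 1, 2 and 5; treat 14 as the floor.
AVOID = {1, 2, 5}

# Rough ordering by security strength (assumption for this example):
# ECP 521/384 first, then 4096-bit MODP, ECP 256 and 3072-bit MODP, then 2048-bit MODP.
PREFERENCE = (21, 20, 16, 19, 15, 14, 24, 5, 2, 1)

# Help output as posted for 9.14(3)15 / 9.16(3) (constructed from the thread).
HELP_NEW = """\
group14 D-H Group 14 (2048-bit MODP Group)
group15 D-H Group 15 (3072-bit MODP Group) (Unsupported for IKEv1)
group16 D-H Group 16 (4096-bit MODP Group) (Unsupported for IKEv1)
group19 D-H Group 19 (NIST 256-bit ECP Group) (Unsupported for IKEv1)
group2 D-H Group 2 (1024-bit MODP Group) (DEPRECATED)
group20 D-H Group 20 (NIST 384-bit ECP Group) (Unsupported for IKEv1)
group21 D-H Group 21 (NIST 521-bit ECP Group) (Unsupported for IKEv1)
group24 D-H Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (1536-bit MODP Group) (DEPRECATED)
<cr>
"""

# Help output as posted for the older build (probably 9.12.x).
HELP_OLD = """\
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>
"""

LINE_RE = re.compile(r"^group(\d+)\s+D-H Group \d+(?P<rest>.*)$")


def parse_pfs_help(text):
    """Parse 'set pfs ?' output into {group_number: {"ikev1": bool, "deprecated": bool}}."""
    groups = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # skips '<cr>' and any prompt lines
            continue
        rest = m.group("rest")
        groups[int(m.group(1))] = {
            "ikev1": "(Unsupported for IKEv1)" not in rest,
            "deprecated": "(DEPRECATED)" in rest,
        }
    return groups


def ikev1_groups(groups):
    """Groups the build will accept for IKEv1 at all, regardless of strength."""
    return sorted(n for n, g in groups.items() if g["ikev1"])


def recommended_ikev1_groups(groups):
    """IKEv1-usable groups that also pass the quoted guidance (not deprecated, not in AVOID)."""
    return sorted(n for n, g in groups.items()
                  if g["ikev1"] and not g["deprecated"] and n not in AVOID)


def pick_ikev1_group(groups, peer_offers):
    """Strongest group both our IKEv1 stack and the peer accept, or None if no overlap."""
    usable = set(ikev1_groups(groups)) & set(peer_offers)
    for g in PREFERENCE:
        if g in usable:
            return g
    return None


if __name__ == "__main__":
    # Hypothetical peer: a Checkpoint proposing 19, 14 and 2 for phase 1.
    peer = {19, 14, 2}
    for label, text in (("9.14/9.16", HELP_NEW), ("older 9.x", HELP_OLD)):
        g = parse_pfs_help(text)
        print(f"{label}: IKEv1 accepts {ikev1_groups(g)}, "
              f"recommended {recommended_ikev1_groups(g)}, "
              f"negotiated with peer -> {pick_ikev1_group(g, peer)}")
```

On the newer build the only IKEv1 group that clears the quoted guidance is 14; on the older build every IKEv1-capable group is one Cisco says to avoid, which is exactly the gap the enhancement request is about. A peer that offers only group 19 gets no match on either build, since 19 is marked unsupported for IKEv1 in both listings.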