Deprecated DH groups in IKEv1 - Are they still supported in FTD 7.2.5?

Chess Norris
Level 4

Hello,

I've been asked to upgrade an FTD 2130 appliance from version 7.1.0.1 to 7.2.5.

Before starting the upgrade, I did a deploy and received this warning for some of the IKEv1 L2L tunnels that are configured.

"DH Groups 5 is considered insecure and are deprecated in Firewall Threat Defense running 6.7 and will be removed in a later version"

It's the "will be removed in a later version" part that has worried me a little bit. I couldn't find anything in the release notes for 7.2 that says support for DH5 has been removed, but does anyone know in which version of FTD it will be removed?

Thanks

/Chess


@Chess Norris

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/720/threat-defense-release-notes-72/features.html the 7.2 release notes do not indicate DH group 5 is completely removed from IKEv1.

"Diffie-Hellman GROUP 5 is deprecated for IKEv1 and removed for IKEv2, as per the 7.20 guide" - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-s2s.html so you should be OK for IKEv1 tunnels on 7.2...but any future upgrade would likely cause a problem.

 


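The practical follow-up to the accepted answer is an inventory: before the upgrade, find every IKEv1 policy, IKEv2 policy and PFS setting that still names a legacy DH group, and separate the ones the answer says are merely deprecated (IKEv1) from the ones it says are already removed in 7.2 (IKEv2). The script below is an added example, not code from the thread or from Cisco. It parses the ASA/LINA-style `show running-config` output that FTD exposes (`crypto ikev1 policy N` / `group N`, `crypto ikev2 policy N` / `group N [N ...]`, `crypto map NAME SEQ set pfs groupN`); the sample config, policy numbers, names and peer addresses are constructed for the example, and the set of groups treated as "legacy" (1, 2, 5) is an assumption, with group 5 being the one the thread is about.

```python
import re
from dataclasses import dataclass

# Constructed sample of ASA/LINA-style running config as seen on an FTD
# appliance; numbers, names and addresses are invented for this example.
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 19 14
 prf sha256
 lifetime seconds 86400
crypto map outside_map 1 match address VPN_ACL
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 203.0.113.10
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 2 set pfs group14
crypto map outside_map 2 set peer 203.0.113.20
"""

# Assumption: groups 1, 2 and 5 are the legacy MODP groups worth flagging.
WEAK_GROUPS = {1, 2, 5}

POLICY_RE = re.compile(r"crypto (ikev1|ikev2) policy (\d+)$")
GROUP_RE = re.compile(r"\s+group((?:\s+\d+)+)$")       # IKEv2 allows several
PFS_RE = re.compile(r"crypto map (\S+) (\d+) set pfs group(\d+)$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "ikev1", "ikev2" or "pfs"
    where: str      # policy or crypto-map entry that carries the group
    groups: tuple   # the weak group numbers found on that line


def find_weak_dh(config: str, weak=WEAK_GROUPS):
    """Return every IKE policy or PFS setting that names a group in `weak`."""
    findings = []
    current = None  # (kind, label) of the policy block currently being read
    for raw in config.splitlines():
        line = raw.rstrip()
        m = POLICY_RE.match(line)
        if m:
            current = (m.group(1), f"{m.group(1)} policy {m.group(2)}")
            continue
        if line and not line.startswith(" "):
            current = None  # any other top-level command ends the policy block
        if current:
            m = GROUP_RE.match(line)
            if m:
                groups = tuple(int(g) for g in m.group(1).split())
                bad = tuple(g for g in groups if g in weak)
                if bad:
                    findings.append(Finding(current[0], current[1], bad))
            continue
        m = PFS_RE.match(line)
        if m and int(m.group(3)) in weak:
            findings.append(Finding("pfs", f"crypto map {m.group(1)} {m.group(2)}",
                                    (int(m.group(3)),)))
    return findings


def triage(finding: Finding) -> str:
    """Classify a finding the way the accepted answer reads the 7.2 docs:
    weak groups in IKEv2 policies are removed in 7.2, elsewhere deprecated."""
    return "removed in 7.2" if finding.kind == "ikev2" else "deprecated"


if __name__ == "__main__":
    for f in find_weak_dh(SAMPLE_CONFIG):
        print(f"{f.where}: group(s) {f.groups} -> {triage(f)}")
```

Run it against the real `show running-config` output captured from the device (for example via `system support diagnostic-cli`) instead of the embedded sample. A bare `set pfs` with no group argument falls back to the platform default and is deliberately not flagged here, so check those entries by hand.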


Thanks, that's good to know.

I have informed the customer about the importance of changing the weak DH groups as soon as possible, so hopefully they will listen and fix it.

Thanks

/Chess