Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11021
Views
0
Helpful
2
Replies

DH group in phase 1 and phase 2

ssocsupport
Level 1
Level 1

‎10-11-2012 11:14 AM

Dear Team,

Is the DH group is mandatory for VPN.

Regards

Ramesh M

Labels:
0 Helpful
2 Replies 2

Javier Portuguez
Level 9
Level 9

‎10-11-2012 05:22 PM

Hi Ramesh,

Yes, it is mandatory.

To know why, please check this out:

Diffie Hellman Encryption Tutorial - Cryptography on Public keys

About Diffie-Hellman Groups

Thanks.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez

0 Helpful

olpeleri
Cisco Employee
Cisco Employee

‎10-11-2012 11:19 PM

Ramesh,

Without DH in Phase I, you would not been able to set up an encrypted control channel [ aka IKE]. ====> Mandatory.

However, defining DH group in phase II is not mandatory [ aka PFS].

Without P2 PFS, then you derivate the P2 sessions keys from your P1 keeying material. That's the default behavior and it's secure enough IMHO.

With PFS, then you would do a new DH exchange while negotiating the P2. In other words, you dont derivate your P2 keys from the previous keys but instead you generate new ones from scratch.

Of course, adding PFS lowers the scalability of your system since DH costs a lot of ressources.

Essentially it's a tradeoff

Cheers

Olivier

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents