Dear Team,
Is the DH group mandatory for VPN?
Regards
Ramesh M
Hi Ramesh,
Yes, it is mandatory.
To know why, please check this out:
Diffie Hellman Encryption Tutorial - Cryptography on Public keys
Thanks.
Portu.
Please rate any helpful posts
Ramesh,
Without DH in Phase I, you would not have been able to set up an encrypted control channel [aka IKE]. ====> Mandatory.
However, defining a DH group in Phase II is not mandatory [aka PFS].
Without P2 PFS, you derive the P2 session keys from your P1 keying material. That's the default behavior and it's secure enough IMHO.
With PFS, you would do a new DH exchange while negotiating the P2. In other words, you don't derive your P2 keys from the previous keys but instead you generate new ones from scratch.
Of course, adding PFS lowers the scalability of your system since DH costs a lot of resources.
Essentially, it's a tradeoff.
Cheers
Olivier
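The following is an added illustration of Olivier's point about Phase 2 key derivation with and without PFS; it is example code written for this thread, not code from any Cisco product or from the posters. It follows the IKEv2 CHILD_SA derivation from RFC 7296 section 2.17 (KEYMAT = prf+(SK_d, Ni | Nr) without PFS, KEYMAT = prf+(SK_d, g^ir (new) | Ni | Nr) with PFS) and the prf+ expansion from section 2.13. The DH group here is a deliberately small constructed toy (P, G) so the script runs quickly; real IKE deployments use the RFC 3526 MODP groups, and SK_d and the nonces are random stand-ins for keying material the peers would already hold.

```python
"""Why PFS matters: Phase 2 keys with and without a fresh DH exchange.

Threat model used for the demonstration: the Phase 1 (IKE SA) key SK_d has
leaked, and the nonces Ni/Nr are visible on the wire anyway.
"""
import hashlib
import hmac
import secrets

# Toy DH group, constructed for this example only. Real IKE uses the
# RFC 3526 MODP groups (e.g. group 14), which are far larger.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Return (private exponent, public value) in the toy group."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_shared(priv, peer_pub):
    """Shared secret g^ir, fixed-width so it can be fed into prf+."""
    return pow(peer_pub, priv, P).to_bytes(16, "big")


def prf(key, data):
    # IKEv2 prf instantiated with HMAC-SHA256 (PRF_HMAC_SHA2_256).
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key, seed, length):
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, counter = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([counter]))
        out += t
        counter += 1
    return out[:length]


def child_keymat(sk_d, ni, nr, pfs_secret=None, length=64):
    """KEYMAT for a CHILD_SA (RFC 7296 section 2.17).

    Without PFS the seed is Ni | Nr; with PFS the new g^ir is prepended.
    """
    seed = (pfs_secret or b"") + ni + nr
    return prf_plus(sk_d, seed, length)


def demo():
    """Return which Phase 2 keys an attacker holding SK_d can reproduce."""
    sk_d = secrets.token_bytes(32)          # constructed stand-in for SK_d
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)

    # No PFS: peers derive KEYMAT from SK_d and the public nonces only.
    peer_no_pfs = child_keymat(sk_d, ni, nr)
    attacker_no_pfs = child_keymat(sk_d, ni, nr)   # same inputs, same keys

    # PFS: each peer contributes a fresh DH value during Phase 2.
    xi, gi = dh_keypair()
    xr, gr = dh_keypair()
    initiator_pfs = child_keymat(sk_d, ni, nr, dh_shared(xi, gr))
    responder_pfs = child_keymat(sk_d, ni, nr, dh_shared(xr, gi))

    # The attacker sees gi and gr but not xi or xr, so without solving the
    # DH problem the best available derivation omits g^ir and misses.
    attacker_pfs = child_keymat(sk_d, ni, nr)

    return {
        "no_pfs_recovered": attacker_no_pfs == peer_no_pfs,
        "pfs_peers_agree": initiator_pfs == responder_pfs,
        "pfs_recovered": attacker_pfs == initiator_pfs,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The extra modular exponentiations in `dh_keypair` and `dh_shared` are exactly the per-SA cost Olivier refers to: with PFS every Phase 2 rekey pays for a DH exchange, which is why it is a scalability tradeoff rather than a free setting. The `prf_plus` helper is the real RFC 7296 construction, so the derivation logic applies unchanged to a production-size group.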