cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
7110
Views
0
Helpful
2
Replies
Highlighted
Beginner

DH group in phase 1 and phase 2

Dear Team,

Is the DH group is mandatory for VPN.

Regards

Ramesh M

2 REPLIES 2
Highlighted

Hi Ramesh,

Yes, it is mandatory.

To know why, please check this out:

Diffie Hellman Encryption Tutorial - Cryptography on Public keys

About Diffie-Hellman Groups

Thanks.

Portu.

Please rate any helpful posts

Message was edited by: Javier Portuguez

Highlighted
Cisco Employee

Ramesh,

Without DH in Phase I, you would not been able to set up an encrypted control channel [ aka IKE]. ====> Mandatory.

However, defining DH group in phase II is not mandatory [ aka PFS].

Without P2 PFS, then you derivate the P2 sessions keys from your P1 keeying material. That's the default behavior and it's secure enough IMHO.

With PFS, then you would do a new DH exchange while negotiating the P2. In other words, you dont derivate your P2 keys from the previous keys but instead you generate new ones from scratch.

Of course, adding PFS lowers the scalability of your system since DH costs a lot of ressources.

Essentially it's a tradeoff

Cheers

Olivier

Content for Community-Ad