Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
19518
Views
5
Helpful
2
Replies

Diffie-Hellman groups - ASA firewalls

Go to solution
Alex Sykes
Level 1
Level 1

‎04-30-2013 07:24 AM

Hi all,

A couple of questions I'm hoping you can help me with.

Please can you tell me where I'd change the Diffie-Hellman group for phase 1 on an ASA firewall and can this be done on the ASDM?

Also, do you have to enable PFS have to DH on phase 2?

Many thanks

Alex

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎04-30-2013 09:17 AM

Hello Alex,

You can change the Diffie-Hellman group for phase 1 on ASA by configuring the following command:

crypto isakmp policy

     group

To configure the same using ASDM, go to

Configuration>Site-to-Site VPN>Connection Profiles>Add/Edit

In IPsec Settings, you will find Encryption Algorithms .Click on "Manage" icon on the right  of "IKE Policy".Click OK.

Click on Add/Edit and there will be an option to change the DH Group.

And lastly in regard to the PFS query , you can enable PFS in  order to have DH in phase 2.Enabling PFS will force a new DH key  exchange for phase 2.

Note:It is not mandatory , its optional .If its configured on one side , then it needs to be done on the remote side as well.

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

2 Replies 2

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎04-30-2013 09:17 AM

Hello Alex,

You can change the Diffie-Hellman group for phase 1 on ASA by configuring the following command:

crypto isakmp policy

     group

To configure the same using ASDM, go to

Configuration>Site-to-Site VPN>Connection Profiles>Add/Edit

In IPsec Settings, you will find Encryption Algorithms .Click on "Manage" icon on the right  of "IKE Policy".Click OK.

Click on Add/Edit and there will be an option to change the DH Group.

And lastly in regard to the PFS query , you can enable PFS in  order to have DH in phase 2.Enabling PFS will force a new DH key  exchange for phase 2.

Note:It is not mandatory , its optional .If its configured on one side , then it needs to be done on the remote side as well.

Regards,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Go to solution
Alex Sykes
Level 1
Level 1
In response to Dinesh Moudgil

‎05-01-2013 01:27 AM

Hi Dinesh,

Many thanks for your quick answer.

This is exactly what I was after.

Kind regards

Alex

0 Helpful
Customers Also Viewed These Support Documents