06-21-2023 10:42 AM
Hi!
We need to change our firewalls. Does the FPR1120 support IKEv1 with Diffie-Hellman Group 5, or must we change our S2S VPN to IKEv2 with DH14?
06-21-2023 10:47 AM - edited 06-21-2023 10:52 AM
According to Cisco, as of FTD 6.70 DH group 5 is deprecated for IKEv1 and IKEv2.
IKEv2 supports groups 14, 15, 16, 19, 20, 21 and 31.
You can select the group which matches what the other peer has.
06-21-2023 10:48 AM - edited 06-21-2023 10:50 AM
@Jh96 It really depends on what image you are using, ASA or FTD?
DH group 5 was deprecated in ASA 9.13, and the minimum version supported by the FPR1120 is ASA 9.14, so no, you cannot use DH group 5 if using the ASA image.
DH group 5 is supported in FTD 6.4 https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/vpn_overview.html but is also deprecated in newer versions.
You wouldn't want to run an old FTD OS image just to use a weak crypto algorithm, so use IKEv2 and stronger crypto.
06-21-2023 02:00 PM
Hi Jh96,
MHM and Rob are correct when saying DH group 5 has been deprecated for some time already, but it is still not removed from the ASA or FTD configuration yet, even on the latest available version as of today (FTD 7.3/ASA 9.19). So if you really need to use IKEv1 with DH group 5 for now, you should be able to do it. For a long-term solution I would definitely recommend you move to IKEv2 with at least DH group 14.
Hope this helps!
-JP-
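An added configuration example, not posted by anyone in this thread, showing on an ASA image the legacy IKEv1 policy with DH group 5 (still accepted but deprecated, as the replies above say) next to the IKEv2 site-to-site configuration with DH group 14 that the replies recommend. The peer address 203.0.113.2, the ACL/object/map names and the pre-shared key are placeholders I chose; on FTD the equivalent settings are made in the FMC/FDM VPN wizard rather than with this CLI.

```cisco
! --- Legacy: IKEv1 phase 1 policy using DH group 5 (deprecated since ASA 9.13) ---
! Kept here only to show what the old S2S tunnel looks like; do not build new tunnels on it.
crypto ikev1 enable outside
crypto ikev1 policy 100
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400

! --- Recommended: IKEv2 with DH group 14 for the IKE SA and PFS for the IPsec SA ---
! Assumed: the remote peer is 203.0.113.2 and also offers group 14.
crypto ikev2 enable outside
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400

! IPsec (phase 2) proposal for IKEv2
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Interesting traffic (placeholder networks)
object network LOCAL_LAN
 subnet 10.10.0.0 255.255.0.0
object network REMOTE_LAN
 subnet 10.20.0.0 255.255.0.0
access-list VPN_TO_BRANCH extended permit ip object LOCAL_LAN object REMOTE_LAN

! Peer authentication (placeholder key; use a long random PSK or certificates)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY
 ikev2 local-authentication pre-shared-key REPLACE_WITH_LONG_RANDOM_KEY

! Crypto map: bind ACL, peer, IKEv2 proposal and PFS group 14, then apply to the interface
crypto map OUTSIDE_MAP 10 match address VPN_TO_BRANCH
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE_MAP 10 set pfs group14
crypto map OUTSIDE_MAP interface outside

! Verification after the tunnel comes up: confirm the negotiated DH group and that no IKEv1 SA remains
show crypto ikev2 sa detail
show crypto ikev1 sa
```

Once the peer has been migrated, remove the `crypto ikev1 policy 100` block and `crypto ikev1 enable outside` so the firewall can no longer negotiate the group 5 proposal at all; leaving both IKE versions enabled means a peer can still fall back to the weaker one.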