Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2032
Views
5
Helpful
2
Replies

Selection of DH group in IPsec VPN

Go to solution
VIrendraMourya6156
Level 1
Level 1

‎04-23-2020 07:56 AM

Dear Members,

i am looking for an answer to this query, if someone could help me.

We have an IPsec S-2-S vpn setup between two Firewall, at one end it is Cisco Firepower(5555-x) where as other end its Cisco ASA 5515.

We are running ikev2. Ikev2 policy is created where multiple DH values are used in the policy (DH 14,21,24 etc) and similar config present in the remote end. 

I would like to know how does the firewall decides which group to use for key exchange, is there any rule ? Please assist.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sheraz.Salim
VIP
VIP

‎04-23-2020 08:05 AM - edited ‎04-23-2020 08:44 AM

in Ikev2 the values of DH 14,21,24 will go in a sequence for example 14 will check first if not match than go for 21 and so on.

 

https://tools.ietf.org/html/rfc5996#appendix-B

 

initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify
payload of type INVALID_KE_PAYLOAD indicating theselected group. In this case, the initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman group. The initiator MUST again propose its
full set of acceptable cryptographic suites becase the rejection message was unauthenticated and otherwise an active attacker couldtrick the endpoints into negotiating a weaker suite than a stronger one that they both prefer.
please do not forget to rate.

View solution in original post

2 Replies 2

Go to solution
Sheraz.Salim
VIP
VIP

‎04-23-2020 08:05 AM - edited ‎04-23-2020 08:44 AM

in Ikev2 the values of DH 14,21,24 will go in a sequence for example 14 will check first if not match than go for 21 and so on.

 

https://tools.ietf.org/html/rfc5996#appendix-B

 

initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify
payload of type INVALID_KE_PAYLOAD indicating theselected group. In this case, the initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman group. The initiator MUST again propose its
full set of acceptable cryptographic suites becase the rejection message was unauthenticated and otherwise an active attacker couldtrick the endpoints into negotiating a weaker suite than a stronger one that they both prefer.
please do not forget to rate.

Go to solution
VIrendraMourya6156
Level 1
Level 1
In response to Sheraz.Salim

‎04-24-2020 01:47 AM

Thank You. 

0 Helpful
Customers Also Viewed These Support Documents