DH Selection for VPNs

(2019-03-13)

Problem

What are the recommended settings for IPSEC VPNs?

Updated 25 April 2023

IKE:

  • In general, IKEv1 is still acceptable, unless you're dealing with a Cisco ASA, which as of 2020 will only do SHA-1 in IKEv1

DH Group:

  • Ideal is DH-19 or DH-20
  • The minimum for reasonable security is DH-16; going below that is not recommended
  • Groups 1, 2, 5, 22, 23, and 24 are considered notably (and perhaps unexpectedly) weak

Algorithms:

  • Use AES-256 (or higher) with SHA-384 (or higher)
  • Always avoid DES
  • Avoid 3DES and MD5 if at all possible
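As an added example (not part of the original post), the checker below grades IKE/IPsec proposals against the DH-group and algorithm guidance above. It assumes strongSwan-style proposal strings ("enc-integ-dh", e.g. "aes256-sha384-ecp384"); the name-to-group mapping and the sample proposals are constructed for this example.

```python
# Added example: grade proposal strings against the recommendations above.
# Proposal format assumed: strongSwan style "enc-integ[-prf]-dh".

# strongSwan DH group names mapped to their IANA IKE group numbers.
DH_GROUPS = {
    "modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
    "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
    "ecp256": 19, "ecp384": 20, "ecp521": 21,
    "modp1024s160": 22, "modp2048s224": 23, "modp2048s256": 24,
}
WEAK_GROUPS = {1, 2, 5, 22, 23, 24}   # called out as notably weak
IDEAL_GROUPS = {19, 20}
MIN_GROUP = 16                         # minimum for reasonable security


def grade_dh(group: int) -> str:
    """Classify a DH group number per the guidance above."""
    if group in WEAK_GROUPS:
        return "weak"
    if group in IDEAL_GROUPS:
        return "ideal"
    return "acceptable" if group >= MIN_GROUP else "below-minimum"


def check_proposal(proposal: str) -> list:
    """Return findings for a proposal; an empty list means it meets the guidance."""
    enc, *mid, dh = proposal.lower().split("-")
    findings = []
    # Encryption: DES never; 3DES only as a last resort; AES needs a 256-bit key.
    if enc == "des":
        findings.append("DES is not acceptable")
    elif enc == "3des":
        findings.append("3DES should be avoided")
    elif enc.startswith("aes"):
        bits = int(enc[3:6])            # handles aes128, aes256, aes256gcm16
        if bits < 256:
            findings.append(f"AES-{bits} is below AES-256")
    else:
        findings.append(f"unrecognised cipher {enc}")
    # Integrity / PRF: SHA-384 or higher; MD5 and SHA-1 are explicitly weak.
    for tok in mid:
        name = tok[3:] if tok.startswith("prf") else tok
        if name == "md5":
            findings.append("MD5 should be avoided")
        elif name in ("sha1", "sha256"):
            findings.append(f"{name} is below SHA-384")
        elif name not in ("sha384", "sha512"):
            findings.append(f"unrecognised integrity {tok}")
    group = DH_GROUPS.get(dh)
    if group is None:
        findings.append(f"unknown DH group {dh}")
    elif grade_dh(group) == "weak":
        findings.append(f"DH group {group} ({dh}) is notably weak")
    elif grade_dh(group) == "below-minimum":
        findings.append(f"DH group {group} ({dh}) is below the DH-16 minimum")
    return findings
```

Run it over the proposals actually configured on both peers; a proposal list that contains any flagged entry lets a negotiation downgrade to it.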
