For When You Can't Have The Real Thing
start > FortiOS > 5.6 > DH Selection For IPsec VPNs

DH Selection For IPsec VPNs

Created by dave. Last edited by dave, 36 days ago. Viewed 1,096 times. #5
(2019-03-13)

Problem

What are the recommended settings for IPsec VPNs?

Updated 25 April 2023

IKE:

  • In general IKEv1 is still acceptable, unless you're dealing with a Cisco ASA, which as of 2020 will only do SHA-1 in IKEv1

DH Group:

  • the ideal choice is DH-19 or DH-20
  • the minimum for reasonable security is DH-16; going below that is not recommended
  • groups 1, 2, 5, 22, 23, and 24 are considered notably (and perhaps unexpectedly) weak

Algorithms:

  • use AES-256 (or higher) with SHA-384 (or higher)
  • always avoid DES
  • avoid 3DES and/or MD5 if at all possible
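As an added example (not from this page and not a Fortinet tool), a small Python audit that applies the DH-group and algorithm rules above to a constructed FortiOS-style phase1 config. The `set dhgrp` / `set proposal` syntax, the `edit ... next` block layout and the token sets taken to mean "AES-256 with SHA-384 or higher" are assumptions.

```python
import re
# Rules from the page: ideal groups, minimum acceptable group, groups called out as weak.
IDEAL_DH = {19, 20}
MIN_DH = 16
WEAK_DH = {1, 2, 5, 22, 23, 24}
# Assumed token sets for "AES-256 with SHA-384 or higher" (FortiOS proposal names, not from the page).
GOOD_ENC = {"aes256"}
GOOD_HASH = {"sha384", "sha512"}
def audit_tunnel(name, dhgrp, proposals):
    """Apply the page's DH-group and algorithm rules to one tunnel; return a list of findings."""
    findings = []
    for g in dhgrp:
        if g in WEAK_DH:
            findings.append(f"{name}: DH group {g} is notably weak; remove it")
        elif g < MIN_DH:
            findings.append(f"{name}: DH group {g} is below the DH-16 minimum")
        elif g not in IDEAL_DH:
            findings.append(f"{name}: DH group {g} is acceptable, but DH-19/20 is preferred")
    for p in proposals:
        enc, _, hsh = p.partition("-")  # assumed token shape, e.g. "aes256-sha384"
        if enc == "des":
            findings.append(f"{name}: proposal {p} uses DES; always avoid")
        elif enc == "3des" or hsh == "md5":
            findings.append(f"{name}: proposal {p} uses 3DES/MD5; avoid if at all possible")
        elif enc not in GOOD_ENC or hsh not in GOOD_HASH:
            findings.append(f"{name}: proposal {p} is below AES-256/SHA-384")
    return findings
def audit_config(text):
    """Walk assumed FortiOS-style 'edit "<name>" ... next' blocks and audit each tunnel."""
    findings = []
    for m in re.finditer(r'edit "([^"]+)"(.*?)\n\s*next', text, re.S):
        name, body = m.group(1), m.group(2)
        dh = re.search(r"set dhgrp ([\d ]+)", body)
        prop = re.search(r"set proposal ([\w -]+)", body)
        dhgrp = [int(x) for x in dh.group(1).split()] if dh else []
        proposals = prop.group(1).split() if prop else []
        findings += audit_tunnel(name, dhgrp, proposals)
    return findings
# Constructed sample: one tunnel with weak settings, one following the recommendations.
SAMPLE = '''config vpn ipsec phase1-interface
    edit "legacy-tunnel"
        set proposal 3des-md5 aes128-sha1
        set dhgrp 2 5 14
    next
    edit "modern-tunnel"
        set proposal aes256-sha384
        set dhgrp 19 20
    next
end'''
```

Running `audit_config(SAMPLE)` reports five findings, all against `legacy-tunnel` (groups 2 and 5 weak, group 14 below the minimum, 3DES/MD5, and AES-128/SHA-1 below the recommended strength); `modern-tunnel` is clean.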
