For When You Can't Have The Real Thing
[ start | index | login ]
start > FortiOS > 5.6 > DH Selection For IPsec VPNs

DH Selection For IPsec VPNs

Created by dave. Last edited by dave, 109 days ago. Viewed 1,553 times. #6
[diff] [history] [edit] [rdf]


What are the recommended settings for IPSEC VPNs?

Updated 25 April 2023


  • In general IKEv1 is still acceptable, unless you're dealing with a Cisco ASA which as of 2020 will only do SHA-1 in IKEv1
DH Group:
  • ideal is DH-19 or DH-20
  • minimum for reasonable security is DH-16, going below that is not recommended
  • groups 1, 2, 5, 22, 23, and 24 are considered notably (and perhaps unexpectedly) weak
  • as of 9.15.x, ASAs explicitly do not do group24 any more, and restrict availability of other groups to IKEv2 only. This is a problem because the default "work with Azure" VPN setup recipe picks group 24.
  • use AES-256 (or higher) with SHA-384 (or higher)
  • Always avoid DES
  • Avoid 3DES and/or MD5 if at all possible


no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful: | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt