For When You Can't Have The Real Thing

DH Selection For IPsec VPNs

Created by dave. Last edited by dave, 222 days ago. Viewed 1,292 times. #5


What are the recommended settings for IPsec VPNs?

Updated 25 April 2023


IKE version:
  • In general IKEv1 is still acceptable, unless you're dealing with a Cisco ASA, which as of 2020 will only do SHA-1 in IKEv1.
DH Group:
  • ideal is DH-19 or DH-20
  • minimum for reasonable security is DH-16; going below that is not recommended
  • groups 1, 2, 5, 22, 23 and 24 are considered notably (and perhaps unexpectedly) weak
Encryption and integrity:
  • use AES-256 (or higher) with SHA-384 (or higher)
  • always avoid DES
  • avoid 3DES and/or MD5 if at all possible
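A small checker that applies the rules above to a FortiOS phase1/phase2 configuration, added here as an example; it is not Fortinet's code and not part of the original page. The config text inside it is constructed for illustration, the DH ratings follow the list above literally (by group number, so groups the page does not mention, such as those above 21, are rated on number alone), and proposal tokens are assumed to take the usual FortiOS `enc-hash` form (GCM proposals carry a `prf` prefix on the hash part).

```python
"""Audit FortiOS IPsec phase1-interface / phase2-interface settings against
the DH-group and cipher recommendations on this page.

Added example code; the configuration text in SAMPLE_CONFIG is constructed
for illustration and does not come from a real device.
"""

# Group ratings exactly as stated on this page.
WEAK_DH = {1, 2, 5, 22, 23, 24}
IDEAL_DH = {19, 20}
MIN_DH = 16


def rate_dh_group(group: int) -> str:
    """Return 'weak', 'ideal', 'ok' or 'below-minimum' for one DH group number."""
    if group in WEAK_DH:
        return "weak"
    if group in IDEAL_DH:
        return "ideal"
    if group >= MIN_DH:          # assumption: rated by number only, as the page does
        return "ok"
    return "below-minimum"


def rate_proposal(proposal: str) -> str:
    """Rate one FortiOS proposal token such as 'aes256-sha384' or '3des-md5'."""
    enc, _, integ = proposal.lower().partition("-")
    integ = integ.removeprefix("prf")   # GCM proposals name a PRF instead of a hash
    if enc == "des":
        return "avoid: DES"
    if enc == "3des" or integ == "md5":
        return "avoid if possible: 3DES/MD5"
    strong_enc = enc.startswith("aes256")
    strong_integ = integ in {"sha384", "sha512"}
    if strong_enc and strong_integ:
        return "recommended"
    return "below recommendation: want AES-256+/SHA-384+"


def parse_phases(config_text: str) -> dict:
    """Collect the 'set' lines of every tunnel in the phase1/phase2 tables.

    Returns {(table, tunnel_name): {key: value}}; other config tables are ignored.
    """
    tunnels = {}
    table = name = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config vpn ipsec phase"):
            table = line.split()[3]            # phase1-interface / phase2-interface
        elif line.startswith("edit ") and table:
            name = line.split(None, 1)[1].strip('"')
            tunnels.setdefault((table, name), {})
        elif line.startswith("set ") and name:
            _, key, value = line.split(None, 2)
            tunnels[(table, name)][key] = value
        elif line == "next":
            name = None
        elif line == "end":
            table = None
    return tunnels


def audit_config(config_text: str) -> dict:
    """Map 'table/tunnel' to a list of findings for its IKE version, DH groups and proposals."""
    findings = {}
    for (table, name), settings in parse_phases(config_text).items():
        notes = []
        if table == "phase1-interface":
            notes.append(f"ike-version {settings.get('ike-version', '1')}")
        for group in settings.get("dhgrp", "").split():
            notes.append(f"dhgrp {group}: {rate_dh_group(int(group))}")
        for proposal in settings.get("proposal", "").split():
            notes.append(f"proposal {proposal}: {rate_proposal(proposal)}")
        findings[f"{table}/{name}"] = notes
    return findings


# Constructed sample: one tunnel following the recommendations, one legacy tunnel.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha384 aes256gcm-prfsha384
        set dhgrp 19 20
    next
    edit "legacy-asa"
        set interface "wan1"
        set ike-version 1
        set proposal aes256-sha1 3des-md5
        set dhgrp 14 5
    next
end
config vpn ipsec phase2-interface
    edit "to-branch"
        set phase1name "to-branch"
        set proposal aes256-sha384
        set dhgrp 20
    next
end
"""

if __name__ == "__main__":
    for tunnel, notes in audit_config(SAMPLE_CONFIG).items():
        print(tunnel)
        for note in notes:
            print("   ", note)
```

Feed it the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` concatenated; anything rated `weak`, `below-minimum` or `avoid` is a tunnel whose proposal or `dhgrp` list should be tightened, and a phase1 entry still at `ike-version 1` is worth reviewing against the Cisco ASA caveat above.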


This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
