For When You Can't Have The Real Thing

DH Selection For IPsec VPNs

Created by dave. Last edited by dave, 72 days ago.
(2019-03-13)

Problem

What DH value should I use for my IPsec tunnels?

As of March 2019

IKE:

  • IKEv1 is still acceptable; there's no burning reason to choose IKEv2 over IKEv1

DH Group:

  • ideal is DH-19 or DH-20
  • minimum for reasonable security is DH-14; going below that is not recommended

Algorithms:

  • use AES-128 (or higher) with SHA-128 (or higher)
  • always avoid DES
  • avoid 3DES and/or MD5 if at all possible
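
One way to check an existing configuration against the DH and algorithm guidance above. This is an added example, not part of the original notes: the `audit` function, the tunnel names and the sample configuration are constructed for illustration, and the sample only imitates the layout of FortiOS `show` output.

```python
import re

# Constructed sample in FortiOS CLI syntax (not taken from a real device).
SAMPLE_CONFIG = '''
config vpn ipsec phase1-interface
    edit "branch-old"
        set proposal 3des-md5 aes128-sha256
        set dhgrp 5 14
    next
    edit "branch-new"
        set proposal aes256-sha256
        set dhgrp 19 20
    next
end
config vpn ipsec phase2-interface
    edit "branch-old-p2"
        set proposal des-sha1
        set dhgrp 2
    next
end
'''

MIN_DH = 14                     # the notes' minimum for reasonable security
WEAK = {"des", "3des", "md5"}   # the notes' algorithms to avoid

def audit(config_text):
    """Return sorted (section, tunnel, finding) tuples for weak IPsec settings."""
    findings, section, tunnel, depth = [], None, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"config vpn ipsec (phase[12](?:-interface)?)$", line)
        if m:
            section, depth = m.group(1), 0
        elif section and line.startswith("config "):
            depth += 1          # nested table inside a tunnel entry
        elif section and line == "end":
            section, depth = (section, depth - 1) if depth else (None, 0)
        elif section and line.startswith("edit ") and depth == 0:
            tunnel = line[5:].strip('"')
        elif section and line.startswith("set dhgrp "):
            findings += [(section, tunnel, f"DH group {g} is below {MIN_DH}")
                         for g in line.split()[2:] if int(g) < MIN_DH]
        elif section and line.startswith("set proposal "):
            for prop in line.split()[2:]:
                for part in WEAK & set(prop.split("-")):
                    findings.append((section, tunnel, f"{prop} uses {part.upper()}"))
    return sorted(findings)

if __name__ == "__main__":
    for section, tunnel, finding in audit(SAMPLE_CONFIG):
        print(f"{section} {tunnel}: {finding}")
```

Settings left at their default value do not appear in plain `show` output, so run this against `show full-configuration` output to cover tunnels that never had `dhgrp` or `proposal` set explicitly.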

This is a collection of technical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.
