DH Selection For IPsec VPNs
(2019-03-13)
Problem
What DH value should I use for my IPsec tunnels?As of March 2019
IKE:- IKEv1 is still acceptable, there's no burning reason to choose IKEv2 over v1
- ideal is DH-19 or DH-20
- minimum for reasonable security is DH-14, going below that is not recommended
- use AES-128 (or higher) with SHA-128 (or higher)
- Always avoid DES
- Avoid 3DES and/or MD5 if at all possible
References
- some reddit thread somewhere which I can't find any more, yeah possibly sketchy AF maybe, but it's backed up by other places on the web
- DH group, October 2018:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk27054 - NCSC (UK) requirements for their tunnels, March 2019 https://www.ncsc.gov.uk/guidance/using-ipsec-protect-data
no comments |
post comment
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Port Vlan Mirror Analyzer- tls
- systemd
- Bluetooth Mouse Stops Working
- pcap to netflow
- Useful nfdump examples
- Samba Winbind
- key type ssh-rsa not in PubkeyAcceptedAlgorithms
- Linux
- Show POE Utilization
- Read-Only Admin Profile
- Grow Linux Filesystem
- LDAP lookup account considerations
- Fedora Upgrade Procedure
- Installing From The Vault
- Associating From Addresses To Inbound IP Addresses
- Test SMTP-AUTH using Telnet
- SSH Key Exchange Login Fails
- IPSA self test failed, disable IPSA!
- Missing HTTPOnly Cookie Attribute
- Disable TCP Timestamps
- 2021
- 2020
- 2019
- 2018
- 2017
- 2016
- 2015
- 2014
- 2013
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.