Cisco Support Community
Community Member

AES 256 which DH group?

Hi All,

I have been using AES-256 with DH group 2 and PFS group 2 for my site-to-site VPN tunnels.

Now I am considering modifying the DH groups for both P1 and PFS to group 5, or keeping them at group 2.

Is it a must to have DH group 5 with AES-256, or is having DH group 2 with AES-256 also common?

Hall of Fame Super Silver

AES 256 which DH group?

Sure, group 5 is theoretically more secure, but I have not seen it actually being used in the VPNs I've worked with. Simply by using AES-256 uniformly you will be ahead of most folks.

Usually there are so many other less secure aspects of networks that the DH Group would be waaaaaay down on my list of things to improve upon.

However, if all your site-to-site VPNs are under your exclusive configuration control, have at it by setting DH Group 5 at all sites.

Caveats: you will need to be running a high crypto image (K2 or K9), and please be aware of bug "CSCtg97145 - Interface overruns upon IPSEC rekey with PFS and DH5" (applies to ASA 8.0(4) and 8.2(2)).
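For readers who want to see what "DH Group 5 at all sites" looks like in practice, here is an added ASA 8.x configuration example. It is not the poster's or the answerer's configuration; the policy number, peer address (203.0.113.10, a documentation range), ACL name VPN-TRAFFIC, crypto map name outside_map, interface name outside and the pre-shared key placeholder are all assumptions. Both Phase 1 (ISAKMP) and PFS are set to group 5, and the two lines that would read group 2 in the questioner's current setup are called out in comments.

```cisco
! Added example (not from the original thread): ASA 8.x site-to-site tunnel
! using AES-256 with DH group 5 for Phase 1 and for PFS.
! Assumed names/values: policy 10, peer 203.0.113.10, ACL VPN-TRAFFIC,
! crypto map outside_map, interface "outside", placeholder pre-shared key.

! Phase 1 (IKE/ISAKMP) policy: AES-256, SHA-1, DH group 5 (1536-bit MODP)
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside

! Phase 2 transform set: ESP with AES-256 and SHA-1 HMAC
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

! Peer definition with the (placeholder) pre-shared key
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key REPLACE-WITH-REAL-KEY

! Crypto map entry: PFS with DH group 5 on every IPsec rekey
crypto map outside_map 10 match address VPN-TRAFFIC
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set pfs group5
crypto map outside_map interface outside

! The questioner's current setup differs only in these two lines:
!   group 2                                   (under "crypto isakmp policy 10")
!   crypto map outside_map 10 set pfs group2
```

The group must match on both peers or Phase 1 negotiation will fail, which is why the answer ties this to having all sites under your own control; change the remote side in the same maintenance window. After the tunnel comes up, `show crypto ipsec sa` reports whether PFS is on and which DH group was negotiated for the IPsec SA, and `show version` lists whether the 3DES/AES encryption license (the K9 image prerequisite mentioned above) is enabled on the box.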
