About Diffie-Hellman Groups
Diffie-Hellman (DH) groups determine the strength of the key used in the key exchange process. Higher group numbers are more secure, but require additional time to compute the key.
Fireware supports these Diffie-Hellman groups:
- DH Group 1: 768-bit group
- DH Group 2: 1024-bit group
- DH Group 5: 1536-bit group
- DH Group 14: 2048-bit group
- DH Group 15: 3072-bit group
- DH Group 19: 256-bit elliptic curve group
- DH Group 20: 384-bit elliptic curve group
Both peers in a VPN exchange must use the same DH group, which is negotiated during Phase 1 of the IPSec negotiation process. When you define a manual BOVPN tunnel, you specify the Diffie-Hellman group as part of Phase creation of an IPSec connection. This is where the two peers make a secure, authenticated channel they can use to communicate.
DH groups and Perfect Forward Secrecy (PFS)
In addition to Phase 1, you can also specify the Diffie-Hellman group to use in Phase 2 of an IPSec connection. Phase 2 configuration includes settings for a security association (SA), or how data packets are secured when they are passed between two endpoints. You specify the Diffie-Hellman group in Phase 2 only when you select Perfect Forward Secrecy (PFS).
PFS makes keys more secure because new keys are not made from previous keys. If a key is compromised, new session keys are still secure. When you specify PFS during Phase 2, a Diffie-Hellman exchange occurs each time a new SA is negotiated.
The DH group you choose for Phase 2 does not need to match the group you choose for Phase 1.
How to Choose a Diffie-Hellman Group
For branch office VPN tunnels and BOVPN virtual interfaces, the default DH group for both Phase 1 and Phase 2 is Diffie-Hellman Group 2. This group provides basic security and good performance. If the speed for tunnel initialization and rekey is not a concern, use a higher DH group. Actual initialization and rekey speed depends on a number of factors. You might want to try one of the higher DH groups and decide whether the slower performance time is a problem for your network. If the performance is unacceptable, change to a lower DH group.