25-7
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding IKE
The following options, which are even more secure, are available for IKEv2 configurations on ASA
8.4(2+) devices:
SHA512—A 512-bit key.
SHA384—A 384-bit key.
SHA256—A 256-bit key.
MD5 (Message Digest 5) produces a 128-bit digest and uses less processing time for an overall
faster performance than SHA, but it is considered to be weaker than SHA.
Related Topics
Understanding IKE, page 25-5
Configuring an IKE Proposal, page 25-9
Deciding Which Diffie-Hellman Modulus Group to Use
Security Manager supports the following Diffie-Hellman key derivation algorithms to generate IPsec
security association (SA) keys. Each group has a different size modulus. A larger modulus provides
higher security, but requires more processing time. You must have a matching modulus group on both
peers.
Tip If you select AES encryption, to support the large key sizes required by AES, ISAKMP negotiation
should use Diffie-Hellman (DH) Group 5 or higher. For IKEv1, ASA devices support groups 2 and 5
only.
Diffie-Hellman Group 1: 768-bit modulus. Use to generate IPsec SA keys where the prime and
generator numbers are 768 bits.
Diffie-Hellman Group 2: 1024-bit modulus. Use to generate IPsec SA keys where the prime and
generator numbers are 1024 bits. Cisco VPN Client Version 3.x or higher requires a minimum of
Group 2.
Diffie-Hellman Group 5: 1536-bit modulus. Use to generate IPsec SA keys where the prime and
generator numbers are 2048 bits. Considered good protection for 128-bit keys, but group 14 is better.
Diffie-Hellman Group 7: Use to generate IPsec SA keys when the elliptical curve field size is 163
characters. Group 7 is not supported on a Catalyst 6500/7600 device with VPNSM or VPN SPA
configuration.
Diffie-Hellman Group 14: 2048-bit modulus. Considered good protection for 128-bit keys. (ASA
9.0.1+ devices only).
Diffie-Hellman Group 15: 3072-bit modulus. Considered good protection for 192-bit keys.
Diffie-Hellman Group 16: 4096-bit modulus. Considered good protection for 256-bit keys.
Diffie-Hellman Group 19: (256-bit elliptical curve field size). (ASA 9.0.1+ devices only).
Diffie-Hellman Group 20: (384-bit elliptical curve field size). (ASA 9.0.1+ devices only).
Diffie-Hellman Group 21: (521-bit elliptical curve field size). (ASA 9.0.1+ devices only).
Diffie-Hellman Group 24: (2048-bit modulus and 256-bit prime order subgroup). (ASA 9.0.1+ devices only).
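As an added example (not Security Manager's own code), the following Python checks an IKE proposal against the hash and Diffie-Hellman guidance above: the group sizes, the AES-to-group-5 rule and the key-strength ratings come from this page, while the proposal dictionary layout, the encryption names and the `asa_ikev1` flag are assumptions.

```python
"""Lint an IKE proposal against the hashing and Diffie-Hellman guidance above.

Added example, not Cisco Security Manager code. Group sizes and the
key-strength ratings are taken from the page; the proposal dictionary
layout and the encryption names are assumptions.
"""

# Modulus (MODP groups) or curve field size (EC groups) in bits, per the page.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 7: 163, 14: 2048, 15: 3072,
                 16: 4096, 19: 256, 20: 384, 21: 521, 24: 2048}

# MODP groups the page rates against symmetric key sizes (group 24 and the
# EC groups are listed without a rating, so they are not compared here).
RATED_MODP_GROUPS = (1, 2, 5, 14, 15, 16)

# Smallest MODP group the page calls "good protection" for each AES key size.
RECOMMENDED_GROUP = {128: 14, 192: 15, 256: 16}

# Symmetric key length for the encryption names a proposal may carry (assumed).
ENCRYPTION_KEY_BITS = {"3des": 168, "aes": 128, "aes-192": 192, "aes-256": 256}


def lint_proposal(proposal, asa_ikev1=False):
    """Return a list of findings; an empty list means the proposal follows the guidance."""
    findings = []
    enc = proposal["encryption"].lower()
    group = proposal["dh_group"]
    if group not in DH_GROUP_BITS:
        return [f"unknown Diffie-Hellman group {group}"]
    if proposal["hash"].lower() == "md5":
        findings.append("MD5 is weaker than SHA; prefer a SHA variant")
    if enc.startswith("aes"):
        if group in (1, 2):
            findings.append(f"AES requires DH group 5 or higher, got group {group}")
        key_bits = ENCRYPTION_KEY_BITS[enc]
        wanted = RECOMMENDED_GROUP[key_bits]
        if group in RATED_MODP_GROUPS and group < wanted:
            findings.append(f"group {group} ({DH_GROUP_BITS[group]}-bit modulus) is below "
                            f"group {wanted}, which the page rates as good protection "
                            f"for {key_bits}-bit keys")
    if asa_ikev1 and group not in (2, 5):
        findings.append("ASA IKEv1 supports DH groups 2 and 5 only")
    return findings


if __name__ == "__main__":
    # Constructed sample proposals for a quick check.
    for p in ({"encryption": "aes-256", "hash": "sha", "dh_group": 16},
              {"encryption": "aes", "hash": "md5", "dh_group": 2}):
        print(p, lint_proposal(p) or ["ok"])
```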