Fortinet black logo

Admin Guide (Standalone)

Home FortiExtender 7.4.4 Admin Guide (Standalone)
7.4.4
7.4.4
7.4.1
7.4.0
7.2.3
7.2.2
7.2.0
7.0.3
7.0.2
7.0.1

IPsec VPN supports more DH groups

IPsec VPN supports more DH groups

Diffie-Hellman (DH) key exchange in phase1 is used to negotiate and exchange private keys for phase2. FortiExtender now provides more DH group options. New DH group options ("15", "16", "17", "18", "19", "20", "21", "27", "28", "29", "30", "31", "32") are added to the ipsec phase1-interface/phase2-interface config file.

Any DH groups less than 15 are not recommended due to their low security levels. And Elliptic Curve Groups ("19", "20", "21", "27", "28", "29", "30", "31", "32") offer better security compared to the MODP groups ("1", "2", "5", "14", "15", "16", "17", "18"). The DH groups in phase2 should be set to the same value as those for phase1, and PFS is recommended.

Previous
Next

IPsec VPN supports more DH groups

Diffie-Hellman (DH) key exchange in phase1 is used to negotiate and exchange private keys for phase2. FortiExtender now provides more DH group options. New DH group options ("15", "16", "17", "18", "19", "20", "21", "27", "28", "29", "30", "31", "32") are added to the ipsec phase1-interface/phase2-interface config file.

Any DH groups less than 15 are not recommended due to their low security levels. And Elliptic Curve Groups ("19", "20", "21", "27", "28", "29", "30", "31", "32") offer better security compared to the MODP groups ("1", "2", "5", "14", "15", "16", "17", "18"). The DH groups in phase2 should be set to the same value as those for phase1, and PFS is recommended.

Previous
Next