Fortigate to Fortigate IPsec site to site VPN - Wont form with DH 19-21 Elliptic curve

Forum|Forum|10 years ago
October 29, 2015
2 replies
6215 views

Hello every one. I believe i found a bug. so setting up a site to site IPSEC VPN between 100D 5.2.1 and 60D 5.2.0.

When I tried using the below DH groups for the phase1 the devices kept giving me some weird errors..

DH Group 19: 256-bit random ECP Group DH Group 20: 384-bit random ECP Group DH Group 21: 521-bit random ECP Group

When I take the DH group down to DH18 its works right away.

Has anyone else ran across this? From what i've been reading ECC is going to be the wave of the future.

Regards,

Daniel

DH-debug.txt

emnoc

New Member

You might need to try with the newiest FortiOS version. I have seen the exact same thing with dhgrp-20 and Fortigate to PaloAlto. Can you upgrade to 5.2.3 or 5.2.4 for both devices and give it a try?

FWIW Also seen the same things with other firewall appliance and dhgrp 24.

howardsincAuthor

New Member

I just upgraded both Fortigates to 5.2.4 and it fixed the issue.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded