Jaywant
New Member
February 1, 2022
Question

What difference/impact does it make when we change the dh-param value under config system global?

  • February 1, 2022
  • 1 reply
  • 1676 views

Hello Team,

Please help me understand: can it stop currently working IPsec VPN tunnels that use a lower enc-proto when we increase the default value from 2048 to a higher one?

Has anyone tested it in real time?

FOS-703-CLI

https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/344487/global-commands-for-stronger-and-more-secure-encryption

https://docs.fortinet.com/document/fortigate/7.0.0/best-practices/555436/hardening


1 reply

AlexC-FTNT
Staff
February 3, 2022

The resource usage certainly increases, and is especially visible in lower-end units. 

But this is not caused by the key size but by the DH group. Higher group = more secure = longer key size (default is group 14 with a key of 2048 bits).

Does it stop working IPsec VPN tunnels? > The DH groups must match. So if you chose (only) DH group 5 on one device and (only) DH group 14 on another, they will not work. But I think the key size can only be a problem if the remote device does not support longer keys (doesn't expect or can't process them).
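The "groups must match" point from the reply above, worked through as an added example (this is not code from the thread or from Fortinet). It assumes the FortiOS phase1-interface `set dhgrp ...` syntax for listing the DH groups a tunnel proposes, uses the published MODP/ECP group sizes from RFC 3526 and RFC 5903, and runs over a constructed config snippet: it parses each tunnel's group list, then simulates the IKE choice of the first initiator-proposed group the responder also accepts, returning None when there is no overlap (the "only group 5 vs only group 14" case).

```python
"""Model IKE Diffie-Hellman group negotiation between two IPsec peers.

Added example, not from the forum thread or Fortinet. The `set dhgrp` lines and
tunnel names below are constructed; the FortiOS syntax is an assumption.
"""
import re

# DH group number -> (family, size in bits). Groups 1-2: RFC 2409,
# 5 and 14-18: RFC 3526, 19-21 (elliptic curve): RFC 5903.
DH_GROUPS = {
    1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
    14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
    17: ("MODP", 6144), 18: ("MODP", 8192),
    19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521),
}


def parse_dhgrp(config_text):
    """Return {tunnel_name: [DH groups in configured order]} from a
    'config vpn ipsec phase1-interface' block (assumed FortiOS syntax)."""
    tunnels = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"([^"]+)"$', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r'^set dhgrp\s+(.+)$', line)
        if m and current is not None:
            tunnels[current] = [int(g) for g in m.group(1).split()]
        if line == "next":
            current = None
    return tunnels


def negotiate(initiator_groups, responder_groups):
    """IKE settles on the first group in the initiator's proposal that the
    responder also accepts; None means the tunnel cannot come up."""
    for g in initiator_groups:
        if g in responder_groups:
            return g
    return None


def describe(group):
    """Human-readable size of a DH group, e.g. 'group 14 (MODP 2048-bit)'."""
    family, bits = DH_GROUPS[group]
    return f"group {group} ({family} {bits}-bit)"


# Constructed sample: three tunnels with different proposal lists.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "legacy-peer"
        set dhgrp 5
    next
    edit "hq-default"
        set dhgrp 14
    next
    edit "hq-compatible"
        set dhgrp 14 5
    next
end
"""


def check_pairs(config_text):
    """For every ordered pair of tunnels in the config, report the negotiated
    group (or None) as if one side initiated to the other."""
    tunnels = parse_dhgrp(config_text)
    results = {}
    for a, a_groups in tunnels.items():
        for b, b_groups in tunnels.items():
            if a != b:
                results[(a, b)] = negotiate(a_groups, b_groups)
    return results


if __name__ == "__main__":
    for (a, b), g in check_pairs(SAMPLE_CONFIG).items():
        print(f"{a} -> {b}: {'FAIL, no common DH group' if g is None else describe(g)}")
```

Listing two groups (`set dhgrp 14 5`) keeps the stronger group first while still letting a peer that only supports group 5 connect; removing group 5 from that list is what breaks such a peer, so check every remote's proposal list before tightening the local one.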