Diffie-Hellman Groups.

Diffie-Hellman groups define the cryptographic strength used during key exchange. Larger group numbers offer higher security but may increase CPU load.

IKEv1 vs IKEv2 Comparison:

CLI Example: IKEv2 with DH Group 20:

config vpn ipsec phase1-interface
    edit "vpn-to-remote"
        set interface "wan1"
        set ike-version 2
        set dhgrp 20
        set proposal aes256-sha256
        set psksecret ENC xxxxxxxx
        set remote-gw 198.51.100.1
    next
end

CLI Example: IKEv1 with DH Group 5:

config vpn ipsec phase1-interface
    edit "vpn-legacy"
        set interface "wan1"
        set ike-version 1
        set dhgrp 5
        set proposal 3des-sha1
        set psksecret ENC xxxxxxxx
        set remote-gw 192.0.2.10
    next
end

Key notes:

• Groups 1, 2, 5 → Legacy, avoid unless absolutely required for backward compatibility.

• Group 14 (MODP 2048) → Baseline safe if elliptic curve groups are not available.

• Groups 19 & 20 (ECP) → Elliptic curve groups, efficient and recommended.

• Group 21 (MODP 3072) → Stronger than 14 but heavier; still considered acceptable if ECC is not usable.

• Group 31 (Curve25519) → Modern and highly recommended for both security and performance.

On FortiGate, when configuring IPsec Phase 1 or 2, it is best practice to select Groups 14, 19, 20, or 31, depending on the peer's compatibility.

Best practices:

• Use IKEv2 for all new deployments due to protocol efficiency, crash recovery, and better EAP and mobility support.
• Group 14 is the minimum recommended DH group. Group 19 or 31 is preferred for stronger security and performance.
• Verify compatibility with third-party vendors when changing DH groups.

GUI Configuration Path:

• Select 'VPN' -> 'IPsec Tunnels'.
• Select 'Create New' or edit an existing tunnel
• Under Phase 1 settings, select the appropriate IKE version and DH group under 'Advanced'.