Jaywant
New Contributor II

What difference/impact does it make when we change dh-param value under config system global?

Hello Team,

Please help me understand: can it stop working IPSec VPN tunnels with a lower enc-proto when we increase the default value from 2048 to a higher one?

Has anyone tested it in real time?

FOS-703-CLI

https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/344487/global-commands-f...

https://docs.fortinet.com/document/fortigate/7.0.0/best-practices/555436/hardening

 

Thanks & Regards,
Jaywant

1 REPLY
AlexC-FTNT
Staff

The resource usage certainly increases, and is especially visible in lower-end units. 

But this is not caused by the key size, but the DH-group. Higher group = more secure = longer key size (default is group 14 with a key of 2048b).

Does it stop working IPSEC VPN tunnels? > The DH groups must match. So if you choose (only) DH group 5 in one device and (only) DH-14 in another, they will not work. But I think the key size can only be a problem if the remote device does not support longer keys (doesn't expect or can't process them).


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and choose the solution, too00oo -
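The matching rule from the reply above, as an added example that is not part of the original thread and not Fortinet's code: it reads the `set dhgrp` lines of a FortiOS phase 1 configuration and reports, per tunnel, which DH groups both peers offer and which of those are MODP groups below 2048 bits. The configuration text, tunnel names and remote-peer groups are constructed samples, and the function names are hypothetical.

```python
import re

# IKE DH group number -> (kind, size in bits), from RFC 2409, 3526 and 5903.
DH_GROUPS = {
    1: ("MODP", 768), 2: ("MODP", 1024), 5: ("MODP", 1536),
    14: ("MODP", 2048), 15: ("MODP", 3072), 16: ("MODP", 4096),
    19: ("ECP", 256), 20: ("ECP", 384), 21: ("ECP", 521),
}

# Constructed sample: local FortiGate phase 1 definitions (tunnel names are made up).
LOCAL_CONFIG = """
config vpn ipsec phase1-interface
    edit "to-site-b"
        set dhgrp 14 5
    next
    edit "to-legacy"
        set dhgrp 14
    next
end
"""
# Constructed sample: DH groups each remote peer is configured to offer.
REMOTE_GROUPS = {"to-site-b": {5}, "to-legacy": {5}}

def phase1_dh_groups(config_text):
    """Map tunnel name -> set of DH groups; no explicit dhgrp line gives an empty set."""
    tunnels, name, in_p1 = {}, None, False
    for line in (raw.strip() for raw in config_text.splitlines()):
        if line == "config vpn ipsec phase1-interface":
            in_p1 = True
        elif in_p1 and line == "end":
            in_p1 = False
        elif in_p1 and (m := re.fullmatch(r'edit "?([^"]+)"?', line)):
            name = m.group(1)
            tunnels[name] = set()
        elif in_p1 and name and (m := re.fullmatch(r"set dhgrp ([\d ]+)", line)):
            tunnels[name] = {int(g) for g in m.group(1).split()}
    return tunnels

def audit(config_text, remote_groups):
    """Per tunnel: DH groups both sides offer, and the shared MODP groups under 2048 bits."""
    report = {}
    for name, local in phase1_dh_groups(config_text).items():
        shared = sorted(local & remote_groups.get(name, set()))
        weak = [g for g in shared if DH_GROUPS.get(g, ("?", 0)) == ("MODP", DH_GROUPS.get(g, ("?", 0))[1]) and DH_GROUPS[g][1] < 2048]
        report[name] = {"shared": shared, "weak": weak}
    return report

if __name__ == "__main__":
    print(audit(LOCAL_CONFIG, REMOTE_GROUPS))
```

An empty `shared` list is the mismatch case the reply describes (only group 14 on one side, only group 5 on the other); a non-empty `weak` list marks a tunnel that would still negotiate, but on a group below 2048 bits.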