Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jaywant
New Contributor II

Created on ‎02-01-2022 06:20 AM Edited on ‎02-01-2022 06:21 AM

What differance/impact does it make when we change dh-param value under config system global?

Hello Team,

 

Please help me to understand can it stop the working IPSec VPN tunnels with lower enc-proto when we increase the default value from 2048 to upper side?

Has anyone tested it real time?

FOS-703-CLI

https://docs.fortinet.com/document/fortigate/6.2.0/hardening-your-fortigate/344487/global-commands-f...

https://docs.fortinet.com/document/fortigate/7.0.0/best-practices/555436/hardening

 

Thanks & Regards,
Jaywant

Thanks & Regards,Jaywant
Labels:
1174
0 Kudos
1 REPLY 1
AlexC-FTNT
Staff
Staff

Created on ‎02-03-2022 02:54 AM

The resource usage certainly increases, and is especially visible in lower-end units. 

But this is not caused by the key size, but the DH-group. Higher group = more secure = longer key size (default is group 14 with a key of 2048b).

Does it stop working IPSEC VPN tunnels? > The DH groups must match. So if you chose (only)DH group 5 in one device and (only) DH-14 in another, they will not work. But I think the key size can only be a problem if the remote device does not support longer keys (doesn't expect or can't process them)


- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
1117
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.