Hi,
I am checking the documents for security best practices and found that we can use the command set dh-params 8192 to force the second entity to use the stronger group for encryption. I want to know what the overall impact of this command is, and specifically the impact of this command on existing IPSEC configurations. For example, if I have installed IPSEC tunnels in my environment with group 4 or group then how will this command impact me? And secondly, if tomorrow another client comes and says that he does not support 8192 in his system, or for any reason he doesn't want to use the same group, can we use other groups for that particular IPSEC?
DH param 8192 is DH bit modulus group 18, which will make the encryption keys a lot longer. That means more computation power is required for the IPsec decryption. For more details, you can check RFC 3526. So, if the other side doesn't support this, then you won't be able to use it.
Hi Amrti,
Thanks a lot for your response. If I won't be able to use it, then do I have to configure it back again to 2048, or will the FGT automatically select the suitable algorithm?