dh_group

Use this command to configure the IKE Diffie-Hellman (DH) key exchange group for the IKE proposal.

Syntax

dh_group {1 | 2 | 14}
no dh_group {1 | 2 | 14}

Parameters

1 Specifies DH group 1 (modp768).
2 Specifies DH group 2 (modp1024).
14 Specifies DH group 14 (modp2048).

Defaults

None.

Mode

IKE proposal configuration.

Usage

IKE uses the Diffie-Hellman key derivation algorithm to generate IPsec SA keys. The difference between DH groups 1, 2, and 14 is the size of the generated key:

  • 1 – 768-bit key
  • 2 – 1024-bit key
  • 14 – 2048-bit key

The larger the generated key, the greater the security, but also the greater the system overhead. This release does not support a default DH group. You must manually configure a DH group.

Use the “no” option for this command to remove the IKE proposal DH group configuration.

Example

This example shows how to configure the winRadius_main proposal for DH group 14:

System(su-config)->crypto ike-proposal winRadius_main
System(su-crypto-proposal)->dh_group 14
System(su-crypto-proposal)->
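
Because this release has no default DH group and accepts groups as small as 768 bits, a list of proposal commands can be checked offline for proposals that are missing a group or use a small one. The script below is an added example, not vendor code: it assumes the commands are available as plain text lines (with or without the CLI prompt), and the 2048-bit floor and all proposal names other than winRadius_main are assumptions.

```python
import re

# Modulus size per group, taken from the Parameters list on this page.
DH_BITS = {1: 768, 2: 1024, 14: 2048}
MIN_BITS = 2048  # assumed local policy floor, not a device setting
PROMPT = re.compile(r"^\w+\([\w-]+\)->\s*")  # e.g. "System(su-config)->"

def audit(text, min_bits=MIN_BITS):
    """Return {proposal: finding} for proposals whose DH group is missing or weak."""
    groups, current = {}, None  # proposal name -> configured group (or None)
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if len(words) == 3 and words[:2] == ["crypto", "ike-proposal"]:
            current = words[2]
            groups.setdefault(current, None)
        elif current and len(words) == 2 and words[0] == "dh_group":
            groups[current] = int(words[1]) if words[1].isdigit() else -1
        elif current and words[:2] == ["no", "dh_group"]:
            groups[current] = None  # "no" form removes the setting
    findings = {}
    for name, group in groups.items():
        if group is None:
            findings[name] = "no dh_group configured (this release has no default)"
        elif group not in DH_BITS:
            findings[name] = "dh_group value is not one of 1, 2, 14"
        elif DH_BITS[group] < min_bits:
            findings[name] = f"dh_group {group} is {DH_BITS[group]}-bit, below {min_bits}"
    return findings

# Constructed sample; every proposal name except winRadius_main is made up.
SAMPLE = """\
crypto ike-proposal winRadius_main
dh_group 14
crypto ike-proposal legacy_peer
dh_group 2
crypto ike-proposal branch_a
dh_group 14
no dh_group 14
crypto ike-proposal lab
"""

if __name__ == "__main__":
    for name, finding in audit(SAMPLE).items():
        print(f"{name}: {finding}")
```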