dh
Use dh to specify the DH group to be used for key negotiation in IKE phase 1.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used.
In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group5: Uses the 1536-bit Diffie-Hellman group.
Usage guidelines
A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.
Examples
# Specify the 2048-bit Diffie-Hellman group group14 to be used for key negotiation in IKE phase 1 in IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] dh group14
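# Added example (not part of the original command reference): a Python check that reads saved configuration text and reports the effective DH group of each IKE proposal, including proposals with no dh line, which fall back to the default described above. The sample configuration, the function name audit_ike_dh, and the 2048-bit minimum are assumptions made for illustration.

```python
import re

# Modulus sizes as listed under Parameters on this page.
DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536,
           "group14": 2048, "group24": 2048}
MIN_BITS = 2048  # assumed local policy threshold, not a value from this page

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 dh group14
#
ike proposal 2
 dh group2
#
ike proposal 3
 encryption-algorithm aes-cbc-128
#
"""

def audit_ike_dh(config, fips_mode=False, min_bits=MIN_BITS):
    """Return {proposal_id: (effective_group, bits, meets_policy)}."""
    # Defaults per this page: group1 in non-FIPS mode, group14 in FIPS mode.
    default = "group14" if fips_mode else "group1"
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ike proposal (\d+)\s*$", line)
        if m:
            current = int(m.group(1))
            groups[current] = default  # no dh line means the default applies
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the proposal view
            continue
        m = re.match(r"\s+dh (group\d+)\s*$", line)
        if m and current is not None:
            groups[current] = m.group(1)
    result = {}
    for pid, group in groups.items():
        bits = DH_BITS.get(group, 0)  # unknown group counts as 0 bits, so it is flagged
        result[pid] = (group, bits, bits >= min_bits)
    return result

if __name__ == "__main__":
    for pid, (group, bits, ok) in sorted(audit_ike_dh(SAMPLE_CONFIG).items()):
        print(f"ike proposal {pid}: {group} ({bits}-bit) {'OK' if ok else 'WEAK'}")
```

# Proposal 3 in the sample has no dh line, so in non-FIPS mode it is reported as group1 (768-bit) even though the configuration never mentions a DH group.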
Related commands
display ike proposal