Use dh to specify DH groups to be used in IKEv2 key negotiation.

Use undo group to restore the default.


In non-FIPS mode:

dh { group1 | group14 | group2 | group24 | group5 | group19 | group20 } *

undo dh

In FIPS mode:

dh { group14 | group19 | group20 } *

undo dh


No DH group is specified for an IKEv2 proposal.


IKEv2 proposal view

Predefined user roles




group1: Uses the 768-bit Diffie-Hellman group.

group2: Uses the 1024-bit Diffie-Hellman group.

group5: Uses the 1536-bit Diffie-Hellman group.

group14: Uses the 2048-bit Diffie-Hellman group.

group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.

group19: Uses the 256-bit ECP Diffie-Hellman group.

group20: Uses the 384-bit ECP Diffie-Hellman group.

Usage guidelines

A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose proper DH groups for your network.

You must specify a minimum of one DH group for an IKEv2 proposal. Otherwise, the proposal is incomplete and useless.

You can specify multiple DH groups for an IKEv2 proposal. A group specified earlier has a higher priority.


# Specify DH group 1 for IKEv2 proposal 1.

<Sysname> system-view
[Sysname] ikev2 proposal 1
[Sysname-ikev2-proposal-1] dh group1

Related commands

ikev2 proposal