< Home

dh

Function

The dh command specifies a Diffie-Hellman (DH) group used for IKE negotiation.

The undo dh command restores the default DH group for IKE negotiation.

By default, group14 is used for IKE negotiation.

Format

dh { group14 | group19 | group20 | group21 }

undo dh

Parameters

Parameter Description Value

group14

Uses the 2048-bit DH group in IKE negotiation phase 1.

-

group19

Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1.

-

group20

Uses the 384-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1.

-

group21

Uses the 521-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1.

-

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The DH algorithm is a public key algorithm. Two communicating parties calculate a shared key based on data exchanged between them, without transmitting the key. A third party (such as a hacker) cannot calculate the actual key even if it obtains all exchanged data for key calculation.

Precautions

  • Both ends of an IPSec tunnel must be configured with the same DH group. Otherwise, the negotiation fails.

  • The security level order of the DH groups is: group21 > group20 > group19 > group14.

  • The system software does not support the group1, group2, and group5 parameters. To use these DH groups, you need to install the WEAKEA plug-in. For higher security purposes, you are advised to specify other DH groups.

Example

# Specify the 2048-bit DH group for the IPSec Efficient VPN policy. 
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] dh group14
Parent Topic: IPSec Configuration Commands (IPSec Efficient VPN)
Copyright © Huawei Technologies Co., Ltd.
Copyright © Huawei Technologies Co., Ltd.
< Previous topic Next topic >