dh-group (Security IKE)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 8.5.

Support for the group14 option added in Junos OS Release 11.1.

Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.

Support for group19 and group20 options added in Junos OS Release 15.1X49-D70 for vSRX.

Support for the group15, group16, and group21 options introduced in Junos OS Release 19.1R1 on the SRX5000 line of devices with the SRX5K-SPC3 card.

Description

Specify the IKE Diffie-Hellman group.

Note

The device does not delete existing IPsec SAs when you update the dh-group configuration in the IKE proposal.

Options

dh-group—Diffie-Hellman group for key establishment.

  • group1—768-bit Modular Exponential (MODP) algorithm.

  • group2—1024-bit MODP algorithm.

  • group5—1536-bit MODP algorithm.

  • group14—2048-bit MODP group.

  • group15—3072-bit MODP algorithm.

  • group16—4096-bit MODP algorithm.

  • group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.

  • group20—384-bit random ECP groups algorithm.

  • group21—521-bit random ECP groups algorithm.

  • group24—2048-bit MODP Group with 256-bit prime order subgroup.

Note

We recommend that you use group14, group15, group16, group19, group20, or group21 instead of group1, group2, or group5.
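The recommendation above can be checked mechanically against an exported configuration. The following is an added example, not Juniper code: it assumes the configuration is available as set-format lines of the form `set security ike proposal <name> dh-group <group>`, and the proposal names in the sample are constructed.

```python
import re

# Group type and size as listed in the Options section of this page.
DH_GROUPS = {
    "group1": ("MODP", 768), "group2": ("MODP", 1024), "group5": ("MODP", 1536),
    "group14": ("MODP", 2048), "group15": ("MODP", 3072), "group16": ("MODP", 4096),
    "group19": ("ECP", 256), "group20": ("ECP", 384), "group21": ("ECP", 521),
    "group24": ("MODP", 2048),
}
# Both sets come from the recommendation note on this page.
RECOMMENDED = {"group14", "group15", "group16", "group19", "group20", "group21"}
DISCOURAGED = {"group1", "group2", "group5"}

# Assumed input: set-format lines; quoted proposal names with spaces are not handled.
LINE_RE = re.compile(r"^\s*set\s+security\s+ike\s+proposal\s+(\S+)\s+dh-group\s+(\S+)\s*$")

# Constructed sample configuration (proposal names are made up).
SAMPLE = """\
set security ike proposal branch-legacy authentication-method pre-shared-keys
set security ike proposal branch-legacy dh-group group2
set security ike proposal hq-ecp dh-group group20
set security ike proposal partner dh-group group24
set security ike proposal lab dh-group group5
"""

def audit_dh_groups(config_text):
    """Return (proposal, group, verdict) for every dh-group statement found."""
    findings = []
    for line in config_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dh-group statement
        proposal, group = m.groups()
        if group in RECOMMENDED:
            verdict = "ok"
        elif group in DISCOURAGED:
            verdict = "replace"
        elif group in DH_GROUPS:
            verdict = "review"  # group24: a valid option that the note lists in neither set
        else:
            verdict = "unknown"  # not an option documented on this page
        findings.append((proposal, group, verdict))
    return findings

if __name__ == "__main__":
    for proposal, group, verdict in audit_dh_groups(SAMPLE):
        kind, bits = DH_GROUPS.get(group, ("?", 0))
        print(f"{proposal:15} {group:8} {bits:>4}-bit {kind:4} {verdict}")
```

Because the device does not delete existing IPsec SAs when dh-group is updated, a clean result describes the configuration, not necessarily the SAs that are already established.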

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.