https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226706#M65263 <P>Hi</P><P>I must build up an IPSEC tunel between PA and Watchguard XTM. The other Side gives me ike phase where DH Group is 15.</P><P>&nbsp;</P><P>On PA I only can choose Group 1—768 bits, Group 2—1024 bits (default), Group 5—1536 bits, Group 14—2048 bits, Group 19—256-bit elliptic curve group, and Group 20—384-bit elliptic curve group</P><P>&nbsp;</P><P>Is there a way to build up a "custom" DH Group or must the otherside set the DH Group to a value that my PA side can work with?</P><P>&nbsp;</P><P><A href="https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/diffie_hellman_c.html" target="_blank">https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/diffie_hellman_c.html</A></P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/ike-phase-1" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/ike-phase-1</A></P> Fri, 10 Aug 2018 11:51:09 GMT clonesheep 2018-08-10T11:51:09Z https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226706#M65263 <P>Hi</P><P>I must build up an IPSEC tunel between PA and Watchguard XTM. The other Side gives me ike phase where DH Group is 15.</P><P>&nbsp;</P><P>On PA I only can choose Group 1—768 bits, Group 2—1024 bits (default), Group 5—1536 bits, Group 14—2048 bits, Group 19—256-bit elliptic curve group, and Group 20—384-bit elliptic curve group</P><P>&nbsp;</P><P>Is there a way to build up a "custom" DH Group or must the otherside set the DH Group to a value that my PA side can work with?</P><P>&nbsp;</P><P><A href="https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/diffie_hellman_c.html" target="_blank">https://www.watchguard.com/help/docs/fireware/12/en-US/Content/en-US/bovpn/manual/diffie_hellman_c.html</A></P><P><A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/ike-phase-1" target="_blank">https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-concepts/internet-key-exchange-ike-for-vpn/ike-phase-1</A></P> Fri, 10 Aug 2018 11:51:09 GMT https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226706#M65263 clonesheep 2018-08-10T11:51:09Z https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226716#M65266 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43193">@clonesheep</a></P><P>&nbsp;</P><P>You must set the watchguard to something that Paloalto firewalls support.</P><P>--&gt; <A href="https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-8-0/cipher-suites-supported-in-pan-os-8-0-ipsec" target="_blank">Supported Cipher suites for IPSec VPN</A></P> Fri, 10 Aug 2018 12:37:27 GMT https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226716#M65266 Remo 2018-08-10T12:37:27Z https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226853#M65304 <P>okay i was almost thinking. but i wanted to ask at least, not that there is a point for custom dh group somewhere.<BR />thank you</P> Mon, 13 Aug 2018 07:42:06 GMT https://live.paloaltonetworks.com/t5/general-topics/dh-group-15-ipsec-tunnel/m-p/226853#M65304 clonesheep 2018-08-13T07:42:06Z