12-06-2023 02:20 AM - edited 12-06-2023 02:22 AM
I need to migrate an old firewall to a PA-440 and came across an ancient IPsec where they have used DH group 15 for both phase 1 and 2. According to the docs for PanOS 10.2 DH 15 is now supported but the 440 whines about DH15 in phase 1 as I use IKE v1. DH15 in phase 2 seems OK. (Note: The cryptos are from the original setup, will change to more secure settings after migrating, also dependant on "the other side"...)
Message is:
Not support: group 15 is selected in [name of IKE crypto suite] which is attached to IKEv1 gateway [name of IKE GW](Module: ikemgr)
client ikemge phase 1 failure
Commit failed
Does anyone know why DH15 cannot be used and if there are plans to support it in IKE v1? It seems to me that the reason for adding DH15 etc. would be to have support for less secure algos during migration from older hardware and this often includes now obsolete setups like IKE v1.
Link to page stating support for DH15:
12-12-2023 05:40 PM
Good Day
The LiveCommunity may not work for PANW itself, so we cannot comment about if a feature/version will be supported.
But, knowing that IKEv1 is about 20 years old, I am curious why wouldn't take the higher ground get both sides to work with IKEv2 which is a longer/stronger DH key pair size.
Again, just a suggestion.
What other questions can we answer?
12-13-2023 12:43 AM
Sure, the community is the community, not PaloAlto itself. On the other hand, I think lots of people here stumble upon quirks like this on a daily basis so my intention was to see if someone else had had the same experience and perhaps even had come up with an explanation. After all, the docs state that DH15 is supported, and no exemptions are mentioned. That's what annoys me 🙂
I do agree (as I wrote initially) that DH15 (and IKEv1) would only be used in the migration phase and moving to IKEv2 with more secure cryptos is the goal. As I indicated, the other side of the tunnel is not under my control, but I have already suggested that persons responsible for this firewall contact "the other side" to come up with a better config. As it is so simple in the PA to allow multiple cryptos, I can allow lots of them and the opposing side can choose whatever they like and are capable of. Customers are often hesitant to change too many things before a migration or firewall swap so the workflow tends to be "swap gear first, fix config later". That's why I was so happy when I saw DH15 being supported in 10.2, but...
Thank you for your reply! Let's continue keeping the bad guys out!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
