12-06-2023 02:20 AM - edited 12-06-2023 02:22 AM
I need to migrate an old firewall to a PA-440 and came across an ancient IPsec where they have used DH group 15 for both phase 1 and 2. According to the docs for PAN-OS 10.2, DH 15 is now supported, but the 440 whines about DH15 in phase 1 as I use IKE v1. DH15 in phase 2 seems OK. (Note: The cryptos are from the original setup, will change to more secure settings after migrating, also dependent on "the other side"...)
Message is:
Not support: group 15 is selected in [name of IKE crypto suite] which is attached to IKEv1 gateway [name of IKE GW](Module: ikemgr)
client ikemge phase 1 failure
Commit failed
Does anyone know why DH15 cannot be used and if there are plans to support it in IKE v1? It seems to me that the reason for adding DH15 etc. would be to have support for less secure algos during migration from older hardware and this often includes now obsolete setups like IKE v1.
Link to page stating support for DH15: