
dh

Function

The dh command specifies a Diffie-Hellman (DH) group used for IKE negotiation.

The undo dh command restores the default DH group for IKE negotiation.

By default, group14 is used for IKE negotiation.

Format

dh { group1 | group2 | group5 | group14 | group15 | group16 | group18 | group19 | group20 | group21 | group24 } *

undo dh

Parameters

Parameter | Description                                                                                | Value
group1    | Uses the 768-bit DH group in IKE negotiation phase 1.                                      | -
group2    | Uses the 1024-bit DH group in IKE negotiation phase 1.                                     | -
group5    | Uses the 1536-bit DH group in IKE negotiation phase 1.                                     | -
group14   | Uses the 2048-bit DH group in IKE negotiation phase 1.                                     | -
group15   | Uses the 3072-bit DH group in IKE negotiation phase 1.                                     | -
group16   | Uses the 4096-bit DH group in IKE negotiation phase 1.                                     | -
group18   | Uses the 8192-bit DH group in IKE negotiation phase 1.                                     | -
group19   | Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. | -
group20   | Uses the 384-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. | -
group21   | Uses the 521-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. | -
group24   | Uses the 2048-bit DH group that includes a 256-bit sub-group in IKE negotiation phase 1.   | -

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The DH algorithm is a public key algorithm. The two communicating parties each calculate the same shared key from the data they exchange, without ever transmitting the key itself. A third party (such as a hacker) cannot calculate the actual key even if it obtains all of the exchanged data used for the key calculation.
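As an added illustration of the exchange described above (not Huawei code and not the device's IKE implementation): a finite-field DH agreement in Python over the parameters IKE calls group 14, the RFC 3526 "2048-bit MODP Group" that this command's default selects. It also performs the sanity and peer-value checks a careful implementation does before deriving the secret; the Miller-Rabin and validation routines are generic textbook code added here.

```python
# Added illustration, not Huawei code: finite-field DH over IKE group14.
# P and G are the RFC 3526 "2048-bit MODP Group" values (IKE group 14).
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
G = 2
Q = (P - 1) // 2  # P is a safe prime, so G generates a subgroup of prime order Q


def is_probable_prime(n: int, rounds: int = 5) -> bool:
    """Miller-Rabin; used to sanity-check the group parameters before use."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # composite witness found
    return True


def keypair() -> tuple[int, int]:
    """One peer's private exponent x and the public value G^x mod P it sends."""
    x = 2 + secrets.randbelow(Q - 2)
    return x, pow(G, x, P)


def validate_peer_value(y: int) -> bool:
    """Reject out-of-range values and small-subgroup elements (y^Q != 1 mod P)."""
    return 1 < y < P - 1 and pow(y, Q, P) == 1


def shared_secret(x: int, peer_y: int) -> int:
    # Refuse to derive a secret from a peer value that fails validation.
    if not validate_peer_value(peer_y):
        raise ValueError("invalid peer DH public value")
    return pow(peer_y, x, P)
```

Each side calls keypair(), sends only its public value, and feeds the peer's value to shared_secret(); both arrive at the same secret while an observer of the two public values does not.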

Precautions

  • Both ends of an IPSec tunnel must be configured with the same DH group. Otherwise, the negotiation fails.

  • The security level order of the DH groups is: group24 > group21 > group20 > group19 > group18 > group16 > group15 > group14 > group5 > group2 > group1.

  • To improve the IKE negotiation success rate, the device supports multiple DH groups. If multiple DH groups are configured, the device selects the groups in the following sequence: group14 > group5 > group2 > group1 > group21 > group20 > group19 > group18 > group16 > group15 > group24.

  • If the negotiation mode in IKEv1 phase 1 is aggressive, the device supports only one DH group. If multiple DH groups are configured on the device, the DH group configured first takes effect.

  • By default, the device does not support the group1, group2, and group5 parameters. To use them, install the weak security algorithm component package (product_version_WEAKEA.mod). For details, see Dynamic Loading. group1, group2, and group5 have potential security risks; the other DH groups are recommended.

Example

# Specify the 2048-bit DH group for IKE proposal 10.
<sysname> system-view
[sysname] ike proposal 10
[sysname-ike-proposal-10] dh group14
Copyright © Huawei Technologies Co., Ltd.