dh-group (Security IKE)
Syntax
dh-group (group1 | group2 | group5 | group14 | group15 | group16 | group19 | group20 | group21 | group24);
Hierarchy Level
[edit security ike proposal proposal-name]
Description
Specify the IKE Diffie-Hellman group.
The device does not delete existing IPsec SAs when you update the dh-group configuration in the IKE proposal.
Options
dh-group—Diffie-Hellman group for key establishment.
- group1—768-bit Modular Exponential (MODP) algorithm.
- group2—1024-bit MODP algorithm.
- group5—1536-bit MODP algorithm.
- group14—2048-bit MODP group.
- group15—3072-bit MODP algorithm.
- group16—4096-bit MODP algorithm.
- group19—256-bit random Elliptic Curve Groups modulo a Prime (ECP groups) algorithm.
- group20—384-bit random ECP groups algorithm.
- group21—521-bit random ECP groups algorithm.
- group24—2048-bit MODP Group with 256-bit prime order subgroup.
We recommend that you use group14, group15, group16, group19, group20, or group21 instead of group1, group2, or group5.
We support the group15, group16, and group21 options only with the iked process when the junos-ike package is installed.
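An added example (not Juniper code): a Python check that scans set-format configuration for dh-group statements and classifies each one using the option list and recommendation above. The proposal names and sample configuration are constructed, the status labels are this example's own, and proposal names are assumed to contain no spaces.

```python
import re

# Group table from the Options list on this page: name -> (family, bits).
DH_GROUPS = {
    "group1": ("MODP", 768), "group2": ("MODP", 1024), "group5": ("MODP", 1536),
    "group14": ("MODP", 2048), "group15": ("MODP", 3072), "group16": ("MODP", 4096),
    "group19": ("ECP", 256), "group20": ("ECP", 384), "group21": ("ECP", 521),
    "group24": ("MODP", 2048),
}
NOT_RECOMMENDED = {"group1", "group2", "group5"}
RECOMMENDED = {"group14", "group15", "group16", "group19", "group20", "group21"}
NEEDS_JUNOS_IKE = {"group15", "group16", "group21"}  # iked with junos-ike only

SET_LINE = re.compile(
    r"^\s*set\s+security\s+ike\s+proposal\s+(\S+)\s+dh-group\s+(\S+)\s*$")

def audit_ike_dh_groups(config_text):
    """Return one finding per dh-group statement found in set-format config."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SET_LINE.match(line)
        if not m:
            continue  # not a dh-group statement
        proposal, group = m.groups()
        if group not in DH_GROUPS:
            status = "unknown"          # not an option listed on this page
        elif group in NOT_RECOMMENDED:
            status = "not-recommended"  # group1, group2, group5
        elif group in RECOMMENDED:
            status = "recommended"
        else:
            status = "listed"           # group24: valid option, in neither list
        family, bits = DH_GROUPS.get(group, (None, None))
        findings.append({"line": lineno, "proposal": proposal, "group": group,
                         "family": family, "bits": bits, "status": status,
                         "needs_junos_ike": group in NEEDS_JUNOS_IKE})
    return findings

# Constructed sample configuration (proposal names are hypothetical).
SAMPLE = """\
set security ike proposal branch-legacy authentication-method pre-shared-keys
set security ike proposal branch-legacy dh-group group2
set security ike proposal hq-core dh-group group20
set security ike proposal dc-edge dh-group group21
set security ike proposal partner dh-group group24
"""

if __name__ == "__main__":
    for finding in audit_ike_dh_groups(SAMPLE):
        print(finding)
```

Because the device does not delete existing IPsec SAs when the dh-group is updated, a clean result from this check describes the configuration, not necessarily the SAs that are already established.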
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 8.5.
Support for the group14 option added in Junos OS Release 11.1.
Support for group19, group20, and group24 options added in Junos OS Release 12.1X45-D10.
Support for group19 and group20 options added in Junos OS Release 15.1X49-D70 for vSRX Virtual Firewall.
Support for group15, group16, and group21 options added in Junos OS Release 19.1R1 on SRX5000 line of devices with junos-ike package installed.
Starting in Junos OS Release 20.2R1, we changed the help text description to NOT RECOMMENDED for the CLI options group1, group2, and group5 for devices running IKED with junos-ike package installed.
Support for group15, group16, and group21 options added in Junos OS Release 20.3R1 on vSRX Virtual Firewall instances with junos-ike package installed.
Support for group15, group16, and group21 options added in Junos OS Release 21.1R1 on vSRX Virtual Firewall 3.0 instances with junos-ike package installed.