From Juniper SRX SG VPN Security Technical Implementation Guide
Part of SRG-NET-000062
Associated with: CCI-000068
Use of an approved DH algorithm ensures the Internet Key Exchange (IKE) (phase 1) proposal uses FIPS-validated key management techniques and processes in the production, storage, and control of private/secret cryptographic keys. The security of the DH key exchange is based on the difficulty of solving the discrete logarithm in which the key was derived from. Hence, the larger the modulus, the more secure the generated key is considered to be.
Verify all IKE proposals are set to use a FIPS-validated dh-group.
[edit]
show security ike
The following command is an example of how to configure the IKE (phase 1) proposals. The following groups are allowed for use in DoD:
DH Groups 14 (2048-bit MODP)
- 19 (256-bit Random ECP), 20 (384-bit Random ECP), 5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS).
Example:
[edit]
set security ike proposal
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer