If you use PFS, remember to set the DHgroup options in your IPsec phase2 proposals.
Keep in mind the DHgroup proposal is used during the key exchange, and determines the strength of the key used in the key exchange process. The higher DHgroup numbers are more secure, but require additional time to compute the key during the key exchange.
Which DHgroup you use will be determined by numerous factors, such as:
- the far end device compatibility
- your company-defined security policy (various banks and gov businesses like to set minimal support levels & have committees when they need exemptions)
- and how paranoid you are!
William S. Burroughs
Elliptic curve Diffie-Hellman is always better, but not supported in a lot of devices.
During the IKE key exchange, Diffie-Hellman is used to secure the key over an unsecured network such as the internet.
NSE (Network Security Expert) and Route/Switching Engineer.
kfelix -----a----t---- socpuppets ---dot---com
=( * * )=
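An added example, not part of the original post: a small check that applies the factors listed above (far-end compatibility, a policy floor, PFS needing a DH group) to two phase 2 proposals. The function name, the proposal dictionaries, the 112-bit policy floor and the approximate strength figures are assumptions made for illustration.

```python
# Group numbers are the IANA IKE registry values. Strength figures are
# approximate symmetric-equivalent bits (assumption, rounded estimates).
DH_GROUPS = {
    1: ("MODP-768", 64),
    2: ("MODP-1024", 80),
    5: ("MODP-1536", 90),
    14: ("MODP-2048", 112),
    15: ("MODP-3072", 128),
    16: ("MODP-4096", 140),
    19: ("ECP-256", 128),
    20: ("ECP-384", 192),
    21: ("ECP-521", 256),
}

def select_pfs_group(local, peer, policy_min_bits=112):
    """Return (group, findings) for two phase 2 proposals.

    local/peer: dicts with 'pfs' (bool) and 'dhgroups' (list of ints).
    policy_min_bits: hypothetical company policy floor.
    """
    findings = []
    for name, side in (("local", local), ("peer", peer)):
        if side["pfs"] and not side["dhgroups"]:
            findings.append(f"{name}: PFS enabled but no DH group set")
        for g in side["dhgroups"]:
            if g not in DH_GROUPS:
                findings.append(f"{name}: unknown DH group {g}")
            elif DH_GROUPS[g][1] < policy_min_bits:
                findings.append(f"{name}: group {g} ({DH_GROUPS[g][0]}) below policy")
    if local["pfs"] != peer["pfs"]:
        findings.append("PFS mismatch between peers")
        return None, findings
    if not local["pfs"]:
        return None, findings
    # Only groups both ends offer and that meet the policy floor are usable.
    common = [g for g in set(local["dhgroups"]) & set(peer["dhgroups"])
              if g in DH_GROUPS and DH_GROUPS[g][1] >= policy_min_bits]
    if not common:
        findings.append("no common DH group meets policy")
        return None, findings
    # Strongest estimate wins; ties go to the higher group number.
    best = max(common, key=lambda g: (DH_GROUPS[g][1], g))
    return best, findings

# Constructed sample proposals (not taken from any real device).
LOCAL = {"pfs": True, "dhgroups": [2, 14, 19, 20]}
PEER = {"pfs": True, "dhgroups": [2, 5, 14]}
```

With the constructed proposals, the far end has no elliptic curve groups, so the selection falls back to the strongest group both sides offer that still meets the floor.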