This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disable DH768(MODP768), Diffie-Hellman Key Exchange

Hi,

I would like to disable the following weak IPSEC encryption DH768.

Are there any issues disabling this intraday, we are operating under covid restrictions and the firewall is managing all our remote user connectivity.

Setup is highly available in a master/slave configuration, what is the process involved with making this change.

Thank you.

This thread was automatically locked due to age.

Parents

0 FormerMember over 3 years ago

Hi @Ro By,

Thank you for reaching out to the Community!

Did you configure the IPSec policy with DH group 768 that is currently being used by an active IPsec connection? Did the network scan detect these DH group?

Please provide some more information.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 Ro By over 3 years ago in reply to FormerMember

Hi, yes a qualys network scan detected this being used.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to Ro By

Hi Ro By,

Thank you for the update.

If the external scan has detected this, you probably have the policy in use with an IPsec connection that needs to be updated.

Please check the configured IPsec policies and find the one with DH group 768 and update it.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 3 years ago in reply to Ro By

Can you show us the IPSEC policy used?

Do you use IPSEC for RAS and/or S2S VPN?

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel
0 Ro By over 3 years ago in reply to dirkkotte

Thanks, how do I find this on the software.
Cancel
Vote Up 0 Vote Down

Cancel
0 dirkkotte over 3 years ago in reply to Ro By

you configure that with S2S- and RAS-IPSec under Policy at the UTM and use the configured policy within "connections"

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 dirkkotte over 3 years ago in reply to Ro By

you configure that with S2S- and RAS-IPSec under Policy at the UTM and use the configured policy within "connections"

Dirk

Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner
Sophos Solution Partner since 2003
If a post solves your question, click the 'Verify Answer' link at this post.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data