Defining Advanced Diffie-Hellman Groups for IKE in Site-to-Site VPN
Solution

Notes:

  • This article applies to Site-to-Site VPN only (it does not apply to Remote Access VPN).
  • In R80.20 (and higher), advanced DH groups (defined by RFC 3526 and RFC 5114) are supported by default, although groups 15, 16, 17, 18 and 24 must be manually enabled (refer to the "Procedure" section).


Background

Diffie-Hellman is a protocol for creating a shared secret between the two sides of a communication; it is used by IKE, TLS, SSH and other protocols.
Both sides first have to agree on a "group" (in the mathematical sense), usually a multiplicative group modulo a prime.

By default, Check Point Security Gateway supports Diffie-Hellman groups 1, 2, 5 and 14 (since NG with AI R55 HFA_10) and groups 19, 20 (since R71).

RFC 3526 defines new DH groups, numbered from 15 to 18.
RFC 5114 defines additional DH groups, numbered from 22 to 24.

Important Note: The elliptic curve Diffie-Hellman groups (numbered 19 and 20) provide better performance than any of the groups described here. Additionally, the groups described in RFC 5114 (Group 24 is described below) are NOT RECOMMENDED for use. The instructions are provided in this article only for completeness of information.

While Check Point Security Gateway is able to use these groups (15, 16, 17, 18, 24), these new groups are not yet defined in the management database.

Diffie-Hellman Group Number   Diffie-Hellman Group Name                                RFC        Predefined
Group 1                       768-bit modulus MODP Group                               RFC 7296   Yes
Group 2                       1024-bit modulus MODP Group                              RFC 7296   Yes
Group 5                       1536-bit modulus MODP Group                              RFC 3526   Yes
Group 14                      2048-bit modulus MODP Group                              RFC 3526   Yes
Group 15                      3072-bit modulus MODP Group                              RFC 3526   No
Group 16                      4096-bit modulus MODP Group                              RFC 3526   No
Group 17                      6144-bit modulus MODP Group                              RFC 3526   No
Group 18                      8192-bit modulus MODP Group                              RFC 3526   No
Group 19                      256-bit random Elliptic Curve Group                      RFC 5903   Yes
Group 20                      384-bit random Elliptic Curve Group                      RFC 5903   Yes
Group 24                      2048-bit MODP Group with 256-bit Prime Order Subgroup    RFC 5114   No


Procedure

Follow these steps to add Diffie-Hellman groups 15, 16, 17, 18, and 24 for Site-to-Site VPN to the management database:

  1. For R7x Security Management, perform the below steps (starting from R80, revisions are created automatically without involving the user, and multiple users can work at the same time):
    1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

    2. Go to File menu - click on Database Revision Control... - create a revision snapshot.

      Note: Database Revision Control is not supported for VSX objects (sk65420).

      In addition, refer to:

    3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    4. Verify that no clients are still connected by running the "cpstat mg" command on the Security Management Server / in the context of each Domain Management Server.

  2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

  3. In the upper left pane, go to Table - VPN - encryption.

  4. In the upper right pane, right-click on the empty space - click on New....

  5. In the Create Object window:

    1. In the Class: field, select IKE_Diffie_Hellman_parameters_object

    2. In the Object: field, enter the name of the desired Diffie-Hellman Group:

      Diffie-Hellman Group   What to enter in the "Object:" field
      Group 15               Group 15 (3072 bit)
      Group 16               Group 16 (4096 bit)
      Group 17               Group 17 (6144 bit)
      Group 18               Group 18 (8192 bit)
      Group 24               Group 24 (2048 bit)
    3. Click on OK button.

  6. In the upper right pane, click on the newly added Diffie-Hellman Group object.

  7. In the lower pane, right-click on the DH_group_number - select Edit... - enter the relevant Diffie-Hellman Group Number - click on OK button:

    Diffie-Hellman Group object   What to enter in the "Value:" field
    Group 15 (3072 bit)           15
    Group 16 (4096 bit)           16
    Group 17 (6144 bit)           17
    Group 18 (8192 bit)           18
    Group 24 (2048 bit)           24
  8. In the lower pane, under the mod field name, right-click on the value - select Edit... - copy-and-paste the relevant Modular Exponential (MODP) hexadecimal value of the prime - click on OK button:

    Diffie-Hellman Group object   What to enter in the "Value:" field
    Group 15 (3072 bit)           FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF
    Group 16 (4096 bit)           [4096-bit prime defined in RFC 3526]
    Group 17 (6144 bit)           [6144-bit prime defined in RFC 3526]
    Group 18 (8192 bit)           [8192-bit prime defined in RFC 3526]
    Group 24 (2048 bit)           [2048-bit prime defined in RFC 5114]
  9. In the lower pane, right-click on the modsize - select Edit... - enter the relevant number of bits - click on OK button:

    Diffie-Hellman Group object   What to enter in the "Value:" field
    Group 15 (3072 bit)           3072
    Group 16 (4096 bit)           4096
    Group 17 (6144 bit)           6144
    Group 18 (8192 bit)           8192
    Group 24 (2048 bit)           2048
  10. In the lower pane, right-click on the private_key_length - select Edit... - enter the value 256 - click on OK button.

    Note: The same value of 256 should be used for all the Diffie-Hellman Group objects.

  11. In the lower pane, under the root field name, right-click on the value - select Edit... - copy-and-paste the relevant hexadecimal value of the generator - click on OK button:

    Diffie-Hellman Group object   What to enter in the "Value:" field
    Group 15 (3072 bit)           02
    Group 16 (4096 bit)           02
    Group 17 (6144 bit)           02
    Group 18 (8192 bit)           02
    Group 24 (2048 bit)           [generator defined in RFC 5114]
  12. In the lower pane, right-click on the rootsize - select Edit... - copy-and-paste the relevant value - click on OK button:

    Diffie-Hellman Group object   What to enter in the "Value:" field
    Group 15 (3072 bit)           2
    Group 16 (4096 bit)           2
    Group 17 (6144 bit)           2
    Group 18 (8192 bit)           2
    Group 24 (2048 bit)           2046
  13. In the lower pane, right-click on the type - select Edit... - copy-and-paste the value IKE_DH_parameters - click on OK button.

    Note: The same value of IKE_DH_parameters should be used for all the Diffie-Hellman Group objects.

  14. Example for Group 24:

  15. Save the changes: go to File menu - click on Save All.

  16. Close the GuiDBedit Tool.

  17. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  18. Install the policy onto the relevant Security Gateway / Cluster object.

  19. The new Diffie-Hellman Group will now be available in the SmartDashboard.
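A mangled copy-and-paste in steps 8 to 12 silently produces a group that is not the RFC one, so it is worth checking the values before saving. The following Python is an added example (not Check Point code or a tool from this article): it checks the Group 15 modulus, generator and modsize quoted above against the properties an RFC 3526 safe-prime group must have, and runs a test exchange with the 256-bit private keys set in step 10.

```python
import secrets

# Group 15 (3072-bit MODP) prime from RFC 3526, as quoted in step 8 of the article.
GROUP15_MOD_HEX = "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AAAC42DAD33170D04507A33A85521ABDF1CBA64ECFB850458DBEF0A8AEA71575D060C7DB3970F85A6E1E4C7ABF5AE8CDB0933D71E8C94E04A25619DCEE3D2261AD2EE6BF12FFA06D98A0864D87602733EC86A64521F2B18177B200CBBE117577A615D6C770988C0BAD946E208E24FA074E5AB3143DB5BFCE0FD108E4B82D120A93AD2CAFFFFFFFFFFFFFFFF"
GROUP15_ROOT_HEX = "02"    # generator ("root" field), step 11
GROUP15_MODSIZE = 3072     # "modsize" field, step 9
PRIVATE_KEY_LENGTH = 256   # step 10: length of each side's DH exponent, in bits

def is_probable_prime(n: int, bases=(2, 3, 5, 7, 11, 13)) -> bool:
    """Miller-Rabin with fixed bases; enough to catch a mangled copy-and-paste."""
    if n < 2:
        return False
    if n in bases:
        return True
    if any(n % b == 0 for b in bases):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def check_modp_group(mod_hex: str, root_hex: str, modsize: int) -> dict:
    """Named sanity checks on the pasted mod (prime) and root (generator) values."""
    p, g = int(mod_hex, 16), int(root_hex, 16)
    q = (p - 1) // 2  # RFC 3526 moduli are safe primes: p = 2q + 1 with q prime
    return {
        "modsize equals bit length of p": p.bit_length() == modsize,
        "p is prime": is_probable_prime(p),
        "p is a safe prime, (p-1)/2 is prime": is_probable_prime(q),
        "generator lies in 1 < g < p-1": 1 < g < p - 1,
        "g generates the prime-order-q subgroup": pow(g, q, p) == 1,
    }

def dh_exchange_agrees(mod_hex: str, root_hex: str, exp_bits: int) -> bool:
    """Both sides, using exp_bits-long private keys, derive the same shared secret."""
    p, g = int(mod_hex, 16), int(root_hex, 16)
    a, b = secrets.randbits(exp_bits), secrets.randbits(exp_bits)  # private keys
    return pow(pow(g, b, p), a, p) == pow(pow(g, a, p), b, p)
```

Every entry returned by check_modp_group should be True for a correctly pasted group; a single wrong hex digit typically fails the primality check.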


Notes

  • In TLS communication, Check Point software does not support MODP groups at all (for better security).
