Which of the Diffie-Hellman group are support by cisco VPN Product? (Choose all that apply)
A. Group1
B. Group2
C. Group3
D. Group5
E. Group7
F. Group8
G. Group9
Cisco-supported DH groups are 1, 2, 5, 14 and higher. 1 to 5 are not recommended …
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-mt/sec-ike-for-ipsec-vpns-15-mt-book/sec-key-exch-ipsec.html
Specifies the Diffie-Hellman (DH) group identifier.
By default, DH group 1 is used.
1—Specifies the 768-bit DH group. (No longer recommended.)
2—Specifies the 1024-bit DH group. (No longer recommended.)
5—Specifies the 1536-bit DH group. (No longer recommended.)
14—Specifies the 2048-bit DH group.
15—Specifies the 3072-bit DH group.
16—Specifies the 4096-bit DH group.
19—Specifies the 256-bit elliptic curve DH (ECDH) group.
20—Specifies the 384-bit ECDH group.
24—Specifies the 2048-bit DH/DSA group.
The group chosen must be strong enough (have enough bits) to protect the IPsec keys during negotiation. A generally accepted guideline recommends the use of a 2048-bit group after 2013 (until 2030). Group 14 or higher (where possible) can be selected to meet this guideline. Even if a longer-lived security method is needed, the use of Elliptic Curve Cryptography is recommended, but group 15 and group 16 can also be considered.
SUMMARY STEPS
1. enable
2. configure terminal
3. crypto isakmp policy priority
4. encryption {des | 3des | aes | aes 192 | aes 256}
5. hash {sha | sha256 | sha384 | md5}
6. authentication {rsa-sig | rsa-encr | pre-share}
7. group {1 | 2 | 5 | 14 | 15 | 16 | 19 | 20 | 24}
8. lifetime seconds
9. exit
10. exit
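The procedure above, as an added configuration example that is not from the forum post or the quoted Cisco document: the first policy omits the group keyword and so falls back to the default group 1 (768-bit), the second sets group 14 (2048-bit) as the document recommends. The policy priority 10, the AES-256/SHA-256/pre-shared-key choices and the lifetime are assumed values.

```cisco
! --- Weak: no 'group' line, so the policy silently uses DH group 1 (768-bit) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 lifetime 86400
exit

! --- Hardened: explicit 2048-bit DH group 14 (group 19/20 for ECDH where supported) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
exit

! Verify the negotiated parameters; the output lists the DH group per policy
do show crypto isakmp policy
```

The show command output is the quickest way to catch a policy that still reports group 1 because the group line was never entered.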
Answers A, B, D, and E are correct. Cisco VPN products can support groups 1, 2, and 7. Diffie-Hellman group 1 is 768-bit and Diffie-Hellman 2 is 1024-bit. Diffie-Hellman 5 was supported starting with software version 3.6 and is 1536-bit. Diffie-Hellman group 7 is used for mobile devices such as PDAs and IP phones. Answers C, F, and G are not supported by Cisco.
https://flylib.com/books/en/2.958.1.48/1/
This should’ve been expressed differently, because how will I pick 7 if it’s deprecated in 8.0(4)?
The group 7 command option was deprecated in ASA version 8.0(4). Attempts to configure group 7 will generate an error message and use group 5 instead.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/glossary.html