SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  VPN IPSEC - ECP or MODP encryption?

    Posted 06-25-2020 23:48

    Someone, tell me - what encryption algo is better - ECP or MODP?

    On all my SRX I currently use group20. Would group24 be better encryption or not? Thanks.

    I want to use group21, but as I understand it this group is only available starting from the SRX4200 or higher.

     

     

    • group20—384-bit random ECP groups algorithm.

    • group21—521-bit random ECP groups algorithm.

    • group24—2048-bit MODP Group with 256-bit prime order subgroup.

     



  • 2.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-26-2020 02:13

    Hi dmisan


    Greetings,

     

    As per my understanding, we can decide on the better algorithm depending on the key size. I believe ECP outperforms the MODP algorithm. The dh-group option group21 was introduced in Junos OS Release 19.1R1 on SRX Series devices and is supported on many SRX devices; the link below lists the devices and versions that support DH group 21.

    Link : IPsec VPN security services support new authentication algorithm and Diffie-Hellman (DH) group values 

     

    But I recommend you refer to the details below:

    DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under some encryption restriction based on country. AES should use a stronger DH group.

    • If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 19 or 20.
    • If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21.
    • RFC 5114 Section 4 states that the strength of DH Group 24 is about equal to a modular key that is 2048 bits long; that is not strong enough to protect 128- or 256-bit AES, so you should stay away from 24.

     

    Refer to the links below for more details:

    1)    What Diffie-Hellman (DH) Group Should I Use 
    2)    Diffie-Hellman Groups for Use with IETF Standards 

     

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query. 

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur
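The rule of thumb in this reply (the key exchange should be at least as strong as the symmetric key it protects, and group 24 rates like any other 2048-bit MODP group) can be turned into a configuration check. The Python below is an added example for this thread, not Juniper code. The sizes of group20, group21 and group24 are those quoted in the thread; group14/15 (RFC 3526) and group19 (RFC 5903) are added here. The strength figures are the NIST SP 800-57 Part 1 comparable-strength estimates (112 bits for 2048-bit MODP, 128 for 3072-bit MODP, 128/192/256 for the 256/384/521-bit ECP groups), and the Junos `set`-style proposal lines it parses are constructed sample input.

```python
import re
from typing import Dict, List

# IKE DH groups and their key sizes.  group20, group21 and group24 are as quoted
# in the thread; group14/15 (RFC 3526) and group19 (RFC 5903) are added here.
DH_GROUPS = {
    14: ("MODP", 2048),
    15: ("MODP", 3072),
    19: ("ECP", 256),
    20: ("ECP", 384),
    21: ("ECP", 521),
    24: ("MODP", 2048),  # 2048-bit MODP with a 256-bit prime-order subgroup
}

# NIST SP 800-57 Part 1 comparable security strengths, in bits.
MODP_STRENGTH = {2048: 112, 3072: 128}
ECP_STRENGTH = {256: 128, 384: 192, 521: 256}


def dh_strength_bits(group: int) -> int:
    """Estimated security strength of an IKE DH group."""
    kind, size = DH_GROUPS[group]
    if kind == "ECP":
        return ECP_STRENGTH[size]
    # Group 24's 256-bit subgroup does not help here: the best known attack on
    # finite-field DH works on the 2048-bit field, so it rates like group 14.
    return MODP_STRENGTH[size]


def check_proposal(cipher_key_bits: int, group: int) -> bool:
    """True when the key exchange is at least as strong as the symmetric key."""
    return dh_strength_bits(group) >= cipher_key_bits


def adequate_groups(cipher_key_bits: int) -> List[int]:
    """All known groups adequate for the given cipher key size, ascending."""
    return sorted(g for g in DH_GROUPS if check_proposal(cipher_key_bits, g))


# Constructed sample config in Junos "set" style (not from the thread).
SAMPLE_CONFIG = """
set security ike proposal IKE-WEAK encryption-algorithm aes-256-cbc
set security ike proposal IKE-WEAK dh-group group24
set security ike proposal IKE-OK encryption-algorithm aes-128-cbc
set security ike proposal IKE-OK dh-group group20
set security ike proposal IKE-STRONG encryption-algorithm aes-256-gcm
set security ike proposal IKE-STRONG dh-group group21
"""

PROPOSAL_RE = re.compile(
    r"^set security ike proposal (\S+) (encryption-algorithm|dh-group) (\S+)$"
)


def parse_ike_proposals(config: str) -> Dict[str, Dict[str, str]]:
    """Collect encryption-algorithm and dh-group per IKE proposal name."""
    proposals: Dict[str, Dict[str, str]] = {}
    for line in config.splitlines():
        m = PROPOSAL_RE.match(line.strip())
        if m:
            name, key, value = m.groups()
            proposals.setdefault(name, {})[key] = value
    return proposals


def cipher_key_bits(algorithm: str) -> int:
    """Symmetric key size implied by a Junos encryption-algorithm keyword."""
    m = re.match(r"aes-(\d+)-", algorithm)
    if m:
        return int(m.group(1))
    if algorithm == "3des-cbc":
        return 112  # effective strength of three-key 3DES per NIST SP 800-57
    raise ValueError(f"unrecognised encryption algorithm: {algorithm}")


def audit_proposals(config: str) -> Dict[str, bool]:
    """Map each IKE proposal name to whether its DH group matches its cipher."""
    verdicts: Dict[str, bool] = {}
    for name, attrs in parse_ike_proposals(config).items():
        group = int(attrs["dh-group"].replace("group", ""))
        key_bits = cipher_key_bits(attrs["encryption-algorithm"])
        verdicts[name] = check_proposal(key_bits, group)
    return verdicts


if __name__ == "__main__":
    for name, ok in audit_proposals(SAMPLE_CONFIG).items():
        print(f"{name}: {'OK' if ok else 'DH group too weak for cipher'}")
```

Run against the sample, the proposal pairing aes-256 with group24 is flagged while aes-128/group20 and aes-256/group21 pass, which is exactly the split the reply describes. Feeding the output of `show configuration | display set` into `audit_proposals` gives the same verdict for a live device.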



  • 3.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-29-2020 23:56

    Hi, all my SRX run on 19.3R2 or 20.1R1-S1, and I can't find DH group21.



    #dh-group21


  • 4.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-30-2020 02:06

    Hi dmisan

     

    Greetings,

     

    It supports most SRX platforms. I just wanted to know which SRX platform you have.

    Only the platforms below seem to support DH group 21:

    Platform   Supported Release
    SRX300     Junos OS 19.1R1
    SRX320     Junos OS 19.1R1
    SRX340     Junos OS 19.1R1
    SRX345     Junos OS 19.1R1
    SRX380     Junos OS 20.1R1
    SRX550 HM  Junos OS 19.1R1
    SRX1500    Junos OS 19.1R1
    SRX4100    Junos OS 19.1R1
    SRX4200    Junos OS 19.1R1
    SRX4600    Junos OS 19.1R1
    SRX5400    Junos OS 19.1R1
    SRX5600    Junos OS 19.1R1
    SRX5800    Junos OS 19.1R1
    

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query. 

    Kudos are appreciated too! 

     

     

    Regards, 

    Sharat Ainapur



  • 5.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-30-2020 02:34

    Ohhww, it is strange that group 21 was left only in 19.1R1. As far as I understand, in future versions 20.1-20.4 DH group 21 will not be available?

     



  • 6.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-30-2020 02:55

    Hi dmisan, 

     

    Yes, so those are the initial releases from which the support is available.

    So if it's in 19.1R1, it would be supported in all further releases. May I know which version of Junos and which SRX device platform you are referring to here?

     

    If your SRX is listed below and you are running 19.1R1 or above, I don't see a reason why it's not working:

    SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 HM, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800

     

    I would request you to please raise a JTAC case if it's not supported as per the documentation shared earlier.

     

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query.  Kudos are appreciated too! 

      

    Regards, 

    Sharat Ainapur



  • 7.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 06-30-2020 03:12

    I refer to versions 19.3 and 20.1-20.4.
    Since I see that for the new SRX380 DH group 21 is available in version 20.1, as I understand it, it is logical to assume that for the remaining SRX DH group21 will be available in future releases of the 20.x firmware.



  • 8.  RE: VPN IPSEC - ECP or MODP encryption?
    Best Answer

    Posted 06-30-2020 03:35

    Hello dmisan

     

    Yes, you are totally right. For the SRX380 the support is to be provided starting Junos OS 20.1R1 and the future releases, as shared earlier. If my answer solved your query, please mark it as "Accept as solution".

    Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 9.  RE: VPN IPSEC - ECP or MODP encryption?

    Posted 04-26-2021 08:36
    Hi,

    I can see the same issue on SRX1500 with 19.4+.
    Apparently there is no support even if their own web site says there should be.
    As referenced before:
    https://www.juniper.net/documentation/us/en/software/junos/vpn-ipsec/topics/ref/statement/security-edit-dh-group.html (states support for 19.1R1+).

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=8823&fn=IPsec%20VPN%20security%20services%20support%20new%20authentication%20algorithm%20and%20Diffie-Hellman%0A(DH)%20group%20values (And this one shows that it should be supported on all SRX)


    The SRX380 box is a bit special, I guess, since the recommended Junos is way newer than for the others.
    Semi-confirmed information from Juniper is that it is only supported on vSRX and 5k devices. I have no clue what they are doing here; I just know that they are doing something wrong for the customers at least. - Unhappy!