As per my understanding, we can decide on the better algorithm depending on the key size. I believe ECP outperforms the MODP algorithm. The dh-group group21 option was introduced in Junos OS Release 19.1R1 on SRX Series devices and is supported on many SRX devices; the link below lists the devices and versions which support DH group 21.
DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under some encryption restriction based on country restriction. AES should use a stronger DH group.
If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 19 or 20.
If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21.
RFC 5114 Section 4 states that DH Group 24 strength is about equal to a modular key that is 2048 bits long. That is not strong enough to protect 128- or 256-bit AES; you should stay away from 24.
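The guidance in the post above can be turned into a configuration check. The following is an added example, not part of the original thread and not Juniper code: it parses `set security ike proposal` lines and flags proposals that do not follow the posters' recommendations. The proposal names and sample configuration are constructed, and treating a stronger group as acceptable for a 128-bit key is an assumption.

```python
import re
from collections import defaultdict

# Matches the two IKE proposal statements this check needs.
LINE = re.compile(r"^set security ike proposal (\S+) (dh-group|encryption-algorithm) (\S+)$")
# Thread guidance: 128-bit keys -> group 19/20, 256-bit or higher -> group 21.
# Assumption: group21 is also accepted for 128-bit keys (stronger than asked for).
OK_GROUPS = {128: {"group19", "group20", "group21"}, 256: {"group21"}}

# Constructed sample configuration (hypothetical proposal names).
SAMPLE_CONFIG = """
set security ike proposal BRANCH encryption-algorithm aes-256-cbc
set security ike proposal BRANCH dh-group group21
set security ike proposal LEGACY encryption-algorithm 3des-cbc
set security ike proposal LEGACY dh-group group2
set security ike proposal PARTNER encryption-algorithm aes-256-gcm
set security ike proposal PARTNER dh-group group19
set security ike proposal OLDHUB encryption-algorithm aes-128-cbc
set security ike proposal OLDHUB dh-group group24
"""

def parse_proposals(config_text):
    """Collect dh-group and encryption-algorithm per IKE proposal name."""
    proposals = defaultdict(dict)
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            name, key, value = m.groups()
            proposals[name][key] = value
    return dict(proposals)

def audit(config_text):
    """Return (proposal, finding) pairs for proposals outside the thread's guidance."""
    findings = []
    for name, p in sorted(parse_proposals(config_text).items()):
        enc, group = p.get("encryption-algorithm", ""), p.get("dh-group", "(unset)")
        bits = re.match(r"aes-(\d+)-", enc)
        if enc.startswith(("des-", "3des-")):
            findings.append((name, "DES/3DES should not be used"))
        elif not bits:
            findings.append((name, "encryption-algorithm missing or not recognised"))
        elif group == "group24":
            findings.append((name, "DH group 24 should be avoided"))
        else:
            tier = 256 if int(bits.group(1)) >= 256 else 128
            if group not in OK_GROUPS[tier]:
                findings.append((name, f"{group} not recommended with {enc}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```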
It supports most SRX platforms. Just wanted to know what platform you have in the SRX?
Only the below seem to support this dh group 21:
Platform     Supported Release
SRX300       Junos OS 19.1R1
SRX320       Junos OS 19.1R1
SRX340       Junos OS 19.1R1
SRX345       Junos OS 19.1R1
SRX380       Junos OS 20.1R1
SRX550 HM    Junos OS 19.1R1
SRX1500      Junos OS 19.1R1
SRX4100      Junos OS 19.1R1
SRX4200      Junos OS 19.1R1
SRX4600      Junos OS 19.1R1
SRX5400      Junos OS 19.1R1
SRX5600      Junos OS 19.1R1
SRX5800      Junos OS 19.1R1
Hope this helps.
Please mark "Accept as solution" if this answers your query.
I refer to versions 19.3 and 20.1-20.4, since I see that for the new SRX380, dh group 21 is available in version 20.1, and as I understand it, it is logical to assume that for the remaining SRX, dh group 21 will be available in future releases of the 20 firmware.
Yes, you are totally right. For the SRX380, the support is to be provided starting with Junos OS 20.1R1 and the future releases, as shared earlier. If my answer solved your query, please mark it as "Accept as solution".