SRX Services Gateway

VPN IPSEC - ECP or MODP encryption?

06-25-2020 11:47 PM

Someone, tell me: which encryption algorithm is better, ECP or MODP?

On all my SRXs I currently use group20. Would group24 be better encryption or not? Thanks.

I want to use group21, but as I understand it this group is only available starting from the SRX4200 or higher.

  • group20—384-bit random ECP groups algorithm.

  • group21—521-bit random ECP groups algorithm.

  • group24—2048-bit MODP Group with 256-bit prime order subgroup.


Re: VPN IPSEC - ECP or MODP encryption?

06-26-2020 02:12 AM

Hi dmisan,

Greetings,


As per my understanding, we can decide on the better algorithm depending on the key size. I believe ECP outperforms the MODP algorithm. The dh-group group21 option was introduced in Junos OS Release 19.1R1 on SRX Series devices and is supported on many SRX devices; the link below lists the devices and versions which support DH group 21.

Link: IPsec VPN security services support new authentication algorithm and Diffie-Hellman (DH) group value...


But I recommend you to refer to the details below:

DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under some encryption restriction based on country. AES should use a stronger DH group.

  • If you are using encryption or authentication algorithms with a 128-bit key, use Diffie-Hellman group 19 or 20.
  • If you are using encryption or authentication algorithms with a 256-bit key or higher, use Diffie-Hellman group 21.
  • RFC 5114 Section 4 states that the strength of DH Group 24 is about equal to a modular key that is 2048 bits long, which is not strong enough to protect 128- or 256-bit AES; you should stay away from 24.

Refer to the links below for more details:

1)    What Diffie-Hellman (DH) Group Should I Use 
2)    Diffie-Hellman Groups for Use with IETF Standards 

Hope this helps.


Please mark "Accept as solution" if this answers your query.

Kudos are appreciated too!

Regards,

Sharat Ainapur
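An added configuration example (not from this thread or from Juniper's documentation) showing how the key-size guidance above maps onto an SRX IKE/IPsec proposal: AES-256 paired with ECP group21 for both the IKE exchange and PFS. The proposal, policy and pre-shared-key names are assumed placeholders; the IKE gateway and the security policy that references the VPN are omitted.

```junos
# Added example: AES-256 paired with DH group21 (521-bit ECP), per the
# rule "256-bit key or higher -> group 21". Names are placeholders.
set security ike proposal IKE-PROP-AES256 authentication-method pre-shared-keys
set security ike proposal IKE-PROP-AES256 dh-group group21
set security ike proposal IKE-PROP-AES256 authentication-algorithm sha-384
set security ike proposal IKE-PROP-AES256 encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-AES256 lifetime-seconds 28800

set security ike policy IKE-POL-AES256 proposals IKE-PROP-AES256
set security ike policy IKE-POL-AES256 pre-shared-key ascii-text "<PLACEHOLDER-PSK>"

# ESP with AES-256-GCM; GCM provides integrity, so no separate
# authentication-algorithm is configured here.
set security ipsec proposal IPSEC-PROP-AES256 protocol esp
set security ipsec proposal IPSEC-PROP-AES256 encryption-algorithm aes-256-gcm
set security ipsec proposal IPSEC-PROP-AES256 lifetime-seconds 3600

# PFS must not be weaker than phase 1, so group21 is used here as well.
set security ipsec policy IPSEC-POL-AES256 perfect-forward-secrecy keys group21
set security ipsec policy IPSEC-POL-AES256 proposals IPSEC-PROP-AES256
```

In configuration mode, `set security ike proposal IKE-PROP-AES256 dh-group ?` lists the groups the running release offers on that platform; if group21 is absent from that list, the commit will fail and the platform/release combination is the first thing to verify.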


Re: VPN IPSEC - ECP or MODP encryption?

06-29-2020 11:55 PM

Hi, all my SRXs run 19.3R2 or 20.1R1-S1, and I can't find DH group21.

[screenshot: 123.PNG]

Re: VPN IPSEC - ECP or MODP encryption?

06-30-2020 02:05 AM

Hi dmisan,

Greetings,

It is supported on most SRX platforms. I just wanted to know which SRX platform you have.

Only the platforms below seem to support DH group 21:

Platform   Supported Release
SRX300     Junos OS 19.1R1
SRX320     Junos OS 19.1R1
SRX340     Junos OS 19.1R1
SRX345     Junos OS 19.1R1
SRX380     Junos OS 20.1R1
SRX550 HM  Junos OS 19.1R1
SRX1500    Junos OS 19.1R1
SRX4100    Junos OS 19.1R1
SRX4200    Junos OS 19.1R1
SRX4600    Junos OS 19.1R1
SRX5400    Junos OS 19.1R1
SRX5600    Junos OS 19.1R1
SRX5800    Junos OS 19.1R1

Hope this helps.

Please mark "Accept as solution" if this answers your query.

Kudos are appreciated too!

Regards,

Sharat Ainapur

Re: VPN IPSEC - ECP or MODP encryption?

06-30-2020 02:33 AM

Ohhww, it is strange why group 21 was left only in 19.1R1. As far as I understand, in future versions 20.1-20.4 DH group 21 will not be available?


Re: VPN IPSEC - ECP or MODP encryption?

06-30-2020 02:54 AM

Hi dmisan,

Yes, those are the initial releases from which the support is available.

So if it's in 19.1R1, it would be supported in all the further releases. May I know which version of Junos and which SRX device platform you are referring to here?

If your SRX is listed below and you are running 19.1R1 or above, I don't see a reason why it's not working:

SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 H, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800

I request you to please raise a JTAC case if it's not supported as per the documentation shared earlier.

Hope this helps.

Please mark "Accept as solution" if this answers your query. Kudos are appreciated too!

Regards,

Sharat Ainapur

Re: VPN IPSEC - ECP or MODP encryption?

06-30-2020 03:12 AM

I refer to versions 19.3 and 20.1-20.4.
Since I see that for the new SRX380 DH group 21 is available in version 20.1, and as I understand it, it is logical to assume that for the remaining SRXs DH group 21 will be available in future 20.x firmware releases.

Solution (accepted by topic author dmisan, 06-30-2020 03:45 AM)

Re: VPN IPSEC - ECP or MODP encryption?

06-30-2020 03:35 AM

Hello dmisan,

Yes, you are totally right. For the SRX380 the support is provided starting from Junos OS 20.1R1 and the future releases, as shared earlier. If my answer solved your query, please mark it as "Accept as solution".

Kudos are appreciated too!

Regards,

Sharat Ainapur
