Someone, tell me - what encryption algo is better - ECP or MODP?
On all my SRX at the moment I use group20. Will group24 be better encryption or not? Thx
I want to use group21, but this group, as I understand, only starts from SRX4200 or higher.
group20—384-bit random ECP groups algorithm.
group21—521-bit random ECP groups algorithm.
group24—2048-bit MODP Group with 256-bit prime order subgroup.
As per my understanding, we can decide on the better algorithm depending on the key size. I believe ECP outperforms the MODP algorithm. The dh-group group21 option was introduced in Junos OS Release 19.1R1 on SRX Series devices and is supported on many SRX devices; the link below lists the devices and versions which support DH group 21.
Link : IPsec VPN security services support new authentication algorithm and Diffie-Hellman (DH) group values
But I recommend you refer to the details below:
DES and 3DES do not need as strong a DH group; however, DES and 3DES should never be used unless you are under some encryption restriction based on country restriction. AES should use a stronger DH group.
Refer to the links below for more details:
1) What Diffie-Hellman (DH) Group Should I Use
2) Diffie-Hellman Groups for Use with IETF Standards
Hope this helps.
Please mark "Accept as solution" if this answers your query.
Kudos are appreciated too!
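An added example, not part of any post in this thread: a rough strength estimate for the three groups listed above, using the standard asymptotic number field sieve cost for the MODP modulus and the square-root (Pollard rho) bound for the ECP curve order and the MODP subgroup. The formulas are textbook estimates with the o(1) term dropped, not Juniper figures.

```python
import math

# Groups named in the thread: (kind, field/modulus bits, subgroup order bits)
GROUPS = {
    20: ("ECP", 384, 384),
    21: ("ECP", 521, 521),
    24: ("MODP", 2048, 256),
}

def nfs_bits(modulus_bits):
    """Number field sieve cost for a discrete log modulo a prime n:
    exp((64/9)^(1/3) * (ln n)^(1/3) * (ln ln n)^(2/3)), returned as log2."""
    ln_n = modulus_bits * math.log(2)
    cost = (64 / 9) ** (1 / 3) * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)
    return cost / math.log(2)

def generic_bits(order_bits):
    """Generic attacks (Pollard rho) need about sqrt(group order) operations."""
    return order_bits / 2

def estimated_strength(group):
    """Approximate work factor in bits for one of the groups above."""
    kind, size, order = GROUPS[group]
    if kind == "ECP":
        # No sub-exponential attack is known for these curves.
        return generic_bits(order)
    # MODP: the attacker picks the cheaper of the two approaches.
    return min(nfs_bits(size), generic_bits(order))

def ranked():
    """Group numbers ordered from strongest to weakest estimate."""
    return sorted(GROUPS, key=estimated_strength, reverse=True)

if __name__ == "__main__":
    for g in ranked():
        kind, size, _ = GROUPS[g]
        print(f"group{g}: {kind} {size}-bit, ~{estimated_strength(g):.0f}-bit strength")
```

By this estimate group24 is limited by its 2048-bit modulus rather than its 256-bit subgroup, which places it below both ECP groups.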
Hi, all my SRX work on 19.3R2 or 20.1R1-S1, and I can't find DH group21.
It supports most SRX platforms. Just wanted to know what platform you have in the SRX?
Only the below seem to support this dh group 21:
Platform     Supported Release
SRX300       Junos OS 19.1R1
SRX320       Junos OS 19.1R1
SRX340       Junos OS 19.1R1
SRX345       Junos OS 19.1R1
SRX380       Junos OS 20.1R1
SRX550 HM    Junos OS 19.1R1
SRX1500      Junos OS 19.1R1
SRX4100      Junos OS 19.1R1
SRX4200      Junos OS 19.1R1
SRX4600      Junos OS 19.1R1
SRX5400      Junos OS 19.1R1
SRX5600      Junos OS 19.1R1
SRX5800      Junos OS 19.1R1
Ohhww, it is strange that group 21 was left only in 19.1R1. As far as I understand, in future versions 20.1-20.4 DH group 21 will not be available?
Yes, so those are the initial releases from which the support is available.
So if it's in 19.1R1 it would be supported in all the further releases. May I know which version of Junos and what SRX device platform you are referring to here?
If your SRX is listed below and you are running 19.1R1 or above, I don't see a reason why it's not working:
SRX300, SRX320, SRX340, SRX345, SRX380, SRX550 H, SRX1500, SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800
I request you to please raise a JTAC case if it's not supported as per the documentation shared earlier.
Please mark "Accept as solution" if this answers your query. Kudos are appreciated too!
I refer to versions 19.3 and 20.1-20.4. Since I see that for the new SRX380, DH group 21 is available in version 20.1, and as I understand it, it is logical to assume that for the remaining SRX DH group21 will be available in future releases of 20 firmware.
Yes, you are totally right. For the SRX380 the support is to be provided starting Junos OS 20.1R1 and the future releases as shared earlier. If my answer solved your query please mark it as "Accept as solution".