While researching how to deploy TLS for web servers most securely, I have learned that using custom DH parameters is one of the key aspects.

Now I am in the process of deploying IKE / IPSEC. As far as I have understood, IKEv1 as well as IKEv2 only support standard DH parameters which are denoted by standardized group names.

Does that mean that I cannot use my own custom DH parameters for IKEv1/2 (as generated by openssl dhparam)?

Binarus

1 Answer

> Does that mean that I cannot use my own custom DH parameters for IKEv1/2 (as generated by openssl dhparam)?

Yes, only predefined MODP and ECP DH groups may be used with IKE; the lists for IKEv2 and IKEv1 can be found at IANA.

If you don't care for interoperability you could, of course, define your own group and use an identifier from the private use range.

ecdsa
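The following is an added example, not part of the original question or answer. It parses an IKEv2 Key Exchange payload (layout per RFC 7296, section 3.4) to show that the wire format carries only a 16-bit group number and a public value, with no field for a prime or generator. The group table is a partial subset of the IANA registry, the private use range shown is the IKEv2 one, and the helper names and sample payloads are constructed for illustration.

```python
import struct

# Partial subset of the IANA IKEv2 "Transform Type 4" registry (not the full list).
IANA_GROUPS = {
    2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
    15: "3072-bit MODP", 16: "4096-bit MODP",
    19: "256-bit random ECP", 20: "384-bit random ECP",
    21: "521-bit random ECP", 31: "Curve25519",
}
PRIVATE_USE = range(1024, 65536)  # IKEv2 private use range for this registry


def build_ke_payload(group: int, public_value: bytes) -> bytes:
    """Build a KE payload: generic header, group number, reserved, public value."""
    return struct.pack("!BBHHH", 0, 0, 8 + len(public_value), group, 0) + public_value


def parse_ke_payload(payload: bytes):
    """Parse an IKEv2 KE payload and return (group number, key exchange data).

    Layout: next payload (1), flags (1), payload length (2),
    DH group number (2), reserved (2), key exchange data (rest).
    """
    if len(payload) < 8:
        raise ValueError("truncated KE payload")
    _next, _flags, length, group, _reserved = struct.unpack("!BBHHH", payload[:8])
    if length != len(payload):
        raise ValueError("payload length field does not match data")
    return group, payload[8:]


def classify_group(group: int) -> str:
    """Say whether a group number is a known standard group or private use."""
    if group in IANA_GROUPS:
        return "standard: " + IANA_GROUPS[group]
    if group in PRIVATE_USE:
        return "private use: both peers must agree on p and g out of band"
    return "not in this table (unassigned, reserved, or omitted from the subset)"


if __name__ == "__main__":
    # Constructed samples: a standard group and a private use identifier.
    for grp in (14, 40000):
        number, data = parse_ke_payload(build_ke_payload(grp, b"\x01" * 256))
        print(number, len(data), classify_group(number))
```

With a private use identifier, the parameters produced by openssl dhparam would have to be configured identically on both peers, since nothing in the exchange transmits them.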