Deprecated hash algorithms, encryption algorithms, and Diffie-Hellman modulus groups
Update your VPN configuration to use supported DH and encryption algorithms before upgrading to Firewall Threat Defense 6.70 or later.
- Update your IKE proposals and IPSec policies to match the ones supported in Firewall Threat Defense 6.70 or later.
- Deploy the configuration changes after updating to supported algorithms.
Support has been removed for these less secure ciphers from Firewall Threat Defense Version 6.70:
- Diffie-Hellman GROUP 5 is deprecated for IKEv1 and IKEv2.
- Diffie-Hellman groups 2 and 24 have been removed.
- Encryption algorithms: 3DES, AES-GMAC, AES-GMAC-192, and AES-GMAC-256 have been removed.
Note: DES continues to be supported in evaluation mode or for users who do not satisfy export controls for strong encryption.
NULL is removed in IKEv2 policy, but supported in both IKEv1 and IKEv2 IPsec transform-sets.
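A pre-upgrade check for the items listed above, as an added example (not Cisco tooling or code from this page): it scans configuration text for the removed and deprecated values, including the rule that NULL is flagged in an IKEv2 policy but not in an IPsec proposal. The ASA-style `crypto ...` line syntax, the `audit` function and the sample configuration are assumptions constructed for illustration.

```python
import re

# Algorithm names and group numbers come from the list above; the config
# syntax is an assumption (ASA-style CLI). DES is not flagged: it stays supported.
REMOVED_ENC = {"3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}
DH_STATUS = {"2": "removed", "24": "removed", "5": "deprecated"}
SECTION = re.compile(r"crypto (?:(ikev[12]) policy|ipsec ikev[12] (ipsec-proposal|transform-set)) ")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
crypto ikev1 policy 20
 encryption 3des
 hash sha
 group 2
crypto ikev2 policy 10
 encryption aes-256 null
 integrity sha256
 group 14 5 24
crypto ipsec ikev2 ipsec-proposal PROP1
 protocol esp encryption aes-gmac-256 null
 protocol esp integrity null
crypto ipsec ikev1 transform-set TS1 esp-3des esp-sha-hmac
"""

def audit(config):
    """Return (line_no, section, status, setting) for each flagged value."""
    findings, section = [], None
    for no, raw in enumerate(config.splitlines(), 1):
        words = raw.lower().split()
        if not words:
            continue
        enc, groups = [], []
        if raw[0] not in " \t":                      # top-level line opens a section
            m = SECTION.match(" ".join(words) + " ")
            section = None if not m else (m.group(1) + " policy" if m.group(1) else "ipsec")
            if m and m.group(2) == "transform-set":  # algorithms sit on the same line
                enc = [w[4:] for w in words[5:] if w.startswith("esp-")]
        elif section and "encryption" in words:
            enc = words[words.index("encryption") + 1:]
        elif section and section != "ipsec" and words[0] == "group":
            groups = words[1:]
        for e in enc:
            # NULL is removed only from IKEv2 policies; IPsec proposals keep it.
            if e in REMOVED_ENC or (e == "null" and section == "ikev2 policy"):
                findings.append((no, section, "removed", "encryption " + e))
        for g in groups:
            if g in DH_STATUS:
                findings.append((no, section, DH_STATUS[g], "group " + g))
    return findings
```

Run `audit()` over the VPN configuration text before the upgrade; an empty list means none of the listed values were found.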