diff --git a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1.png b/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1.png deleted file mode 100644 index d465c1b65929060..000000000000000 Binary files a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1.png and /dev/null differ diff --git a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1b.png b/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1b.png deleted file mode 100644 index a3728bd052b3bbb..000000000000000 Binary files a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase1b.png and /dev/null differ diff --git a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase2.png b/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase2.png deleted file mode 100644 index a32c9e94405cacc..000000000000000 Binary files a/src/assets/images/magic-wan/third-party/pfsense/ipsec-phase2.png and /dev/null differ diff --git a/src/assets/images/magic-wan/third-party/sonicwall/4-vpn-policy-proposals.png b/src/assets/images/magic-wan/third-party/sonicwall/4-vpn-policy-proposals.png deleted file mode 100644 index 193b001e33153d2..000000000000000 Binary files a/src/assets/images/magic-wan/third-party/sonicwall/4-vpn-policy-proposals.png and /dev/null differ diff --git a/src/assets/images/magic-wan/third-party/sophos-firewall/1-ipsec-profile.png b/src/assets/images/magic-wan/third-party/sophos-firewall/1-ipsec-profile.png deleted file mode 100644 index fb790cda2854414..000000000000000 Binary files a/src/assets/images/magic-wan/third-party/sophos-firewall/1-ipsec-profile.png and /dev/null differ diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/alibaba-cloud.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/alibaba-cloud.mdx index 6dfb618ef559a46..1843ced848d8b2c 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/alibaba-cloud.mdx 
+++ b/src/content/docs/magic-wan/configuration/manually/third-party/alibaba-cloud.mdx @@ -54,7 +54,7 @@ This tutorial provides information on how to connect Alibaba Cloud infrastructur 2. **Negotiation Mode**: _main_ 3. **Encryption Algorithm**: _aes256_ 4. **Authentication Algorithm**: _sha256_ - 5. **DH Group**: _group14_ + 5. **DH Group**: _group20_ 6. **Localid**: This is the customer endpoint. These are generally IP addresses provided by your ISP. For example, `47.xxx.xxx.xxx`. ## Magic WAN diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/aws.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/aws.mdx index 8e0f62202c1f8ec..309194434632a9a 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/aws.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/aws.mdx @@ -50,8 +50,8 @@ Additionally, you also need to configure the necessary route table entries for t - **Phase 2 encryption algorithms**: `AES256-GCM-16` - **Phase 1 integrity algorithms**: `SHA2-256` - **Phase 2 integrity algorithms**: `SHA2-256` - - **Phase 1 DH group numbers**: `14` - - **Phase 2 DH group numbers**: `14` + - **Phase 1 DH group numbers**: `20` + - **Phase 2 DH group numbers**: `20` - **IKE Version**: `ikev2` - **Startup action**: **Start** - **DPD timeout action**: `Restart` diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx index 6e35f36f0545c6b..bf72ed89c695fca 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/azure.mdx 
@@ -100,13 +100,13 @@ Choose the following settings when creating your VPN Connection: 1. **IKE Phase 1** 1. **Encryption**: _GCMAES256_ or _AES256_ 2. **Integrity/PRF**: _SHA256_ - 3. **DH Group**: _DHGroup14_ + 3. **DH Group**: _DHGroup20_ 2. **IKE Phase 2(IPsec)** 1. **IPsec Encryption**: _GCMAES256_ or _AES256_ 2. **IPsec Integrity**: _SHA256_ 3. **PFS Group**: _PFS2048_ 3. **IPsec SA lifetime in KiloBytes**: `0` - 4. **IPsec SA lifetime in seconds**: `27000` + 4. **IPsec SA lifetime in seconds**: `28800` 5. **Use policy based traffic selector**: **Disable** 6. **DPD timeout in seconds**: `45` 7. **Connection mode**: **Default** diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/cisco-ios-xe.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/cisco-ios-xe.mdx index 76e8591f6ff2507..f22e997fad2447f 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/cisco-ios-xe.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/cisco-ios-xe.mdx @@ -17,7 +17,7 @@ The following is a Cisco IOS XE configuration example: crypto ikev2 proposal CF_MAGIC_WAN_IKEV2_PROPOSAL encryption aes-cbc-256 integrity sha512 sha384 sha256 - group 14 + group 20 ! crypto ikev2 policy CF_MAGIC_WAN_IKEV2_POLICY match fvrf any @@ -56,7 +56,7 @@ crypto ikev2 profile CF_MAGIC_WAN_02 crypto ipsec profile CF_MAGIC_WAN_01 set security-association lifetime kilobytes disable set security-association replay disable - set pfs group14 + set pfs group20 set ikev2-profile CF_MAGIC_WAN_01 ! crypto ipsec profile CF_MAGIC_WAN_02 diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fitelnet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fitelnet.mdx index 92fecbf297db4cc..7206411f9bcc2c3 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fitelnet.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/fitelnet.mdx 
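Review bot: The Azure Phase 2 PFS group is left at `PFS2048` while Phase 1 moves to `DHGroup20`, so Azure becomes the only platform in this change whose IPsec PFS still uses the 2048-bit MODP group (group 14); every other guide here moves Phase 2 to group 20 as well. If the Cloudflare side now expects ECP384 for the child SA, the line should read `3. **PFS Group**: _ECP384_`; if PFS2048 is deliberately retained for Azure, a one-line note saying so would stop readers from "correcting" it against the other tutorials.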
@@ -78,8 +78,8 @@ crypto isakmp policy ISAKMP_POLICY authentication pre-share encryption aes encryption-keysize aes 256 256 256 - group 14 - lifetime 14400 + group 20 + lifetime 86400 hash sha sha-256 initiate-mode aggressive exit @@ -144,8 +144,8 @@ crypto isakmp policy ISAKMP_POLICY authentication pre-share encryption aes encryption-keysize aes 256 256 256 - group 14 - lifetime 14400 + group 20 + lifetime 86400 hash sha sha-256 initiate-mode aggressive exit @@ -225,7 +225,7 @@ show crypto sa Remote Authentication method : Pre-shared key Encryption algorithm : aes256-cbc Hash algorithm : hmac-sha256-128 - Diffie-Hellman group : 14 (2048 bits) + Diffie-Hellman group : 20 Initiator Cookie : aaaaaaaa bbbbbbbb Responder Cookie : cccccccc dddddddd Life time : 6852/14400 sec diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx index 8b99a37dba0b960..3e84404b100ccca 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/fortinet.mdx @@ -106,12 +106,12 @@ fortigate # config vpn ipsec phase1-interface edit "MWAN_IPsec_Tun1" set interface "wan1" set ike-version 2 - set keylife 28800 + set keylife 86400 set peertype any set net-device enable set proposal aes256gcm-prfsha512 aes256gcm-prfsha384 aes256gcm-prfsha256 set localid "f1473dXXXXXXX72e33.49561179.ipsec.cloudflare.com" - set dhgrp 14 + set dhgrp 20 set nattraversal disable set remote-gw 162.159.67.210 set add-gw-route enable 
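Review bot: The `show crypto sa` sample output is hand-edited to `Diffie-Hellman group : 20`, but the `Life time : 6852/14400 sec` context line two rows below still reflects the old 14400-second lifetime while both policy blocks above now set `lifetime 86400`. Either re-capture the output from a device running the new policy or update the context line to `Life time : 6852/86400 sec` so the sample confirms the configuration it sits under. The removed line also carried the key size, `14 (2048 bits)`; if the device prints the curve size for group 20, keep that suffix (presumably `20 (384 bits)`, to be verified on the device), since it lets an operator spot a MODP/ECP mismatch at a glance.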
@@ -120,12 +120,12 @@ fortigate # config vpn ipsec phase1-interface edit "MWAN_IPsec_Tun2" set interface "wan1" set ike-version 2 - set keylife 28800 + set keylife 86400 set peertype any set net-device enable set proposal aes256gcm-prfsha512 aes256gcm-prfsha384 aes256gcm-prfsha256 set localid "de91565XXXXXXXfbbd6632.49561179.ipsec.cloudflare.com" - set dhgrp 14 + set dhgrp 20 set nattraversal disable set remote-gw 172.XX.XX.210 set add-gw-route enable @@ -143,18 +143,18 @@ fortigate # config vpn ipsec phase2-interface edit "MWAN_IPsec_Tun1" set phase1name "MWAN_IPsec_Tun1" set proposal aes256gcm aes128gcm - set dhgrp 14 + set dhgrp 20 set replay disable - set keylifeseconds 3600 + set keylifeseconds 28800 set auto-negotiate enable set keepalive enable next edit "MWAN_IPsec_Tun2" set phase1name "MWAN_IPsec_Tun2" set proposal aes256gcm aes128gcm - set dhgrp 14 + set dhgrp 20 set replay disable - set keylifeseconds 3600 + set keylifeseconds 28800 set auto-negotiate enable set keepalive enable next diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/google.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/google.mdx index 5840a1499963490..3188fb585514645 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/google.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/google.mdx 
@@ -73,7 +73,7 @@ After configuring the Cloud VPN gateway VPN and the tunnels as mentioned above, - **Customer endpoint**: The IP address from GCP VPN tunnel outside IP address. For example, `35.xx.xx.xx`. - **Cloudflare endpoint**: Enter the first of your two anycast IPs. - **Pre-shared key**: Choose **Use my own pre-shared key**, and enter the PSK you created for the GCP VPN tunnel. - - **Health check type**: Choose Reply + - **Health check type**: Choose **Reply** - **Health check destination**: Choose **custom** and set the IP corresponding to the interface address for the tunnel - **Health check direction**: Choose **Bidirectional** - **Replay protection**: Select **Enabled**. diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx index 288f8c0b4ad5b2e..5b166c3b9c5cf68 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/juniper.mdx @@ -197,10 +197,10 @@ Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](/magic ```txt set security ike proposal cf_magic_wan_ike_prop authentication-method pre-shared-keys -set security ike proposal cf_magic_wan_ike_prop dh-group group14 +set security ike proposal cf_magic_wan_ike_prop dh-group group20 set security ike proposal cf_magic_wan_ike_prop authentication-algorithm sha-256 set security ike proposal cf_magic_wan_ike_prop encryption-algorithm aes-256-cbc -set security ike proposal cf_magic_wan_ike_prop lifetime-seconds 28800 +set security ike proposal cf_magic_wan_ike_prop lifetime-seconds 86400 ``` ```txt 
@@ -208,10 +208,10 @@ admin@srx300> show configuration security ike proposal cf_magic_wan_ike_prop ``` ```txt output authentication-method pre-shared-keys; -dh-group group14; +dh-group group20; authentication-algorithm sha-256; encryption-algorithm aes-256-cbc; -lifetime-seconds 28800; +lifetime-seconds 86400; ``` #### IKE policies diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/oracle.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/oracle.mdx index bda8b6d49a16282..5b4b021580b2023 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/oracle.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/oracle.mdx @@ -69,14 +69,14 @@ You can try this code in the [Workers playground](https://workers.cloudflare.com - Select **Set custom configurations** - **Custom encryption algorithm**: **AES_256_CBC** - **Custom authentication algorithm**: **SHA2_256** - - **Custom Diffie-Hellman group**: **GROUP14** - - **IKE session key lifetime in seconds**: **28800** + - **Custom Diffie-Hellman group**: **GROUP20** + - **IKE session key lifetime in seconds**: **86400** 3. Select **Phase two (IPsec) configuration** - Select **Set custom configurations** - **Custom encryption algorithm**: **AES_256_CBC** - **HMAC_SHA2_256_128**: **HMAC_SHA2_256_128** - - **IPsec session key lifetime in seconds**: **14400** - - **Perfect forward secrecy Diffie-Hellman group**: **GROUP14** + - **IPsec session key lifetime in seconds**: **28800** + - **Perfect forward secrecy Diffie-Hellman group**: **GROUP20** - **Tunnel 2** - Repeat the above steps for Tunnel 2. Select the right IP for **IPv4 inside tunnel interface - CPE**: `10.200.2.0/31` and **IPv4 inside tunnel interface - Oracle**: `10.200.2.1/31` 4. Select **Create IPsec connection** 
diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/palo-alto.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/palo-alto.mdx index b0152e5b96ad256..c3b17404e2ef2d3 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/palo-alto.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/palo-alto.mdx @@ -513,10 +513,10 @@ Multiple DH groups and authentication settings are defined in the desired order. | Name | Option | Value | | ------------------- | ----------------------------- | -------------------------------------------- | -| `CF_IKE_Crypto_CBC` | DH Group | **group14** | +| `CF_IKE_Crypto_CBC` | DH Group | **group20** | | | Authentication | **sha512**
**sha384**
**sha256** | | | Encryption | **aes-256-cbc** | -| | Key Lifetime | 8 hours | +| | Key Lifetime | 24 hours | | | IKEv2 Authentication Multiple | `0` | ![IKE crypto profile you need to set up on your device for Phase 1](~/assets/images/magic-wan/third-party/palo-alto/panw_ipsec_tunnels/01_ike_crypto_profile.png) @@ -527,9 +527,9 @@ You can also set up the crypto profile for Phase 1 via the command line: ```bash set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC hash [ sha512 sha384 sha256 ] -set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC dh-group [ group14 ] +set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC dh-group [ group20 ] set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC encryption aes-256-cbc -set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC lifetime hours 8 +set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC lifetime hours 24 set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC authentication-multiple 0 ``` @@ -545,8 +545,8 @@ Multiple Authentication settings are defined in the desired order. Palo Alto Net | --------------------- | -------------- | ------------------------- | | `CF_IPsec_Crypto_CBC` | Encryption | **aes-256-cbc** | | | Authentication | **sha256**
**sha1** | -| | DH Group | **group14** | -| | Lifetime | 1 hour | +| | DH Group | **group20** | +| | Lifetime | 8 hours | ![IPsec crypto profile you need to set up on your device](~/assets/images/magic-wan/third-party/palo-alto/panw_ipsec_tunnels/02_ipsec_crypto_profile.png) @@ -557,8 +557,8 @@ You can also set up the IPsec crypto profile for Phase 2 via the command line: ```bash set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp authentication [ sha256 sha1 ] set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp encryption aes-256-cbc -set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC lifetime hours 1 -set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC dh-group group14 +set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC lifetime hours 8 +set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC dh-group group20 ``` ### IKE Gateways @@ -751,7 +751,7 @@ Gateway ID Peer-Address Gateway Name Role SN Algo ---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- -- -2 162.159.66.164 CF_Magic_WAN_IKE_01 Init 67 PSK/DH14/A256/SHA256 Jun.04 21:09:13 Jun.05 05:09:13 0 1 Established +2 162.159.66.164 CF_Magic_WAN_IKE_01 Init 67 PSK/DH20/A256/SHA256 Jun.04 21:09:13 Jun.05 05:09:13 0 1 Established IKEv2 IPsec Child SAs Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST @@ -777,7 +777,7 @@ Gateway ID Peer-Address Gateway Name Role SN Algo ---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- -- -3 172.64.242.164 CF_Magic_WAN_IKE_02 Init 66 PSK/DH14/A256/SHA256 Jun.04 20:37:42 Jun.05 04:37:42 0 2 Established +3 172.64.242.164 CF_Magic_WAN_IKE_02 Init 66 PSK/DH20/A256/SHA256 Jun.04 20:37:42 Jun.05 04:37:42 0 2 Established IKEv2 IPsec Child SAs Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST 
diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/pfsense.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/pfsense.mdx index 5c22b0cbe82c74a..9b6931ec688ff17 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/pfsense.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/pfsense.mdx @@ -127,20 +127,9 @@ Add a new IPsec tunnel [Phase 1 entry](https://docs.netgate.com/pfsense/en/lates - **Encryption algorithm**: _AES 256 bits_ - **Key length**: _256 bits_ - **Hash algorithm**: _SHA256_ - - **DH key group**: _14_ - - **Lifetime**: `28800` - -
- -![pfSense IPsec phase 1 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase1.png) - -
- -
+ - **DH key group**: _20_ + - **Lifetime**: `86400` -![pfSense IPsec phase 1 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase1b.png) - -
### Configure IPsec Phase 2 @@ -156,14 +145,8 @@ Add a new IPsec tunnel [Phase 2 entry](https://docs.netgate.com/pfsense/en/lates - **Protocol**: _ESP_ - **Encryption algorithm**: _AES 256 bits_ - **Hash algorithm**: _SHA256_ - - **DH key group**: _14_ - - **Lifetime**: `3600` - -
- -![pfSense IPsec phase 2 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase2.png) - -
+ - **DH key group**: _20_ + - **Lifetime**: `28800` When you are finished, apply your changes. If you go to **Status** > **IPsec**, you should be able to check that both Phase 1 and Phase 2 are connected. diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/sonicwall.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/sonicwall.mdx index c2a9e8c74153475..2f83249aa29814c 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/sonicwall.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/sonicwall.mdx @@ -76,24 +76,17 @@ Static routes are required for any networks that will be reached via the IPsec t 5. Select **Proposals**. VPN Policy is somewhat flexible. Adjust these settings to match your organization's preferred security policy. As an example, you can use the settings in the examples below. 6. In the **IKE (Phase 1) Proposal** group, select the following settings: - **Exchange**: _IKEv2 Mode_ - - **DH Group**: _Group 14_ + - **DH Group**: _Group 20_ - **Encryption**: _AES-256_ - **Authentication**: _SHA256_ - - **Life Time (seconds)**: `28800` + - **Life Time (seconds)**: `86400` 7. In the **IPsec (Phase 2) Proposal** group, add the following settings: - **Protocol**: _ESP_ - **Encryption**: _AESGCM16-256_ - **Authentication**: _None_ - **Enable Perfect Forward Secrecy**: Enabled - - **DH Group**: _Group 14_ + - **DH Group**: _Group 20_ - **Life Time (seconds)**: `28800` - -
- -![Configure a VPN policy on your SonicWall device](~/assets/images/magic-wan/third-party/sonicwall/4-vpn-policy-proposals.png) - -
- 8. Select **Advanced**. 9. Enable **Disable IPsec Anti-Replay**. 10. In **VPN Policy bound to** select your WAN interface from the dropdown menu, to bind it to your VPN. diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/sophos-firewall.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/sophos-firewall.mdx index eb091e0471beb26..a25cf5f1a45b0f8 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/sophos-firewall.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/sophos-firewall.mdx @@ -31,20 +31,18 @@ The following instructions show how to setup an IPsec connection on your Sophos - **Key exchange**: **IKEv2** - **Authentication mode**: **Main mode** 4. In the **Phase 1** group, make sure you have the following settings: - - **DH group (key group)**: _14(DH2048)_ + - **DH group (key group)**: _20_ - **Encryption**: _AES256_ - **Authentication**: _SHA2 256_ 5. In the **Phase 2** group, select the following: - **PFS group (DH group)**: _Same as phase-1_ - - **Key life**: _3600_ + - **Key life**: _28800_ - **Encryption**: _AES256_ - **Authentication**: _SHA2 256_ 6. Enable **Dead Peer Detection**. 7. In **When peer unreachable**, select _Re-initiate_. 8. Select **Save**. -![Start by setting up an IPsec profile.](~/assets/images/magic-wan/third-party/sophos-firewall/1-ipsec-profile.png) - ### 2. Create IPsec connection tunnel The next step involves configuring a site-to-site IPsec VPN connection on your Sophos Firewall device. diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/strongswan.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/strongswan.mdx index 5c6906d97035b9b..83bf558f71353de 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/strongswan.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/strongswan.mdx 
@@ -62,7 +62,7 @@ config setup uniqueids = yes conn %default - ikelifetime=4h + ikelifetime=24h rekey=yes reauth=no keyexchange=ikev2 @@ -86,8 +86,8 @@ conn cloudflare-ipsec rightid= rightsubnet=0.0.0.0/0 rightauth=psk - ike=aes256-sha256-modp2048! - esp=aes256-sha256-modp2048! + ike=aes256-sha256-ecp384! + esp=aes256-sha256-ecp384! replay_window=0 mark_in=42 mark_out=42 diff --git a/src/content/docs/magic-wan/configuration/manually/third-party/vyos.mdx b/src/content/docs/magic-wan/configuration/manually/third-party/vyos.mdx index 086b836f0915088..9a95c12232af55e 100644 --- a/src/content/docs/magic-wan/configuration/manually/third-party/vyos.mdx +++ b/src/content/docs/magic-wan/configuration/manually/third-party/vyos.mdx @@ -35,7 +35,7 @@ This tutorial contains configuration information and a sample template for using - SHA512 - **PFS group** - - DH group 14 (2048-bit MODP group) + - DH group 20 (348-bit random ECP group) ## Configuration template @@ -43,7 +43,7 @@ This tutorial contains configuration information and a sample template for using set interfaces vti address '' set vpn ipsec esp-group compression 'disable' -set vpn ipsec esp-group lifetime '14400' +set vpn ipsec esp-group lifetime '86400' set vpn ipsec esp-group mode 'tunnel' set vpn ipsec esp-group pfs 'enable' set vpn ipsec esp-group proposal 1 encryption 'aes256gcm128' @@ -54,9 +54,9 @@ set vpn ipsec ike-group dead-peer-detection interval '30' set vpn ipsec ike-group dead-peer-detection timeout '120' set vpn ipsec ike-group ikev2-reauth 'no' set vpn ipsec ike-group key-exchange 'ikev2' -set vpn ipsec ike-group lifetime '14400' +set vpn ipsec ike-group lifetime '28800' set vpn ipsec ike-group mobike 'disable' -set vpn ipsec ike-group proposal 1 dh-group '14' +set vpn ipsec ike-group proposal 1 dh-group '20' set vpn ipsec ike-group proposal 1 encryption 'aes256gcm128' set vpn ipsec ike-group proposal 1 hash 'sha512' set vpn ipsec ipsec-interfaces interface ''
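Review bot: The new VyOS PFS description reads `DH group 20 (348-bit random ECP group)`; group 20 is the 384-bit random ECP group (group 19 is the 256-bit one), so the line should be `- DH group 20 (384-bit random ECP group)`. The lifetimes in the template also appear swapped relative to every other platform in this change: `set vpn ipsec esp-group lifetime '86400'` now exceeds `set vpn ipsec ike-group lifetime '28800'`, whereas the other guides set the IKE SA to 86400 and the child SA to 28800. Unless VyOS is intentionally different, consider `set vpn ipsec esp-group lifetime '28800'` and `set vpn ipsec ike-group lifetime '86400'` so the child SA does not outlive its parent IKE SA.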