cloudflare · marciocloudflare · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025 · Jan 13, 2025
@@ -54,7 +54,7 @@ This tutorial provides information on how to connect Alibaba Cloud infrastructur
    2. **Negotiation Mode**: _main_
    3. **Encryption Algorithm**: _aes256_
    4. **Authentication Algorithm**: _sha256_
-   5. **DH Group**: _group14_
+   5. **DH Group**: _group20_
    6. **Localid**: This is the customer endpoint. These are generally IP addresses provided by your ISP. For example, `47.xxx.xxx.xxx`.
 
 ## Magic WAN

@@ -50,8 +50,8 @@ Additionally, you also need to configure the necessary route table entries for t
    - **Phase 2 encryption algorithms**: `AES256-GCM-16`
    - **Phase 1 integrity algorithms**: `SHA2-256`
    - **Phase 2 integrity algorithms**: `SHA2-256`
-   - **Phase 1 DH group numbers**: `14`
-   - **Phase 2 DH group numbers**: `14`
+   - **Phase 1 DH group numbers**: `20`
+   - **Phase 2 DH group numbers**: `20`
    - **IKE Version**: `ikev2`
    - **Startup action**: **Start**
    - **DPD timeout action**: `Restart`

@@ -100,13 +100,13 @@ Choose the following settings when creating your VPN Connection:
    1. **IKE Phase 1**
       1. **Encryption**: _GCMAES256_ or _AES256_
       2. **Integrity/PRF**: _SHA256_
-      3. **DH Group**: _DHGroup14_
+      3. **DH Group**: _DHGroup20_
    2. **IKE Phase 2(IPsec)**
       1. **IPsec Encryption**: _GCMAES256_ or _AES256_
       2. **IPsec Integrity**: _SHA256_
       3. **PFS Group**: _PFS2048_
    3. **IPsec SA lifetime in KiloBytes**: `0`
-   4. **IPsec SA lifetime in seconds**: `27000`
+   4. **IPsec SA lifetime in seconds**: `28800`
    5. **Use policy based traffic selector**: **Disable**
    6. **DPD timeout in seconds**: `45`
    7. **Connection mode**: **Default**

@@ -17,7 +17,7 @@ The following is a Cisco IOS XE configuration example:
 crypto ikev2 proposal CF_MAGIC_WAN_IKEV2_PROPOSAL
  encryption aes-cbc-256
  integrity sha512 sha384 sha256
- group 14
+ group 20
 !
 crypto ikev2 policy CF_MAGIC_WAN_IKEV2_POLICY
  match fvrf any
@@ -56,7 +56,7 @@ crypto ikev2 profile CF_MAGIC_WAN_02
 crypto ipsec profile CF_MAGIC_WAN_01
  set security-association lifetime kilobytes disable
  set security-association replay disable
- set pfs group14
+ set pfs group20
  set ikev2-profile CF_MAGIC_WAN_01
 !
 crypto ipsec profile CF_MAGIC_WAN_02

@@ -78,8 +78,8 @@ crypto isakmp policy ISAKMP_POLICY
  authentication pre-share
  encryption aes
  encryption-keysize aes 256 256 256
- group 14
- lifetime 14400
+ group 20
+ lifetime 86400
  hash sha sha-256
  initiate-mode aggressive
 exit
@@ -144,8 +144,8 @@ crypto isakmp policy ISAKMP_POLICY
  authentication pre-share
  encryption aes
  encryption-keysize aes 256 256 256
- group 14
- lifetime 14400
+ group 20
+ lifetime 86400
  hash sha sha-256
  initiate-mode aggressive
 exit
@@ -225,7 +225,7 @@ show crypto sa
     Remote Authentication method : Pre-shared key
     Encryption algorithm : aes256-cbc
     Hash algorithm : hmac-sha256-128
-    Diffie-Hellman group : 14 (2048 bits)
+    Diffie-Hellman group : 20
     Initiator Cookie : aaaaaaaa bbbbbbbb
     Responder Cookie : cccccccc dddddddd
     Life time : 6852/14400 sec

@@ -106,12 +106,12 @@ fortigate # config vpn ipsec phase1-interface
     edit "MWAN_IPsec_Tun1"
         set interface "wan1"
         set ike-version 2
-        set keylife 28800
+        set keylife 86400
         set peertype any
         set net-device enable
         set proposal aes256gcm-prfsha512 aes256gcm-prfsha384 aes256gcm-prfsha256
         set localid "f1473dXXXXXXX72e33.49561179.ipsec.cloudflare.com"
-        set dhgrp 14
+        set dhgrp 20
         set nattraversal disable
         set remote-gw 162.159.67.210
         set add-gw-route enable
@@ -120,12 +120,12 @@ fortigate # config vpn ipsec phase1-interface
     edit "MWAN_IPsec_Tun2"
         set interface "wan1"
         set ike-version 2
-        set keylife 28800
+        set keylife 86400
         set peertype any
         set net-device enable
         set proposal aes256gcm-prfsha512 aes256gcm-prfsha384 aes256gcm-prfsha256
         set localid "de91565XXXXXXXfbbd6632.49561179.ipsec.cloudflare.com"
-        set dhgrp 14
+        set dhgrp 20
         set nattraversal disable
         set remote-gw 172.XX.XX.210
         set add-gw-route enable
@@ -143,18 +143,18 @@ fortigate # config vpn ipsec phase2-interface
     edit "MWAN_IPsec_Tun1"
         set phase1name "MWAN_IPsec_Tun1"
         set proposal aes256gcm aes128gcm
-        set dhgrp 14
+        set dhgrp 20
         set replay disable
-        set keylifeseconds 3600
+        set keylifeseconds 28800
         set auto-negotiate enable
         set keepalive enable
     next
     edit "MWAN_IPsec_Tun2"
         set phase1name "MWAN_IPsec_Tun2"
         set proposal aes256gcm aes128gcm
-        set dhgrp 14
+        set dhgrp 20
         set replay disable
-        set keylifeseconds 3600
+        set keylifeseconds 28800
         set auto-negotiate enable
         set keepalive enable
     next

@@ -73,7 +73,7 @@ After configuring the Cloud VPN gateway VPN and the tunnels as mentioned above,
    - **Customer endpoint**: The IP address from GCP VPN tunnel outside IP address. For example, `35.xx.xx.xx`.
    - **Cloudflare endpoint**: Enter the first of your two anycast IPs.
    - **Pre-shared key**: Choose **Use my own pre-shared key**, and enter the PSK you created for the GCP VPN tunnel.
-   - **Health check type**: Choose Reply
+   - **Health check type**: Choose **Reply**
    - **Health check destination**: Choose **custom** and set the IP corresponding to the interface address for the tunnel
    - **Health check direction**: Choose **Bidirectional**
    - **Replay protection**: Select **Enabled**.

@@ -197,21 +197,21 @@ Add an IKE proposal that specifies the [Phase 1 Configuration Parameters](/magic
 
 ```txt
 set security ike proposal cf_magic_wan_ike_prop authentication-method pre-shared-keys
-set security ike proposal cf_magic_wan_ike_prop dh-group group14
+set security ike proposal cf_magic_wan_ike_prop dh-group group20
 set security ike proposal cf_magic_wan_ike_prop authentication-algorithm sha-256
 set security ike proposal cf_magic_wan_ike_prop encryption-algorithm aes-256-cbc
-set security ike proposal cf_magic_wan_ike_prop lifetime-seconds 28800
+set security ike proposal cf_magic_wan_ike_prop lifetime-seconds 86400
 ```
 
 ```txt
 admin@srx300> show configuration security ike proposal cf_magic_wan_ike_prop
 ```
 ```txt output
 authentication-method pre-shared-keys;
-dh-group group14;
+dh-group group20;
 authentication-algorithm sha-256;
 encryption-algorithm aes-256-cbc;
-lifetime-seconds 28800;
+lifetime-seconds 86400;
 ```
 
 #### IKE policies

@@ -69,14 +69,14 @@ You can try this code in the [Workers playground](https://workers.cloudflare.com
             - Select **Set custom configurations**
             - **Custom encryption algorithm**: **AES_256_CBC**
             - **Custom authentication algorithm**: **SHA2_256**
-            - **Custom Diffie-Hellman group**: **GROUP14**
-            - **IKE session key lifetime in seconds**: **28800**
+            - **Custom Diffie-Hellman group**: **GROUP20**
+            - **IKE session key lifetime in seconds**: **86400**
          3. Select **Phase two (IPsec) configuration**
             - Select **Set custom configurations**
             - **Custom encryption algorithm**: **AES_256_CBC**
             - **HMAC_SHA2_256_128**: **HMAC_SHA2_256_128**
-            - **IPsec session key lifetime in seconds**: **14400**
-            - **Perfect forward secrecy Diffie-Hellman group**: **GROUP14**
+            - **IPsec session key lifetime in seconds**: **28800**
+            - **Perfect forward secrecy Diffie-Hellman group**: **GROUP20**
     - **Tunnel 2**
       - Repeat the above steps for Tunnel 2. Select the right IP for **IPv4 inside tunnel interface - CPE**: `10.200.2.0/31` and **IPv4 inside tunnel interface - Oracle**: `10.200.2.1/31`
 4. Select **Create IPsec connection**

@@ -513,10 +513,10 @@ Multiple DH groups and authentication settings are defined in the desired order.
 
 | Name                | Option                        | Value                                        |
 | ------------------- | ----------------------------- | -------------------------------------------- |
-| `CF_IKE_Crypto_CBC` | DH Group                      | **group14**                                  |
+| `CF_IKE_Crypto_CBC` | DH Group                      | **group20**                                  |
 |                     | Authentication                | **sha512** <br/> **sha384** <br/> **sha256** |
 |                     | Encryption                    | **aes-256-cbc**                              |
-|                     | Key Lifetime                  | 8 hours                                      |
+|                     | Key Lifetime                  | 24 hours                                      |
 |                     | IKEv2 Authentication Multiple | `0`                                          |
 
 ![IKE crypto profile you need to set up on your device for Phase 1](~/assets/images/magic-wan/third-party/palo-alto/panw_ipsec_tunnels/01_ike_crypto_profile.png)
@@ -527,9 +527,9 @@ You can also set up the crypto profile for Phase 1 via the command line:
 
 ```bash
 set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC hash [ sha512 sha384 sha256 ]
-set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC dh-group [ group14 ]
+set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC dh-group [ group20 ]
 set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC encryption aes-256-cbc
-set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC lifetime hours 8
+set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC lifetime hours 24
 set network ike crypto-profiles ike-crypto-profiles CF_IKE_Crypto_CBC authentication-multiple 0
 ```
 
@@ -545,8 +545,8 @@ Multiple Authentication settings are defined in the desired order. Palo Alto Net
 | --------------------- | -------------- | ------------------------- |
 | `CF_IPsec_Crypto_CBC` | Encryption     | **aes-256-cbc**           |
 |                       | Authentication | **sha256** <br/> **sha1** |
-|                       | DH Group       | **group14**               |
-|                       | Lifetime       | 1 hour                    |
+|                       | DH Group       | **group20**               |
+|                       | Lifetime       | 8 hours                   |
 
 ![IPsec crypto profile you need to set up on your device](~/assets/images/magic-wan/third-party/palo-alto/panw_ipsec_tunnels/02_ipsec_crypto_profile.png)
 
@@ -557,8 +557,8 @@ You can also set up the IPsec crypto profile for Phase 2 via the command line:
 ```bash
 set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp authentication [ sha256 sha1 ]
 set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC esp encryption aes-256-cbc
-set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC lifetime hours 1
-set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC dh-group group14
+set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC lifetime hours 8
+set network ike crypto-profiles ipsec-crypto-profiles CF_IPsec_Crypto_CBC dh-group group20
 ```
 
 ### IKE Gateways
@@ -751,7 +751,7 @@ Gateway ID      Peer-Address           Gateway Name           Role SN       Algo
 
 ----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --
 
-2               162.159.66.164         CF_Magic_WAN_IKE_01    Init 67       PSK/DH14/A256/SHA256  Jun.04 21:09:13 Jun.05 05:09:13 0  1      Established
+2               162.159.66.164         CF_Magic_WAN_IKE_01    Init 67       PSK/DH20/A256/SHA256  Jun.04 21:09:13 Jun.05 05:09:13 0  1      Established
 
 IKEv2 IPsec Child SAs
 Gateway Name           TnID     Tunnel                    ID       Parent   Role SPI(in)  SPI(out) MsgID    ST
@@ -777,7 +777,7 @@ Gateway ID      Peer-Address           Gateway Name           Role SN       Algo
 
 ----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --
 
-3               172.64.242.164         CF_Magic_WAN_IKE_02    Init 66       PSK/DH14/A256/SHA256  Jun.04 20:37:42 Jun.05 04:37:42 0  2      Established
+3               172.64.242.164         CF_Magic_WAN_IKE_02    Init 66       PSK/DH20/A256/SHA256  Jun.04 20:37:42 Jun.05 04:37:42 0  2      Established
 
 IKEv2 IPsec Child SAs
 Gateway Name           TnID     Tunnel                    ID       Parent   Role SPI(in)  SPI(out) MsgID    ST

@@ -127,20 +127,9 @@ Add a new IPsec tunnel [Phase 1 entry](https://docs.netgate.com/pfsense/en/lates
   - **Encryption algorithm**: _AES 256 bits_
   - **Key length**: _256 bits_
   - **Hash algorithm**: _SHA256_
-  - **DH key group**: _14_
-  - **Lifetime**: `28800`
-
-<div class="full-img">
-
-![pfSense IPsec phase 1 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase1.png)
-
-</div>
-
-<div class="full-img">
+  - **DH key group**: _20_
+  - **Lifetime**: `86400`
 
-![pfSense IPsec phase 1 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase1b.png)
-
-</div>
 
 ### Configure IPsec Phase 2
 
@@ -156,14 +145,8 @@ Add a new IPsec tunnel [Phase 2 entry](https://docs.netgate.com/pfsense/en/lates
   - **Protocol**: _ESP_
   - **Encryption algorithm**: _AES 256 bits_
   - **Hash algorithm**: _SHA256_
-  - **DH key group**: _14_
-  - **Lifetime**: `3600`
-
-<div class="full-img">
-
-![pfSense IPsec phase 2 settings](~/assets/images/magic-wan/third-party/pfsense/ipsec-phase2.png)
-
-</div>
+  - **DH key group**: _20_
+  - **Lifetime**: `28800`
 
 When you are finished, apply your changes. If you go to **Status** > **IPsec**, you should be able to check that both Phase 1 and Phase 2 are connected.
 

@@ -76,24 +76,17 @@ Static routes are required for any networks that will be reached via the IPsec t
 5. Select **Proposals**. VPN Policy is somewhat flexible. Adjust these settings to match your organization's preferred security policy. As an example, you can use the settings in the examples below.
 6. In the **IKE (Phase 1) Proposal** group, select the following settings:
    - **Exchange**: _IKEv2 Mode_
-   - **DH Group**: _Group 14_
+   - **DH Group**: _Group 20_
    - **Encryption**: _AES-256_
    - **Authentication**: _SHA256_
-   - **Life Time (seconds)**: `28800`
+   - **Life Time (seconds)**: `86400`
 7. In the **IPsec (Phase 2) Proposal** group, add the following settings:
    - **Protocol**: _ESP_
    - **Encryption**: _AESGCM16-256_
    - **Authentication**: _None_
    - **Enable Perfect Forward Secrecy**: Enabled
-   - **DH Group**: _Group 14_
+   - **DH Group**: _Group 20_
    - **Life Time (seconds)**: `28800`
-
-<div class="large-img">
-
-![Configure a VPN policy on your SonicWall device](~/assets/images/magic-wan/third-party/sonicwall/4-vpn-policy-proposals.png)
-
-</div>
-
 8. Select **Advanced**.
 9. Enable **Disable IPsec Anti-Replay**.
 10. In **VPN Policy bound to** select your WAN interface from the dropdown menu, to bind it to your VPN.

@@ -31,20 +31,18 @@ The following instructions show how to setup an IPsec connection on your Sophos
    - **Key exchange**: **IKEv2**
    - **Authentication mode**: **Main mode**
 4. In the **Phase 1** group, make sure you have the following settings:
-   - **DH group (key group)**: _14(DH2048)_
+   - **DH group (key group)**: _20_
    - **Encryption**: _AES256_
    - **Authentication**: _SHA2 256_
 5. In the **Phase 2** group, select the following:
    - **PFS group (DH group)**: _Same as phase-1_
-   - **Key life**: _3600_
+   - **Key life**: _28800_
    - **Encryption**: _AES256_
    - **Authentication**: _SHA2 256_
 6. Enable **Dead Peer Detection**.
 7. In **When peer unreachable**, select _Re-initiate_.
 8. Select **Save**.
 
-![Start by setting up an IPsec profile.](~/assets/images/magic-wan/third-party/sophos-firewall/1-ipsec-profile.png)
-
 ### 2. Create IPsec connection tunnel
 
 The next step involves configuring a site-to-site IPsec VPN connection on your Sophos Firewall device.

@@ -62,7 +62,7 @@ config setup
     uniqueids = yes
 
 conn %default
-    ikelifetime=4h
+    ikelifetime=24h
     rekey=yes
     reauth=no
     keyexchange=ikev2
@@ -86,8 +86,8 @@ conn cloudflare-ipsec
     rightid=<YOUR_CLOUDFLARE_ANYCAST_IP>
     rightsubnet=0.0.0.0/0
     rightauth=psk
-    ike=aes256-sha256-modp2048!
-    esp=aes256-sha256-modp2048!
+    ike=aes256-sha256-ecp384!
+    esp=aes256-sha256-ecp384!
     replay_window=0
     mark_in=42
     mark_out=42

@@ -35,15 +35,15 @@ This tutorial contains configuration information and a sample template for using
   - SHA512
 
 - **PFS group**
-  - DH group 14 (2048-bit MODP group)
+  - DH group 20 (348-bit random ECP group)
 
 ## Configuration template
 
 ```bash
 set interfaces vti <name of the vti interface> address
 '<PRIVATE_IP_ADDRESS_OF_IPSEC_TUNNEL_INTERFACE>'
 set vpn ipsec esp-group <NAME_OF_ESP_GROUP> compression 'disable'
-set vpn ipsec esp-group <NAME_OF_ESP_GROUP> lifetime '14400'
+set vpn ipsec esp-group <NAME_OF_ESP_GROUP> lifetime '86400'
 set vpn ipsec esp-group <NAME_OF_ESP_GROUP> mode 'tunnel'
 set vpn ipsec esp-group <NAME_OF_ESP_GROUP> pfs 'enable'
 set vpn ipsec esp-group <NAME_OF_ESP_GROUP> proposal 1 encryption 'aes256gcm128'
@@ -54,9 +54,9 @@ set vpn ipsec ike-group <NAME_OF_IKE_GROUP> dead-peer-detection interval '30'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> dead-peer-detection timeout '120'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> ikev2-reauth 'no'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> key-exchange 'ikev2'
-set vpn ipsec ike-group <NAME_OF_IKE_GROUP> lifetime '14400'
+set vpn ipsec ike-group <NAME_OF_IKE_GROUP> lifetime '28800'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> mobike 'disable'
-set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 dh-group '14'
+set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 dh-group '20'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 encryption 'aes256gcm128'
 set vpn ipsec ike-group <NAME_OF_IKE_GROUP> proposal 1 hash 'sha512'
 set vpn ipsec ipsec-interfaces interface '<UPLINK_INTF_TO_INTERNET/WAN>'