Hi, I'm trying to make a fully redundant setup which includes sham links: 2x CE devices in HQ 2x PE mikrotiks in HQ 2x PE mikrotiks in a remote office: one connected via a DSL link, another one connected via a 4G link 2x CE devices in HQ I configured 4x VPN tunnels between those mikrotiks: HQ1 - rem...

+1 That's all tied to how IPsec works behind the scene. For L2L tunnels, policies are expected to come into the game first, and are used to find a proper SA. And only in case there's no established SA, a peer configuration is searched for, and then an ISAKMP or IKEv2 exchange is initiated based on t...

They are now officially supported! Kudos to the devs!

What's new in 6.41 (2017-Dec-22 11:55):
*) ipsec - added DH groups 19, 20 and 21 support for phase1 and phase2;

Although I'm not a cryptographic specialist (nor a programmer), I understand that Elliptic Curve Cryptography should be more efficient. (source: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#9). The implementation of DH19-21 (which use ECC) could possibly impro...

Hello, Are there any plans to support Diffie Hellman Groups 19 to 21 (ecp256, ecp384, ecp521)? There is support for DH15-18, which - according to Cisco - offer acceptable and good security. (Source: http://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html) I understand ho...