Hello,

the feature "multiple DH groups for phase 1" introduced with version 6.34 is still missing in the Winbox configuration. i can select only one through the GUI. But you can set multiple DH Groups through the console.

i spend an hour to figure it out

best regards,
dave

Probably an experimental option. Not sure if it is a good experiment, other implementations I know do not support this
so I presume there is a protocol standards issue.

Probably an experimental option. Not sure if it is a good experiment, other implementations I know do not support this
so I presume there is a protocol standards issue.

I know for a fact that Fortinet support multiple DH groups.

It does not use all of them at once (obviously), it just means it will match on any of the specified DH groups.

So if you specify DH2 and DH5, the remote peer can use either or.

Yes, but in the documentation of e.g. racoon on Linux, where you could configure this, it warns that this is not
going to work. I guess there is something in the protocol or in existing implementations that might cause problems.
Maybe a trick was found to work around this. (like alternating these settings on subsequent sessions until one works)

Winbox support for this new feature is already added (v6.35.2 definitely have it).
It works as nz_monkey stated, picked one from the set of supported DH groups. Also note that whenever possible strongest will be used first.
Feature was added to support as many devices as possible in road warrior setups, because recent windows phones works only with 2048, but iphones only with 1024.