The NIT has issued a Technical Decision making DH Group 14 optional in FCS_IPSEC_EXT.1.11.

To align with NIT interpretation # 201702a, FCS_IPSEC_EXT.1.11 is modified as follows:

FCS_IPSEC_EXT.1.11 The TSF shall ensure that IKE protocols implement DH Group(s) [selection: 14 (2048-bit MODP), 19 (256-bit Random ECP), 24 (2048-bit MODP with 256-bit POS), 20 (384-bit Random ECP)] and [selection: 5 (1536-bit MODP), no other group].

The application note related to FCS_IPSEC_EXT.1.11 shall be modified as follows:

"The selection is used to specify DH groups supported. This applies to IKEv1 and IKEv2 exchanges. It should be noted that if any additional DH groups are specified, they must comply with the requirements (in terms of the ephemeral keys that are established) listed in FCS_CKM.1."

For further information, please see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfI201702a.pdf

See issue description.