topic Re: IPSEC Tunnel PFS Groups need to match? in Network Security

IPSEC Tunnel PFS Groups need to match?

CiscoBrownBelt — Fri, 21 Feb 2020 17:25:59 GMT

In regards to IPSEC tunnels, is it best to match PFS groups on the peer devices?

Re: IPSEC Tunnel PFS Groups need to match?

Rob Ingram — Tue, 27 Aug 2019 20:11:36 GMT

Hi,
Yes, all attributes must match/mirror each other on the devices when establishing a VPN.
PFS is also optional.

HTH

Re: IPSEC Tunnel PFS Groups need to match?

CiscoBrownBelt — Tue, 27 Aug 2019 20:13:22 GMT

Tunnel is up with different PFS groups, however not sure if it causes problems.

Re: IPSEC Tunnel PFS Groups need to match?

Rob Ingram — Tue, 27 Aug 2019 20:14:38 GMT

Hmmm, can you provide the output of "show crypto ipsec sa detail" from both devices?

Re: IPSEC Tunnel PFS Groups need to match?

Karsten Iwen — Wed, 28 Aug 2019 13:40:35 GMT

As RJI mentions, it should match/mirror on both sides. But it does not have to.

If the initiator does not have PFS configured or a smaller group than the responder, the connection will fail.
If the initiator has a group configured but the responder does not, or the responder has a smaller group configured, then the PFS-group of the initiator is used.

That means the PFS group is negotiated, but only to the minimum that is configured on the responder side.

Re: IPSEC Tunnel PFS Groups need to match?

desktopAdmin — Thu, 24 Feb 2022 14:44:22 GMT

I had an issue with mismatched PFS settings yesterday......here's what happened in my case. Phase 1 and phase 2 completed and the tunnel was up. However, only the first device trying to send traffic through the tunnel was able to communicate. Communication from all other devices failed. It didn't matter which device was the first to initiate traffic, the device that initiated traffic was the only one that could communicate through the tunnel.......communication from all other devices would fail.