Contributor

IPSEC Tunnel PFS Groups need to match?

In regards to IPSEC tunnels, is it best to match PFS groups on the peer devices?


4 REPLIES
VIP Advisor RJI (accepted solution)

Re: IPSEC Tunnel PFS Groups need to match?

Hi,
Yes, all attributes must match/mirror each other on the devices when establishing a VPN.
PFS is also optional.

HTH
Contributor

Re: IPSEC Tunnel PFS Groups need to match?

Tunnel is up with different PFS groups; however, not sure if it causes problems.
VIP Advisor RJI

Re: IPSEC Tunnel PFS Groups need to match?

Hmmm, can you provide the output of "show crypto ipsec sa detail" from both devices?
VIP Mentor (accepted solution)

Re: IPSEC Tunnel PFS Groups need to match?

As RJI mentions, it should match/mirror on both sides. But it does not have to.

  • If the initiator does not have PFS configured, or has a smaller group than the responder, the connection will fail.
  • If the initiator has a group configured but the responder does not, or the responder has a smaller group configured, then the PFS group of the initiator is used.

That means the PFS group is negotiated, but only to the minimum that is configured on the responder side.
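The negotiation rule described in the reply above, modelled as an added example (this is not Cisco code and not from any poster; it only encodes the initiator/responder rule stated in the thread). "Smaller group" is interpreted as lower security strength, so the DH_GROUP_STRENGTH table carries approximate symmetric-equivalent strengths (NIST SP 800-57 style estimates, an assumption, not vendor figures) rather than raw group numbers, because a higher IKE group number is not always a stronger group. The audit_pair() check goes one step beyond the reply: it runs the rule in both directions, which is what a practitioner wants when "the tunnel is up" with mismatched groups, since the peer that initiates the next rekey may be the other one.

```python
"""Model of IPsec PFS (DH group) negotiation between two peers.

Added illustration of the rule from the forum reply above; not Cisco code.
Strength numbers are approximate NIST SP 800-57 equivalents (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Optional

# IKE DH group -> approximate symmetric-equivalent strength in bits (assumed values).
DH_GROUP_STRENGTH: Dict[int, int] = {
    1: 64,     # 768-bit MODP, obsolete
    2: 80,     # 1024-bit MODP, deprecated
    5: 90,     # 1536-bit MODP, deprecated
    14: 112,   # 2048-bit MODP
    15: 128,   # 3072-bit MODP
    16: 152,   # 4096-bit MODP
    19: 128,   # 256-bit ECP
    20: 192,   # 384-bit ECP
    21: 256,   # 521-bit ECP
    24: 112,   # 2048-bit MODP, 256-bit prime-order subgroup
}
MIN_ACCEPTABLE_BITS = 112  # groups below this are flagged as weak (policy assumption)


def strength(group: Optional[int]) -> int:
    """Strength of a configured group; None means PFS not configured (0 bits)."""
    if group is None:
        return 0
    if group not in DH_GROUP_STRENGTH:
        raise ValueError(f"unknown IKE DH group {group}")
    return DH_GROUP_STRENGTH[group]


def is_weak(group: Optional[int]) -> bool:
    """True when a configured group falls below the minimum strength policy."""
    return group is not None and strength(group) < MIN_ACCEPTABLE_BITS


@dataclass(frozen=True)
class Outcome:
    established: bool
    pfs_group: Optional[int]   # group actually used, None if no PFS or failed
    reason: str


def negotiate_pfs(initiator: Optional[int], responder: Optional[int]) -> Outcome:
    """Apply the rule from the thread: the responder's group is a floor,
    the initiator's group is what gets used when it meets that floor."""
    if initiator is None and responder is None:
        return Outcome(True, None, "neither side requires PFS; SA built without PFS")
    if initiator is None:
        return Outcome(False, None, "responder requires PFS, initiator proposed none")
    if responder is None:
        return Outcome(True, initiator, "responder has no PFS, accepts initiator's group")
    if strength(initiator) < strength(responder):
        return Outcome(False, None,
                       f"initiator group {initiator} weaker than responder group {responder}")
    return Outcome(True, initiator, f"initiator group {initiator} meets responder floor")


def audit_pair(peer_a: Optional[int], peer_b: Optional[int]) -> Dict[str, object]:
    """Check both initiation directions; a mismatch that only works one way
    will surface as a rekey failure whenever the other peer initiates."""
    a_init = negotiate_pfs(peer_a, peer_b)
    b_init = negotiate_pfs(peer_b, peer_a)
    return {
        "a_initiates": a_init,
        "b_initiates": b_init,
        "stable": a_init.established and b_init.established,
        "weak_config": is_weak(peer_a) or is_weak(peer_b),
    }


if __name__ == "__main__":
    # Constructed scenario: one peer on group14, the other on group2.
    for label, result in audit_pair(14, 2).items():
        print(f"{label}: {result}")
```

Run it with mismatched groups (14 versus 2 in the constructed scenario) and the two directions disagree: the group14 side can bring the tunnel up, the group2 side cannot, which is exactly the "up now, fails on the next rekey" situation behind "not sure if it causes problems". Matching groups on both peers, as RJI advises, makes the result stable and avoids the dependence on who initiates.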