Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5726
Views
30
Helpful
5
Replies

IPSEC Tunnel PFS Groups need to match?

Go to solution
CiscoBrownBelt
Level 6
Level 6

‎08-27-2019 01:08 PM - edited ‎02-21-2020 09:25 AM

In regards to IPSEC tunnels, is it best to match PFS groups on the peer devices?

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎08-27-2019 01:11 PM

Hi,
Yes, all attributes must match/mirror each other on the devices when establishing a VPN.
PFS is also optional.

HTH

View solution in original post

Go to solution
Karsten Iwen
VIP
VIP

‎08-28-2019 06:40 AM

As RJI mentions, it should match/mirror on both sides. But it does not have to.

  • If the initiator does not have PFS configured or a smaller group than the responder, the connection will fail.
  • If the initiator has a group configured but the responder does not, or the responder has a smaller group configured, then the PFS-group of the initiator is used.

That means the PFS group is negotiated, but only to the minimum that is configured on the responder side.

View solution in original post

5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎08-27-2019 01:11 PM

Hi,
Yes, all attributes must match/mirror each other on the devices when establishing a VPN.
PFS is also optional.

HTH

Go to solution
CiscoBrownBelt
Level 6
Level 6
In response to Rob Ingram

‎08-27-2019 01:13 PM

Tunnel is up with different PFS groups, however not sure if it causes problems.
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoBrownBelt

‎08-27-2019 01:14 PM

Hmmm, can you provide the output of "show crypto ipsec sa detail" from both devices?
0 Helpful

Go to solution
desktopAdmin
Level 1
Level 1
In response to CiscoBrownBelt

‎02-24-2022 06:44 AM

I had an issue with mismatched PFS settings yesterday......here's what happened in my case. Phase 1 and phase 2 completed and the tunnel was up. However, only the first device trying to send traffic through the tunnel was able to communicate. Communication from all other devices failed. It didn't matter which device was the first to initiate traffic, the device that initiated traffic was the only one that could communicate through the tunnel.......communication from all other devices would fail.

Go to solution
Karsten Iwen
VIP
VIP

‎08-28-2019 06:40 AM

As RJI mentions, it should match/mirror on both sides. But it does not have to.

  • If the initiator does not have PFS configured or a smaller group than the responder, the connection will fail.
  • If the initiator has a group configured but the responder does not, or the responder has a smaller group configured, then the PFS-group of the initiator is used.

That means the PFS group is negotiated, but only to the minimum that is configured on the responder side.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card