Cisco CSR1000V IPSec Profile PFS not set

David Rollins
Level 1

I have configured a FlexVPN in my lab for use in production, on virtual CSR1000Vs. I have PFS set in the IPsec profile, but I am not seeing it in use. Any thoughts why that may be? I even changed the default IPsec profile to see if it would have any effect.


Here is my config:

aaa authorization network FLEXVPN_LOCAL local
!
aaa session-id common
!
crypto ikev2 authorization policy IKEV2_AUTH
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption aes-cbc-256
integrity sha512
group 21
!
crypto ikev2 policy IKEV2-POLICY
proposal IKEV2-PROPOSAL
!
crypto pki certificate map CERT_MAP 5
issuer-name co pki-server
!
crypto ikev2 profile IKEV2-PROFILE
match certificate CERT_MAP
identity local fqdn remote1.homelab.com
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint pki-trust
dpd 10 3 periodic
aaa authorization group cert list FLEXVPN_LOCAL IKEV2_AUTH
!
crypto ipsec transform-set IPSEC-TRANS esp-aes 256 esp-sha512-hmac
mode tunnel
!
crypto ipsec profile IPSEC-PROFILE
set transform-set IPSEC-TRANS
set pfs group21
set ikev2-profile IKEV2-PROFILE
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source GigabitEthernet2
tunnel destination 172.17.1.2
tunnel path-mtu-discovery
tunnel protection ipsec profile IPSEC-PROFILE
service-policy output tunnel


Here is an output of show commands:

#sh crypto ipsec sa

interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.17.1.2

protected vrf: (none)
local ident (addr/mask/prot/port): (172.17.1.2/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.17.1.1/255.255.255.255/47/0)
current_peer 172.17.1.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 373, #pkts encrypt: 373, #pkts digest: 373
#pkts decaps: 374, #pkts decrypt: 374, #pkts verify: 374
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.17.1.2, remote crypto endpt.: 172.17.1.1
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet2
current outbound spi: 0x873CA09B(2268897435)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE4CBD56(239910230)
transform: esp-256-aes esp-sha512-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: CSR:16, sibling_flags FFFFFFFF80000048, crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec): (4607935/2371)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)


#sh crypto ipsec profile
IPSEC profile IPSEC-PROFILE
IKEv2 Profile: IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
IPSEC-TRANS: { esp-256-aes esp-sha512-hmac } ,
}

IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
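An added example, not part of the original post: a small Python checker that parses the two show outputs quoted above and compares the PFS/DH state of the live SA with what the IPsec profile asks for. The point it encodes comes from RFC 7296: the first Child SA is created inside the IKE_AUTH exchange with no Diffie-Hellman exchange of its own (its keys come from the IKE SA's SK_d), so the group set with `set pfs` can only appear on a Child SA that was created or rekeyed through CREATE_CHILD_SA. The script therefore separates three cases: the profile has no PFS, the SA negotiated a different group than the profile, or the profile wants PFS but the SA shows none, which is what an initial, not-yet-rekeyed Child SA looks like. It cannot tell from the output alone whether the poster's SA is that initial one; that is an assumption to verify by re-running `show crypto ipsec sa` after the SA rekeys, and the script reports how many seconds remain until then. The sample inputs are trimmed copies of the post's own output, embedded so the script runs offline; no device is contacted.

```python
import re

# Constructed sample inputs: trimmed copies of the "show crypto ipsec sa" and
# "show crypto ipsec profile" output pasted in the post above.
SHOW_IPSEC_SA = """\
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 172.17.1.2
current outbound spi: 0x873CA09B(2268897435)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xE4CBD56(239910230)
transform: esp-256-aes esp-sha512-hmac ,
sa timing: remaining key lifetime (k/sec): (4607935/2371)
Status: ACTIVE(ACTIVE)
"""

SHOW_IPSEC_PROFILE = """\
IPSEC profile IPSEC-PROFILE
IKEv2 Profile: IKEV2-PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
IPSEC-TRANS: { esp-256-aes esp-sha512-hmac } ,
}

IPSEC profile default
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group21
Mixed-mode : Disabled
Transform sets={
default: { esp-aes esp-sha-hmac } ,
}
"""


def parse_ipsec_sa(text):
    """Pull the PFS flag, DH group and remaining lifetime out of one SA block."""
    pfs = re.search(r"PFS \(Y/N\):\s*([YN]),\s*DH group:\s*(\S+)", text)
    timing = re.search(r"remaining key lifetime \(k/sec\):\s*\((\d+)/(\d+)\)", text)
    if not pfs or not timing:
        raise ValueError("not a recognisable 'show crypto ipsec sa' block")
    return {
        "pfs": pfs.group(1) == "Y",
        "dh_group": pfs.group(2),
        "remaining_kb": int(timing.group(1)),
        "remaining_sec": int(timing.group(2)),
    }


def parse_ipsec_profiles(text):
    """Return {profile name: settings} for every profile in the show output."""
    profiles = {}
    for block in re.split(r"\n(?=IPSEC profile )", text.strip()):
        name = re.match(r"IPSEC profile (\S+)", block).group(1)
        life = re.search(r"lifetime:\s*(\d+) kilobytes/(\d+) seconds", block)
        pfs = re.search(r"PFS \(Y/N\):\s*([YN])\b", block).group(1) == "Y"
        dh = re.search(r"DH group:\s*(\S+)", block)  # absent when PFS is N
        profiles[name] = {
            "pfs": pfs,
            "dh_group": dh.group(1) if dh else None,
            "lifetime_kb": int(life.group(1)),
            "lifetime_sec": int(life.group(2)),
        }
    return profiles


def assess(sa, profile):
    """Compare the live SA with its profile and return a verdict dict."""
    result = {
        "sa_age_sec": profile["lifetime_sec"] - sa["remaining_sec"],
        "profile_pfs": profile["pfs"],
        "sa_pfs": sa["pfs"],
    }
    if not profile["pfs"]:
        result["verdict"] = "pfs-not-configured"
    elif sa["pfs"] and sa["dh_group"] == profile["dh_group"]:
        result["verdict"] = "ok"
    elif sa["pfs"]:
        result["verdict"] = "group-mismatch"
    else:
        # Profile asks for PFS but the live SA shows none. Per RFC 7296 the first
        # Child SA is created in IKE_AUTH without a DH exchange, so this is what an
        # initial, un-rekeyed Child SA looks like. The output alone cannot prove
        # that is the case here (assumption); re-check after the next rekey.
        result["verdict"] = "pending-rekey"
        result["recheck_after_sec"] = sa["remaining_sec"]
    return result


if __name__ == "__main__":
    sa = parse_ipsec_sa(SHOW_IPSEC_SA)
    profiles = parse_ipsec_profiles(SHOW_IPSEC_PROFILE)
    print(assess(sa, profiles["IPSEC-PROFILE"]))
```

Run it as-is to see the verdict for the pasted output; to check a real box, paste fresh output into the two strings (or read them from files) and look for `ok` after at least one rekey has happened.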
