I configured IKEv2 on a Cisco router to a Palo Alto but need to remove PFS from the config

jomo frank
Level 1

Hello Support,

 

I configured my Cisco 892 router to do IPsec VPN using IKEv2, but the Palo Alto at the third party is not using PFS. How can I remove PFS from the configuration and just include set group20?

 

crypto map vpn 10 ipsec-isakmp
set peer 1.1.1.1 --> Palo Alto VPN Peer
set transform-set tset
set pfs group20
set ikev2-profile BOG_TEST
match address vpn

 

Regards

 

 


3 Replies

johnlloyd_13
Level 9

hi,

Are you referring to keeping 'group 20' in the IKEv2 policy/proposal? Can you post a 'show run | sec crypto' output?

To remove 'group 20' in the crypto map, just use a 'no' to negate the line.

crypto map vpn 10
 no set pfs group20

 

Make sure you have 'group 20' in one of your IKEv2 proposals. Example below:

 

crypto ikev2 proposal <PROPOSAL NAME>
encryption aes-cbc-128
integrity sha1
group 20

 

Hello John,

 

I have group 14 in my IKEv2 proposal.

So you are saying that once I have this configured in my proposal, I could negate it without any problems?

I am new to IKEv2, hence I am unsure if I could leave the group 14 line in the crypto map.

 

 

Regards

johnlloyd_13
Level 9

hi,

make sure both the 892 router and PA FW have identical IKEv2 phase 1 and phase 2 policies to build the IPSec SA.

can you post a 'show run | sec crypto' output to verify?
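As an added example (not from the thread, Cisco or Palo Alto), a small Python checker that parses a 'show run | sec crypto' output in the shape of the config posted above and reports crypto map entries whose PFS setting cannot agree with the peer, which is the phase 2 mismatch both replies point at; it also collects the DH groups in each IKEv2 proposal so they can be compared with the peer's phase 1 policy. The sample config text is constructed, and the proposal name PROP1 is an assumption.

```python
import re
# Constructed 'show run | sec crypto' sample for the thread's 892 router: the names
# tset, BOG_TEST, 'vpn' and peer 1.1.1.1 come from the post, everything else is made up.
SAMPLE_SHOW_RUN = """\
crypto ikev2 proposal PROP1
 encryption aes-cbc-128
 integrity sha1
 group 14
crypto ipsec transform-set tset esp-aes esp-sha-hmac
crypto map vpn 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set tset
 set pfs group20
 set ikev2-profile BOG_TEST
 match address vpn
"""

def parse_crypto_config(text):
    """Pull IKEv2 proposal DH groups and crypto-map PFS settings out of IOS config text.
    Returns {'proposals': {name: [group, ...]}, 'maps': {(name, seq): pfs_group or None}}."""
    proposals, maps, current = {}, {}, None
    for line in text.splitlines():
        if not line.startswith(' '):  # top-level command: start a new section
            prop = re.match(r'crypto ikev2 proposal (\S+)$', line)
            cmap = re.match(r'crypto map (\S+) (\d+) ipsec-isakmp$', line)
            if prop:
                current = ('proposal', prop.group(1)); proposals[current[1]] = []
            elif cmap:
                current = ('map', (cmap.group(1), int(cmap.group(2)))); maps[current[1]] = None
            else:
                current = None
            continue
        sub = line.strip()  # indented line belonging to the current section
        if current and current[0] == 'proposal' and sub.startswith('group '):
            proposals[current[1]].extend(sub.split()[1:])  # 'group 14 20' lists several groups
        elif current and current[0] == 'map' and sub.startswith('set pfs'):
            parts = sub.split()
            maps[current[1]] = parts[2] if len(parts) > 2 else 'default'
    return {'proposals': proposals, 'maps': maps}

def pfs_findings(parsed, peer_uses_pfs):
    """List crypto-map entries whose PFS setting cannot agree with the peer; either side
    proposing PFS while the other rejects it makes the phase 2 (child SA) negotiation fail."""
    findings = []
    for (name, seq), pfs in parsed['maps'].items():
        if pfs and not peer_uses_pfs:
            findings.append(f"crypto map {name} {seq}: 'set pfs {pfs}' but peer has PFS off; fix with 'no set pfs'")
        elif not pfs and peer_uses_pfs:
            findings.append(f"crypto map {name} {seq}: PFS not set but the peer requires it")
    return findings
```

Run it against the real 'show run | sec crypto' output with peer_uses_pfs set to what the Palo Alto side actually has configured; an empty findings list means the PFS setting is consistent on both ends.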