

IPsec PFS not working

I am creating a VPN with another router and for some reason PFS is not being enabled from my end. Here's my crypto config:


crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
crypto isakmp key ABC123456 address
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
 mode tunnel
crypto map map1 30 ipsec-isakmp
 set peer
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF



Here's the output of sh crypto ipsec sa:



protected vrf: (none)
local  ident (addr/mask/prot/port): (
remote ident (addr/mask/prot/port): (
current_peer port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 821, #recv errors 0

 local crypto endpt.:, remote crypto endpt.:
 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none <<<


And here's sh crypto map:



Crypto Map IPv4 "map1" 30 ipsec-isakmp
        Peer =
        Extended IP access list VPN_TRAFFIC
            access-list SECRET_STUFF permit ip
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y <<<
        DH group:  group2
        Mixed-mode : Disabled
        Transform sets={
                des-md5:  { esp-des esp-md5-hmac  } ,
        Interfaces using crypto map map1:


What am I doing wrong here? I also get the following error in the logs:


*May  9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable! (local remote

Both Phase 1 encr, hash and group are double-checked on both sides. They match.
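As an added example (not from this thread), a small Python check that reads the three artifacts posted above and tells an SA that was negotiated without PFS apart from the case where no phase 2 SA exists at all; the sample strings are constructed from the posted output, and the outbound SPI of 0x0 with zero encaps is the cue that nothing was ever negotiated.

```python
import re

# Constructed from the posted crypto map, "sh crypto ipsec sa" and syslog excerpts.
CRYPTO_MAP_CONFIG = """\
crypto map map1 30 ipsec-isakmp
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF
"""
IPSEC_SA_OUTPUT = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#send errors 821, #recv errors 0
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none
"""
SYSLOG = "*May  9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable!"

def configured_pfs(config):
    """PFS group from a 'set pfs <group>' line in the crypto map entry, or None."""
    m = re.search(r"^\s*set pfs (\S+)", config, re.M)
    return m.group(1) if m else None

def parse_sa(output):
    """Fields that show whether a phase 2 SA exists and what it negotiated."""
    def num(pattern):
        m = re.search(pattern, output)
        return int(m.group(1)) if m else 0
    spi = re.search(r"current outbound spi: (0x[0-9a-fA-F]+)", output)
    pfs = re.search(r"PFS \(Y/N\): ([YN]), DH group: (\S+)", output)
    return {
        "encaps": num(r"#pkts encaps: (\d+)"),
        "send_errors": num(r"#send errors (\d+)"),
        "outbound_spi": int(spi.group(1), 16) if spi else 0,
        "pfs": bool(pfs) and pfs.group(1) == "Y",
        "dh_group": pfs.group(2) if pfs else "none",
    }

def diagnose(config, sa_output, syslog):
    """Tell 'SA built without PFS' apart from 'no phase 2 SA at all'."""
    want = configured_pfs(config)
    sa = parse_sa(sa_output)
    if sa["outbound_spi"] == 0 and sa["encaps"] == 0:
        # SPI 0x0 with zero encaps means no SA was ever built; "PFS: N" is the empty state.
        if "phase 2 SA policy not acceptable" in syslog:
            return ("no-phase2-sa: quick mode proposal rejected; compare PFS %s, "
                    "transform set and proxy ACL with the peer" % want)
        return "no-phase2-sa: quick mode never completed or no traffic matched"
    if want and not sa["pfs"]:
        return "sa-without-pfs: configured %s, negotiated %s" % (want, sa["dh_group"])
    return "ok"
```

Run against the posted output it reports the first branch, which is the state to compare with the peer's quick mode settings rather than a PFS bug on this end.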


VIP Advisor

Re: IPsec PFS not working

Can you please let us know the environment? Device models, and the version of IOS you are running.


How about the other side's device? ASA or Checkpoint? If possible, can you please post both sides' configs to review?

*** Rate All Helpful Responses ***