I am creating a VPN with another router and for some reason PFS is not being enabled from my end. Here's my crypto config:
crypto isakmp policy 10
encr des
hash md5
authentication pre-share
!
crypto isakmp key ABC123456 address 20.30.40.50
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
mode tunnel
!
!
crypto map map1 30 ipsec-isakmp
set peer 20.30.40.50
set transform-set des-md5
set pfs group2
match address SECRET_STUFF
Here's the output of sh crypto ipsec sa:
protected vrf: (none)
local ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 20.30.40.50 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 821, #recv errors 0
local crypto endpt.: 1.2.3.4, remote crypto endpt.: 20.30.40.50
plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none <<<
And here's sh crypto map:
Crypto Map IPv4 "map1" 30 ipsec-isakmp
Peer = 20.30.40.50
Extended IP access list VPN_TRAFFIC
access-list SECRET_STUFF permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y <<<
DH group: group2
Mixed-mode : Disabled
Transform sets={
des-md5: { esp-des esp-md5-hmac } ,
}
Interfaces using crypto map map1:
Vlan3
What am I doing wrong here? I also get the following error in the logs:
*May 9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.2.3.4 remote 20.30.40.50)
Phase 1 encr, hash and group have been double-checked on both sides. They match.
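As an added example (not from the post and not a Cisco tool), a small Python checker that parses the two show outputs above and reports what they imply together; the function names and the trimmed sample text are assumptions of mine.

```python
import re

# Sample input: lines copied from the two show outputs pasted in the post, trimmed to the
# fields this check reads. Real output contains more fields; the regexes ignore them.
CRYPTO_MAP = """Crypto Map IPv4 "map1" 30 ipsec-isakmp
PFS (Y/N): Y
DH group: group2
Transform sets={
des-md5: { esp-des esp-md5-hmac } ,
}"""
IPSEC_SA = """#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#send errors 821, #recv errors 0
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none"""

def field(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)  # first capture group, or None if absent
    return m.group(1) if m else None

def parse_crypto_map(text):
    """Configured (intended) Phase 2 policy from 'show crypto map'."""
    return {"pfs": field(r"^PFS \(Y/N\): (\w)", text) == "Y",
            "dh_group": field(r"^DH group: (\S+)", text),
            "transforms": re.findall(r"\{ ([^}]+?) \}", text)}

def parse_ipsec_sa(text):
    """Negotiated (actual) state from 'show crypto ipsec sa'."""
    return {"pfs": field(r"PFS \(Y/N\): (\w)", text) == "Y",
            "outbound_spi": int(field(r"current outbound spi: 0x([0-9a-fA-F]+)", text), 16),
            "encaps": int(field(r"#pkts encaps: (\d+)", text)),
            "send_errors": int(field(r"#send errors (\d+)", text))}

def diagnose(cm, sa):
    """Explain the disagreement between the crypto map and the SA output."""
    findings = []
    if sa["outbound_spi"] == 0:
        findings.append("no Phase 2 SA exists (outbound SPI 0x0): the SA's 'PFS: N, DH group: none' "
                        "describes an absent SA, not the local crypto map")
    if cm["pfs"] and not sa["pfs"]:
        findings.append(f"PFS {cm['dh_group']} and transform set {cm['transforms']} are configured "
                        "locally; 'phase 2 SA policy not acceptable' means the two sides' Phase 2 "
                        "proposals (transform set, PFS group, proxy ACL) do not match")
    if sa["encaps"] == 0 and sa["send_errors"] > 0:
        findings.append(f"{sa['send_errors']} send errors with 0 packets encapsulated: interesting "
                        "traffic is being dropped while negotiation keeps failing")
    if any(t in " ".join(cm["transforms"]) for t in ("esp-des", "esp-md5-hmac")):
        findings.append("transform set uses DES/MD5, which are deprecated; prefer AES/SHA-2 once the tunnel is up")
    return findings
```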