IPsec PFS not working

Frank Sinatra
Level 1

I am creating a VPN with another router and for some reason PFS is not being enabled from my end. Here's my crypto config:

crypto isakmp policy 10
 encr des
 hash md5
 authentication pre-share
!
crypto isakmp key ABC123456 address 20.30.40.50
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 20
!
!
crypto ipsec transform-set des-md5 esp-des esp-md5-hmac
 mode tunnel
!
!
crypto map map1 30 ipsec-isakmp
 set peer 20.30.40.50
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF

Here's the output of sh crypto ipsec sa:

protected vrf: (none)
local  ident (addr/mask/prot/port): (10.10.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.10.20.0/255.255.255.0/0/0)
current_peer 20.30.40.50 port 500
 PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 821, #recv errors 0

 local crypto endpt.: 1.2.3.4, remote crypto endpt.: 20.30.40.50
 plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb Vlan10
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none <<<

And here's sh crypto map:

Crypto Map IPv4 "map1" 30 ipsec-isakmp
        Peer = 20.30.40.50
        Extended IP access list VPN_TRAFFIC
            access-list SECRET_STUFF permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
        Security association lifetime: 4608000 kilobytes/3600 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y <<<
        DH group:  group2
        Mixed-mode : Disabled
        Transform sets={
                des-md5:  { esp-des esp-md5-hmac  } ,
        }
        Interfaces using crypto map map1:
                Vlan3

What am I doing wrong here? I also get the following error in the logs:

*May  9 01:52:29.850: ISAKMP:(2046): phase 2 SA policy not acceptable! (local 1.2.3.4 remote 20.30.40.50)

Both Phase 1 encr, hash and group are double checked on both sides. They match.

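An added check, written for this thread and not taken from the original post or from Cisco: a small Python script that parses the crypto map entry and the `show crypto ipsec sa` excerpt above and reports why the PFS column can read N. The sample input is the poster's own config and output, trimmed to the lines the check needs; the parsing is limited to those fields and is an assumption about the show-command layout.

```python
import re

# Constructed sample: the poster's crypto map entry, verbatim.
CRYPTO_MAP_CFG = """\
crypto map map1 30 ipsec-isakmp
 set peer 20.30.40.50
 set transform-set des-md5
 set pfs group2
 match address SECRET_STUFF
"""

# Constructed sample: the relevant lines of the poster's "show crypto ipsec sa".
IPSEC_SA_OUTPUT = """\
current_peer 20.30.40.50 port 500
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#send errors 821, #recv errors 0
 current outbound spi: 0x0(0)
 PFS (Y/N): N, DH group: none <<<
"""

def parse_crypto_map(cfg):
    """Pull peer, transform set and PFS group out of one crypto map entry."""
    m = {'peer': None, 'transform_set': None, 'pfs': None}
    for line in cfg.splitlines():
        tok = line.split()
        if tok[:2] == ['set', 'peer']: m['peer'] = tok[2]
        elif tok[:2] == ['set', 'transform-set']: m['transform_set'] = tok[2]
        elif tok[:2] == ['set', 'pfs']: m['pfs'] = tok[2]
    return m

def parse_ipsec_sa(output):
    """Extract SPI, counters and the negotiated PFS/DH fields from the SA output."""
    grab = lambda pat, conv=int, default=0: (conv(re.search(pat, output).group(1))
                                             if re.search(pat, output) else default)
    pfs = re.search(r'PFS \(Y/N\): (Y|N), DH group: (\S+)', output)
    return {'outbound_spi': grab(r'current outbound spi: 0x([0-9A-Fa-f]+)', lambda s: int(s, 16)),
            'encaps': grab(r'#pkts encaps: (\d+)'),
            'send_errors': grab(r'#send errors (\d+)'),
            'pfs': bool(pfs and pfs.group(1) == 'Y'),
            'dh_group': pfs.group(2) if pfs else 'none'}

def diagnose(cfg, output):
    """Return findings that explain a 'PFS: N' reading; an empty list means nothing to flag."""
    m, sa, findings = parse_crypto_map(cfg), parse_ipsec_sa(output), []
    if sa['outbound_spi'] == 0:
        findings.append('no IPsec SA established (outbound SPI 0x0): the PFS/DH fields show no negotiated values yet')
    if m['pfs'] and not sa['pfs']:
        findings.append(f"crypto map sets pfs {m['pfs']} but the SA reports PFS N / DH {sa['dh_group']}")
    if sa['send_errors'] and sa['encaps'] == 0:
        findings.append(f"{sa['send_errors']} send errors with 0 packets encapsulated: traffic matches the map but no SA protects it")
    return findings
```

With the poster's output this yields three findings, all pointing at Phase 2 never completing rather than at PFS being silently dropped from the crypto map.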
1 Reply

balaji.bandi
Hall of Fame

Can you please let us know the environment? Device models, and the version of IOS you are running.

How about the device on the other side? ASA or Checkpoint? If possible, can you post the config from both sides for review, please.

BB
