593 Views | 0 Helpful | 2 Replies

IPSec Tunnel & DH Group Settings

markwitt (Level 1)

I have created a VPN IPSec tunnel between my Cisco ASA5515 and a Ubiquiti EdgeRouter Lite. I am passing three different subnets. Everything is working great, except that when I changed the DH group to 21 I can no longer access all three subnets.

If configured for 5 I get all three, configured for 19 I get two, and configured for 21 I can only access one.

Is there something I have missed? Does this make any sense?

Thanks,

Mark

2 Replies

balaji.bandi (Hall of Fame)

This looks odd the way you describe it; when the VPN is established, it should allow all the communication between the peers for the interesting traffic, not just for one subnet or so on.

Can you post the relevant config so we can understand this better?

BB

Hello,

Which encryption/authentication algorithms are you using? The general guideline is:

Diffie-Hellman groups 5, 14, 19, 20 --> use encryption or authentication algorithms with a 128-bit key

Diffie-Hellman group 21 or 24 --> use encryption or authentication algorithms with a 256-bit key or higher

That said, group 5 should be avoided as it is no longer considered secure.
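As an added illustration of the guideline in this reply (not configuration posted by either participant, and not taken from the original page), the following ASA-side IKEv2 site-to-site configuration picks every algorithm to match DH group 21: AES-256 for encryption, SHA-384 for integrity and PRF, and group 21 again for PFS on the crypto map, so the IKE SA, the IPsec SA and the PFS exchange all sit at the same strength. IKEv2 is assumed because the original post does not say which IKE version is in use; the peer address, subnets, object and map names, and the pre-shared key are constructed placeholders, and the commands are standard ASA 9.x syntax.

```text
! Added example (assumed), not the poster's configuration.
! Goal: one consistent strength level end to end when DH group 21 is chosen,
! following the "256-bit key or higher" guideline for groups 21 and 24.
crypto ikev2 enable outside

! IKE SA (phase 1): AES-256 + SHA-384 + group 21
crypto ikev2 policy 10
 encryption aes-256
 integrity sha384
 group 21
 prf sha384
 lifetime seconds 86400

! IPsec SA (phase 2): keep the same strength as the IKE SA
crypto ipsec ikev2 ipsec-proposal AES256-SHA384
 protocol esp encryption aes-256
 protocol esp integrity sha-384

! Three local subnets and one remote subnet (placeholder addresses)
object-group network LOCAL-NETS
 network-object 10.10.1.0 255.255.255.0
 network-object 10.10.2.0 255.255.255.0
 network-object 10.10.3.0 255.255.255.0
object network REMOTE-NET
 subnet 192.168.50.0 255.255.255.0

! Interesting traffic: each local subnet to the remote subnet
access-list VPN-EDGEROUTER extended permit ip object-group LOCAL-NETS object REMOTE-NET

! Crypto map: PFS uses the same group as the IKE policy
crypto map OUTSIDE-MAP 10 match address VPN-EDGEROUTER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA384
crypto map OUTSIDE-MAP 10 set pfs group21
crypto map OUTSIDE-MAP interface outside

! Peer authentication (placeholder PSK; use the same value on the EdgeRouter)
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <PSK-PLACEHOLDER>
```

Two things worth checking against a configuration like this: the ASA expands the object-group into one ACE per local subnet and negotiates a separate IPsec SA for each local/remote pair, so the peer's IKE and ESP proposals (DH group, PFS group, cipher and hash) have to be accepted for every one of those pairs, not just the first; and `show crypto ikev2 sa` and `show crypto ipsec sa` on the ASA show which SAs actually came up and with which algorithms, which is the quickest way to see whether a mismatch is at the IKE SA, the child SA or the PFS level.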
