Missing DH group 2 / ipsec(DMVPN) command on C8200-1N-4T

Matsu1092
Level 1

Hi,

We want to create DMVPN tunnel by using C8200-1N-4T.
We have activated network and dna licenses, but when we try crypto commands, there is no choice for Diffie-Hellman group 2.

C8200 is currently showing below DH-group

Router(config-isakmp)#group ?

  14  Diffie-Hellman group 14 (2048 bit)

  15  Diffie-Hellman group 15 (3072 bit)

  16  Diffie-Hellman group 16 (4096 bit)

  19  Diffie-Hellman group 19 (256 bit ecp)

  20  Diffie-Hellman group 20 (384 bit ecp)

  21  Diffie-Hellman group 21 (521 bit ecp)

Our DMVPN hub is using DH group 2, so I guess we need to figure out how to activate DH group 2 on C8200.

Is there something I'm missing?


4 Replies

I think new Cisco devices don't support DH group 2 anymore.
You need to configure the Hub to accept the DH group list in your spoke.

MHM

Hi MHM,

Thanks for the info.

So when accepting a new DH group on the hub, will adding another ISAKMP policy work?
Or do we need to add the DH group to the existing ISAKMP policy?

<example>
■ Current config
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

■ What we want to do
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 14

Yes, you can configure multiple ISAKMP policies on the Hub. Spokes with DH 14 will accept the second one, and other spokes running old DH 2 will accept the first policy.

MHM
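As an added example (not the poster's or MHM's configuration) of the two-policy approach in the accepted answer, here is the hub side with the legacy group 2 policy kept and a group 14 policy added, the C8200 spoke side with a single group 14 policy, and the show commands that confirm which policy was negotiated. The pre-shared key, the hub address 203.0.113.1 and the `hash sha256` setting are assumptions for illustration; everything else is standard IOS/IOS XE ISAKMP syntax.

```cisco
! ---------- Hub: keep the legacy policy, add a modern one ----------
! Policy numbers are priorities: the hub evaluates policy 1 before policy 2.
! Every attribute of a policy (encryption, hash, authentication, DH group,
! lifetime) must match what a spoke proposes, not only the DH group.
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes
 hash sha256
 authentication pre-share
 group 14
!
! Wildcard pre-shared key for all spokes (key value is an assumed placeholder)
crypto isakmp key DMVPN-PSK-EXAMPLE address 0.0.0.0

! ---------- C8200 spoke: only a group 14 policy, as the platform offers no group 2 ----------
crypto isakmp policy 10
 encr aes
 hash sha256
 authentication pre-share
 group 14
!
! Hub public address is an assumed placeholder
crypto isakmp key DMVPN-PSK-EXAMPLE address 203.0.113.1

! ---------- Verification, on either side ----------
! Lists the configured policies in priority order
show crypto isakmp policy
! Shows the Phase 1 SA and the DH group, cipher and hash actually negotiated
show crypto isakmp sa detail
! Confirms the NHRP/tunnel state once the SA is up
show dmvpn
! A spoke stuck in MM_NO_STATE under "show crypto isakmp sa" usually means no
! policy matched; "debug crypto isakmp" on the hub then reports the attribute
! that failed ("atts are not acceptable").
```

The hub evaluates its policies in priority order against what the initiating spoke proposes, so the legacy spokes keep matching policy 1 while the C8200 can only match policy 2. Keeping policy 1 means the old spokes still negotiate a 1024-bit MODP group; the two-policy setup is a migration aid, and policy 1 should be removed once the last group 2 spoke is upgraded. If the hub is an ASA rather than an IOS router, the command syntax differs, but the idea of parallel IKEv1 policies is the same.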

hunnymonster
Level 1

DH group 2 has been deprecated since 7.0 (possibly 6.7) along with IKEv1, since it is hideously insecure. You really need to look at the hub to see if it can accept a modern IKEv2 configuration with modern DH groups (19, 20, 21, 31, ...) [not all Cisco kit can do DH 31 yet, but some already can].
