Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2348
Views
5
Helpful
5
Replies

Missing DH group 2 / ipsec(DMVPN) command on C8200-1N-4T

Go to solution
Matsu1092
Level 1
Level 1

‎03-22-2024 01:50 AM

Hi,

We want to create DMVPN tunnel by using C8200-1N-4T.
We have activated network and dna licenses, but when we try crypto commands, there is no choice for Diffie-Hellman group 2.

C8200 is currently showing below DH-group

Router(config-isakmp)#group ?

  14  Diffie-Hellman group 14 (2048 bit)

  15  Diffie-Hellman group 15 (3072 bit)

  16  Diffie-Hellman group 16 (4096 bit)

  19  Diffie-Hellman group 19 (256 bit ecp)

  20  Diffie-Hellman group 20 (384 bit ecp)

  21  Diffie-Hellman group 21 (521 bit ecp)

Our DMVPN hub is using DH group 2, so I guess we need to figure out how to activate DH group 2 on C8200.

Is there something I'm missing?

1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to Matsu1092

‎03-22-2024 02:47 AM

Yes you can config multi ISAKMP policies in Hub and Spoke with DH 14 will accept the second one and other spokes run old DH 2 will accept the first policy 

MHM

View solution in original post

5 Replies 5

Go to solution
MHM Cisco World
VIP
VIP

‎03-22-2024 02:27 AM

I think new Cisco Device not support DH group 2 anymore 
you need to config Hub to accept DH group list in your spoke 

MHM

0 Helpful

Go to solution
Matsu1092
Level 1
Level 1
In response to MHM Cisco World

‎03-22-2024 02:44 AM

Hi MHM,

Thanks for the info.

So when accepting new dh group on the hub,  will adding another isakmp policy works?
Or do we need to add dh group on the exisiting isakmp policy?

<example>
■Current config
 crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2

■What we want to do
crypto isakmp policy 1
encr aes
authentication pre-share
group 2

crypto isakmp policy 2
encr aes
authentication pre-share
group 14

Go to solution
MHM Cisco World
VIP
VIP
In response to Matsu1092

‎03-22-2024 02:47 AM

Yes you can config multi ISAKMP policies in Hub and Spoke with DH 14 will accept the second one and other spokes run old DH 2 will accept the first policy 

MHM

Go to solution
hunnymonster
Level 1
Level 1

‎03-22-2024 02:44 AM

dh group 2 has been deprecated since 7.0 (possibly 6.7) along with IKEv1 - since it is hideously insecure. You really need to look at the hub to see if that can accept a modern IKEv2 configuration with modern dh groups (19,20,21,31,...) [not all Cisco kit can yet do dh31, but some can already]

Go to solution
uthayakumar-rengasamy
Level 1
Level 1

‎03-07-2025 05:04 PM

Device(config)#crypto engine compliance shield disable

This will enable lower encryption method

0 Helpful
Customers Also Viewed These Support Documents