FPR-2110, ASDM 7.14(1) , ASA 9.14(3) , IKEv1 Group-14 usable for PFS?

JVD66
Level 1

Good day -

I am trying to configure an FPR-2110 to follow instructions on connecting to an APN gateway, which specifies to use a VTI IPSEC with IKEv1 pre-shared key only, with PFS enabled, DH-Group-21 initially, which they kindly changed to DH-Group-14 for us. But now I find that, though I can select "Enable Perfect Forwarding Secrecy" on the Configuration -> Site-To-Site VPN -> Advanced -> Crypto Maps -> Edit tab, with DH-Group 21 or 14 being selectable, attempts to select DH-Group 21 or 14 on that tab are ignored -- when I go to the Configuration -> Site-To-Site VPN -> Connection Profiles -> Edit Connection Profile -> Advanced -> Crypto Maps tab, the only choices are Diffie-Hellman Groups: { 2, 5, 15, 16 }, with Group 5 selected by default, and if I change anything in the Connection Profile and save it, any PFS DH-Group setting gets reset to 5.

So far, I've of course not been able to get the router to negotiate IKEv1 Phase 1 successfully with the gateway, probably for this reason: our PFS DH-Group-{14,21} settings made in the Connection Profile, and in the IPSEC Profile in use, where we also select PFS Group-14, are not being honored, and only the Group 5 setting in the Crypto Maps entry, which only allows Groups { 2, 5, 15, 16 } to be used, takes effect.

Please, can anyone suggest a way of getting our FPR-2110 to use either DH-Group-21 or DH-Group-14 with IKEv1 only, using ASDM 7.14(1)? Or is this just not possible?

Thanks & Best Regards,
Jason Vas Dias, SW & Sys Eng., Ireland

17 Replies

JVD66
Level 1

Yes, we are using a totally different config now for IKEv2 - we are using DH-group21 for PFS.
We could not get IKEv1 working with or without PFS enabled, on ANY DH-group.

Yes, using PFS DH 21 is the same on both peers?

JVD66
Level 1

Yes, of course.
The IKEv2-only profile worked WITHOUT PFS, even though the remote peer had specified PFS group21, and it works with PFS on group21.
The IKEv1-only profile could not be made to work at all, with or without PFS, despite over an hour's trying by a CISCO expert.
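As an added illustration of the configuration the thread ends up with (IKEv2 over a VTI with PFS on DH group 21), here is an ASA CLI equivalent; it is not the poster's configuration and not Cisco-supplied. The peer address, the tunnel /30, the pre-shared key and the object names are placeholders; on a VTI the PFS group is taken from the IPsec profile rather than a crypto map, which is why the Connection Profile crypto-map list in ASDM does not govern it.

```cisco
! Added example (not the poster's config): IKEv2 site-to-site VTI on ASA 9.14
! with PFS on DH group 21. PEER_IP, the 169.254.100.0/30 link and the PSK are placeholders.
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 21
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
!
! A VTI is protected by this profile, not by a crypto map, so the PFS group
! for the child SA is configured here.
crypto ipsec profile VTI-APN
 set ikev2 ipsec-proposal AES-GCM-256
 set pfs group21
 set security-association lifetime seconds 3600
!
! For a pre-shared-key L2L peer the tunnel-group name is the peer address.
tunnel-group PEER_IP type ipsec-l2l
tunnel-group PEER_IP ipsec-attributes
 ikev2 remote-authentication pre-shared-key PLACEHOLDER_PSK
 ikev2 local-authentication pre-shared-key PLACEHOLDER_PSK
!
interface Tunnel1
 nameif vti-apn
 ip address 169.254.100.1 255.255.255.252
 tunnel source interface outside
 tunnel destination PEER_IP
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-APN
!
! Verification: the IKE SA shows the negotiated DH group, and the IPsec SA
! output carries a "PFS (Y/N)" line naming the PFS group actually in use.
! show crypto ikev2 sa
! show crypto ipsec sa
```

Both peers must agree on the PFS group; if the remote side still proposes group 21 while the local profile has none or a different group, the child SA fails to rekey even when the IKE SA comes up.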
