03-06-2024 01:59 AM
There are many crypto ikev2 policies.
In phase 1, 'D/H Group 2' needs to be changed to 'D/H Group 14'.
How do I change it?
- phase 1, D/H Group 2 => D/H Group 14
[VPN Connection]
phase 1(ikev2) - D/H Group : 2
phase 2 (ipsec) - PFS Group : 2
[asa config]
crypto ikev2 policy 50
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
 lifetime seconds 28800
crypto ikev2 policy 60
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto map outside_map 80 set pfs => group 2 (Default)
03-06-2024 02:08 AM
What you did is correct; you change DH under the ikev2 policy and change PFS with its group in the crypto map set.
MHM
03-06-2024 08:16 PM
Thank you for your quick reply.
If I change crypto map : set pfs group14, will it change phase 1 (D/H Group : 2 => 14)?
03-06-2024 10:40 PM
I ran a lab for you, friend, to be sure that your config is correct.
Take a look.
MHM
03-07-2024 01:16 AM
There is no group 14 in crypto ikev2 policy.
Add a new policy?
-------------------
crypto ikev2 policy 20
 encryption des
 integrity md5
 group 14
 prf sha
 lifetime seconds 86400
03-07-2024 01:31 AM
There is no conflict between the group of phase 2 and phase 1.
I corrected the lab to make the ikev2 policy (phase 1) group 14 and the ikev2 ipsec pfs (phase 2) group 2.
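An added example, not part of the thread or any poster's code: a small Python audit that parses `crypto ikev2 policy` blocks like the ones pasted above and lists, per policy priority, any DH group below 14 and any DES/MD5 use. The threshold of 14 is the thread's target; the weak-algorithm set, the function names and the abridged sample config are assumptions of this example.

```python
import re

# Constructed sample, abridged from the policies quoted in the thread.
SAMPLE_CONFIG = """\
crypto ikev2 policy 50
 encryption aes-256
 integrity sha256
 group 2
 prf sha256
crypto ikev2 policy 60
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
crypto ikev2 policy 20
 encryption des
 integrity md5
 group 14
 prf sha
crypto map outside_map 80 set pfs
"""

MIN_DH_GROUP = 14                     # target stated in the thread
WEAK_ALGS = {"des", "3des", "md5"}    # assumption: local audit policy
SUBCOMMANDS = {"encryption", "integrity", "group", "prf", "lifetime"}

def parse_ikev2_policies(config):
    """Return {priority: {subcommand: [values]}} for each ikev2 policy."""
    policies, current = {}, None
    for line in config.splitlines():
        key, *values = line.split() or [""]
        header = re.fullmatch(r"\s*crypto ikev2 policy (\d+)\s*", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and key in SUBCOMMANDS:
            current[key] = values     # one line may list several values
        elif key:
            current = None            # any other command ends the block
    return policies

def audit(policies):  # -> [(priority, findings)], ascending priority number
    report = []
    for prio, p in sorted(policies.items()):
        findings = [f"group {g}" for g in p.get("group", [])
                    if g.isdigit() and int(g) < MIN_DH_GROUP]
        findings += [f"{k} {v}" for k in ("encryption", "integrity")
                     for v in p.get(k, []) if v in WEAK_ALGS]
        report.append((prio, findings))
    return report
```

Calling `audit(parse_ikev2_policies(text))` on a saved running-config returns one entry per policy, with an empty findings list for policies that meet the threshold.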