Yes it does support , depends on what IOS-XE version you are running . I have CSR1000v on IOS-XE 16.06.04 and it does support PFS - DH group16 for phase 2 .
Check this out :-
salman.hub(config)#do show version
Cisco IOS XE Software, Version 16.06.04
salman.hub(config)#crypto ipsec profile TSET
salman.hub(ipsec-profile)#set pfs ?
group1 D-H Group1 (768-bit modp)
group14 D-H Group14 (2048-bit modp)
group15 D-H Group15 (3072-bit modp)
group16 D-H Group16 (4096-bit modp)
group19 D-H Group19 (256-bit ecp)
group2 D-H Group2 (1024-bit modp)
group20 D-H Group20 (384-bit ecp)
group21 D-H Group21 (521-bit ecp)
group24 D-H Group24 (2048-bit modp, 256 bit subgroup)
group5 D-H Group5 (1536-bit modp)
salman.hub#show crypto ipsec profile TSET
IPSEC profile TSET
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group16
Mixed-mode : Disabled
Transform sets={
TSET: { masked } ,
Please rate this and mark as solution/answer, if this resolved/helped your issue
Regards
Salman
