Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
743
Views
2
Helpful
7
Replies

Ike v2 support dhgroup16

sujanyakj
Spotlight
Spotlight

‎04-21-2023 09:08 AM

Will the cisco router 1000 series will support dhgroup16 in phase 2 of the tunnel

Labels:
7 Replies 7

MHM Cisco World
VIP
VIP

‎04-21-2023 09:23 AM - edited ‎04-24-2023 07:26 AM

Cisco 1000 Series Connected Grid Routers Security Software Configuration Guide - Configuring IKEv2 and IPSec - Cisco

please @sujanyakj  specify which platform you have ?

0 Helpful

Salman Mahajan
Cisco Employee
Cisco Employee

‎04-24-2023 03:24 AM

Yes it does support , depends on what IOS-XE version you are running . I have CSR1000v on IOS-XE 16.06.04 and it does support PFS - DH group16 for phase 2 . 


Check this out :-

salman.hub(config)#do show version
Cisco IOS XE Software, Version 16.06.04

salman.hub(config)#crypto ipsec profile TSET

salman.hub(ipsec-profile)#set pfs ?
group1 D-H Group1 (768-bit modp)
group14 D-H Group14 (2048-bit modp)
group15 D-H Group15 (3072-bit modp)
group16 D-H Group16 (4096-bit modp)
group19 D-H Group19 (256-bit ecp)
group2 D-H Group2 (1024-bit modp)
group20 D-H Group20 (384-bit ecp)
group21 D-H Group21 (521-bit ecp)
group24 D-H Group24 (2048-bit modp, 256 bit subgroup)
group5 D-H Group5 (1536-bit modp)

 

salman.hub#show crypto ipsec profile TSET
IPSEC profile TSET
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group16
Mixed-mode : Disabled
Transform sets={
TSET: { masked } ,

Please rate this and mark as solution/answer, if this resolved/helped your issue
Regards
Salman

0 Helpful

sujanyakj
Spotlight
Spotlight

‎04-24-2023 04:51 AM

Hi all, thanks for responding. Will dhgroup16 supports in the phase 1 as well.

0 Helpful

Rob Ingram
VIP
VIP
In response to sujanyakj

‎04-24-2023 04:57 AM

@sujanyakj yes you can configure DH group 16 in the IKEv2 proposal (phase 1).

RobIngram_0-1682337436065.png

 

0 Helpful

MHM Cisco World
VIP
VIP
In response to sujanyakj

‎04-24-2023 05:14 AM - edited ‎04-24-2023 07:25 AM

there are many platform, @sujanyakj  which platform you have ?

0 Helpful

Rob Ingram
VIP
VIP
In response to MHM Cisco World

‎04-24-2023 06:33 AM

@MHM Cisco World the ISR 1000 router does support DH group 16 or better, you provided a link to the Cisco Connected Grid 1000 series router which run CG-OS.

@sujanyakj doesn't state which Cisco 1000 series router he is referring to. CSR/ISR 1000 routers do support DH group 16 or higher, CG 1000 series router does not.

Customers Also Viewed These Support Documents