Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
767
Views
2
Helpful
9
Replies

Multiple Diffie Helfman Group In Phase 2 Cisco FMC-FTD

Go to solution
qsscisco
Level 1
Level 1

‎04-04-2024 06:06 AM

Hello,

Is it possible on Cisco FTD managed by Cisco FMC define multiple DH Group in Phase2 ?

qsscisco_0-1712235854436.png

From what i see it is just possible one. I tried put , but it doesnt accept. Also looking maybe for option to add thorugh flex config but didnt find any relevant docuemntation. Can anyone help?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎04-04-2024 06:10 AM

@qsscisco no, you can only set one DH group for PFS (phase 2), not even will FlexConfig allow you to configure two as the ASA also only supports one (Flexconfig uses the ASA commands, so if it's not supported on ASA it won't be supported on Flexconfig).

View solution in original post

0 Helpful
9 Replies 9

Go to solution
Rob Ingram
VIP
VIP

‎04-04-2024 06:10 AM

@qsscisco no, you can only set one DH group for PFS (phase 2), not even will FlexConfig allow you to configure two as the ASA also only supports one (Flexconfig uses the ASA commands, so if it's not supported on ASA it won't be supported on Flexconfig).

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to Rob Ingram

‎04-04-2024 06:18 AM

Hi Rob,

Thank you. To conclude if i have one dynamic crypto map, and have 2 remote location (one can support group21, other can support group 14 in phase 2) i cant accept establishing vpn on the same crypto map, so i need to create 2 separate dynamic crypto map, one acceptin group 21, another one accepting group 14?

Thank you

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to qsscisco

‎04-04-2024 06:22 AM

@qsscisco if it's two locations, just create two separate VPN topologies, either crypto map or SVTI, with different PFS DH groups.

Go to solution
MHM Cisco World
VIP
VIP
In response to qsscisco

‎04-04-2024 07:06 AM

Which ver of FMC you use ?

MHM

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to MHM Cisco World

‎04-24-2024 10:20 AM

@MHM Cisco World 

I am using 7.4.1

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to qsscisco

‎04-24-2024 10:49 AM

Sorry this issue not solve ?

If yes 

Dh group you want for phaseI or phaseII

MHM

0 Helpful

Go to solution
qsscisco
Level 1
Level 1
In response to MHM Cisco World

‎04-25-2024 12:27 AM

Hi,

The solution is to create new vpn topology with another DH group in phase 2. It is not possible in one VPN topology use 2 DH group in phase 2.

Go to solution
MHM Cisco World
VIP
VIP
In response to qsscisco

‎04-25-2024 12:33 AM

if you see there is pencil icon beside the proposal 
add new proposal 
select it encrypt and integrity 
then I think when you click any of two proposal you will get DH group 
try this way

MHM

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to MHM Cisco World

‎04-25-2024 01:48 AM

@MHM Cisco World as already stated in the previous answer, you can only select 1 PFS group.

PFS is not configured under the proposal section. You select "Enable Perfect Forward Secrecy" and select the Group from the drop down list, there is no option for multi choice.

RobIngram_0-1714033822295.png

 

0 Helpful
Customers Also Viewed These Support Documents