06-09-2016 05:40 AM - edited 03-12-2019 12:52 AM
Hi. I'm having a really weird issue on an ASA 5506 firewall where I'm trying to use DH Group20 on a VPN tunnel. For some odd reason, on my crypto map it only gives me the option to set groups 1, 2, or 5. But if I were to change the name of the crypto map, I then have the option to set all the other groups.
Any ideas?
ASA-5506(config)# crypto map CRYPTO-MAP1 10 set pfs ?
configure mode commands/options:
group1 D-H Group 1
group2 D-H Group 2
group5 D-H Group 5
<cr>
ASA-5506(config)# crypto map CRYPTO-MAP-2 10 set pfs ?
configure mode commands/options:
group1 D-H Group 1
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>
ASA-5506(config)#
06-14-2016 02:58 AM
This behavior is shown if the crypto map sequence is already in use with a peer that uses IKEv1. Is that the case for "CRYPTO-MAP1 10"? If you test it with the same crypto map but an unused sequence, then you should also see all DH-groups for PFS.
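As an added example (not code from the thread or from Cisco), here is a small Python linter that applies the rule from the answer above to crypto map text before it is pasted into an ASA: a sequence that carries an `ikev1 transform-set` only accepts PFS groups 1, 2 and 5 (the CLI output in the question lists 14/19/20/21/24 as "Unsupported for IKEv1"), so group20 has to sit on a sequence bound to an IKEv2 `ipsec-proposal`. It also flags the legacy algorithms that tend to sit next to such entries (DES/3DES, MD5, DH groups 1/2/5). The configuration it runs over is constructed for illustration; the second and third sequences, the `AES-GCM-256` proposal and the `REMOTE-ASA-2`/`REMOTE-ASA-3` peer names are assumptions, not part of the original post.

```python
"""Lint Cisco ASA crypto map entries for IKE-version / PFS consistency.

Added example for this thread, not code from the original posts or from Cisco.
Rule encoded (from the accepted answer and the CLI output in the question):
a crypto map sequence bound to an IKEv1 transform-set only accepts PFS groups
1, 2 and 5; groups 14/19/20/21/24 are "Unsupported for IKEv1" and need a
sequence bound to an IKEv2 ipsec-proposal instead.
"""
import re
from collections import defaultdict

IKEV1_PFS_GROUPS = {1, 2, 5}                    # offered on an IKEv1 sequence (thread output)
ALL_PFS_GROUPS = {1, 2, 5, 14, 19, 20, 21, 24}  # offered on a non-IKEv1 sequence (thread output)
LEGACY_DH_GROUPS = {1, 2, 5}                    # 768/1024/1536-bit MODP: flag regardless of IKE version
LEGACY_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}

MAP_RE = re.compile(
    r"^crypto map (?P<name>\S+) (?P<seq>\d+) "
    r"(?P<cmd>match address|set peer|set pfs|set ikev1 transform-set|set ikev2 ipsec-proposal)"
    r"(?: (?P<arg>.+))?$"
)
TS_RE = re.compile(r"^crypto ipsec ikev1 transform-set (?P<name>\S+) (?P<algs>.+)$")

# Constructed sample: the thread's IKEv1 entry (seq 10) beside an assumed IKEv2
# entry that can legitimately carry group20 (seq 20) and an IKEv1 entry that
# asks for group14 and would be rejected by the ASA (seq 30).
SAMPLE_CONFIG = """
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES-GCM-256
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map CRYPTO-MAP 10 match address ACL_1_VPN_TUNNEL
crypto map CRYPTO-MAP 10 set pfs group5
crypto map CRYPTO-MAP 10 set peer REMOTE-ASA
crypto map CRYPTO-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map CRYPTO-MAP 20 match address ACL_2_VPN_TUNNEL
crypto map CRYPTO-MAP 20 set pfs group20
crypto map CRYPTO-MAP 20 set peer REMOTE-ASA-2
crypto map CRYPTO-MAP 20 set ikev2 ipsec-proposal AES-GCM-256
crypto map CRYPTO-MAP 30 match address ACL_3_VPN_TUNNEL
crypto map CRYPTO-MAP 30 set pfs group14
crypto map CRYPTO-MAP 30 set peer REMOTE-ASA-3
crypto map CRYPTO-MAP 30 set ikev1 transform-set ESP-AES256-SHA
crypto map CRYPTO-MAP interface outside
"""


def parse_config(text):
    """Return (crypto map entries keyed by (name, seq), IKEv1 transform-set definitions)."""
    entries = defaultdict(dict)
    transform_sets = {}
    for raw in text.splitlines():
        line = raw.strip()
        ts = TS_RE.match(line)
        if ts:
            transform_sets[ts["name"]] = ts["algs"].split()
            continue
        m = MAP_RE.match(line)
        if not m:
            continue  # interface bindings, proposals, tunnel-groups: not needed here
        entry = entries[(m["name"], int(m["seq"]))]
        cmd, arg = m["cmd"], m["arg"] or ""
        if cmd == "set pfs":
            # a bare "set pfs" leaves the group at the platform default; record None
            entry["pfs_group"] = int(arg[len("group"):]) if arg.startswith("group") else None
        elif cmd == "set ikev1 transform-set":
            entry["ikev1_transform_sets"] = arg.split()
        elif cmd == "set ikev2 ipsec-proposal":
            entry["ikev2_proposals"] = arg.split()
        elif cmd == "set peer":
            entry["peers"] = arg.split()
        elif cmd == "match address":
            entry["acl"] = arg
    return dict(entries), transform_sets


def audit(entries, transform_sets):
    """Return findings as (map name, seq, message) tuples, ordered by map and sequence."""
    findings = []
    for (name, seq), e in sorted(entries.items()):
        ikev1 = e.get("ikev1_transform_sets", [])
        ikev2 = e.get("ikev2_proposals", [])
        if not ikev1 and not ikev2:
            findings.append((name, seq, "no transform-set or ipsec-proposal bound; entry is incomplete"))
        if "pfs_group" not in e:
            findings.append((name, seq, "PFS not enabled"))
        else:
            g = e["pfs_group"]
            if g is None:
                pass  # platform default group; nothing to check without knowing the version
            elif g not in ALL_PFS_GROUPS:
                findings.append((name, seq, f"group{g} is not a PFS group the ASA offers"))
            elif ikev1 and g not in IKEV1_PFS_GROUPS:
                findings.append((name, seq, f"group{g} is unsupported for IKEv1; move it to a "
                                            "sequence bound only to an ikev2 ipsec-proposal"))
            if g in LEGACY_DH_GROUPS:
                findings.append((name, seq, f"group{g} is a legacy MODP group; prefer group14 "
                                            "or 19/20/21 on an IKEv2 sequence"))
        for ts in ikev1:
            algs = transform_sets.get(ts)
            if algs is None:
                findings.append((name, seq, f"transform-set {ts} is referenced but not defined"))
                continue
            for alg in algs:
                if alg in LEGACY_ESP:
                    findings.append((name, seq, f"transform-set {ts} uses legacy algorithm {alg}"))
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config blob and audit it in one call."""
    return audit(*parse_config(text))


if __name__ == "__main__":
    for name, seq, msg in audit_text(SAMPLE_CONFIG):
        print(f"{name} {seq}: {msg}")
```

Run it on a config dump (`show running-config crypto`) or on a change you are about to paste; an "unsupported for IKEv1" finding is exactly the condition that makes the `set pfs ?` help text shrink to groups 1, 2 and 5 on an existing sequence.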
06-14-2016 07:07 AM
Really appreciate the help! You were exactly right. Once I removed the last line in bold I was good to go. I didn't realize I had added that in there. Thanks again!
crypto map CRYPTO-MAP 10 match address ACL_1_VPN_TUNNEL
crypto map CRYPTO-MAP 10 set pfs group5
crypto map CRYPTO-MAP 10 set peer REMOTE-ASA
crypto map CRYPTO-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS