ASA 5506 - Unable to set DH Group 20

Charger1129 (Level 1)

Hi. I'm having a really weird issue on an ASA 5506 firewall where I'm trying to use DH Group 20 on a VPN tunnel. For some odd reason, on my crypto map it only gives me the option to set groups 1, 2, or 5. But if I were to change the name of the crypto map, I then have the option to set all the other groups.

Any ideas?

ASA-5506(config)# crypto map CRYPTO-MAP1 10 set pfs ?

configure mode commands/options:
group1 D-H Group 1
group2 D-H Group 2
group5 D-H Group 5
<cr>
ASA-5506(config)# crypto map CRYPTO-MAP-2 10 set pfs ?

configure mode commands/options:
group1 D-H Group 1
group14 D-H Group 14 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1)
group5 D-H Group 5
<cr>
ASA-5506(config)#

Accepted Solution

This behavior is shown if the crypto map sequence is already in use with a peer that uses IKEv1. Is that the case for "CRYPTO-MAP1 10"? If you test it with the same crypto map but an unused sequence, then you should also see all DH-groups for PFS.

2 Replies

Really appreciate the help! You were exactly right. Once I removed the last line in bold I was good to go. I didn't realize I had added that in there. Thanks again!

crypto map CRYPTO-MAP 10 match address ACL_1_VPN_TUNNEL
crypto map CRYPTO-MAP 10 set pfs group5
crypto map CRYPTO-MAP 10 set peer REMOTE-ASA
crypto map CRYPTO-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS
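The rule from the accepted solution (a crypto map sequence that carries an `ikev1 transform-set` only offers PFS groups 1, 2 and 5; groups 14, 19, 20, 21 and 24 are reported as "Unsupported for IKEv1") can be checked on a set of crypto map lines before they are pasted into the ASA. The following Python script is an added example, not code from the thread or from Cisco. It assumes IKEv2 sequences are recognised by a `set ikev2 ipsec-proposal` line (real ASA syntax, but not shown in the thread), treats groups 1, 2 and 5 as weak (a policy choice), and runs over a constructed config in which sequence 10 is the poster's entry, sequence 20 is a hypothetical IKEv2 entry with group 20, and sequence 30 is the combination the ASA refuses.

```python
import re
from collections import defaultdict

# Constructed sample config lines (not a real device's configuration).
SAMPLE_CONFIG = """\
crypto map CRYPTO-MAP 10 match address ACL_1_VPN_TUNNEL
crypto map CRYPTO-MAP 10 set pfs group5
crypto map CRYPTO-MAP 10 set peer REMOTE-ASA
crypto map CRYPTO-MAP 10 set ikev1 transform-set ESP-3DES-SHA-TRANS
crypto map CRYPTO-MAP 20 match address ACL_2_VPN_TUNNEL
crypto map CRYPTO-MAP 20 set pfs group20
crypto map CRYPTO-MAP 20 set peer 203.0.113.10
crypto map CRYPTO-MAP 20 set ikev2 ipsec-proposal AES-GCM-PROPOSAL
crypto map CRYPTO-MAP 30 match address ACL_3_VPN_TUNNEL
crypto map CRYPTO-MAP 30 set pfs group20
crypto map CRYPTO-MAP 30 set peer 203.0.113.20
crypto map CRYPTO-MAP 30 set ikev1 transform-set ESP-3DES-SHA-TRANS
"""

# PFS groups the ASA CLI offers on a sequence, taken from the help output in the thread.
IKEV1_PFS_GROUPS = {1, 2, 5}
IKEV2_PFS_GROUPS = {1, 2, 5, 14, 19, 20, 21, 24}
# Assumption (policy choice): the short MODP groups are considered weak.
WEAK_GROUPS = {1, 2, 5}

# Only "crypto map NAME SEQ ..." entry lines; "crypto map NAME interface ..." has no
# numeric sequence and is skipped on purpose.
LINE_RE = re.compile(r"^crypto map (\S+) (\d+) (.*)$")


def parse_crypto_maps(config_text):
    """Group crypto map lines by (name, sequence) and pull out PFS, IKE version, peer."""
    entries = defaultdict(dict)
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
        entry = entries[(name, seq)]
        pfs = re.match(r"set pfs group(\d+)$", rest)
        if pfs:
            entry["pfs"] = int(pfs.group(1))
        elif rest.startswith("set ikev1 transform-set "):
            entry.setdefault("ike", set()).add(1)
        elif rest.startswith("set ikev2 ipsec-proposal "):  # assumed marker for IKEv2 sequences
            entry.setdefault("ike", set()).add(2)
        elif rest.startswith("set peer "):
            entry["peer"] = rest.split(None, 2)[2]
    return dict(entries)


def audit(entries):
    """Return (name, seq, message) findings: groups the ASA will reject, and weak groups."""
    findings = []
    for (name, seq), entry in sorted(entries.items()):
        ike = entry.get("ike", set())
        pfs = entry.get("pfs")
        if pfs is None:
            findings.append((name, seq, "no PFS configured on this sequence"))
            continue
        # The behaviour the accepted solution describes: an IKEv1 sequence cannot take
        # a PFS group outside 1, 2, 5 (the CLI labels the rest "Unsupported for IKEv1").
        if 1 in ike and pfs not in IKEV1_PFS_GROUPS:
            findings.append((name, seq,
                             f"group{pfs} is not offered while the sequence uses an ikev1 transform-set"))
        elif pfs not in IKEV2_PFS_GROUPS:
            findings.append((name, seq, f"group{pfs} is not a PFS group the ASA offers"))
        if pfs in WEAK_GROUPS:
            findings.append((name, seq, f"group{pfs} is a weak DH group"))
    return findings


if __name__ == "__main__":
    for name, seq, msg in audit(parse_crypto_maps(SAMPLE_CONFIG)):
        print(f"crypto map {name} {seq}: {msg}")
```

Run against the sample, the script reports sequence 10 for its weak group 5 and sequence 30 for asking for group 20 on an IKEv1 sequence, while the IKEv2 sequence 20 passes; that matches what the poster saw, where the `ikev1 transform-set` line on the sequence was what hid group 20 from the CLI.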