Cisco Support Community

VPN Client user cannot connect to the PIX. The user needs to configure DH group 2

Core issue

If you use a pre-shared key for the Cisco VPN Client version 3.x to connect to the PIX Firewall, you need to configure Diffie-Hellman (DH) group 2 using the isakmp policy priority group 2 command, where priority is the number of the ISAKMP policy (10 in the configuration below).


Check that the Internet Security Association and Key Management Protocol (ISAKMP) policy on the PIX has the correct DH group configured. Your configuration should be similar to this:

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
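The check described above can be run over a saved PIX configuration. The following is an added example, not part of the original article or any Cisco tool: the function name, the sample configuration and the default values (rsa-sig authentication and DH group 1 when a policy line is omitted) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of PIX configuration lines (not from a real device).
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 lifetime 86400
"""

POLICY_RE = re.compile(
    r"^\s*isakmp policy (\d+) "
    r"(authentication|encryption|hash|group|lifetime) (\S+)\s*$"
)

# Assumption: values the PIX applies when a policy omits the attribute.
DEFAULTS = {"authentication": "rsa-sig", "group": "1"}


def check_preshare_dh_group(config_text):
    """Sort pre-shared-key ISAKMP policies by whether they use DH group 2.

    Returns {"group2": [...], "other": [...]} with policy priorities.
    A VPN Client 3.x peer needs at least one entry under "group2".
    """
    policies = defaultdict(dict)
    for line in config_text.splitlines():
        match = POLICY_RE.match(line)
        if match:
            priority, attribute, value = match.groups()
            policies[int(priority)][attribute] = value

    result = {"group2": [], "other": []}
    for priority in sorted(policies):
        attrs = {**DEFAULTS, **policies[priority]}
        if attrs["authentication"] != "pre-share":
            continue  # the article only concerns pre-shared-key policies
        key = "group2" if attrs["group"] == "2" else "other"
        result[key].append(priority)
    return result


if __name__ == "__main__":
    print(check_preshare_dh_group(SAMPLE_CONFIG))
```

An empty "group2" list means no pre-shared-key policy offers DH group 2, which is the condition this article describes.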

For more information about configuring IPSec, refer to Configuring Cisco Secure PIX Firewall 6.0 and Cisco VPN 3000 Clients Using IPSec.

Version history
Revision #: 1 of 1
Last update: 06-22-2009 04:11 PM