Cisco ASA PFS

zyang
Level 1

In the config for IKEv2 you can specify multiple DH groups. Does that work like multiple IKE policies, where they're all sent and the peers agree on the first proposal?

for example:

crypto ikev2 policy 10
 group 1 2 5

Does this mean the ASA sends a request to use either DH group 1, 2, or 5, and just matches the first one that the responder says it's willing to do?

Thanks.

1 Reply

Marcin Latosiewicz
Cisco Employee

Unlike IKEv1, in IKEv2 you send the things you support and agree with the peer (typically) on the strongest encryption both of you are willing to do.

Have a look at:

http://tools.ietf.org/html/rfc5996

2.7.  Cryptographic Algorithm Negotiation
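The negotiation the reply points to (section 2.7 of RFC 5996, now RFC 7296) can be modelled in a few lines. The following Python is an added illustration written for this thread; it is not ASA code and not Cisco's. It treats `group 1 2 5` as three D-H transforms of one type inside a single proposal, lets a responder with a hypothetical preference-ordered local policy pick one transform per type, and shows the INVALID_KE_PAYLOAD round trip that RFC 7296 specifies when the initiator's guessed KE group is not the one the responder chooses. Which group a real ASA guesses for its first KE payload is passed in as a parameter rather than assumed. The responder preference lists, the `strongest_first` ordering by MODP modulus size, and the sample peers are all constructed for the example.

```python
"""Model of IKEv2 proposal / D-H group negotiation (RFC 7296 section 2.7).

Added illustration for the thread above, not ASA or Cisco code. The
responder policy objects and the ordering helper are hypothetical.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Approximate MODP modulus sizes in bits, used only to order groups by
# strength. Groups 1 and 2 (768/1024-bit) are far below current guidance.
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

TRANSFORM_TYPES = ("encr", "prf", "integ", "dh")


@dataclass
class Proposal:
    """One SA proposal; each list holds alternatives of one transform type.
    `group 1 2 5` on the ASA maps to dh=[1, 2, 5]."""
    encr: List[str]
    prf: List[str]
    integ: List[str]
    dh: List[int]


@dataclass
class ResponderPolicy:
    """Responder's locally configured choices, most preferred first (constructed)."""
    encr: List[str]
    prf: List[str]
    integ: List[str]
    dh: List[int]


@dataclass
class Chosen:
    encr: str
    prf: str
    integ: str
    dh: int


def strongest_first(groups: List[int]) -> List[int]:
    """Order D-H groups by modulus size, largest first ("strongest" preference)."""
    return sorted(groups, key=lambda g: MODP_BITS.get(g, 0), reverse=True)


def _pick(local: list, offered: list):
    # The responder chooses by its own preference order, but only among the
    # alternatives the initiator actually offered for that transform type.
    for candidate in local:
        if candidate in offered:
            return candidate
    return None


def select_suite(proposals: List[Proposal], policy: ResponderPolicy) -> Optional[Chosen]:
    """Accept the first proposal (initiator order) the responder can fully
    satisfy with exactly one transform per type; None means NO_PROPOSAL_CHOSEN."""
    for p in proposals:
        choice = [_pick(getattr(policy, t), getattr(p, t)) for t in TRANSFORM_TYPES]
        if all(c is not None for c in choice):
            return Chosen(*choice)
    return None


def ike_sa_init(proposals: List[Proposal], guessed_ke_group: int,
                policy: ResponderPolicy) -> Tuple[Optional[Chosen], List[str]]:
    """Simulate the IKE_SA_INIT messages, including the retry the initiator
    must perform when its guessed KE group differs from the responder's pick."""
    transcript = [f"initiator: SAi1 dh={proposals[0].dh} KEi(group {guessed_ke_group})"]
    chosen = select_suite(proposals, policy)
    if chosen is None:
        transcript.append("responder: N(NO_PROPOSAL_CHOSEN)")
        return None, transcript
    ke_group = guessed_ke_group
    if ke_group != chosen.dh:
        # RFC 7296 s2.7: responder names the group it wants; initiator resends.
        transcript.append(f"responder: N(INVALID_KE_PAYLOAD, group {chosen.dh})")
        ke_group = chosen.dh
        transcript.append(f"initiator: SAi1 dh={proposals[0].dh} KEi(group {ke_group}) (retry)")
    transcript.append(f"responder: SAr1 dh={chosen.dh} KEr(group {ke_group})")
    return chosen, transcript


if __name__ == "__main__":
    asa_offer = Proposal(["AES-256-CBC"], ["HMAC-SHA256"], ["HMAC-SHA256-128"], [1, 2, 5])
    peer = ResponderPolicy(["AES-256-CBC"], ["HMAC-SHA256"], ["HMAC-SHA256-128"],
                           strongest_first([2, 5, 14]))
    chosen, messages = ike_sa_init([asa_offer], guessed_ke_group=1, policy=peer)
    print("\n".join(messages))
    print("chosen:", chosen)
```

Two things the model makes visible: the responder, not the initiator, decides among the offered alternatives, so a peer that prefers group 5 takes it even though the ASA listed group 1 first, at the cost of one extra round trip if the ASA guessed group 1 for its KE payload; and a peer whose policy only admits group 14 or higher rejects the whole `1 2 5` proposal with NO_PROPOSAL_CHOSEN, so offering only weak groups is both a strength and an interoperability problem.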
