
New Member

Cisco ASA PFS

In the config for IKEv2 you can specify multiple DH groups. Does that work like the multiple IKE policies, where they're all sent and they agree on the first proposal?

For example:

    crypto ikev2 policy 10
     group 1 2 5

Does this mean the ASA sends a request to use either DH group 1, 2, or 5, and just matches the first one that the responder says it's willing to do?

Thanks.

1 REPLY
Cisco Employee

Unlike IKEv1, in IKEv2 you're sending the things you support, and you agree with the peer (typically) on the strongest encryption both of you are willing to do.

Have a look at:

http://tools.ietf.org/html/rfc5996

2.7.  Cryptographic Algorithm Negotiation
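To make the negotiation the reply points to concrete, here is a small Python model of the IKE_SA_INIT DH-group exchange from RFC 5996 section 2.7. It is an added illustration, not Cisco ASA code: the real ASA selection logic is not modelled, and the responder's "pick the first of my own preference list that the initiator offered" rule is an assumption standing in for whatever policy the peer actually applies. It also shows the IKEv2 quirk that the KE payload can carry a key for only one group, so a wrong guess costs an INVALID_KE_PAYLOAD round trip, and that any group listed in the policy, including a weak one, can end up being the one the peer selects.

```python
# Model of IKEv2 IKE_SA_INIT DH-group negotiation (RFC 5996 sec. 2.7).
# Added example; not ASA code. Responder policy below is an assumption.

INVALID_KE_PAYLOAD = "INVALID_KE_PAYLOAD"   # notify type from RFC 5996
NO_PROPOSAL_CHOSEN = "NO_PROPOSAL_CHOSEN"


def parse_group_line(line):
    """Parse an ASA policy line such as 'group 1 2 5' into an ordered list."""
    parts = line.split()
    if not parts or parts[0] != "group":
        raise ValueError("expected a 'group ...' line, got: %r" % line)
    return [int(p) for p in parts[1:]]


def responder_select(offered, accepted):
    """Responder picks one DH group from the initiator's offer.

    Assumed policy: walk the responder's own preference-ordered list and take
    the first entry the initiator also offered (the RFC leaves the choice to
    responder policy). Returns None when nothing overlaps.
    """
    for group in accepted:
        if group in offered:
            return group
    return None


def ike_sa_init(initiator_groups, responder_groups):
    """Run the DH-group part of IKE_SA_INIT and return (chosen, round_trips).

    All groups go into ONE proposal as alternative transforms, but the KE
    payload holds a public value for only one group, so the initiator guesses
    its first choice. If the responder selects another group it answers
    INVALID_KE_PAYLOAD naming that group and the initiator retries with it.
    """
    chosen = responder_select(initiator_groups, responder_groups)
    if chosen is None:
        return None, 1              # responder replies NO_PROPOSAL_CHOSEN
    guess = initiator_groups[0]     # group used for the first KE payload
    if guess == chosen:
        return chosen, 1            # first exchange succeeds
    return chosen, 2                # INVALID_KE_PAYLOAD(chosen), then retry


if __name__ == "__main__":
    groups = parse_group_line("group 1 2 5")        # the policy from the question
    print(ike_sa_init(groups, [5, 2]))              # peer prefers 5: retry needed
    print(ike_sa_init(groups, [1, 14]))             # peer prefers 1: weak group wins
    print(ike_sa_init([14, 5], [1, 14]))            # group 1 not offered: 14 chosen
```

The second call is the point for hardening: a group stays negotiable as long as it is listed in the policy, so the set you configure is the set a peer can choose from.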
