Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3080
Views
0
Helpful
5
Replies

IOS to ASA with DH group 14

Go to solution
martinbuffleo
Level 1
Level 1

‎07-04-2013 08:35 AM

Has any one had the pleasure of trying to build a VPN tunnel between IOS and ASA using ikev1 and DH group 14?

The ASDM allows me to select grooup 14 but the CLI returns an error when the command is applied.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎07-04-2013 11:33 PM

You need to move to IKEv2, there you have support for DH-Group 14 both on IOS and the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
5 Replies 5

Go to solution
johnlloyd_13
Level 9
Level 9

‎07-04-2013 09:00 PM

hi,

was the error on the router IOS? could you post the CLI error?

0 Helpful

Go to solution
martinbuffleo
Level 1
Level 1
In response to johnlloyd_13

‎07-04-2013 11:12 PM

No it was in the asa. The asa woul only take 'group 1.2,5 or 7'

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎07-04-2013 11:33 PM

You need to move to IKEv2, there you have support for DH-Group 14 both on IOS and the ASA.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
martinbuffleo
Level 1
Level 1
In response to Karsten Iwen

‎07-05-2013 01:23 AM

Thats a shame becuase my IOS devices is in production, not sure I'll be able to move to IKEv2

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to martinbuffleo

‎07-05-2013 01:34 AM 

Thats a shame becuase my IOS devices is in production, not sure I'll be able to move to IKEv2

Yes, it would be really nice to have that on the ASA. Are you already on DH5 for your VPNs? With that you had at least more security then the avarage VPN-Admin. Most VPNs I see are still running DH2 (and some to my astonishment even with DH1).

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents