VPN · ISAKMP Policy Config

group [2|5|14]

Specifies the Diffie-Hellman (DH) group identifier for an ISAKMP policy, determining the key exchange strength and security level.

Syntax·ISAKMP Policy Config
group [2|5|14]

When to Use This Command

  • Configuring a VPN policy that requires strong encryption by using DH group 14 (2048-bit) for secure key exchange.
  • Setting up a legacy VPN peer that only supports DH group 2 (1024-bit) due to older hardware constraints.
  • Standardizing on DH group 5 (1536-bit) as a balance between security and performance in a mixed-vendor environment.
  • Troubleshooting a VPN failure caused by DH group mismatch between peers.

Command Examples

Setting DH group 14 for high security

group 14

No output is generated; the command silently configures the DH group. Use 'show crypto isakmp policy' to verify.

Verifying configured DH group

show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
        encryption aes:    AES-CBC (128 bit key)
        hash:              sha
        group:             14
        lifetime:          86400 seconds
Protection suite of priority 20
        encryption des:    DES (56 bit keys)
        hash:              md5
        group:             2
        lifetime:          86400 seconds

The 'group' field shows the configured DH group (14 or 2). Ensure the group matches between peers; mismatched groups cause IKE negotiation failure.

Understanding the Output

The 'show crypto isakmp policy' command displays all configured ISAKMP policies. The 'group' field indicates the Diffie-Hellman group identifier. Common values: 1 (768-bit), 2 (1024-bit), 5 (1536-bit), 14 (2048-bit). Among these groups, a higher number means a larger modulus and a stronger key exchange, at the cost of more CPU during negotiation. A mismatch between peers will prevent IKE phase 1 from completing. Always verify that the group matches on both ends of the VPN tunnel.
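The mismatch check described above can be done mechanically from the 'show crypto isakmp policy' text. The following Python script is an added example, not part of the original page and not Cisco IOS code: it parses two constructed captures in the page's output format (one per peer), lists every policy pair that agrees on encryption, hash and DH group, and flags policies still using a group of 1024 bits or less. The peer outputs, the peer labels and the 1024-bit weak-group threshold are constructed for illustration; the modulus sizes are the ones listed on this page.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample captures modelled on the page's 'show crypto isakmp policy'
# output. Peer A is the local router; peer B is a remote peer whose priority-10
# policy uses group 5 instead of 14, so only the weak DES/MD5/group-2 pair matches.
PEER_A_OUTPUT = """Global IKE policy
Protection suite of priority 10
        encryption aes:    AES-CBC (128 bit key)
        hash:              sha
        group:             14
        lifetime:          86400 seconds
Protection suite of priority 20
        encryption des:    DES (56 bit keys)
        hash:              md5
        group:             2
        lifetime:          86400 seconds
"""

PEER_B_OUTPUT = """Global IKE policy
Protection suite of priority 10
        encryption aes:    AES-CBC (128 bit key)
        hash:              sha
        group:             5
        lifetime:          3600 seconds
Protection suite of priority 15
        encryption des:    DES (56 bit keys)
        hash:              md5
        group:             2
        lifetime:          86400 seconds
"""

# DH modulus sizes as listed on the page; used to rank group strength.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}
WEAK_GROUP_MAX_BITS = 1024  # constructed threshold: groups this small are flagged

PRIORITY_RE = re.compile(r"^Protection suite of priority (\d+)")
# "encryption aes:    AES-CBC (128 bit key)" -> field=encryption, keyword=aes
# "group:             14"                    -> field=group, keyword=None
FIELD_RE = re.compile(r"^\s+(encryption|hash|group|lifetime)(?: (\S+))?:\s+(.*)$")


def parse_isakmp_policies(text: str) -> Dict[int, Dict[str, Any]]:
    """Parse 'show crypto isakmp policy' text into {priority: {field: value}}."""
    policies: Dict[int, Dict[str, Any]] = {}
    current = None
    for line in text.splitlines():
        m = PRIORITY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            field, keyword, value = m.groups()
            value = value.strip()
            if field == "encryption":
                policies[current]["encryption"] = keyword  # short keyword: aes, des, ...
            elif field == "group":
                policies[current]["group"] = int(value)
            elif field == "lifetime":
                policies[current]["lifetime"] = int(value.split()[0])  # seconds
            else:
                policies[current][field] = value
    return policies


def find_matching_proposals(local: Dict[int, Dict[str, Any]],
                            remote: Dict[int, Dict[str, Any]]) -> List[Tuple[int, int, int]]:
    """Return (local_priority, remote_priority, negotiated_lifetime) for every pair
    whose encryption, hash and DH group agree. IKE phase 1 walks the policies in
    priority order and uses the first match; lifetimes need not be identical,
    the shorter of the two is negotiated."""
    matches = []
    for lp in sorted(local):
        for rp in sorted(remote):
            a, b = local[lp], remote[rp]
            if (a["encryption"], a["hash"], a["group"]) == (b["encryption"], b["hash"], b["group"]):
                matches.append((lp, rp, min(a["lifetime"], b["lifetime"])))
    return matches


def weak_groups(policies: Dict[int, Dict[str, Any]]) -> List[int]:
    """Priorities whose DH group modulus is at or below WEAK_GROUP_MAX_BITS."""
    flagged = []
    for prio, pol in policies.items():
        bits = DH_GROUP_BITS.get(pol["group"])
        if bits is not None and bits <= WEAK_GROUP_MAX_BITS:
            flagged.append(prio)
    return sorted(flagged)


if __name__ == "__main__":
    local = parse_isakmp_policies(PEER_A_OUTPUT)
    remote = parse_isakmp_policies(PEER_B_OUTPUT)
    matches = find_matching_proposals(local, remote)
    if not matches:
        print("No matching ISAKMP proposal: IKE phase 1 will fail")
    for lp, rp, life in matches:
        print(f"local policy {lp} matches remote policy {rp} "
              f"(group {local[lp]['group']}, lifetime {life}s)")
    for name, pols in (("local", local), ("remote", remote)):
        for p in weak_groups(pols):
            g = pols[p]["group"]
            print(f"{name} policy {p} uses DH group {g} ({DH_GROUP_BITS[g]}-bit)")
```

Run against the two constructed captures, the strong priority-10 policies do not match (group 14 versus 5), so the tunnel would come up on the DES/MD5/group-2 pair instead of failing outright. That is the detection value of the check: a group mismatch on the preferred policy can silently fall through to a weaker one that both peers still carry.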

CCNA Exam Tips

1. CCNA exam may ask which DH group is the most secure among options (group 14 > 5 > 2).

2. Remember that DH group 2 is the default on many Cisco IOS versions; exam questions might test default values.

3. Know that DH group mismatch is a common cause of IKE phase 1 failure; exam scenarios often include troubleshooting such issues.

4. The 'group' command is configured in ISAKMP policy configuration mode; you must first enter 'crypto isakmp policy <priority>'.

Common Mistakes

Setting different DH groups on peers, causing IKE negotiation to fail.

Forgetting to apply the ISAKMP policy to the crypto map or interface, so the group setting is never used.

Using a DH group that is not supported by the peer device (e.g., group 14 on very old hardware).
