...
Weak cryptographic algorithms should not be used for IPsec as they are insecure and do not provide adequate protection from modern threats. These algorithms should be replaced with stronger algorithms. The following algorithms will be rejected when configured:
- PFS using Diffie-Hellman group 1, 2, and 5.
Device configured with weak cryptographic algorithms used in an IPsec configuration.
Update the configuration to use strong cryptographic algorithms for IPsec. If that's not possible, then the following configuration command is required for IPsec to continue to function with the weak algorithms upon an upgrade to IOS XE version 17.11.1:

Device(config)#crypto engine compliance shield disable

Note that the above command only takes effect after a reboot. Cisco does NOT recommend this option, as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats; it should only be used as a last resort.
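A pre-upgrade check for the condition described above, as an added example that is not part of the Cisco bug record: it scans a saved running-config for PFS set to Diffie-Hellman group 1, 2 or 5 and reports whether the compliance shield has been disabled. The sample configuration (profile and map names, peer addresses) is constructed, and the script assumes PFS is configured with `set pfs groupN` under `crypto map` or `crypto ipsec profile` sections.

```python
import re

# DH groups the advisory lists as rejected for IPsec PFS.
WEAK_PFS_GROUPS = {"1", "2", "5"}
SHIELD_DISABLE = "crypto engine compliance shield disable"
# Top-level sections under which "set pfs" is assumed to appear.
SECTION_RE = re.compile(r"^(crypto map \S+ \d+.*|crypto ipsec profile \S+)\s*$")
PFS_RE = re.compile(r"^\s+set pfs group(\d+)\s*$")


def audit_pfs(config_text):
    """Return ([(section, line_number, group), ...], shield_disabled)."""
    findings, shield_disabled, section = [], False, None
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.strip() == SHIELD_DISABLE:
            shield_disabled = True
        elif line and not line[0].isspace():
            # Unindented line: either opens a tracked section or closes one.
            m = SECTION_RE.match(line)
            section = m.group(1) if m else None
        else:
            m = PFS_RE.match(line)
            if m and section and m.group(1) in WEAK_PFS_GROUPS:
                findings.append((section, lineno, m.group(1)))
    return findings, shield_disabled


# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONFIG = """\
crypto ipsec profile VTI-PROFILE
 set transform-set TS-AES256
 set pfs group2
!
crypto map OUTSIDE-MAP 10 ipsec-isakmp
 set peer 192.0.2.1
 set pfs group14
!
crypto map OUTSIDE-MAP 20 ipsec-isakmp
 set peer 192.0.2.2
 set pfs group5
"""

if __name__ == "__main__":
    findings, shield = audit_pfs(SAMPLE_CONFIG)
    for section, lineno, group in findings:
        print(f"line {lineno}: {section}: weak PFS group{group}")
    print("compliance shield disabled:", shield)
```

A device that reports findings while the shield is not disabled is one whose IPsec configuration would be affected by the upgrade; a device with the shield disabled is still running the weak groups and remains a remediation item.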