crypto ikev2 proposal DXC
 integrity sha256 sha512
 group 14
Then I’ll prioritize it with:
crypto ikev2 policy 5
 proposal DXC
crypto ikev2 policy 10
 proposal proposal1
IOS evaluates policies lowest → highest, so DXC will be tried first. If a peer only supports 20/21, it will fall through to proposal1, so existing tunnels shouldn’t break. The only change is that some peers that support DH14 may negotiate that instead on rekey.
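
An added example, not part of the original post and not Cisco code: a small offline check that models the ordering the post describes and flags peers that would end up on a weaker DH group after the change. Assumptions: policies are tried in ascending numeric order with first match winning (the post's description, not verified IOS behaviour), only DH groups are compared, and `proposal1` offers groups 20 and 21.

```python
import re

# Constructed sample: DXC lines are from the post; proposal1's groups are assumed.
SAMPLE_CONFIG = """\
crypto ikev2 proposal DXC
 integrity sha256 sha512
 group 14
crypto ikev2 proposal proposal1
 group 20 21
crypto ikev2 policy 5
 proposal DXC
crypto ikev2 policy 10
 proposal proposal1
"""

# Approximate security strength in bits: MODP-2048, ECP-256, ECP-384, ECP-521.
DH_STRENGTH = {14: 112, 19: 128, 20: 192, 21: 256}

def parse(config):
    """Return ({proposal: [dh groups]}, {policy: [proposal names]}) from IOS-style text."""
    proposals, policies, current = {}, {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 (proposal|policy) (\S+)", line)
        words = line.split()
        if m:
            store = proposals if m.group(1) == "proposal" else policies
            current = store.setdefault(m.group(2), [])
        elif current is not None and line.startswith(" ") and words:
            if words[0] == "group":
                current.extend(int(g) for g in words[1:])
            elif words[0] == "proposal":
                current.append(words[1])
    return proposals, policies

def negotiate(config, peer_groups):
    """Model only: first proposal, in ascending policy number, sharing a group with the peer."""
    proposals, policies = parse(config)
    for number in sorted(policies, key=int):
        for name in policies[number]:
            for group in proposals.get(name, []):
                if group in peer_groups:
                    return name, group
    return None

def downgraded(config, peer_groups):
    """True if the peer and this config share a stronger group than the one negotiated."""
    got = negotiate(config, peer_groups)
    ours = {g for gs in parse(config)[0].values() for g in gs} & set(peer_groups)
    return bool(got) and any(DH_STRENGTH.get(g, 0) > DH_STRENGTH.get(got[1], 0) for g in ours)
```

Running `downgraded()` over each peer's known group support before the change lists the tunnels that would move from group 20/21 to group 14 on rekey.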