Problem:

On the new Cisco C8500 routers, the Cisco security baseline does not allow the use of DH Group 2 in IPsec VPNs. This means that an IPsec VPN won't work if it uses DH Group 2.


Solution:
Turn off this baseline restriction.


Procedure:


1. Enter ROMMON on the device.

2. Enter "CSDL_MODE_DISABLE=1"

3. Enter "sync" to save

4. Enter "boot" to reload the device.