Monday, May 5, 2014

ikev2 VPN s-2-s - IOS and ASA - pre-shared-key - update

In my last post I tested ikev2 on ASA and IOS and when I tried to work on the configs which I posted there I found one missing parameter. The tunnel didn’t come up and I tried to find why.

R1: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
 
ASA1: Cisco Adaptive Security Appliance Software Version 8.4(2)

ISAKMP settings for ASA1 and R1:

ASA1:
 
!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
!

R1:
 
!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 5
!

When I try to ping I see the tunnel can’t come up:

R1#
*May  4 17:28:52.815: IKEv2:(SA ID = 1):Initial exchange failed
R1#
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:28:54.791: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 MD596 DH_GROUP_1536_MODP/Gro                

   up 5
*May  4 17:28:54.791:
*May  4 17:28:54.791:
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:28:54.791: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Grou                

   p 5
*May  4 17:28:54.791:
*May  4 17:28:54.791:
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

Why it sends ‘SHA1’ instead of md5? When I change the proposal on ASA:
 
!
crypto ikev2 policy 10
 encryption aes-256
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
!

I see the ASA sends correct encryption algorithm (AES-CBC-256), so ASA is checking the policy 10, but why it sends ‘SHA1’ instead of md5?

R1#
*May  4 17:34:02.131: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:34:02.135: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  AES-CBC-256 SHA1 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:34:02.139:
*May  4 17:34:02.143:
*May  4 17:34:02.143: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:34:02.147: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:34:02.147:
*May  4 17:34:02.147:
*May  4 17:34:02.147: IKEv2:(SA ID = 1):Failed to find a matching policy

Let’s try to change integrity algorithm from MD5 to SHA512:

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 5
 prf sha
 lifetime seconds 86400
!

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity sha512
 group 5
!
 
R1#
*May  4 17:39:15.115: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:39:15.119: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 SHA512 DH_GROUP_1536_MODP/Group 5
*May  4 17:39:15.123:
*May  4 17:39:15.123:
*May  4 17:39:15.123: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:39:15.123: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*May  4 17:39:15.123:

As we see now the 2nd parameter is not ‘INTEGRITY’ as I thought but ‘PRF’ and it expects SHA512 in proposal. So, on the ASA we can set ‘prf’, not like on routers where the algorithm is the same as for ‘integrity’. So, to fix it we can change current SHA1 for ‘prf’ to SHA512. Let’s see if it helps:
 
asa1(config-ikev2-policy)# prf sha512

ASA1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity sha512
 group 5
!

R1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
!

Let’s ping to initiate the tunnel:

R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 56/94/124 ms
R2#

So, the ping is working fine:

R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          10.0.0.2/500          none/none            READY
      Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/241 sec

 IPv6 Crypto IKEv2  SA 
 
 
 
R1#

asa1(config)# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
220762183          10.0.0.2/500          10.0.0.1/500      READY    INITIATOR
      Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/163 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0x736c82a8/0x31fcaa9b
asa1(config)#
 
 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
      local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 31FCAA9B
      current inbound spi : 736C82A8

    inbound esp sas:
      spi: 0x736C82A8 (1936491176)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65536, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4239359/28599)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x31FCAA9B (838642331)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65536, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4285439/28599)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa1#

So, it seems to be working fine. I still wonder if we can adjust ISAKMP parameters with ‘md5’, from the first example.

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 5
!

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
 prf md5
 lifetime seconds 86400
!
 
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/84/112 ms
R2#

so, when I change prf on md5 (and now it matches with ‘integrity’ on R1) it works fine as expected:

R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          10.0.0.2/500          none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12 sec

 IPv6 Crypto IKEv2  SA

R1#

 
 
asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
228933749          10.0.0.2/500          10.0.0.1/500      READY    INITIATOR
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/88 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0xbfb5537e/0x6214842b
asa1#

Be careful with the PRF as on IOS you can’t set the parameter in the explicit way.

From Cisco documentation:

IOS: Pseudo-Random Function (PRF) algorithm is the same as the integrity algorithm, and hence, it is not configured separately.

ASA: For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption and so on.

sha (default) - SHA-1 (HMAC variant) - Specifies the pseudo random function (PRF)—the algorithm used to generate keying material.
The sha is a default one but you can choose following ones:
  • md5
  • sha256
  • sha384
  • sha512

No comments:

Post a Comment