
ikev2 VPN s-2-s - IOS and ASA - pre-shared-key - update

In my last post I tested IKEv2 on ASA and IOS, and when I tried to work with the configs I posted there, I found one missing parameter. The tunnel didn’t come up, and I tried to find out why.

R1: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
 
ASA1: Cisco Adaptive Security Appliance Software Version 8.4(2)

ISAKMP settings for ASA1 and R1:

ASA1:
 
!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
!

R1:
 
!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 5
!

When I try to ping I see the tunnel can’t come up:

R1#
*May  4 17:28:52.815: IKEv2:(SA ID = 1):Initial exchange failed
R1#
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:28:54.791: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:28:54.791:
*May  4 17:28:54.791:
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:28:54.791: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:28:54.791:
*May  4 17:28:54.791:
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy

Why does it send ‘SHA1’ instead of md5? When I change the proposal on the ASA:
 
!
crypto ikev2 policy 10
 encryption aes-256
 integrity md5
 group 5
 prf sha
 lifetime seconds 86400
!

I see the ASA sends the correct encryption algorithm (AES-CBC-256), so the ASA is checking policy 10, but why does it send ‘SHA1’ instead of md5?

R1#
*May  4 17:34:02.131: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:34:02.135: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  AES-CBC-256 SHA1 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:34:02.139:
*May  4 17:34:02.143:
*May  4 17:34:02.143: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:34:02.147: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:34:02.147:
*May  4 17:34:02.147:
*May  4 17:34:02.147: IKEv2:(SA ID = 1):Failed to find a matching policy

Let’s try to change the integrity algorithm from MD5 to SHA512:

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 5
 prf sha
 lifetime seconds 86400
!

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity sha512
 group 5
!
 
R1#
*May  4 17:39:15.115: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:39:15.119: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 SHA512 DH_GROUP_1536_MODP/Group 5
*May  4 17:39:15.123:
*May  4 17:39:15.123:
*May  4 17:39:15.123: IKEv2:(SA ID = 1):Failed to find a matching policy

*May  4 17:39:15.123: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*May  4 17:39:15.123:

As we can now see, the 2nd parameter is not ‘INTEGRITY’, as I thought, but ‘PRF’, and it expects SHA512 in the proposal. So, on the ASA we can set ‘prf’ separately, unlike on routers, where the PRF algorithm is the same as for ‘integrity’. To fix it, we can change ‘prf’ from the current SHA1 to SHA512. Let’s see if it helps:
 
asa1(config-ikev2-policy)# prf sha512

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity sha512
 group 5
!

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity sha512
 group 5
 prf sha512
 lifetime seconds 86400
!

Let’s ping to initiate the tunnel:

R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 56/94/124 ms
R2#

So, the ping is working fine:

R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          10.0.0.2/500          none/none            READY
      Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/241 sec

 IPv6 Crypto IKEv2  SA 
 
 
 
R1#

asa1(config)# sh crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
220762183          10.0.0.2/500          10.0.0.1/500      READY    INITIATOR
      Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/163 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0x736c82a8/0x31fcaa9b
asa1(config)#
 
 
asa1# sh crypto ipsec sa
interface: outside
    Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2

      access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
      local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
      current_peer: 10.0.0.1

      #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
      #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
      path mtu 1500, ipsec overhead 58, media mtu 1500
      current outbound spi: 31FCAA9B
      current inbound spi : 736C82A8

    inbound esp sas:
      spi: 0x736C82A8 (1936491176)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65536, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4239359/28599)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x000001FF
    outbound esp sas:
      spi: 0x31FCAA9B (838642331)
         transform: esp-3des esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, }
         slot: 0, conn_id: 65536, crypto-map: MAPA
         sa timing: remaining key lifetime (kB/sec): (4285439/28599)
         IV size: 8 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

asa1#

So, it seems to be working fine. I still wonder if we can adjust ISAKMP parameters with ‘md5’, from the first example.

R1:

!
crypto ikev2 proposal IKEV2-PROPOSAL
 encryption 3des
 integrity md5
 group 5
!

ASA1:

!
crypto ikev2 policy 10
 encryption 3des
 integrity md5
 group 5
 prf md5
 lifetime seconds 86400
!
 
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/84/112 ms
R2#

So, when I change prf to md5 (so that it now matches ‘integrity’ on R1), it works fine, as expected:

R1#sh crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         10.0.0.1/500          10.0.0.2/500          none/none            READY
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/12 sec

 IPv6 Crypto IKEv2  SA

R1#

 
 
asa1# sh crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
228933749          10.0.0.2/500          10.0.0.1/500      READY    INITIATOR
      Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/88 sec
Child sa: local selector  20.0.0.1/0 - 20.0.0.1/65535
          remote selector 11.11.11.11/0 - 11.11.11.11/65535
          ESP spi in/out: 0xbfb5537e/0x6214842b
asa1#

Be careful with the PRF: on IOS you can’t set this parameter explicitly.

From Cisco documentation:

IOS: Pseudo-Random Function (PRF) algorithm is the same as the integrity algorithm, and hence, it is not configured separately.

ASA: For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption and so on.

sha (default) - SHA-1 (HMAC variant) - Specifies the pseudo random function (PRF)—the algorithm used to generate keying material.
sha is the default, but you can choose one of the following:
  • md5
  • sha256
  • sha384
  • sha512
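
The field-by-field comparison done by eye on the debug output above can be automated. The following is an added example, not part of the original post: it parses the IOS "Received Policies" and "Expected Policies" debug lines and reports which transform differs. It assumes the field order worked out in the post (encryption, PRF, integrity, DH group) and one algorithm per transform type, as in the post's proposals; the function names are hypothetical.

```python
import re

# Field order in the IOS "Proposal N:" debug line, as worked out in the post:
# encryption, PRF, integrity, DH group (assumes one algorithm per type).
FIELDS = ("encryption", "prf", "integrity", "dh_group")
LINE_RE = re.compile(r"(Received|Expected) Policies: Proposal \d+:\s+(.*\S)")


def parse_policies(debug_text):
    """Return {'Received': {...}, 'Expected': {...}} from IKEv2 debug output."""
    found = {}
    for line in debug_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        # maxsplit keeps "DH_GROUP_1536_MODP/Group 5" together as one field.
        parts = m.group(2).split(None, len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected proposal format: " + line.strip())
        found[m.group(1)] = dict(zip(FIELDS, parts))
    return found


def mismatched_fields(debug_text):
    """List (field, received, expected) for every transform that differs."""
    p = parse_policies(debug_text)
    if "Received" not in p or "Expected" not in p:
        raise ValueError("need both Received and Expected policy lines")
    return [(f, p["Received"][f], p["Expected"][f])
            for f in FIELDS if p["Received"][f] != p["Expected"][f]]


# Sample input: debug lines from the post's first failed attempt
# (ASA with default "prf sha", R1 with "integrity md5").
SAMPLE = """\
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Received Policies: Proposal 1:  3DES SHA1 MD596 DH_GROUP_1536_MODP/Group 5
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy
*May  4 17:28:54.791: IKEv2:(SA ID = 1):Expected Policies: Proposal 1:  3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
"""

if __name__ == "__main__":
    for field, got, want in mismatched_fields(SAMPLE):
        print(f"{field}: peer offered {got}, local policy expects {want}")
```

A result that names only `prf` while `integrity` matches points at the ASA-side `prf` setting rather than at the integrity algorithm.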
