ikev2 VPN s-2-s - IOS and ASA - pre-shared-key - update
In my last post I tested ikev2 on ASA and IOS and when I tried to work on the configs which I posted there I found one missing parameter. The tunnel didn’t come up and I tried to find why.
R1: Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
ASA1: Cisco Adaptive Security Appliance Software Version 8.4(2)
ISAKMP settings for ASA1 and R1:
ASA1:
!
crypto ikev2 policy 10
encryption 3des
integrity md5
group 5
prf sha
lifetime seconds 86400
!
R1:
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity md5
group 5
!
When I try to ping I see the tunnel can’t come up:
R1#
*May 4 17:28:52.815: IKEv2:(SA ID = 1):Initial exchange failed
R1#
*May 4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:28:54.791: IKEv2:(SA ID = 1):Received Policies: Proposal 1: 3DES SHA1 MD596 DH_GROUP_1536_MODP/Gro
up 5
*May 4 17:28:54.791:
*May 4 17:28:54.791:
*May 4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:28:54.791: IKEv2:(SA ID = 1):Expected Policies: Proposal 1: 3DES MD5 MD596 DH_GROUP_1536_MODP/Grou
p 5
*May 4 17:28:54.791:
*May 4 17:28:54.791:
*May 4 17:28:54.791: IKEv2:(SA ID = 1):Failed to find a matching policy
Why it sends ‘SHA1’ instead of md5? When I change the proposal on ASA:
!
crypto ikev2 policy 10
encryption aes-256
integrity md5
group 5
prf sha
lifetime seconds 86400
!
I see the ASA sends correct encryption algorithm (AES-CBC-256), so ASA is checking the policy 10, but why it sends ‘SHA1’ instead of md5?
R1#
*May 4 17:34:02.131: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:34:02.135: IKEv2:(SA ID = 1):Received Policies: Proposal 1: AES-CBC-256 SHA1 MD596 DH_GROUP_1536_MODP/Group 5
*May 4 17:34:02.139:
*May 4 17:34:02.143:
*May 4 17:34:02.143: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:34:02.147: IKEv2:(SA ID = 1):Expected Policies: Proposal 1: 3DES MD5 MD596 DH_GROUP_1536_MODP/Group 5
*May 4 17:34:02.147:
*May 4 17:34:02.147:
*May 4 17:34:02.147: IKEv2:(SA ID = 1):Failed to find a matching policy
Let’s try to change integrity algorithm from MD5 to SHA512:
ASA1:
!
crypto ikev2 policy 10
encryption 3des
integrity sha512
group 5
prf sha
lifetime seconds 86400
!
R1:
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity sha512
group 5
!
R1#
*May 4 17:39:15.115: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:39:15.119: IKEv2:(SA ID = 1):Received Policies: Proposal 1: 3DES SHA1 SHA512 DH_GROUP_1536_MODP/Group 5
*May 4 17:39:15.123:
*May 4 17:39:15.123:
*May 4 17:39:15.123: IKEv2:(SA ID = 1):Failed to find a matching policy
*May 4 17:39:15.123: IKEv2:(SA ID = 1):Expected Policies: Proposal 1: 3DES SHA512 SHA512 DH_GROUP_1536_MODP/Group 5
*May 4 17:39:15.123:
As we see now the 2nd parameter is not ‘INTEGRITY’ as I thought but ‘PRF’ and it expects SHA512 in proposal. So, on the ASA we can set ‘prf’, not like on routers where the algorithm is the same as for ‘integrity’. So, to fix it we can change current SHA1 for ‘prf’ to SHA512. Let’s see if it helps:
asa1(config-ikev2-policy)# prf sha512
ASA1:
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity sha512
group 5
!
R1:
!
crypto ikev2 policy 10
encryption 3des
integrity sha512
group 5
prf sha512
lifetime seconds 86400
!
Let’s ping to initiate the tunnel:
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
..!!!
Success rate is 60 percent (3/5), round-trip min/avg/max = 56/94/124 ms
R2#
So, the ping is working fine:
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 none/none READY
Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/241 sec
IPv6 Crypto IKEv2 SA
R1#
asa1(config)# sh crypto isakmp sa
There are no IKEv1 SAs
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
220762183 10.0.0.2/500 10.0.0.1/500 READY INITIATOR
Encr: 3DES, Hash: SHA512, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/163 sec
Child sa: local selector 20.0.0.1/0 - 20.0.0.1/65535
remote selector 11.11.11.11/0 - 11.11.11.11/65535
ESP spi in/out: 0x736c82a8/0x31fcaa9b
asa1(config)#
asa1# sh crypto ipsec sa
interface: outside
Crypto map tag: MAPA, seq num: 10, local addr: 10.0.0.2
access-list VPN extended permit ip host 20.0.0.1 host 11.11.11.11
local ident (addr/mask/prot/port): (20.0.0.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (11.11.11.11/255.255.255.255/0/0)
current_peer: 10.0.0.1
#pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 10.0.0.2/500, remote crypto endpt.: 10.0.0.1/500
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: 31FCAA9B
current inbound spi : 736C82A8
inbound esp sas:
spi: 0x736C82A8 (1936491176)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 65536, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4239359/28599)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x000001FF
outbound esp sas:
spi: 0x31FCAA9B (838642331)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 65536, crypto-map: MAPA
sa timing: remaining key lifetime (kB/sec): (4285439/28599)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
asa1#
So, it seems to be working fine. I still wonder if we can adjust ISAKMP parameters with ‘md5’, from the first example.
R1:
!
crypto ikev2 proposal IKEV2-PROPOSAL
encryption 3des
integrity md5
group 5
!
ASA1:
!
crypto ikev2 policy 10
encryption 3des
integrity md5
group 5
prf md5
lifetime seconds 86400
!
R2#ping 11.11.11.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 11.11.11.11, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 60/84/112 ms
R2#
so, when I change prf on md5 (and now it matches with ‘integrity’ on R1) it works fine as expected:
R1#sh crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 none/none READY
Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/12 sec
IPv6 Crypto IKEv2 SA
R1#
asa1# sh crypto ikev2 sa
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id Local Remote Status Role
228933749 10.0.0.2/500 10.0.0.1/500 READY INITIATOR
Encr: 3DES, Hash: MD596, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/88 sec
Child sa: local selector 20.0.0.1/0 - 20.0.0.1/65535
remote selector 11.11.11.11/0 - 11.11.11.11/65535
ESP spi in/out: 0xbfb5537e/0x6214842b
asa1#
Be careful with the PRF as on IOS you can’t set the parameter in the explicit way.
From Cisco documentation:
IOS:
Pseudo-Random Function (PRF) algorithm is the same as the integrity algorithm, and hence, it is not configured separately.
ASA:
For IKEv2, a separate pseudo-random function (PRF) used as the algorithm to derive keying material and hashing operations required for the IKEv2 tunnel encryption and so on.
sha (default) - SHA-1 (HMAC variant) - Specifies the pseudo random function (PRF)—the algorithm used to generate keying material.
The sha is a default one but you can choose following ones:
- md5
- sha256
- sha384
- sha512