topic Re: Ikev2 Ipsec Between Asa and Sonicwall in Network Security

Ikev2 Ipsec Between Asa and Sonicwall

SajeshB — Fri, 22 Jan 2021 18:18:14 GMT

Hi team,

Need help in understanding an issue faced when creating a tunnel between Asa and Sonicwall (Issue got resolved) still need help to understand.

SonicWall: Phase 1

Ikev2

Encryption aes

Authentication sha265

Dh 14

Lifetime 86400

Asa: phase 1

Ikev2

Encryption aes

Integrity sha256

Dh 15

Prf sha

Lifetime 86400

As the issue was with the asa end. The prf was bydefault configured in ikev2 and i i cannot remove that but after changing prf sha to sha256 tunnel come up. Can anyone help me to understand why tunnel come up while changing the prf value i thought either i need to remove that from config or else changing the ikev2 mode to ikve1.

And one more additional thing sonicwall authentication is similar to cisco integrity attribute if im not wrong.

Re: Ikev2 Ipsec Between Asa and Sonicwall

Rob Ingram — Fri, 22 Jan 2021 18:26:56 GMT

Hi @SajeshB

IKE configuration needs to match between peers, it sounds like the Sonicwall was configured with a default prf value of SHA256 and changing the ASA's default value from SHA to SHA256 obviously made the settings match and establish connectivity.

HTH

Re: Ikev2 Ipsec Between Asa and Sonicwall

SajeshB — Fri, 22 Jan 2021 18:51:11 GMT

Yes, i also thought the same. But the other end engineer was also shocked as he was using regularly a sonicwall firewall and he was never heard about prf in phase 1 and when i told him if there is any advance setting in sonic wall where he can check this prf he said no only this much setting he was aware about phase 1. he told also if he will change from ikev2 to mainmode he will get prf option for phase 1 in sonic wall

Re: Ikev2 Ipsec Between Asa and Sonicwall

Rob Ingram — Fri, 22 Jan 2021 19:07:22 GMT

This is probably a question that should be posed to Sonicwall TAC. I imagine that on the Sonicwall the PRF value is automatically set to the same as the integrity value, in your instance SHA256. The fact that on the ASA you had to change the value from SHA to SHA256 in order to get the VPN to establish, indicates that the Sonicwall is using PRF with SHA256, otherwise it would not have worked.

Re: Ikev2 Ipsec Between Asa and Sonicwall

SajeshB — Fri, 22 Jan 2021 19:18:14 GMT

Thanx Rob, i thought i was wrong with my config seems to be an issue with the other end.

Re: Ikev2 Ipsec Between Asa and Sonicwall

SajeshB — Wed, 09 Jun 2021 15:39:00 GMT

Right zaid i have tested this on my lab and then I experienced how sonicwall IPSEC works. But if we see from ASA side then prf and integrity have similar function for authenticate messages might be they need to be same. So the same config I have tested for ASA and palo alto and it works.

Re: Ikev2 Ipsec Between Asa and Sonicwall

shekarnaidu520 — Sun, 22 Sep 2024 07:26:14 GMT

Nice Artcle

Thanks for Sharining With Us