01-22-2021 10:18 AM
Hi team,
Need help understanding an issue faced when creating a tunnel between an ASA and a SonicWall (the issue got resolved, but I still need help to understand it).
SonicWall: Phase 1
  IKEv2
  Encryption aes
  Authentication sha256
  DH 14
  Lifetime 86400

ASA: Phase 1
  IKEv2
  Encryption aes
  Integrity sha256
  DH 15
  PRF sha
  Lifetime 86400
As the issue was with the ASA end: the PRF was configured by default in IKEv2 and I cannot remove it, but after changing PRF sha to sha256 the tunnel came up. Can anyone help me understand why the tunnel came up when changing the PRF value? I thought I either needed to remove it from the config or change the IKEv2 mode to IKEv1.
One more thing: SonicWall's authentication is similar to Cisco's integrity attribute, if I'm not wrong.
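To see why a PRF value that does not appear in the SonicWall GUI can still block the tunnel, here is a small model of IKEv2 proposal selection (RFC 7296 section 3.3). This is added example code, not anything from the thread, Cisco or SonicWall. It parses an ASA `crypto ikev2 policy` block into per-transform-type value lists and checks each type against a constructed SonicWall proposal. Two assumptions are made and marked in the code: the SonicWall's PRF is taken to follow its authentication setting (the thread's own inference), and the ASA policy is given `group 14 15` so that the DH group is not the transform that fails first, since the thread lists only DH 15 on the ASA.

```python
"""Toy IKEv2 proposal matcher, modelling RFC 7296 section 3.3 semantics.

Constructed example for this thread: each peer's IKE_SA_INIT proposal is a
mapping transform-type -> ordered list of acceptable transform IDs. A
proposal is selected only if every transform type has at least one value
both peers accept. PRF (type 2) is a transform of its own, separate from
INTEG (type 3), so an ASA 'prf' that differs from the peer's effective PRF
blocks the SA even when encryption, integrity and DH group already match.
"""

from typing import Dict, List

# Transform type numbers from RFC 7296 section 3.3.2.
ENCR, PRF, INTEG, DH = 1, 2, 3, 4
TYPE_NAMES = {ENCR: "ENCR", PRF: "PRF", INTEG: "INTEG", DH: "D-H"}

Proposal = Dict[int, List[str]]

# ASA policy keywords -> transform type. 'lifetime' is deliberately absent:
# IKEv2 lifetimes are local policy and are never negotiated on the wire.
ASA_KEYWORDS = {"encryption": ENCR, "integrity": INTEG, "prf": PRF, "group": DH}
# The ASA spells SHA-1 as plain 'sha'; normalise so peers compare like for like.
NORMALISE = {"sha": "sha1"}


def parse_asa_ikev2_policy(text: str) -> Proposal:
    """Turn the body of a 'crypto ikev2 policy' block into a Proposal.

    Each keyword line may carry several values (e.g. 'group 14 15'),
    and the order given is the order the ASA prefers them in.
    """
    proposal: Proposal = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ASA_KEYWORDS:
            continue
        proposal[ASA_KEYWORDS[parts[0]]] = [NORMALISE.get(v, v) for v in parts[1:]]
    return proposal


def missing_transforms(initiator: Proposal, responder: Proposal) -> List[str]:
    """Names of transform types with no value common to both peers."""
    missing = []
    for ttype in (ENCR, PRF, INTEG, DH):
        if not set(initiator.get(ttype, [])) & set(responder.get(ttype, [])):
            missing.append(TYPE_NAMES[ttype])
    return missing


def select_proposal(initiator: Proposal, responder: Proposal) -> Dict[str, str]:
    """Responder's choice: its own first preference that the initiator accepts.

    Raises ValueError (the equivalent of NO_PROPOSAL_CHOSEN) on any gap.
    """
    gaps = missing_transforms(initiator, responder)
    if gaps:
        raise ValueError("NO_PROPOSAL_CHOSEN: no common " + ", ".join(gaps))
    chosen = {}
    for ttype in (ENCR, PRF, INTEG, DH):
        offered = set(initiator[ttype])
        chosen[TYPE_NAMES[ttype]] = next(v for v in responder[ttype] if v in offered)
    return chosen


# --- Constructed peers modelled on the thread --------------------------------
# SonicWall phase 1: IKEv2, AES, 'Authentication' SHA-256, DH 14. The thread's
# conclusion is that the SonicWall derives its PRF from that authentication
# setting, so PRF sha256 here is an assumption, not a visible setting.
SONICWALL: Proposal = {ENCR: ["aes"], INTEG: ["sha256"], PRF: ["sha256"], DH: ["14"]}

# ASA policies as config text. 'group 14 15' is an assumption for this example
# so that the DH group is not the blocking transform; the thread lists only
# DH 15 on the ASA.
ASA_BEFORE = """
crypto ikev2 policy 10
 encryption aes
 integrity sha256
 group 14 15
 prf sha
 lifetime seconds 86400
"""
ASA_AFTER = ASA_BEFORE.replace(" prf sha\n", " prf sha256\n")


def troubleshoot(asa_config: str) -> List[str]:
    """First thing to check: which transform types fail to match the peer."""
    return missing_transforms(SONICWALL, parse_asa_ikev2_policy(asa_config))


if __name__ == "__main__":
    print("before:", troubleshoot(ASA_BEFORE))
    print("after: ", troubleshoot(ASA_AFTER))
    print(select_proposal(SONICWALL, parse_asa_ikev2_policy(ASA_AFTER)))
```

Run as a script it reports `['PRF']` for the original ASA policy and `[]` after the PRF change, which is the whole story of the thread: integrity already matched, the separately negotiated PRF transform did not. The same `troubleshoot` idea is what a `debug crypto ikev2` NO_PROPOSAL_CHOSEN message is telling you, just without naming the offending transform.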
01-22-2021 11:07 AM
This is probably a question that should be posed to Sonicwall TAC. I imagine that on the Sonicwall the PRF value is automatically set to the same as the integrity value, in your instance SHA256. The fact that on the ASA you had to change the value from SHA to SHA256 in order to get the VPN to establish, indicates that the Sonicwall is using PRF with SHA256, otherwise it would not have worked.
01-22-2021 10:25 AM - edited 01-22-2021 10:26 AM
Hi @SajeshB
IKE configuration needs to match between peers; it sounds like the SonicWall was configured with a default PRF value of SHA256, and changing the ASA's default value from SHA to SHA256 obviously made the settings match and establish connectivity.
HTH
01-22-2021 10:51 AM
Yes, I also thought the same. But the engineer at the other end was also surprised, as he uses SonicWall firewalls regularly and had never heard about PRF in phase 1. When I asked him whether there is any advanced setting in the SonicWall where he could check this PRF, he said no, those were the only phase 1 settings he was aware of. He also told me that if he changed from IKEv2 to main mode, he would get a PRF option for phase 1 on the SonicWall.
01-22-2021 11:18 AM
Thanks Rob, I thought I was wrong with my config; it seems to be an issue with the other end.
06-09-2021 08:39 AM
Right Zaid, I have tested this in my lab and then I experienced how SonicWall IPsec works. But if we see it from the ASA side, then PRF and integrity have similar functions for authenticating messages; maybe they need to be the same. I have tested the same config for ASA and Palo Alto and it works.