
IKEv2 IPsec Between ASA and SonicWall

SajeshB
Level 1

Hi team,

 

I need help understanding an issue I faced when creating a tunnel between an ASA and a SonicWall. The issue got resolved, but I still need help to understand it.

SonicWall: Phase 1

IKEv2

Encryption aes

Authentication sha256

DH 14

Lifetime 86400

ASA: Phase 1

IKEv2

Encryption aes

Integrity sha256

DH 15

PRF sha

Lifetime 86400

The issue was at the ASA end. The PRF was configured by default in IKEv2 and I cannot remove it, but after changing PRF sha to sha256 the tunnel came up. Can anyone help me understand why the tunnel came up when changing the PRF value? I thought I either needed to remove it from the config or else change the IKEv2 mode to IKEv1.

And one more additional thing: SonicWall authentication is similar to the Cisco integrity attribute, if I'm not wrong.


Hi @SajeshB 

IKE configuration needs to match between peers. It sounds like the SonicWall was configured with a default PRF value of SHA256, and changing the ASA's default value from SHA to SHA256 obviously made the settings match and establish connectivity.

 

HTH


Yes, I also thought the same. But the engineer at the other end was also shocked, as he regularly uses a SonicWall firewall and had never heard about PRF in phase 1. When I asked him whether there is any advanced setting in SonicWall where he can check this PRF, he said no, these are the only phase 1 settings he was aware of. He also said that if he changes from IKEv2 to main mode, he will get a PRF option for phase 1 in SonicWall.

This is probably a question that should be posed to SonicWall TAC. I imagine that on the SonicWall the PRF value is automatically set to the same as the integrity value, in your instance SHA256. The fact that on the ASA you had to change the value from SHA to SHA256 in order to get the VPN to establish indicates that the SonicWall is using PRF with SHA256; otherwise it would not have worked.

Thanks Rob, I thought I was wrong with my config; it seems to be an issue with the other end.

zaidmd
Level 1

Hi

I was also facing the same error, which I could not remove, but after changing PRF SHA to SHA256 the tunnel came up. After checking this thread and implementing it, I resolved my issue. Actually, the SonicWall PRF value is automatically set to the same as the integrity value, in my case SHA256.

Thank you

Right Zaid, I have tested this in my lab and experienced how SonicWall IPsec works. But if we look at it from the ASA side, PRF and integrity have a similar function for authenticating messages, so maybe they need to be the same. I have tested the same config for ASA and Palo Alto and it works.
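
The behaviour discussed in this thread, as an added example that is not part of any post: in IKEv2 the PRF is its own transform type, negotiated alongside encryption, integrity and DH group (RFC 7296), so a peer that exposes no PRF setting still proposes one. The sketch is a simplified model of that selection. The function names, the policy dictionaries and the "PRF follows the authentication hash" rule for the SonicWall side are assumptions (the last one taken from the accepted answer's guess), and the DH group is set to 14 on both sides so that the PRF is the only difference.

```python
# Added example: simplified IKEv2 IKE-SA transform selection (after RFC 7296).
# Policy values are constructed from the settings quoted in the thread.

# Transform types negotiated for the IKE SA (INTEG is dropped only for AEAD ciphers).
TRANSFORM_TYPES = ("ENCR", "PRF", "INTEG", "DH")


def sonicwall_policy(encr, auth, dh):
    # Assumption from the accepted answer: no PRF knob, PRF follows the auth hash.
    return {"ENCR": [encr], "PRF": [auth], "INTEG": [auth], "DH": [dh]}


def asa_policy(encr, integ, prf, dh):
    # The ASA policy carries PRF as its own line, separate from integrity.
    return {"ENCR": [encr], "PRF": [prf], "INTEG": [integ], "DH": [dh]}


def select_proposal(initiator, responder):
    """Return (chosen, []) on success or (None, types_without_overlap)."""
    chosen, missing = {}, []
    for ttype in TRANSFORM_TYPES:
        accepted = responder.get(ttype, [])
        # Simplification: take the first offered value the responder accepts.
        match = next((v for v in initiator.get(ttype, []) if v in accepted), None)
        if match is None:
            missing.append(ttype)
        else:
            chosen[ttype] = match
    # One type without overlap fails the whole proposal (NO_PROPOSAL_CHOSEN).
    return (None, missing) if missing else (chosen, [])


SONICWALL = sonicwall_policy("aes", "sha256", 14)
ASA_BEFORE = asa_policy("aes", "sha256", "sha", 14)     # prf sha
ASA_AFTER = asa_policy("aes", "sha256", "sha256", 14)   # prf sha256

if __name__ == "__main__":
    for label, asa in (("prf sha", ASA_BEFORE), ("prf sha256", ASA_AFTER)):
        chosen, missing = select_proposal(SONICWALL, asa)
        if chosen is None:
            print(f"{label}: NO_PROPOSAL_CHOSEN, no common {', '.join(missing)}")
        else:
            print(f"{label}: proposal accepted with {chosen}")
```

When a tunnel fails with matching encryption, integrity and DH values, the same per-type comparison applied to both peers' effective settings shows which transform type has no overlap.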
