Ikev2 Ipsec Between Asa and Sonicwall

SajeshB (Level 1)

Hi team,

 

Need help in understanding an issue faced when creating a tunnel between Asa and Sonicwall (Issue got resolved) still need help to understand.

 

SonicWall: Phase 1

Ikev2

Encryption aes

Authentication sha265

Dh 14

Lifetime 86400

 

Asa: phase 1

Ikev2 

Encryption aes

Integrity sha256

Dh 15

Prf sha

Lifetime 86400

 

The issue was at the ASA end. The PRF was configured by default in IKEv2 and I cannot remove it, but after changing the PRF from sha to sha256 the tunnel came up. Can anyone help me understand why the tunnel came up after changing the PRF value? I thought I would either need to remove it from the config or else change from IKEv2 to IKEv1.

One more thing: the SonicWall authentication setting is similar to the Cisco integrity attribute, if I'm not wrong.


5 Replies

Hi @SajeshB

IKE configuration needs to match between peers. It sounds like the SonicWall was configured with a default PRF value of SHA256, and changing the ASA's default value from SHA to SHA256 obviously made the settings match and established connectivity.


HTH


Yes, I also thought the same. But the engineer at the other end was also shocked, as he regularly uses SonicWall firewalls and had never heard about PRF in phase 1. When I asked him whether there is any advanced setting in SonicWall where he could check this PRF, he said no, those were the only phase 1 settings he was aware of. He also told me that if he changes from IKEv2 to main mode he gets a PRF option for phase 1 in SonicWall.

This is probably a question that should be posed to Sonicwall TAC. I imagine that on the Sonicwall the PRF value is automatically set to the same as the integrity value, in your instance SHA256. The fact that on the ASA you had to change the value from SHA to SHA256 in order to get the VPN to establish, indicates that the Sonicwall is using PRF with SHA256, otherwise it would not have worked.
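To make the matching rule in the reply above concrete, here is an added example (not code from the thread or from either vendor) that models IKEv2 proposal matching as RFC 7296 section 3.3 describes it: the responder accepts a proposal only if every transform type (ENCR, PRF, INTEG, D-H) has a common value. The SonicWall helper encodes the thread's inference that PRF follows the integrity hash, and the constructed ASA policy is assumed to list DH group 14 as well as 15 so that only the PRF line differs between the two runs.

```python
# Added example, not code from the thread or from either vendor: a toy model of
# IKEv2 IKE_SA_INIT proposal matching (RFC 7296 section 3.3). The responder
# accepts a proposal only when each transform type (ENCR, PRF, INTEG, D-H)
# has at least one value in common with the initiator's offer.
from dataclasses import dataclass

TRANSFORM_TYPES = ("encr", "prf", "integ", "dh")

@dataclass(frozen=True)
class Ikev2Proposal:
    encr: frozenset
    prf: frozenset
    integ: frozenset
    dh: frozenset

def sonicwall_proposal(encryption, authentication, dh_groups):
    """SonicWall's IKEv2 phase 1 UI has no PRF field. Following the thread's
    conclusion, PRF is assumed to follow the 'Authentication' (integrity) hash."""
    return Ikev2Proposal(frozenset(encryption), frozenset(authentication),
                         frozenset(authentication), frozenset(dh_groups))

def asa_proposal(encryption, integrity, groups, prf):
    """ASA 'crypto ikev2 policy' has an explicit prf line, sent as its own
    transform independent of integrity."""
    return Ikev2Proposal(frozenset(encryption), frozenset(prf),
                         frozenset(integrity), frozenset(groups))

def negotiate(initiator, responder):
    """Return (chosen transforms, transform types with no overlap).
    An empty mismatch list means the IKE SA would come up."""
    chosen, mismatched = {}, []
    for t in TRANSFORM_TYPES:
        common = getattr(initiator, t) & getattr(responder, t)
        if common:
            chosen[t] = sorted(common, key=str)[0]  # deterministic pick
        else:
            mismatched.append(t)
    return chosen, mismatched

def thread_scenario():
    """Constructed inputs modelled on the post. Assumption: the ASA policy
    also lists group 14, so only the PRF line differs between the two runs."""
    sonicwall = sonicwall_proposal({"aes"}, {"sha256"}, {14})
    asa_before = asa_proposal({"aes"}, {"sha256"}, {14, 15}, {"sha"})
    asa_after = asa_proposal({"aes"}, {"sha256"}, {14, 15}, {"sha256"})
    _, before = negotiate(asa_before, sonicwall)
    chosen, after = negotiate(asa_after, sonicwall)
    return before, after, chosen
```

With `prf sha` on the ASA the only transform type without overlap is PRF; once it is `sha256` the negotiation selects aes / sha256 / sha256 / group 14 and the SA would establish, which is the behaviour the thread observed.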

Thanks Rob, I thought I was wrong with my config; it seems to be an issue with the other end.

Right Zaid, I have tested this in my lab and that is how I found out how SonicWall IPsec works. But if we look at it from the ASA side, PRF and integrity have a similar function in authenticating messages, so maybe they need to be the same. I have tested the same config between an ASA and a Palo Alto and it works.
