cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3492
Views
0
Helpful
7
Replies
Highlighted
Beginner

debug crypto ikev2 protocol

I wanted to ask if anyone has done a point to point VPN Ikev2 with other vendors like Juniper or Aruba for "Suite B"?  Second on a debug that I have been working on today I get the following:

IKEv2-PROTO-1: (3357): Received Policies:

Proposal 1:  AES-CBC-256 MD5 DH_GROUP_768_MODP/Group 1

IKEv2-PROTO-1: (3357): Expected Policies:

Proposal 1:  AES-CBC-256 MD5 MD596 DH_GROUP_768_MODP/Group 1

See how they match up except for the MD596, I have been changing the setting here:

crypto ikev2 policy 1

encryption aes-256

integrity md5

group 1

prf md5

lifetime seconds 86400

But haven't found in the configuration where the MD596 comes from.  Any idea?  Thanks. 

Douglas

Everyone's tags (4)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: debug crypto ikev2 protocol

Douglas,

You are most likely using a verion using smart defaults.

example:

GH2_R2#sh run | s crypto ikev2 prop

GH2_R2#sh cry ikev2 propo

IKEv2 proposal: default

     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128

     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596

     PRF        : SHA512 SHA384 SHA256 SHA1 MD5

     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

I have not done any interoperability tests myself (not my part of the woods) but I would be curious what config you're trying and what are the full debugs.

Edit: Also, version info.

View solution in original post

7 REPLIES 7
Cisco Employee

Re: debug crypto ikev2 protocol

Douglas,

You are most likely using a verion using smart defaults.

example:

GH2_R2#sh run | s crypto ikev2 prop

GH2_R2#sh cry ikev2 propo

IKEv2 proposal: default

     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128

     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596

     PRF        : SHA512 SHA384 SHA256 SHA1 MD5

     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

I have not done any interoperability tests myself (not my part of the woods) but I would be curious what config you're trying and what are the full debugs.

Edit: Also, version info.

View solution in original post

Beginner

Re: debug crypto ikev2 protocol

So glad you asked about version:  disk0:/asa10080-48-smp-k8.bin/asdm-70025.bin.  We are using some very beta code that comes with its share of bugs.  The command "sh cry ikev2 propo" doesn't work in this version.  The design is very simple. 

Aruba_to_ASA_P2P.png

But I think this is the part of the configuration. 

crypto ikev2 policy 1

encryption aes-256

integrity md5

group 1

prf md5

lifetime seconds 86400

On the Aruba it looks like this:

crypto isakmp policy 1

  version v2

  encryption aes256

  hash md5

  group 1

  prf prf-hmac-md5

  lifetime 86400

I think I am going to reload the ASA and use code version asa861-2-smp-k8.bin.  I then think the commands you offered would work.  I am only debugging "protocol" right now.  I wanted to ensure they match before I move forward.  I deleted all other proposals on both sides so I could more tightly examine this part.  I am new to this so suggestions are welcome.  Its a lab so I don't have issue sharing full configurations both of failures and sucess.  I have attached the configuration that I am using.  Please note that security has not been taken into consideration.  

My first attempt is to get them connected "point to point".  The next step is to implement the "Suite B" requirements, and third to implement normal network security practices.  So for now access to the devices is "ip any any".  So each day I sit in my office with two ASA's, two Aruba's, a small test network, six computers, and some soon to arrive Juniper Gear to figure out how to implement Suite B and interoperate the devices.  My experience is mosly large enterprises with very little ASA experience.  However, I am getting better.  I have gotten the two ASA devices to use Suite B certificates to do point to point.  I have also gotten the Anyconnect to connect to the ASA using Suite B certificates.  I have done the same with the Aruba gear using their VIA client. 

Cisco Employee

Re: debug crypto ikev2 protocol

Douglas,

Hold that thought. It wasn't clear to me from first post that you're talking about ASA (and not IOS - where my command comes from).

On ASA you can try "show run all crypto ikev2" this should show you defaults if any.

_IF_ this is a testing setup or you are free to run tests, you might want to try with ASA 9.0 it was released earlier this week.

M.

Beginner

Re: debug crypto ikev2 protocol

I had an early version of 9.  I will download the production version and get it running right away.  I ran the command:

ASA5525# show run all crypto ikev2

crypto ikev2 policy 1

encryption aes-256

integrity md5

group 1

prf md5

lifetime seconds 86400

crypto ikev2 enable outside

crypto ikev2 enable inside

crypto ikev2 cookie-challenge 50

crypto ikev2 limit max-in-negotiation-sa 100

no crypto ikev2 limit max-sa

crypto ikev2 redirect during-auth

Douglas

I should have version 9 running in a very short time. 

Beginner

Re: debug crypto ikev2 protocol

ASA5525# show ver

Cisco Adaptive Security Appliance Software Version 9.0(1)

Device Manager Version 7.0(1)

Compiled on Fri 26-Oct-12 17:15 PDT by builders

System image file is "disk0:/asa901-smp-k8.bin"

Config file at boot was "startup-config"

Douglas

Beginner

Re: debug crypto ikev2 protocol

Played around with this until I got a match. 

On the Cisco ASA:

crypto ikev2 policy 1

encryption aes-256

integrity sha384

group 1

prf sha384

On the Aruba:

crypto isakmp policy 1

  version v2

  encryption aes256

  hash sha2-384-192

  group 1

  prf prf-hmac-sha384

Now I have a match on protocol.  Do I have a working tunnel, not in the least bit, but I figured a good place to start was to match the proposals.  Which is done.  Now we can troubleshoot further.  You answered correctly that it was the interigty/hash. 

I would like to keep this open if you have any other suggestions on getting the devices to play nice.  I am going to turn on some other debugs to see if I can get some more insight on the tunnel. 

Beginner

Re: debug crypto ikev2 protocol

Got them working with a little help from a good man at Aruba.

On the Cisco end I had to delete:

no crypto isakmp identity address

On the Aruba end I had to delete:

(Aruba650) (config-ipsec-map)#  no peer-cert-dn

(Aruba650) (config-ipsec-map)#  exit

(Aruba650) (config) #exit

I you want to duplicate, use the attached configurations with these changes.  The pre-shared key is password. 

We have proved that a Cisco ASA5525 can tunnel to an Aruba 650  with ikev2 and a pre-shared key.  I will try certs next and share if  anyone is interested.  I can see someone asking, why would I want to ever do such a thing.  Well if you want to do "suite b" you have to use multiple vendors and/or operating systems. 

Douglas

Message was edited by: Douglas Holmes to correct the Aruba Configuration file.