debug crypto ikev2 protocol

Douglas Holmes
Level 1

I wanted to ask if anyone has done a point-to-point VPN with IKEv2 to other vendors like Juniper or Aruba for "Suite B"?  Second, on a debug that I have been working on today I get the following:

IKEv2-PROTO-1: (3357): Received Policies:
Proposal 1:  AES-CBC-256 MD5 DH_GROUP_768_MODP/Group 1
IKEv2-PROTO-1: (3357): Expected Policies:
Proposal 1:  AES-CBC-256 MD5 MD596 DH_GROUP_768_MODP/Group 1

See how they match up except for the MD596?  I have been changing the setting here:

crypto ikev2 policy 1
encryption aes-256
integrity md5
group 1
prf md5
lifetime seconds 86400

But I haven't found in the configuration where the MD596 comes from.  Any idea?  Thanks.

Douglas

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Douglas,

You are most likely using a version using smart defaults.

Example:

GH2_R2#sh run | s crypto ikev2 prop
GH2_R2#sh cry ikev2 propo
IKEv2 proposal: default
     Encryption : AES-CBC-256 AES-CBC-192 AES-CBC-128
     Integrity  : SHA512 SHA384 SHA256 SHA96 MD596
     PRF        : SHA512 SHA384 SHA256 SHA1 MD5
     DH Group   : DH_GROUP_1536_MODP/Group 5 DH_GROUP_1024_MODP/Group 2

I have not done any interoperability tests myself (not my part of the woods) but I would be curious what config you're trying and what are the full debugs.

Edit: Also, version info.

7 Replies

So glad you asked about version:  disk0:/asa10080-48-smp-k8.bin/asdm-70025.bin.  We are using some very beta code that comes with its share of bugs.  The command "sh cry ikev2 propo" doesn't work in this version.  The design is very simple. 

Aruba_to_ASA_P2P.png

But I think this is the part of the configuration.

crypto ikev2 policy 1
encryption aes-256
integrity md5
group 1
prf md5
lifetime seconds 86400

On the Aruba it looks like this:

crypto isakmp policy 1
  version v2
  encryption aes256
  hash md5
  group 1
  prf prf-hmac-md5
  lifetime 86400

I think I am going to reload the ASA and use code version asa861-2-smp-k8.bin.  I then think the commands you offered would work.  I am only debugging "protocol" right now.  I wanted to ensure they match before I move forward.  I deleted all other proposals on both sides so I could more tightly examine this part.  I am new to this so suggestions are welcome.  It's a lab so I don't have an issue sharing full configurations, both of failures and success.  I have attached the configuration that I am using.  Please note that security has not been taken into consideration.

My first attempt is to get them connected "point to point".  The next step is to implement the "Suite B" requirements, and third to implement normal network security practices.  So for now access to the devices is "ip any any".  So each day I sit in my office with two ASAs, two Arubas, a small test network, six computers, and some soon-to-arrive Juniper gear to figure out how to implement Suite B and interoperate the devices.  My experience is mostly large enterprises with very little ASA experience.  However, I am getting better.  I have gotten the two ASA devices to use Suite B certificates to do point to point.  I have also gotten AnyConnect to connect to the ASA using Suite B certificates.  I have done the same with the Aruba gear using their VIA client.

Douglas,

Hold that thought. It wasn't clear to me from first post that you're talking about ASA (and not IOS - where my command comes from).

On ASA you can try "show run all crypto ikev2" this should show you defaults if any.

_IF_ this is a testing setup or you are free to run tests, you might want to try with ASA 9.0 it was released earlier this week.

M.

I had an early version of 9.  I will download the production version and get it running right away.  I ran the command:

ASA5525# show run all crypto ikev2
crypto ikev2 policy 1
encryption aes-256
integrity md5
group 1
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 enable inside
crypto ikev2 cookie-challenge 50
crypto ikev2 limit max-in-negotiation-sa 100
no crypto ikev2 limit max-sa
crypto ikev2 redirect during-auth

Douglas

I should have version 9 running in a very short time.

ASA5525# show ver
Cisco Adaptive Security Appliance Software Version 9.0(1)
Device Manager Version 7.0(1)
Compiled on Fri 26-Oct-12 17:15 PDT by builders
System image file is "disk0:/asa901-smp-k8.bin"
Config file at boot was "startup-config"

Douglas

Played around with this until I got a match.

On the Cisco ASA:

crypto ikev2 policy 1
encryption aes-256
integrity sha384
group 1
prf sha384

On the Aruba:

crypto isakmp policy 1
  version v2
  encryption aes256
  hash sha2-384-192
  group 1
  prf prf-hmac-sha384

Now I have a match on protocol.  Do I have a working tunnel?  Not in the least bit, but I figured a good place to start was to match the proposals.  Which is done.  Now we can troubleshoot further.  You answered correctly that it was the integrity/hash.

I would like to keep this open if you have any other suggestions on getting the devices to play nice.  I am going to turn on some other debugs to see if I can get some more insight on the tunnel. 
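The two posts above hinge on one detail: the keyword in the ASA policy ("integrity md5") and the transform name the protocol debug prints ("MD596", HMAC-MD5-96) are not the same string, so eyeballing the "Received Policies" and "Expected Policies" lines is error-prone. The following script is an added example, not code from the thread, Cisco or Aruba. It renders an ASA "crypto ikev2 policy" block into the names the debug prints, classifies the transforms in a "Proposal N:" line by category, reports which category has no transform in common, and lists which transforms fall short of Suite B (the thread's stated next step). The md5 to MD596 mapping, the SHA names and groups 1/2/5 are taken from the thread; the remaining name mappings, the assumption that the debug prints the PRF before the integrity transform, and the constructed MATCHED line are assumptions marked in comments.

```python
"""Compare IKEv2 'Received'/'Expected' proposal lines from 'debug crypto ikev2
protocol' with what an ASA 'crypto ikev2 policy' block will advertise.
Added example; name tables beyond what the thread shows are assumptions."""
import re

# ASA policy keyword -> transform name printed by the protocol debug.
# "md5" -> "MD596" and the SHA names come from the thread; others are assumed.
ENCR = {"aes": "AES-CBC-128", "aes-192": "AES-CBC-192", "aes-256": "AES-CBC-256"}
INTEG = {"md5": "MD596", "sha": "SHA96", "sha256": "SHA256",
         "sha384": "SHA384", "sha512": "SHA512"}
PRF = {"md5": "MD5", "sha": "SHA1", "sha256": "SHA256",
       "sha384": "SHA384", "sha512": "SHA512"}
DH = {"1": "DH_GROUP_768_MODP/Group 1", "2": "DH_GROUP_1024_MODP/Group 2",
      "5": "DH_GROUP_1536_MODP/Group 5",
      "19": "DH_GROUP_256_ECP/Group 19", "20": "DH_GROUP_384_ECP/Group 20"}  # assumed names
TABLES = {"encryption": ENCR, "prf": PRF, "integrity": INTEG, "group": DH}
ORDER = ("encryption", "prf", "integrity", "group")  # order in the thread's debug line

# Suite B for IKEv2 (RFC 6379): AES-CBC-128/256, SHA-256/384 PRF and
# integrity, ECDH groups 19/20.
SUITE_B = {"encryption": {"AES-CBC-128", "AES-CBC-256"},
           "prf": {"SHA256", "SHA384"}, "integrity": {"SHA256", "SHA384"},
           "group": {DH["19"], DH["20"]}}

# Lines quoted from the thread; MATCHED is constructed from the final config.
RECEIVED = "Proposal 1:  AES-CBC-256 MD5 DH_GROUP_768_MODP/Group 1"
EXPECTED = "Proposal 1:  AES-CBC-256 MD5 MD596 DH_GROUP_768_MODP/Group 1"
MATCHED = "Proposal 1:  AES-CBC-256 SHA384 SHA384 DH_GROUP_768_MODP/Group 1"
ASA_POLICY = """crypto ikev2 policy 1
 encryption aes-256
 integrity md5
 group 1
 prf md5
 lifetime seconds 86400"""

TOKEN = re.compile(r"DH_GROUP_\S+/Group \d+|\S+")  # DH names contain a space


def policy_to_expected(config: str) -> str:
    """Render a 'crypto ikev2 policy' block as the debug's 'Expected Policies' line."""
    chosen = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in TABLES:
            chosen[parts[0]] = parts[1:]
    return " ".join(TABLES[k][v] for k in ORDER for v in chosen[k])


def parse_proposal(line: str) -> dict:
    """Classify the transforms in a 'Proposal N:' line by category."""
    body = line.split(":", 1)[1] if ":" in line else line
    out = {"encryption": [], "prf": [], "integrity": [], "group": []}
    for tok in TOKEN.findall(body):
        if tok.startswith("DH_GROUP_"):
            out["group"].append(tok)
        elif "-CBC-" in tok or "-GCM-" in tok or tok.endswith("DES"):
            out["encryption"].append(tok)
        elif tok.endswith("96"):          # truncated HMAC: integrity only
            out["integrity"].append(tok)
        elif tok in ("MD5", "SHA1"):      # untruncated MD5/SHA1: PRF only
            out["prf"].append(tok)
        elif len(out["prf"]) <= len(out["integrity"]):
            out["prf"].append(tok)        # SHA256/384/512 name both; PRF is printed first
        else:
            out["integrity"].append(tok)
    return out


def unmatched(received: str, expected: str) -> dict:
    """Categories with no transform in common; an empty dict means the peer's
    proposal is acceptable. AEAD ciphers (no separate integrity) are not modelled."""
    r, e = parse_proposal(received), parse_proposal(expected)
    return {cat: {"peer": r[cat], "ours": e[cat]}
            for cat in e if not set(r[cat]) & set(e[cat])}


def suite_b_shortfalls(line: str) -> dict:
    """Transforms in a proposal line that fall outside Suite B, by category."""
    p = parse_proposal(line)
    return {cat: [t for t in p[cat] if t not in SUITE_B[cat]]
            for cat in p if any(t not in SUITE_B[cat] for t in p[cat])}


if __name__ == "__main__":
    print("policy renders as :", policy_to_expected(ASA_POLICY))
    print("mismatch          :", unmatched(RECEIVED, EXPECTED))
    print("after the fix     :", unmatched(MATCHED, MATCHED))
    print("Suite B shortfalls:", suite_b_shortfalls(MATCHED))
```

Run against the thread's own lines, the script reports that the peer's proposal carried no integrity transform at all while the ASA required MD596, which is the mismatch the accepted answer pointed at. The constructed MATCHED line from the final config negotiates cleanly but is still flagged on the DH group, since 768-bit MODP Group 1 is well below the ECDH groups Suite B calls for.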

Got them working with a little help from a good man at Aruba.

On the Cisco end I had to delete:

no crypto isakmp identity address

On the Aruba end I had to delete:

(Aruba650) (config-ipsec-map)#  no peer-cert-dn
(Aruba650) (config-ipsec-map)#  exit
(Aruba650) (config) #exit

If you want to duplicate, use the attached configurations with these changes.  The pre-shared key is password.

We have proved that a Cisco ASA5525 can tunnel to an Aruba 650 with IKEv2 and a pre-shared key.  I will try certs next and share if anyone is interested.  I can see someone asking, why would I want to ever do such a thing.  Well, if you want to do "suite b" you have to use multiple vendors and/or operating systems.

Douglas

Message was edited by: Douglas Holmes to correct the Aruba Configuration file. 
