10-05-2022 02:33 PM
So I'm trying to get an IKEv2 tunnel working between my ASA 5516-X running 9.12(4)48 code and a Sonicwall SA3600. We couldn't get an IKEv2 tunnel working AT ALL!! They don't have a PRF selection, and I tried almost everything with no luck.
We finally built an IKEv1 tunnel. P1 AES256-SHA1 DH5, P2 AES256-SHA1 PFS DH5.
My question is this: why is SHA256 not supported in an IKEv1 tunnel?!?! Seems to me that a company making security appliances would want to better secure data through better encryption techniques. The guy at the other end could configure SHA256 for an IKEv1 IPsec tunnel.
10-05-2022 05:50 PM
The same is possible on the IOS platform. IMO it's just a business decision not to implement the newer algorithms on IKEv1.
Initially you say there is no PRF selection. Then it is likely that the Sonicwall defaults to the same algorithm as is used for integrity.
Do you have debugs from your tests? If you tried almost everything, it could be that you just missed the one setting that works.
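As an added illustration of the point in the reply above (this is example configuration written for this thread, not the original poster's config and not taken from Cisco or SonicWall documentation): an ASA IKEv2 policy and IPsec proposal in which the PRF is explicitly set to the same algorithm as the integrity algorithm, which is what a peer with no separate PRF setting will usually derive on its own side. The policy number, proposal name, DH groups and the fallback algorithms listed are assumptions chosen for the example.

```cisco
! Added example, not the original poster's configuration.
! Assumed values: policy 10, proposal SW-AES256-SHA256, groups 14 and 5.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 ! Peer has no PRF knob and derives PRF from integrity, so the first PRF
 ! listed matches integrity; sha is an assumed fallback for older peers.
 prf sha256 sha
 group 14 5
 lifetime seconds 86400
!
crypto ipsec ikev2 ipsec-proposal SW-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
!
! Verification while the peer attempts to bring the tunnel up:
! show crypto ikev2 sa
! show crypto ikev2 sa detail
! debug crypto ikev2 protocol 127
! debug crypto ikev2 platform 127
```

The IKEv2 protocol debug shows the proposal received from the peer and which transform type (encryption, PRF, integrity or DH group) failed to match; comparing that against the SonicWall's phase 1 settings is the quickest way to find the one mismatched parameter rather than trying combinations blindly.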
10-10-2022 05:32 AM
I did set the hash and prf settings to the same (SHA256), and still couldn't get the IKEv2 tunnel to negotiate. Fell back to an IKEv1 config due to operational needs.