ASA Phase 2 Requirements using IKEv2

Hawk
Level 1
Level 1

One of my remote peers is changing equipment in their data center & gave me a list of new requirements in order to establish an IPsec tunnel with them (requirements included in pic). I am running ASA version 9.6(4)3 & notice that the pre-shared key does not get configured within the ikev2 policy like it is in ikev1. I also notice that my peer has multiple ESP encryption options showing the integrity "sha1-hmac" linked with the "aes-256" in the same line. When I configure the ikev2 proposal I do not even see a sha-1 "hmac" option, only seeing "gmac". I would really appreciate some advice. This is the config I plan to use for the requirements given. Am I missing something?

crypto ikev2 enable outside

crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 24 14
 prf sha
 lifetime seconds 86400

crypto ipsec ikev2 ipsec-proposal ESP-AES-256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1

crypto map ikev2_outside_map 65 match address ACL-1
crypto map ikev2_outside_map 65 set pfs group24
crypto map ikev2_outside_map 65 set peer 1.2.3.4
crypto map ikev2_outside_map 65 set ikev2 ipsec-proposal ESP-AES-256-SHA1
crypto map ikev2_outside_map 65 set security-association lifetime seconds 86400

crypto map ikev2_outside_map interface outside

group-policy POLICY_L2L internal
group-policy POLICY_L2L attributes
 vpn-filter value ACL-2
 vpn-tunnel-protocol ikev2

tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 general-attributes
 default-group-policy POLICY_L2L
tunnel-group 1.2.3.4 ipsec-attributes
 ikev2 local-authentication pre-shared-key abc123
 ikev2 remote-authentication pre-shared-key abc123

! leaving out the ACLs & NAT exemption configurations

[Attachment: Capture.PNG]

9 Replies

Hi,

If you are using that screenshot as a reference for configuring the IKEv2 IPSec Proposal then that might be misleading you; the encryption and integrity algorithms are defined separately on the ASA. GMAC is only available when defining the encryption algorithm, HMAC is only available when defining the integrity algorithm, which is what you observe in your output configuration.


If you are using the next gen (Suite B) GCM algorithm for the IKEv2 Policy (which is fine) you would also want to use this for the IPSec Proposal. Use the suggestion below instead, which does partially match the requirements screenshot you provided. In this instance both aes-gcm-256 and aes-gcm-192 are defined; it will attempt to use 256 first, and if there is no match it will then attempt 192. You could add the other encryption/integrity algorithms but they aren't Suite B (which aren't the latest algorithms).

crypto ipsec ikev2 ipsec-proposal ESP-AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192

GCM is used for encryption and integrity/hash, so therefore you do not need to define an SHA-1 or SHA-2 algorithm.

HTH

Thanks for the helpful feedback. I understand now that GCM encryption does not need hash/integrity/prf. When configuring the ikev2 policy I see that by default the string "prf sha" is included. When I try to use "no prf sha" the ASA accepts the command but when I "show run" I still see it in the ikev2 policy. Is this going to be a problem & cause the tunnel not to establish? Also is there a way to add PFS to phase 1? Perhaps in the ikev2 policy?

crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 24 14 <--- any way to add PFS to this config?
 prf sha <---- can't remove from config using "no". Maybe try "prf no" or "prf ?" & find a way to remove?
 lifetime seconds 86400

Hi,
PFS is enabled under the crypto map - e.g. - "crypto map outside-map 1 set pfs"
When using IKEv2, PRF is required; sha is the default, you can change it but not remove it.

HTH
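As an added check (my own example, not code from the thread or from Cisco), this Python script lints an ASA "show run" excerpt for the points raised in the answers above: GCM in the IKEv2 policy goes with "integrity null", PRF must stay present, a GCM IPsec proposal should carry no separate integrity line, and PFS is set on the crypto map rather than the IKEv2 policy. The sample config is constructed to contain two of those mistakes.

```python
# Constructed ASA-style "show run" excerpt (not the poster's device): SHA-1 integrity on a GCM proposal, no 'set pfs'.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 prf sha
crypto ipsec ikev2 ipsec-proposal ESP-AES-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192
 protocol esp integrity sha-1
crypto map ikev2_outside_map 65 set peer 1.2.3.4
crypto map ikev2_outside_map 65 set ikev2 ipsec-proposal ESP-AES-GCM
"""

def parse_blocks(text):
    """Map each top-level line to its indented sub-lines ({header: [lines]})."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            blocks.setdefault(current, [])   # crypto map lines have no sub-lines
    return blocks

def lint_ikev2(text):
    """Return findings based on the ASA behaviour described in the thread."""
    findings, blocks = [], parse_blocks(text)
    for header, lines in blocks.items():
        if header.startswith("crypto ikev2 policy"):
            enc = next((l for l in lines if l.startswith("encryption ")), "")
            integ = next((l for l in lines if l.startswith("integrity ")), "")
            if "gcm" in enc and integ != "integrity null":
                findings.append(f"{header}: GCM encryption needs 'integrity null'")
            if not any(l.startswith("prf ") for l in lines):
                findings.append(f"{header}: PRF is mandatory for IKEv2 (default 'prf sha')")
        elif header.startswith("crypto ipsec ikev2 ipsec-proposal"):
            enc = next((l for l in lines if "esp encryption" in l), "")
            has_integ = any("esp integrity" in l for l in lines)
            if "gcm" in enc and has_integ:
                findings.append(f"{header}: GCM already authenticates; drop 'protocol esp integrity'")
            elif "gcm" not in enc and not has_integ:
                findings.append(f"{header}: non-GCM ESP cipher needs 'protocol esp integrity'")
    maps = [h for h in blocks if h.startswith("crypto map ")]
    for entry in {h.split(" set peer ")[0] for h in maps if " set peer " in h}:
        if not any(h.startswith(entry + " set pfs") for h in maps):
            findings.append(f"{entry}: no 'set pfs' (PFS is set on the crypto map, not the IKEv2 policy)")
    return findings
```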

Is PFS capable of being enabled on phase 1? My peer just sent an updated document requiring PFS for phase 1.  From my understanding crypto maps work in phase 2.  What are your thoughts.

[Attachment: Capture.PNG]

Well PFS is only enabled in the crypto map, when enabled, a negotiation of a new phase 2 SA between the peer gateways will generate a new set of phase 1 keys. It's not an option to configure under the IKEv2 Policy on the ASA.

https://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ikevpn/configuration/15-1mt/Configuring_Internet_Key_Exchange_Version_2.html

may be more dry than you're looking for but does confirm Cisco supports it.

IKEv2 Supported Standards

Cisco implements the IP Security Protocol (IPsec) standard for use in IKEv2.

The component technologies implemented in IKEv2 are as follows:

  • AES-CBC--Advanced Encryption Standard-Cipher Block Chaining
  • DES--Data Encryption Standard
  • Diffie-Hellman--A public-key cryptography protocol
  • MD5 (HMAC variant)--Message digest algorithm 5
  • SHA (HMAC variant)--Secure Hash Algorithm

ex:

!
crypto ipsec transform-set transform1 esp-3des esp-sha-hmac
!
crypto ipsec profile ipsec-profile1
 set transform-set transform1
 set ikev2-profile ikev2-profile1

Hi Team,

So, what about prf? I'm getting VPN requirements from a peer which has Palo Alto on their side, in Palo you can just skip integrity/hash, which in ASA you can also apply integrity null command... The problem is, it'll add prf sha by default, could this be messing up the tunnel creation?

Thanks!

alexandro.angel@softtek.com PRF is mandatory in the SA INIT phase and you must define the same algorithm (SHA, SHA256 etc) as the Palo Alto Firewall. You only set integrity/hash to null if using AES-GCM.

If you have further issues please create a new post with debug information, relevant configuration and what algorithms the Palo Alto firewall is using.

Sorry, yes I'm using AES-GCM so I have configured integrity null... But PRF is still there with the default prf sha parameter.

Thanks again!