ASR 1002 IPSec NGE algorithms support

Hello!

We have ASR1002-5G-SEC/K9

 

We have to configure an IPSec VPN with these parameters:

!
crypto isakmp policy 15
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
 lifetime 7200
!
crypto ipsec transform-set Profil esp-aes 256 esp-sha256-hmac
 mode tunnel
!

But it did not work until we changed the transform-set to esp-aes 256 esp-sha-hmac (from esp-sha256-hmac).

We see the message crypto_engine_select_crypto_engine: can't handle any more

 

We also tried IKEv2 as a test between 2 ASRs:

crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-256
 integrity sha256
 group 5
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
!
crypto ikev2 keyring keys
 peer ASR1002A
  address 192.168.xxx.130
  pre-shared-key local cisco
  pre-shared-key remote cisco
!
crypto ikev2 profile ikev2profile
 match identity remote address 192.168.xxx.130 255.255.255.248
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
!
crypto ipsec transform-set Profil esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map SSB 2 ipsec-isakmp
 set peer 192.168.xxx.130
 set transform-set Profil
 set pfs group5
 set ikev2-profile ikev2profile
 match address PTB_vpn
!
ip access-list extended PTB_vpn
 permit icmp host 192.168.xxx.132 host 192.168.xxx.130
!
interface GigabitEthernet0/0/1.552
 encapsulation dot1Q 552
 ip address 192.168.xxx.132 255.255.255.248
 no ip proxy-arp
 crypto map SSB

 

But the situation is the same. It does not work until we change esp-sha256-hmac to esp-sha-hmac.

 

Dec 15 19:57:22.783: IPSEC:(SESSION ID = 113) (key_engine) request timer fired: count = 3,
  (identity) local= 192.168.xxx.130:0, remote= 192.168.xxx.132:0,
    local_proxy= 192.168.xxx.130/255.255.255.255/1/0,
    remote_proxy= 192.168.xxx.132/255.255.255.255/1/0
Dec 15 19:57:22.783: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.xxx.130:500, remote= 192.168.xxx.132:500,
    local_proxy= 192.168.xxx.130/255.255.255.255/1/0,
    remote_proxy= 192.168.xxx.132/255.255.255.255/1/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 15 19:57:22.784: crypto_engine: Create DH
Dec 15 19:57:22.813: crypto_engine: Create DH shared secret
Dec 15 19:57:22.817: crypto_engine: Create IKEv2 SA
Dec 15 19:57:22.817: crypto engine: deleting DH phase 2 SW:172
Dec 15 19:57:22.817: crypto_engine: Delete DH shared secret
Dec 15 19:57:22.817: crypto_engine: Generate IKEv2 auth
Dec 15 19:57:22.817: crypto_engine: Encrypt IKEv2 packet
Dec 15 19:57:22.818: crypto_engine: Generate IKEv2 hash
Dec 15 19:57:22.843: crypto_engine: Generate IKEv2 hash
Dec 15 19:57:22.843: crypto_engine: Decrypt IKEv2 packet
Dec 15 19:57:22.852: crypto_engine: Generate IKEv2 auth
Dec 15 19:57:22.864: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 15 19:57:22.864: IPSEC(validate_proposal_request): proposal part #1
Dec 15 19:57:22.864: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) INBOUND local= 192.168.xxx.130:0, remote= 192.168.xxx.132:0,
    local_proxy= 192.168.xxx.130/255.255.255.255/1/0,
    remote_proxy= 192.168.xxx.132/255.255.255.255/1/0,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Dec 15 19:57:22.864: Crypto mapdb : proxy_match
                src addr     : 192.168.xxx.130
                dst addr     : 192.168.xxx.132
                protocol     : 1
                src port     : 0
                dst port     : 0
Dec 15 19:57:22.864: (ipsec_process_proposal)Map Accepted: SSB, 2
Dec 15 19:57:22.879: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Dec 15 19:57:22.879: Crypto mapdb : proxy_match
                src addr     : 192.168.xxx.130
                dst addr     : 192.168.xxx.132
                protocol     : 1
                src port     : 0
                dst port     : 0
Dec 15 19:57:22.879: IPSEC:(SESSION ID = 113) (crypto_ipsec_create_ipsec_sas) Map found SSB, 2
Dec 15 19:57:22.879: crypto_engine_select_crypto_engine: can't handle any more
Dec 15 19:57:22.880: crypto_engine_select_crypto_engine: can't handle any more
Dec 15 19:57:22.880: crypto_engine_ipsec_key_create_by_qmv2: no IPSec engine
Dec 15 19:57:22.880: IPSEC:(SESSION ID = 113) (get_old_outbound_sa_for_peer) No outbound SA found for peer 3E52F33C
Dec 15 19:57:22.880: IPSEC:(SESSION ID = 113) (update_current_outbound_sa) updated peer 192.168.xxx.132 current outbound sa to SPI 0
Dec 15 19:57:22.880: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :442204F4
Dec 15 19:57:22.880: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Dec 15 19:57:22.880: crypto engine: deleting IPSec SA ???
Dec 15 19:57:22.880: delete_ipsec_sa: no such crypto engine
Dec 15 19:57:22.880: crypto engine: deleting IPSec SA ???
Dec 15 19:57:22.880: delete_ipsec_sa: no such crypto engine

 

 

IOS version - asr1000rp1-adventerprisek9.03.10.04.S.153-3.S4-ext.bin

 

sh crypto engine br

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  FF99B796
       crypto engine state:  installed
     crypto engine in slot:  N/A

sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine IOSXE-ESP(14) details: state = Active
Capability    : DES, 3DES, AES, RSA, IPv6, GDOI, FAILCLOSE

IPSec-Session :   320 active, 32766 max, 0 failed

sh platform
Chassis type: ASR1002

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
0         ASR1002-SIP10       ok                    2d23h
 0/0      4XGE-BUILT-IN       ok                    2d22h
 0/2      SPA-4X1FE-TX-V2     ok                    2d22h
R0        ASR1002-RP1         ok, active            2d23h
F0        ASR1000-ESP5        ok, active            2d23h
P0        ASR1002-PWR-AC      ok                    2d23h
P1        ASR1002-PWR-AC      ok                    2d23h

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         07120202            12.2(33r)XNC
R0        08011017            12.2(33r)XNC
F0        07091401            12.2(33r)XNB

show crypto ace slot 14 stat | inc status
ACE status: ONLINE

 

Could you please help us to understand why IPSec does not work with crypto ipsec transform-set Profil esp-aes 256 esp-sha256-hmac?

 

Thank you!
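A small triage helper over debug output of the kind shown in the post above, written here as an added example rather than anything from the post or from Cisco: it pairs the transform in each IPSEC(sa_request) / validate_proposal_request message with the crypto-engine failure lines that follow it, so a reviewer can see which transform-set (and which ESP integrity algorithm) no engine would take. The log sample is constructed from the post's output, and the failure-marker strings and the ESP keyword map are assumptions based on the debug text shown.

```python
"""Triage Cisco IOS-XE IPsec debug output: tie a negotiated transform to the
crypto-engine selection failures logged after it. Added example, not Cisco code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, condensed from the debug excerpt in the post above.
SAMPLE_LOG = """\
Dec 15 19:57:22.783: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.xxx.130:500, remote= 192.168.xxx.132:500,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
Dec 15 19:57:22.864: IPSEC(validate_proposal_request): proposal part #1,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
Dec 15 19:57:22.879: IPSEC:(SESSION ID = 113) (crypto_ipsec_create_ipsec_sas) Map found SSB, 2
Dec 15 19:57:22.879: crypto_engine_select_crypto_engine: can't handle any more
Dec 15 19:57:22.880: crypto_engine_ipsec_key_create_by_qmv2: no IPSec engine
Dec 15 19:57:22.880: delete_ipsec_sa: no such crypto engine
"""

TRANSFORM_RE = re.compile(r"transform=\s*(?P<t>.+?)\s+\((?P<mode>Tunnel|Transport)\)")
SESSION_RE = re.compile(r"SESSION ID = (\d+)")
# Debug strings meaning no crypto engine accepted the SA (assumed from the post's log).
ENGINE_FAIL_MARKERS = ("can't handle any more", "no IPSec engine", "no such crypto engine")
# IOS ESP integrity keywords -> hash family, so the report can name the algorithm at fault.
INTEGRITY = {"esp-md5-hmac": "MD5", "esp-sha-hmac": "SHA-1", "esp-sha256-hmac": "SHA-256",
             "esp-sha384-hmac": "SHA-384", "esp-sha512-hmac": "SHA-512"}

@dataclass
class Finding:
    transform: str
    mode: str
    session: Optional[str] = None
    markers: List[str] = field(default_factory=list)

def integrity_of(transform: str) -> Optional[str]:
    """Return the hash family of the ESP integrity keyword in a transform string."""
    return next((INTEGRITY[k] for k in transform.split() if k in INTEGRITY), None)

def triage(log: str) -> List[Finding]:
    """Attribute each engine-failure marker to the most recently negotiated transform."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            transform, mode = " ".join(m["t"].split()), m["mode"]
            # The same proposal is logged twice (sa_request, validate_proposal_request): merge.
            if not findings or findings[-1].transform != transform or findings[-1].markers:
                findings.append(Finding(transform, mode))
            continue
        if findings:
            s = SESSION_RE.search(line)
            if s and findings[-1].session is None:
                findings[-1].session = s.group(1)
            findings[-1].markers.extend(k for k in ENGINE_FAIL_MARKERS if k in line)
    return [f for f in findings if f.markers]  # only transforms that hit a failure

def report(f: Finding) -> str:
    return (f"session {f.session}: no crypto engine accepted {f.transform!r} ({f.mode}, "
            f"{integrity_of(f.transform)} integrity); markers: {', '.join(f.markers)}")
```

Run it over a full `debug crypto ipsec` / `debug crypto engine` capture; a finding whose integrity is SHA-2 on a platform whose `show crypto eli` capability list does not cover it is the pattern this thread describes.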


Marcin Latosiewicz, Cisco Employee

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html

Support for NGE control plane (ECDH and ECDSA) has been introduced with XE37. Control plane SHA-2 support is for IKEv2 only (with planned IKEv1 support for XE3.10). Dataplane support is added in XE3.8 for Octeon based platforms (ASR1002-X and ESP100).

 

and CSCtn18426

 

I think you need to go for 15.3.3s 

Hello, Marcin

Thank you for your reply!

We used asr1000rp1-adventerprisek9.03.10.04.S.153-3.S4-ext.bin. It is 15.3.3s, correct?

We tried with asr1000rp1-adventerprisek9.03.13.01.S.154-3.S1-ext.bin, result was same.

Thank you for the information regarding CSCtn18426. But we tried with ikev2, result was same.

 

 

The answer from Cisco TAC: ASR1002-5G-SEC/K9 does not support NGE. You must have an ASR1002-X or ESP100.

 

Comment: we tried NGE with an ISR 2821, and NGE works there.

Hi Marcin,

DMVPN does not establish using SHA-256 (it works fine with SHA-1).

Is SHA-256 supported now on ASR 1004?

HW: Cisco ASR1004 (RP2) processor (revision RP2) with 4164879K/6147K bytes of memory.

SW:
Cisco IOS XE Software, Version 03.13.04.S - Extended Support Release
Cisco IOS Software, ASR1000 Software (X86_64_LINUX_IOSD-ADVENTERPRISEK9-M), Version 15.4(3)S4, RELEASE SOFTWARE (fc3)
System image file is "bootflash:asr1000rp2-adventerprisek9.03.13.04.S.154-3.S4-ext.bi"

Config:
crypto isakmp policy 20
 encr aes 256
 hash sha256
 group 14

crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport require

Thx in advance for clarification!