Cisco ASR1000 and SHA256

hhofstet
Beginner

Hello,

We currently have a pair of Cisco 3945 routers supporting about 1000 policy based IPSec VPNs.  We recently inherited a pair of ASR1004 routers from another part of the business and would like to migrate the VPNs from the 3945s to the ASRs.  We have been doing some testing with the ASRs to a Cisco ASA5506 to validate some of the various configurations.  We set up an IKEv2 configuration between the 2 devices and can only get the tunnel to establish if we use sha1 for the phase 2 transform.  The tunnel fails to establish when we try to use sha256 or sha512 in the phase 2 transform.

Below is a small section of the debug output when trying to use sha256 or sha512.

Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (crypto_ipsec_create_ipsec_sas) Map found vpn-ftr-2, 1
Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FCCC810EDC8
Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (update_current_outbound_sa) updated peer x.x.x.x current outbound sa to SPI 0
Jun 5 00:26:55.144: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FCCCFCFC6F8
Jun 5 00:26:55.144: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 5 00:26:55.144: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Jun 5 00:26:55.144: IPSEC(IPsec Create SAs): failed, free_ident_kmi
Jun 5 00:26:55.144: IPSEC(IPsec Create SAs): failed, free_acl_kmi
Jun 5 00:26:55.144: IKEv2:(SESSION ID = 61,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
Jun 5 00:26:55.145: IKEv2-ERROR:(SESSION ID = 61,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jun 5 00:26:55.145: IKEv2:(SESSION ID = 61,SA ID = 1):Queuing IKE SA delete request reason: unknown
Jun 5 00:26:55.146: IKEv2:(SESSION ID = 61,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xBA0F5CD1]
Jun 5 00:26:55.146: IKEv2:(SESSION ID = 61,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE

Phase 1 doesn't seem to have any issues with sha256 or sha512 integrity hashing.  We only seem to have the problem with phase 2.

We are currently running IOS XE version 17.3.5.

We obviously don't have any issues using the different sha-2 hashing algorithms with our 3945s.  Has anyone else run into this sort of issue?

Regards,

HH
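The debug excerpt above is the kind of output an operator collects from `debug crypto ipsec` / `debug crypto ikev2` while troubleshooting a tunnel that will not come up. As an added example (not from the original post or from Cisco), here is a small Python parser that walks those lines, groups them by IKEv2 session ID, and reports the signals that matter in this case: the crypto map that was matched, any `ASSERT FAILED` message from the IPsec code, whether the IPsec SA install into the IPsec database failed, and which SPIs were deleted as a result. The sample input is the excerpt from the question itself; note that the excerpt does not show which phase 2 integrity algorithm was negotiated, so the parser can only classify the failure, not name its cause.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Debug lines as posted in the question above (copied from the page, not constructed).
DEBUG_EXCERPT = """\
Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (crypto_ipsec_create_ipsec_sas) Map found vpn-ftr-2, 1
Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (get_old_outbound_sa_for_peer) No outbound SA found for peer 7FCCC810EDC8
Jun 5 00:26:55.144: IPSEC:(SESSION ID = 61) (update_current_outbound_sa) updated peer x.x.x.x current outbound sa to SPI 0
Jun 5 00:26:55.144: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :7FCCCFCFC6F8
Jun 5 00:26:55.144: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
Jun 5 00:26:55.144: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
Jun 5 00:26:55.144: IPSEC(IPsec Create SAs): failed, free_ident_kmi
Jun 5 00:26:55.144: IPSEC(IPsec Create SAs): failed, free_acl_kmi
Jun 5 00:26:55.144: IKEv2:(SESSION ID = 61,SA ID = 1):(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database FAILED
Jun 5 00:26:55.145: IKEv2-ERROR:(SESSION ID = 61,SA ID = 1):: Creation/Installation of IPsec SA into IPsec DB failed
Jun 5 00:26:55.145: IKEv2:(SESSION ID = 61,SA ID = 1):Queuing IKE SA delete request reason: unknown
Jun 5 00:26:55.146: IKEv2:(SESSION ID = 61,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0xBA0F5CD1]
Jun 5 00:26:55.146: IKEv2:(SESSION ID = 61,SA ID = 1):Building packet for encryption.
Payload contents:
DELETE
"""

# IOS debug lines start with "Mon D HH:MM:SS.mmm: "; payload dumps do not and are skipped.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (?P<body>.*)$")
SESSION_RE = re.compile(r"SESSION ID = (\d+)")
MAP_RE = re.compile(r"Map found (\S+),")
SPI_RE = re.compile(r"SPI: (0x[0-9A-Fa-f]+)")

# Both spellings of the install failure appear in the excerpt (IPsec side and IKEv2 side).
SA_INSTALL_FAILURE_MARKERS = (
    "Creation of IPsec SA into IPsec database FAILED",
    "Creation/Installation of IPsec SA into IPsec DB failed",
)


@dataclass
class SessionReport:
    session_id: int
    crypto_map: Optional[str] = None
    ipsec_sa_failed: bool = False
    asserts: List[str] = field(default_factory=list)
    deleted_spis: List[str] = field(default_factory=list)


def analyze_debug(text: str) -> Dict[int, SessionReport]:
    """Group IPsec/IKEv2 debug lines by SESSION ID and extract failure signals.

    Lines without a SESSION ID (for example the IPSEC(...) assert lines) are
    attributed to the most recently seen session, which is how they interleave
    in real debug output.
    """
    reports: Dict[int, SessionReport] = {}
    current: Optional[SessionReport] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group("body")
        sm = SESSION_RE.search(body)
        if sm:
            sid = int(sm.group(1))
            current = reports.setdefault(sid, SessionReport(sid))
        if current is None:
            continue  # assert/notify lines before any session line: nothing to attach to
        mm = MAP_RE.search(body)
        if mm:
            current.crypto_map = mm.group(1)
        if "ASSERT FAILED: " in body:
            current.asserts.append(body.split("ASSERT FAILED: ", 1)[1])
        if any(marker in body for marker in SA_INSTALL_FAILURE_MARKERS):
            current.ipsec_sa_failed = True
        sp = SPI_RE.search(body)
        if sp and "DELETE" in body:
            current.deleted_spis.append(sp.group(1))
    return reports


def failed_sessions(reports: Dict[int, SessionReport]) -> List[int]:
    """Session IDs whose IPsec SA could not be installed (the symptom in the question)."""
    return sorted(sid for sid, r in reports.items() if r.ipsec_sa_failed)


if __name__ == "__main__":
    for sid, r in analyze_debug(DEBUG_EXCERPT).items():
        print(f"session {sid}: map={r.crypto_map} sa_install_failed={r.ipsec_sa_failed}")
        for a in r.asserts:
            print(f"  assert: {a}")
        for spi in r.deleted_spis:
            print(f"  deleted SPI: {spi}")
```

The useful check here is `ipsec_sa_failed` together with a recorded assert: IKEv2 phase 1 completed (a session ID and SA ID exist), the crypto map was matched, and the failure happened only when the negotiated child SA was handed to the IPsec dataplane. That pattern points at the dataplane rather than at the IKE policy, which is consistent with the platform-support answer given below.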

3 Replies

Salman Mahajan
Cisco Employee

Hi @hhofstet , 

SHA256 & SHA512 are NGE (Next Generation Encryption) algorithms. NGE dataplane (Phase 2) support for IKEv2/IKEv1 was added in Version XE3.8 (15.3(1)S) for Octeon based platforms only (ASR1006 or ASR1013 with an ESP-100 or ESP-200 module); dataplane (Phase 2) support is not available for other ASR1000 platforms.

Reference document: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html


Hope this helps ! 

Regards
Salman Mahajan 
If this helps with your issue, mark this helpful.



Thank you for the information, Salman.  This confirms my suspicions and gives me the information I needed.

Regards,

HH

Salman Mahajan
Cisco Employee

Hi @hhofstet 

If my response helps with your issue, you can mark this post as resolved.

Regards
Salman Mahajan 
