FPR-2110, ASDM 7.14(1) , ASA 9.14(3) , IKEv1 Group-14 usable for PFS?

JVD66 (Level 1)

Good day -

  I am trying to configure an FPR-2110 to follow instructions on connecting to an APN gateway,
  which specify using a VTI IPsec tunnel with IKEv1 pre-shared key only, with PFS enabled,
  DH-Group-21 initially, which they kindly changed to DH-Group-14 for us. But now I find that,
  though I can select "Enable Perfect Forwarding Secrecy" with DH-Group 21 or 14 on the
  Configuration -> Site-To-Site VPN -> Advanced -> Crypto Maps -> Edit tab,
  attempts to select DH-Group 21 or 14 on that tab are ignored: when I go to the
  Configuration -> Site-To-Site VPN -> Connection Profiles -> Edit Connection Profile -> Advanced -> Crypto Maps
  tab, the only choices are Diffie-Hellman Groups { 2, 5, 15, 16 }, with Group 5 selected by default,
  and if I change anything in the Connection Profile and save it, any PFS DH-Group setting gets
  reset to 5.

  So far, I've of course not been able to get the router to negotiate IKEv1 Phase 1 successfully with the gateway,
  probably for this reason: our PFS DH-Group-{14,21} settings made in the Connection Profile,
  and in the IPsec Profile in use, where we also select PFS Group 14, are not being honored, and
  only the Group 5 setting in the Crypto Maps entry, which only allows Groups { 2, 5, 15, 16 } to be used,
  takes effect.

  Please, can anyone suggest a way of getting our FPR-2110 to use either DH-Group-21 or DH-Group-14 with IKEv1 only,
  using ASDM 7.14(1)? Or is this just not possible?

 

Thanks & Best Regards,
Jason Vas Dias, SW & Sys Eng., Ireland

17 Replies

@JVD66 if you are using 9.14 then DH group 14 is the default now. I notice you are not using the correct ASDM version for your ASA software; try using ASDM 7.16(1.150).

 

From the CLI provide the output of "show crypto" so we can determine what actually is configured.

 

Turn on IKEv1 debugs, attempt to establish the tunnel and provide the output for review.

JVD66 (Level 1)

Thanks for responding, Rob.
Which 'show crypto' command output do you want to see?
 

Result of the command: "show crypto ?"

exec mode commands/options:
accelerator Show accelerator operational data
ca Show certification authority policy
debug-condition Show crypto debug filters
ikev1 Show IKEv1 operational data
ikev2 Show IKEv2 operational data
ipsec Show IPsec operational data
isakmp Show ISAKMP operational data
key Show long term public keys
protocol Show protocol statistics
sockets Show secure socket information
ssl Show ssl information


I am running the ASDM that got downloaded from the router. How do I upgrade it?

How do I turn on IKEv1 debugs?

Sorry, I am a bit of a Cisco newbie - I have done a lot of Linux router & firewall admin work, though.

My precise issue might be better illustrated with screenshots:

The Connection Profile ONLY allows DH Groups { 2, 5, 15, 16 } to be used:
[screenshot: Edit_Connection_Profile.png]

Each time I "Save" the config, the PFS Group for the Connection Profile gets set to 5, even though I specified
Group 14 on the IPsec Profile and IPsec Rule:

[screenshot: Edit_IPSEC_Rule.png]

[screenshot: Edit_IPSEC_Profile.png]

But we are told to ONLY use DH-Group-14 or DH-Group-21 for PFS, and to only enable IKEv1 and the
ESP-AES-256-SHA proposal, by the operator of the gateway we are trying to connect to, for a VTI Tunnel interface.

My questions are:

 o Why can't I choose Group 14 or Group 21 on the Connection Profile -> Advanced -> Crypto map tab?

 o Why does the PFS Group for the connection profile change from 14 to 5 when I Save the Config?

 o Is IKEv1-only, PFS with DH-Group-{14,21} supported at all by FPR-2110 ASA 9.14(3)?

 

JVD66 (Level 1)

Sorry, to be clear, the question:
"o Why does the PFS Group for the connection profile change from 14 to 5 when I Save the Config ?"
should have been:
"o Why does the PFS Group for the Crypto Map change from 14 to 5 when I Save the Config ?"

 

The Crypto Map entry looks like:

Type    #   Source          Dest              Prot  Act  Transform Set (IKEv1) IPSEC Proposal (IKEv2)  PFS
static:1   1   Inside-Network  VTI_Tunnel/24  ip  Protect ESP-AES-256-SHA         (none)            group5 True False bidirectional 08:00:00 or -1 KB main

The PFS group changes to "group5" each time I Save the config, even though everywhere else it is Group 14.

When I Edit the Crypto Map Entry, and specify "Group14" under "Enable Perfect Forwarding Secrecy", and then click OK,
the display of the "PFS Group" for the entry does specify group14, but then when I Save the config, it changes back to group5.

The VTI Interface uses my IPsec Profile shown above that specifies PFS DH group14, but the Crypto Map always ends up using PFS DH group5.

So I think that is why IKEv1 Phase 1 negotiation is failing.

Is there any way to get the Crypto Map to actually use PFS DH group14 (or group21) when only IKEv1 is enabled?

That's what I really need to know. Thanks!

 

 

 

@JVD66 the reason I suggest upgrading ASDM is because you've got a newer version of the ASA software; sometimes using an older version of ASDM you get issues. I've not checked for bugs for you though.

 

Certainly from the CLI of my ASA 9.13 this supports group 14, this would be supported on newer versions including 9.14.

 

Group 21 is not supported on IKEv1, it would be supported on IKEv2.

 

ciscoasa(config)# show version | inc Version
Cisco Adaptive Security Appliance Software Version 9.13(1)
SSP Operating System Version 2.7(1.107)
Device Manager Version 7.13(1)
!
ciscoasa(config)# crypto map CMAP 1 set pfs ?
configure mode commands/options:
group14 D-H Group 14
group15 D-H Group 15 (Unsupported for IKEv1)
group16 D-H Group 16 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2 (DEPRECATED)
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (DEPRECATED)
!
ciscoasa(config-ikev1-policy)# group ?
ikev1-policy mode commands/options:
14 Diffie-Hellman group 14
2 Diffie-Hellman group 2 (DEPRECATED)
5 Diffie-Hellman group 5 (DEPRECATED)

 

I suggest checking the configuration from the CLI and manually set to group 14.

There are two groups:
one is the Phase 1 DH group, which must match between the two peers;
the other is the Phase 2 group for PFS, which I think is causing the issue, since both peers do not have the same PFS group. How can we solve it?
Disable PFS on BOTH peers; this lets you escape the group mismatch.

JVD66 (Level 1)

OK, so I guess the answer to my question is :
  "No, the FPR-2110 running 9.14(3) is not capable of negotiating PFS using Groups 14 or 21 with only IKEv1 enabled."
I will push back to our gateway supplier to request a configuration that does not require PFS using Group-14 or Group-21,
or which allows IKEv2 to be enabled.
It would be nice if the ASDM GUI could present an error message if PFS Groups 14 or 21 are selected when IKEv2 is not
enabled. Is there somewhere I can raise a bug about this?
Thanks for all responses,
Best Regards,
Jason Vas Dias

IKEv1 doesn't have PFS.
IKEv2 has PFS.
If you use IKEv2 and the PFS is mismatched, the tunnel fails, so
you can use IKEv2 BUT disable PFS to escape the PFS group mismatch.

@JVD66 group 14 is supported on IKEv1, but group 21 is not supported.

 

ciscoasa(config)# crypto map CMAP 1 set pfs ?

configure mode commands/options:
group14 D-H Group 14
group15 D-H Group 15 (Unsupported for IKEv1)
group16 D-H Group 16 (Unsupported for IKEv1)
group19 D-H Group 19 (Unsupported for IKEv1)
group2 D-H Group 2 (DEPRECATED)
group20 D-H Group 20 (Unsupported for IKEv1)
group21 D-H Group 21 (Unsupported for IKEv1)
group24 D-H Group 24 (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (DEPRECATED)
<cr>

JVD66 (Level 1)

Aha, thanks for the info, Rob!

 

But the router and peer are currently configured to use Group-14, and it isn't working -
whenever I Save the Config, it resets to Group-5.

 

And I found in the 'asa-914-vpn-config.pdf' manual this sentence, on p. 21:

" [no] crypto map map_name map_index set pfs [group14 | group15 | group16 | group19 | group20 | group21 ]
  Specifies the ECDH group used for Perfect Forward Secrecy (PFS) for the cryptography map.
  Prevents you from configuring group14 and group24 options for a cryptography map (when using an IKEv1 policy).
"

So I think "group24" there is a typo, it should be "group21", since I already know group21 cannot be chosen with an IKEv1 policy -

it looks like group14 cannot be chosen with an IKEv1 policy either.

 

I think the only Groups that CAN be chosen are the ones listed in the Connection Profile -> Crypto Map Entry tab shown above,

i.e. { 2, 5, 15, 16 } - unfortunately, none of these are supported by our Peer.

 

I guess a working group must be in the intersection of this set and the set specified in the manual for 'set pfs ...', i.e. one of { 15, 16 }.

 

I will try that 'crypto map $name $index set pfs ?' command and see what it says.

 

On Monday I will have some feedback from the gateway provider and will see if they can support Groups 15 or 16 for PFS .

 

It would be nice to understand WHY there are such restrictions on groups usable for IKEv1 PFS & not IKEv2 PFS .

Here is the result of the crypto map ... set pfs ? on the FPR-2110:

Result of the command: "crypto map "static: 1" 1 set pfs ?"

configure mode commands/options:
group14 D-H Group 14 (2048-bit MODP Group)
group15 D-H Group 15 (3072-bit MODP Group) (Unsupported for IKEv1)
group16 D-H Group 16 (4096-bit MODP Group) (Unsupported for IKEv1)
group19 D-H Group 19 (NIST 256-bit ECP Group) (Unsupported for IKEv1)
group2 D-H Group 2 (1024-bit MODP Group) (DEPRECATED)
group20 D-H Group 20 (NIST 384-bit ECP Group) (Unsupported for IKEv1)
group21 D-H Group 21 (NIST 521-bit ECP Group) (Unsupported for IKEv1)
group24 D-H Group 24 (2048-bit MODP Group with 256-bit Prime Order Subgroup) (Unsupported for IKEv1) (DEPRECATED)
group5 D-H Group 5 (1536-bit MODP Group) (DEPRECATED)
<cr>

 

So, according to that, the ONLY group supported for IKEv1-only PFS is group14, yet the manual states

"Prevents you from configuring group14 and group24 options for a cryptography map (when using an IKEv1 policy).
"

So I guess the ONLY groups I can use for IKEv1 PFS are either 2 or 5, both of which are deprecated.

 

I should get our peer to enable IKEv2 !

 

@JVD66 ignoring what the manual states, PFS group 14 works with IKEv1. If it didn't then you'd be unable to use PFS at all with IKEv1, as the other weaker groups are unsupported.

 

[screenshot: pfs group14.png]

 

If, like I said earlier, you are running an older version of ASDM with an issue configuring a newer ASA software version, then check the configuration from the CLI. Note that as PFS group 14 is the default it will just say "crypto map <CRYPTO MAP NAME> <ID NO> set pfs"; it doesn't appear to explicitly state 14.

 

Friend,

As I mentioned, there are two groups.

One is in phase 1; this is mandatory and must match on both peers.

The other is in phase 2; this is optional, and you can disable PFS without it bringing the tunnel down, but IPsec with PFS is more secure.

A mismatch is an issue and makes traffic drop even if the tunnel is up.
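As an added example, not part of the original thread and not Cisco's tooling: a small Python audit that parses ASA running-config text for exactly the settings argued over above. The DH group sets come from the CLI help output quoted in Rob's replies (group 14 the only non-deprecated IKEv1 PFS option; 15/16/19/20/21/24 flagged "Unsupported for IKEv1"), and the release default of group 14 for a bare "set pfs" comes from his remark that 9.14 no longer prints it explicitly; both are taken from the thread as assumptions about 9.13/9.14, not verified against a device here. The checker reports the PFS group a Tunnel interface actually binds through its IPsec profile separately from whatever the crypto map entry says, and applies the two-group rule from the posts above (phase-1 DH must be common to both peers; phase-2 PFS must be the same group, or off on both). The sample config, its names and the peer address are constructed; the peer side is given as plain values because the provider's IOS-XE config is not in ASA syntax.

```python
import re

# DH group sets as listed by the ASA CLI help quoted in this thread
# ("crypto map ... set pfs ?" and "crypto ikev1 policy" -> "group ?").
# Assumed to describe 9.13/9.14; not verified against a device here.
IKEV1_PHASE1_GROUPS = {2, 5, 14}
IKEV1_PFS_GROUPS = {2, 5, 14}
IKEV2_PFS_GROUPS = {2, 5, 14, 15, 16, 19, 20, 21, 24}
DEPRECATED_GROUPS = {2, 5, 24}

# Constructed sample in "show running-config" layout (sub-commands indented
# one space). Names are made up; the peer address is a documentation range.
SAMPLE_RUNNING_CONFIG = """\
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec profile VTI_PROFILE
 set ikev1 transform-set ESP-AES-256-SHA
 set pfs group14
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
interface Tunnel1
 nameif VTI_Tunnel
 tunnel source interface outside
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI_PROFILE
"""


def parse_asa_crypto(config, default_pfs_group=14):
    """Collect IKE enablement, IKEv1 phase-1 groups, PFS on crypto map entries and
    IPsec profiles, and the profile each Tunnel binds. Bare "set pfs" = release default."""
    cfg = {"ikev1": False, "ikev2": False, "ikev1_policy_groups": {},
           "ipsec_profile_pfs": {}, "crypto_map_pfs": {}, "tunnel_profile": {}}
    section = None  # open indented block: ("policy", seq) / ("profile", name) / ("interface", name)
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):  # top-level command; closes any open block
            section = None
            if m := re.match(r"crypto (ikev[12]) enable \S+$", line):
                cfg[m.group(1)] = True
            elif m := re.match(r"crypto ikev1 policy (\d+)$", line):
                section = ("policy", int(m.group(1)))
            elif m := re.match(r"crypto ipsec profile (\S+)$", line):
                section = ("profile", m.group(1))
                cfg["ipsec_profile_pfs"].setdefault(m.group(1), None)  # None = PFS off
            elif m := re.match(r"crypto map (\S+) (\d+) set pfs(?: group(\d+))?$", line):
                cfg["crypto_map_pfs"][(m.group(1), int(m.group(2)))] = (
                    int(m.group(3)) if m.group(3) else default_pfs_group)
            elif m := re.match(r"interface (Tunnel\d+)$", line):
                section = ("interface", m.group(1))
            continue
        if section is None:
            continue
        kind, name = section
        body = line.strip()
        if kind == "policy" and (m := re.match(r"group (\d+)$", body)):
            cfg["ikev1_policy_groups"][name] = int(m.group(1))
        elif kind == "profile" and (m := re.match(r"set pfs(?: group(\d+))?$", body)):
            cfg["ipsec_profile_pfs"][name] = int(m.group(1)) if m.group(1) else default_pfs_group
        elif kind == "interface" and (m := re.match(r"tunnel protection ipsec profile (\S+)$", body)):
            cfg["tunnel_profile"][name] = m.group(1)
    return cfg


def effective_pfs(cfg, tunnel):
    """PFS group the VTI negotiates: the profile bound by "tunnel protection". None = off."""
    return cfg["ipsec_profile_pfs"][cfg["tunnel_profile"][tunnel]]


def audit(cfg):
    """Findings to check before blaming the peer: phase-1 groups the IKEv1 policy CLI
    does not offer, PFS groups unsupported for an enabled IKE version, PFS off, deprecated groups."""
    findings = []
    for seq, g in cfg["ikev1_policy_groups"].items():
        if g not in IKEV1_PHASE1_GROUPS:
            findings.append(f"ikev1 policy {seq}: phase-1 group {g} is not an IKEv1 option")
    sites = [(f"crypto map {n} {s}", g) for (n, s), g in cfg["crypto_map_pfs"].items()]
    sites += [(f"ipsec profile {n}", g) for n, g in cfg["ipsec_profile_pfs"].items()]
    for label, g in sites:
        if g is None:
            findings.append(f"{label}: PFS disabled")
            continue
        for ver, allowed in (("IKEV1", IKEV1_PFS_GROUPS), ("IKEV2", IKEV2_PFS_GROUPS)):
            if cfg[ver.lower()] and g not in allowed:
                findings.append(f"{label}: PFS group{g} unsupported for {ver}")
        if g in DEPRECATED_GROUPS:
            findings.append(f"{label}: PFS group{g} is deprecated")
    return findings


def peers_can_negotiate(cfg, tunnel, peer_phase1_groups, peer_pfs):
    """Two-group rule: a phase-1 DH group must be common to both sides, and the phase-2
    PFS setting must be identical (same group, or None on both). Peer values passed plainly."""
    local_p1 = set(cfg["ikev1_policy_groups"].values())
    common = local_p1 & set(peer_phase1_groups)
    if not common:
        return False, f"phase-1 DH mismatch: local {sorted(local_p1)} vs peer {sorted(peer_phase1_groups)}"
    local_pfs = effective_pfs(cfg, tunnel)
    if local_pfs != peer_pfs:
        return False, f"PFS mismatch on {tunnel}: local {local_pfs} vs peer {peer_pfs}"
    return True, f"phase-1 group {max(common)}, PFS {local_pfs}"
```

Run it against the output of "show running-config crypto" plus the Tunnel interface block; on the constructed sample, the only finding is the deprecated group5 on the crypto map entry, while the Tunnel's effective PFS is group14 from the profile, which is the distinction the ASDM screens above blur. Swapping group14 for group21 on the profile produces an "unsupported for IKEV1" finding without any tunnel being brought up.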

JVD66 (Level 1) - Accepted Solution

OK, just to wrap this up:


 o it turns out the ONLY DH groups allowed for IKEv1-only PFS are either 2 or 5, both of which are deprecated.

 o we had to hire a Cisco expert (which, you will have gathered, I am not) to diagnose the IKEv1 VTI tunnel connection problems -
   he concluded there is a bug in either our ASA 9.14(3), or our provider's Cisco CSR running IOS-XE, which prevents
   the two from successfully negotiating an IKEv1-only tunnel - he could not get it to work.

 o Our provider provided a new IKEv2-only tunnel configuration, and the VTI Tunnel is now "Up", using IKEv2 only.

Thanks to all who responded!

I am not sure that this tunnel is stable and that there will be no drop issue later, after two or three days.
The PFS DH must match; otherwise changing from IKEv1 to IKEv2 with a DH mismatch gives us the same result.