Hello,
I have to migrate a GetVPN environment (7301 and 3825 with IOS 15.1) to new routers (ASR1K and ISR4K with IOS XE 3.16 or higher).
The first ISR4331 is already running, but no encrypted packet can be transmitted correctly. Without encryption everything works fine.
I have analyzed this problem and found out that the policy transmitted from the KS is interpreted differently.
7301/3825 with 15.1(4)M9:
KEK POLICY:
...
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
ISR4331 with XE 3.13 / 3.16 / 16.3 (Denali) / 16.4 (Everest):
KEK POLICY:
...
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1296
GDOI KS Policy
KEK POLICY (transport type : Unicast)
...
sig hash algorithm : enabled sig key length : 162
sig size : 128
sig key name : *
Sig size = 128 Byte = 1024 Bit
Sig key length = 162 Byte = 1296 Bit
Any hints?
Thanks,
Torsten