10-19-2015 06:14 AM
Hi,
Has anyone experienced IKEv2 configuration problems on ASA like these going higher than AES-256 encryption and sha1 integrity hashing? And have a solution maybe?
First off, I want to use other DH groups than 2 and 5; that is possible through both CLI and ASDM. If GCM type encryption is chosen through CLI in the IKEv2 policy, the only integrity hash value possible is "null". However, if a lower encryption method is chosen, e.g. AES-256, then there are lots of possibilities.
FW01/pri/act(config)# crypto ikev2 policy 2
FW01/pri/act(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
  3des         3des encryption
  aes          aes encryption
  aes-192      aes-192 encryption
  aes-256      aes-256 encryption
  aes-gcm      aes-gcm encryption
  aes-gcm-192  aes-gcm-192 encryption
  aes-gcm-256  aes-gcm-256 encryption
  des          des encryption
  null         null encryption
FW01/pri/act(config-ikev2-policy)# encryption aes-gcm-256 aes-gcm-192 aes-gcm
FW01/pri/act(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  null  set hash null
FW01/pri/act(config-ikev2-policy)# integrity
FW01/pri/act(config-ikev2-policy)# encryption aes-256
FW01/pri/act(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512
Looking at the ASDM screenshots the possibilities are not even the same. No GCM possible there.
According to the documentation it should be possible, for example http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/asdm70/configuration_guide/asdm_70_config/vpn_asdm_ike.html#pgfId-1041173, and to comply with Cisco's own security recommendations (http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html). But it seems like there are bugs (or undocumented features) in both the ASA firmware and ASDM. Or am I missing something obvious?
Tested with these ASA/ASDM software:
asa913-2-smp-k8.bin
asa916-1-smp-k8.bin
asa924-smp-k8.bin
asa942-smp-k8.bin
asa951-smp-k8.bin
asdm-731-101.bin
asdm-751.bin
Any working solution would be much appreciated! :-)
Br!
10-19-2015 10:58 AM
aes-gcm combines encryption and integrity, so you can't specify an integrity protocol if you have chosen aes-gcm.
But there seems to be a bug in ASDM, because I can't choose aes-gcm there either. When I try and create a crypto ikev2 policy in the CLI and specify it as the encryption protocol and then try and open that policy in ASDM, it's empty (see picture below).
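As an added illustration of the point above (not code from this thread or from Cisco): a small Go program contrasting what the two ASA policy shapes mean on the wire. With aes-gcm-256 and integrity null the AEAD tag already authenticates the ciphertext, so Open rejects a modified message by itself; with aes-256 plus integrity sha256 the receiver has to run a separate HMAC check before decrypting. Keys, nonce and IV are constructed demo values, and CTR stands in for the CBC mode the ASA uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
)
// Constructed demo keys and IVs; a real IKE SA derives its keys from the DH exchange and PRF.
var (
	encKey = bytes.Repeat([]byte{0x42}, 32) // 256-bit cipher key (aes-gcm-256 / aes-256)
	macKey = bytes.Repeat([]byte{0x24}, 32) // separate integrity key for the HMAC variant
	nonce  = bytes.Repeat([]byte{0x07}, 12) // GCM nonce
	iv     = bytes.Repeat([]byte{0x07}, 16) // CTR IV
)
func newGCM() cipher.AEAD {
	block, _ := aes.NewCipher(encKey)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// "encryption aes-gcm-256 / integrity null": Seal appends an authentication tag and Open
// verifies it before returning plaintext, so no separate hash algorithm is configured.
func gcmSeal(plain []byte) []byte { return newGCM().Seal(nil, nonce, plain, nil) }
func gcmOpen(ct []byte) ([]byte, error) { return newGCM().Open(nil, nonce, ct, nil) }
// "encryption aes-256 / integrity sha256": a plain cipher mode plus a separate HMAC-SHA256
// (encrypt-then-MAC); the receiver must verify the HMAC itself before decrypting anything.
func ctrHmacSeal(plain []byte) []byte {
	block, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plain)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return mac.Sum(ct) // ciphertext || 32-byte tag
}
func ctrHmacOpen(blob []byte) ([]byte, bool) {
	if len(blob) < sha256.Size {
		return nil, false
	}
	ct, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, false // integrity check failed; never decrypt
	}
	plain := make([]byte, len(ct))
	block, _ := aes.NewCipher(encKey)
	cipher.NewCTR(block, iv).XORKeyStream(plain, ct)
	return plain, true
}
```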