Proposal order in IKEv2 issue

lucas50575 (Level 1)

I have an issue regarding the proposal order in IKEv2.

If I understood correctly, when you initiate a negotiation in IKEv2, you send your proposals to the remote peer in the same order as they are configured in the policy, and the parameters inside the proposals are checked by the remote peer in the same order as they were configured too.

Here is the configuration I have:

crypto ikev2 proposal ikev2_proposal_HIGH 
 encryption aes-gcm-256 aes-gcm-128
 prf sha512 sha384 sha256
 group 21 20 19
crypto ikev2 proposal ikev2_proposal_LOW 
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 24 14 5
crypto ikev2 proposal ikev2_proposal_MEDIUM 
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha512 sha384 sha256
 group 21 20 19 16 15
no crypto ikev2 policy default
crypto ikev2 policy ikev2_policy 
 match address local X.X.X.X
 proposal ikev2_proposal_HIGH
 proposal ikev2_proposal_MEDIUM
 proposal ikev2_proposal_LOW

We agreed with the partner, who also has a Cisco device, that we will negotiate our tunnel using aes-cbc-256, integrity sha512 and DH group 16, so these parameters are available in his configuration. The negotiation is initiated from my side. Here is the output of show crypto ikev2 sa d for this peer:

Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK

...

Initiator of SA : Yes

Can someone explain to me why, if I am the initiator, the DH group isn't 16, given that this group has a higher priority?

Thank you in advance!

3 Replies

bopage (Cisco Employee)

It will negotiate with the peer as to which one to use in numerical/alphabetical order of proposal, not the order listed in the policy. So alphabetically it would be High, Low, Medium. We would need to see the config on the other side as well.

Unless something changed since v15, according to "Configuring Internet Key Exchange Version 2 (IKEv2)" [Support] - Cisco Systems, the order of listing does matter:

Step 4: proposal name

Example:

Router(config-ikev2-policy)# proposal proposal1

Specifies the proposals that must be used with the policy.

  • The proposals are prioritized in the order of listing.

Note: You must specify at least one proposal. Optionally, you can specify additional proposals, with each proposal in a separate statement.

I think it agreed on 14 because the remote side router's proposal order must have DH14 first, then DH16 and so on. If your router is the IKEv2 initiator, it sends all the proposals to the remote side. The remote side router agrees on one from the provided list (from the initiator router).

You can test this: if your remote router becomes the initiator and you are the responder, you can see this in "show crypto ikev2 sa detail".

please do not forget to rate.
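The selection behaviour the question and the last reply are arguing about, as an added example that is not part of this thread and not Cisco's code: a small Python model of IKEv2 SA-proposal selection (RFC 7296 section 3.3). The initiator's proposals are transcribed from the configuration in the question; the responder's configuration is constructed for illustration and is an assumption about the partner's device, as is the PRF list for the CBC proposals. RFC 7296 requires the responder to return exactly one suite taken from what the initiator offered; when several are acceptable, which one it picks is the responder's implementation choice, so the model shows both ways of walking the lists.

```python
"""Model of IKEv2 SA-proposal selection (RFC 7296 section 3.3).

Each proposal is a dict mapping a transform type (encr, prf, integ, dh)
to an ordered list of acceptable transform IDs. A responder may pick a
suite by walking the initiator's list first (initiator preference) or
its own configured list first (responder preference); the RFC only
requires the chosen suite to be one the initiator offered.
"""

from typing import Dict, List, Optional

Proposal = Dict[str, List[str]]
Suite = Dict[str, str]

# Initiator proposals, transcribed from the configuration in the question,
# in policy order. The PRF list for the CBC proposals is an assumption:
# it is taken to mirror the integrity list.
INITIATOR: List[Proposal] = [
    {"encr": ["aes-gcm-256", "aes-gcm-128"],
     "prf": ["sha512", "sha384", "sha256"],
     "dh": ["21", "20", "19"]},                       # ikev2_proposal_HIGH
    {"encr": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128"],
     "integ": ["sha512", "sha384", "sha256"],
     "prf": ["sha512", "sha384", "sha256"],
     "dh": ["21", "20", "19", "16", "15"]},           # ikev2_proposal_MEDIUM
    {"encr": ["aes-cbc-256", "aes-cbc-192", "aes-cbc-128"],
     "integ": ["sha512", "sha384", "sha256"],
     "prf": ["sha512", "sha384", "sha256"],
     "dh": ["24", "14", "5"]},                        # ikev2_proposal_LOW
]

# Constructed responder configuration (an assumption, not the partner's
# real config): DH 16 is "available", but it sits in a second proposal
# behind one that only offers DH 14.
RESPONDER: List[Proposal] = [
    {"encr": ["aes-cbc-256"], "integ": ["sha512"], "prf": ["sha512"], "dh": ["14"]},
    {"encr": ["aes-cbc-256"], "integ": ["sha512"], "prf": ["sha512"], "dh": ["16"]},
]


def match(offered: Proposal, accepted: Proposal) -> Optional[Suite]:
    """Return one transform per type if the two proposals are compatible.

    The transform types must be identical (a combined-mode GCM proposal
    carries no INTEG transform, so it can never match a CBC proposal),
    and every type must have at least one ID in common. Within a type
    the initiator's first acceptable ID is taken.
    """
    if set(offered) != set(accepted):
        return None
    chosen: Suite = {}
    for ttype, ids in offered.items():
        common = [i for i in ids if i in accepted[ttype]]
        if not common:
            return None
        chosen[ttype] = common[0]
    return chosen


def select_initiator_preference(initiator: List[Proposal],
                                responder: List[Proposal]) -> Optional[Suite]:
    """Walk the initiator's SAi1 payload in order; take the first proposal
    the responder can accept with any of its own proposals."""
    for offered in initiator:
        for accepted in responder:
            suite = match(offered, accepted)
            if suite:
                return suite
    return None


def select_responder_preference(initiator: List[Proposal],
                                responder: List[Proposal]) -> Optional[Suite]:
    """Walk the responder's own policy in order; for each of its proposals
    take the first initiator proposal it is compatible with."""
    for accepted in responder:
        for offered in initiator:
            suite = match(offered, accepted)
            if suite:
                return suite
    return None


if __name__ == "__main__":
    print("initiator preference:", select_initiator_preference(INITIATOR, RESPONDER))
    print("responder preference:", select_responder_preference(INITIATOR, RESPONDER))
```

With these inputs the initiator-preference walk lands on ikev2_proposal_MEDIUM with DH 16, while the responder-preference walk lands on ikev2_proposal_LOW with DH 14, which is exactly the "DH Grp:14" seen in the show output despite the initiator having listed 16 earlier. Whichever walk the peer actually implements, the thing to inspect on the remote side is its proposal order, not only which groups it has configured.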