IKEv2 issue between SonicWall and ASA
Sajesh
Newbie ✭
Hi team,
I really need your help.
I need help understanding an issue I faced when creating a tunnel between an ASA and a SonicWall (the issue got resolved, but I still need help understanding it).
SonicWall: Phase 1
Ikev2
Encryption aes
Authentication sha256
Dh 14
Lifetime 86400
Asa: phase 1
Ikev2
Encryption aes
Integrity sha256
Dh 15
Prf sha
Lifetime 86400
As you can see, my ASA is by default configured with a PRF and the remote SonicWall firewall doesn't have a PRF in Phase 1, but after changing the PRF in my ASA config from sha to sha256 the tunnel came up. Can anyone tell me whether the SonicWall is configured with a default PRF of sha256? Since the Phase 1 parameters should be the same, that means a PRF is there on the SonicWall; otherwise the tunnel would never come up.
Category: Entry Level Firewalls
Best Answer
Ajishlal Community Legend ✭✭✭✭✭
Hi @Sajesh
Since SonicWall doesn't have a PRF setting in Phase 1 or Phase 2, you have to configure the integrity algorithm and the PRF algorithm to be the same on the Cisco ASA, since in IKEv2 (Cisco) the hash algorithm is split into two options, one for the integrity algorithm and one for the pseudo-random function (PRF).
NB: If you are using the same ASA / Firepower on both ends you can use different algorithms for integrity and PRF.
Hope this info helps!!
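An added example (written for this edit, not code from the thread, SonicWall or Cisco) that models the Phase 1 proposal matching the answers describe. It follows the IKEv2 rule (RFC 7296, section 3.3) that the responder accepts the first initiator proposal for which it can pick one algorithm of every transform type (ENCR, PRF, INTEG, D-H group), so a single unmatched type rejects the whole proposal. The SonicWall side is modelled on the assumption the answers make: its one "Authentication" setting is advertised as both the INTEG and the PRF transform. The values are constructed from the thread; DH group 14 is used on both sides so that the PRF is the only difference (the thread lists group 15 on the ASA), and the policy names are hypothetical.

```python
"""Simplified IKEv2 IKE_SA_INIT proposal selection (RFC 7296, section 3.3).

Added example for this thread, not code from SonicWall or Cisco. A Phase 1
(IKE SA) proposal is a set of transforms of four types: ENCR, PRF, INTEG and
D-H group. The responder accepts the first initiator proposal for which it can
choose one algorithm of every type; any type with no overlap rejects it.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "DH"
TRANSFORM_TYPES = (ENCR, PRF, INTEG, DH)


@dataclass(frozen=True)
class Proposal:
    """One IKE SA proposal: transform type -> algorithms offered for it."""
    name: str
    transforms: Dict[str, FrozenSet[str]]

    def offered(self, ttype: str) -> FrozenSet[str]:
        return self.transforms.get(ttype, frozenset())


def asa_ikev2_policy(priority: int, encryption: str, integrity: str,
                     prf: str, groups: List[str]) -> Proposal:
    """Cisco ASA style: integrity and PRF are configured separately."""
    return Proposal(f"asa-policy-{priority}", {   # hypothetical policy name
        ENCR: frozenset({encryption}),
        INTEG: frozenset({integrity}),
        PRF: frozenset({prf}),
        DH: frozenset(groups),
    })


def sonicwall_phase1(encryption: str, authentication: str, group: str) -> Proposal:
    """SonicWall style: one 'Authentication' algorithm. ASSUMPTION for this
    example (what the thread's answers say): that algorithm is advertised both
    as the INTEG transform and as the PRF transform."""
    return Proposal("sonicwall-phase1", {
        ENCR: frozenset({encryption}),
        INTEG: frozenset({authentication}),
        PRF: frozenset({authentication}),
        DH: frozenset({group}),
    })


def match_proposal(offer: Proposal, local: Proposal) -> Tuple[Dict[str, str], List[str]]:
    """Intersect both sides per transform type.
    Returns (chosen algorithm per type, transform types with no overlap)."""
    chosen: Dict[str, str] = {}
    missing: List[str] = []
    for ttype in TRANSFORM_TYPES:
        common = offer.offered(ttype) & local.offered(ttype)
        if common:
            chosen[ttype] = sorted(common)[0]   # preference order ignored here
        else:
            missing.append(ttype)
    return chosen, missing


def respond(initiator_proposals: List[Proposal],
            responder: Proposal) -> Tuple[Optional[Dict[str, str]], Dict[str, List[str]]]:
    """Responder picks the first fully matching proposal.
    Returns (chosen transform set or None, rejected proposal name -> missing types)."""
    rejected: Dict[str, List[str]] = {}
    for prop in initiator_proposals:
        chosen, missing = match_proposal(prop, responder)
        if not missing:
            return chosen, rejected
        rejected[prop.name] = missing
    return None, rejected


# Constructed inputs modelled on the thread; DH 14 on both sides isolates the PRF.
SONICWALL = sonicwall_phase1("aes", "sha256", "14")
ASA_PRF_SHA = asa_ikev2_policy(10, "aes", "sha256", "sha", ["14"])       # prf sha
ASA_PRF_SHA256 = asa_ikev2_policy(20, "aes", "sha256", "sha256", ["14"])  # prf sha256


def before_fix():
    """ASA offers integrity sha256 with prf sha: rejected on PRF only."""
    return respond([ASA_PRF_SHA], SONICWALL)


def after_fix():
    """ASA offers prf sha256: every transform type overlaps."""
    return respond([ASA_PRF_SHA256], SONICWALL)


def with_two_policies():
    """Keeping the old policy and adding a second one also works: the responder
    skips the first proposal and accepts the second."""
    return respond([ASA_PRF_SHA, ASA_PRF_SHA256], SONICWALL)


if __name__ == "__main__":
    for label, fn in (("prf sha", before_fix), ("prf sha256", after_fix),
                      ("both policies", with_two_policies)):
        chosen, rejected = fn()
        state = "IKE SA established" if chosen else "NO_PROPOSAL_CHOSEN"
        print(f"{label}: {state} chosen={chosen} rejected={rejected}")
```

The `with_two_policies` case is the practical takeaway: an ASA can carry several IKEv2 policies, so adding a policy whose PRF equals its integrity algorithm is enough for a peer that exposes only one hash setting, without touching policies that other peers already match.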
Answers
In my experience with Ciscos, if the PRF does not match the authentication/integrity the tunnel will never succeed. I doubt SonicWall has a default PRF; because it is related to the authentication algorithm, SonicWall probably just uses whatever that setting is as its PRF setting.
Hope that helps.
Hi @Sajesh
As I understand it, SonicWALL Phase 2 has PFS (Perfect Forward Secrecy), not PRF.
PRF does not have anything to do with PFS. The PRF (pseudo-random function) was introduced in IKEv2; this function is used as the algorithm to derive keying material and for the hashing operations required for the IKEv2 tunnel encryption.
Perfect Forward Secrecy (PFS) is a cryptographic technique where newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys which is used during the IPsec Phase 2 negotiations. Without PFS, the Cisco ASA uses the Phase 1 keys during the Phase 2 negotiations.
Syntax for PFS: crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}
Syntax for PRF: prf { md5 | sha | sha256 | sha384 | sha512 }
Hope this info helps!!
My concern was not with the ASA firewall. I know the difference between the PRF and PFS concepts used in Phase 1 and Phase 2; both were introduced in IKEv2. On any ASA with multiple tunnels I can run the debug and find which phase and parameter is having an issue.
I just wonder why changing the PRF value in my ASA made the tunnel come up between the ASA and the SonicWall. The remote-end engineer who manages the SonicWall said there is no PRF configured on the SonicWall for Phase 1. I want to know whether the SonicWall authentication parameter in Phase 1 is equal to both the ASA integrity and PRF parameters.
If Phase 1 has a mismatched parameter the tunnel would never come up. You can see in the config above that my ASA is configured with a PRF and there is no PRF on the SonicWall for Phase 1. That means a PRF has been set by default, or the setting is hidden in the SonicWall and the engineer doesn't know about it.
Hi,
I have the same problem, I think.
My Cisco ASA5545 gives me an error: IKEv2 Negotiation aborted due to ERROR: No error
TZ670: IKEv2 AES256, SHA256, PFS ON, DH Gr.14
I tried changing the PRF in the ASA, no luck.
IKEv1 (Main Mode) works fine.
Any help is appreciated.
Hi,
Sorry, I just found out that this IKEv2 problem is solved in firmware 7.0.1-R1456.
I was using 7.0.1-R1262.
Thanks.