
IKEv2 issue between SonicWall and ASA

Hi team,

I really need your help. I need help understanding an issue I faced when creating a tunnel between an ASA and a SonicWall (the issue got resolved, but I still need help understanding it).

SonicWall: Phase 1

IKEv2
Encryption: aes
Authentication: sha265
DH: 14
Lifetime: 86400

ASA: Phase 1

IKEv2
Encryption: aes
Integrity: sha256
DH: 15
PRF: sha
Lifetime: 86400

As you can see, my ASA is by default configured with a PRF and the remote SonicWall firewall doesn't have a PRF in phase 1, but after changing the PRF config on my ASA from sha to sha256 the tunnel came up. Can anyone tell me if SonicWall is configured with a default PRF of sha256? As the phase 1 parameters should be the same, that means a PRF is there on the SonicWall, otherwise the tunnel would never come up.
Category: Entry Level Firewalls

Best Answer

  • CORRECT ANSWER
    Ajishlal (Community Legend ✭✭✭✭✭)

    Hi @Sajesh

    Since SonicWall doesn't have a PRF setting in the 1st or 2nd phase, you must configure the integrity algorithm and the PRF algorithm to be the same on the Cisco ASA, since in IKEv2 (Cisco) the hash algorithm is separated into two options, one for the integrity algorithm and one for the pseudo-random function (PRF).

    NB: If on both ends you are using the same ASA / Firepower, you can use different algorithms for Integrity and PRF.

    Hope this info helps!!

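As an added illustration (not code from SonicWall, Cisco or anyone in this thread), the following Python models how an IKEv2 IKE_SA_INIT proposal is compared transform type by transform type. It assumes, as the accepted answer describes, that the single SonicWall Authentication hash fills both the INTEG and the PRF transform, and it uses DH group 14 on both sides so that only the PRF differs between the two ASA configurations.

```python
"""IKE_SA_INIT proposal matching between an ASA-style peer (separate
Integrity and PRF settings) and a SonicWall-style peer (one Authentication
hash). Added illustration only, not vendor code. Transform names follow the
IANA IKEv2 registry; the assumption, as the thread describes, is that the
single SonicWall hash populates both the INTEG and the PRF transform. DH
group 14 on both sides is assumed so the comparison isolates the PRF."""

# One hash choice expands into two IKEv2 transform types (RFC 7296):
# type 3 INTEG and type 2 PRF. Cisco's keyword "sha" means SHA-1.
HASH_TO_TRANSFORMS = {
    "sha":    {"INTEG": "AUTH_HMAC_SHA1_96",      "PRF": "PRF_HMAC_SHA1"},
    "sha256": {"INTEG": "AUTH_HMAC_SHA2_256_128", "PRF": "PRF_HMAC_SHA2_256"},
}

def sonicwall_proposal(encryption, authentication, dh_group):
    """One 'Authentication' box feeds both INTEG and PRF (assumed behaviour)."""
    hashes = HASH_TO_TRANSFORMS[authentication]
    return {"ENCR": encryption, "INTEG": hashes["INTEG"],
            "PRF": hashes["PRF"], "DH": dh_group}

def asa_proposal(encryption, integrity, prf, dh_group):
    """Cisco IKEv2 policy: integrity and prf are independent keywords."""
    return {"ENCR": encryption,
            "INTEG": HASH_TO_TRANSFORMS[integrity]["INTEG"],
            "PRF": HASH_TO_TRANSFORMS[prf]["PRF"],
            "DH": dh_group}

def negotiate(initiator, responder):
    """Single-transform-per-type model: every type must agree, otherwise the
    responder has no acceptable proposal. Returns (ok, chosen_or_mismatches)."""
    mismatches = {t: (initiator[t], responder[t])
                  for t in initiator if initiator[t] != responder[t]}
    if mismatches:
        return False, mismatches
    return True, dict(initiator)

# Constructed from the thread: SonicWall AES/SHA256; ASA integrity sha256
# with prf first "sha" (tunnel down), then "sha256" (tunnel up).
SONICWALL = sonicwall_proposal("aes", "sha256", 14)
ASA_PRF_SHA = asa_proposal("aes", "sha256", "sha", 14)
ASA_PRF_SHA256 = asa_proposal("aes", "sha256", "sha256", 14)

if __name__ == "__main__":
    for label, asa in (("prf sha", ASA_PRF_SHA), ("prf sha256", ASA_PRF_SHA256)):
        ok, detail = negotiate(asa, SONICWALL)
        print(f"ASA {label}: {'UP' if ok else 'DOWN'} {detail}")
```

The only transform that disagrees in the first run is the PRF, which is exactly the setting the original poster had to change; everything else the SonicWall derives from its one hash already matched.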
Answers

  • Sajesh (Newbie ✭)
    It's sha256 authentication on SonicWall. Mistakenly I have written 265.
  • TKWITS (Community Legend ✭✭✭✭✭)

    In my experience with Ciscos, if the PRF does not match authentication/integrity the tunnel will never succeed. I doubt SonicWall has a default PRF; because it is related to the authentication algorithm, SonicWall probably just uses whatever that setting is as its PRF setting.

    Hope that helps.

  • Sajesh (Newbie ✭)
    Right, I was also suspecting the same. If any TAC or SonicWall-experienced engineer can answer this query, that will be really helpful.
  • Ajishlal (Community Legend ✭✭✭✭✭)

    Hi @Sajesh

    As I understood it, in SonicWALL phase 2 you have PFS (Perfect Forward Secrecy), not PRF.

    PRF does not have anything to do with PFS. The PRF (pseudo-random function) was introduced in IKEv2; this function is used as the algorithm to derive the keying material and for the hashing operations required for the IKEv2 tunnel encryption.

    Perfect Forward Secrecy (PFS) is a cryptographic technique where the newly generated keys are unrelated to any previously generated key. With PFS enabled, the Cisco ASA generates a new set of keys which is used during the IPsec Phase 2 negotiations. Without PFS, the Cisco ASA uses Phase 1 keys during the Phase 2 negotiations.

    Syntax for PFS: crypto map map-name seq-num set pfs {group1 | group2 | group5 | group7}

    Syntax for PRF: prf { md5 | sha | sha256 | sha384 | sha512 }

    Hope this info helps!!

  • Sajesh (Newbie ✭)
    Hi @Ajishlal,

    My concern was not with the ASA firewall. I know the difference between the PRF and PFS concepts used in Phase 1 and Phase 2; both were introduced in IKEv2. On any ASA having multiple tunnels I can run the debug and find the error: which phase and which parameter is having an issue.

    I just wonder why changing the PRF value on my ASA made the tunnel come up between the ASA and the SonicWall. The remote-end engineer who manages the SonicWall said there is no PRF configured on the SonicWall for phase 1. I want to know: is the SonicWall authentication parameter in phase 1 equal to both the ASA integrity and PRF parameters?

    If phase 1 has a mismatched parameter the tunnel would never come up; you can see in the above config that my ASA is configured with a PRF and there is no PRF on the SonicWall for phase 1. That means a PRF has been set by default, or the setting is hidden on the SonicWall and that engineer doesn't know about it.
  • BasM (Newbie ✭)

    Hi,

    I have the same problem, I think.

    My Cisco ASA5545 gives me an error: IKEv2 Negotiation aborted due to ERROR: No error

    TZ670: IKEv2 AES256, SHA256, PFS ON, DH Gr.14

    Tried to change the PRF in the ASA, no luck.

    IKEv1 (Main Mode) works fine.

    Any help is appreciated.

  • BasM (Newbie ✭)

    Hi,

    Sorry, just found out that this IKEv2 problem is solved in firmware 7.0.1-R1456.

    I was using 7.0.1-R1262.

    Thanks.
