Netgate Discussion Forum

    IKEv2 to Cisco ASA - no acceptable PSEUDO_RANDOM_FUNCTION found

    IPsec
    5 Posts 2 Posters 3.7k Views
    ljorgensen

      Hi,

      I'm trying to establish a LAN to LAN IPsec tunnel to a business partner. He's running Cisco ASA and sent me this:

      crypto ikev2 policy 1
      encryption aes-256 3des
      integrity sha256 md5
      group 5 2
      prf sha
      lifetime seconds 86400

      I've put things in the relevant fields in pfSense. When trying to establish the tunnel I get:

      Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> selecting proposal:
      Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19>  no acceptable PSEUDO_RANDOM_FUNCTION found
      Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> received proposals: IKE:AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536/MODP_1024
      Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
      Oct 27 15:25:54 10.12.4.21 charon: 12[IKE] <19> received proposals inacceptable

      I'm guessing it's his "prf sha" configuration that messes things up, as I cannot find any place to configure Pseudo Random Function on pfSense. Are we out of options, or am I missing something?

      Derelict (Netgate)

        What options does he have on the ASA?

        prf ?

        What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        ljorgensen

          @Derelict:

          > What options does he have on the ASA?

          I listed them at the top of my post.

          > prf ?

          Yes. "prf sha"

          > What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.

          That's what I'm trying to do, but I can't seem to find where to configure PRF (Pseudo Random Function) on pfSense.

          Derelict (Netgate)

            The easiest thing to do in your case is to set the ASA PRF to match if possible. sha256 should do it.

            This is from ASA 9.1.7:

            ciscoasa(config-ikev2-policy)# prf ?

            ikev2-policy mode commands/options:
              md5    set hash md5
              sha    set hash sha1
              sha256  set hash sha256
              sha384  set hash sha384
              sha512  set hash sha512

            prf sha256 sha

            on the asa should do it.

            I do not think there is a knob to tweak the ikev2 prf in pfSense yet. It proposes whatever the integrity algorithm is.

            I'd probably do this on the asa:

            crypto ikev2 policy 1
            encryption aes-256 aes-192 aes
            integrity sha256
            group 20 5
            prf sha256
            lifetime seconds 86400
            crypto ikev2 policy 2
            encryption 3des
            integrity sha md5
            group 5 2
            prf sha md5
            lifetime seconds 86400

            And policy 2 is only if you want to allow the 3des+sha/md5

            Maybe add some higher PFS groups, but that should work.

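The proposal selection that charon logs in the first post, and the ASA policies Derelict suggests in the post above, can be checked offline before touching either box. The following is an added example, not code from the thread, pfSense or strongSwan: it parses the two charon proposal lines into per-transform-type sets, translates `crypto ikev2 policy` blocks into the same transform names (the keyword-to-name mapping is an assumption except where the thread's own log confirms it), and intersects the two sides in the order charon reports them. It reproduces the PRF failure from the log, and also shows a caveat a practitioner would want to see: with the pfSense side still proposing MODP_1024 (DH group 2), the suggested policy 1 (`group 20 5`) fixes the PRF mismatch but then fails on the Diffie-Hellman group, so either pfSense must move to group 5 (or 20) or the ASA policy needs group 2 as well. The log lines and ASA text are constructed from the thread, with the copy-paste line wrap rejoined.

```python
import re

# Assumed mapping from Cisco ASA "crypto ikev2 policy" keywords to the transform
# names charon prints in "received proposals". Entries for aes-256, 3des, sha256,
# md5, prf sha and groups 5/2 are confirmed by the thread's log; the rest follow
# the same naming scheme and are assumptions.
ASA_TO_CHARON = {
    "encryption": {"aes-256": "AES_CBC_256", "aes-192": "AES_CBC_192",
                   "aes": "AES_CBC_128", "3des": "3DES_CBC"},
    "integrity": {"sha256": "HMAC_SHA2_256_128", "sha384": "HMAC_SHA2_384_192",
                  "sha512": "HMAC_SHA2_512_256", "sha": "HMAC_SHA1_96", "md5": "HMAC_MD5_96"},
    "prf": {"sha256": "PRF_HMAC_SHA2_256", "sha384": "PRF_HMAC_SHA2_384",
            "sha512": "PRF_HMAC_SHA2_512", "sha": "PRF_HMAC_SHA1", "md5": "PRF_HMAC_MD5"},
    "group": {"1": "MODP_768", "2": "MODP_1024", "5": "MODP_1536", "14": "MODP_2048",
              "19": "ECP_256", "20": "ECP_384", "21": "ECP_521", "24": "MODP_2048_256"},
}
# charon's transform-type names, in the order it checks them when selecting.
TYPE_ORDER = ("ENCRYPTION_ALGORITHM", "INTEGRITY_ALGORITHM",
              "PSEUDO_RANDOM_FUNCTION", "DIFFIE_HELLMAN_GROUP")
ASA_KEYWORD_TO_TYPE = dict(zip(("encryption", "integrity", "prf", "group"), TYPE_ORDER))


def transform_type(name):
    """Classify a charon transform name by its prefix."""
    if name.startswith("PRF_"):
        return "PSEUDO_RANDOM_FUNCTION"
    if name.startswith(("HMAC_", "AES_XCBC", "AES_CMAC")):
        return "INTEGRITY_ALGORITHM"
    if name.startswith(("MODP_", "ECP_", "CURVE_")):
        return "DIFFIE_HELLMAN_GROUP"
    return "ENCRYPTION_ALGORITHM"


def parse_charon_proposal(line):
    """Return {transform_type: set(names)} from a charon 'IKE:a/b/c' proposal log line."""
    m = re.search(r"IKE:([A-Z0-9_/]+)", line)
    if not m:
        raise ValueError("no IKE proposal in line: %r" % line)
    result = {t: set() for t in TYPE_ORDER}
    for name in m.group(1).split("/"):
        result[transform_type(name)].add(name)
    return result


def parse_asa_policies(text):
    """Parse 'crypto ikev2 policy N' blocks into {N: {transform_type: set(charon names)}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ikev2 policy (\d+)$", line)
        if m:
            current = policies.setdefault(int(m.group(1)), {t: set() for t in TYPE_ORDER})
            continue
        if current is None or not line:
            continue
        keyword, *values = line.split()
        if keyword in ASA_KEYWORD_TO_TYPE:  # 'lifetime' etc. are not part of the proposal
            current[ASA_KEYWORD_TO_TYPE[keyword]].update(ASA_TO_CHARON[keyword][v] for v in values)
    return policies


def select_proposal(received, configured):
    """Intersect per transform type like charon; return (selected, None) or (None, failing_type)."""
    selected = {}
    for t in TYPE_ORDER:
        common = received[t] & configured[t]
        if not common:
            return None, t
        selected[t] = common
    return selected, None


# Constructed from the thread's charon output (wrapped token "HMAC_SH/A2_256_128" rejoined).
RECEIVED_LINE = ("Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> received proposals: IKE:"
                 "AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536/MODP_1024")
CONFIGURED_LINE = ("Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> configured proposals: IKE:"
                   "AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024")
# Hypothetical pfSense side after switching its DH group from 2 to 5.
FIXED_CONFIGURED_LINE = CONFIGURED_LINE.replace("MODP_1024", "MODP_1536")

ORIGINAL_ASA = """crypto ikev2 policy 1
encryption aes-256 3des
integrity sha256 md5
group 5 2
prf sha
lifetime seconds 86400"""

SUGGESTED_ASA = """crypto ikev2 policy 1
encryption aes-256 aes-192 aes
integrity sha256
group 20 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption 3des
integrity sha md5
group 5 2
prf sha md5
lifetime seconds 86400"""


def diagnose(asa_text, configured_line=CONFIGURED_LINE):
    """Check every ASA policy against the pfSense-side proposal: {policy: failing_type or None}."""
    configured = parse_charon_proposal(configured_line)
    return {n: select_proposal(p, configured)[1] for n, p in parse_asa_policies(asa_text).items()}


if __name__ == "__main__":
    _, why = select_proposal(parse_charon_proposal(RECEIVED_LINE),
                             parse_charon_proposal(CONFIGURED_LINE))
    print("from the log:", why)
    print("original ASA policy:", diagnose(ORIGINAL_ASA))
    print("suggested ASA policies, pfSense on group 2:", diagnose(SUGGESTED_ASA))
    print("suggested ASA policies, pfSense on group 5:", diagnose(SUGGESTED_ASA, FIXED_CONFIGURED_LINE))
```

Policy 2 in the suggested configuration never matches this pfSense proposal because pfSense only offers AES-256, which is the point of keeping it optional; `parse_asa_policies` also round-trips the original policy to exactly the set charon logged as received, which is a cheap sanity check on the keyword mapping before trusting the verdict.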
              ljorgensen

              Thank you so much! I'll get on it right away!

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.