IKEv2 to Cisco ASA - no acceptable PSEUDO_RANDOM_FUNCTION found



  • Hi,

    I'm trying to establish a LAN to LAN IPsec tunnel to a business partner. He's running Cisco ASA and sent me this:

    crypto ikev2 policy 1
    encryption aes-256 3des
    integrity sha256 md5
    group 5 2
    prf sha
    lifetime seconds 86400

    I've put things in the relevant fields in pfSense. When trying to establish the tunnel I get:

    Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> selecting proposal:
    Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19>  no acceptable PSEUDO_RANDOM_FUNCTION found
    Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> received proposals: IKE:AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536/MODP_1024
    Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
    Oct 27 15:25:54 10.12.4.21 charon: 12[IKE] <19> received proposals inacceptable

    I'm guessing it's his "prf sha" configuration that messes things up, as I cannot find any place to configure the Pseudo Random Function on pfSense. Are we out of options, or am I missing something?


  • LAYER 8 Netgate

    What options does he have on the ASA?

    prf ?

    What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.



  • @Derelict:

    > What options does he have on the ASA?

    I listed them at the top of my post.

    > prf ?

    Yes. "prf sha"

    > What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.

    That's what I'm trying to do, but I can't seem to find where to configure PRF (Pseudo Random Function) on pfSense.


  • LAYER 8 Netgate

    The easiest thing to do in your case is to set the ASA PRF to match if possible. sha256 should do it.

    This is from 9.1.7

    ciscoasa(config-ikev2-policy)# prf ?

    ikev2-policy mode commands/options:
      md5    set hash md5
      sha    set hash sha1
      sha256  set hash sha256
      sha384  set hash sha384
      sha512  set hash sha512

    prf sha256 sha

    on the asa should do it.

    I do not think there is a knob to tweak the ikev2 prf in pfSense yet. It proposes whatever the integrity algorithm is.

    I'd probably do this on the asa:

    crypto ikev2 policy 1
    encryption aes-256 aes-192 aes
    integrity sha256
    group 20 5
    prf sha256
    lifetime seconds 86400
    crypto ikev2 policy 2
    encryption 3des
    integrity sha md5
    group 5 2
    prf sha md5
    lifetime seconds 86400

    And policy 2 is only if you want to allow the 3des+sha/md5

    Maybe add some higher pfs groups but that should work.

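The following is an added example, not code from the thread, pfSense, strongSwan or the ASA: a small Python model of the per-transform-type matching charon does when it "selects a proposal" (RFC 7296 section 3.3: encryption, integrity, PRF and DH group are matched independently, and a single type with nothing in common rejects the whole proposal). Fed the two policies and the log line from this thread, it reproduces the "no acceptable PSEUDO_RANDOM_FUNCTION found" failure, and it also shows a caveat worth checking before declaring victory: against pfSense's proposal exactly as logged (MODP_1024), the suggested policy 1 fixes the PRF but still has no DH group in common (the ASA offers groups 20 and 5), so the phase 1 DH group has to be aligned on one side as well. The keyword-to-transform-name table and the ECP_384 spelling for group 20 are my assumptions about how strongSwan names these algorithms.

```python
"""Added example (not from the thread, pfSense, strongSwan or Cisco):
model IKEv2 proposal selection as charon reports it. Each transform type
must have at least one algorithm in common or the proposal is rejected."""
from typing import Dict, List, Tuple

Proposal = Dict[str, List[str]]

# ASA policy keyword -> transform name as strongSwan logs it (assumed
# mapping; standard RFC 7296 names, ECP_* spelling is strongSwan's).
ASA_MAP: Dict[str, Dict[str, str]] = {
    "encryption": {"aes": "AES_CBC_128", "aes-192": "AES_CBC_192",
                   "aes-256": "AES_CBC_256", "3des": "3DES_CBC"},
    "integrity": {"md5": "HMAC_MD5_96", "sha": "HMAC_SHA1_96",
                  "sha256": "HMAC_SHA2_256_128"},
    "prf": {"md5": "PRF_HMAC_MD5", "sha": "PRF_HMAC_SHA1",
            "sha256": "PRF_HMAC_SHA2_256"},
    "group": {"2": "MODP_1024", "5": "MODP_1536", "20": "ECP_384"},
}
# Transform type names as charon prints them in "no acceptable ... found".
TYPE_NAME = {"encryption": "ENCRYPTION_ALGORITHM",
             "integrity": "INTEGRITY_ALGORITHM",
             "prf": "PSEUDO_RANDOM_FUNCTION",
             "group": "DIFFIE_HELLMAN_GROUP"}
ORDER = ("encryption", "integrity", "prf", "group")


def parse_asa_policy(text: str) -> Proposal:
    """Translate one 'crypto ikev2 policy' block into strongSwan names."""
    prop: Proposal = {t: [] for t in ORDER}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ASA_MAP:
            prop[parts[0]] = [ASA_MAP[parts[0]][k] for k in parts[1:]]
    return prop


def parse_charon_proposal(proposal: str) -> Proposal:
    """Parse 'IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024'."""
    body = proposal.split(":", 1)[1] if ":" in proposal else proposal
    prop: Proposal = {t: [] for t in ORDER}
    for tr in body.split("/"):
        if tr.startswith("PRF_"):
            prop["prf"].append(tr)
        elif tr.startswith("HMAC_"):
            prop["integrity"].append(tr)
        elif tr.startswith(("MODP_", "ECP_")):
            prop["group"].append(tr)
        else:
            prop["encryption"].append(tr)
    return prop


def render(prop: Proposal) -> str:
    """Render a proposal in charon's log format."""
    return "IKE:" + "/".join(a for t in ORDER for a in prop[t])


def select_proposal(configured: Proposal, received: Proposal) -> Tuple[Proposal, str]:
    """Intersect each transform type, preferring the configured side's order.
    Returns (selected, "") or ({}, charon-style message for the first miss)."""
    chosen: Proposal = {}
    for t in ORDER:
        common = [a for a in configured[t] if a in received[t]]
        if not common:
            return {}, f"no acceptable {TYPE_NAME[t]} found"
        chosen[t] = [common[0]]
    return chosen, ""


# The partner's policy exactly as posted at the top of the thread.
ASA_ORIGINAL = """\
crypto ikev2 policy 1
encryption aes-256 3des
integrity sha256 md5
group 5 2
prf sha
lifetime seconds 86400
"""
# Policy 1 from the suggested ASA configuration in the reply above.
ASA_SUGGESTED = """\
crypto ikev2 policy 1
encryption aes-256 aes-192 aes
integrity sha256
group 20 5
prf sha256
lifetime seconds 86400
"""
# pfSense's proposal, copied from the "configured proposals" log line.
PFSENSE_LOGGED = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
# Constructed: the same proposal after switching phase 1 DH to group 20.
PFSENSE_GROUP20 = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384"


def check(pfsense: str, asa_policy: str) -> Tuple[Proposal, str]:
    """Run pfSense's configured proposal against one translated ASA policy."""
    return select_proposal(parse_charon_proposal(pfsense),
                           parse_asa_policy(asa_policy))
```

`render(parse_asa_policy(ASA_ORIGINAL))` gives back the exact "received proposals" string from the log, which is a quick sanity check that the keyword translation is right; `check(PFSENSE_LOGGED, ASA_ORIGINAL)` returns the PRF error from the thread, `check(PFSENSE_LOGGED, ASA_SUGGESTED)` returns a DH group error, and only `check(PFSENSE_GROUP20, ASA_SUGGESTED)` yields a fully selected proposal.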


  • Thank you so much! I'll get on it right away!

