IKEv2 to Cisco ASA - no acceptable PSEUDO_RANDOM_FUNCTION found
-
Hi,
I'm trying to establish a LAN to LAN IPsec tunnel to a business partner. He's running Cisco ASA and sent me this:
crypto ikev2 policy 1
encryption aes-256 3des
integrity sha256 md5
group 5 2
prf sha
lifetime seconds 86400
I've put things in the relevant fields in pfSense. When trying to establish the tunnel I get:
Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> selecting proposal:
Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> received proposals: IKE:AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536/MODP_1024
Oct 27 15:25:54 10.12.4.21 charon: 12[CFG] <19> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Oct 27 15:25:54 10.12.4.21 charon: 12[IKE] <19> received proposals inacceptable
I'm guessing it's his "prf sha" configuration that messes things up, as I cannot find any place to configure Pseudo Random Function on pfSense. Are we out of options, or am I missing something?
-
What options does he have on the ASA?
prf ?
What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.
-
What options does he have on the ASA?
I listed them at the top of my post.
prf ?
Yes. "prf sha"
What is listed? Make a proposal that matches PRF_HMAC_SHA2_256.
That's what I'm trying to do, but I can't seem to find where to configure PRF (Pseudo Random Function) on pfSense.
-
The easiest thing to do in your case is to set the ASA PRF to match if possible. sha256 should do it.
This is from 9.1.7
ciscoasa(config-ikev2-policy)# prf ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
prf sha256 sha
on the asa should do it.
I do not think there is a knob to tweak the ikev2 prf in pfSense yet. It proposes whatever the integrity algorithm is.
I'd probably do this on the asa:
crypto ikev2 policy 1
encryption aes-256 aes-192 aes
integrity sha256
group 20 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption 3des
integrity sha md5
group 5 2
prf sha md5
lifetime seconds 86400
And policy 2 is only if you want to allow the 3des+sha/md5
Maybe add some higher pfs groups but that should work.
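As an added illustration (not code from the thread or from pfSense/strongSwan), the check below replays charon's proposal selection on the two proposal strings from the log above, so you can see which transform type fails and confirm that a peer proposal carrying PRF_HMAC_SHA2_256 would be accepted. The transform-type names and the "after prf sha256 sha" peer proposal are assumptions based on how charon prints proposals.

```python
# Map charon's transform-name prefixes to the transform type it reports on failure.
TYPE_OF_PREFIX = [
    ("PRF_", "PSEUDO_RANDOM_FUNCTION"),
    ("MODP_", "DIFFIE_HELLMAN_GROUP"),
    ("ECP_", "DIFFIE_HELLMAN_GROUP"),
    ("HMAC_", "INTEGRITY_ALGORITHM"),
    ("AUTH_", "INTEGRITY_ALGORITHM"),
]


def parse_proposal(text: str) -> dict:
    """Turn 'IKE:AES_CBC_256/.../MODP_1024' into {transform type: [names, in offered order]}."""
    body = text.split(":", 1)[1] if ":" in text else text
    groups: dict = {}
    for name in body.split("/"):
        ttype = next((t for p, t in TYPE_OF_PREFIX if name.startswith(p)), "ENCRYPTION_ALGORITHM")
        groups.setdefault(ttype, []).append(name)
    return groups


def select_proposal(received: str, configured: str):
    """Mimic charon: for each transform type, keep the first locally configured algorithm
    the peer also offered. Returns (chosen, None) or (None, <failing transform type>)."""
    got, own = parse_proposal(received), parse_proposal(configured)
    chosen = {}
    for ttype, mine in own.items():
        common = [alg for alg in mine if alg in got.get(ttype, [])]
        if not common:
            return None, ttype
        chosen[ttype] = common[0]
    return chosen, None


# Proposals copied from the charon log lines in the thread.
RECEIVED = "IKE:AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/PRF_HMAC_SHA1/MODP_1536/MODP_1024"
CONFIGURED = "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024"
# Constructed: what the same ASA policy would be expected to offer after "prf sha256 sha".
RECEIVED_FIXED = ("IKE:AES_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_MD5_96/"
                  "PRF_HMAC_SHA2_256/PRF_HMAC_SHA1/MODP_1536/MODP_1024")

if __name__ == "__main__":
    for label, peer in (("as logged", RECEIVED), ("after prf sha256 sha", RECEIVED_FIXED)):
        chosen, failed = select_proposal(peer, CONFIGURED)
        print(label, "->", chosen if chosen else f"no acceptable {failed} found")
```

Run the same check against any other policy you are offered, such as one with group 20 5, to see whether the DH group on the pfSense side would need changing as well.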
-
Thank you so much! I'll get on it right away!