VPN Troubleshooting: Cisco ASA IKEv2

A scenario existed where the Phase 1 of a VPN would result in a proposal mismatch (or no proposal selected)

One the local side of the Phase 1 VPN, the settings where selected as group 14 for Diffie-Hellman, encryption as AES 256 bit and SHA 256 for the hashing algorithm.

On the remote side of the VPN, operating a Cisco ASA, the below configuration was present:

crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha
 lifetime seconds 86400

If I enabled SHA1 locally as well as SHA256, the VPN came online OK. This was due to the prf line in the Cisco configuration containing sha (SHA1)

Changing the Cisco ASA configuration from prf sha to prf sha256 allowed the VPN to come online with only SHA256 as the hashing algorithm.







Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.