

IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

  • 1.  IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

    Posted 08-07-2019 10:11

    Hi,

    I have the following IKEv2 configuration. The external partner is running an ASA, and we agreed the DH group is group14, but the IKEv2 SA comes up with DH-group-5. I am the initiator, and the partner side is complaining about a DH-group mismatch... in what scenario will this happen?

    SRX# run show configuration security ike proposal ike-prop-ExtParter02
    authentication-method pre-shared-keys;
    dh-group group14; <==================================
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;

    vSRX# run show configuration security ike policy ike-pol-ExtParter02
    mode main;
    proposals ike-prop-ExtParter02;
    pre-shared-key ascii-text "FOOBAR"; ## SECRET-DATA

    SRX# run show configuration security ike gateway ExtParter02-GW
    ike-policy ike-pol-ExtParter02;
    address 213.5.3.2;
    dead-peer-detection {
        always-send;
        interval 10;
        threshold 3;
    }
    local-identity inet 48.5.23.7;
    external-interface ge-0/0/0.0;
    version v2-only;

    SRX# run show security ike security-associations 213.5.3.2 detail
    IKE peer 213.5.3.2, Index 7224719, Gateway Name: ExtParter02-GW
      Role: Initiator, State: UP
      Initiator cookie: 021e684b9220c6d8, Responder cookie: 76a3aef189f63d9f
      Exchange type: IKEv2, Authentication method: Pre-shared-keys
      Local: 48.5.23.7:500, Remote: 213.5.3.2:500
      Lifetime: Expires in 85091 seconds
      Reauth Lifetime: Disabled
      IKE Fragmentation: Enabled, Size: 576
      Remote Access Client Info: Unknown Client
      Peer ike-id: 213.5.3.2
      AAA assigned IP: 0.0.0.0
      Algorithms:
        Authentication        : hmac-sha256-128
        Encryption            : aes256-cbc
        Pseudo random function: hmac-sha256
        Diffie-Hellman group  : DH-group-5 <=============================
      Traffic statistics:
        Input  bytes   : 1112558
        Output bytes   : 1852214
        Input  packets : 5489
        Output packets : 5470
        Input  fragmentated packets : 0
        Output fragmentated packets : 0
      IPSec security associations: 2 created, 0 deleted
      Phase 2 negotiations in progress: 1

        Negotiation type: Quick mode, Role: Initiator, Message ID: 0
        Local: 48.5.23.7:500, Remote: 213.5.3.2:500
        Local identity: 48.5.23.7
        Remote identity: 213.5.3.2
        Flags: IKE SA is created



  • 2.  RE: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group
    Best Answer

    Posted 08-07-2019 16:53

    Hi, oldcreek


    As per the IKEv2 RFC:


    "Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH exchanges (known in IKEv1 as Phase 1). These initial exchanges normally consist of four messages, though in some scenarios that number can grow. All communications using IKE consist of request/response pairs.

    The first pair of messages (IKE_SA_INIT) negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange [DH]. The second pair of messages (IKE_AUTH) authenticate the previous messages, exchange identities and certificates, and establish the first Child SA.

    [...]

    Because the initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify payload of type INVALID_KE_PAYLOAD indicating the selected group. In this case, the initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman group. The initiator MUST again propose its full set of acceptable cryptographic suites..."


    Based on that, I think the SRX could be using DH group 14 as configured; however, the ASA could be replying that it wants Group 5, and after that the SRX uses Group 5. Can you confirm that Group 5 is not configured on the remote end?


    If both ends are configured to use Group 5, then I would take a packet capture and confirm the DH group used by the SRX and whether the ASA is asking for DH Group 5. In the following screenshots, from captures found on the Internet, I believe Wireshark displays the DH Group being used by the Initiator:

    [Screenshot: DH 1.PNG]

    [Screenshot: DH 2.PNG]

    Ref: https://tools.ietf.org/html/rfc7296#section-1.2

    Ref: https://www.cloudshark.org/captures/767a93d720ad

    Ref: https://blog.webernetz.net/ikev1-ikev2-capture/


    Hope this helps.




  • 3.  RE: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

    Posted 08-07-2019 17:48

    Thank you stwardIp, that makes sense. The ASA takes a different approach to IKE policy configuration: the IKE policy map is defined at the global level and comprises multiple policies, so it is very possible that the peer's IKE map has DH-group5 in a policy that has a lower sequence number. What does not make sense is that my side is already showing that the IKE SA is up, but the peer is complaining about a mismatched DH-group.



  • 4.  RE: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

    Posted 08-07-2019 18:04

    Yes, I thought the same. And why would the SRX agree to use Group 5 if it is configured with Group 14 only?


    If you can take the pcap, that will be great to confirm whether my theory is correct, so we can mark the post as Resolved.
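To make the mechanism from replies 2 and 3 concrete, here is a small Python model of the IKE_SA_INIT DH-group negotiation. It is an added example, not code from the thread, from Junos or from the ASA. The responder is an ordered list of (sequence number, DH group) policies evaluated lowest sequence first, standing in for the ASA policy map reply 3 describes; the initiator puts its KE value in its preferred group and, on INVALID_KE_PAYLOAD, retries with the group the responder named while re-sending its full proposal set, as the RFC text quoted in reply 2 requires. The Notify payload bytes follow RFC 7296 section 3.10 (generic header, Protocol ID, SPI Size, Notify Message Type, 2-octet DH group for INVALID_KE_PAYLOAD). The sequence numbers and the two policy sets are assumptions chosen to reproduce the thread's symptom: when the responder's lowest-sequence matching policy is group 5 and the initiator also offered group 5, the SA settles on group 5 even though group 14 was the initiator's first choice. It also shows the case reply 4 asks about: per RFC 7296 section 2.7 the responder selects one of the initiator's own proposals, so an initiator that offers only group 14 gets group 14 or NO_PROPOSAL_CHOSEN in this model.

```python
"""Model of IKEv2 DH-group negotiation in IKE_SA_INIT (RFC 7296, sections 1.2, 2.7, 3.10).

Constructed example, not SRX or ASA code. The responder is a list of
(sequence, dh_group) policies evaluated lowest sequence first, the way the
thread describes an ASA policy map; sequence numbers are assumptions.
"""
import struct

# IANA transform IDs for DH groups (RFC 7296 section 3.3.2)
DH_GROUP_5 = 5    # 1536-bit MODP
DH_GROUP_14 = 14  # 2048-bit MODP

# Notify message types (RFC 7296 section 3.10.1)
NOTIFY_NO_PROPOSAL_CHOSEN = 14
NOTIFY_INVALID_KE_PAYLOAD = 17


def encode_notify(msg_type, data=b""):
    """Build a Notify payload about the IKE SA itself (Protocol ID 0, no SPI).

    Layout: generic payload header (Next Payload, Critical bit + reserved,
    Payload Length), then Protocol ID, SPI Size, Notify Message Type and the
    notification data. INVALID_KE_PAYLOAD carries the 2-octet DH group."""
    body = struct.pack("!BBH", 0, 0, msg_type) + data
    header = struct.pack("!BBH", 0, 0, 4 + len(body))  # next payload 0 = none
    return header + body


def decode_notify(raw):
    """Parse a Notify payload; return (message type, notification data)."""
    _next, _crit, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw) or length < 8:
        raise ValueError("bad Notify payload length")
    _proto, spi_size, msg_type = struct.unpack("!BBH", raw[4:8])
    return msg_type, raw[8 + spi_size:]


class Responder:
    """Responder with an ordered policy list of (sequence number, DH group)."""

    def __init__(self, policies):
        self.policies = sorted(policies)

    def ike_sa_init(self, offered_groups, ke_group):
        # RFC 7296 2.7: the responder picks one of the *initiator's* proposals.
        # This responder walks its own policies in sequence order and takes the
        # first one the initiator also offered.
        for _seq, group in self.policies:
            if group in offered_groups:
                if group != ke_group:
                    # Selected group differs from the KE payload: reject and name it.
                    data = struct.pack("!H", group)
                    return "notify", encode_notify(NOTIFY_INVALID_KE_PAYLOAD, data)
                return "sa_init_response", group
        return "notify", encode_notify(NOTIFY_NO_PROPOSAL_CHOSEN)


def negotiate(offered_groups, responder, max_retries=1):
    """Initiator side. Offers every acceptable group, puts its KE value in the
    first (preferred) one, and on INVALID_KE_PAYLOAD retries with the corrected
    group while re-sending the full proposal set, as the RFC requires.
    Returns (agreed DH group or None, transcript lines)."""
    ke_group = offered_groups[0]
    transcript = []
    for _attempt in range(max_retries + 1):
        transcript.append(f"-> IKE_SA_INIT  SA offers {offered_groups}, KE group {ke_group}")
        kind, payload = responder.ike_sa_init(offered_groups, ke_group)
        if kind == "sa_init_response":
            transcript.append(f"<- IKE_SA_INIT  response, DH group {payload}")
            return payload, transcript
        msg_type, data = decode_notify(payload)
        if msg_type != NOTIFY_INVALID_KE_PAYLOAD:
            transcript.append("<- Notify NO_PROPOSAL_CHOSEN")
            return None, transcript
        selected = struct.unpack("!H", data)[0]
        transcript.append(f"<- Notify INVALID_KE_PAYLOAD, responder wants group {selected}")
        if selected not in offered_groups:
            raise ValueError(f"responder named group {selected}, which we never offered")
        ke_group = selected
    return None, transcript


if __name__ == "__main__":
    # Assumed ASA-like policy order: sequence 10 = group 5, sequence 20 = group 14.
    asa_like = Responder([(10, DH_GROUP_5), (20, DH_GROUP_14)])
    cases = {
        "initiator accepts 14 and 5, prefers 14": [DH_GROUP_14, DH_GROUP_5],
        "initiator accepts 14 only": [DH_GROUP_14],
    }
    for label, groups in cases.items():
        agreed, lines = negotiate(groups, asa_like)
        print(f"{label}: agreed group {agreed}")
        print("  " + "\n  ".join(lines))
```

The first case reproduces the thread's symptom (a retry after INVALID_KE_PAYLOAD ends on group 5); the second shows that in this model an initiator offering only group 14 cannot be steered to group 5. A real packet capture, as suggested in reply 2, is what decides which case the SRX is in: look for an IKE_SA_INIT request, an INVALID_KE_PAYLOAD Notify, and a second IKE_SA_INIT request whose KE payload names a different group.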