SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX won't allow users to select IKEv2 PRF

    Posted 04-01-2016 13:42

    Hi, all,


    I struggled for hours to bring up IKEv2 between an SRX and a Cisco ASA which we have no control of. The SRX is the initiator; the ASA side immediately returns "no proposal chosen" when IKEv2 is initiated from the SRX side. Finally I gave up and asked the ASA side admin to send me their side's configuration, and I was surprised to find that the ASA's IKEv2 policy has a separate entry for PRF. PRF has the same algorithm as authentication in IKEv1, but Cisco ASA obviously gives the user the option to choose a different algorithm for PRF than the authentication algorithm in IKEv2. After asking the ASA side admin to match the PRF algorithm with the authentication algorithm, both P1 and P2 came up right away (why the discrepancy between the actual configuration and the proposals exchanged over email is a totally different story).

    My question: SRX does not allow the user to choose the PRF in an IKEv2 proposal at all; is this the right implementation?



  • 2.  RE: SRX won't allow users to select IKEv2 PRF

    Posted 04-03-2016 02:24

    You can configure the proposal and specify the algorithms to match those on the ASA. Can you post the relevant SRX config? No proposal chosen is an indication of mismatch configurations.



  • 3.  RE: SRX won't allow users to select IKEv2 PRF

    Posted 04-03-2016 08:36

    Of course. This is the ASA side configuration. The ASA side anticipated me to match ikev2 policy 60 with sha-256, DH group 14 and PRF sha1, but I cannot specify PRF algorithm sha-1 on SRX, so they had to create policy 1 (where authentication and PRF algorithm match) for me for IKEv2 to come up.

    crypto ikev2 policy 1
    encryption aes-256
    integrity sha
    group 5 2
    prf sha
    lifetime seconds 86400
    crypto ikev2 policy 60
    encryption aes-256
    integrity sha256
    group 21 20 19 24 14 5
    prf sha
    lifetime seconds 86400
    crypto ikev2 enable inside
    crypto ikev2 enable outside


    SRX side:

    #show configuration security ike proposal ike-prop
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 86400;

    Notice that I have no way to specify the PRF on the SRX side.
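The negotiation described in this thread, modelled as an added example (not code from the thread, from Juniper or from Cisco): a small Python model of how an IKEv2 responder matches the initiator's SA payload against its configured policies, run against the ASA policies and the SRX proposal posted above. It assumes, from the poster's observation rather than vendor documentation, that the SRX offers its authentication-algorithm as the PRF transform, and that the ASA evaluates policies in ascending priority number.

```python
# Transform types carried in an IKEv2 SA payload (RFC 7296 section 3.3).
ENCR, PRF, INTEG, DH = "ENCR", "PRF", "INTEG", "D-H"

# Vendor spellings mapped to one canonical name (constructed for this example).
CANON = {"aes-256": "aes256-cbc", "aes-256-cbc": "aes256-cbc",
         "sha": "hmac-sha1", "sha1": "hmac-sha1",
         "sha256": "hmac-sha2-256", "sha-256": "hmac-sha2-256"}

def canon(name):
    return CANON.get(name, name)

def asa_ikev2_policy(encryption, integrity, groups, prf):
    """One ASA 'crypto ikev2 policy': the PRF is configured independently."""
    return {ENCR: {canon(encryption)}, INTEG: {canon(integrity)},
            PRF: {canon(prf)}, DH: set(groups)}

def srx_ike_proposal(encryption, authentication, dh_group):
    """One SRX 'security ike proposal'. Assumption from the thread, not Juniper
    docs: with no PRF knob, authentication-algorithm fills INTEG and PRF."""
    return {ENCR: {canon(encryption)}, INTEG: {canon(authentication)},
            PRF: {canon(authentication)}, DH: {dh_group}}

def responder_select(initiator, policies):
    """First policy (ascending ASA priority number) whose every transform type
    overlaps the offer -> (number, chosen); None means NO_PROPOSAL_CHOSEN."""
    for number, policy in sorted(policies.items()):
        chosen = {}
        for ttype in (ENCR, PRF, INTEG, DH):
            common = initiator[ttype] & policy[ttype]
            if not common:
                break  # this policy cannot be satisfied by the offer
            chosen[ttype] = min(common)
        else:
            return number, chosen
    return None

# Constructed from the configs posted in the thread.
ASA_POLICY_60 = asa_ikev2_policy("aes-256", "sha256", [21, 20, 19, 24, 14, 5], "sha")
ASA_POLICY_1 = asa_ikev2_policy("aes-256", "sha", [5, 2], "sha")
SRX_IKE_PROP = srx_ike_proposal("aes-256-cbc", "sha1", 5)

if __name__ == "__main__":
    # Only policy 60: INTEG sha256 vs SRX sha1 -> None (no proposal chosen).
    print(responder_select(SRX_IKE_PROP, {60: ASA_POLICY_60}))
    # SRX switched to sha-256: INTEG now matches but derived PRF != 'prf sha'.
    print(responder_select(srx_ike_proposal("aes-256-cbc", "sha-256", 5), {60: ASA_POLICY_60}))
    # Policy 1 with matching integrity and prf -> (1, {...}).
    print(responder_select(SRX_IKE_PROP, {1: ASA_POLICY_1, 60: ASA_POLICY_60}))
```

The second case shows why the SRX cannot match policy 60 either way: whichever authentication-algorithm it offers is also its PRF, so one of the two transforms always misses the ASA's split setting.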



  • 4.  RE: SRX won't allow users to select IKEv2 PRF

    Posted 04-03-2016 16:51

    I am guessing that the PRF is the authentication algorithm, which you would configure when you create the proposal using sha-1.
    What is the prf? can you give a full description of it and we may be able to find the Juniper equivalent. Pardon my ignorance of Cisco.

    Does your version of JunosOS support IKEv2?
    Did you configure Juniper to use IKEv2? This is the only thing I can see so far as to why it is not working. If we could see even the details of the debug logs, we may find something else.

    set security ipsec proposal <ipsec_proposal> authentication-algorithm sha1
    set security ike gateway <gateway> version v2-only


    What is the PRF? It seems to be a pseudo-random function, which equates to the hashing algorithm used for authentication, which you have configured. Maybe try a different algorithm? Can you give a full description of it and we may be able to find the Juniper equivalent. Pardon my ignorance of Cisco. I searched for an explanation but could not find one other than just a configuration using the term.