SRX Services Gateway

IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

‎08-07-2019 10:11 AM

Hi, 

I have the following IKEv2 configuration; the external partner is running an ASA. We agreed that the DH group is group14, but the IKEv2 SA comes up with DH-group-5. I am the initiator, and the partner side is complaining of a DH-group mismatch ... in what scenario will this happen?


SRX# run show configuration security ike proposal ike-prop-ExtParter02
authentication-method pre-shared-keys;
dh-group group14; <==================================
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;


vSRX# run show configuration security ike policy ike-pol-ExtParter02
mode main;
proposals ike-prop-ExtParter02;
pre-shared-key ascii-text "FOOBAR"; ## SECRET-DATA


SRX# run show configuration security ike gateway ExtParter02-GW
ike-policy ike-pol-ExtParter02;
address 213.5.3.2;
dead-peer-detection {
always-send;
interval 10;
threshold 3;
}
local-identity inet 48.5.23.7;
external-interface ge-0/0/0.0;
version v2-only;


SRX# run show security ike security-associations 213.5.3.2 detail
IKE peer 213.5.3.2, Index 7224719, Gateway Name: ExtParter02-GW
Role: Initiator, State: UP
Initiator cookie: 021e684b9220c6d8, Responder cookie: 76a3aef189f63d9f
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Local: 48.5.23.7:500, Remote: 213.5.3.2:500
Lifetime: Expires in 85091 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: 213.5.3.2
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-5 <=============================
Traffic statistics:
Input bytes : 1112558
Output bytes : 1852214
Input packets: 5489
Output packets: 5470
Input fragmentated packets: 0
Output fragmentated packets: 0
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1

Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 48.5.23.7:500, Remote:213.5.3.2:500
Local identity: 48.5.23.7
Remote identity:213.5.3.2
Flags: IKE SA is created
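As an added check (not part of oldcreek's post), the following Python script parses the Junos IKE proposal configuration and the `show security ike security-associations ... detail` output and flags a negotiated Diffie-Hellman group that is not present in the configured proposal. The two sample strings are constructed from the output quoted in this post; the function names are my own and the script is not a Juniper tool.

```python
import re

# Constructed sample input: the IKE proposal configuration as quoted in the post.
PROPOSAL_CONFIG = """\
authentication-method pre-shared-keys;
dh-group group14;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
lifetime-seconds 86400;
"""

# Constructed sample input: the relevant part of the SA detail output as quoted in the post.
SA_DETAIL = """\
IKE peer 213.5.3.2, Index 7224719, Gateway Name: ExtParter02-GW
Role: Initiator, State: UP
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes256-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-5
"""


def configured_dh_groups(config_text):
    """Return the set of DH group numbers found in 'dh-group groupN;' lines of a proposal."""
    return {int(g) for g in re.findall(r"^\s*dh-group group(\d+);", config_text, re.M)}


def negotiated_dh_group(sa_detail):
    """Return the DH group number reported in the SA detail output, or None if absent."""
    m = re.search(r"Diffie-Hellman group\s*:\s*DH-group-(\d+)", sa_detail)
    return int(m.group(1)) if m else None


def sa_role(sa_detail):
    """Return the local role (Initiator/Responder) reported in the SA detail output."""
    m = re.search(r"^Role:\s*(\w+)", sa_detail, re.M)
    return m.group(1) if m else None


def check_dh_group(config_text, sa_detail):
    """Compare configured and negotiated DH groups.

    Returns (ok, configured_groups, negotiated_group); ok is False when the
    negotiated group is not one the local proposal is configured with.
    """
    configured = configured_dh_groups(config_text)
    negotiated = negotiated_dh_group(sa_detail)
    return negotiated in configured, configured, negotiated


def dh_group_report(config_text, sa_detail):
    """Build a one-line human-readable verdict for an operator."""
    ok, configured, negotiated = check_dh_group(config_text, sa_detail)
    role = sa_role(sa_detail) or "unknown role"
    if ok:
        return f"OK: {role} SA uses DH group {negotiated}, which is configured"
    return (f"MISMATCH: {role} SA uses DH group {negotiated}, "
            f"but the proposal only configures {sorted(configured)}")


if __name__ == "__main__":
    print(dh_group_report(PROPOSAL_CONFIG, SA_DETAIL))
```

Running it against the quoted output reports a mismatch (configured {14}, negotiated 5), which is exactly the discrepancy the post is asking about; on a healthy tunnel the negotiated group should be one of the configured ones.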

Solution (accepted by topic author oldcreek, 08-07-2019 11:27 PM)

Re: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

‎08-07-2019 04:52 PM

Hi oldcreek,


As per the IKEv2 RFC:


"Communication using IKE always begins with IKE_SA_INIT and IKE_AUTH exchanges (known in IKEv1 as Phase 1). These initial exchanges normally consist of four messages, though in some scenarios that number can grow. All communications using IKE consist of request/response pairs.

The first pair of messages (IKE_SA_INIT) negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange [DH]. The second pair of messages (IKE_AUTH) authenticate the previous messages, exchange identities and certificates, and establish the first Child SA.
...
Because the initiator sends its Diffie-Hellman value in the IKE_SA_INIT, it must guess the Diffie-Hellman group that the responder will select from its list of supported groups. If the initiator guesses wrong, the responder will respond with a Notify payload of type INVALID_KE_PAYLOAD indicating the selected group. In this case, the initiator MUST retry the IKE_SA_INIT with the corrected Diffie-Hellman group. The initiator MUST again propose its full set of acceptable cryptographic suites..."


Based on that, I think the SRX could be using DH group 14 as configured; however, the ASA could be replying and telling it to use Group 5, after which the SRX uses Group 5. Can you confirm that Group 5 is not configured on the remote end?


If both ends are configured to use Group 5, then I would take a packet capture and confirm the DH group used by the SRX and whether the ASA is asking for DH Group 5. In the following screenshots, from captures found on the Internet, I believe Wireshark displays the DH group being used by the initiator:


[Screenshot attachment: DH 1.PNG]


[Screenshot attachment: DH 2.PNG]


Ref: https://tools.ietf.org/html/rfc7296#section-1.2

Ref: https://www.cloudshark.org/captures/767a93d720ad

Ref: https://blog.webernetz.net/ikev1-ikev2-capture/


Hope this helps.


Please mark this comment as the Solution if applicable
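To make the RFC 7296 section 1.2 behaviour quoted in this answer concrete, here is an added Python model of the IKE_SA_INIT exchange; it is not code from the answer, from Juniper, or from Cisco. The initiator sends its full list of acceptable DH groups plus a KE payload for the group it guesses; the responder walks its own policies in priority order (an assumption modeled on the sequence-numbered policy table oldcreek describes for the ASA), and if its pick differs from the guessed group it answers INVALID_KE_PAYLOAD with the selected group, after which the initiator retries. Message and class names are my own simplifications; there is no real IKE encoding here.

```python
from dataclasses import dataclass

# IANA Diffie-Hellman group transform IDs used in this thread.
MODP_1536 = 5    # "DH-group-5"
MODP_2048 = 14   # "group14"


@dataclass
class InitRequest:
    """Simplified IKE_SA_INIT request: the offered groups and the group of the KE payload."""
    proposed_groups: list
    ke_group: int


@dataclass
class Responder:
    """Peer whose policies are tried in priority order (modelled on a sequence-numbered policy table)."""
    policy_groups: list

    def handle_init(self, req):
        # Per RFC 7296 the responder selects from what the initiator proposed; the first
        # local policy that the initiator also offered wins. If the KE payload is for a
        # different group than the one selected, the reply is INVALID_KE_PAYLOAD.
        for group in self.policy_groups:
            if group in req.proposed_groups:
                if group != req.ke_group:
                    return ("INVALID_KE_PAYLOAD", group)
                return ("IKE_SA_INIT_RESPONSE", group)
        return ("NO_PROPOSAL_CHOSEN", None)


def negotiate(initiator_groups, responder, max_retries=2):
    """Run IKE_SA_INIT from the initiator's side.

    Returns (agreed_group_or_None, transcript) where transcript is a list of
    (ke_group_sent, reply_type, group_in_reply) tuples, one per round trip.
    """
    transcript = []
    ke_group = initiator_groups[0]  # the initiator guesses its most preferred group
    for _ in range(max_retries + 1):
        reply, group = responder.handle_init(InitRequest(list(initiator_groups), ke_group))
        transcript.append((ke_group, reply, group))
        if reply == "IKE_SA_INIT_RESPONSE":
            return group, transcript
        if reply == "INVALID_KE_PAYLOAD" and group in initiator_groups:
            ke_group = group  # retry with the corrected group, re-proposing the full set
            continue
        return None, transcript  # no acceptable proposal, or a group we never offered
    return None, transcript


if __name__ == "__main__":
    peer = Responder([MODP_1536, MODP_2048])  # peer prefers group 5, also accepts 14
    for offered in ([MODP_2048], [MODP_2048, MODP_1536]):
        agreed, log = negotiate(offered, peer)
        print(f"initiator offers {offered}: agreed group {agreed}, rounds {log}")
```

Two runs illustrate the point of this thread: an initiator that offers only group 14 ends on group 14 in a single round trip even though the peer prefers group 5, because the responder may only select from what was proposed; an initiator that also offers group 5 gets INVALID_KE_PAYLOAD on its group-14 guess and comes up on group 5 after the retry. Seeing DH-group-5 on an SRX whose policy references only a group14 proposal is therefore worth confirming in a capture, as the answer suggests.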

Re: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

‎08-07-2019 05:47 PM

Thank you stwardIp, that makes sense. The ASA takes a different approach to IKE policy configuration: the IKE policy map is defined at the global level and comprises multiple policies, so it is very possible that the peer's IKE map has DH-group5 in a policy with a lower sequence number. What does not make sense is that my side already shows the IKE SA as up, but the peer is complaining about a mismatched DH group.


Re: IKEv2 configured DH-group 14 but SA comes up with DH-group 5, peer complains mismatched DH-group

‎08-07-2019 06:03 PM

Yes, I thought the same. And why would the SRX agree to use Group 5 if it is configured with Group 14 only?


If you can take the pcap, it would be great to confirm whether my theory is correct so we can mark the post as Resolved.


Please mark this comment as the Solution if applicable