ASA IKEv2 Multiple Key Exchange

IKEv2 normally uses a single Diffie-Hellman (DH) key exchange during the IKE_SA_INIT phase to derive a shared secret between the VPN peers. Multiple Key Exchanges lets the peers perform more than one key exchange. The main reason for this feature is quantum-resilience and hybrid cryptography. Instead of trusting just one key exchange method, you mix multiple methods so an attacker must break all of them to compromise the VPN keys.

This post describes configuring multiple IKEv2 key exchanges on Cisco ASA platform.

Software

The information in this post is based on software version: –

  • ASA version 9.20(2)2

Configuration

The typical IKEv2 policy will be configured with encryption, integrity, DH group, PFS and lifetime, as the example below.

crypto ikev2 policy 5
 encryption aes-gcm-256
 integrity null
 group 21 20 19
 prf sha256
 lifetime seconds 86400

You can configure one or more key exchange method, using DH group as 14, 15, 16, 19, 20, 21, or 31. Each peer must be configured with the same number of additional key exchanges and match at least one additional key exchange method.

  • Edit the IKEv2 policy and configure up to 7 additional key exchanges in addition to the encryption, integrity, DH group, PFS and lifetime (as above).
crypto ikev2 policy 5
 encryption aes-gcm-256  
 integrity null  
 group 21 20 19  
 prf sha256  
 lifetime seconds 86400
 additional-key-exchange 1
  key-exchange-method 31 21
 additional-key-exchange 2
  key-exchange-method 19 15 14
 additional-key-exchange 3
  key-exchange-method 15

NOTE – the peer device must also support multiple key exchanges. If using multiple key exchange methods per additional key exchange, at least one DH group must match.

Verification

From the CLI of the ASA, run the command show crypto ikev2 sa detail

ASA1# show crypto ikev2 sa detail

IKEv2 SAs:
Session-id:17, Status:UP-ACTIVE, IKE count:28, CHILD count:1
Tunnel-id Local                 Remote            fvrf/ivrf          Status   Role
2551259543 1.1.1.1/500          3.3.3.1/500       Global/Global      READY    INITIATOR
      Encr: AES-GCM, keysize: 256, Hash: N/A, DH Grp:21, Auth sign: PSK, Auth verify: PSK
      Additional Key Exchange Group: AKE1: 31  AKE2: 14  AKE3: 15
      Life/Active Time: 86400/2 sec
      Session-id: 17
      Status Description: Negotiation done
      Local spi: 7BE0C0C295D6B9FA       Remote spi: E1C52BDFF3912277
      Local id: 1.1.1.1
      Remote id: 3.3.3.1
      Local req mess id: 6              Remote req mess id: 1
      Local next mess id: 6             Remote next mess id: 1
      Local req queued: 6               Remote req queued: 1
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected
      IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
      VTI Interface: TUNNEL1 / Tunnel1
      Remote subnets:
         10.5.100.2 255.255.255.255
Parent SA Extended Status:
      Delete in progress: FALSE
      Marked for delete: FALSE

From the output above you can determine multiple key exchanges have been established with the line  “Additional Key Exchange Group: AKE1: 31  AKE2: 14  AKE3: 15”

You will note that AKE2 is DH group 14, this was the third additional key method configured under additional key exchange #2 on the local ASA. This is because peer device did not have DH group 19 or 15 configured.

A packet capture of the IKEv2 exchange, you will be able to determine the additional key exchange (ADDKE) attributes.

Run debug on the ASA using the command debug crypto ikev2 protocol 127. From the output below you can determine the additional key exchange groups (AKE).

ASA2# debug crypto ikev2 protocol 127
ASA2(config)# IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_SET_POLICY
IKEv2-PROTO-7: (1033): Setting configured policies
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GEN_DH_KEY
IKEv2-PROTO-4: (1033): [IKEv2 -> Crypto Engine] Computing DH public key, DH Group 21
IKEv2-PROTO-4: (1033): Request queued for computation of DH key
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP
IKEv2-PROTO-7: (1033): Action: Action_Null
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE
IKEv2-PROTO-7: (1033): SM Trace-> SA: I_SPI=5AD5AB7C8ADF5B66 R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG
IKEv2-PROTO-4: (1033): Generating IKE_SA_INIT message
IKEv2-PROTO-4: (1033): IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 11
(1033):    AES-GCM(1033):    AES-GCM(1033):    AES-GCM(1033):    SHA256(1033):    DH_GROUP_521_ECP/Group 21(1033):    DH_GROUP_384_ECP/Group 20(1033):    DH_GROUP_256_ECP/Group 19(1033):    AKE1:KEM_GROUP_25519_ECP/Group 31(1033):    AKE1:KEM_GROUP_521_ECP/Group 21(1033):    AKE2:KEM_GROUP_2048_MODP/Group 14(1033):    AKE3:KEM_GROUP_3072_MODP/Group 15
IKEv2-PROTO-7: Construct Vendor Specific Payload: DELETE-REASONIKEv2-PROTO-7: Construct Vendor Specific Payload: (CUSTOM)
IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_SOURCE_IP
IKEv2-PROTO-7: Construct Notify Payload: NAT_DETECTION_DESTINATION_IP
IKEv2-PROTO-7: Construct Notify Payload: IKEV2_FRAGMENTATION_SUPPORTED
IKEv2-PROTO-7: Construct Vendor Specific Payload: FRAGMENTATION
IKEv2-PROTO-7: Construct Notify Payload: INTERMEDIATE_EXCHANGE_SUPPORTED(1033):
IKEv2-PROTO-4: (1033): Sending Packet [To 1.1.1.1:500/From 3.3.3.1:500/VRF i0:f0]
(1033): Initiator SPI : 5AD5AB7C8ADF5B66 - Responder SPI : 0000000000000000 Message id: 0
(1033): IKEv2 IKE_SA_INIT Exchange REQUESTIKEv2-PROTO-5: (1033): Next payload: SA, version: 2.0 (1033): Exchange type: IKE_SA_INIT, flags: INITIATOR (1033): Message id: 0, length: 522(1033):
Payload contents:
(1033):  SA(1033):   Next payload: KE, reserved: 0x0, length: 112
(1033):   last proposal: 0x0, reserved: 0x0, length: 108
  Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 11(1033):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
(1033):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
(1033):     last transform: 0x3, reserved: 0x0: length: 12
    type: 1, reserved: 0x0, id: AES-GCM
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 2, reserved: 0x0, id: SHA256
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_521_ECP/Group 21
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_384_ECP/Group 20
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 4, reserved: 0x0, id: DH_GROUP_256_ECP/Group 19
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 6, reserved: 0x0, id: AKE1:KEM_GROUP_25519_ECP/Group 31
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 6, reserved: 0x0, id: AKE1:KEM_GROUP_521_ECP/Group 21
(1033):     last transform: 0x3, reserved: 0x0: length: 8
    type: 7, reserved: 0x0, id: AKE2:KEM_GROUP_2048_MODP/Group 14
(1033):     last transform: 0x0, reserved: 0x0: length: 8
    type: 8, reserved: 0x0, id: AKE3:KEM_GROUP_3072_MODP/Group 15
(1033):  KE(1033):   Next payload: N, reserved: 0x0, length: 140
(1033):     DH group: 21, Reserved: 0x0

When troubleshooting multiple key exchanges, if the peer is not configured to use multiple keys exchanges the debugs will confirm a discrepancy in the received and expected policies. From the output below, we can determine the peer device did not send any additional key exchange groups, but the local ASA is expecting to receive them, the outcome is the IKEv2 exchange fails.

IKEv2-PROTO-2: (1226): Failed to find a matching policy
IKEv2-PROTO-2: (1226): Received Policies:
Proposal 1:  AES-GCM-256 SHA256 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20 DH_GROUP_256_ECP/Group 19
IKEv2-PROTO-2: (1226): Failed to find a matching policy
IKEv2-PROTO-2: (1226): Expected Policies:
Proposal 1:  AES-GCM-256 SHA256 DH_GROUP_521_ECP/Group 21 DH_GROUP_384_ECP/Group 20 DH_GROUP_256_ECP/Group 19 KEM_GROUP_25519_ECP/Group 31 KEM_GROUP_521_ECP/Group 21 KEM_GROUP_256_ECP/Group 19 KEM_GROUP_3072_MODP/Group 15 KEM_GROUP_2048_MODP/Group 14 KEM_GROUP_3072_MODP/Group 15
IKEv2-PROTO-2: (1226): Failed to find a matching policy

References

Refer to the Cisco ASA VPN guide for more information about IKEv2 multiple key exchanges. https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/vpn/asa-920-vpn-config/vpn-site2site.html?bookSearch=true#configure-multiple-key-exchanges-for-ikev2

 

 

Tags: , , ,

Leave a Reply