IPSec无法建立?注意第一阶段hash sha !
该篇注意记录一下,有些情况下,我们配置了IPSec ,但是就是无法建立,发现连第一阶段都无法建立起来。
1、检查配置无问题
2、开启debug crypto isakmp发现有IKE的重传
3、show crypto session、show crypto isakmp sa等会话肯定是没有建立起来的
如果遇到这样的情况,请检查IKE第一阶段是否配置了hash sha256 / sha512 等。
The algorithms that make up NGE(Next Generation Encryption ) are the result of more than 30 years of global advances and evolution in cryptography. Each component of NGE has its own history, which depicts the diverse history of the NGE algorithms and their longstanding academic and community review. NGE comprises globally created, globally reviewed, and publicly available algorithms.
NGE algorithms are integrated into Internet Engineering Task Force (IETF), IEEE, and other international standards. As a result, NGE algorithms have been applied to the most recent and highly-secure protocols that protect user data, such as Internet Key Exchange Version 2 (IKEv2).
Types of cryptographic algorithms include:
- Symmetric encryption -128-bit or 256-bit Advanced Encryption Standard (AES) in GCM (Galois/Counter mode)
- Hash - Secure Hash Algorithms (SHA)-2 (SHA-256, SHA-384, and SHA-512)
- Digital signatures -Elliptic Curve Digital Signature Algorithm (ECDSA)
- Key agreement - Elliptic Curve Diffie-Hellman (ECDH)
下面是思科官方公布的IOS和IOS XE对下一代加密算法的支持情况:
Platforms | Crypto Engine Type | Supported by NGE | First Version of Cisco IOS/IOS-XE to Support NGE |
---|---|---|---|
All platforms that run Cisco IOS classic |
Cisco IOS software crypto engine | Yes | 15.1(2)T |
7200 | VAM/VAM2/VSA | No | N/A |
ISR G1 | All | No | N/A |
ISR G2 2951, 3925, 3945 | Onboard1 | Yes | 15.1(3)T |
ISR G2 (excludes 3925E/3945E) | VPN-ISM1 | Yes | 15.2(1)T1 |
ISR G2 1900, 2901, 2911, 2921, 3925E, 3945E | Onboard1 | Yes | 15.2(4)M |
ISR G2 CISCO87x | Software / Hardware | No | N/A |
ISR G2 CISCO86x/C86x | Software2 | Yes | 15.1(2)T |
ISR G2 C812/C819 | Software / Hardware | Yes | Day 1 |
ISR G2 CISCO88x/CISCO89x |
Software / Hardware3 | Yes | 15.1(2)T |
ISR G2 C88x |
Software / Hardware4 | Yes | Day 1 |
6500/7600 | VPN-SPA | No | N/A |
ASR 1000 | Onboard | Yes | Note5 |
ASR 1001-X, ASR 1002-X, ASR 1006-X, ASR 1009-X | Onboard | Yes | Cisco IOX-XE 3.12 (15.4(2)S) |
ASR 1001-HX, ASR1002-HX | Optional Crypto module | Yes | Denali-16.3.1 |
ISR 4451-X | Onboard | Yes | Cisco IOS-XE 3.9 (15.3(2)S) |
ISR 4321, 4331, 4351, 4431 | Onboard | Yes | Cisco IOS-XE 3.13 (15.4(3)S) |
ISR 42xx | Onboard | Yes | Cisco IOS-XE Everest 16.4.1 |
CSR 1000v | Software | Yes | Cisco IOS-XE 3.12 (15.4(2)S) |
ISR 1100 | Onboard | Yes | Cisco IOS-XE Everest 16.6.2 |
Note 1: On the ISR G2 platform, if ECDH/ECDSA is configured, these cryptographic operations will be run in software irrespective of the cryptographic engine. AES-GCM-128 and AES-GCM-256 encryption algorithms have been supported for IKEv2 control plane protection since Version 15.4(2)T. |
|||
Note 2: ISR G2 CISCO86x/C86x does not have NGE support in the hardware crypto engine. |
|||
Note 3: ISR G2 CISCO88x/CISCO89x has hardware support for SHA-256 ONLY with Version 15.2(4)M3 or later. |
|||
Note 4: These C88x SKUs have no hardware support for NGE: C881SRST-K9, C881SRSTW-GN-A-K9, C881SRSTW-GN-E-K9, C881-CUBE-K9, C881-V-K9, C881G-U-K9, C881G-S-K9, C881G-V-K9, C881G-B-K9, C881G+7-K9, C881G+7-A-K9, C886SRST-K9, C886SRSTW-GN-E-K9, C886VA-CUBE-K9, C886VAG+7-K9, C887SRST-K9, C887SRSTW-GN-A-K9, C887SRSTW-GN-E-K9, C887VSRST-K9, C887VSRSTW-GNA-K9, C887VSRSTW-GNE-K9, C887VA-V-K9, C887VA-V-W-E-K9, C887VA-CUBE-K9, C887VAG-S-K9, C887VAG+7-K9, C887VAMG+7-K9, C888SRSTW-GN-A-K9, C888SRSTW-GN-E-K9, C888SRST-K9, C888ESRST-K9, C888ESRSTW-GNA-K9, C888ESRSTW-GNE-K9, C888-CUBE-K9, C888E-CUBE-K9, and C888EG+7-K9. |
|||
Note 5: Support for the NGE control plane (ECDH and ECDSA) has been introduced with Version XE3.7 (15.2(4)S). Initial control plane SHA-2 support was for IKEv2 only, with IKEv1 support added in Version XE3.10 (15.3(3)S). AES-GCM-128 and AES-GCM-256 encryption algorithms have been supported for IKEv2 control plane protection since Version XE3.12 (15.4(2)S) and 15.4(2)T. NGE dataplane support was added in Version XE3.8 (15.3(1)S) for Octeon based platforms only (ASR1006 or ASR1013 with an ESP-100 or ESP-200 module); dataplane support is not available for other ASR1000 platforms. |
如果我们的设备的版本没有在支持的版本里面,那就是不支持下一代加密算法的,这样的情况,在不升级的情况下,只能将hash 修改为sha-1 或 md5 等。
另外,对于该情况相关的bug说明:
On an ASR1000 series router, the CLI allows configuration of SHA-2 for ISAKMP, e.g.:
crypto isakmp policy 10
hash sha256
However, the VPN tunnel will not establish.
Crypto debugs indicate that phase 1 fails with "ISAKMP : Unable to allocate IKE SA " on the responder.
Please note that this is expected behavior, since SHA-2 is not supported yet on the ASR1000. Please refer to CSCtn18426.
This bug serves to remove the CLI commands that are not yet supported.
Conditions:
N/A
Workaround:
Use SHA-1.