Friday, February 9, 2018

Diffie Hellman Group Selection in IKEv2

  • Because the initiator sends its KEi value in the IKE_SA_INIT, it must guess the DH group that the responder will select from its list of supported groups.  If the initiator guesses wrong, the responder will respond with a Notify payload of type INVALID_KE_PAYLOAD indicating the selected group.  In this case, the initiator MUST retry the IKE_SA_INIT with the corrected DH group.

*Feb  7 16:17:56.924: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
*Feb  7 16:17:56.924: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb  7 16:17:56.925: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb  7 16:17:56.926: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
*Feb  7 16:17:56.926: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
*Feb  7 16:17:56.927: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation),
Num. transforms: 11
   AES-CBC   AES-CBC   SHA256   SHA384   SHA256   SHA384   DH_GROUP_2048_MODP/Group 14   DH_GROUP_256_ECP/Group 19   DH_GROUP_1536_MODP/Group 5   DH_GROUP_4096_MODP/Group 16   DH_GROUP_3072_MODP/Group 15

*Feb  7 16:17:56.931: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 10.150.2.1:500/From 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 97211F401E241BD2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange REQUEST
Payload contents:
 SA KE N VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP)

*Feb  7 16:17:56.937: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA

*Feb  7 16:17:56.950: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 10.150.2.1:500/To 10.150.1.1:500/VRF i0:f0]
Initiator SPI : 97211F401E241BD2 - Responder SPI : 0000000000000000 Message id: 0
IKEv2 IKE_SA_INIT Exchange RESPONSE
Payload contents:
 NOTIFY(INVALID_KE_PAYLOAD)

*Feb  7 16:17:56.952: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
*Feb  7 16:17:56.952: IKEv2:(SESSION ID = 1,SA ID = 1):Processing invalid ke notification, we sent group 14, peer prefers group 5
*Feb  7 16:17:56.953: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
*Feb  7 16:17:56.953: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 5
*Feb  7 16:17:56.954: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
*Feb  7 16:17:56.954: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
*Feb  7 16:17:56.955: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch

*Feb  7 16:17:56.956: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection should be verified:   ·         DNS Pe...

  • PxGrid Part # 3 - Troubleshooting FMC-ISE Identity Sync
    From FMC CLI, verify ISE integration status using the command   root@vFPMC:/etc/rc.d# cat /var/sf/run/adi-health $status = {      'ADI&#...
  • CUCM SIP Early Offer
    By default CUCM uses SIP Delayed Offer. In order to enable Early Offer, use one of the following methods: MTP is required ...
  • SIP Call Transfer
    In SIP IOS call transfer is achieved using REFER method. Similar to H450.2, a REFER message will be sent from transferor to transferee t...