IKEv2 IOS to ASA with aes-gcm-256 encryption

Hello forum.

After reading the Cisco Next Generation Encryption document, I decided to reconfigure a bench ASA5525 to 1921 IKEv2 link using aes-gcm-256 encryption. The config on the ASA was a snap, but the 1921 continues to give me grief.

After entering the proposal with only the encryption method and group, the runfile shows:

crypto ikev2 proposal Prop-asa01
 ! Proposal Incomplete(MUST have atleast an encryption algorithm, an integrity algorithm and a dh group configured)
 encryption aes-gcm-256
 group 21

The warning message seems odd since aes-gcm-256 does not require integrity as it is included in the algorithm. When I tried to attach the proposal to the policy, I was told that “Policy Incomplete(MUST have at least one complete proposal attached)”.

There doesn’t appear to be a null integrity option in the proposal options:

vpn01.sennyc(config-ikev2-proposal)#integrity ?
  md5     Message Digest 5
  sha1    Secure Hash Standard
  sha256  Secure Hash Standard 2 (256 bit)
  sha384  Secure Hash Standard 2 (384 bit)
  sha512  Secure Hash Standard 2 (512 bit)

Any ideas how I can use aes-gcm encryption on the 1921 and get around the integrity warning? The 1921 is running Version 15.7(3)M9.


Hello Keith

Indeed, the aes-gcm-256 encryption option includes integrity so it should not require any integrity configuration. On the ASA, you have the option of specifying null for integrity, but not on the 1921. I have been unable to find documentation for the 1921 that specifies how to use aes-gcm-256 successfully. Is the warning message only a warning or does the actual VPN fail to come up? If it’s just a warning, then it could be just a bug. If it actually causes the link to fail, then try to apply an integrity option on both ends and see if that resolves the problem. If that doesn’t work, you may need to consider using a different algorithm. Let us know how you get along so we can help you further.

I hope this has been helpful!
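
As a reference point for the thread above, here is an added example (not part of either post, and not Cisco code) that checks an IKE SA proposal against the transform rules in RFC 7296 section 3.3: a combined-mode (AEAD) cipher must carry no integrity transform other than NONE, but a PRF and a DH group are still required. It models the protocol rules only, not the IOS or ASA parser; the dict layout, function names and every sample other than the proposal quoted in the question are assumptions constructed for illustration.

```python
# Added example: RFC 7296 section 3.3 transform rules for an IKE SA proposal.
# The dict layout and all names here are assumptions made for this sketch.

AEAD_PREFIXES = ("aes-gcm", "aes-ccm", "chacha20-poly1305")


def is_aead(encr):
    """True if the cipher name is a combined-mode (AEAD) algorithm."""
    return encr.lower().startswith(AEAD_PREFIXES)


def check_ike_proposal(p):
    """Return a list of problems; an empty list means the proposal is complete."""
    problems = []
    encr = p.get("encr", [])
    # An explicit NONE integrity transform is treated the same as omitting it.
    integ = [i for i in p.get("integ", []) if i.lower() != "none"]

    if not encr:
        problems.append("no encryption transform")
    if not p.get("prf"):
        problems.append("no PRF transform (still needed for key derivation with AEAD)")
    if not p.get("dh"):
        problems.append("no DH group")

    aead = [e for e in encr if is_aead(e)]
    classic = [e for e in encr if not is_aead(e)]
    if aead and classic:
        problems.append("AEAD and non-AEAD ciphers mixed in one proposal")
    elif aead and integ:
        problems.append("integrity transform offered with an AEAD cipher")
    elif classic and not integ:
        problems.append("non-AEAD cipher without an integrity transform")
    return problems


# The proposal exactly as typed in the question: encryption and group only.
PAGE_PROPOSAL = {"encr": ["aes-gcm-256"], "dh": ["21"]}

# Constructed variants for comparison (not taken from the thread).
WITH_PRF = {"encr": ["aes-gcm-256"], "prf": ["sha512"], "dh": ["21"]}
WITH_INTEG = {"encr": ["aes-gcm-256"], "prf": ["sha512"],
              "integ": ["sha512"], "dh": ["21"]}
CBC_NO_INTEG = {"encr": ["aes-cbc-256"], "prf": ["sha512"], "dh": ["21"]}

if __name__ == "__main__":
    for name in ("PAGE_PROPOSAL", "WITH_PRF", "WITH_INTEG", "CBC_NO_INTEG"):
        print(name, "->", check_ike_proposal(globals()[name]) or "complete")
```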