asa 5510 ipsec proposal sha256

Unanswered Question
Feb 18th, 2014

Hi, we have a 5510 ASA with 9.1(3) firmware, Security Plus license.

I can't configure SHA256 in the IPsec proposal; is there any reason for that?

The only 2 options are MD5 and SHA1:

asa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1
asa(config-ipsec-proposal)# protocol esp integrity

pculka001 Tue, 02/18/2014 - 07:57

Just to be clear, we are talking about IKEv2; here is the error message:

IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies: 
Proposal 1:  AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14

IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies: 
Proposal 1:  AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
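The debug above is typical of an IKEv2 proposal mismatch: the "Received Policies" block is what the peer offered and the "Expected Policies" block is what the local ASA is configured to accept, and the two differ in exactly one transform. The following Python helper is an added example (not part of pculka001's post and not a Cisco tool) that parses such debug lines and names the differing field, so the operator does not have to compare the proposals by eye. It assumes the transforms on a "Proposal N:" line are printed in the order encryption, integrity, PRF, DH group, and that the DH group prints as a name followed by a group number (as in the sample); both assumptions are marked in the code. The sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample input: the IKEv2 debug lines quoted in the post above,
# with the remote peer's proposal (Received) and the local configuration (Expected).
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies:
Proposal 1:  AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies:
Proposal 1:  AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
"""

# Assumed field order of a "Proposal N:" line: encryption, integrity, PRF,
# DH group. Adjust this tuple if your platform prints the transforms differently.
FIELDS = ("encryption", "integrity", "prf", "dh_group")

SECTION_RE = re.compile(r"(Received|Expected) Policies:\s*$")
PROPOSAL_RE = re.compile(r"^\s*Proposal\s+(\d+):\s+(.*\S)\s*$")


def parse_proposal(algorithms):
    """Split the algorithm list of one proposal line into named fields."""
    tokens = algorithms.split()
    # The DH group prints as e.g. "DH_GROUP_2048_MODP/Group 14" (assumed
    # format): rejoin the trailing group number with its name.
    if len(tokens) > 1 and tokens[-1].isdigit():
        tokens[-2:] = [" ".join(tokens[-2:])]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"unexpected proposal format: {algorithms!r}")
    return dict(zip(FIELDS, tokens))


def parse_debug(log):
    """Collect proposals under each 'Received'/'Expected Policies:' header.

    Returns {"Received": {num: fields}, "Expected": {num: fields}}. Lines
    outside a known section (e.g. 'Failed to find a matching policy') are ignored.
    """
    sections = {"Received": {}, "Expected": {}}
    current = None
    for line in log.splitlines():
        header = SECTION_RE.search(line)
        if header:
            current = header.group(1)
            continue
        proposal = PROPOSAL_RE.match(line)
        if proposal and current:
            sections[current][int(proposal.group(1))] = parse_proposal(proposal.group(2))
    return sections


def find_mismatches(sections):
    """Pair every received proposal with every expected one and list the
    fields that differ as (recv_num, exp_num, field, received, expected)."""
    mismatches = []
    for rnum, recv in sorted(sections["Received"].items()):
        for enum_, exp in sorted(sections["Expected"].items()):
            for field in FIELDS:
                if recv[field] != exp[field]:
                    mismatches.append((rnum, enum_, field, recv[field], exp[field]))
    return mismatches


def diagnose(log):
    """Return human-readable findings for an IKEv2 policy-mismatch debug."""
    sections = parse_debug(log)
    if not sections["Received"] or not sections["Expected"]:
        return ["no Received/Expected proposal pairs found in debug output"]
    mismatches = find_mismatches(sections)
    if not mismatches:
        return ["proposals agree on every field; look beyond the IKE SA proposal"]
    return [
        f"received proposal {r} vs expected proposal {e}: {field} "
        f"{got} (peer) != {want} (local)"
        for r, e, field, got, want in mismatches
    ]


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_DEBUG):
        print(finding)
```

Run against the sample, the only finding is the integrity transform (SHA256 offered by the peer, SHA1 expected locally), which matches the thread's conclusion that the fix is either to offer SHA1 from the peer side or to move to a platform that accepts SHA-2 for that transform. When several proposals appear on each side, every pairing is reported so the operator can see which single change would make at least one pair match.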

pculka001 Wed, 02/19/2014 - 06:08

Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals.

Is this true?

iai-admins Mon, 08/11/2014 - 12:55

I found this limitation listed in the Cisco documentation.

Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:

"... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."

Since Cisco has announced the end-of-life date for these older platforms, it may be a good time to evaluate migrating to the newer hardware. The standard SHA-1 is plenty of hash for the IPsec SAs for now until systems are replaced with the new gear.

The following legacy models do not support ASA 9.2 (refer to the link at the bottom). That is why in the 9.2 guide the note "... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)." was removed. In other words, the following models do not support SHA-2 in IKEv1 or IPsec (but they do support SHA-2 in IKEv2).

ASA 5510, 5520, 5540
ASA 5550
ASA 5580
ASA 1000V

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx...

Ben Tue, 11/03/2015 - 06:42

Your link (as of right now) says 9.2 is supported on the 5505, but SHA-2 for ESP integrity is not supported on the 5505 despite what half the documentation says. The 9.2 VPN CLI configuration guide page 1-31 says it should support it, while page 6-10 says it doesn't support it. SHA-1 it is then, it seems.
