asa 5510 ipsec proposal sha256

pculka001 (Level 1)

Hi, we have a 5510 ASA with 9.1(3) firmware and a Security Plus license.

I can't configure SHA-256 in the IPsec proposal; is there any reason for that?

The only 2 options are MD5 and SHA-1:

asa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1

asa(config-ipsec-proposal)# protocol esp integrity


pculka001 (Level 1)

Just to be clear, we are talking about IKEv2. Here is the error message:

IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies: 
Proposal 1:  AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies: 
Proposal 1:  AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14

pculka001 (Level 1)


"Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals."

Is this true?

I found this limitation listed in the Cisco documentation.

Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:

"... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."

Since Cisco has announced the end-of-life date for these older platforms, it may be a good time to evaluate migrating to the newer hardware. The standard SHA-1 is plenty of hash for the IPsec SAs for now, until the systems are replaced with the new gear.
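As an added example (not posted by anyone in this thread), here is what a configuration aimed at the debug output above looks like in ASA 9.1 syntax: the IKEv2 policy is brought in line with the peer's received proposal (AES-256, SHA-256 integrity, SHA-256 PRF, DH group 14), while the child-SA proposal uses sha-1 for ESP integrity, since that is the strongest option the 5510 offers in `protocol esp integrity`. The IKEv2 policy lines assume, as a later reply in this thread states, that SHA-2 is accepted in `crypto ikev2 policy` on these models; if the parser rejects `integrity sha256`, the remaining option is to set the peer to SHA-1 integrity instead. The peer address 203.0.113.2, the 10.1.1.0/24 and 10.2.2.0/24 subnets, the object and proposal names, and the pre-shared-key placeholder are all made up for illustration.

```cisco
! IKEv2 policy (IKE_SA_INIT): must match the peer's "Received Policies" line
! AES-CBC-256 / SHA256 integrity / SHA256 PRF / DH_GROUP_2048_MODP (group 14)
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 prf sha256
 group 14
 lifetime seconds 86400
!
! IPsec (child SA) proposal: on a 5510 running 9.1 the only ESP integrity
! choices offered are md5, null and sha-1, so sha-1 is the strongest available
crypto ipsec ikev2 ipsec-proposal AES256-SHA1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto ikev2 enable outside
!
! Assumed peer and traffic selector (illustrative values, not from the thread)
access-list L2L-VPN extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L-VPN
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal AES256-SHA1
crypto map OUTSIDE_MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key REPLACE-WITH-REAL-PSK
 ikev2 local-authentication pre-shared-key REPLACE-WITH-REAL-PSK
!
! Verification once the tunnel is up: the first shows the negotiated IKE SA
! algorithms, the second the child SA (expect AES-256 with SHA-1 here)
show crypto ikev2 sa
show crypto ipsec sa
```

The peer must offer the same child-SA proposal (AES-256 with SHA-1), otherwise the IKE SA will establish but the CREATE_CHILD_SA/IKE_AUTH exchange will fail on the ESP transform rather than on the policy shown in the debug above.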

Just for the archive:

5505 with 9.2 supports SHA-256, and the quote from the 9.1 guide is gone in 9.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-ike.html


Michael

The following legacy models do not support ASA 9.2 (refer to the link at the bottom). That is why in 9.2 guide the note "... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)." was removed. In other words, the following models do not support SHA-2 in IKEv1 or IPsec (but they do support SHA-2 in IKEv2).


ASA 5510, 5520, 5540

ASA 5550

ASA 5580

ASA 1000V


http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Your link (as of right now) says 9.2 is supported on the 5505, but SHA-2 for ESP integrity is not supported on the 5505, despite what half the documentation says. The 9.2 VPN CLI configuration guide, page 1-31, says it should support it, while page 6-10 says it doesn't. SHA-1 it is then, it seems.
