Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA 5505 next generation encryption

Hi All,

ASA version 9 now includes the next generation (suite B) for encryption.
I have found the following Q&A:

Q. Is next generation encryption available on all ASA platforms?

A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.

http://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-appliance-asa-software/qa_c67-712934.html

But cant actually find a definitive list of what is actually available on the ASA 5505.
For example, could it run aes-gcm?

Any help/information would be greatly appreciated.

Thanks,

 

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

I do not have a complete

I do not have a complete documentation on that, but at least the encryption is quite limited. Here is what my 5505 supports:

 

asa(config)# sh version
Cisco Adaptive Security Appliance Software Version 9.1(3)

 


asa(config)# crypto ikev1 policy 10
asa(config-ikev1-policy)# encryption ?

ikev1-policy mode commands/options:
  3des     3des encryption
  aes      aes-128 encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption

asa(config-ikev1-policy)# hash ?

ikev1-policy mode commands/options:
  md5  set hash md5
  sha  set hash sha1

asa(config-ikev1-policy)# group ?

ikev1-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
  7  Diffie-Hellman group 7 (DEPRECATED)

 

 

asa(config)# crypto ikev2 policy 10
asa(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

asa(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

asa(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1   Diffie-Hellman group 1
  14  Diffie-Hellman group 14
  19  Diffie-Hellman group 19
  2   Diffie-Hellman group 2
  20  Diffie-Hellman group 20
  21  Diffie-Hellman group 21
  24  Diffie-Hellman group 24
  5   Diffie-Hellman group 5

asa(config-ikev2-policy)# prf ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

 

 

asa(config)# cry ipsec ikev1 transform-set TEST ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication

 


asa(config)# crypto ipsec ikev2 ipsec-proposal TEST
asa(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

asa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
2 REPLIES
VIP Purple

I do not have a complete

I do not have a complete documentation on that, but at least the encryption is quite limited. Here is what my 5505 supports:

 

asa(config)# sh version
Cisco Adaptive Security Appliance Software Version 9.1(3)

 


asa(config)# crypto ikev1 policy 10
asa(config-ikev1-policy)# encryption ?

ikev1-policy mode commands/options:
  3des     3des encryption
  aes      aes-128 encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption

asa(config-ikev1-policy)# hash ?

ikev1-policy mode commands/options:
  md5  set hash md5
  sha  set hash sha1

asa(config-ikev1-policy)# group ?

ikev1-policy mode commands/options:
  1  Diffie-Hellman group 1
  2  Diffie-Hellman group 2
  5  Diffie-Hellman group 5
  7  Diffie-Hellman group 7 (DEPRECATED)

 

 

asa(config)# crypto ikev2 policy 10
asa(config-ikev2-policy)# encryption ?

ikev2-policy mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

asa(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

asa(config-ikev2-policy)# group ?

ikev2-policy mode commands/options:
  1   Diffie-Hellman group 1
  14  Diffie-Hellman group 14
  19  Diffie-Hellman group 19
  2   Diffie-Hellman group 2
  20  Diffie-Hellman group 20
  21  Diffie-Hellman group 21
  24  Diffie-Hellman group 24
  5   Diffie-Hellman group 5

asa(config-ikev2-policy)# prf ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

 

 

asa(config)# cry ipsec ikev1 transform-set TEST ?

configure mode commands/options:
  esp-3des      esp 3des encryption
  esp-aes       esp aes 128 encryption
  esp-aes-192   esp aes 192 encryption
  esp-aes-256   esp aes 256 encryption
  esp-des       esp des encryption
  esp-md5-hmac  esp md5 authentication
  esp-none      esp no authentication
  esp-null      esp null encryption
  esp-sha-hmac  esp sha authentication

 


asa(config)# crypto ipsec ikev2 ipsec-proposal TEST
asa(config-ipsec-proposal)# protocol esp encryption ?

ipsec-proposal mode commands/options:
  3des     3des encryption
  aes      aes encryption
  aes-192  aes-192 encryption
  aes-256  aes-256 encryption
  des      des encryption
  null     null encryption

asa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Hi, Thanks for the reply.That

Hi, Thanks for the reply.

That is the same encryption algorithms that I am seeing on my device.

It looks as though the actual next generation encryption algorithms are not available on the 5505, but there is the option for a higher DH group to be set and some SHA-2 support

I have just scoured the release notes and there is a one liner:

  • AES-GCM/GMAC support (128-, 192-, and 256-bit keys)
  • blah blah blah

 Hardware supported only on multi-core platforms

I guess this rules out the 5505 :-)

Cisco could have make it a bit clearer...

3975
Views
0
Helpful
2
Replies