Community Member

asa 5510 ipsec proposal sha256

Hi, we have a 5510 ASA with 9.1(3) firmware and a Security Plus license.

I can't configure SHA256 in the IPsec proposal. Is there any reason for that?

The only two options are MD5 and SHA1:

asa(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1

asa(config-ipsec-proposal)# protocol esp integrity

Community Member

Re: asa 5510 ipsec proposal sha256

Just to be clear, we are talking about IKEv2. Here is the error message:

IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies: 
Proposal 1:  AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies: 
Proposal 1:  AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
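One way to pin down which part of the proposal the ASA is rejecting, as an added example that is not from this thread: a small Python parser that reads debug lines in the format quoted above and reports the fields where the received proposal differs from the closest expected one. The field order of a proposal line (encryption, integrity, PRF, DH group) is an assumption about the debug output, and the sample log is constructed from the lines quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, modelled on the IKEv2 debug lines quoted in the thread.
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies:
Proposal 1:  AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies:
Proposal 1:  AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
"""

# Assumed field order on a "Proposal N:" line: encryption, integrity, PRF, DH group.
FIELDS = ("encryption", "integrity", "prf", "dh_group")
PROPOSAL_RE = re.compile(r"^Proposal\s+(\d+):\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_policies(debug: str) -> Dict[str, List[Dict[str, str]]]:
    """Group proposal lines under the 'Received'/'Expected' header that precedes them."""
    sections: Dict[str, List[Dict[str, str]]] = {"received": [], "expected": []}
    current = None
    for line in debug.splitlines():
        if "Received Policies" in line:
            current = "received"
        elif "Expected Policies" in line:
            current = "expected"
        elif current:
            m = PROPOSAL_RE.match(line.strip())
            if m:
                # Drop the proposal number (group 1) and name the remaining four fields.
                sections[current].append(dict(zip(FIELDS, m.groups()[1:])))
    return sections


def policy_mismatches(debug: str) -> List[Dict[str, Tuple[str, str]]]:
    """For each received proposal that no expected proposal matches exactly, return the
    differing fields against the closest expected proposal as field -> (received, expected)."""
    pol = parse_policies(debug)
    report: List[Dict[str, Tuple[str, str]]] = []
    for rx in pol["received"]:
        diffs = [{f: (rx[f], ex[f]) for f in FIELDS if rx[f] != ex[f]} for ex in pol["expected"]]
        if diffs and all(diffs):  # at least one expected proposal, none an exact match
            report.append(min(diffs, key=len))
    return report


if __name__ == "__main__":
    print(policy_mismatches(SAMPLE_DEBUG))  # [{'integrity': ('SHA256', 'SHA1')}]
```

For the sample above the only difference is the integrity field, which is exactly the SHA256-versus-SHA1 gap the thread is about.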

Community Member

Re: asa 5510 ipsec proposal sha256

Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure SHA256/SHA384/SHA512 or AES-GCM for IKEv2 proposals.

Is this true?

Community Member

I found this limitation listed in the Cisco documentation.

Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:

"... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."

Since Cisco has announced the end-of-life date for these older platforms, it may be a good time to evaluate migrating to the newer hardware. The standard SHA-1 is plenty of hash for the IPsec SAs for now, until the systems are replaced with the new gear.

Just for the archive:

The 5505 with 9.2 supports SHA-256, and the quote from the 9.1 guide is gone in 9.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-ike.html

Michael
Community Member


The following legacy models do not support ASA 9.2 (refer to the link at the bottom). That is why, in the 9.2 guide, the note "... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)." was removed. In other words, the following models do not support SHA-2 in IKEv1 or IPsec (but they do support SHA-2 in IKEv2).

 

ASA 5510, 5520, 5540

ASA 5550

ASA 5580

ASA 1000V


http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

Ben
Community Member

Your link (as of right now) says 9.2 is supported on the 5505, but SHA-2 for ESP integrity is not supported on the 5505, despite what half the documentation says. The 9.2 VPN CLI configuration guide page 1-31 says it should support it, while page 6-10 says it doesn't support it. SHA-1 it is then, it seems.
