https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051818#M1068183 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;Whatever is part of the Suite B (Next Generation Algorithms), including what you're asking for, is only supported on the ASA for IPsec tunnels build over IKEv2, so not for IPsec tunnel over IKEv1. With IKEv2 IPsec tunnels, you can use the Suite B algorithms for both the IKEv2 and IPsec tunnel (or only for one, you choose), while with IKEv1 IPsec tunnels, you can't use Suite B algorithms for IKEv1 or IPsec tunnel.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Wed, 25 Mar 2020 07:33:30 GMT Cristian Matei 2020-03-25T07:33:30Z https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051766#M1068175 <P>How can I tell if may ASA 5525-X supports the following:</P><P>hmac-sha2-256<BR />hmac-sha2-384<BR />hmac-sha2-512<BR />and if it does how do I enable it. My software ver is :</P><P>&nbsp;</P><P>Cisco Adaptive Security Appliance Software Version 9.7(1)24</P> Wed, 25 Mar 2020 03:06:24 GMT https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051766#M1068175 bruce.thornton 2020-03-25T03:06:24Z https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051777#M1068177 <P>For IKEv2 you can configure the HMAC-SHA2 variants:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/vpn/asa-913-vpn-config/vpn-ike.html#ID-2441-000005d2" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/configuration/vpn/asa-913-vpn-config/vpn-ike.html#ID-2441-000005d2</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175641" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175641</A></P> <P>IKEv1 is limited to SHA/HMAC-160 (or MD5/HMAC-128)</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c5.html#pgfId-2607523" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/c5.html#pgfId-2607523</A></P> Wed, 25 Mar 2020 04:02:26 GMT https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051777#M1068177 Marvin Rhoads 2020-03-25T04:02:26Z https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051818#M1068183 <P>Hi,</P><P>&nbsp;</P><P>&nbsp; &nbsp;Whatever is part of the Suite B (Next Generation Algorithms), including what you're asking for, is only supported on the ASA for IPsec tunnels build over IKEv2, so not for IPsec tunnel over IKEv1. With IKEv2 IPsec tunnels, you can use the Suite B algorithms for both the IKEv2 and IPsec tunnel (or only for one, you choose), while with IKEv1 IPsec tunnels, you can't use Suite B algorithms for IKEv1 or IPsec tunnel.</P><P>&nbsp;</P><P>Regards,</P><P>Cristian Matei.</P> Wed, 25 Mar 2020 07:33:30 GMT https://community.cisco.com/t5/network-security/hmac-support-on-asa/m-p/4051818#M1068183 Cristian Matei 2020-03-25T07:33:30Z