IKEV1 supported ASA version

NIKHIL M K — Wed, 28 Sep 2022 11:50:44 GMT

Could someone please help me with IKEV1 supported ASA versions? I mean the most recent version that will support IKEV1.

Thanks

Nik

Re: IKEV1 supported ASA version

MHM Cisco World — Wed, 28 Sep 2022 11:52:33 GMT

I think all ASA ver. support IKEv1

Re: IKEV1 supported ASA version

Rob Ingram — Wed, 28 Sep 2022 11:54:41 GMT

@NIKHIL M K IKEv1 the older IKE protocol, but it's supported on the really old ASA versions up to the current latest versions. It's not yet depreciated.

IKEv1 does not support the latest Next Generation Encryption algorithms, if you want those you'll need to use IKEv2.

Re: IKEV1 supported ASA version

Sheraz.Salim — Wed, 28 Sep 2022 12:35:07 GMT

yes it is supported IKEV1 but stay away from the DH group 1,2,5,24. they are gone depreciated. the industry use are 19,20,21 DH group.

would highly recommand you to use the IKEV2 as it more secure and scalable.

Here for your reference look on provided document.

Re: IKEV1 supported ASA version

Marvin Rhoads — Thu, 29 Sep 2022 12:55:23 GMT

Confirming that all ASA versions as of this writing support IKEv1. Older ciphers, hashes and DH groups were deprecated beginning in ASA 9.13 as listed below. 9.15 was the release that removed support altogether for those:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html

From the 9.13 release notes:

Low-Security Cipher Deprecation— Several encryption ciphers used by the ASA IKE, IPsec, and SSH modules are considered insecure and have been deprecated. They will be removed in a later release.

IKEv1: The following subcommands are deprecated:
- crypto ikev1 policy priority:
  - hash md5
  - encryption 3des
  - encryption des
  - group 2
  - group 5
IKEv2: The following subcommands are deprecated:
- crypto ikev2 policy priority
  - integrity md5
  - prf md5
  - group 2
  - group 5
  - group 24
  - encryption 3des
  - encryption des (this command is still available when you have the DES encryption license only)
  - encryption null
IPsec: The following commands are deprecated:
- crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac
- crypto ipsec ikev2 ipsec-proposal name
  - protocol esp integrity md5
  - protocol esp encryption 3des aes-gmac aes-gmac- 192 aes-gmac -256 des
- crypto ipsec profile name
  - set pfs group2 group5 group24
SSH: The following commands are deprecated:
- ssh cipher integrity custom hmac-sha1-96:hmac-md5: hmac-md5-96
- ssh key-exchange group dh-group1-sha1
SSL: The following commands are deprecated:
- ssl dh-group group2
- ssl dh-group group5
- ssl dh-group group24
Crypto Map: The following commands are deprecated:
- crypto map name sequence set pfs group2
- crypto map name sequence set pfs group5
- crypto map name sequence set pfs group24
- crypto map name sequence set ikev1 phase1-mode aggressive group2
- crypto map name sequence set ikev1 phase1-mode aggressive group5
In 9.13(1), Diffie-Hellman Group 14 is now the default for the group command under crypto ikev1 policy , ssl dh-group , and crypto ikev2 policy for IPsec PFS using crypto map set pfs , crypto ipsec profile , crypto dynamic-map set pfs , and crypto map set ikev1 phase1-mode . The former default Diffie-Hellman group was Group 2.

When you upgrade from a pre-9.13(1) release, if you need to use the old default (Diffie-Hellman Group 2), then you must manually configure the DH group as group 2 or else your tunnels will default to Group 14. Because group 2 will be removed in a future release, you should move your tunnels to group 14 as soon as possible.

topic IKEV1 supported ASA version in Network Security

IKEV1 supported ASA version

Re: IKEV1 supported ASA version

Re: IKEV1 supported ASA version

Re: IKEV1 supported ASA version

Re: IKEV1 supported ASA version