topic Re: Cipher Related Issues in Network Security

Cipher Related Issues

edwinjosey — Thu, 24 Aug 2023 17:21:26 GMT

Hi,

This is my first post on this forum. Actually, I'm having trouble upgrading to the latest Cisco firmware in a site-to-site VPN.
The ciphers used in the current version do not work in the upgraded version, so I want to know which ciphers will work and which will be deprecated or eliminated in the newer version before patching it to the new version. Otherwise, the vpn tunnel will go down after patching, so please direct me to where I can find all the details about this.

Re: Cipher Related Issues

Rob Ingram — Thu, 24 Aug 2023 17:28:01 GMT

@edwinjosey the weak ciphers were depreciated from 9.13 and removed in subsequent releases and are detailed in the release notes https://www.cisco.com/c/en/us/td/docs/security/asa/asa913/release/notes/asarn913.html

Re: Cipher Related Issues

edwinjosey — Thu, 24 Aug 2023 21:33:30 GMT

Thank you, Rob; your assistance was really appreciated. But I have a few more questions. If ciphers are deprecated in a newer version and we are utilizing that cipher in our present setup, we must modify it before patching. How to choose the appropriate security cipher to use for Firewalls in order to replace the previous deprecated one. For Example: Model: Cisco ASA 5525x
Current Version: 9.8(4)29
Recommended Version: 9.16(4)14

ssh key-exchange group dh-group1-sha1 will change to ssh key-exchange group group14-sha1 automatically by updating to version 9.16.

Re: Cipher Related Issues

Rob Ingram — Fri, 25 Aug 2023 07:12:35 GMT

@edwinjosey in regard to VPN ciphers, you should be fine using AES (GCM or CBC), SHA (2 preferred), DH group 19, 20 or 21. You should change the VPN configuration before migration to avoid post upgrade issues.

Cisco Next Generation Encryption recommendations - https://sec.cloudapps.cisco.com/security/center/resources/next_generation_cryptography

Re: Cipher Related Issues

edwinjosey — Thu, 31 Aug 2023 16:09:54 GMT

Dear Rob,

Thank you for your help. But in my scenario some of the deprecated ciphers are not mentioned in your link. so leaving you with my current details of my firewall.

Match Found: crypto map outside_map0 3 set pfs group5 at line 2258

Match With: group5

Match Found: crypto map outside_map0 3 set pfs group5 at line 2258

Match With: set pfs group5

Match Found: crypto ikev2 policy 2 at line 2316

Match With: crypto ikev2 policy

Match Found: group 5 at line 2319

Match With: group 5

Match Found: crypto ikev1 policy 10 at line 2324