topic Hi Karsten, in Network Security

Migration from sha1 to sha2

Mady — Tue, 12 Mar 2019 07:10:47 GMT

Hi Team,

Can you help me on migrating my asa from sha1 to sha2? What should be the requirement before I do that and also the method for migration.

Thank you very much.

Regards,

Mady

For which function of the ASA

Karsten Iwen — Sat, 23 Jan 2016 13:54:01 GMT

For which function of the ASA do you want to migrate?
Which device and version are you using? Not all devices support SHA2 for all functionality.

Hi Karsten,

Mady — Sat, 23 Jan 2016 23:07:59 GMT

Hi Karsten,

We want to migrate our site-to-site VPN. We have Cisco ASA 5525 with 8.6.1 version.

Regards,

Mady

ASA5525 supports SHA2, but I

Karsten Iwen — Sun, 24 Jan 2016 11:59:05 GMT

ASA5525 supports SHA2, but I don't remember if it was supported from day one. But 8.6 is EOL anyway.

I would upgrade to the newest 9.2 or even better to the newest 9.4 where SHA2 is available.

But you don't have to stop with SHA2, the 5525 also supports Next-generation crypto like esp-gcm which you can use for your VPNs (if your peers support that).

Edit: Forgot to mention that SHA2 on the ASA is only available when you use IKEv2, not with IKEv1.

Hi Karsten,

Mady — Mon, 25 Jan 2016 06:27:50 GMT

Hi Karsten,

Does ASA5580 also support sha256?

Thank you very much.

Regards,

Mady

hi,

johnlloyd_13 — Mon, 25 Jan 2016 06:53:41 GMT

hi,

as karsten mentioned SHA256 is available on IKEv2. if your 5580 image is 8.4 or above, then it's supported.

see helpful link:

http://ccnpsecuritywannabe.blogspot.com/2014/08/ikev2-ipsec-site-to-site-vpns.html

Hi johnlloyd_13,

Mady — Mon, 25 Jan 2016 06:58:45 GMT

Hi johnlloyd_13,

I'm just confuse on below statement.

Currently Sha256 is supported in newer ASA platforms (X-Gen Firewalls) like 5585. It is not supported in 5505, 5510, 5520, 5540 and 5550, platforms. Please check the below link.

From ASA IPsec and Isakmp release notes.

"SHA-256 can be used for integrity and PRF to establish IKEv2 tunnels, but it can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html#pgfId-1042794

https://tools.cisco.com/bugsearch/bug/CSCus79188/?reffering_site=dumpcr

hi,

johnlloyd_13 — Mon, 25 Jan 2016 07:23:10 GMT

hi,

some cisco docs could be inaccurate.

i'm running ASA version 9.x on some of my 5505 and 5510 and could see an option for IKEv2.

Cisco Adaptive Security Appliance Software Version 9.0(4)
Device Manager Version 7.5(1)

Compiled on Wed 04-Dec-13 08:33 by builders
System image file is "disk0:/asa904-k8.bin"
Config file at boot was "startup-config"

5510 up 96 days 7 hours

Hardware:   ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB

5510(config)# crypto ipsec ?

configure mode commands/options:
df-bit                Set IPsec DF policy
fragmentation         Set IPsec fragmentation policy
ikev1                 Set IKEv1 settings
ikev2                 Set IKEv2 settings
security-association Set security association parameters

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.08

Cisco Adaptive Security Appliance Software Version 9.0(1)

5505(config)# crypto ?

configure mode commands/options:
ca           Certification authority
dynamic-map Configure a dynamic crypto map
ikev1        Configure IKEv1 policy
ikev2        Configure IKEv2 policy
ipsec        Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp       Configure ISAKMP
key          Long term key operations
map          Configure a crypto map

IKEv2 is available on all

Karsten Iwen — Mon, 25 Jan 2016 07:46:02 GMT

IKEv2 is available on all ASAs, but using better crypto than sha1 isn't. For that you need one of the newer -X ASAs.

I never used a 5580, but I assume that SHA2 is only available for session-establishment, but not for ESP.