topic Is AES-256-CBC the same as AES-256-SHA? in Network Security

Is AES-256-CBC the same as AES-256-SHA?

Dean Romanelli — Fri, 21 Feb 2020 16:42:12 GMT

Trying to VPN peer an ASA 5505 to a 3rd party's Palo Alto. The only IKE/IPSec options they have are CBC and GCM. Are either of those the same as the AES256-SHA that the ASA's support or am I out of luck?

Re: Is AES-256-CBC the same as AES-256-SHA?

Rob Ingram — Thu, 24 Jan 2019 19:39:03 GMT

Hi Dean,
AES-CBC is an encryption algorithm, whereas SHA is a hashing algorithm, they are seperate algorithms. AES-GCM algorithm performs both encryption and hashing functions without requiring a seperate hashing algorithm, it is the latest Suite B Next Generation algorithm and probably not supported on as ASA 5505.

So on the ASA you'd define the encryption as AES-CBC 128|192|256 and then hashing as SHA 128|192|256, that should work fine with the PA firewall.

Example:-

crypto ikev1 policy 10
encryption aes-256
hash sha

crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac

HTH

Re: Is AES-256-CBC the same as AES-256-SHA?

Dean Romanelli — Thu, 24 Jan 2019 19:58:17 GMT

Hi,

Thanks for replying. So basically I would just configure the ASA the same way I always have and not worry about the CBC verbiage right? The thing that's throwing me off is on the Palo it is called "AES-256-CBC," whereas on the ASA it is not called "CBC" anywhere.

Re: Is AES-256-CBC the same as AES-256-SHA?

Rob Ingram — Thu, 24 Jan 2019 20:05:22 GMT

Hi, on the ASA it doesn't explictly state it's AES-CBC but it is.

HTH

Re: Is AES-256-CBC the same as AES-256-SHA?

mforbes — Fri, 21 Jun 2024 02:52:00 GMT

Is there Cisco doc reference that specifies that?