09-08-2014 07:18 AM - edited 03-11-2019 09:43 PM
Hi All,
ASA version 9 now includes the next generation (suite B) for encryption.
I have found the following Q&A:
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
But I can't actually find a definitive list of what is actually available on the ASA 5505.
For example, could it run aes-gcm?
Any help/information would be greatly appreciated.
Thanks,
09-08-2014 07:55 AM
I do not have complete documentation on that, but at least the encryption is quite limited. Here is what my 5505 supports:
asa(config)# sh version
Cisco Adaptive Security Appliance Software Version 9.1(3)
asa(config)# crypto ikev1 policy 10
asa(config-ikev1-policy)# encryption ?
ikev1-policy mode commands/options:
3des 3des encryption
aes aes-128 encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
asa(config-ikev1-policy)# hash ?
ikev1-policy mode commands/options:
md5 set hash md5
sha set hash sha1
asa(config-ikev1-policy)# group ?
ikev1-policy mode commands/options:
1 Diffie-Hellman group 1
2 Diffie-Hellman group 2
5 Diffie-Hellman group 5
7 Diffie-Hellman group 7 (DEPRECATED)
asa(config)# crypto ikev2 policy 10
asa(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
asa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
asa(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
14 Diffie-Hellman group 14
19 Diffie-Hellman group 19
2 Diffie-Hellman group 2
20 Diffie-Hellman group 20
21 Diffie-Hellman group 21
24 Diffie-Hellman group 24
5 Diffie-Hellman group 5
asa(config-ikev2-policy)# prf ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
asa(config)# cry ipsec ikev1 transform-set TEST ?
configure mode commands/options:
esp-3des esp 3des encryption
esp-aes esp aes 128 encryption
esp-aes-192 esp aes 192 encryption
esp-aes-256 esp aes 256 encryption
esp-des esp des encryption
esp-md5-hmac esp md5 authentication
esp-none esp no authentication
esp-null esp null encryption
esp-sha-hmac esp sha authentication
asa(config)# crypto ipsec ikev2 ipsec-proposal TEST
asa(config-ipsec-proposal)# protocol esp encryption ?
ipsec-proposal mode commands/options:
3des 3des encryption
aes aes encryption
aes-192 aes-192 encryption
aes-256 aes-256 encryption
des des encryption
null null encryption
asa(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
null set hash null
sha-1 set hash sha-1
09-08-2014 01:09 PM
Hi, Thanks for the reply.
Those are the same encryption algorithms that I am seeing on my device.
It looks as though the actual next generation encryption algorithms are not available on the 5505, but there is the option for a higher DH group to be set and some SHA-2 support.
I have just scoured the release notes and there is a one liner:
– Hardware supported only on multi-core platforms
I guess this rules out the 5505 :-)
Cisco could have made it a bit clearer...
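As an added example (not code from this thread or from Cisco), here is a small Python audit that parses captured ASA "<command> ?" help output like the listing above and reports, per policy section, which next generation (Suite B) keywords are offered and which legacy ones remain. The capture is a constructed subset of the 5505 output quoted above, and the AES-GCM keyword spellings in the NGE set are assumed.

```python
import re
# Constructed sample: a subset of the ASA 5505 (9.1(3)) "?" help output quoted in the thread.
CLI_CAPTURE = """\
asa(config-ikev2-policy)# encryption ?
ikev2-policy mode commands/options:
3des 3des encryption
aes aes encryption
des des encryption
asa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha256 set hash sha256
asa(config-ikev2-policy)# group ?
ikev2-policy mode commands/options:
1 Diffie-Hellman group 1
19 Diffie-Hellman group 19
asa(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
"""

# Keywords counted as next generation (Suite B) options; the AES-GCM spellings are assumed.
NGE = {"aes-gcm", "aes-gcm-192", "aes-gcm-256", "sha256", "sha384", "sha512", "19", "20", "21"}
# Legacy options a hardening baseline would not allow in a live policy.
LEGACY = {"des", "3des", "md5", "null", "1", "2", "5"}
# Matches a prompt such as "asa(config-ikev2-policy)# integrity ?" -> (mode, command).
PROMPT = re.compile(r"^\S+\((?:config-)?([\w-]+)\)# (.+?) \?$")

def parse_options(capture):
    """Return {"<mode> <command>": [keywords]} from captured "<command> ?" help output."""
    sections, current = {}, None
    for line in capture.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections[current] = []
        elif current and line.strip() and not line.endswith("commands/options:"):
            sections[current].append(line.split()[0])  # first token is the CLI keyword
    return sections

def audit(capture):
    """For each section, list the NGE keywords offered and the legacy ones still present."""
    return {name: {"nge": sorted(k for k in kws if k in NGE),
                   "legacy": sorted(k for k in kws if k in LEGACY)}
            for name, kws in parse_options(capture).items()}

def fully_supports_nge(capture):
    """True only when every policy section offers at least one NGE option."""
    return all(r["nge"] for r in audit(capture).values())
```

Run against a full capture of the platform's `?` listings, an empty "nge" list for the ESP integrity section is exactly what the thread's conclusion predicts for the 5505.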