UPDATE - sorry, I may be mistaken. I just tested in my lab and, as far as I can tell, my 3925E router doesn't support SHA256 MAC for SSH (either as client or server).
This is shown even in the latest command reference (for IOS through 15.5(2)).
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s6.html#wp3333084566
-m {hmac-md5-128 | hmac-md5-96 | hmac-sha1-160 | hmac-sha1-96}
(Optional) Specifies a Hashed Message Authentication Code (HMAC) algorithm.
- SSH Version 1 does not support HMACs.
- If you do not specify the -m keyword, the remote device sends all the supported HMAC algorithms during negotiation. If you specify the -m keyword and the server does not support the algorithm that you have shown (hmac-md5-128, hmac-md5-96, hmac-sha1-160, and hmac-sha1-96), the remote device closes the connection.
Check your RSA key. It may have been generated with a short (1024-bit) key length. Also check that your client software is both capable of and set to negotiate using the stronger algorithms.
Generally, most modern router IOS (i.e., 15.2 or later) can be configured to support strong hash algorithms (assuming you have the Universal crypto image loaded).
See the release notes here:
http://www.cisco.com/c/en/us/td/docs/ios/15_2m_and_t/release/notes/15_2m_and_t/152-4MNEWF.html#pgfId-83129
...and the configuration guide here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-deploy-rsa-pki.html#GUID-CADC5B64-EAD4-4D41-B852-DA8FE9B078AE
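Added example (not part of the original post or of Cisco's documentation): a parser for the SSH_MSG_KEXINIT name-lists (RFC 4253, section 7.1) showing why a client restricted to hmac-sha2-256 finds no common MAC with a device that offers only the MD5 and SHA-1 HMACs quoted above. The two peers are constructed sample data, and the mapping of the IOS keywords to the wire names hmac-md5, hmac-md5-96, hmac-sha1 and hmac-sha1-96 is an assumption.

```python
import struct

# Order of the ten name-lists in an SSH_MSG_KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20


def build_kexinit(**lists):
    """Build a KEXINIT payload (used here only to construct sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # message type + zeroed cookie
    for name in FIELDS:
        data = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Return {field: [algorithm names]} from a KEXINIT payload."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, result = 17, {}  # skip message type and 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        result[name] = raw.split(",") if raw else []
        pos += n
    return result


def negotiate_mac(client, server, direction="mac_c2s"):
    """First MAC on the client's list that the server also offers, else None."""
    return next((m for m in client[direction] if m in server[direction]), None)


# Constructed sample peers; wire names assumed for the IOS keywords quoted above.
LEGACY = ["hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"]
BOTH = ["hmac-sha2-256", "hmac-sha1"]
server = parse_kexinit(build_kexinit(mac_c2s=LEGACY, mac_s2c=LEGACY))
strict = parse_kexinit(build_kexinit(mac_c2s=["hmac-sha2-256"], mac_s2c=["hmac-sha2-256"]))
mixed = parse_kexinit(build_kexinit(mac_c2s=BOTH, mac_s2c=BOTH))

if __name__ == "__main__":
    print(negotiate_mac(strict, server), negotiate_mac(mixed, server))
```

A result of `None` corresponds to the "closes the connection" case in the reference text; a client that still lists hmac-sha1 as a fallback connects, but with the SHA-1 MAC rather than SHA-256.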