Cisco ASA 5525 - Key exchange algorithms

RS19
Level 4

Hi

This is regarding Cisco ASA 5525. I have 2 firewalls with IOS version 9.4(4)22 & 9.8(4)20.

In these firewalls I wanted to check if they can support any of the below.

  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group16-sha512
  • diffie-hellman-group18-sha512
  • diffie-hellman-group14-sha256

My understanding is that by default sha1 is supported. I wanted to know whether, along with sha1, any one of the above can be supported.
Pls let me know. I don't want to replace sha1 but wanted to have both.

@RS19 according to the docs support for DH group 14 was added in 8.4/9.1(2) - so your ASA versions should at least support DH group 14 for SSH.

[attached image: RobIngram_0-1706786220057.png]

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.html?bookSearch=true

But will it be only SHA1, or can it support SHA256 & 512?

@RS19 from the ASA 9.8 guide above, it looks like only DH group 14 SHA1

[attached image: RobIngram_0-1706788680008.png]

If you want DH group 14 SHA256 then you would need to upgrade. Your ASA 5525 supports up to 9.14 (nothing newer), which does support DH group 14 SHA256. https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/admin-management.html
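The question in this thread is which key-exchange names a given ASA actually offers on its SSH port, and whether a client restricted to the four SHA-2 names listed above would still be able to connect. The script below is an added example (not code from the thread, from Cisco, or from any ASA release); it builds and parses SSH_MSG_KEXINIT payloads as laid out in RFC 4253 section 7.1 and applies the RFC's negotiation rule (first algorithm on the client list that the server also offers wins). The two server packets are constructed for illustration: one carries only `diffie-hellman-group14-sha1`, as the thread says a 9.8 ASA offers, the other adds `diffie-hellman-group14-sha256`, which the thread says arrives with 9.14. Host-key, cipher and MAC names in those packets are placeholders, not the device's real proposal.

```python
"""Parse SSH_MSG_KEXINIT (RFC 4253 7.1) and report which key-exchange
algorithms a server offers and whether a restricted client would negotiate.
Added example; the packets below are constructed, not captured from an ASA."""
import struct

SSH_MSG_KEXINIT = 20

# Key-exchange names the original poster asked about.
WANTED_KEX = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
    "diffie-hellman-group14-sha256",
]

# The ten name-lists that follow the cookie, in wire order.
_NAME_LIST_FIELDS = [
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_c2s", "encryption_algorithms_s2c",
    "mac_algorithms_c2s", "mac_algorithms_s2c",
    "compression_algorithms_c2s", "compression_algorithms_s2c",
    "languages_c2s", "languages_s2c",
]


def _encode_name_list(names):
    """RFC 4251 name-list: uint32 length followed by comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp=("none",)):
    """Build a KEXINIT payload (the bytes after the binary-packet framing)."""
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16   # cookie; zeros only because constructed
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, (), ()):
        body += _encode_name_list(names)
    body += b"\x00"                                  # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)                     # reserved, must be 0
    return body


def _decode_name_list(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated name-list")
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n


def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict; raises ValueError on malformed input."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 1 + 16                                     # message id + 16-byte cookie
    out = {}
    for field in _NAME_LIST_FIELDS:
        out[field], off = _decode_name_list(payload, off)
    out["first_kex_packet_follows"] = bool(payload[off])
    off += 1
    (out["reserved"],) = struct.unpack_from(">I", payload, off)
    return out


def negotiate_kex(client_kex, server_kex):
    """RFC 4253 7.1: first client algorithm also present on the server list.
    None means the key exchange would fail to negotiate."""
    for name in client_kex:
        if name in server_kex:
            return name
    return None


def assess_server(payload, client_kex=WANTED_KEX):
    """Summarise what the server offers and what a client limited to
    client_kex would end up using."""
    kex = parse_kexinit(payload)["kex_algorithms"]
    return {
        "offered": kex,
        "sha1_only": all(name.endswith("-sha1") for name in kex),
        "wanted_offered": [n for n in WANTED_KEX if n in kex],
        "chosen": negotiate_kex(client_kex, kex),
    }


# Constructed server proposals (placeholders for host-key/cipher/MAC names).
ASA_98_LIKE = build_kexinit(
    ["diffie-hellman-group14-sha1"],
    ["ssh-rsa"], ["aes256-ctr"], ["hmac-sha1"])
ASA_914_LIKE = build_kexinit(
    ["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    ["ssh-rsa"], ["aes256-ctr"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for label, pkt in (("9.8-like", ASA_98_LIKE), ("9.14-like", ASA_914_LIKE)):
        print(label, assess_server(pkt))
```

Against the 9.8-like proposal a client that only allows the four names from the question gets no common algorithm and the connection fails at key exchange; against the 9.14-like proposal it settles on `diffie-hellman-group14-sha256`. To feed the script a real proposal instead of a constructed one, the server's KEXINIT name-lists can be read from an OpenSSH client's `ssh -vv` output ("peer server KEXINIT proposal") or from a packet capture of the unencrypted KEXINIT exchange.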

This key exchange is used for VPN or SSH?
MHM

RS19
Level 4

for SSH

RS19
Level 4

It is for SSH. If it is for SSH, is there any difference?

@RS19 the DH group information supported by the ASA version is for SSH/ssh (no difference).

Or did you mean VPN? For the DH group used for VPNs, the command syntax is completely different from your example.

It is for SSH

Hello Rob,

My ASA 5515-X is on version 9.12, yet in crypto ikev1 I only have DH groups 2, 5 and 7. My other firewall does not support these and hence I am unable to configure a site-to-site VPN. Any idea which version should I install on the 5515-X to have DH group 14?

Thanks in advance. 

@engineer467 I assume the other ASAs are running 9.13 or newer, as weak crypto was deprecated in 9.13, which is why they do not support it. Version 9.12 appears to be the latest version available for the 5515-X, so you cannot upgrade.

I would recommend replacing the 5515-X hardware to ensure you have support for the latest crypto, the Firepower 1000 series would be similar performance to the 5515-X. https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html

engineer467
Level 1

Got it. Thanks so much for your reply. I was checking other options today and saw that DH group 14 is supported in IKEv2. I think I will try to set up the tunnel using IKEv2 and see if that works.
