09-28-2022 04:50 AM
Hi
Could someone please help me with IKEV1 supported ASA versions? I mean the most recent version that will support IKEV1.
Thanks
Nik
09-28-2022 04:52 AM
I think all ASA ver. support IKEv1
09-28-2022 04:54 AM
@NIKHIL M K IKEv1 is the older IKE protocol, but it's supported on the really old ASA versions up to the current latest versions. It's not yet deprecated.
IKEv1 does not support the latest Next Generation Encryption algorithms, if you want those you'll need to use IKEv2.
09-28-2022 05:27 AM - edited 09-28-2022 05:35 AM
Yes, IKEv1 is supported, but stay away from DH groups 1, 2, 5 and 24; they are deprecated. The industry uses DH groups 19, 20 and 21.
I would highly recommend you use IKEv2, as it is more secure and scalable.
For your reference, look at the provided document.
09-29-2022 05:53 AM - edited 09-29-2022 05:55 AM
Confirming that all ASA versions as of this writing support IKEv1. Older ciphers, hashes and DH groups were deprecated beginning in ASA 9.13 as listed below. 9.15 was the release that removed support altogether for those:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa915/release/notes/asarn915.html
From the 9.13 release notes:
Low-Security Cipher Deprecation— Several encryption ciphers used by the ASA IKE, IPsec, and SSH modules are considered insecure and have been deprecated. They will be removed in a later release.
IKEv1: The following subcommands are deprecated:
crypto ikev1 policy priority:
hash md5
encryption 3des
encryption des
group 2
group 5
IKEv2: The following subcommands are deprecated:
crypto ikev2 policy priority
integrity md5
prf md5
group 2
group 5
group 24
encryption 3des
encryption des (this command is still available when you have the DES encryption license only)
encryption null
IPsec: The following commands are deprecated:
crypto ipsec ikev1 transform-set name esp-3des esp-des esp-md5-hmac
crypto ipsec ikev2 ipsec-proposal name
protocol esp integrity md5
protocol esp encryption 3des aes-gmac aes-gmac-192 aes-gmac-256 des
crypto ipsec profile name
set pfs group2 group5 group24
SSH: The following commands are deprecated:
ssh cipher integrity custom hmac-sha1-96:hmac-md5:hmac-md5-96
ssh key-exchange group dh-group1-sha1
SSL: The following commands are deprecated:
ssl dh-group group2
ssl dh-group group5
ssl dh-group group24
Crypto Map: The following commands are deprecated:
crypto map name sequence set pfs group2
crypto map name sequence set pfs group5
crypto map name sequence set pfs group24
crypto map name sequence set ikev1 phase1-mode aggressive group2
crypto map name sequence set ikev1 phase1-mode aggressive group5
In 9.13(1), Diffie-Hellman Group 14 is now the default for the group command under crypto ikev1 policy, ssl dh-group, and crypto ikev2 policy for IPsec PFS using crypto map set pfs, crypto ipsec profile, crypto dynamic-map set pfs, and crypto map set ikev1 phase1-mode. The former default Diffie-Hellman group was Group 2.
When you upgrade from a pre-9.13(1) release, if you need to use the old default (Diffie-Hellman Group 2), then you must manually configure the DH group as group 2 or else your tunnels will default to Group 14. Because group 2 will be removed in a future release, you should move your tunnels to group 14 as soon as possible.
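Before upgrading past 9.13 it is worth checking a running-config for the deprecated items in the list above, including IKE policies that never set a group and so silently relied on the old Group 2 default. The following Python script is an added example written for this thread; it is not Cisco's code and not from any of the posts. It assumes the input is a `show running-config` excerpt with ASA's single-space sub-command indentation, and the sample config embedded in it is constructed, not taken from a real device.

```python
"""Audit an ASA running-config for crypto settings deprecated in 9.13 and removed in 9.15."""
import re
from dataclasses import dataclass
from typing import Optional

# Deprecation list reproduced from the 9.13 release-note excerpt quoted in the thread.
WEAK_IKE_GROUPS = {"2", "5", "24"}
WEAK_PFS_GROUPS = {"group2", "group5", "group24"}
WEAK_IKE_CIPHERS = {"des", "3des", "null"}
WEAK_ESP_CIPHERS = {"des", "3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}
WEAK_SSH_INTEGRITY = {"hmac-sha1-96", "hmac-md5", "hmac-md5-96"}
# Multi-line blocks whose indented sub-commands carry the settings we care about.
BLOCK_RE = re.compile(r"^(crypto ikev[12] policy \d+|crypto ipsec ikev2 ipsec-proposal \S+)$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    context: str   # enclosing block, or "global" for single-line commands
    text: str      # offending command text
    reason: str


def _check_block_line(words: list) -> Optional[str]:
    """Sub-command inside an ikev1/ikev2 policy or an ikev2 ipsec-proposal."""
    if words[0] in ("hash", "integrity", "prf") and "md5" in words[1:]:
        return "MD5 hash/integrity/PRF"
    if words[0] == "encryption" and WEAK_IKE_CIPHERS & set(words[1:]):
        return "DES/3DES/NULL encryption"
    if words[0] == "group" and WEAK_IKE_GROUPS & set(words[1:]):
        return "DH group 2/5/24"
    if words[:2] == ["protocol", "esp"] and len(words) >= 4:
        if words[2:4] == ["integrity", "md5"]:
            return "ESP MD5 integrity"
        if words[2] == "encryption" and WEAK_ESP_CIPHERS & set(words[3:]):
            return "ESP DES/3DES/AES-GMAC"
    return None


def _check_global_line(words: list) -> Optional[str]:
    """Single-line global commands: transform-sets, crypto maps, SSL and SSH settings."""
    if words[:3] == ["crypto", "ipsec", "ikev1"] and "transform-set" in words \
            and WEAK_TRANSFORMS & set(words):
        return "DES/3DES/MD5 transform-set"
    if len(words) > 2 and words[0] == "crypto" and words[1] in ("map", "dynamic-map") \
            and "set" in words:
        tail = set(words[words.index("set") + 1:])
        if "pfs" in tail and WEAK_PFS_GROUPS & tail:
            return "PFS DH group 2/5/24"
        if "aggressive" in tail and WEAK_PFS_GROUPS & tail:
            return "aggressive-mode DH group 2/5"
    if words[:2] == ["ssl", "dh-group"] and WEAK_PFS_GROUPS & set(words[2:]):
        return "SSL DH group 2/5/24"
    if words[:3] == ["ssh", "key-exchange", "group"] and "dh-group1-sha1" in words:
        return "SSH DH group 1"
    if words[:4] == ["ssh", "cipher", "integrity", "custom"] \
            and WEAK_SSH_INTEGRITY & set(":".join(words[4:]).split(":")):
        return "SSH MD5/SHA1-96 integrity"
    return None


def audit_asa_config(config: str) -> list:
    """Return every deprecated setting found, in config order."""
    findings = []
    block: Optional[str] = None   # header line of the block currently open
    block_line = 0
    block_has_group = False

    def close_block() -> None:
        # An IKE policy without a "group" line inherits the default: Group 2 before
        # 9.13(1), Group 14 from 9.13(1) on. Flag it so the choice becomes explicit.
        if block and "policy" in block and not block_has_group:
            findings.append(Finding(block_line, block, "(no group line)",
                                    "implicit default DH group (Group 2 on pre-9.13(1) images)"))

    for n, raw in enumerate(config.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        words = raw.split()
        if raw.startswith(" "):                 # sub-command of the open block
            if block is None:
                continue
            if words[0] == "group":
                block_has_group = True
            reason = _check_block_line(words)
            if reason:
                findings.append(Finding(n, block, raw.strip(), reason))
            continue
        close_block()
        block, block_has_group = None, False
        if BLOCK_RE.match(raw):
            block, block_line = raw, n
            continue
        reason = _check_global_line(words)
        if reason:
            findings.append(Finding(n, "global", raw.strip(), reason))
    close_block()
    return findings


# Constructed sample running-config excerpt (hypothetical; not from any real device).
SAMPLE_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-gcm-256
 integrity null
 group 21 19
 prf sha512
 lifetime seconds 86400
crypto ipsec ikev1 transform-set LEGACY esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set MODERN esp-aes-256 esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal OLD
 protocol esp encryption 3des
 protocol esp integrity md5
crypto map OUTSIDE 10 set pfs group5
crypto map OUTSIDE 10 set ikev1 phase1-mode aggressive group2
crypto map OUTSIDE 20 set pfs group14
ssl dh-group group2
ssh key-exchange group dh-group1-sha1
"""


def report(config: str = SAMPLE_CONFIG) -> list:
    return [f"line {f.line_no} [{f.context}] {f.text}: {f.reason}"
            for f in audit_asa_config(config)]


if __name__ == "__main__":
    print("\n".join(report()))
```

On the sample above the script flags policy 10 three times (3DES, MD5, group 2), policy 20 once for having no group line, and then the legacy transform-set, both lines of the old ikev2 proposal, the two crypto-map PFS/aggressive-mode groups, the SSL DH group and the SSH key-exchange group; policy 30, the ikev2 policy using groups 19/21 and the group14 crypto map entry pass untouched. Run it against a saved `show running-config` to get the list of lines to rewrite before moving to 9.15.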