Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
35201
Views
21
Helpful
3
Replies

Is AES-256-CBC the same as AES-256-SHA?

Go to solution
Dean Romanelli
Level 4
Level 4

‎01-24-2019 11:25 AM - edited ‎02-21-2020 08:42 AM

Trying to VPN peer an ASA 5505 to a 3rd party's Palo Alto.  The only IKE/IPSec options they have are CBC and GCM.  Are either of those the same as the AES256-SHA that the ASA's support or am I out of luck? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-24-2019 11:39 AM

Hi Dean,
AES-CBC is an encryption algorithm, whereas SHA is a hashing algorithm, they are seperate algorithms. AES-GCM algorithm performs both encryption and hashing functions without requiring a seperate hashing algorithm, it is the latest Suite B Next Generation algorithm and probably not supported on as ASA 5505.

So on the ASA you'd define the encryption as AES-CBC 128|192|256 and then hashing as SHA 128|192|256, that should work fine with the PA firewall.

Example:-

crypto ikev1 policy 10
encryption aes-256
hash sha

crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac

HTH

View solution in original post

3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎01-24-2019 11:39 AM

Hi Dean,
AES-CBC is an encryption algorithm, whereas SHA is a hashing algorithm, they are seperate algorithms. AES-GCM algorithm performs both encryption and hashing functions without requiring a seperate hashing algorithm, it is the latest Suite B Next Generation algorithm and probably not supported on as ASA 5505.

So on the ASA you'd define the encryption as AES-CBC 128|192|256 and then hashing as SHA 128|192|256, that should work fine with the PA firewall.

Example:-

crypto ikev1 policy 10
encryption aes-256
hash sha

crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac

HTH

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Rob Ingram

‎01-24-2019 11:58 AM

Hi,

 

Thanks for replying. So basically I would just configure the ASA the same way I always have and not worry about the CBC verbiage right? The thing that's throwing me off is on the Palo it is called "AES-256-CBC," whereas on the ASA it is not called "CBC" anywhere. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Dean Romanelli

‎01-24-2019 12:05 PM

Hi, on the ASA it doesn't explictly state it's AES-CBC but it is.

HTH
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card