Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
38659
Views
21
Helpful
4
Replies

Is AES-256-CBC the same as AES-256-SHA?

Go to solution
Dean Romanelli
Level 4
Level 4

‎01-24-2019 11:25 AM - edited ‎02-21-2020 08:42 AM

Trying to VPN peer an ASA 5505 to a 3rd party's Palo Alto.  The only IKE/IPSec options they have are CBC and GCM.  Are either of those the same as the AES256-SHA that the ASA's support or am I out of luck? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎01-24-2019 11:39 AM

Hi Dean,
AES-CBC is an encryption algorithm, whereas SHA is a hashing algorithm, they are seperate algorithms. AES-GCM algorithm performs both encryption and hashing functions without requiring a seperate hashing algorithm, it is the latest Suite B Next Generation algorithm and probably not supported on as ASA 5505.

So on the ASA you'd define the encryption as AES-CBC 128|192|256 and then hashing as SHA 128|192|256, that should work fine with the PA firewall.

Example:-

crypto ikev1 policy 10
encryption aes-256
hash sha

crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac

HTH

View solution in original post

4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎01-24-2019 11:39 AM

Hi Dean,
AES-CBC is an encryption algorithm, whereas SHA is a hashing algorithm, they are seperate algorithms. AES-GCM algorithm performs both encryption and hashing functions without requiring a seperate hashing algorithm, it is the latest Suite B Next Generation algorithm and probably not supported on as ASA 5505.

So on the ASA you'd define the encryption as AES-CBC 128|192|256 and then hashing as SHA 128|192|256, that should work fine with the PA firewall.

Example:-

crypto ikev1 policy 10
encryption aes-256
hash sha

crypto ipsec ikev1 transform-set VPN-TRANSFORM esp-aes-256 esp-sha-hmac

HTH

Go to solution
Dean Romanelli
Level 4
Level 4
In response to Rob Ingram

‎01-24-2019 11:58 AM

Hi,

 

Thanks for replying. So basically I would just configure the ASA the same way I always have and not worry about the CBC verbiage right? The thing that's throwing me off is on the Palo it is called "AES-256-CBC," whereas on the ASA it is not called "CBC" anywhere. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Dean Romanelli

‎01-24-2019 12:05 PM

Hi, on the ASA it doesn't explictly state it's AES-CBC but it is.

HTH

Go to solution
mforbes
Level 1
Level 1
In response to Rob Ingram

‎06-20-2024 07:52 PM

Is there Cisco doc reference that specifies that?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card