01-23-2016 02:55 AM - edited 03-12-2019 12:10 AM
Hi Team,
Can you help me with migrating my ASA from SHA1 to SHA2? What should the requirements be before I do that, and also the method for migration?
Thank you very much.
Regards,
Mady
01-23-2016 05:54 AM
01-23-2016 03:07 PM
Hi Karsten,
We want to migrate our site-to-site VPN. We have Cisco ASA 5525 with 8.6.1 version.
Regards,
Mady
01-24-2016 03:59 AM
ASA5525 supports SHA2, but I don't remember if it was supported from day one. But 8.6 is EOL anyway.
I would upgrade to the newest 9.2 or even better to the newest 9.4 where SHA2 is available.
But you don't have to stop with SHA2, the 5525 also supports Next-generation crypto like esp-gcm which you can use for your VPNs (if your peers support that).
Edit: Forgot to mention that SHA2 on the ASA is only available when you use IKEv2, not with IKEv1.
01-24-2016 10:27 PM
Hi Karsten,
Does ASA5580 also support sha256?
Thank you very much.
Regards,
Mady
01-24-2016 10:53 PM
hi,
As Karsten mentioned, SHA256 is available on IKEv2. If your 5580 image is 8.4 or above, then it's supported.
see helpful link:
http://ccnpsecuritywannabe.blogspot.com/2014/08/ikev2-ipsec-site-to-site-vpns.html
01-24-2016 10:58 PM
Hi johnlloyd_13,
I'm just confused by the statement below.
Currently SHA256 is supported on newer ASA platforms (X-Gen firewalls) like the 5585. It is not supported on the 5505, 5510, 5520, 5540 and 5550 platforms. Please check the link below.
From the ASA IPsec and ISAKMP release notes:
"SHA-256 can be used for integrity and PRF to establish IKEv2 tunnels, but it can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."
https://tools.cisco.com/bugsearch/bug/CSCus79188/?reffering_site=dumpcr
01-24-2016 11:23 PM
hi,
Some Cisco docs could be inaccurate.
I'm running ASA version 9.x on some of my 5505s and 5510s and could see an option for IKEv2.
Cisco Adaptive Security Appliance Software Version 9.0(4)
Device Manager Version 7.5(1)
Compiled on Wed 04-Dec-13 08:33 by builders
System image file is "disk0:/asa904-k8.bin"
Config file at boot was "startup-config"
5510 up 96 days 7 hours
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz,
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xfff00000, 1024KB
5510(config)# crypto ipsec ?
configure mode commands/options:
df-bit Set IPsec DF policy
fragmentation Set IPsec fragmentation policy
ikev1 Set IKEv1 settings
ikev2 Set IKEv2 settings
security-association Set security association parameters
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.08
Cisco Adaptive Security Appliance Software Version 9.0(1)
5505(config)# crypto ?
configure mode commands/options:
ca Certification authority
dynamic-map Configure a dynamic crypto map
ikev1 Configure IKEv1 policy
ikev2 Configure IKEv2 policy
ipsec Configure transform-set, IPSec SA lifetime, and fragmentation
isakmp Configure ISAKMP
key Long term key operations
map Configure a crypto map
01-24-2016 11:46 PM
IKEv2 is available on all ASAs, but using better crypto than sha1 isn't. For that you need one of the newer -X ASAs.
I never used a 5580, but I assume that SHA2 is only available for session-establishment, but not for ESP.
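The migration the thread is about, shown as an added before/after configuration fragment (my illustration, not code from the posters or from Cisco documentation): an IKEv1/SHA-1 site-to-site setup beside the IKEv2/SHA-256 replacement that Karsten's advice (9.x, IKEv2 only, ESP SHA-256 only on the -X platforms) leads to. The interface name `outside`, the ACL `VPN-ACL`, the proposal and map names, the peer address 203.0.113.2 and the pre-shared-key placeholders are assumptions.

```text
! --- Before: IKEv1, where the ASA only offers SHA-1 as the hash ---
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA1 esp-aes-256 esp-sha-hmac

! --- After: IKEv2 with SHA-256 for integrity and PRF (requires a 9.x image) ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

! ESP integrity sha-256 is only accepted on the newer -X platforms; on a
! 5505/5510/5520/5540/5550 use "protocol esp integrity sha-1" here while
! still getting SHA-256 for the IKEv2 negotiation itself.
crypto ipsec ikev2 ipsec-proposal PROP-AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! One crypto map entry carrying both proposals during the cutover, so the
! peer can be switched to IKEv2 first and the ikev1 lines removed afterwards.
crypto map OUTSIDE_MAP 10 match address VPN-ACL
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal PROP-AES256-SHA256
crypto map OUTSIDE_MAP 10 set ikev1 transform-set TS-AES256-SHA1
crypto map OUTSIDE_MAP interface outside

! Both key sets configured for the transition; placeholders, not real keys.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key <IKEV1-PSK-PLACEHOLDER>
 ikev2 remote-authentication pre-shared-key <IKEV2-PSK-PLACEHOLDER>
 ikev2 local-authentication pre-shared-key <IKEV2-PSK-PLACEHOLDER>
```

After the peer is moved over, `show crypto ikev2 sa` should list the tunnel with the SHA-256 integrity and PRF values, at which point the `ikev1` transform-set, map line and key can be removed.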