I'm having issues SSH'ing from a Cisco 3925 router to a FIPS enabled and hardened Linux server. The Cisco 3925 is on IOS version 15.7(3).M7.
The Linux server (RHEL 7) is configured with the following defined in its SSH server config:
Ciphers aes128-ctr,aes192-ctr,aes265-ctr
MACs hmac-sha2-256,hmac-sha2-512
My understanding is that the Linux server will not successfully handshake with a client (the Cisco 3925 router) that does not also support those algorithms. When tailing the SSH log file on the server, I see the following error message:
"Unable to negotiate with 172.16.10.1: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14.sha1 [preauth]"
This seems to indicate that the Cisco 3925 is not configured to or attempting to use an algorithm that is found in the Linux server's config.
Is there a way to adjust the Cisco 3925's configuration such that it will use a stronger encryption or key exchange algorithm?
Thanks!
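The log line quoted above says exactly which negotiation step failed (key exchange, not cipher or MAC) and lists everything the client offered, so the mismatch can be checked mechanically against the server's allow-lists. As an added example that is not part of the original post, the Python below parses sshd "Unable to negotiate" lines and reports the intersection of the client's offer with the server's configured list for that category. The Ciphers and MACs lists mirror the sshd_config lines in the question (spelled aes256-ctr); the KexAlgorithms list is an assumption, since the post does not show it; the sample log lines are constructed, with the first modelled on the quoted message using the standard hyphenated name diffie-hellman-group14-sha1.

```python
import re

# Constructed sample sshd log lines. The first is modelled on the line quoted
# in the question; the others are constructed to exercise the other branches.
SAMPLE_LOGS = [
    "Unable to negotiate with 172.16.10.1: no matching key exchange method found. "
    "Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 [preauth]",
    "Unable to negotiate with 172.16.10.2: no matching cipher found. "
    "Their offer: aes128-cbc,3des-cbc [preauth]",
    "Accepted publickey for admin from 172.16.10.3 port 50022 ssh2",
]

# Server-side allow-lists. Ciphers and MACs mirror the sshd_config lines in the
# question; the KexAlgorithms list is an assumption (the question does not show it).
SERVER_POLICY = {
    "key exchange method": ["ecdh-sha2-nistp256", "diffie-hellman-group-exchange-sha256"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr"],
    "MAC": ["hmac-sha2-256", "hmac-sha2-512"],
}

# sshd names the failed category and prints the peer's complete offer on one line.
NEGOTIATION_FAILURE = re.compile(
    r"Unable to negotiate with (?P<peer>\S+): no matching "
    r"(?P<category>key exchange method|cipher|MAC|host key type) found\. "
    r"Their offer: (?P<offer>\S+)"
)


def parse_failure(line):
    """Return peer, failed category and the offered algorithm list, or None."""
    m = NEGOTIATION_FAILURE.search(line)
    if not m:
        return None
    return {
        "peer": m.group("peer"),
        "category": m.group("category"),
        "offered": m.group("offer").split(","),
    }


def diagnose(line, policy=SERVER_POLICY):
    """Compare the client's offer with the server allow-list for that category.

    SSH selects the first algorithm in the client's list that the server also
    accepts, so 'common' is kept in client preference order. An empty list
    means the handshake cannot succeed until one side changes its list.
    """
    failure = parse_failure(line)
    if failure is None:
        return None
    accepted = policy.get(failure["category"], [])
    failure["accepted_by_server"] = accepted
    failure["common"] = [alg for alg in failure["offered"] if alg in accepted]
    # Flags an offer made up entirely of SHA-1 based algorithms (meaningful for
    # key exchange and MAC names, which carry the hash in their suffix).
    failure["only_sha1_offered"] = all(alg.endswith("-sha1") for alg in failure["offered"])
    return failure


def scan(lines, policy=SERVER_POLICY):
    """Diagnose every negotiation failure in a batch of log lines."""
    return [d for d in (diagnose(line, policy) for line in lines) if d is not None]


if __name__ == "__main__":
    for result in scan(SAMPLE_LOGS):
        print(f"{result['peer']}: {result['category']} mismatch; "
              f"offered {result['offered']}, server accepts {result['accepted_by_server']}, "
              f"common: {result['common'] or 'none'}")
```

Run against a tail of the server's auth log, the script separates "the client offered something the server refuses" from "the client offered nothing the server accepts"; for the quoted line the intersection is empty and every offered method is SHA-1 based, which is why the connection never reaches authentication.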