Solved: Cipher error on WS-C2950G-24-EI switch |

Amol_Telore · ‎10-08-2018

Hi Team,

im trying to ssh switch but getting below error

ssh dduser@XX.XX.XX.XX

Unable to negotiate with 172.19.12.4 port 22: no matching cipher found. Their offer: 3des-cbc

if i used below cmd will get access.

ssh -c 3des-cbc dduser@XX.XX.XX.XX

Please let me know this switches (WS-C2950G-24-EI )can support algorithm encryption aes128-cbc ?

With 12.1(22)EA13 veersion.

Seb Rupik · ‎10-08-2018

Run that command from a host CLI which has nmap installed. Not the switch.

cheers,

Seb.

View solution in original post

Seb Rupik · ‎10-08-2018

Hi there,

The images released for the 2950G are of such a vintage that I doubt these ‘next-generation’ ciphers are available.

This document:

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

…dated 2012 recommends replacing 3DES with AES. So it is probably safe to assume the 2950G image builds were not around when Cisco was making this transition.

Nmap has a built in script you run against your switches to determine ciphersuite:

nmap --script ssh2-enum-algos -sV -p <port> <host>

cheers,

Seb.

Amol_Telore · ‎10-08-2018

HI Sep,

thanks for the reply...

how do i run below script on switch ?

nmap --script ssh2-enum-algos -sV -p <port> <host>

Regards,

Amol

Seb Rupik · ‎10-08-2018

Run that command from a host CLI which has nmap installed. Not the switch.

cheers,

Seb.