How to tell what SHA-X version the IOS is using?

leam_hall
Level 1

Morning all! I need to verify that the IOS image we are running is using SHA-256 or higher. How do I do that?

Thanks!

Leam


7 Replies

Panos Kampanakis
Cisco Employee

All "older" IOS versions only support SHA1. Only newer IOS versions will support SHA2. It depends on the IOS.

I hope it helps.

PK

How do I tell? Is there an IOS command to show? Can it be configured? If there's an option for SHA-1 or SHA-256, how do I make sure I'm only using the latter?

Thanks!

Leam

Hi,

I'm not aware of an IOS command that will show this, but you can easily tell if the SHA2 capabilities are supported by trying to configure it under either the isakmp policy or ipsec transform-set, e.g.:

router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
*Jan 19 11:45:57.975: %SYS-5-CONFIG_I: Configured from console by consolet
router(config)#crypto ipsec transform-set test ?
  ....snip....
  esp-sha-hmac     ESP transform using HMAC-SHA auth
  esp-sha256-hmac  ESP transform using HMAC-SHA256 auth
  esp-sha384-hmac  ESP transform using HMAC-SHA384 auth
  esp-sha512-hmac  ESP transform using HMAC-SHA512 auth

Hope this helps,
Wen
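
On an image that does offer the SHA-2 keywords above, one way to confirm that nothing in the configuration still falls back to SHA-1 is to audit the saved running-config text. This Python check is an added example, not part of the thread or any Cisco tooling: the sample config is constructed, `audit_hashes` is a hypothetical name, it only recognises the ESP HMAC keywords listed in the reply above, and it assumes an ISAKMP policy with no `hash` line runs the IOS default of SHA-1.

```python
import re

# Constructed sample of IOS running-config lines (not taken from the thread).
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 group 14
crypto isakmp policy 20
 encr 3des
 group 2
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
"""

SHA2_ISAKMP = {"sha256", "sha384", "sha512"}
SHA2_ESP = {"esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}


def audit_hashes(config):
    """Return sorted (object, hash in use) tuples for anything not on SHA-2."""
    findings = []
    policy, policy_hash = None, None

    def close_policy():
        # Assumption: a policy without a "hash" line uses the default, SHA-1.
        if policy is not None and policy_hash not in SHA2_ISAKMP:
            findings.append((f"isakmp policy {policy}", policy_hash or "sha (default)"))

    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)\s*$", line)
        if m:
            close_policy()  # finish the previous policy block, if any
            policy, policy_hash = m.group(1), None
            continue
        if policy is not None and line.startswith(" "):
            h = re.match(r"\s+hash (\S+)", line)
            if h:
                policy_hash = h.group(1)
            continue
        close_policy()  # an unindented line ends the policy block
        policy, policy_hash = None, None
        t = re.match(r"crypto ipsec transform-set (\S+) (.+)", line)
        if t:
            auth = [w for w in t.group(2).split() if w.endswith("-hmac")]
            if not any(a in SHA2_ESP for a in auth):
                findings.append((f"transform-set {t.group(1)}", " ".join(auth) or "none"))
    close_policy()
    return sorted(findings)
```

An empty list from `audit_hashes` means every ISAKMP policy and ESP transform-set in the text names a SHA-2 hash explicitly.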

I don't seem to have that capability. We are using 12.2.(53) (IPSERVICESK9-M) and 12.2(55).

Still looking...

Leam

Hi, Leam:

No, your code won't have it. The SHA-2 support (as part of Suite B) wasn't introduced until very recently - 15.1(2)T for the software crypto engine, and 15.1(3)T for the ISR G2 platforms, see:

http://www.cisco.com/en/US/partner/docs/ios/15_1/release/notes/151TNEWF.html#wp1094818

Thanks,

Wen

Wen, thanks!

Is there an expected time SHA-2 will get to the 12.2 line? I can't see the "partner" website you sent, we're only on a customer support level.

Leam

Hi, Leam:

Try this link instead:

http://www.cisco.com/en/US/docs/ios/15_1/release/notes/151TNEWF.html#wp1094818

No, I don't know if/when SHA-2 support will be added to the 12.2S train. You may want to check with your Cisco account rep on that.

Thanks,

Wen