05-21-2023 04:49 PM
I am using an isr c921-4p.
The system file is flash:c900-universalk9-mz.SPA.158-3.M6.bin.
I want to upgrade the encryption algorithms so that it's more secure.
I tried to follow this guide, https://community.cisco.com/t5/networking-knowledge-base/configuring-ios-xe-for-strong-security-ssh-sessions/ta-p/4556490 but I don't see any of the NIST encryption algorithms in the terminal.
Does it not exist for my router? What can I do?
05-21-2023 05:07 PM
I follow your two posts
use
ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa} <<-
since you use ssh with hostkey (it works for you)
and no need new encryption
05-21-2023 06:16 PM
Hi
on the link you followed is written:
"This document will show you how to configure IOS XE to assure the cryptographic primers in use provide the highest level of security. We will do our best to match the strength of the public key exchange algorithm with the security strength of the symmetric ciphe"
So, it does not apply to your router.
05-21-2023 09:50 PM
Hello @iewhf02i,
The availability of encryption algorithms may depend on the specific software version installed on your router. However, not all encryption algorithms may be available on all Cisco router platforms due to hardware limitations or software support.
The suggested version for your platform is c900-universalk9-mz.SPA.159-3.M4.bin.
Do you have this command on your router?
ip ssh server algorithm
05-21-2023 10:38 PM
M02@rt37 I got the router secondhand and I don't have a service contract so I can't update it.
yes I have the command.
05-21-2023 10:55 PM
Ok @iewhf02i,
What are the algorithms proposed with this command?
05-21-2023 11:10 PM - edited 05-21-2023 11:11 PM
I have 6 options:
Under authentication -> keyboard password publickey
Under encryption -> 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr
Under hostkey -> ssh-rsa x509v3-ssh-rsa
Under kex -> diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
Under mac -> hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512
Under publickey -> ssh-rsa x509v3-ssh-rsa
05-21-2023 11:50 PM - edited 05-21-2023 11:52 PM
the best you can do as KEX algo is that: diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1
Best algorithm combination:
--KEX: diffie-hellman-group14-sha1
--MAC: hmac-sha2-256 or hmac-sha2-512
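The following is an added example, not code from any post in this thread or from Cisco: a small Python script that takes the algorithm lists the router printed under `ip ssh server algorithm ?` (transcribed from the post above), filters each category down to the strongest options that image actually offers, and emits the IOS `ip ssh server algorithm` lines that would pin the router to them. The preference order for KEX and MAC follows the advice in the reply above (group14, SHA-2 MACs); preferring the CTR ciphers over the CBC ones and dropping 3DES is an assumption of this example, not something the thread states. The ordering of the command keywords is the standard IOS syntax; the algorithm names are only those the router listed.

```python
"""Rank the SSH algorithms a Cisco IOS router offers and emit restricting commands.

Added example for the thread above. OFFERED is transcribed from the poster's
`ip ssh server algorithm ?` output; PREFERRED encodes the thread's advice
(group14 KEX, SHA-2 MACs) plus the assumption that CTR ciphers are preferred
over CBC and 3DES is dropped.
"""

# Algorithm lists exactly as the router in the thread printed them.
OFFERED = {
    "encryption": "3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr "
                  "aes256-cbc aes256-ctr".split(),
    "kex": "diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1".split(),
    "mac": "hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512".split(),
}

# Preference order per category; anything not listed here is treated as weak.
# (Assumption of this example: CTR over CBC, no 3DES; the thread only
# explicitly recommends the KEX and MAC choices.)
PREFERRED = {
    "encryption": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "kex": ["diffie-hellman-group14-sha1"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256"],
}


def select(offered, preferred):
    """Return the preferred algorithms the router actually offers, in preference order."""
    return [alg for alg in preferred if alg in offered]


def weak(offered, preferred):
    """Return the offered algorithms that are not on the preferred list, in router order."""
    return [alg for alg in offered if alg not in preferred]


def ios_commands(offered=OFFERED, preferred=PREFERRED):
    """Build the `ip ssh server algorithm <category> <list>` lines for each category.

    Raises ValueError if a category has no acceptable option at all, because
    restricting it to an empty list would lock you out rather than harden it.
    """
    commands = []
    for category in ("encryption", "kex", "mac"):
        chosen = select(offered[category], preferred[category])
        if not chosen:
            raise ValueError(f"no acceptable {category} algorithm offered by this image")
        commands.append(f"ip ssh server algorithm {category} {' '.join(chosen)}")
    return commands


def report(offered=OFFERED, preferred=PREFERRED):
    """Human-readable summary: what to keep, what to drop, and the config lines."""
    lines = []
    for category in ("encryption", "kex", "mac"):
        lines.append(f"{category}: keep {select(offered[category], preferred[category])}, "
                     f"drop {weak(offered[category], preferred[category])}")
    lines.extend(ios_commands(offered, preferred))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Note that the best KEX this image offers, diffie-hellman-group14-sha1, still hashes with SHA-1; the script can only choose among what the router lists, which is why the reply above says it is the best you can do on this software. Apply the emitted lines from configuration mode on a console or an already-open session, then confirm with a fresh SSH connection before closing the existing one, since removing the only algorithm your client supports would drop remote access.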
05-21-2023 11:14 PM
It's old, but still relevant:
https://community.cisco.com/t5/security-knowledge-base/guide-to-better-ssh-security/ta-p/3133344