
Upgrade Cisco ssh server encryption on IOS c921-4p

iewhf02i
Level 1

I am using an isr c921-4p. 

The system file is flash:c900-universalk9-mz.SPA.158-3.M6.bin.

I want to upgrade the encryption algorithms so that it’s more secure.

 

I tried to follow this guide, https://community.cisco.com/t5/networking-knowledge-base/configuring-ios-xe-for-strong-security-ssh-sessions/ta-p/4556490, but I don’t see any of the NIST encryption algorithms in the terminal.

Does it not exist for my router? What can I do?


I followed your two posts.
Use
ip ssh server algorithm hostkey {x509v3-ssh-rsa | ssh-rsa} <<-
since you use SSH with a hostkey (it works for you),
and there is no need for new encryption.

Hi

On the link you followed, it is written:

"This document will show you how to configure IOS XE to assure the cryptographic primers in use provide the highest level of security. We will do our best to match the strength of the public key exchange algorithm with the security strength of the symmetric ciphe"

So, it does not apply to your router.

M02@rt37
VIP

Hello @iewhf02i,

The availability of encryption algorithms may depend on the specific software version installed on your router. However, not all encryption algorithms may be available on all Cisco router platforms due to hardware limitations or software support.

The suggested version for your platform is c900-universalk9-mz.SPA.159-3.M4.bin.

Do you have this command on your router?

ip ssh server algorithm

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

M02@rt37 I got the router secondhand and I don’t have a service contract so I can’t update it.

Yes, I have the command.

Ok @iewhf02i,

What are the algorithms proposed with this command?

Best regards

I have 6 options:

Under authentication -> keyboard password publickey

Under encryption -> 3des-cbc aes128-cbc aes128-ctr aes192-cbc aes192-ctr aes256-cbc aes256-ctr

Under hostkey -> ssh-rsa x509v3-ssh-rsa

Under kex -> diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

Under mac -> hmac-sha1 hmac-sha1-96 hmac-sha2-256 hmac-sha2-512

Under publickey -> ssh-rsa x509v3-ssh-rsa

@iewhf02i,

The best you can do for the KEX algorithm is: diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1

Best algorithm combination:

--KEX: diffie-hellman-group14-sha1

--MAC: hmac-sha2-256 or hmac-sha2-512

 

Best regards
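Added example, not part of any post in this thread: a short Python script that takes the algorithm lists the router offered above, keeps only a preferred subset, and prints the matching "ip ssh server algorithm" lines. The KEX and MAC preferences follow the last reply; the encryption preference (CTR modes only, no 3DES or CBC) and all function names are assumptions of this example.

```python
# Added example. OFFERED is copied from the lists posted in the thread.
OFFERED = {
    "encryption": ["3des-cbc", "aes128-cbc", "aes128-ctr", "aes192-cbc",
                   "aes192-ctr", "aes256-cbc", "aes256-ctr"],
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1"],
    "mac": ["hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"],
}

# Preference order per category. kex/mac come from the thread's last reply;
# the encryption entry is an assumed policy (CTR only, largest key first).
PREFERRED = {
    "encryption": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "kex": ["diffie-hellman-group14-sha1"],
    "mac": ["hmac-sha2-256", "hmac-sha2-512"],
}

def select(offered, preferred=PREFERRED):
    """Keep, in preference order, only the algorithms the device really offers."""
    chosen = {}
    for category, wanted in preferred.items():
        available = set(offered.get(category, []))
        keep = [alg for alg in wanted if alg in available]
        if not keep:
            # An empty list would lock every client out, so refuse to emit it.
            raise ValueError(f"no preferred {category} algorithm is offered")
        chosen[category] = keep
    return chosen

def dropped(offered, chosen):
    """Algorithms the device offers that the generated config disables."""
    return {c: [a for a in algs if a not in chosen.get(c, [])]
            for c, algs in offered.items()}

def residual_risks(chosen):
    """Algorithms kept only because this image offers nothing stronger (SHA-1)."""
    return [a for algs in chosen.values() for a in algs if "sha1" in a]

def to_ios_config(chosen):
    """Render one 'ip ssh server algorithm' line per category."""
    return [f"ip ssh server algorithm {c} {' '.join(algs)}"
            for c, algs in chosen.items()]

if __name__ == "__main__":
    chosen = select(OFFERED)
    print("\n".join(to_ios_config(chosen)))
    print("disabled:", dropped(OFFERED, chosen))
    print("still SHA-1 based:", residual_risks(chosen))
```

Before saving the configuration, keep the current session open and confirm from a second SSH client that a login still negotiates, since clients that only support a disabled algorithm will no longer connect.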