02-18-2014 05:53 AM - edited 02-21-2020 07:30 PM
Hi, we have a 5510 ASA with 9.1(3) firmware, Security Plus license.
I can't configure SHA-256 in the IPsec proposal; is there any reason for that?
The only two options are MD5 and SHA-1:
asa(config-ipsec-proposal)# protocol esp integrity ?
ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1
asa(config-ipsec-proposal)# protocol esp integrity
02-18-2014 07:57 AM
Just to be clear, we are talking about IKEv2. Here is the error message:
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies:
Proposal 1: AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies:
Proposal 1: AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
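A small triage helper, added here as an example (it is not Cisco code and not from anyone in this thread): it parses the "Received Policies" / "Expected Policies" lines from an ASA IKEv2 debug like the one above and reports which transform differs, so the SHA256-vs-SHA1 integrity mismatch is spotted without reading the proposals by eye. It assumes one transform per type on each "Proposal" line, as in the quoted output; the sample lines embedded below are constructed from that post.

```python
import re

# Constructed sample, modelled on the ASA debug output quoted in the post above:
# the peer offers SHA256 integrity, the ASA's configured proposal expects SHA1.
SAMPLE_DEBUG = """\
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Received Policies:
Proposal 1: AES-CBC-256 SHA256 SHA256 DH_GROUP_2048_MODP/Group 14
IKEv2-PROTO-1: (348): Failed to find a matching policy
IKEv2-PROTO-1: (348): Expected Policies:
Proposal 1: AES-CBC-256 SHA1 SHA256 DH_GROUP_2048_MODP/Group 14
"""

FIELDS = ("encryption", "integrity", "prf", "dh_group")

# One transform per type per line (encryption, integrity, PRF, DH group); the DH
# group name contains a space ("DH_GROUP_2048_MODP/Group 14"), so it takes the rest.
PROPOSAL_RE = re.compile(r"\s*Proposal\s+(\d+):\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def parse_policies(text):
    """Return {'received': [...], 'expected': [...]}, one dict per Proposal line,
    keyed by which section of the debug output the line appeared in."""
    out = {"received": [], "expected": []}
    section = None
    for line in text.splitlines():
        if "Received Policies" in line:
            section = "received"
        elif "Expected Policies" in line:
            section = "expected"
        m = PROPOSAL_RE.match(line)
        if m and section:
            out[section].append({"id": int(m.group(1)), "encryption": m.group(2),
                                 "integrity": m.group(3), "prf": m.group(4),
                                 "dh_group": m.group(5)})
    return out


def proposal_mismatches(policies):
    """Compare every received proposal with every expected one and list the fields
    that differ as (field, received_value, expected_value) tuples."""
    report = []
    for recv in policies["received"]:
        for exp in policies["expected"]:
            diffs = [(f, recv[f], exp[f]) for f in FIELDS if recv[f] != exp[f]]
            report.append((recv["id"], exp["id"], diffs))
    return report


def has_matching_policy(policies):
    """True if at least one received/expected pair agrees on all four transforms."""
    return any(not diffs for _, _, diffs in proposal_mismatches(policies))
```

Run it over a pasted `debug crypto ikev2` capture; an empty diff list for some pair means the proposals agree and the failure lies elsewhere.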
02-19-2014 06:08 AM
Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not offer the possibility to configure
for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals.
Is this true?
08-11-2014 12:55 PM
I found this limitation listed in the Cisco documentation.
Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:
"... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."
Since Cisco has announced the end-of-life date for these older platforms, it may be a good time to evaluate migrating to the newer hardware. The standard SHA-1 is plenty of hash for the IPsec SAs for now, until systems are replaced with the new gear.
11-18-2014 01:55 AM
Just for the archive:
The 5505 with 9.2 supports SHA-256, and the quote from the 9.1 guide is gone in 9.2:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/vpn/asa-vpn-cli/vpn-ike.html
03-05-2015 11:57 AM
The following legacy models do not support ASA 9.2 (refer to the link at the bottom). That is why the note "... SHA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)." was removed in the 9.2 guide. In other words, the following models do not support SHA-2 in IKEv1 or IPsec (but they do support SHA-2 in IKEv2).
ASA 5510, 5520, 5540
ASA 5550
ASA 5580
ASA 1000V
http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html
11-03-2015 06:42 AM
Your link (as of right now) says 9.2 is supported on the 5505, but SHA-2 for ESP integrity is not supported on the 5505 despite what half the documentation says. The 9.2 VPN CLI configuration guide page 1-31 says it should support it, while page 6-10 says it doesn't. SHA-1 it is then, it seems.