09-28-2011 07:34 AM
Anyone at Cisco know when this will be released to the public? The last notice I was given was late-July and we are well past that.
I need it especially for SHA-2 ESP hashing for IPSec site-to-site VPNs, a requirement by our regulators.
09-30-2011 08:20 AM
Mick,
(CSC forum spam and profanity filter doesn't like your name ....)
Who did you hear about 8.4.3 being out in July? We're targeting it for Dec 2011.
Now for SHA-2 support, parts of it were introduced in 8.4.2:
and
http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp432043
On my lab ASA 5505 running 8.4.2:
ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
md5 set hash md5
sha set hash sha1
sha256 set hash sha256
sha384 set hash sha384
sha512 set hash sha512
HTH,
Marcin
10-03-2011 01:16 AM
Hi Marcin.
I heard it from our SE but this was back in May. Thanks for the December date; it gives me scope to plan now.
From reading the release notes for 8.4.2 I understood that SHA-2 was only available for AnyConnect IPSec connections, not site-to-site?
Extract:
It doesn't mention site-to-site.
10-03-2011 01:57 AM
Michael,
I don't think there are changes in this regard planned for 8.4.3 (but then again I have limited scope).
IKEv2 policies are not tied to a particular connection type or authentication. In theory there should be no problem using them for site-to-site as well.
Note that IPsec proposal support for SHA-2 is not yet there; maybe that's what the SE was referring to.
ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal PRO
ciscoasa(config-ipsec-proposal)# prot esp integrity ?
ipsec-proposal mode commands/options:
md5 set hash md5
sha-1 set hash sha-1
Marcin