cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1074
Views
0
Helpful
3
Replies
Highlighted

ASA 8.4.3 release date?

Anyone at Cisco know when this will be release to the public?  The last notice I was given was late-July and we are well past that.

I need it especially for SHA-2 ESP hashing for IPSec site-to-site VPN's, a requirement by our regulators.

3 REPLIES 3
Highlighted
Cisco Employee

Mick,

(CSC forum spam and profanity filter doesn't like your name ....)

Who did you hear about 8.4.3 being out in July? We're targeting it fot Dec 2011.

Now for SHA-2 support parts of it were introduced in 8.4.2:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1288622

and

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp432043

On my lab ASA 5505 running 8.4.2:

ciscoasa(config)# crypto ikev2 policy 10

ciscoasa(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:

  md5     set hash md5

  sha     set hash sha1

  sha256  set hash sha256

  sha384  set hash sha384

  sha512  set hash sha512

HTH,

Marcin

Highlighted

Hi Marcin.

I heard it from our SE but this was back in May.  Thanks for the December date it gives me scope to plan now.

From reading the release notes for 8.4.2 I understood that SHA-2 was only available for Anyconnect IPSec connections, not site-to-site?

Extract:

Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF

This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.

We modified the following commands: integrity, prf, show crypto ikev2 sa detail, show vpn-sessiondb detail remote.

It doesn't mention site-to-site.

Highlighted

Michael,

I don't think there are changes in this regard planned for 8.4.3 (but then again I have limited scope).

IKEv2 policies are not tied to particular connection type or authentication. In theory there should be no problem to use them also for site-to-site.

Note that IPsec proposal support for sha-2 is not yet there, maybe that's what the SE was referring to.

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal PRO

ciscoasa(config-ipsec-proposal)# prot esp integrity ?

ipsec-proposal mode commands/options:

  md5    set hash md5

  sha-1  set hash sha-1

Marcin

Content for Community-Ad