ASA 8.4.3 release date?

Anyone at Cisco know when this will be released to the public?  The last notice I was given was late-July and we are well past that.

I need it especially for SHA-2 ESP hashing for IPsec site-to-site VPNs, a requirement by our regulators.

3 Replies

Marcin Latosiewicz
Cisco Employee

Mick,

(CSC forum spam and profanity filter doesn't like your name ....)

From whom did you hear about 8.4.3 being out in July? We're targeting it for Dec 2011.

Now for SHA-2 support parts of it were introduced in 8.4.2:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1288622

and

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp432043

On my lab ASA 5505 running 8.4.2:

ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# integrity ?

ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

HTH,

Marcin

Hi Marcin.

I heard it from our SE, but this was back in May.  Thanks for the December date; it gives me scope to plan now.

From reading the release notes for 8.4.2 I understood that SHA-2 was only available for Anyconnect IPSec connections, not site-to-site?

Extract:

Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF

This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.

We modified the following commands: integrity, prf, show crypto ikev2 sa detail, show vpn-sessiondb detail remote.

It doesn't mention site-to-site.

Michael,

I don't think there are changes in this regard planned for 8.4.3 (but then again I have limited scope).

IKEv2 policies are not tied to a particular connection type or authentication. In theory there should be no problem using them for site-to-site as well.

Note that IPsec proposal support for SHA-2 is not yet there; maybe that's what the SE was referring to.

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal PRO
ciscoasa(config-ipsec-proposal)# prot esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1

Marcin
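The distinction Marcin draws above (SHA-2 available for the IKEv2 policy integrity hash, but not yet for the ESP integrity hash in the IPsec proposal) is exactly what a regulator-driven config audit has to check. The following is an added example, not code from the thread or from Cisco: it parses a running-config excerpt and reports every IKEv2 policy and IPsec proposal whose integrity hash is not a SHA-2 variant. The config text is constructed for illustration; the `crypto ikev2 policy` / `crypto ipsec ikev2 ipsec-proposal` syntax and the hash keywords are the ones shown in the CLI output above.

```python
import re

# Constructed sample ASA running-config excerpt (not from the thread):
# one IKEv2 policy already on SHA-2, one still on SHA-1, and an ESP
# proposal that, as of 8.4.2 per the thread, can only offer md5/sha-1.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 5
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal PRO
 protocol esp encryption aes-256
 protocol esp integrity sha-1
"""

SHA2 = {"sha256", "sha384", "sha512"}
# Section headers that start an IKEv2 policy or an IKEv2 IPsec proposal.
HEADER = re.compile(r"^crypto (ikev2 policy \d+|ipsec ikev2 ipsec-proposal \S+)$")
# Integrity line in either section: "integrity X" or "protocol esp integrity X".
INTEGRITY = re.compile(r"^\s+(?:protocol esp )?integrity (\S+)$")


def parse_integrity(config):
    """Map each IKEv2 policy / IPsec proposal to its configured integrity hash."""
    result, current = {}, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        m = INTEGRITY.match(line)
        if m and current:
            result[current] = m.group(1)
    return result


def weak_integrity(config):
    """Return the objects whose integrity hash is not SHA-256/384/512."""
    return {name: alg for name, alg in parse_integrity(config).items() if alg not in SHA2}
```

Run `weak_integrity(SAMPLE_CONFIG)` against a real `show running-config` dump to list the policies and proposals that still need to move to SHA-2 once the ESP side supports it.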
