Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1073
Views
0
Helpful
3
Replies
Highlighted
michaellambert1980
Beginner
Beginner
‎09-28-2011 07:34 AM
‎09-28-2011 07:34 AM

ASA 8.4.3 release date?

Anyone at Cisco know when this will be release to the public?  The last notice I was given was late-July and we are well past that.

I need it especially for SHA-2 ESP hashing for IPSec site-to-site VPN's, a requirement by our regulators.

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
Marcin Latosiewicz
Cisco Employee
Cisco Employee
‎09-30-2011 08:20 AM
‎09-30-2011 08:20 AM

Mick,

(CSC forum spam and profanity filter doesn't like your name ....)

Who did you hear about 8.4.3 being out in July? We're targeting it fot Dec 2011.

Now for SHA-2 support parts of it were introduced in 8.4.2:

http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/anyconnect30rn.html#wp1288622

and

http://www.cisco.com/en/US/docs/security/asa/asa84/release/notes/asarn84.html#wp432043

On my lab ASA 5505 running 8.4.2:

ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512

HTH,

Marcin

0 Helpful
Reply
Highlighted
michaellambert1980
Beginner
Beginner
In response to Marcin Latosiewicz
‎10-03-2011 01:16 AM
‎10-03-2011 01:16 AM

Hi Marcin.

I heard it from our SE but this was back in May.  Thanks for the December date it gives me scope to plan now.

From reading the release notes for 8.4.2 I understood that SHA-2 was only available for Anyconnect IPSec connections, not site-to-site?

Extract:

Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF

This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.

We modified the following commands: integrity, prf, show crypto ikev2 sa detail, show vpn-sessiondb detail remote.

It doesn't mention site-to-site.

0 Helpful
Reply
Highlighted
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to michaellambert1980
‎10-03-2011 01:57 AM
‎10-03-2011 01:57 AM

Michael,

I don't think there are changes in this regard planned for 8.4.3 (but then again I have limited scope).

IKEv2 policies are not tied to particular connection type or authentication. In theory there should be no problem to use them also for site-to-site.

Note that IPsec proposal support for sha-2 is not yet there, maybe that's what the SE was referring to.

ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal PRO
ciscoasa(config-ipsec-proposal)# prot esp integrity ?
ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1

Marcin

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Content for Community-Ad