Anyone at Cisco know when this will be released to the public? The last notice I was given was late-July and we are well past that.
I need it especially for SHA-2 ESP hashing for IPSec site-to-site VPNs, a requirement by our regulators.
(CSC forum spam and profanity filter doesn't like your name ....)
Who did you hear from about 8.4.3 being out in July? We're targeting it for Dec 2011.
Now, for SHA-2 support, parts of it were introduced in 8.4.2:
On my lab ASA 5505 running 8.4.2:
ciscoasa(config)# crypto ikev2 policy 10
ciscoasa(config-ikev2-policy)# integrity ?
ikev2-policy mode commands/options:
  md5     set hash md5
  sha     set hash sha1
  sha256  set hash sha256
  sha384  set hash sha384
  sha512  set hash sha512
I heard it from our SE but this was back in May. Thanks for the December date; it gives me scope to plan now.
From reading the release notes for 8.4.2 I understood that SHA-2 was only available for AnyConnect IPSec connections, not site-to-site?
Secure Hash Algorithm SHA-2 Support for IPsec IKEv2 Integrity and PRF
This release supports the Secure Hash Algorithm SHA-2 for increased cryptographic hashing security for IPsec/IKEv2 AnyConnect Secure Mobility Client connections to the ASA. SHA-2 includes hash functions with digests of 256, 384, or 512 bits, to meet U.S. government requirements.
We modified the following commands: integrity, prf, show crypto ikev2 sa detail, show vpn-sessiondb detail remote.
It doesn't mention site-to-site.
I don't think there are changes in this regard planned for 8.4.3 (but then again I have limited scope).
IKEv2 policies are not tied to a particular connection type or authentication. In theory there should be no problem using them for site-to-site as well.
Note that IPsec proposal support for SHA-2 is not yet there; maybe that's what the SE was referring to.
ciscoasa(config)# crypto ipsec ikev2 ipsec-proposal PRO
ciscoasa(config-ipsec-proposal)# prot esp integrity ?
ipsec-proposal mode commands/options:
  md5    set hash md5
  sha-1  set hash sha-1
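
Added example (not part of the thread and not Cisco code): the thread separates IKEv2 policy integrity, where 8.4.2 offers SHA-2, from ESP integrity in the ipsec-proposal, where only md5 and sha-1 are offered. This Python sketch audits a saved configuration for both layers. The sample configuration is constructed from the commands shown above, and the function names and the one-space indentation of sub-commands are assumptions.

```python
import re

SHA2 = {"sha256", "sha384", "sha512"}

# Constructed sample config; uses only the commands shown in the thread.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 integrity sha256
crypto ikev2 policy 20
 integrity sha
crypto ipsec ikev2 ipsec-proposal PRO
 protocol esp integrity sha-1
"""

def audit_integrity(config):
    """Return (layer, name, algorithm, is_sha2) for every integrity setting."""
    findings, layer, name = [], None, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented line opens a new block
            pol = re.match(r"crypto ikev2 policy (\S+)", line)
            pro = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
            if pol:
                layer, name = "ikev2-policy", pol.group(1)
            elif pro:
                layer, name = "esp-proposal", pro.group(1)
            else:
                layer = name = None
            continue
        words = line.split()
        if layer == "ikev2-policy" and words[0] == "integrity":
            algs = words[1:]
        elif layer == "esp-proposal" and words[:3] == ["protocol", "esp", "integrity"]:
            algs = words[3:]
        else:
            continue
        # Assumption: a line may list several algorithms; check each one.
        findings += [(layer, name, alg, alg in SHA2) for alg in algs]
    return findings

def non_sha2(config):
    """Settings that would not satisfy a SHA-2-only requirement."""
    return [(l, n, a) for l, n, a, ok in audit_integrity(config) if not ok]

if __name__ == "__main__":
    for layer, name, alg in non_sha2(SAMPLE_CONFIG):
        print(f"{layer} {name}: integrity {alg} is not SHA-2")
```

Reporting the two layers separately shows that a SHA-2 IKEv2 policy does not by itself mean the ESP traffic is hashed with SHA-2.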