Solved: hay there...

Vishnu Ravindranath · ‎06-08-2016

Hi Team,

I tried to configure SHA256 as integrity for IKEV2 IPSEC proposal and SHA256 was not available there, the version we are running is 9.0(3). The ASA model is 5540 (Legacy). Could someone please help us to identify whether the same will support in Legacy firewalls if we upgrade the IOS into 9.1(6) as this is the latest version available for the box.

ASA(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:

md5 set hash md5

null set hash null

sha-1 set hash sha-1

Thank you,

Vishnu

ansarjavaid54 · ‎06-08-2016

hay there...

Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:

HA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550).

Since Cisco has announced the end-of-life date for these older platforms

View solution in original post

ansarjavaid54 · ‎06-08-2016

hay there...

Book 3: Cisco ASA Series VPN CLI Configuration Guide, 9.1 - Configuring IPSec and ISAKMP - Creating a Basic IPsec Configuration - Note at end of Step 2:

HA-256 ... can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550).

Since Cisco has announced the end-of-life date for these older platforms

Vishnu Ravindranath · ‎06-08-2016

Dear Ansar,

Thanks for the revert, So the SHA 256 cant be used for ESP integrity even in the Latest Version on the Legacy Firewalls ( 5520, 5540, 5550 ....... )

Thank you,

Vishnu

ansarjavaid54 · ‎06-09-2016

You welcome and tyx for rating....

ASA SHA256 Integrity for IKEV2 IPSEC Proposal