2439 Views, 5 Helpful, 5 Replies

Cisco ASA 5508 and SHA-512 on IKEv1?

testag
Level 1

Hi,

We are facing the issue that on one end there is the Cisco ASA 5508 and on the other a Sophos UTM 9.6x. We need to establish a site-to-site IPsec VPN connection. I am on the end with the Sophos. Sophos definitely is not capable of IKEv2, as the Cisco is. BUT: I can configure an IPsec host connection, where I am able to choose SHA-512 as IKE authentication algorithm and as IPsec authentication algorithm. On the other end the person is telling me that he can only select SHA-1 when editing the IKE policy.

So we are at a dead end here? I really don't want to use SHA-1 and cannot believe that the Cisco capabilities are limited to SHA-1.

Any ideas?

5 Replies

@testag

If the ASA is using IKEv1, then only the MD5 or SHA-1 hashing algorithm is supported. If using IKEv2, then yes, the ASA supports the latest NGE algorithms: SHA-256, 384 and 512 etc.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/asdm714/vpn/asdm-714-vpn-config/vpn-asdm-ike.html

I'm not familiar with Sophos, but this guide says IKEv2 is supported; will it not work on your Sophos UTM hardware?

https://support.sophos.com/support/s/article/KB-000036987?language=en_US

If you cannot upgrade the Sophos for whatever reason to support IKEv2, then you've no real alternative but to use IKEv1 with SHA-1?

Marvin Rhoads
Hall of Fame

Like @Rob Ingram said. Here's a quote from the United States National Security Agency (NSA) public guidelines for configuring IPsec VPNs:

For Cisco ASA devices, NSA recommends IKEv2, since the IKEv1 implementation only supports SHA1.


IKEv2:
crypto ikev2 policy 1
 encryption [aes-256|aes-gcm-256]
 integrity [sha384|sha512]
 group [16|20]
IPsec:
crypto ipsec ikev2 ipsec-proposal <proposal name>
 protocol esp encryption [aes-256|aes-gcm-256]
 protocol esp integrity [sha-384|sha-512]
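
The following is an added, complete ASA site-to-site example that is not part of this thread, the NSA guide, or Cisco documentation. It puts the IKEv1 policy (where `hash` only offers md5 or sha, i.e. SHA-1) next to an IKEv2 policy and IPsec proposal negotiating SHA-512, so the limitation under discussion and the fix are visible in one place. Everything specific is an assumption for illustration: the policy numbers, the object and map names, the RFC 5737 documentation addresses (192.0.2.0/24 local, 198.51.100.0/24 remote, 203.0.113.2 as the Sophos peer), and the `<psk>` placeholders. The Sophos side is configured in its GUI and is not shown.

```cisco
! --- IKEv1 on the ASA: the only choices for "hash" are md5 and sha (SHA-1).
! This is the policy the remote admin was editing; it cannot express SHA-512.
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! --- IKEv2 on the ASA: SHA-2 integrity and PRF are available.
crypto ikev2 policy 10
 encryption aes-256
 integrity sha512
 group 20
 prf sha512
 lifetime seconds 86400
crypto ikev2 enable outside
!
! --- IPsec (child SA) proposal with SHA-512 ESP integrity.
crypto ipsec ikev2 ipsec-proposal AES256-SHA512
 protocol esp encryption aes-256
 protocol esp integrity sha-512
!
! --- Interesting traffic (assumed documentation networks) and NAT exemption.
object network LOCAL-LAN
 subnet 192.0.2.0 255.255.255.0
object network REMOTE-LAN
 subnet 198.51.100.0 255.255.255.0
access-list VPN-TO-SOPHOS extended permit ip object LOCAL-LAN object REMOTE-LAN
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
!
! --- Crypto map binding the proposal to the peer (assumed address 203.0.113.2).
crypto map OUTSIDE-MAP 10 match address VPN-TO-SOPHOS
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA512
crypto map OUTSIDE-MAP 10 set pfs group20
crypto map OUTSIDE-MAP interface outside
!
! --- Peer authentication (replace <psk> with the shared secret).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key <psk>
 ikev2 local-authentication pre-shared-key <psk>
```

After the tunnel comes up, `show crypto ikev2 sa detail` and `show crypto ipsec sa` display the integrity algorithm each side actually agreed on, which is the check worth making rather than trusting the GUI on either end. Two caveats: if you pick `aes-gcm-256` in the IKEv2 policy instead of `aes-256`, the ASA requires `integrity null` (GCM authenticates on its own) and the `prf` line then carries the SHA-512 choice; and the Sophos side must offer exactly matching IKE and ESP proposals, or the ASA will reject the negotiation.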

Hi Marvin

With a Cisco ASA5508-K9 device, is it possible to use IKEv2 with those parameters?

The ASA supports IKEv2, but does Sophos support it?

https://community.sophos.com/utm-firewall/f/general-discussion/120674/ikev2

This link says no.

But double check.