S2S IPSec VPN on ASA5505: Which IOS Image Does Support SHA-2

fntowo2009
Level 1

Hello,

Could someone tell me the IOS image I need to support SHA-2 on an ASA5505?

Below is some relevant info.

Thanks in advance for your input!

---- My ASA5505

Cisco Adaptive Security Appliance Software Version 9.1(7)4
Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,

ASA(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1

===  Available Images

https://software.cisco.com/download/home/280582808/type/280775065/release

6 Replies

@fntowo2009 well this Cisco ASA 9.1 guide implies IKEv2 will work on the 5505.

Did you specify IKEv2 when creating that IPsec proposal? The output you provided is not clear.

ASA(config)# crypto ipsec ikev2 ipsec-proposal TSET
ASA(config-ipsec-proposal)# protocol esp encryption aes-256

fntowo2009
Level 1

Rob,

Thanks for the prompt feedback!

Below is the requested info.

====

ASA(config)# crypto ipsec ikev2 ipsec-proposal test
ASA(config-ipsec-proposal)# protocol esp integrity ?

ipsec-proposal mode commands/options:
  md5    set hash md5
  null   set hash null
  sha-1  set hash sha-1
ASA(config-ipsec-proposal)# protocol esp integrity

@fntowo2009 ok, looks like you cannot use SHA2 on the older ASA models.

"SHA-256 can be used for integrity and PRF to establish IKEv2 tunnels, but it can also be used for ESP integrity protection on the newer ASA platforms (and not 5505, 5510, 5520, 5540, or 5550)."

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/vpn/asa_91_vpn_config/vpn_ike.html

Much appreciated.

ASA support for SHA-2 for crypto IPsec and PKI operations part 2
CSCuj67576

9.4 isn't an option for ASA5505.
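
An added example, not written by anyone in this thread and not Cisco code: a small Python audit that reads the `Hardware:` line of `show version` and the IKEv2 ipsec-proposals from a saved configuration, then flags ESP integrity hashes the platform cannot offer according to the guide quoted above. The `PEER_TEMPLATE` proposal and the `sha-256` keyword in the sample are constructed assumptions; the model list and the md5/null/sha-1 set come from the thread.

```python
import re

# Models the quoted ASA 9.1 guide excludes from SHA-256 ESP integrity.
LEGACY_MODELS = {"5505", "5510", "5520", "5540", "5550"}
# ESP integrity keywords the 5505 listed in the thread's context help.
LEGACY_ESP_HASHES = {"md5", "null", "sha-1"}

# Constructed sample input: the Hardware line is the one posted in the thread.
SHOW_VERSION = "Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz,"
CONFIG = """\
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal PEER_TEMPLATE
 protocol esp encryption aes-256
 protocol esp integrity sha-256 md5
"""

def asa_model(show_version):
    """Return the four model digits from the 'Hardware:' line, or None."""
    m = re.search(r"^Hardware:\s+ASA(\d{4})", show_version, re.MULTILINE)
    return m.group(1) if m else None

def esp_integrity_by_proposal(config):
    """Map each IKEv2 ipsec-proposal name to its ESP integrity hashes."""
    proposals, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)$", line)
        if m:
            current = m.group(1)
            proposals[current] = []
        elif current and line.startswith("protocol esp integrity "):
            proposals[current] += line.split()[3:]   # several hashes may share a line
        elif current and line and not line.startswith("protocol esp "):
            current = None                           # left the proposal sub-mode
    return proposals

def audit(show_version, config):
    """List (proposal, hash, reason) for hashes the box cannot offer or that are weak."""
    model, findings = asa_model(show_version), []
    for name, hashes in esp_integrity_by_proposal(config).items():
        for h in hashes:
            if model in LEGACY_MODELS and h not in LEGACY_ESP_HASHES:
                findings.append((name, h, "not offered on ASA" + model))
            elif h == "md5":
                findings.append((name, h, "weak hash"))
    return findings

if __name__ == "__main__":
    for finding in audit(SHOW_VERSION, CONFIG):
        print(finding)
```
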