08-06-2021 08:49 AM
We are planning to upgrade from FMC & FTD 6.6.4 to 6.7, however, I'm not clear on what changes there are to supported encryption algorithms for VPN connections.
Looking at the release notes:
Under Deprecated Features in FMC Version 6.7.0, VPN Features, it says support removed for less secure DH groups and hash algorithms, including:
Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.
Can anyone explain what this means?
Thanks
08-06-2021 09:04 AM - edited 08-06-2021 09:08 AM
It means those algorithms are no longer able to be used in VPN topologies, so if you are upgrading you'll need to migrate to supported algorithms.
Refer to the link below to determine what algorithms are supported.
You'll be able to use AES-GCM, AES-CBC for encryption, SHA1 or SHA2 for integrity/hashing and DH groups 14, 15, 16, 19, 20 or 21.
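An added example, not part of the posts in this thread: a pre-upgrade check that compares an inventory of VPN proposals with the algorithm lists quoted above. The inventory layout, the tunnel names, and the `audit`, `family` and `strong_crypto` names are assumptions made for illustration; the sample data is constructed.

```python
import re

# Allow-lists from the answer above (FMC/FTD 6.7).
SUPPORTED_ENCRYPTION = {"AES-GCM", "AES-CBC"}
SUPPORTED_INTEGRITY = {"SHA1", "SHA256", "SHA384", "SHA512"}  # SHA1 or SHA2 family
SUPPORTED_DH_GROUPS = {14, 15, 16, 19, 20, 21}
# Encryption families the quoted 6.7 release notes list as removed.
REMOVED_ENCRYPTION = {"DES", "3DES", "AES-GMAC"}

# Constructed sample inventory; names and field layout are hypothetical.
SAMPLE = [
    {"name": "hq-to-branch", "encryption": "3DES", "integrity": "SHA1", "dh_group": 5},
    {"name": "dc-to-cloud", "encryption": "AES-GCM-256", "integrity": "NULL", "dh_group": 19},
    {"name": "partner", "encryption": "AES-GMAC-192", "integrity": "SHA-256", "dh_group": 14},
    {"name": "legacy", "encryption": "AES-CBC-256", "integrity": "MD5", "dh_group": 14},
]


def family(name):
    """Upper-case a name and drop a trailing key size (AES-GCM-256 -> AES-GCM)."""
    return re.sub(r"-(128|192|256)$", "", name.strip().upper())


def audit(proposal, strong_crypto=True):
    """Return reasons the proposal must change before upgrading ([] means OK)."""
    findings = []
    enc = family(proposal["encryption"])
    # Users who do not satisfy export controls for strong encryption only have DES.
    allowed = SUPPORTED_ENCRYPTION if strong_crypto else {"DES"}
    if enc not in allowed:
        removed = strong_crypto and enc in REMOVED_ENCRYPTION
        why = "removed in 6.7" if removed else "not in the supported list"
        findings.append(f"encryption {proposal['encryption']}: {why}")
    integ = proposal["integrity"].strip().upper().replace("-", "")
    # AES-GCM is an AEAD cipher, so a NULL integrity setting is expected with it.
    aead_null = enc == "AES-GCM" and integ == "NULL"
    if integ not in SUPPORTED_INTEGRITY and not aead_null:
        findings.append(f"integrity {proposal['integrity']}: not in the supported list")
    if proposal["dh_group"] not in SUPPORTED_DH_GROUPS:
        findings.append(f"DH group {proposal['dh_group']}: not in the supported list")
    return findings


if __name__ == "__main__":
    for p in SAMPLE:
        print(p["name"], audit(p) or "OK")
```

Anything reported as "not in the supported list" should be checked against the release notes before the upgrade, since the check only knows the algorithms named in this thread.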
08-06-2021 10:13 AM
Thank you Rob!