
Supported encryption in FTD 6.7.0

MauryJ
Level 1

We are planning to upgrade from FMC & FTD 6.6.4 to 6.7, however, I'm not clear on what changes there are to supported encryption algorithms for VPN connections.

 

Looking at the release notes:

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

 

Under Deprecated Features in FMC Version 6.7.0, VPN Features, it says support removed for less secure DH groups and hash algorithms, including:

 

  • Encryption algorithms for users who satisfy export controls for strong encryption: DES, 3DES, AES-GMAC, AES-GMAC-192, AES-GMAC-256. DES continues to be supported (and is the only option) for users who do not satisfy export controls.

Can anyone explain what this means?

 

Thanks

2 Replies

@MauryJ 

It means those algorithms are no longer able to be used in VPN topologies, so if you are upgrading you'll need to migrate to supported algorithms.

 

Refer to the link below to determine what algorithms are supported

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/vpn_overview.html

 

You'll be able to use AES-GCM, AES-CBC for encryption, SHA1 or SHA2 for integrity/hashing and DH groups 14, 15, 16, 19, 20 or 21.
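As an added illustration (not part of this thread or of any Cisco tooling), a small Python pre-upgrade check that scans a crypto configuration export for the encryption algorithms the 6.7 release notes remove and for integrity algorithms and DH groups outside the supported set the reply lists. The configuration sample is constructed in ASA/FTD-style syntax and the line layout is an assumption; adjust the parsing to your own `show running-config crypto` output.

```python
from typing import List

# Encryption algorithms the 6.7 release notes list as removed (quoted in the question above).
DEPRECATED_ENCRYPTION = {"des", "3des", "aes-gmac", "aes-gmac-192", "aes-gmac-256"}
# Still supported per the reply: AES-GCM/AES-CBC, SHA1/SHA2, DH groups 14, 15, 16, 19, 20, 21.
SUPPORTED_DH_GROUPS = {14, 15, 16, 19, 20, 21}
SUPPORTED_INTEGRITY_PREFIX = "sha"  # sha (SHA1), sha256, sha384, sha512

# Constructed sample; the ASA-style "crypto ikev2 ..." layout is an assumption, not FTD output.
SAMPLE_CONFIG = """\
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
crypto ikev2 policy 20
 encryption 3des
 integrity sha
 group 5
crypto ipsec ikev2 ipsec-proposal LEGACY
 protocol esp encryption des
 protocol esp integrity md5
crypto ipsec ikev2 ipsec-proposal AESGCM
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
"""


def audit_crypto_config(config: str) -> List[str]:
    """Return one finding per setting that would no longer be accepted after the upgrade."""
    findings = []
    block = "unknown"
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0].lower() == "crypto":
            block = " ".join(parts[-2:])  # e.g. "policy 20" or "ipsec-proposal LEGACY"
            continue
        if len(parts) < 2:
            continue
        key, value = parts[-2].lower(), parts[-1].lower()
        if key == "encryption" and value in DEPRECATED_ENCRYPTION:
            findings.append(f"{block}: encryption {value} removed in 6.7; migrate to AES-GCM or AES-CBC")
        # AEAD (GCM) proposals carry no separate integrity algorithm, hence "null" is left alone.
        elif key == "integrity" and value != "null" and not value.startswith(SUPPORTED_INTEGRITY_PREFIX):
            findings.append(f"{block}: integrity {value} not in the supported SHA1/SHA2 set")
        elif key == "group" and value.isdigit() and int(value) not in SUPPORTED_DH_GROUPS:
            findings.append(f"{block}: DH group {value} not in supported groups {sorted(SUPPORTED_DH_GROUPS)}")
    return findings


if __name__ == "__main__":
    for finding in audit_crypto_config(SAMPLE_CONFIG):
        print(finding)
```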

 

Thank you Rob!