Cisco ASA Series Cli Configuration Manual page 84

Software version 9.0 for the services module
New Features
Table 1-5
New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)
Cisco ASA Series CLI Configuration Guide, page 1-22

Feature: Next Generation Encryption

Description:
The National Security Agency (NSA) specified a set of cryptographic algorithms that devices must support to meet U.S. federal standards for cryptographic strength; RFC 6379 defines the Suite B cryptographic suites for IPsec. Because the collective set of algorithms defined as NSA Suite B is becoming a standard, the AnyConnect IPsec VPN (IKEv2 only) and public key infrastructure (PKI) subsystems now support them. Next generation encryption (NGE) is a larger superset of Suite B that adds cryptographic algorithms for IPsecV3 VPN, Diffie-Hellman groups 14 and 24 for IKEv2, and RSA certificates with 4096-bit keys for DTLS and IKEv2.
The following functionality is added to the ASA to support the Suite B algorithms:

- AES-GCM/GMAC support (128-, 192-, and 256-bit keys)
  - IKEv2 payload encryption and authentication
  - ESP packet encryption and authentication
  - Hardware acceleration supported only on multi-core platforms
- SHA-2 support (256-, 384-, and 512-bit hashes)
  - ESP packet authentication
  - Hardware and software implementations supported only on multi-core platforms
- ECDH support (groups 19, 20, and 21)
  - IKEv2 key exchange
  - IKEv2 PFS
  - Software implementation only; supported on single- or multi-core platforms
- ECDSA support (256-, 384-, and 521-bit elliptic curves)
  - IKEv2 user authentication
  - PKI certificate enrollment
  - PKI certificate generation and verification
  - Software implementation only; supported on single- or multi-core platforms

New cryptographic algorithms are added for IPsecV3.
Note: Suite B algorithm support requires an AnyConnect Premium license for IKEv2 remote access connections, but Suite B usage for other connections or purposes (such as PKI) has no limitations. IPsecV3 has no licensing restrictions.
We introduced or modified the following commands: crypto ikev2 policy, crypto ipsec ikev2 ipsec-proposal, crypto key generate, crypto key zeroize, show crypto key mypubkey, show vpn-sessiondb.
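The following is an added configuration example, not text or configuration from this guide, showing how the commands above are used to put the Suite B algorithms into service on an ASA running 9.0(1). It places a legacy IKEv2 policy beside a Suite B policy so the difference is visible, and binds an ECDSA key pair to a trustpoint for IKEv2 authentication. The policy numbers, the proposal name SUITEB-GCM, the key label SUITEB-KEY, the trustpoint name SUITEB-CA, and the interface name "outside" are assumptions chosen for the example.

```cisco
! Added example, not from the Cisco guide. Names, priorities, and the
! interface "outside" are assumptions.

! Legacy policy for comparison: 3DES, SHA-1 and DH group 2 sit well below
! Suite B strength. A higher policy number means lower preference, so this
! is offered only as a fallback; delete it once every peer supports NGE.
crypto ikev2 policy 100
 encryption 3des
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

! Suite B policy (policy 1 is preferred over policy 100). AES-GCM is an
! AEAD cipher, so the IKEv2 integrity algorithm must be null; the PRF still
! needs a SHA-2 hash. Groups 19/20/21 are the ECDH curves; group 14 is the
! 2048-bit MODP group that NGE adds for non-ECC peers.
crypto ikev2 policy 1
 encryption aes-gcm-256 aes-gcm-192 aes-gcm
 integrity null
 group 21 20 19 14
 prf sha512 sha384 sha256
 lifetime seconds 86400

crypto ikev2 enable outside

! ESP proposal: AES-GCM supplies both confidentiality and integrity, so the
! ESP integrity algorithm is also null. This proposal is then referenced
! from a crypto map or dynamic crypto map (not shown).
crypto ipsec ikev2 ipsec-proposal SUITEB-GCM
 protocol esp encryption aes-gcm-256 aes-gcm-192 aes-gcm
 protocol esp integrity null

! ECDSA P-384 key pair for IKEv2 authentication and PKI enrollment, bound
! to a trustpoint. Use elliptic-curve 256 or 521 for the other Suite B sizes.
crypto key generate ecdsa label SUITEB-KEY elliptic-curve 384
crypto ca trustpoint SUITEB-CA
 keypair SUITEB-KEY
 enrollment terminal

! Verification: confirm the key exists, then confirm an established tunnel
! actually negotiated AES-GCM / SHA-2 / an ECDH group rather than the
! fallback policy. Remote-access IKEv2 with Suite B also needs the
! AnyConnect Premium license noted above.
! show crypto key mypubkey ecdsa
! show crypto ikev2 sa detail
! show vpn-sessiondb detail

! Retirement: wipe the private key when the trustpoint is decommissioned.
! crypto key zeroize ecdsa label SUITEB-KEY
```

Ordering matters: the ASA offers policies to the peer in ascending priority-number order, so if the legacy policy were numbered below the Suite B policy a Suite B-capable peer could still end up on 3DES. Checking `show crypto ikev2 sa detail` after the first connection is the quickest way to catch that mistake.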
We introduced or modified the following screens:
- Monitor > VPN > Sessions
- Monitor > VPN > Encryption Statistics
- Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates
- Configuration > Site-to-Site VPN > Advanced > System Options
- Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps
Chapter 1
Introduction to the Cisco ASA