Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Introduction to the Cisco ASA
  New Features
Next Generation Encryption
The National Standards Association (NSA) specified a set of cryptographic 
algorithms that devices must support to meet U.S. federal standards for 
cryptographic strength. RFC 6379 defines the Suite B cryptographic suites. 
Because the collective set of algorithms defined as NSA Suite B is becoming 
a standard, the AnyConnect IPsec VPN (IKEv2 only) and public key 
infrastructure (PKI) subsystems now support them. Next generation 
encryption (NGE) is a larger superset of this set that adds cryptographic 
algorithms for IPsec V3 VPN, Diffie-Hellman Groups 14 and 24 for IKEv2, 
and RSA certificates with 4096-bit keys for DTLS and IKEv2.
The following functionality is added to ASA to support the Suite B algorithms:
• AES-GCM/GMAC support (128-, 192-, and 256-bit keys)
  – IKEv2 payload encryption and authentication
  – ESP packet encryption and authentication
  – Hardware supported only on multi-core platforms
• SHA-2 support (256-, 384-, and 512-bit hashes)
  – ESP packet authentication
  – Hardware and software supported only on multi-core platforms
• ECDH support (groups 19, 20, and 21)
  – IKEv2 key exchange
  – IKEv2 PFS
  – Software only supported on single- or multi-core platforms
• ECDSA support (256-, 384-, and 521-bit elliptic curves)
  – IKEv2 user authentication
  – PKI certificate enrollment
  – PKI certificate generation and verification
  – Software only supported on single- or multi-core platforms
New cryptographic algorithms are added for IPsecV3.
Note: Suite B algorithm support requires an AnyConnect Premium license 
for IKEv2 remote access connections, but Suite B usage for other 
connections or purposes (such as PKI) has no limitations. IPsecV3 has 
no licensing restrictions.
We introduced or modified the following commands: crypto ikev2 policy, 
crypto ipsec ikev2 ipsec-proposal, crypto key generate, crypto key zeroize, 
show crypto key mypubkey, show vpn-sessiondb.
We introduced or modified the following screens:
Monitor > VPN > Sessions
Monitor > VPN > Encryption Statistics
Configuration > Site-to-Site VPN > Certificate Management > Identity Certificates
Configuration > Site-to-Site VPN > Advanced > System Options
Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPsec > Crypto Maps
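The following is an added example, not part of the Cisco guide: a small Python audit that reads the `crypto ikev2 policy` blocks of a saved configuration and reports encryption and key-exchange values outside the Suite B list above. The function names, the sample configuration, and the keyword spellings `aes-gcm`, `aes-gcm-192`, and `aes-gcm-256` are assumptions of this example.

```python
import re

# From the feature list above: AES-GCM for IKEv2 payload encryption, ECDH groups
# 19-21 for key exchange, DH groups 14/24 as NGE additions. Keywords are assumed.
SUITE_B_ENC = {"aes-gcm", "aes-gcm-192", "aes-gcm-256"}
SUITE_B_GROUPS = {"19", "20", "21"}
NGE_GROUPS = {"14", "24"}

def parse_ikev2_policies(config):
    """Map policy priority -> {"encryption": [...], "group": [...]}."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"crypto ikev2 policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(
                int(header.group(1)), {"encryption": [], "group": []})
        elif current is not None and line.startswith(" "):
            key, *values = line.split() or [""]
            if key in current:  # one line may list several values
                current[key].extend(values)
        else:
            current = None  # an unindented line ends the policy block
    return policies

def audit(config):
    """Return (priority, finding) tuples for values outside Suite B."""
    findings = []
    for prio, policy in sorted(parse_ikev2_policies(config).items()):
        for enc in policy["encryption"]:
            if enc not in SUITE_B_ENC:
                findings.append((prio, f"encryption {enc}: not AES-GCM"))
        for grp in policy["group"]:
            if grp in NGE_GROUPS:
                findings.append((prio, f"group {grp}: NGE DH, not Suite B ECDH"))
            elif grp not in SUITE_B_GROUPS:
                findings.append((prio, f"group {grp}: not group 19, 20, or 21"))
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
crypto ikev2 policy 10
 encryption aes-gcm-256
 integrity null
 group 20
crypto ikev2 policy 20
 encryption aes-256 3des
 group 14 2
crypto ikev2 enable outside
"""
```

Calling `audit(SAMPLE)` returns four findings, all for policy 20; policy 10 passes because it uses only AES-GCM and ECDH group 20.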
Table 1-5 New Features for ASA Version 9.0(1)/ASDM Version 7.0(1) (continued)
Feature Description