Field Notice: FN - 72510 - Cisco IOS XE SW: Weak Cryptographic Algorithms Are Not Allowed by Default for IPsec Configuration in Cisco IOS XE Release 17.11.1 and Later - Configuration Change Recommended

Available Languages

Updated:April 11, 2023

Document ID:FN72510

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Notice

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision	Publish Date	Comments
1.2	10-Apr-23	Updated the Problem Description and Problem Symptom Sections
1.1	15-Mar-23	Updated the Workaround/Solution Section
1.0	07-Mar-23	Initial Release

Products Affected

Affected OS Type	Affected Software Product	Affected Release	Affected Release Number	Comments
NON-IOS	IOSXE	17	17.11.1, 17.11.1a

Defect Information

Defect ID	Headline
CSCwc72588	Router should not allow weak cryptographic algorithms to be configured for IPsec

Problem Description

In releases earlier than Cisco IOS^® XE Release 17.11.1, weak crypto algorithms, including integrity, encryption, and Diffie-Hellman group algorithms, can be configured for IPsec protocol negotiation as well as data plane traffic protection.

In Cisco IOS XE Release 17.11.1 and later, weak crypto algorithms are no longer allowed by default due to their weak cryptographic properties. Cisco strongly recommends the use of stronger cryptographic algorithms in their place. In order to continue to use such weak algorithms, explicit configuration is required. Otherwise, IPsec tunnel negotiation will fail and cause service disruption as a result.

This table lists the IPsec configuration components and algorithms affected by this change:

IPsec Configuration	Command	Keyword Deprecated
IKEv1 Policy	crypto isakmp policy priority	encryption {des \| 3des} hash md5 group {1 \| 2 \| 5}
IKEv2 Proposal	crypto ikev2 proposal name	encryption {des \| 3des} integrity md5 group {1 \| 2 \| 5}
IPsec Transform-set	crypto ipsec transform-set name	ah-md5-hmac esp-gmac esp-des esp-3des esp-null esp-md5-hmac
IPsec Profile	crypto ipsec profile name	set pfs {group1 \| group2 \| group5}

This field notice affects these routing platforms that run Cisco IOS XE software: 1000 Series Aggregation Services Routers (ASR 1000), 4000 Series Integrated Services Routers (ISR 4000), Catalyst 8000 Series, and 1100 Integrated Services Routers (ISR 1100).

Background

In Cisco IOS XE Release Benaluru 17.6.1 and later, configuration of the IPsec protocol with a weak crypto algorithm generates a warning as shown in this example:

Device(config)#crypto isakmp policy 10

Device(config-isakmp)#encryption des

%Warning: weaker encryption algorithm is deprecated

However, the command is accepted and the weak algorithm can still be used for protocol negotiation for IPsec.

In Cisco IOS XE Release 17.11.1 and later, such weak crypto algorithms will be rejected by default and require explicit configuration to be allowed.

Problem Symptom

If the IPsec configuration is not updated to use strong cryptographic algorithms prior to the Cisco IOS XE Release 17.11.1 software upgrade, IPsec tunnel negotiation will fail and cause service disruption as a result.

Workaround/Solution

Recommended Solution

Update the configuration to use strong cryptographic algorithms for IPsec.

Workaround (Not Recommended)

Enter this configuration command for IPsec in order to continue to function with the weak algorithms after an upgrade to Cisco IOS XE Release 17.11.1:

Device(config)#crypto engine compliance shield disable

Note: This command is only available in Cisco IOS XE Release 17.7.1 and later and will only take effect after a reboot. Cisco does NOT recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

My Notifications—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

Feedback

Contact Cisco

Open a Support Case
(Requires a Cisco Service Contract)