Field Notice: FN72510 - Cisco IOS XE Software: Weak Cryptographic Algorithms Are Not Allowed by Default for IPsec Configuration in Certain Cisco IOS XE Software Releases - Configuration Change Recommended
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Router should not allow weak cryptographic algorithms to be configured for IPsec
In releases earlier than the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, weak crypto algorithms, including integrity, encryption, and Diffie-Hellman group algorithms, can be configured for IPsec protocol negotiation as well as data plane traffic protection.
In the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, weak crypto algorithms are no longer allowed by default due to their weak cryptographic properties. Cisco strongly recommends the use of stronger cryptographic algorithms in their place. To continue to use such weak algorithms, explicit configuration is required. Otherwise, IPsec tunnel negotiation will fail and cause service disruption as a result.
The following table lists the IPsec configuration components and algorithms that are affected by this change:
In Cisco IOS XE Software releases Bengaluru 17.6.1 and later, configuration of the IPsec protocol with a weak crypto algorithm generates a warning as shown in this example:
Device(config)#crypto isakmp policy 10
%Warning: weaker encryption algorithm is deprecated
However, the command is accepted and the weak algorithm can still be used for protocol negotiation for IPsec.
In the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, such weak crypto algorithms will be rejected by default and require explicit configuration to be allowed.
If the IPsec configuration is not updated to use strong cryptographic algorithms before upgrading to one of the Cisco IOS XE Software releases that is listed in the table in the Workaround/Solution section of this field notice, IPsec tunnel negotiation will fail, resulting in service disruption.
Update the configuration to use strong cryptographic algorithms for IPsec.
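As an added illustration, not part of this field notice and not a Cisco tool, the following constructed Python audit walks a saved running-config and lists the ISAKMP policies, IKEv2 proposals and IPsec transform sets that would be rejected after the upgrade, so they can be corrected before the upgrade rather than discovered through failed tunnel negotiation. The weak-algorithm set, the transform names and the implicit ISAKMP policy defaults it checks are assumptions of this example; the table in this field notice is the authoritative list.

```python
"""Constructed pre-upgrade audit for weak IKE/IPsec algorithms (not Cisco tooling; weak set assumed)."""
import re
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "integrity": {"md5"},
        "group": {"1", "2", "5"}}                  # assumed weak algorithms
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac", "ah-md5-hmac"}
# Values an ISAKMP policy silently takes when the keyword is absent (assumed, classic IOS).
ISAKMP_DEFAULTS = {"encryption": "des", "group": "1"}

def audit_config(config):
    """Return [(block, setting, reason)] for every weak algorithm in use."""
    findings, block, seen = [], None, {}
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line[0].isspace():                  # top-level command: new block
            block = line.strip()
            if block.startswith(("crypto isakmp policy", "crypto ikev2 proposal")):
                seen.setdefault(block, set())      # register even if it has no lines
            m = re.match(r"crypto ipsec transform-set \S+ (.+)", block)
            for t in (m.group(1).split() if m else []):
                if t in WEAK_TRANSFORMS:
                    findings.append((block, t, "weak IPsec transform"))
            continue
        if block not in seen:                      # sub-command of some other block
            continue
        kw, *args = line.split()
        kw = "encryption" if kw == "encr" else kw  # show run abbreviates the keyword
        seen[block].add(kw)
        if WEAK.get(kw, set()) & set(args):        # IKEv2 lines may list several values
            findings.append((block, line.strip(), f"weak {kw}"))
    for blk, kws in seen.items():                  # catch implicit ISAKMP defaults
        if blk.startswith("crypto isakmp policy"):
            for kw, dflt in ISAKMP_DEFAULTS.items():
                if kw not in kws:
                    findings.append((blk, f"{kw} {dflt} (default)", f"weak {kw}"))
    return findings
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encryption des
 hash md5
 group 2
crypto isakmp policy 20
 group 14
crypto ikev2 proposal LEGACY
 encryption aes-cbc-256 3des
 integrity sha256 md5
 group 14 2
crypto ipsec transform-set OLD esp-3des esp-md5-hmac
"""
```

Run `audit_config` over the text of `show running-config`; policy 20 in the constructed sample is flagged even though it names no weak algorithm, because omitting `encryption` leaves the assumed DES default in force.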
Workaround (Not Recommended)
Enter the following configuration command for IPsec to continue to function with the weak algorithms after upgrading to one of the Cisco IOS XE Software releases that is listed in the table below:
Note: This command is only available in Cisco IOS XE Software releases 17.7.1 and later and will only take effect after a reboot. Cisco does not recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort.
Affected Cisco IOS XE Software Release
ASR1000 series
ISR4000 series
ISR1100 series
Catalyst 8000 series