Deprecated IPSec/IKEv2 Algorithms Support

Feature Summary and Revision History

Summary Data

Applicable Product(s) or Functional Area

All products using IKEv2 for IPsec

Applicable Platform(s)

  • ASR 5500

  • VPC-DI

  • VPC-SI

Feature Default

Enabled - Always-on

Related Changes in This Release

Not applicable

Related Documentation

  • Command Line Interface Reference

  • ePDG Administration Guide

Revision History

Revision Details: First introduced.

Release: 21.12

Feature Changes

Support for deprecated algorithms is removed from the IPSec/IKEv2 transform set.

Previous Behavior: The following algorithms are supported under the IPSec/IKEv2 transform set:

  • AES-GCM-128 and 64 bit ICV

  • AES-GCM-128 and 96 bit ICV

  • DH Group 5

New Behavior: Support for the following algorithms is removed from the IPSec/IKEv2 transform set because they are deprecated:

  • AES-GCM-128 and 64 bit ICV

  • AES-GCM-128 and 96 bit ICV

  • DH Group 5


Important

Algorithm support changes are applicable only to the trusted builds.


The following security supplement certificate signing schemes are deprecated for the trusted builds:

  • MD2WithRSAEncryption

  • MD4WithRSAEncryption

  • MD5WithRSAEncryption

  • RIPEMD128WithRSAEncryption

  • RIPEMD160WithRSAEncryption

  • RIPEMD256WithRSAEncryption

Command Changes

This section describes the CLI commands used to configure the minimum certificate key size.

crypto template min-key-size

Use the following configuration to set the minimum key size for a crypto template.

configure  
   context context_name  
      crypto template crypto_template_name ikev2-dynamic 
      authentication min-key-size min_key_size 
      [ default | no ] authentication min-key-size  
      end 

NOTES:

  • authentication min-key-size min_key_size : Sets the minimum certificate key size. min_key_size must be an integer from 255 to 8192.

  • default : Sets the default key size. The default is 255.

  • no : Disables the minimum key size validation feature.

crypto map min-key-size

Use the following configuration to set the minimum key size for a crypto map.

configure  
   context context_name  
      crypto map crypto_map_name [ ikev2-ipv4 | ikev2-ipv6 ]
      authentication min-key-size min_key_size 
      [ default | no ] authentication min-key-size 
      end 

NOTES:

  • authentication min-key-size min_key_size : Sets the minimum certificate key size. min_key_size must be an integer from 255 to 8192.

  • default : Sets the default key size. The default is 255.

  • no : Disables the minimum key size validation feature.
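
An added example, not part of the original document or the product: a Python audit of a configuration excerpt for the two authentication min-key-size commands above (crypto template and crypto map). It flags entries where validation is disabled, left at the documented default of 255, or set below a site policy. The 2048 threshold, the sample configuration and every name in it are assumptions.

```python
import re

POLICY_MIN_BITS = 2048   # assumed site policy, not a value from the page
DEFAULT_BITS = 255       # documented default for min-key-size

# Constructed excerpt laid out like the syntax blocks above, not a complete
# saved configuration; the context, template and map names are made up.
SAMPLE_CONFIG = """\
configure
   context ipsec-ctx
      crypto template tmpl-a ikev2-dynamic
      authentication min-key-size 2048
      crypto template tmpl-b ikev2-dynamic
      no authentication min-key-size
      crypto map map-v4 ikev2-ipv4
      authentication min-key-size 1024
      crypto map map-v6 ikev2-ipv6
      end
"""

HEADER = re.compile(r"^crypto (template|map) (\S+)")
SETTING = re.compile(r"^(no |default )?authentication min-key-size(?: (\d+))?$")

def classify(bits, policy_min, implicit=False):
    if bits >= policy_min:
        return ("OK", bits)
    return ("DEFAULT_TOO_LOW" if implicit else "BELOW_POLICY", bits)

def audit(config, policy_min=POLICY_MIN_BITS):
    """Map (kind, name) -> (status, effective minimum) per crypto template/map."""
    results, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        header = HEADER.match(line)
        setting = SETTING.match(line)
        if header:
            current = header.groups()
            # Until an explicit command is seen, the documented default applies.
            results[current] = classify(DEFAULT_BITS, policy_min, implicit=True)
        elif line.split(" ")[0] in ("context", "end"):
            current = None  # left the template/map being tracked
        elif setting and current:
            prefix, value = setting.groups()
            if prefix == "no ":
                results[current] = ("VALIDATION_DISABLED", None)
            elif prefix == "default " or value is None:
                results[current] = classify(DEFAULT_BITS, policy_min, implicit=True)
            else:
                results[current] = classify(int(value), policy_min)
    return results

if __name__ == "__main__":
    for (kind, name), (status, bits) in audit(SAMPLE_CONFIG).items():
        print(f"crypto {kind} {name}: {status} (min-key-size={bits})")
```

An entry with no min-key-size line is reported the same way as an explicit default, because in both cases the effective minimum is 255.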