Field Notice: FN72510 - Cisco IOS XE Software: Weak Cryptographic Algorithms Are Not Allowed by Default for IPsec Configuration in Certain Cisco IOS XE Software Releases - Configuration Change Recommended
Available Languages
Notice
THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.
Products Affected
| Affected Software Product | Affected Release | Affected Release Number | Comments |
|---|---|---|---|
| IOS XE Software | 17 | 17.11.1, 17.11.1a, 17.12.1, 17.13.1, 17.14.1, 17.15.1 |
Defect Information
| Defect ID | Headline |
| CSCwc72588 | Router should not allow weak cryptographic algorithms to be configured for IPsec |
Problem Description
In releases earlier than the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, weak crypto algorithms, including integrity, encryption, and Diffie-Hellman group algorithms, can be configured for IPsec protocol negotiation as well as data plane traffic protection.
In the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, weak crypto algorithms are no longer allowed by default due to their weak cryptographic properties. Cisco strongly recommends the use of stronger cryptographic algorithms in their place. To continue to use such weak algorithms, explicit configuration is required. Otherwise, IPsec tunnel negotiation will fail and cause service disruption as a result.
The following table lists the IPsec configuration components and algorithms that are affected by this change:
| IPsec Configuration | Command | Keyword Deprecated |
|---|---|---|
| IKEv1 Policy | crypto isakmp policy priority | encryption {des | 3des} hash md5 group {1 | 2 | 5} |
| IKEv2 Proposal | crypto ikev2 proposal name | encryption {des | 3des} integrity md5 group {1 | 2 | 5 | 24} |
| IPsec Transform-set | crypto ipsec transform-set name | ah-md5-hmac esp-gmac esp-des esp-3des esp-null esp-md5-hmac |
| IPsec Profile | crypto ipsec profile name | set pfs {group1 | group2 | group5 | group24} |
Background
In Cisco IOS XE Software releases Benaluru 17.6.1 and later, configuration of the IPsec protocol with a weak crypto algorithm generates a warning as shown in this example:
Device(config)#crypto isakmp policy 10
Device(config-isakmp)#encryption des
%Warning: weaker encryption algorithm is deprecated
However, the command is accepted and the weak algorithm can still be used for protocol negotiation for IPsec.
In the Cisco IOS XE Software releases that are listed in the table in the Workaround/Solution section of this field notice, such weak crypto algorithms will be rejected by default and require explicit configuration to be allowed.
Problem Symptom
If the IPsec configuration is not updated to use strong cryptographic algorithms before upgrading to one of the Cisco IOS XE Software releases that is listed in the table in the Workaround/Solution section of this field notice, IPsec tunnel negotiation will fail, resulting in service disruption.
Workaround/Solution
Solution (Recommended)
Update the configuration to use strong cryptographic algorithms for IPsec.
Workaround (Not Recommended)
Enter the following configuration command for IPsec to continue to function with the weak algorithms after upgrading to one of the Cisco IOS XE Software releases that is listed in the table below:
Device(config)#crypto engine compliance shield disable
Note: This command is only available in Cisco IOS XE Software releases 17.7.1 and later and will only take effect after a reboot. Cisco does not recommend this option as these weak cryptographic algorithms are insecure and do not provide adequate protection from modern threats. This command should only be used as a last resort.
| Technology | Cisco Product | Affected Cisco IOS XE Software Release |
|---|---|---|
| Enterprise Routing | ASR1000 series ISR4000 series ISR1100 series Catalyst 8000 series |
17.11.1a and later |
| Wireless | Catalyst 9800 Series Wireless Controller Catalyst CG418-E Cellular Gateway Catalyst CG522-E Cellular Gateway Catalyst 9115AX Access Points (APs) Catalyst 9117AX APs Catalyst 9120AX APs Catalyst 9130AX APs |
17.13.1 and later |
| SP Access | ASR920 ASR903 NCS520 NCS4200 |
17.12.1 and later |
| Switching | Catalyst 9200 Series Catalyst 9300 Series Catalyst 9400 Series Catalyst 9500 Series |
17.15.1 and later |
| IoT Routing | IR1101 IR8140H IR1800 Series IR8340 ESR6300 |
17.14.1 and later |
Revision History
| Version | Description | Section | Date |
| 1.4 | Updated affected releases. | Problem Description, Background, Problem Symptom, Workaround/Solution | 2024-JAN-10 |
| 1.3 | Updated the table in Problem Description to include group 24 under IKEv2 Proposal. | Problem Description | 2023-NOV-21 |
| 1.2 | Updated the Problem Description and Problem Symptom Sections. | — | 2023-APR-10 |
| 1.1 | Updated the Workaround/Solution Section. | — | 2023-MAR-15 |
| 1.0 | Initial Release | — | 2023-MAR-07 |
For More Information
For further assistance or for more information about this field notice, contact the Cisco Technical Assistance Center (TAC) using one of the following methods:
Receive Email Notification About New Field Notices
To receive email updates about Field Notices (reliability and safety issues), Security Advisories (network security issues), and end-of-life announcements for specific Cisco products, set up a profile in My Notifications
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)
This Document Applies to These Products
- 1100 Integrated Services Router
- 1100 Terminal Services Gateway
- 4221 Integrated Services Router
- 4321 Integrated Services Router
- 4331 Integrated Services Router
- 4351 Integrated Services Router
- 4431 Integrated Services Router
- 4451-X Integrated Services Router
- 4461 Integrated Services Router
- ASR 1000 Series IOS XE SD-WAN
- CSR 1000V Series IOS XE SD-WAN
- Catalyst 1101 Rugged Router
- Catalyst 8000V Edge Software
- Catalyst 8300 Edge Platform
- Catalyst 9606R Switch
- Catalyst 9800-CL Wireless Controller for Cloud
- ESR6300 Embedded Series Router
- ISR 1000 Series IOS XE SD-WAN
- ISR 4000 Series IOS XE SD-WAN
- Integrated Services Virtual Router
- Network Convergence System 520
Unleash the Power of TAC's Virtual Assistance