CASA-VN-000230 - The Cisco ASA must be configured to use FIPS-validated SHA-2 at 384 bits or higher for Internet Key Exchange (IKE) Phase 1 - IKE Phase 1.


Without cryptographic integrity protections, information can be altered by unauthorized users without detection.

Although allowed by SP800-131Ar2 for some applications, SHA-1 is considered a compromised hashing standard and is being phased out of use by industry and government standards. Unless required for legacy use, DOD systems should not be configured to use SHA-2 for integrity of remote access sessions.


Configure the ASA to use FIPS-validated SHA-2 at 384 bits or higher for IKE Phase 1 as shown in the example below.

ASA2(config)# crypto ikev2 policy 1
ASA2(config-ikev2-policy)# integrity sha384

See Also

Item Details


References: 800-53|IA-7, CAT|II, CCI|CCI-000803, Rule-ID|SV-239958r916134_rule, STIG-ID|CASA-VN-000230, Vuln-ID|V-239958

Plugin: Cisco

Control ID: fb450166d5c0011d96f258a2530c9e5dfc3e89c0ef01a9319cdc2d837762ecf0