Field Notice: FN – 72510 – Cisco IOS XE SW: Weak Cryptographic Algorithms Are Not Allowed by Default for IPsec Configuration in Cisco IOS XE Release 17.11.1 and Later – Configuration Change Recommended

Problem Description
In releases earlier than Cisco IOS® XE Release 17.11.1, weak crypto algorithms, including integrity, encryption, and Diffie-Hellman group algorithms, can be configured for IPsec protocol negotiation as well as data plane traffic protection.

In Cisco IOS XE Release 17.11.1 and later, weak crypto algorithms are no longer allowed by default due to their weak cryptographic properties. Cisco strongly recommends the use of stronger cryptographic algorithms in their place. In order to continue to use such weak algorithms, explicit configuration is required. Otherwise, IPsec tunnel negotiation will fail and cause service disruption as a result.
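
A pre-upgrade check along the following lines can flag IPsec configuration that would stop negotiating after the upgrade. This is an added example, not part of the field notice or any Cisco tooling. The weak-algorithm set (DES, 3DES, MD5, Diffie-Hellman groups 1, 2 and 5) and the sample configuration are assumptions constructed for illustration, because this page does not enumerate the affected algorithms.

```python
# Assumption: this page does not list the weak algorithms; these sets are
# illustrative and should be checked against the full field notice.
WEAK_ALGOS = {"des", "3des", "md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
IKE_SECTIONS = ("crypto ikev2 proposal", "crypto isakmp policy")
ALGO_KEYWORDS = ("encryption", "encr", "integrity", "hash")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
crypto ikev2 proposal LEGACY
 encryption 3des
 integrity md5
 group 2
crypto ikev2 proposal MODERN
 encryption aes-gcm-256
 prf sha384
 group 19
crypto isakmp policy 10
 encr aes 256
 hash sha256
 group 5
crypto ipsec transform-set TS-OLD esp-des esp-md5-hmac
crypto ipsec transform-set TS-NEW esp-aes 256 esp-sha256-hmac
"""

def find_weak_ipsec_crypto(config):
    """Return (line_no, section, algorithm) for each weak algorithm found."""
    findings = []
    section = ""
    for line_no, raw in enumerate(config.splitlines(), 1):
        words = raw.split()
        if not words:
            continue
        if not raw[0].isspace():
            section = raw.strip()  # a top-level command opens a new section
        in_ike = section.startswith(IKE_SECTIONS)
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            # Transform names look like esp-3des or esp-md5-hmac; skip the set name.
            weak = [w for w in words[4:] if WEAK_ALGOS & set(w.split("-"))]
        elif in_ike and words[0] in ALGO_KEYWORDS:
            weak = [w for w in words[1:] if w in WEAK_ALGOS]
        elif in_ike and words[0] == "group":
            weak = ["dh-group " + w for w in words[1:] if w in WEAK_DH_GROUPS]
        else:
            weak = []
        findings.extend((line_no, section, w) for w in weak)
    return findings

if __name__ == "__main__":
    for line_no, section, algo in find_weak_ipsec_crypto(SAMPLE_CONFIG):
        print(f"line {line_no}: {algo} in '{section}'")
```

The check covers IKEv2 proposals, ISAKMP policies and transform sets only; other places an algorithm can be selected are not parsed.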

This advisory can be found at the following link:
