IPSec Negotiation IKE Protocols

IOS and IOS-XE NGE Support Product Tech Note

Document ID: 116055

Updated: Jul 22, 2015

Contributed by Wen Zhang and Anthony Grieco, Cisco TAC Engineers.



This document describes Next Generation Encryption (NGE) support on Cisco IOS® and IOS-XE platforms.



Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco IOS, multiple versions as noted in the table
  • Cisco IOS-XE, multiple versions as noted in the table
  • Multiple Cisco platforms as noted in the table

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

NGE Algorithms

The algorithms that make up NGE are the result of more than 30 years of global advances and evolution in cryptography. Each component of NGE has its own history, which depicts the diverse history of the NGE algorithms and their longstanding academic and community review. NGE comprises globally created, globally reviewed, and publicly available algorithms.

NGE algorithms are integrated into Internet Engineering Task Force (IETF), IEEE, and other international standards. As a result, NGE algorithms have been applied to the most recent and highly-secure protocols that protect user data, such as Internet Key Exchange Version 2 (IKEv2).

Types of cryptographic algorithms include:

  • Symmetric encryption - 128-bit or 256-bit Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
  • Hash - Secure Hash Algorithm 2 (SHA-2): SHA-256, SHA-384, and SHA-512
  • Digital signatures - Elliptic Curve Digital Signature Algorithm (ECDSA)
  • Key agreement - Elliptic Curve Diffie-Hellman (ECDH)

NGE Support on IOS and IOS-XE Platforms

This table summarizes NGE support on Cisco IOS-based and IOS-XE-based platforms.

| Platforms | Crypto Engine Type | Supported by NGE | First Version of Cisco IOS/IOS-XE to Support NGE |
|---|---|---|---|
| All platforms that run IOS classic | IOS software crypto engine | Yes | 15.1(2)T |
| ISR G2 2951, 3925, 3945 | Onboard¹ | Yes | 15.1(3)T |
| ISR G2 (excludes 3925E/3945E) | VPN-ISM¹ | Yes | 15.2(1)T1 |
| ISR G2 1900, 2901, 2911, 2921, 2951, 3925, 3945, 3925E, 3945E | Onboard¹ | Yes | 15.2(4)M |
| ISR G2 CISCO87x | Software / Hardware | No | N/A |
| ISR G2 CISCO86x/C86x | Software² | Yes | 15.1(2)T |
| ISR G2 C812/C819 | Software / Hardware | Yes | Day 1 |
| ISR G2 C88x | Software / Hardware³ | Yes | 15.1(2)T |
| ISR G2 C88x | Software / Hardware⁴ | Yes | Day 1 |
| ASR 1000 | Onboard | Yes | Note 5 |
| ISR 4451-X | Onboard | Yes | IOS-XE 3.9 (15.3(2)S) |
| ISR 4321, 4331, 4351, 4431 | Onboard | Yes | IOS-XE 3.13 (15.4(3)S) |
| CSR 1000v | Software | Yes | IOS-XE 3.12 (15.4(2)S) |

Note 1: On ISR G2 platforms, if ECDH/ECDSA is configured, these cryptographic operations run in software irrespective of the crypto engine in use.

Note 2: ISR G2 CISCO86x/C86x does not have NGE support in the hardware crypto engine.

Note 3: ISR G2 CISCO88x/CISCO89x has hardware support for SHA-256 ONLY with Version 15.2(4)M3 or later.

Note 4: These C88x SKUs have no hardware support for NGE: C881SRST-K9, C881SRSTW-GN-A-K9, C881SRSTW-GN-E-K9, C881-CUBE-K9, C881-V-K9, C881G-U-K9, C881G-S-K9, C881G-V-K9, C881G-B-K9, C881G+7-K9, C881G+7-A-K9, C886SRST-K9, C886SRSTW-GN-E-K9, C886VA-CUBE-K9, C886VAG+7-K9, C887SRST-K9, C887SRSTW-GN-A-K9, C887SRSTW-GN-E-K9, C887VSRST-K9, C887VSRSTW-GNA-K9, C887VSRSTW-GNE-K9, C887VA-V-K9, C887VA-V-W-E-K9, C887VA-CUBE-K9, C887VAG-S-K9, C887VAG+7-K9, C887VAMG+7-K9, C888SRSTW-GN-A-K9, C888SRSTW-GN-E-K9, C888SRST-K9, C888ESRST-K9, C888ESRSTW-GNA-K9, C888ESRSTW-GNE-K9, C888-CUBE-K9, C888E-CUBE-K9, and C888EG+7-K9.

Note 5: Support for the NGE control plane (ECDH and ECDSA) was introduced in Version XE3.7 (15.2(4)S). Control plane SHA-2 support is for IKEv2 only, with IKEv1 support added in Version XE3.10 (15.3(3)S). Data plane support was added in Version XE3.8 (15.3(1)S) for Octeon-based platforms only (ASR1001-X, ASR1002-X, ESP-100, and ESP-200); data plane support is not available for other ASR platforms.
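As an added example (not configuration from this document or from Cisco), this is what selecting only the NGE algorithms listed earlier looks like in an IKEv2/IPsec tunnel configuration on a release that the table marks as NGE-capable: AES-256-GCM for both IKEv2 and ESP, SHA-384 as the IKEv2 PRF, ECDH group 19 for key agreement, and ECDSA certificate authentication. All object names ending in -EXAMPLE, the peer address 192.0.2.1, the tunnel addressing and the interface name are placeholders; the trustpoint is assumed to already hold an EC key pair and certificate, since ecdsa-sig authentication needs one.

```cisco
! Added example, not part of the Cisco tech note. Placeholders: names ending in
! -EXAMPLE, peer 192.0.2.1, tunnel addressing, GigabitEthernet0/0.

! IKEv2 proposal built only from NGE algorithms. AES-GCM is a combined-mode
! cipher, so no separate "integrity" line is configured; the PRF is SHA-384
! and the Diffie-Hellman group is ECDH over P-256 (group 19).
crypto ikev2 proposal NGE-PROPOSAL-EXAMPLE
 encryption aes-gcm-256
 prf sha384
 group 19

crypto ikev2 policy NGE-POLICY-EXAMPLE
 proposal NGE-PROPOSAL-EXAMPLE

! Peer authentication with ECDSA signatures; the trustpoint (placeholder name)
! must hold an EC key pair and certificate.
crypto ikev2 profile NGE-PROFILE-EXAMPLE
 match identity remote address 192.0.2.1 255.255.255.255
 identity local dn
 authentication local ecdsa-sig
 authentication remote ecdsa-sig
 pki trustpoint ECDSA-TRUSTPOINT-EXAMPLE

! IPsec data plane: ESP with AES-256-GCM.
crypto ipsec transform-set NGE-TS-EXAMPLE esp-gcm 256
 mode tunnel

crypto ipsec profile NGE-IPSEC-PROFILE-EXAMPLE
 set transform-set NGE-TS-EXAMPLE
 set ikev2-profile NGE-PROFILE-EXAMPLE

! Route-based VTI carrying the protected traffic (placeholder addressing).
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile NGE-IPSEC-PROFILE-EXAMPLE

! Verification once the tunnel is up: confirm the negotiated IKEv2 SA shows
! AES-GCM-256 / SHA384 / group 19 / ECDSA, that the IPsec SA uses esp-gcm,
! and which crypto engine is active on the platform.
! show crypto ikev2 sa detailed
! show crypto ipsec sa
! show crypto engine configuration
```

Two points from the table and notes apply when reading the verification output: on ISR G2 platforms the ECDH and ECDSA operations are performed in software whatever engine the device reports (Note 1), and on ASR 1000 the release must satisfy both the control plane and data plane thresholds in Note 5 before the ESP-GCM transform is offloaded. If a platform in the table lacks hardware support for a given algorithm, the configuration still commits and negotiates, but throughput is bounded by the software path.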

Other NGE Feature Support

GETVPN Support for NGE

  • Cisco IOS software support on ISR G2 platforms starts with Version 15.2(4)M.
  • ASR support starts with Cisco IOS-XE software, Version 3.10S (15.3(3)S).