Cisco 1711 VPN hardware module support for AES ???

Trying to enable AES encryption on a Cisco 1711 router running IOS 12.3(11)T3 which has a VPN hardware module.

The following message does not look promising:

    crypto isakmp policy 10
     encr aes
     ! Policy disabled because algorithm not supported by encryption hardware
     authentication pre-share
     group 2
     lifetime 120

    #sh ver | inc IOS
    Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version 12.3(11)T3, RELEASE SOFTWARE (fc4)

    #sh diag
    ...
    Slot 3:
            Virtual Private Network (VPN) Module Port adapter, 1 port
            Port adapter is analyzed
            Port adapter insertion time unknown
            EEPROM contents at hardware discovery:
            Hardware Revision        : 2.1
            Part Number              : 73-4586-02
            Board Revision           : C0
            Deviation Number         : 0-0
            Fab Version              : 03
            PCB Serial Number        : FOC084834QY
            RMA Test History         : 00
            RMA Number               : 0-0-0-0
            RMA History              : 00
            Product (FRU) Number     : MOD1700-VPN=
            EEPROM format version 4
            EEPROM contents (hex):
              0x00: 04 FF 40 01 79 41 02 01 82 49 11 EA 02 42 43 30
              0x10: 80 00 00 00 00 02 03 C1 8B 46 4F 43 30 38 34 38
              0x20: 33 34 51 59 03 00 81 00 00 00 00 04 00 FF FF FF
              0x30: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              0x40: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              0x50: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              0x60: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
              0x70: FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

Anyone using AES on a Cisco 1710 ?

Reply to
Merv
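As an added check (my own example, not code from the thread or from Cisco): a small Python audit that reads a running-config extract, finds ISAKMP policies that IOS has silently disabled with the banner quoted above, and reports which policies remain negotiable. The sample config is constructed, and the default attribute values and the built-in fallback policy are assumptions about IOS 12.x behaviour.

```python
import re

# Constructed show-run extract: the thread's policy 10 plus a 3DES policy for contrast.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 ! Policy disabled because algorithm not supported by encryption hardware
 authentication pre-share
 group 2
 lifetime 120
crypto isakmp policy 20
 encr 3des
 authentication pre-share
"""
DISABLED_MARK = "Policy disabled because algorithm not supported by encryption hardware"
# IOS omits attributes at their default from show run; defaults assumed per 12.x docs.
DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1", "lifetime": "86400"}

def parse_isakmp_policies(config):
    """Map each 'crypto isakmp policy N' block to its attributes plus a 'disabled' flag."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            current = dict(DEFAULTS, disabled=False)
            policies[int(head.group(1))] = current
        elif current is None or not raw.startswith(" "):
            current = None                       # an unindented line ends the block
        elif line.startswith("!"):               # IOS comment: the banner marks a dead policy
            current["disabled"] = current["disabled"] or DISABLED_MARK in line
        else:
            key, _, value = line.partition(" ")
            if key in DEFAULTS:
                current[key] = value
    return policies

def active_priorities(policies):
    """Priorities the router will actually offer, in negotiation order."""
    return [p for p in sorted(policies) if not policies[p]["disabled"]]

def audit(config):
    """One finding per silently disabled policy, plus a warning when none survive."""
    policies = parse_isakmp_policies(config)
    findings = [f"policy {p}: disabled by hardware, encr {policies[p]['encr']} not offered"
                for p in sorted(policies) if policies[p]["disabled"]]
    if not active_priorities(policies):
        findings.append("no configured policy active; only the built-in default "
                        "(des/sha/rsa-sig/group 1, assumed) remains")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against a saved `show running-config` to see which policies a peer can still match after the accelerator has vetoed the AES one.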

Had a similar issue with 1760 (which uses the same VPN accelerators I think) - the feature navigator only has 1 AES enabled encryption accelerator, and that only supports 1841 / 26xx / 28xx / 38xx boxes.

When we asked Cisco around a year back about AES and 1760 they would not make any commitments about hardware to support this.

If you can swap hardware you might want to look at 1841 instead - I think that also has AES support for the onboard encryption chip, so you may not need an AIM depending on the throughput you need.

Reply to
stephen

I can get AES to run on two 1841 and a 2811, but no joy with the 1711

Reply to
Merv

~ I can get AES to run on two 1841 and a 2811, but no joy with the 1711

There is no hardware support for AES on the 1700s, but AES in SW has been tested and should work OK. Expect pps performance in the 3-figures range. In fact you can see an example that was done with 1721s at

formatting link
Cheers,

Aaron

Reply to
Aaron Leonard

Does that mean that I have to remove the VPN module from the 1711 in order to use AES software-based encryption ???

Reply to
Merv

Or is there any way to disable the 1711 VPN hardware encryption via IOS configuration ???

Reply to
Merv

Disabling Hardware Encryption

If your Cisco 1700 series router is equipped with an optional Virtual Private Network (VPN) module, it provides hardware 3DES encryption by default. If you wish, you can disable the VPN module and use Cisco IOS software encryption/decryption instead.

The command that disables the VPN module is as follows:

no crypto engine accelerator

The command is executed in configuration mode. The following is an example of its use:

    Router(config)#no crypto engine accelerator
    Warning! all current connections will be torn down.
    Do you want to continue? [yes/no]: yes
    .
    Crypto accelerator in slot 0 disabled
    .
    switching to IPsec crypto engine

After this command is executed, the following procedure must be performed to bring up all encryption tunnels appropriately.

Reply to
Merv

Merv wrote: [snip]

Watch your CPU as IPSec takes a toll on the router w/o the AIM card. Also, reboot it a few times to make sure the above command doesn't disappear dynamically (due to a bug).

Reply to
Hansang Bae

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.