Cisco VPN AIM: is it really needed for me?

Hello

According to this document:

[link]

I have two networks:

SITE A:

C2650 32F/128D, IOS 12.4(17a) ADV SECURITY
network link 1: SHDSL (WIC-SHDSL), 4096/4096 (MCR 200 kbps)
network link 2 (backup): ADSL (WIC-ADSL), 2048/512 (MCR 200 kbps)
int fast0/0 (integrated): public /29 range for my servers
int fast0/1 (NM-1FE-TX): private LAN 192.168.0.*

SITE B:

currently: C2611 16F/64D, IOS 12.3(24) IP FRW PLUS 3DES
network link 1: ADSL (WIC-ADSL), 640/256 (MCR 200 kbps)
eth0/0: private LAN
eth0/1: public /29 range for my servers

I would like to establish a VPN tunnel from site A (using network link 2) to site B.

I am not sure whether I will use 3DES 168 or AES. I would like to offload the VPN encryption work from the CPU of the router, using an AIM VPN module to do the job. At site A I could use an AIM-VPN/BP or an AIM-VPN/EP on the C2650; on the 2611 at site B I could use an AIM-VPN/BP.

Both cards encrypt 3DES in hardware.

I am now thinking that I could use a C2621XM (48F/256D) as the core router for site A, thus enabling the use of the AIM-VPN/BPII, which also supports the AES algorithm in hardware.

What do you suggest using, 3DES or AES? I would like to offload all I can onto AIM hardware, to free up CPU power. I could achieve that using 3DES on the tunnel.

Since I am paranoid about security, I could replace the 2650 at site A with the 2621XM (reducing global pps but enabling the use of the AIM which supports AES); at site B I could replace the 2611 (dual Ethernet) with the C2650 from site A (integrated FastEthernet + FastEthernet on the NM).

What do you suggest?

Please note that I would like to have a secure tunnel just to link the two networks: no file sharing, no NetBIOS in it, just some RDP, ssh connections and SNMP traffic; I just use it to access site A from B and vice versa for remote administration.

Thank you for your answers.

Elia Spadoni
Network Administrator

Use 2800s instead.

Note your 2600s are end of life from Cisco and may not even get s/w support any longer (you can look the models up on cisco.com to check).

Lack of software support would mean no more software patches for newly discovered security issues, and if you are "paranoid for security" then you should periodically check that.

2800s have built-in encryption hardware - the low-end 2801 will handle more than 2 Mbps of encryption without needing an AIM.

And AFAIR they support AES as well.

Note you don't have to run the encryption on the Internet-connected router if you terminate the tunnel further into your network - e.g. on a 2nd router, or on a server.

If performance is not an issue then you probably don't need the AIM at all. Might be a good idea to set it up now, stress it a bit and make sure the processor load and memory use stay reasonable.

stephen

Hello, thank you for your answer:

"stephen" wrote in message news:eByyj.19661$ snipped-for-privacy@newsfe1-gui.ntli.net...

I don't have 2800s available.

I am not bothered by the fact that they are EOL, since they are wonderful machines, replaced by the 2600XM series just for marketing purposes. The latest IOS officially supported is 12.3(xx), which is still a GD IOS (like 12.2). Unofficially the 12.4 series is supported (as you see, I have a 2650 with 12.4(17)).

At site A I will need to terminate it on the perimeter router, since I would like to use the ADSL link, and the ADSL link does NAT for an FE interface with the LAN PCs. At site B I have only one router (a 2611) that has the LAN interface on one eth, so I will terminate on both "perimeter" routers.

Since I am a little paranoid and I could get the AIM at a very low price, it could be a good idea. I just need to know whether I could use AES or 3DES...

Elia Spadoni

The 2600 series also supports 3DES VPN without the AIM card. The AIM only offloads the encryption and the only benefit is lower CPU utilization. On high bandwidth VPN links, you will run out of CPU before you can fill up the pipe, but your links are low bandwidth so you should be fine without the AIM. As far as security goes, the 2600 series is supported on 12.4 code, so as long as 12.4 code is supported (which will be a very long time) the 2600 will receive security updates.

Thrill5

> "I dont bother the fact that are EOL, since that are wonderful machines, replaced by the 2600XM series just for marketing purposes."

I seem to recall that the CPU was a lot faster.

I have implemented a 3DES VPN with a 2600 (I now forget exactly which one, but 2611/21, maybe XM). It was maxed out with DSL-level traffic. The router at the other end was an 857/877, which of course has a crypto offload processor.

You will find a 2611 has very poor crypto performance. It's easy enough to test.

Worth choosing a crypto method that is easier on the CPU. AES is apparently better than 3DES for the same level of security. DES also uses less CPU than 3DES but can no longer be considered secure.

Bod43

The 2600s are so much slower than the 2800, it's a world of difference in what they can push through. Even the 1841 can outpace the 2600 in just about everything.

The 2600XM doubles your memory capacity over the 2600. Since the newer images use so much more memory, it's really needed. That's the main reason 12.4(x) can't run on a non-XM 2610/2620. I wouldn't say that was a marketing-purpose-only distinction. Cisco saw they needed lots more memory, so they built a box 8 years ago with more memory.

You can run any crypto algorithm with any hardware, but if the offload engine doesn't support it, it has to run in software. On the 2600, you'll see less than stellar results, certainly less than T1 speeds of throughput if your crypto algorithm has to run in software.

3DES is most likely just fine. I still deploy stuff using 3DES depending on the situation.

Doug McIntyre

Hello

"Doug McIntyre" wrote:

>> I dont bother the fact that are EOL, since that are wonderful machines,

I agree. I have the 2600 series available (just one 2621XM here, 48F/256D); I also have the 2610/11 and the 2650 (32F/128D) available, which still have 37 kpps performance.

If I continue to use the 2600 series (not XM), I could help the CPU a lot using the AIM card. Using 3DES (accelerated in hardware), by what % can it help the CPU?

Elia Spadoni

> "I dont bother the fact that are EOL, since that are wonderful machines, replaced by the 2600XM series just for marketing purposes."
>
> I seem to recall that the CPU was a lot faster.

You are right, but at site A I will have a 4 Mbit symmetric link and a 2048/512 DSL. Using it just as the perimeter router, I think the pps will be enough (37 kpps on the 2650).

> I have implemented a 3des VPN with a 2600 (I now forget exactly which one but 2611/21 (maybe XM)). It was maxed out with DSL level traffic. The router at the other end was 857/877 which has of course crypto offload processor.

For this reason I would like to use the AIM card.

> You will find a 2611 has a very poor crypto performance. It's easy enough to test.

Elia Spadoni

You probably found that number here:

[link]
[link]

The bad news is - that is simple IPv4 forwarding without any bells and whistles.

Don't be surprised if the IPsec performance is a small fraction of that, as encryption involves a lot more processing, and you are also tunnelling the packet.

There are some numbers for VPN throughput - but all the 2600 numbers (XM only) are measured with an AIM.

[link]

One way to estimate is to take a VPN perf number for a non-hardware-accelerated router and scale by the relative IP throughput - this will at least tell you roughly how many zeros are in the answer :)

So an 830 can do 2 Mbps of VPN, 8.5 kpps, and a 2650 37.5 kpps - so a first guess is 8 Mbps of VPN on the 2650. With say 1000+ byte frames that is only 1 to 2k pps for VPN.

Note these are "best case" numbers, so no fragmentation, big packets to get high bandwidth, and total throughput.

So - a new 18xx router with its hardware encryption may be a lot faster than your more expensive 2650 - it's already twice the raw IP forwarding throughput.

And - an 1801 is cheaper than a modern VPN AIM last time I checked (although the old ones for 2600s may be cheaper if you can still find them, but they are out of production).

stephen

The main thing with the 2600 vs. 2600XM is memory (both DRAM and Flash); the CPU difference is minuscule.

The AIM/VPN cards offload crypto only. If the router can't offload the crypto to the card, the CPU load goes very high even for moderate throughput.

I.e. if the crypto algorithm you pick is done in software, pushing 700 kbps through a 2600 without the crypto offload card can max out the CPU. Pushing 2 Mbps through a 2600 with the proper AIM/VPN to handle what you want would give moderate CPU (40-60%?) depending on what else you are doing.

It's all about how much you are pushing, and recognizing the 2600 was designed to drive a few T1s' worth of bandwidth.

Doug McIntyre

Hello, thanks again for your answer.

"Doug McIntyre" wrote:

>> If I still continue tu use the 2600 series (not XM) I could help a lot the

It is perfect for me. At the site where I plan to use the 2611 I have at the moment one DSL 640/256 (MCR 100); in the near future it is possible we will install a second leased line like a T1 (1.5 Mb/1.5 Mb symmetric). I plan to use the AIM/VPN card on the 2611. If in the near future I need more horsepower, I could replace the 2611 with a 2650 (adding an NM-1FE-TX in the NM slot for the second LAN). At that site I won't have more than a DSL and a T1-like connection in the future. Since on the 2611 I can offload just DES and 3DES with the hardware AIM, I will use 3DES.

If I find another 2600 (but XM series this time), I will install the BPII AIM card; I could then offload AES as well, and I will switch my VPN to AES.

Elia Spadoni
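The configuration the thread converges on (3DES offloaded by the AIM-VPN/BP on the 2611 now, AES once both ends have AES-capable hardware, with a crypto ACL restricted to the two LANs, NAT exemption on the ADSL link, and the management-only filter the original poster asked for) is shown below as an added example. This is not the poster's configuration nor anything from the thread; it assumes a 2621XM at site A with the ADSL link on Dialer1, the site A LAN 192.168.0.0/24 on FastEthernet0/1, a site B LAN of 192.168.1.0/24, a site B peer address of 203.0.113.2 (TEST-NET documentation address) and a placeholder pre-shared key, all of which are assumptions. The site B router gets the mirror image: same transform sets, a crypto ACL with the two networks swapped, and a NAT exemption for 192.168.1.0/24 -> 192.168.0.0/24.

```cisco
! ---- Site A perimeter router (ASSUMED: 2621XM, ADSL on Dialer1) ----
! ASSUMED addresses: site A LAN 192.168.0.0/24 on Fa0/1, site B LAN 192.168.1.0/24,
! site B public peer 203.0.113.2. Replace the key with a long random secret.
!
! Phase 1 (IKE). 3DES/SHA/DH group 2 is what both current AIMs (BP on the 2611,
! BP/EP on the 2650) can accelerate; an AES policy here would run in software.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.2
!
! Phase 2. Two transform sets: TS-3DES for today, TS-AES to switch to when the
! 2611/AIM-VPN/BP end is replaced by AES-capable hardware (BPII or newer).
! Only the set referenced by the crypto map is negotiated.
crypto ipsec transform-set TS-3DES esp-3des esp-sha-hmac
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic: all IP between the two LANs. Crypto ACLs must be exact
! mirror images on both peers, so port restrictions go in a separate filter ACL
! (FROM-SITE-B below) rather than here.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! NAT exemption: the ADSL link NATs the LAN, so deny LAN-to-LAN traffic in the
! NAT ACL or it is translated before the crypto map sees it and never matches.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! Filter applied outbound on the LAN interface: what site B may reach at site A.
! ssh, RDP and SNMP inbound, plus replies for sessions site A opened itself.
! Everything else from site B is dropped and logged; Internet return traffic
! (already NATed) is left untouched by the final permit.
ip access-list extended FROM-SITE-B
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 22
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 eq 3389
 permit udp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 eq snmp
 permit tcp 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255 established
 permit udp 192.168.1.0 0.0.0.255 eq snmp 192.168.0.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 any log
 permit ip any any
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-3DES
 set pfs group2
 match address VPN-TRAFFIC
!
interface Dialer1
 ip nat outside
 crypto map SITE-B
!
interface FastEthernet0/1
 ip nat inside
 ip access-group FROM-SITE-B out
!
! Verification (exec mode). Doug McIntyre's point above is that an algorithm
! the card lacks silently falls back to software, so check the engine, not
! just the SA:
!   show crypto engine configuration          -> engine type should report hardware
!   show crypto engine accelerator statistic  -> counters must climb as traffic flows
!   show crypto ipsec sa                      -> transform in use, pkts encrypt/decrypt
!   show processes cpu | include CPU          -> load during the stress test stephen suggested
```

To move to AES later, change `set transform-set TS-3DES` to `set transform-set TS-AES` in the crypto map on both routers (and `encryption aes` in the ISAKMP policy if the hardware accelerates it), then repeat the engine checks: if the accelerator counters stop moving while `show crypto ipsec sa` still shows traffic, the AES work has landed on the CPU.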
