Re: Cisco 1711 VPN hardware module support for AES ???

Discussion in 'Cisco' started by stephen, Mar 18, 2005.

  1. stephen

    stephen Guest

    "Merv" <> wrote in message
    news:...
    >
    > Trying to enable AES encryption on a Cisco 1711 router running IOS
    > 12.3(11)T3 which has a VPN hardware module.
    >
    >
    > The following message does not look promising:
    >
    > crypto isakmp policy 10
    > encr aes
    > ! Policy disabled because algorithm not supported by encryption
    > hardware
    > authentication pre-share
    > group 2
    > lifetime 120


    had a similar issue with 1760 (which uses the same VPN accelerators i
    think) - the feature navigator only has 1 AES enabled encryption
    accelerator, and that only supports 1841 / 26xx / 28xx / 38xx boxes.

    when we asked cisco around a year back about AES and 1760 they would not
    make any commitments about hardware to support this.

    if you can swap hardware you might want to look at 1841 instead - i think
    that also has AES support for the onboard encryption chip, so you may not
    need an AIM depending on the throughput you need.
    >
    > #sh ver | inc IOS
    > Cisco IOS Software, C1700 Software (C1700-ADVSECURITYK9-M), Version
    > 12.3(11)T3,
    > RELEASE SOFTWARE (fc4)
    >
    >
    > #sh diag
    > ...
    >
    > Slot 3:
    > Virtual Private Network (VPN) Module Port adapter, 1 port
    > Port adapter is analyzed
    > Port adapter insertion time unknown
    > EEPROM contents at hardware discovery:
    > Hardware Revision : 2.1
    > Part Number : 73-4586-02
    > Board Revision : C0
    > Deviation Number : 0-0
    > Fab Version : 03
    > PCB Serial Number : FOC084834QY
    > RMA Test History : 00
    > RMA Number : 0-0-0-0
    > RMA History : 00
    > Product (FRU) Number : MOD1700-VPN=
    > EEPROM format version 4
    > EEPROM contents (hex):
    >
    >
    > Anyone using AES on a Cisco 1710 ?

    --
    Regards

    Stephen Hope - return address needs fewer xxs
     
    stephen, Mar 18, 2005
    #1

  2. stephen

    Merv Guest

    I can get AES to run on two 1841 and a 2811, but no joy with the 1711
     
    Merv, Mar 18, 2005
    #2

  3. Aaron Leonard, Mar 18, 2005
    #3
  4. stephen

    Merv Guest

    Does that mean that I have to remove the VPN module from the 1711 in
    order to use AES software-based encryption ???
     
    Merv, Mar 18, 2005
    #4
  5. stephen

    Merv Guest

    Merv wrote:
    > Does that mean that I have to remove the VPN module from the 1711 in
    > order to use AES software-based encryption ???


    Or is there any way to disable the 1711 VPN hardware encryption via IOS
    configuration ???
     
    Merv, Mar 18, 2005
    #5
  6. stephen

    Merv Guest

    Merv wrote:
    > Merv wrote:
    > > Does that mean that I have to remove the VPN module from the 1711 in
    > > order to use AES software-based encryption ???
    >
    > Or is there any way to disable the 1711 VPN hardware encryption via IOS
    > configuration ???


    From Cisco doc:


    Disabling Hardware Encryption

    If your Cisco 1700 series router is equipped with an optional Virtual
    Private Network (VPN) module, it provides hardware 3DES encryption by
    default. If you wish, you can disable the VPN module and use Cisco IOS
    software encryption/decryption instead.

    The command that disables the VPN module is as follows:

    no crypto engine accelerator

    The command is executed in configuration mode. The following is an
    example of its use:

    Router(config)#no crypto engine accelerator
    Warning! all current connections will be torn down.
    Do you want to continue? [yes/no]: yes
    ..
    Crypto accelerator in slot 0 disabled
    ..
    switching to IPsec crypto engine


    After this command is executed, the following procedure must be
    performed to bring up all encryption tunnels appropriately.
     
    Merv, Mar 19, 2005
    #6
  7. stephen

    Hansang Bae Guest

    Merv wrote:
    [snip]
    > The command that disables the VPN module is as follows:
    >
    > no crypto engine accelerator
    >

    [snip]

    Watch your CPU as IPSec takes a toll on the router w/o the AIM card.
    also, reboot it a few times to make sure the above command doesn't
    disappear dynamically (due to a bug)


    --

    hsb


    "Somehow I imagined this experience would be more rewarding" Calvin
    **************************ROT13 MY ADDRESS*************************
    Due to the volume of email that I receive, I may not be able to
    reply to emails sent to my account. Please post a followup instead.
    ********************************************************************
     
    Hansang Bae, Mar 19, 2005
    #7
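
An added example, not part of any post above: one way to do the post-reboot check suggested in #7 is to audit a saved copy of the configuration for the two signs discussed in this thread. It assumes `no crypto engine accelerator` appears as a literal line in the saved config; both sample configs are constructed from the policy quoted in the first post.

```python
import re

NOTE = "policy disabled because algorithm not supported"
SUBCMDS = ("encr", "authentication", "group", "lifetime", "hash")

def parse(config):
    """Return (accelerator_disabled, {priority: {"encr": ..., "disabled": ...}})."""
    accel_off, policies, cur = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        head = re.match(r"crypto isakmp policy (\d+)$", line)
        if head:
            cur = policies.setdefault(int(head.group(1)),
                                      {"encr": None, "disabled": False})
        elif cur is not None and line.startswith("!") and NOTE in line.lower():
            cur["disabled"] = True      # IOS annotated this policy as unusable
        elif cur is not None and line.startswith(SUBCMDS):
            if line.startswith("encr"):
                cur["encr"] = line.split(None, 1)[1]
        else:
            cur = None                  # any other line closes the policy block
            if line == "no crypto engine accelerator":
                accel_off = True
    return accel_off, policies

def findings(config):
    """List the problems a post-reboot review should flag."""
    accel_off, policies = parse(config)
    out = []
    if not accel_off:
        out.append("'no crypto engine accelerator' missing from config")
    for prio, pol in sorted(policies.items()):
        if pol["disabled"]:
            out.append(f"isakmp policy {prio} (encr {pol['encr']}) disabled by IOS")
    return out

# Constructed sample: config saved right after disabling the VPN module.
BEFORE_REBOOT = """no crypto engine accelerator
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 120
!
"""
# Constructed sample: the command has vanished and the policy is flagged again.
AFTER_REBOOT = """crypto isakmp policy 10
 encr aes
 ! Policy disabled because algorithm not supported by encryption hardware
 authentication pre-share
 group 2
 lifetime 120
!
"""
```
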
