Home

Cisco DES/3DES/AES VPN Encryption Module

1. Cisco 10S Security Configuration Guide 6 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Command Reference W MIBs MIB MIBs Link No new or modified MIBs are supported by this To locate and download MIBs for selected platforms Cisco IOS feature and support for existing MIBs has not been releases and feature sets use Cisco MIB Locator found at the modified by this feature following URL http www cisco com go mibs RFCs RFC Title No new or modified RFCs are supported by this feature and support for existing RFCs has not been modified by this feature Technical Assistance Description Link The Cisco Technical Support website contains http www cisco com techsupport thousands of pages of searchable technical content including links to products technologies solutions technical tips and tools Registered Cisco com users can log in from this page to access even more content Command Reference This section documents new and modified commands only Modified Commands e show crypto engine e show crypto engine accelerator statistic New Commands e crypto engine aim Commands that may be used with this feature but are not modified in this release For information about commands see the Cisco IOS Security Command Reference a link is provided in the Related Documents subsection of the Additional References section above e cry
2. 10S Security Configuration Guide _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Command show crypto engine accelerator statistic Description debug crypto engine accelerator control Displays each control command as it is given to the crypto engine debug crypto engine accelerator packet Displays information about each packet sent for encryption and decryption show crypto engine accelerator ring Displays the contents of command and transmit rings for the crypto engine show crypto engine accelerator sa database Displays the active in use entries in the crypto engine security association SA database show crypto engine brief Displays a summary of the configuration information for the crypto engine show crypto engine configuration Displays the version and configuration information for the crypto engine show crypto engine connections Displays a list of the current connections maintained by the crypto engine Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 HI Feature Information for DES 3DES AES VPN Encrytion Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Feature Information for DES 3DES AES VPN Encrytion Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Table 5 lists the release history for this feature Not all command
3. 2 and AIM VPN SSL 3 page 2 e Information About the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 page 2 e How to Configure the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 page 3 Corporate Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA Copyright 2006 Cisco Systems Inc All rights reserved DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 HZ Prerequisites for the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 e Additional References page 6 e Command Reference page 7 e Feature Information for DES 3DES AES VPN Encrytion Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 page 22 Prerequisites for the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Installation Preconditions e Cisco IOS software Release 12 4 9 T amp Note See Table for AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 encryption module support by Cisco IOS release e A working IP network For more information about configuring IP see the Cisco IOS IP configuration guides Release 12 4 which may be accessed at Cisco IOS Software Releases 12 4 Mainline Configuration Guides Restrictions for the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 e Rivest Shamir
4. Length IPSEC Decompression AH ESP seq mismatch AH Header Length AH ICV Incorrect IPCOMP CPI Mismatch Unexpected IPV6 Extensio Dest Buf overflow IPSEC Pkt src count Unwrappable SSL Decompress failure SSL Version Mismatch SSL Conn Modulo SSL Connection closed SSL record header length PPTP Exceed max missed p DF Bit set Unwrappable object Invalid attrribute value Verification Fail Invalid Packet Input Overrun Output buffer overrun Invalid parameter Out of handles Out of memory pkts dropped ao BE oe A a E e SE o E m A a A a A o A o E G a a a o AE a E a E a A E o AE a o E AE gt E o AG a G oa oO oO Warnings sessions_expired 0 packets_fragmented 0 general 0 HSP details hsp_operations 10441 hsp_sessions 1 Tip In Cisco IOS Release 12 2 8 T and later releases you can add a time stamp to show commands using the exec prompt timestamp command in line configuration mode Table 3 show crypto engine accelerator statistic Compression Statistics Descriptions Counter Description packets decompressed Number of packets that were decompressed by the interface packets compressed Number of packets that were compressed by the interface bytes before decomp Number of compressed bytes that were presented to the compression algorithm from the input interface on decrypt bytes before comp Number of uncompressed bytes payload that were presented to the compression algorithm from Cis
5. Live Play and Learn is a service mark of Cisco Systems Inc and Access Registrar Aironet Catalyst CCDA CCDP CCIE CCIP CCNA CCNP CCSP Cisco the Cisco Certified Internetwork Expert logo Cisco IOS Cisco Press Cisco Systems Cisco Systems Capital the Cisco Systems logo Cisco Unity Enterprise Solver EtherChannel EtherFast EtherSwitch Fast Step Follow Me Browsing FormShare GigaDrive HomeLink Internet Quotient IOS iPhone IP TV iQ Expertise the iQ logo iQ Net Readiness Scorecard iQuick Study LightStream Linksys MeetingPlace MGX Networkers Networking Academy Network Registrar PIX ProConnect ScriptShare SMARTnet StackWise The Fastest Way to Increase Your Internet Quotient and TransPath are registered trademarks of Cisco Systems Inc and or its affiliates in the United States and certain other countries All other trademarks mentioned in this document or Website are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other company 0711R Any Internet Protocol IP addresses used in this document are not intended to be actual addresses Any examples command display output and figures included in the document are shown for illustrative purposes only Any use of actual IP addresses in illustrative content is unintentional and coincidental Copyright 2006 Cisco Systems Inc All rights reserved Cisco 10S Security Configuratio
6. VPN SSL 3 Mcast Bcast Frames RX 1586 RX Less 128Bytes 1562 RX Less 512Bytes 452503 RX Less 1KBytes 0 RX Less 9KBytes 0 RX Frames Dropivis s scsi t 0 FRAMES Teini epee LOSD SS Bytes Uh acsaccewswaevaceat 200977246 Mcast Bcast Frames TX 2 TX Less 128Bytes 3 TX Less 512Bytes 753555 TX Less 1KBytes 0 TX Less 9KBytes 0 show crypto engine accelerator statistic Table 4 describes significant fields shown in the display Table 4 Field show crypto engine accelerator statistic IPsec VPN SPA Statistics Descriptions Description Decryption Data Side Path Statistics Packets RX Number of packets received on the decryption side of the IPSec VPN SPA Packets TX Number of packets transmitted by IPSec VPN SPA in the decryption direction IPSec Transport Mode Number of packets in IPSec Transport Mode IPSec Tunnel Mode Number of packets in IPSec Tunnel Mode AH Packets AHs Number of packets with authentication headers ESP Packets Payload ESP headers Number of packets with Encapsulating Security GRE Decapsulations Number of packets that were generic routing encapsulating GRE decapsulated NAT T Decapsulations Number of packets that were Network Address Translation Traversal NAT T decapsulated Clear Number of clear packets received
7. and Adelman RSA encryption supports only 512 1024 1536 and 2048 bit keys e To achieve maximum benefit from hardware assisted IP Payload Compression Protocol IPPCP it is suggested that prefragmentation be disabled if IP compression with the Limpel Zif Stac LZS algorithm is enabled on IP Security IPsec sessions e Hardware acceleration is supported only for clients that are connecting to an SSL VPN gateway using SSL2 0 or SSL3 0 protocols when the rc4 md5 encryption transform is configured on the SSL VPN gateway If aes shal or 3des shal encryption transforms are used those protocols are processed on the router by the Cisco IOS software SSL VPN clients should be configured for version 1 0 of the Transport Layer Security TLS protocol if you are using an encryption algorithm other than rc4 md5 Information About the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Before using the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 you should be familiar with the following concept e Determining Which Encryption Module to Use page 3 Cisco 10S Security Configuration Guide in ee 4 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 How to Configure the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and W Determining Which Encryption Module to Use Determine which VPN encryption module to use as de
8. comp 0 bytes after decomp 0 bytes after comp 0 packets bypass decompr 0 packets bypass compres 0 bytes bypass decompres 0 bytes bypass compressi 0 packets not decompress 0 packets not compressed 0 bytes not decompressed 0 bytes not compressed 1 0 1 compression ratio 1 0 1 overall 10426 commands out 10426 commands acknowledged Last 5 minutes 0 packets in 0 packets out 0 paks sec in 0 paks sec out 0 bits sec in 0 bits sec out 0 bytes decrypted 0 bytes encrypted 0 Kbits sec decrypted 0 Kbits sec encrypted 1 0 1 compression ratio 1 0 1 overall Errors ppq full errors 0 ppq rx errors 0 cmdq full errors 0 cmdq rx errors 0 Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine accelerator statistic ppa down errors no buffer dest overflow PSEC ESP Modulo nexpected Protocol PSEC Pkt is fragment Invalid IP Version SSL Output overrun SSL BAD Decomp History SSL Input overrun SSL Input Underrun HaQH SSL Unrecognised content PPTP Duplicate packet RNG self test fail Hash Miscompare Missing attribute Bad Attribute Decrypt Failure Invalid Key Input Underrun Bad handle value Bad function code Access denied NR overflow oooocoocoooqcoooqcooo0qcooocooococoocococooo cmdq down errors replay errors authentication errors Other error Raw Input Underrun IPSEC Unsupported Option IPV4 Header Length ESP Pad
9. A Note The standby IPSec VPN SPA is not supposed to receive packets Hard Life Drop Number of packet drops due to SA hard life expiration Invalid SA Number of packet drops due to invalid SA Reassembly Frag RX Number of packets that required reassembly processing Clear Fragments Number of clear fragments Clear Reasm Done Number of clear fragments reassembled Datagrams Drop Number of reassembled datagrams dropped Fragments Drop Number of fragments dropped Cisco 10S Security Configuration Guide E DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Related Commands show crypto engine accelerator statistic Table 4 show crypto engine accelerator statistic IPsec VPN SPA Statistics Descriptions Continued Field Description Encryption Side Controller Statistics Frames RX Number of frames received Bytes RX Number of bytes received Mcast Bcast Frames RX Number of multicast broadcast frames received RX Less 128Bytes Number of frames less than 128 bytes RX Less 512Bytes Number of frames with size greater than or equal to 128 bytes and less than 512 bytes RX Less 1 KBytes Number of frames with size greater than or equal to 512 bytes and less than KB RX Less 9KBytes Number of frames with size greater than or equal to 1 KB and less than 9 KBs RX Frames Drop Number of
10. Contents Cisco SYSTEMS DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 First Published June 19 2006 Last Updated May 30 2006 The DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 feature describes how to configure virtual private network VPN encryption hardware advanced integration modules AIM in Cisco IOS Release 12 4 9 T Finding Feature Information in This Module Your Cisco IOS software release may not support all of the features documented in this module To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported use the Feature Information for DES 3DES AES VPN Encrytion Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 section on page 22 Finding Support Information for Platforms and Cisco IOS Software Images Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support Access Cisco Feature Navigator at http www cisco com go fn You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear e Prerequisites for the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 page 2 e Restrictions for the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL
11. ICMP Number of Internet Control Message Protocol ICMP packets received Packets Drop Number of packet drops Authentication Errors Number of authentication errors Decryption Errors Number of decryption errors Replay Check Failed Number of replay check errors Policy Check Failed Number of policy check errors Ilegal Clear Packet Number of illegal clear packets GRE Errors Number of GRE errors due to invalid packets or invalid security associations SAs Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine accelerator statistic Table 4 show crypto engine accelerator statistic IPsec VPN SPA Statistics Descriptions Continued Field Description SPD Errors Number of Security Policy Database SPD errors HA Standby Drop Number of packet drops on a High Availability HA standby IPSec VPN SPA Note The standby IPSec VPN SPA is not supposed to receive packets Hard Life Drop Number of packet drops due to SA hard life expiration Invalid SA Number of packet drops due to invalid SA SPI No Match Number of packet drops due to SPI mismatch Destination No Match Number of packet drops due to destination no match Protocol No Match Number of packet drops due to protocol no match Reassembly Frag RX Numb
12. S VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 HZ show crypto engine accelerator statistic show crypto engine accelerator statistic To display IP Security IPsec encryption statistics and error counters for the onboard hardware accelerator of the router or the IPsec Virtual Private Network VPN Shared Port Adapter SPA use the show crypto engine accelerator statistic command in privileged EXEC mode show crypto engine accelerator statistic IPsec VPN SPA show crypto engine accelerator statistic slot slot subslot all detail Syntax Description slot slot subslot IPsec VPN SPA only Optional Chassis slot number and secondary slot number on the SPA Interface Processor SIP where the SPA is installed Refer to the appropriate hardware manual for slot information For SIPs refer to the platform specific SPA hardware installation guide or the corresponding Identifying Slots and Subslots for SIPs and SPAs topic in the platform specific SPA software configuration guide Displays platform statistics for the corresponding IPsec VPN SPA This output will not include network interface controller statistics all IPsec VPN SPA only Optional Displays platform statistics for all IPsec VPN SPAs on the router This output will not include network interface controller statistics detail IPsec VPN SPA only Optional Displays platform statistics for the IPsec VPN SPA and network interface con
13. c VPN SPA The following example shows the platform statistics for the IPSec VPN SPA in slot 1 subslot 0 and also displays the network interface controller statistics Router show crypto engine accelerator statistic slot 1 0 detail VPN module in slot 1 0 Decryption Side Data Path Statistics Packets RX 2 062222 454260 Packets TX 20002222 452480 IPSec Transport Mode 0 IPSec Tunnel Mode 452470 AH Packets 0 ESP Packets 452470 GRE Decapsulations 0 NAT T Decapsulations 0 NAT Soy ects eaa eci e ieh cuore 8 TEMP EaD EEEE EDEN 0 Packets Drop eiatedd daaa 93 Authentication Errors 0 Decryption Errors 0 Replay Check Failed 0 Policy Check Failed 0 Illegal CLear Packet 0 GRE BECO S a aay eae eases SPD ECOPS iis ses ese snus eee 0 HA Standby Drop 0 Hard Life Drop 0 invalid SAv ws 4acasanew ease LOL SPI No Match 0 Destination No Match 0 Protocol No Match 0 Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine accelerator statistic Reassembly Frag RX 0 IPSec Fragments 0 IPSec Reasm Done 0 Clear Fragments 0 Clear Reasm Done 0 Datagrams Drop 0 Fragments Drop 0 Decrypt
14. c VPN SPA on Cisco 7600 series routers and Catalyst 6500 series switches Output was added for the AIM VPN Secure Sockets Layer SSL encryption module Release 12 2 33 SRA 12 4 9 T No specific usage guidelines apply to the hardware accelerators IPsec VPN SPA Enter the slot keyword to display platform statistics for the corresponding IPSec VPN SPA This output will not include network interface controller statistics Enter the all keyword to display platform statistics for all IPSec VPN SPAs on the router This output will not include network interface controller statistics Enter the detail keyword to display platform statistics for the IPSec VPN SPA and network interface controller statistics Note that the controller statistics contain L2 counters Hardware VPN Module The following example displays compression statistics for a hardware VPN module Router show crypto engine accelerator statistic Device AIM VPN SSL 3 Location AIM Slot 0 Virtual Private Network VPN Module in slot 0 Statistics for Hardware VPN Module since the last clear of counters 85319 seconds ago 560 packets in 560 packets out 95600 bytes in 124720 bytes out 0 paks sec in 0 paks sec out 0 Kbits sec in 0 Kbits sec out 0 packets decrypted 560 packets encrypted 0 bytes before decrypt 124720 bytes encrypted 0 bytes decrypted 95600 bytes after encrypt 0 packets decompressed 0 packets compressed 0 bytes before decomp 0 bytes before
15. co IOS on encrypt bytes after decomp Number of decompressed bytes that were sent to Cisco IOS by the compression algorithm on decrypt bytes after comp Number of compressed bytes that were forwarded to Cisco IOS by the algorithm on encrypt Cisco 10S Security Configuration Guide 14 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine accelerator statistic i Table 3 show crypto engine accelerator statistic Compression Statistics Descriptions Counter Description packets bypass compres Number of packets that were not compressed because they were too small lt 128 bytes packets not compressed Number of packets that were not compressed because the packets are expanded rather than compressed compression ratio Ratio of compression and decompression of packets presented to the compression algorithm that were successfully compressed or decompressed This statistic measures the efficiency of the algorithm for all packets that were compressed or decompressed overall Ratio of compression and decompression of packets presented to the compression algorithm including those that were not compressed due to expansion too small This ratio indicates whether the data traffic on this interface is suitable for compression A ratio of 1 1 would imply that no successful compression is being performed on this data traffic IPse
16. crypto engine brief crypto engine name Virtual Private Network VPN Module crypto engine type hardware State Enabled Location aim 0 Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine VPN Module in slot 0 Product Name AIM VPN SSL 3 Software Serial 55AA Device ID 001F revision 0000 Vendor ID 0000 Revision No 0x001F0000 VSK revision 0 Boot version 255 DPU version 0 HSP version 3 3 18 PRODUCTION Time running 23 39 30 Compression Yes DES Yes 3 DES Yes AES CBC Yes 128 192 256 AES CNTR No Maximum buffer length 4096 Maximum DH index 3500 Maximum SA index 3500 Maximum Flow index 7000 Maximum RSA key size 2048 crypto engine name crypto engine type serial number crypto engine state crypto engine in slot Cisco VPN Software Implementation software CAD4FCE1 installed N A The following example of the show crypto engine command shows IPv6 information Router show crypto engine connections ID Interface Type Algorithm Encrypt Decrypt IP Address 1 Et2 0 TPsec MD5 0 46 FE80 A8BB CCFF FE01 2C02 2 Et2 0 TPsec MD5 41 0 FE80 A8BB CCFF FE01 2C02 5 Tud IPsec SHA DES 0 0 3FFE 2002 A8BB CCFF FE01 2C02 6 Tud IPsec SHA DES 0 0 3FFE 2002 A8BB CCFF FE01 2C02 1001 Tu0 IKE SHA DES 0 0 3FFE 2002 A8BB CCFF FE01 2C02 Table 1 describes significant fiel
17. ds shown in the display Table 2 show crypto engine brief Field Descriptions Field Description crypto engine name Name of the crypto engine as assigned with the key name argument in the crypto key generate dss command crypto engine type If software is listed the crypto engine resides in either the Route Switch Processor RSP the Cisco IOS crypto engine or in a second generation Versatile Interface Processor VIP2 If crypto card or ESA is listed the crypto engine is associated with an Encryption Service Adapter ESA Cisco 10S Security Configuration Guide 10 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Related Commands show crypto engine W Table 2 show crypto engine brief Field Descriptions Continued Field Description crypto engine state The state installed indicates that a crypto engine is located in the given slot but it is not configured for encryption The state dss key generated indicates the crypto engine found in that slot has DSS keys already generated crypto engine in slot Chassis slot number of the crypto engine For the Cisco IOS crypto engine this is the chassis slot number of the RSP Command Description crypto engine accelerator Enables the use of the onboard hardware accelerator for IPSec encryption Cisco 10S Security Configuration Guide DES 3DES AE
18. er of packets that required reassembly processing IPSec Fragments Number of IPSec fragments IPSec Reasm Done Number of IPSec fragments reassembled Clear Fragments Number of clear fragments Clear Reasm Done Number of clear fragments reassembled Datagrams Drop Number of reassembled datagrams dropped Fragments Drop Number of fragments dropped Decryption Side Controller Statistics Frames RX Number of frames received Bytes RX Number of bytes received Mcast Bcast Frames RX Number of multicast broadcast frames received RX Less 128Bytes Number of frames less than 128 bytes RX Less 512Bytes Number of frames with size greater than or equal to 128 bytes and less than 512 bytes RX Less 1 KBytes Number of frames with size greater than or equal to 512 bytes and less than kilobyte KB RX Less 9KBytes Number of frames with size greater than or equal to 1KB and less than 9 KBs RX Frames Drop Number of frames dropped Frames TX Number of frames transmitted Bytes TX Number of bytes transmitted Mcast Bcast Frames TX Number of multicast broadcast frames transmitted TX Less 128Bytes Number of frames less than 128 bytes Cisco 10S Security Configuration Guide _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine accelerato
19. frames dropped Frames TX Number of frames transmitted Bytes TX Number of bytes transmitted Mcast Bcast Frames TX Number of multicast broadcast frames transmitted TX Less 128Bytes Number of frames less than 128 bytes TX Less 512Bytes Number of frames with size greater than or equal to 128 bytes and less than 512 bytes TX Less 1KBytes Number of frames with size greater than or equal to 512 bytes and less than KB TX Less 9KBytes Number of frames with size greater than or equal to 1 KB and less than 9 KBs Command Description clear crypto engine accelerator counter Resets the statistical and error counters for the hardware accelerator to zero crypto ca Defines the parameters for the certification authority used for a session crypto cisco Defines the encryption algorithms and other parameters for a session crypto dynamic map Creates a dynamic map crypto configuration for a session crypto engine accelerator Enables the use of the onboard hardware accelerator of the Cisco uBR905 and Cisco uBR925 routers for IPSec encryption crypto ipsec Defines the IPsec SAs and transformation sets crypto isakmp Enables and defines the IKE protocol and its parameters crypto key Generates and exchanges keys for a cryptographic session crypto map Creates and modifies a crypto map for a session Cisco
20. ion Side Controller Statistics 756088 63535848 2341 RX Less 128Bytes 756025 RX Less 512Bytes 58 RX Less 1KBytes 2 RX Less 9KBytes 3 RX Frames Drop 0 Frames TX oessa oau au es aaa 2523965 Bytes TX scsescscecs esst 38001544 Mcast Bcast Frames TX 9 TX Less 128Bytes 452343 TX Less 512Bytes 22 TX Less 1KBytes 0 TX Less 9KBytes 0 Encryption Side Data Path Statistics Packets RX cerere sere rewi 156344 Packets UXvewivixaneuaxaet O88 IPSec Transport Mode 0 IPSec Tunnel Mode 753869 GRE Encapsulations 0 NAT T Encapsulations 0 LAF prefragmented 0 Fragmented 663 0 Clear eee ee Ree Peers 753904 ECM ited atick sity Marte lanetiontelantet ante tertotante lout 0 Packets Drop 123 TKE TED DEOD 4 0 Souk aaa 27 Authentication Errors 0 Encryption Errors 0 HA Standby Drop 0 Hard Life Drop 0 Tmyvalid SA 44 8eR eee eee eet ASL Reassembly Frag RX 0 Clear Fragments 0 Clear Reasm Done 0 Datagrams Drop 0 Fragments Drop 0 Encryption Side Controller Statistics Frames RX 2 3 454065 Bytes RX rororo wae eee OL68274 Cisco 10S Security Configuration Guide _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM
21. n Guide
22. pto engine accelerator Cisco 10S Security Configuration Guide 7 DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 W crypto engine aim crypto engine aim To reenable an advanced integration module AIM encryption module use the crypto engine aim command in global configuration mode To disable an AIM encryption module use the no form of this command crypto engine aim aim slot number no crypto engine aim aim slot number Syntax Description aim slot number Slot number to which an AIM module is to be reenabled or disabled Defaults An AIM module is not reenabled or disabled Command Modes Global configuration Command History _ Release Modification 12 3 11 T This command was introduced Examples The following example shows that the AIM module in slot 0 is to be reenabled crypto engine aim 0 The following example shows that the AIM module in slot 0 is to be disabled no crypto engine aim 0 Cisco 10S Security Configuration Guide 8 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 show crypto engine Syntax Description Command Modes Command History Usage Guidelines Examples show crypto engine W To display a summary of the configuration information for the crypto engines use the show crypto engine command in privileged EXEC mode show crypto engine accelerator brief configuration connection
23. r statistic i Table 4 show crypto engine accelerator statistic IPsec VPN SPA Statistics Descriptions Continued Field Description TX Less 512Bytes Number of frames with size greater than or equal to 128 bytes and less than 512 bytes TX Less 1KBytes Number of frames with size greater than or equal to 512 bytes and less than KB TX Less 9KBytes Number of frames with size greater than or equal to 1 KB and less than 9 KBs Encryption Side Data Path Statistics Packets RX Number of packets received on the encryption side of the IPSec VPN SPA Packets TX Number of packets transmitted by the IPSec VPN SPA in the encryption direction IPSec Transport Mode Number of packets in IPSec Transport Mode IPSec Tunnel Mode Number of packets in IPSec Tunnel Mode GRE Encapsulations Number of packets that were GRE encapsulated NAT T Encapsulations Number of packets that were NAT T encapsulated LAF prefragmented Number of packets with Look Ahead Fragmentation set and that were prefragmented Fragmented Number of packets fragmented Clear Number of clear packets ICMP Number of ICMP packets Packets Drop Number of packet drops IKE TED Drop Number of packet drops because SA has not been set up Authentication Errors Number of authentication errors Encryption Errors Number of Encryption errors HA Standby Drop Number of packet drops on a HA standby IPSec VPN SP
24. s qos accelerator Optional Displays crypto accelerator information brief Optional Displays a summary of the configuration information for the crypto engine configuration Optional Displays the version and configuration information for the crypto engine connections Optional Displays information about the crypto engine connections qos Optional Displays quality of service QoS information e This keyword has a null output if any advanced integration module AIM except AIM VPN SSL 1 is used The command line interface CLI will accept the command but there will be no output Privileged EXEC Release Modification 11 2 This command was introduced on the Cisco 7200 RSP7000 and 7500 series routers 12 2 15 ZJ This command was implemented for the AIM VPN BPII on the following platforms Cisco 2610XM Cisco 2611XM Cisco 2620XM Cisco 2621XM Cisco 2650XM and Cisco 2651XM 12 3 4 T This command was integrated into Cisco IOS Release 12 3 4 T 12 4 4 T IPv6 address information was added to command output 12 4 9 T AIM VPN SSL 3 encryption module information was added to command output 12 2 33 SRA This command was integrated into Cisco IOS release 12 33 SRA This command displays all crypto engines and displays the AIM VPN product name The following example of the show crypto engine command and the brief keyword shows typical crypto engine summary information Router show
25. s may be available in your Cisco IOS software release For release information about a specific command see the command reference documentation Cisco IOS software images are specific to a Cisco IOS software release a feature set and a platform Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support Access Cisco Feature Navigator at http www cisco com go fn You must have an account on Cisco com If you do not have an account or have forgotten your username or password click Cancel at the login dialog box and follow the instructions that appear Note Table 5 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train Unless noted otherwise subsequent releases of that Cisco IOS software release train also support that feature Table 5 Feature Information for DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Feature Name Releases Feature Information DES 3DES AES VPN Encryption Module 12 4 9 T The DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 AIM VPN SSL 3 feature describes how to configure virtual private network VPN encryption hardware advanced integration modules AIM CCVP the Cisco logo and Welcome to the Human Network are trademarks of Cisco Systems Inc Changing the Way We Work
26. scribed in Table 1 Table 1 AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Encryption Module Support by Cisco IOS Release Platform Cisco 10S Release 12 4 9 T Cisco 1841 AIM VPN SSL 1 Cisco 2691 AIM VPN SSL 2 Cisco 2801 AIM VPN SSL 2 Cisco 2811 AIM VPN SSL 2 Cisco 2821 AIM VPN SSL 2 Cisco 2851 AIM VPN SSL 2 Cisco 3725 AIM VPN SSL 3 Cisco 3745 AIM VPN SSL 3 Cisco 3825 AIM VPN SSL 3 Cisco 3845 AIM VPN SSL 3 How to Configure the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 There are no configuration tasks that are specific to the encryption hardware Both software based and hardware based encryption are configured in the same way The system automatically detects the presence of the encryption hardware at bootup and uses it to encrypt data If no encryption hardware is detected software is used to encrypt data This section includes the following procedures e Disabling an AIM Encryption Module on a Specific Slot page 3 e Reenabling an AIM Encryption Module on a Specific Slot page 4 e Clearing the Statistical and Error Counters page 5 e Verifying AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Encryption Information page 5 Disabling an AIM Encryption Module on a Specific Slot To disable an AIM encryption module on a specific slot perform the following steps SUMMARY STEPS 1 enable 2 configure terminal 3 no crypto engine aim aim slo
27. t number Cisco 10S Security Configuration Guide DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 HZ How to Configure the DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 DETAILED STEPS Command Purpose Step1 enable Enables privileged EXEC mode e Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 no crypto engine aim aim slot number Disables an AIM encryption module on a specific slot Example Router config no crypto engine aim 0 Reenabling an AIM Encryption Module on a Specific Slot To reenable an AIM encryption module on a specific slot perform the following steps SUMMARY STEPS 1 enable 2 configure terminal 3 crypto engine aim aim slot number DETAILED STEPS Command Purpose Step1 enable Enables privileged EXEC mode e Enter your password if prompted Example Router gt enable Step2 configure terminal Enters global configuration mode Example Router configure terminal Step3 crypto engine aim aim slot number Reenables an AIM encryption module on a specific slot Example Router config crypto engine aim 0 Cisco 10S Security Configuration Guide 4 _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 How to Configure the DES 3DES AES VPN Encryp
28. tion Module AIM VPN SSL 1 AIM VPN SSL 2 and W Clearing the Statistical and Error Counters To clear the statistical and error counters of the hardware accelerator of a router perform the following steps SUMMARY STEPS 1 enable 2 clear crypto engine accelerator counter DETAILED STEPS Command Purpose Step1 enable Enables privileged EXEC mode e Enter your password if prompted Example Router gt enable Step2 clear crypto engine accelerator counter Resets the statistical and error counters for the hardware accelerator of a router to zero Example Router clear crypto engine accelerator counter Verifying AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Encryption Information To verify AIM VPN encryption information perform the following steps SUMMARY STEPS 1 enable 2 show crypto engine brief 3 show crypto engine accelerator statistic DETAILED STEPS Command Purpose Step1 enable Enables privileged EXEC mode e Enter your password if prompted Example Router gt enable Step2 show crypto engine brief Displays a summary of the configuration information for the crypto engines Example Router show crypto engine brief Cisco 10S Security Configuration Guide a DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Hs Additional References Command Purpose Step3 show crypto engine accelerator statistic Displays the statistics and error co
29. troller statistics Note that the controller statistics contain Layer 2 L2 counters Command Modes Privileged EXEC Command History _ Release Modification 12 1 1 XC This command was introduced for the Cisco 1700 series router and other Cisco routers that support hardware accelerators for IPsec encryption 12 1 3 XL This command was implemented on the Cisco uBR905 cable access router 12 2 2 KA Support was added for the Cisco uBR925 cable access router 12 2 13 T This command was integrated into Cisco IOS Release 12 2 13 T and implemented for the AIM VPN EPII and AIM VPN HPI on the following platforms Cisco 2691 Cisco 3660 Cisco 3725 and Cisco 3745 In addition the output for this show command was enhanced to display compression Statistics 12 2 15 ZJ This command was implemented for the AIM VPN BPII on the following platforms Cisco 2610XM Cisco 2611XM Cisco 2620XM Cisco 2621XM Cisco 2650XM and Cisco 2651XM 12 3 4 T The AIM VPN BPII was integrated into Cisco IOS Release 12 3 4 T on the following platforms Cisco 2610XM Cisco 2611XM Cisco 2620XM Cisco 2621XM Cisco 2650XM and Cisco 2651XM Cisco 10S Security Configuration Guide EE _DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Usage Guidelines Examples show crypto engine accelerator statistic i Modification This command was integrated into Cisco IOS Release 12 2 33 SRA to support the IPse
30. unters for the onboard hardware accelerator of the router for IPsec encryption Example Router show crypto engine accelerator statistic Additional References The following sections provide references related to DES 3DES AES VPN Encryption Module AIM VPN SSL 1 AIM VPN SSL 2 and AIM VPN SSL 3 Related Documents Related Topic Document Title Installation of VPN encryption modules e Installing and Upgrading Internal Modules in Cisco 1800 Series Routers Modular e Installing Advanced Integration Modules in Cisco 2600 Series Cisco 3600 Series and Cisco 3700 Series Routers e Installing and Upgrading Internal Modules in Cisco 2800 Series Routers e Installing and Upgrading Internal Components in Cisco 3800 Series Routers Cisco 1800 series Cisco 2600 series Cisco 2800 Cisco 1800 Series Integrated Service Routers Cisco 2600 Series series Cisco 3700 series and Cisco 3800 series routers Multiservice Platforms Cisco 2800 Series Integrated Service Routers Cisco 3700 Series Multiservice Access Routers and Cisco 3800 Series Integrated Service Routers Routers Support documentation index on Cisco com Cisco IOS references e Cisco IOS Security Configuration Guide Release 12 4 e Cisco IOS Security Command Reference Release 12 4T Standards Standard Title No new or modified standards are supported by this feature and support for existing standards has not been modified by this feature

Cisco DES/3DES/AES VPN Encryption Module

Contents

Download Pdf Manuals

Related Search

Related Contents