2611XM w/ AIM-VPN/EP
I'll implement router-to-router IOS VPN using the 2611XM VPN, which includes an AIM-VPN/EP card. According to Cisco's Software Advisor tool, the minimum software versions supported per train for this card are: 12.2(11)YT, 12.2(15)ZJ, 12.3(1). I'm having a hard time grasping the concept of "minimum version". Does that mean I can't run 12.2(15)T5, which the ZJ train comes from? Has anyone else successfully run the AIM-VPN/EP module on a different code version?
I don't know what is happening with the Software Advisor, but the AIM-VPN/EP has been supported since 12.2(8)T1, so you could certainly run 12.2(15)T with it.
Tags: Cisco Security
Similar Questions
-
Does anyone know if the GRE tunnels can be used with the AIM-VPN/SSL-2 module for the Cisco 2800 series routers?
Yes, we use it with GRE/IPSec.
Hope that helps.
-
MODULE AIM-VPN/EP of C2621 in C1841?
Hello
For some tests in my lab, I ordered an AIM-VPN card on eBay; the guy told me that it works in a C1841.
When compared to the one I have in my C2621, they look the same.
On the two pcb I can read: CN6I280AAA
When I put it I get this:
Smart init is enabled
Smart init is sizing iomem
ID MEMORY_REQ TYPE
0X003AA110 public buffer pools
0X00211000 public particle pools
0002A 0 AIM UNKNOWN
0X00020000 Crypto module pools
0X000021B8 Onboard USB
Do you think that the card works?
Thank you for your help.
Best regards
Didier
Didier,
Can you please attach the output of:
- show ver
- show diag
- show inv
- show logg (if after boot)
- show crypto eli
- show crypto engine config
Let's see what is the name of the beast ;-)
Marcin
-
Problem loading AIM-VPN/HPII on C3745
I tried the latest mainline and T train without success. I get the following errors on both identical 3745 routers with 2 identical AIM modules:
On 12.3:
*Mar 1 00:01:07.419: %VPN_HW-1-INITFAIL: Slot 1: No. ACK for order.., 0x80000000(50000 ms)
*Mar 1 00:01:07.419: %VPN_HW-1-INITFAIL: Slot 1: do mini_omq failed: 00180010
*Mar 1 00:01:07.419: %VPN_HW-1-INITFAIL: Slot 1: firmware download failed
On 12.4:
*Mar 1 00:01:09.995: %VPN_HW-1-INITFAIL: Slot 1: No. ACK for order.., 0x80000000(50000 ms)
*Mar 1 00:01:09.995: %VPN_HW-1-INITFAIL: Slot 1: do mini_omq failed: 00180010
After mbox fail:
*Mar 1 00:01:09.995: base address register is: 3A800000
*Mar 1 00:01:09.995: versionid = 00140002
Any suggestion would be appreciated.
AIM Module in slot: 1
Hardware Revision : 1.0
Top Assy. Part Number : 800-18028-01
Board Revision : C0
Deviation Number : 0-0
Fab Version : 03
PCB Serial Number : FOC08101AN8
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : AIM-VPN/HPII
Version Identifier : v01
EEPROM format version 4
EEPROM contents (hex):
0 X 00: 0 B 04 FF 40 03 41 01 00 C0 46 03 20 00 46 01 6
*Mar 1 00:01:09.995: %VPN_HW-1-INITFAIL: Slot 1: No. ACK for order.., 0x80000000(50000 ms)
*Mar 1 00:01:09.995: %VPN_HW-1-INITFAIL: Slot 1: do mini_omq failed: 00180010
After mbox fail:
*Mar 1 00:01:09.995: base address register is: 3A800000
*Mar 1 00:01:09.995: versionid = 00140002
DRAM, to check if the modules of memory have a different ability, I have encountered this problem.
-
AIM-VPN/SSL-2 facility in Cisco 2821
Hi all
I have a Cisco 2821 router with IOS version 12.4(25d).
I also have a Cisco AIM-VPN/SSL-2 encryption module for this router.
I have inserted this module into AIM slot 0 but cannot see it.
I found in KB:
http://www.Cisco.com/en/us/docs/iOS/12_4t/12_4t11/htvpnssl.html#wp1067692
but I have no 'crypto engine aim' command
Router(config)#crypto engine ?
Unit? hardware Crypto Accelerator
Embedded onboard Crypto engine
software software encryption engine
When the system starts up, I see:
0004F4 AIM UNKNOWN
What should I change to activate this module?
Thank you.
Julie,
AIM/SSL engines require at least IOS 12.4(9)T, while you are running an older 12.4 mainline version.
Marcin
-
VPN throughput on a 2651XM router
Where can I find this info?
Also, I got the used router (for nearly nothing $) but I know it's a value of some $$$. Where can I find out what model it is exactly? 'show version' doesn't show much.
Oh sorry, I pasted the partner link. Unfortunately this link doesn't seem to be available as a non-partner link, so here's a copy of the relevant pieces of it:
--------------------------------------
AIM-VPN/BPII is only supported in the Cisco 2600XMs. It has support for DES/3DES and AES (optimized for AES128 only) as well as Layer 3 Compression (IPPCP). This module requires Cisco IOS version 12.2(15)ZJ and later versions.
AIM-VPN/BPII-PLUS is only supported in the Cisco 2600XMs. AIM-VPN/EPII-PLUS is supported in the 2691 and 3725 only. The BPII-PLUS and EPII-PLUS support DES/3DES and are optimized for all AES key sizes (AES128, AES192 and AES256) with Layer 3 Compression (IPPCP). These modules are supported in 12.3(5c), 12.3(6) and later for mainline releases and 12.3(7)T and later for T releases.
Q. What function does the VPN Module perform?
A. The VPN Module for the Cisco 1700, 2600, 3600, and 3700 Series optimizes the platform for IPSec VPN. The module not only accelerates the Data Encryption Standard (DES), Triple DES (3DES) and Advanced Encryption Standard (AES) algorithms used in IPSec, but also handles many other IPSec-related tasks: hashing, key exchange and storage of security associations. In doing so, the VPN module frees the Cisco 1700, 2600, 3600, and 3700 Series processor to run other routing, voice and firewall features.
Q. What is the maximum DES/3DES/AES-128 IPSec performance with 1400-byte packets for the Cisco 1700, 2600, 3600, and 3700 Series using the VPN Module?
A. Cisco 2650/51XM with AIM-VPN/BPII or AIM-VPN/BPII-PLUS will give 10 Mbps throughput with IMIX traffic, 22 Mbps throughput with a packet size of 1400 bytes, and support 800 tunnels.
Q. What is the maximum AES-192/256 IPSec performance with IMIX packets for the Cisco 1700, 2600, 3600, and 3700 Series using the VPN Module?
A. Cisco 2650/51XM with AIM-VPN/BPII will give 8.5 Mbit/s throughput with IMIX traffic for AES-192 and 256. BPII-PLUS will give around 10 Mbps performance.
-----------------------------------------
In addition, you should know that this card is EOL according to:
http://www.Cisco.com/en/us/products/HW/routers/ps274/prod_eol_notice0900aecd802d3d0b.html
It is still supported until 2010 and will work well for you; it is simply not as fast with AES-192 and AES-256 as the PLUS version of the same card, which was hardware-optimized especially for large key sizes. If you use 3DES or AES-128, then there is no difference in performance.
-
Hi all
I have a spare 2811 router that I would like to use as a temporary Easy VPN server.
The router IOS is already upgraded to Advanced Security 15.0 K9.
My question: is the AIM-VPN a real card/module on the motherboard of the router, or does it just show up once the router has been upgraded to a security IOS?
#sh ver | i IOS
Cisco IOS software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)
#sh inv
NAME: "2811 chassis", DESCR: "2811 chassis"
PID: CISCO2811, VID: V02, SN: FTX0911Cxxx
NAME: "PVDMII DSP SIMM with a DSP on the Slot 0 SubSlot 4", DESCR: "PVDMII DSP SIMM with a DSP"
PID: PVDM2-16, VID: V01, SN: FOC13071xx
NAME: "Virtual Private Network (VPN) Module on Slot 0", DESCR: "Encryption AIM Element"
PID: AIM-VPN/EPII-PLUS, VID: v01, SN: FOC09072xx
You now have two VPN modules in your router:
- The module for basic needs
- The module you see in "show inventory", which is placed in the onboard AIM connector. This module has higher throughput and supports a greater number of tunnels, and will be used by default.
There are many examples of EzVPN configuration guide:
If it is more than a temporary solution, I would also consider using an ASA for remote access VPN. EzVPN is more or less obsolete, and the ASA has many more features with the AnyConnect client. On the router, you can also configure remote access for AnyConnect, but it is much more complicated.
-
Hi all
I found that the 2600XM supports IPPCP compression for IPSec VPN. It seems that it is supported only with a VPN module, is that right?
What if I don't have a VPN module, but want to configure IPSec VPN and compression for a low-speed connection?
BTW, can IPSec VPN and "compress stac" co-exist?
Also, what kind of compression is supported on the 28xx with IPSec VPN?
Thank you very much.
MAK
MAK,
It depends on the installed VPN module. The earlier ones support compression, but the compression is performed in software, not on the card, which offers only encryption. For this to work, you must run IOS 12.2(13)T or later.
If you are running an earlier IOS, you cannot use compression alongside the encryption AIM cards at all.
The latest AIM-VPN/?PII cards support IPPCP in hardware.
More information is here:
http://www.Cisco.com/en/us/products/HW/routers/ps259/products_data_sheet09186a0080088750.html
This link has information on the software compression feature released in 12.2(13)T.
Thus, the options you have depend on the IOS and the AIM card you have:
Early IOS and early card: no compression.
12.2(13)T or later IOS and early card: hardware encryption, software compression.
Latest card and supporting IOS: hardware encryption and compression.
I'm unsure of the 2800 series; I would expect that they support the latest hardware compression and encryption.
Andy
-
Is ICMP required for site-to-site VPN?
Hello
I'm trying to set up a site-to-site VPN connection between a Cisco 1841 with the AIM-VPN-SSL-1 module and a NEC IX2015. We use a GRE tunnel with IPSec.
The problem we have is that the NEC router will not respond to ICMP packets (and there is no way to get it to respond). Will this cause problems with the tunnel?
Thank you!
Paul
I don't think that it will cause any problem. The most it means is that you will not be able to ping to test connectivity. Other than that, the IPSec LAN-to-LAN tunnel should work just fine.
-
After "without Accelerator crypto engine" No. VPN PLUS
Hello
In my test lab, I have a Cisco 1841 with an AIM-VPN/BPII-PLUS card. Everything worked well until I tried to see the difference with and without the accelerator.
Since IOS told me it would switch to the SW accelerator instead of the HW accelerator, I can't make it work anymore.
I have a copy of the full working configuration from before I did this; I put it back on my router but still no VPN.
Any idea what is not working?
Here below is some information on the VPN module, ISAKMP SA and crypto map:
AIM Module in slot: 0
PCB Serial Number : FOC09081PNE
Hardware Revision : 1.0
Top Assy. Part Number : 800-24660-01
Board Revision : D0
Deviation Number : 0
Fab Version : 03
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
CLEI Code : CNS931XAAA
Product (FRU) Number : AIM-VPN/BPII-PLUS
Version Identifier : NA
EEPROM format version 4
EEPROM contents (hex):
ROUTER1841#sh crypto map
Crypto Map "Tunnel0-head-0" 65536 ipsec-isakmp
Profile name: cisco
Security association lifetime: 4608000 kilobytes/120 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
solid: { esp-3des esp-md5-hmac } ,
}
Interfaces using crypto map Tunnel0-head-0:
Tunnel0
Crypto Map "clientmap" 10 ipsec-isakmp
Dynamic map template tag: dynmap
Interfaces using crypto map clientmap:
FastEthernet0/0
ROUTER1841#
Best regards
Didier
Did you disable the VPN tunnel after disabling the VPN accelerator card?
You need to do:
clear cry ipsec sa
clear cry isa sa
Then generate the interesting traffic again and please share the output of:
sh cry isa sa
sh cry ipsec sa
If the VPN is not up, you can enable debug and share the output:
debug cry isa
debug cry ipsec
-
C1841 without the BUILD - IN Module, Bill VPN is a VPN MODULE?
Hello
Yesterday I just got a new router found on eBay.
When I boot it I see 2 FastEthernet interfaces (this is normal and I see them) BUT it also shows me 1 Virtual Private Network (VPN) Module.
Before opening this new router I tried something like:
sh hardware
sh crypto engine brief
sh cry engine accelerator stat
Here below you have the results:
I opened the ROUTER and I see:
NO ADDITIONAL MEMORY
NO VPN MODULE
Did Cisco do something with a built-in VPN module?
Thanks in advance for your help
Best regards
Didier
Router#sh hardware
Cisco IOS Software, 1841 (C1841-ADVSECURITYK9-M), Version 12.4(24)T1, RELEASE SOFTWARE (fc3)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Updated Saturday 19 June 09 14:00 by prod_rel_team
ROM: System Bootstrap, Version 12.4 (13r) T, RELEASE SOFTWARE (fc1)
Router uptime is 9 hours, 47 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advsecurityk9-mz.124-24.T1.bin"
This product contains cryptographic features and is under the United States
States and local laws governing the import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third party approval to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. laws and local countries. By using this product you
agree to comply with the regulations and laws in force. If you are unable
to satisfy the United States and local laws, return the product.
A summary of U.S. laws governing Cisco cryptographic products to:
http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html
If you need assistance please contact us by mail at
Cisco 1841 (revision 7.0) with 118784K/12288K bytes of memory.
Processor board ID FCZ1217905C
2 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
250880K bytes of ATA CompactFlash (Read/Write)
Configuration register is 0x3922
Router#
Router#sh crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
HW Version: 1.0
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0000
Maximum SA index: 0000
Maximum Flow index: 0300
Maximum RSA key size: 0000
crypto lib version: 20.0.0
crypto engine in slot: 0
platform: VPN hardware accelerator
crypto lib version: 20.0.0
Router#sh cry engine accelerator stat
Device: FPGA
Location: Onboard: 0
:Statistics for encryption device since the last clear
of counters 35534 seconds ago
68607 packets in 68607 packets out
49819692 bytes in 50341181 bytes out
1 paks/sec in 1 paks/sec out
11 Kbits/sec in 11 Kbits/sec out
29298 packets decrypted 39309 packets encrypted
4074464 bytes before decrypt 45745228 bytes encrypted
2537109 bytes decrypted 47804072 bytes after encrypt
0 packets decompressed 0 packets compressed
0 bytes before decomp 0 bytes before comp
0 bytes after decomp 0 bytes after comp
0 packets bypass decompr 0 packets bypass compres
0 bytes bypass decompres 0 bytes bypass compressi
0 packets not decompress 0 packets not compressed
0 bytes not decompressed 0 bytes not compressed
1.0:1 compression ratio 1.0:1 overall
Last 5 minutes:
11 packets in 11 packets out
0 paks/sec in 0 paks/sec out
32 bits/sec in 28 bits/sec out
496 bytes decrypted 329 bytes encrypted
13 Kbits/sec decrypted 8 Kbits/sec encrypted
1.0:1 compression ratio 1.0:1 overall
FPGA:
DS: 0x6538DE50 idb:0x6538CD08
Statistics for Virtual Private Network (VPN) Module:
68607 packets in 68607 packets out
1 paks/sec in 1 paks/sec out
11 Kbits/sec in 11 Kbits/sec out
29298 packets decrypted 39309 packets encrypted
package overruns: 0 packets output dropped: 0
tx_hi_drops: 0 fw_failure: 0
invalid_sa: 0 invalid_flow: 0
null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0
esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0
ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0
esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0
obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0
invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0
no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0
pak_too_big: 0
tx_lo_queue_size_max 0 cmd_unimplemented: 0
flow_cfg_mismatch 0 flow_ip_add_mismatch: 0
unknown_protocol 0 bad_particle_align: 0
35535 seconds since the last cleaning counters
Interruptions: Notification = 54892
Router #.
The onboard VPN module can certainly improve VPN performance compared to pure software VPN, but is not as good as the AIM-VPN module.
So, this will depend on your vpn traffic load, etc...
-
Hello
I would like to know if the AIM-VPN/EPII-PLUS (currently installed in an ISR 2821) is compatible with the 1841 modular router?
Thank you.
No, unfortunately AIM-VPN/EPII-PLUS is supported only on the 2800 series and 3825 routers.
In the 1841, you need AIM-VPN/BPII-PLUS.
Here's the Q & A for your reference:
-
I have a 2 Mbps link and we want to enable IPsec 3DES on it. If, say, 50% of the link is in use at this point and I activate IPsec 3DES, what bandwidth will be utilized after activating IPsec?
3662 w/AIM-VPN/HPII - 2mbps link - 3662 w/AIM-VPN/HPII
The answer depends on whether you use 3DES to encrypt new traffic that currently does not flow on your existing link, such as for the establishment of a new remote site location. If the encrypted traffic is new, that is, something extra which does not affect the current flows, then you will need to analyze the traffic pattern.
I think that IPsec will add about 50 to 80 bytes for each packet, depending on whether AH will be used as well as ESP, whether GRE will be used, and whether tunnel mode (new IP headers) will be used too. (Add 24 bytes for AH, 24 bytes for GRE and 20 bytes for the new IP header.)
If the IPSec VPN will be used only for existing traffic, instead of new flows, the link utilization should not increase that much. It costs more CPU time than bandwidth, and I see that you are offloading to encryption cards.
Let me know if you need anything else.
-
3DES IPSEC, the tunnels on routers
Can someone give me a suggested limit on the number of IPSEC tunnels that can be terminated on a Cisco 3745, 2611, 1721? When do you recommend the hardware accelerator?
The load on the routers is minimal. Memory requirements have not been specified. How much does memory influence the recommendations?
Thank you!
I think I understand your question?
Maximum number of encrypted tunnels:
- Up to 100 encrypted tunnels on a 1700
- Up to 300 tunnels on Cisco 2600
- Up to 800 for 2650 with AIM-VPN/EP
- Up to 800 tunnels for the Cisco 2600XMs, 2691 and 3725
- Up to 800 tunnels on Cisco 3620 and 3640
- Up to 2000 tunnels on Cisco 3660 and 3745
-
Hello
I'm trying to determine if this router supports AES 256 encryption.
CISCO2821-HSEC/K9 2821 Bundle w/AIM-VPN/SSL-2, Adv. IP Serv, SSL 10 S28NAISK9 - 12409T Cisco 2800 ADVANCED IP SERVICES 1
AIM-VPN/SSL-2 a / 3DES / AES / SSL VPN encryption/Compression 1
From the software feature locator I can't determine the level of AES, only that it does AES; can anyone help?
John,
AES is part of the IPsec standard; an IOS K9 image with IPsec support should have AES, which automatically supports the 128, 192 and 256 bit encryption algorithm.
To verify on the router simply do:
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#encryption aes ?
Here is a link, if you want to use it as a reference.
Rgds
-Jorge