2611XM w/ AIM-VPN/EP

I'll implement router-to-router IOS VPN using the 2611XM VPN, which includes an AIM-VPN/EP card. According to Cisco's Software Advisor tool, the minimum software versions supported per train for this card are: 12.2(11)YT, 12.2(15)ZJ, 12.3(1). I'm having a hard time grasping the concept of "minimum version". Does that mean I can't run 12.2(15)T5, which the ZJ train comes from? Has anyone else successfully run the AIM-VPN/EP module on a different code version?

I do not know what is happening with the Software Advisor, but the AIM-VPN/EP has been supported since 12.2(8)T1, so you could certainly run 12.2(15)T with it.

Tags: Cisco Security

Similar Questions

  • Module AIM-VPN/SSL-2

    Does anyone know if the GRE tunnels can be used with the AIM-VPN/SSL-2 module for the Cisco 2800 series routers?

    Yes, we use it with GRE/IPSec.

    Hope that helps.

  • MODULE AIM-VPN/EP of C2621 in C1841?

    Hello

    For some tests in my lab, I ordered an AIM-VPN board on eBay; the guy told me that it works in a C1841.

    Compared to the one I have in my C2621, they look the same.

    On both PCBs I can read: CN6I280AAA

    When I put it I get this:

    Smart init is enabled

    Smart init is sizing iomem

    MEMORY_REQ TYPE ID

    Swimming pools public buffer 0X003AA110

    Swimming pools public particle 0 X 00211000

    0002A 0 AIM UNKNOWN

    Pools of crypto module 0 x 00020000

    0X000021B8 embedded USB

    Do you think that the card works?

    Thank you for your help.

    Best regards

    Didier

    Didier,

    Can you please attach the output of:

    -show ver

    -show diag

    -show inv

    -show logg (if after boot)

    -show crypto eli

    -show crypto engine config

    Let's see what is the name of the beast ;-)

    Marcin

  • Problem loading AIM-VPN/HPII on C3745

    I tried the latest mainline and T train without success. I get the following errors on both of two identical 3745 routers with 2 identical AIM modules:

    on the 12.3

    * 00:01:07.419 Mar 1: % VPN_HW-1-INITFAIL: Slot 1: No. ACK for order.., 0 x 80000000(50000 ms)

    * 00:01:07.419 Mar 1: % VPN_HW-1-INITFAIL: Slot 1: do mini_omq failed: 00180010

    * 00:01:07.419 Mar 1: % VPN_HW-1-INITFAIL: Slot 1: firmware download failed

    on 12.4

    * 00:01:09.995 Mar 1: % VPN_HW-1-INITFAIL: Slot 1: No. ACK for order.., 0 x 80000000(50000 ms)

    * 00:01:09.995 Mar 1: % VPN_HW-1-INITFAIL: Slot 1: do mini_omq failed: 00180010

    After mbox fail:

    * 00:01:09.995 Mar 1: base address register is: 3 A 800000

    * 00:01:09.995 Mar 1: versionid = 00140002

    Any suggestion would be appreciated.

    Module AIM location: 1

    Hardware revision: 1.0

    Number of albums part together: 800-18028-01

    Review Board: C0

    Deviation number: 0-0

    Fab Version: 03

    Serial number of PCB: FOC08101AN8

    History of the RMA tests: 00

    RMA number: 0-0-0-0

    RMA history: 00

    Product number (FRU): AIM-VPN/HPII

    Version identifier: v01

    EEPROM 4 format version

    Table of contents EEPROM (hex):

    0 X 00: 0 B 04 FF 40 03 41 01 00 C0 46 03 20 00 46 01 6

    Check the DRAM to see whether the memory modules have different capacities; I have encountered this problem.

  • AIM-VPN/SSL-2 installation in Cisco 2821

    Hi all

    I have a Cisco 2821 router with IOS version 12.4(25d).

    I also have the Cisco AIM-VPN/SSL-2 encryption module for this router.

    I have inserted this module into AIM slot 0 but cannot see it.

    I found in KB:

    http://www.Cisco.com/en/us/docs/iOS/12_4t/12_4t11/htvpnssl.html#wp1067692

    but I have no 'crypto engine aim' command

    Router(config)#crypto engine ?

    Unit? hardware Crypto Accelerator

    Embedded onboard Crypto engine

    software software encryption engine

    When the system starts up, I see:

    0004F4 AIM UNKNOWN

    What should I change to activate this module?

    Thank you.

    Julie,

    AIM/SSL engines require IOS 12.4(9)T at least, while you are running an older 12.4 mainline version.

    http://www.Cisco.com/en/us/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers_ps5853_Products_Data_Sheet.html

    Marcin

  • VPN throughput on a 2651XM router

    Where can I find this info?

    Also, I got the used router (for nearly nothing $) but I know it's a value of some $$$. Where can I find out what model it is exactly? 'show version' doesn't show much.

    Oh sorry, I pasted the partner link. Unfortunately this doesn't seem to be available as a non-partner link, so here's a copy of the relevant pieces of it:

    --------------------------------------

    AIM-VPN/BPII is only supported in the Cisco 2600XMs. It has support for DES/3DES and AES (optimized for AES128 only) as well as Layer 3 Compression (IPPCP). This module requires Cisco IOS version 12.2(15)ZJ and later versions.

    AIM-VPN/BPII-PLUS is only supported in the Cisco 2600XMs. AIM-VPN/EPII-PLUS is supported in the 2691 and 3725 only. The BPII-PLUS and EPII-PLUS support DES/3DES and are optimized for all AES key sizes (AES128, AES192 and AES256) with Layer 3 Compression (IPPCP). These modules are supported in 12.3(5c), 12.3(6) and later for mainline releases and 12.3(7)T and later for T releases.

    Q. What function does the VPN Module perform?

    A. The VPN Module for the Cisco 1700, 2600, 3600, and 3700 Series optimizes the platform for IPSec VPNs. The module accelerates not only the Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) algorithms used in IPSec, but also handles many other IPSec-related tasks: hashing, key exchange, and storage of security associations. In doing so, the VPN module frees the Cisco 1700, 2600, 3600, and 3700 series processor to run other router, voice, and firewall features.

    Q. What is the maximum DES/3DES/AES-128 IPSec performance with 1400-byte packets for the Cisco 1700, 2600, 3600, and 3700 series using the VPN Module?

    A. Cisco 2650/51XM with AIM-VPN/BPII or AIM-VPN/BPII-PLUS will give 10 Mbps throughput with IMIX traffic, 22 Mbps throughput with a packet size of 1400 bytes, and support 800 tunnels.

    Q. What is the maximum AES-192/256 IPSec performance with IMIX packets for the Cisco 1700, 2600, 3600, and 3700 series using the VPN Module?

    A. Cisco 2650/51XM with AIM-VPN/BPII will give 8.5 Mbit/s throughput with IMIX traffic for AES-192 and 256. BPII-PLUS will give around 10 Mbps performance.

    -----------------------------------------

    In addition, you should know that this card is EOL according to:

    http://www.Cisco.com/en/us/products/HW/routers/ps274/prod_eol_notice0900aecd802d3d0b.html

    It is still supported until 2010 and will work well for you; it is simply not as fast with AES-192 and AES-256 as the PLUS version of the same card, which was hardware-optimized especially for large key sizes. If you use 3DES or AES-128, then there is no difference in performance.

  • EZVPN 2811 router VPN module

    Hi all

    I have a spare 2811 router that would like to use for the temporary easy VPN server.

    The router IOS is already upgraded to Advanced Security 15.0 K9.

    My question: is the AIM-VPN a real card/module on the motherboard of the router, or does it just show up once the router has been upgraded to a security IOS?

    sh ver | i IOS
    Cisco IOS software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 15.0 (1) M8, RELEASE SOFTWARE (fc1)

    #sh inv
    NAME: "2811 chassis", DESCR: "2811 chassis"
    PID: CISCO2811, VID: V02, SN: FTX0911Cxxx

    NAME: "PVDMII DSP SIMM with a DSP on the Slot 0 SubSlot 4", DESCR: "PVDMII DSP SIMM with a DSP"
    PID: PVDM2-16, VID: V01, SN: FOC13071xx

    NAME: "virtual private network (VPN) on the Slot Module 0", DESCR: "encryption AIM Element"
    PID: AIM-VPN/EPII-PLUS, VID: v01, SN: FOC09072xx

    You now have two VPN modules in your router:

    1. The module for basic needs
    2. The module you see in "show inventory", which is placed in the onboard AIM connector. This module has higher throughput and supports a greater number of tunnels, and it will be used by default.

    There are many examples in the EzVPN configuration guide:

    http://www.Cisco.com/c/en/us/TD/docs/iOS-XML/iOS/sec_conn_esyvpn/configuration/15-Mt/sec-easy-VPN-15-Mt-book/sec-easy-VPN-Srvr.html

    If it is more than a temporary solution, I would also consider using an ASA for remote access VPN. EzVPN is more or less obsolete, and the ASA has many more features with the AnyConnect client. On the router, you can also configure remote access for AnyConnect, but it is much more complicated.

  • IPSec VPN with compression

    Hi all

    I find that the 2600XM supports IPPCP compression for IPSec VPN. It seems that it is supported only with a VPN module, is that right?

    What if I don't have a VPN module, but configure IPSec VPN and compression for a low-speed connection?

    BTW, can IPSec VPN and "compress stac" co-exist?

    Also, what kind of compression is supported on the 28xx with IPSec VPN?

    Thank you very much.

    MAK

    MAK,

    It depends on the installed VPN module. The earlier ones support compression, but the compression is performed in software, not on the card, which offers only encryption. For this to work, you must run IOS 12.2(13)T or later.

    If you are running an earlier IOS, you cannot use compression alongside the encryption AIM cards at all.

    The latest AIM-VPN/?PII cards support IPPCP in hardware.

    More information is here:

    http://www.Cisco.com/en/us/products/HW/routers/ps259/products_data_sheet09186a0080088750.html

    This link has information on the software compression feature released in 12.2(13)T:

    http://www.Cisco.com/en/us/products/SW/iosswrel/ps1839/products_feature_guide09186a0080110c00.html#1027177

    Thus, the options you have depend on the IOS and the AIM card you have.

    Early IOS and early card: no compression.

    IOS 12.2(13)T and early card: hardware encryption, software compression.

    Latest card and supporting IOS: hardware encryption and compression.

    I'm unsure about the 2800 series; I would expect them to support the latest hardware compression and encryption.

    Andy

  • Is ICMP required for site-to-site VPN?

    Hello

    I'm trying to set up a site-to-site VPN connection between a Cisco 1841 with the AIM-VPN-SSL-1 module and a NEC IX2015. We use a GRE tunnel with IPSec.

    The problem we have is that the NEC router will not respond to ICMP packets (and there is no way to get it to respond). Will this cause problems with the tunnel?

    Thank you!

    Paul

    I do not think that it will cause any problem. The most it means is that you are not able to ping to test connectivity. Other than that, the IPSec LAN-to-LAN tunnel should work just fine.

  • After "no crypto engine accelerator", no more VPN

    Hello

    In my test lab, I have a Cisco 1841 with an AIM-VPN/BPII-PLUS board. Everything worked well until I looked at the difference with and without the accelerator.

    Ever since IOS told me it would switch to the SW accelerator instead of the HW accelerator, I can't make it work anymore.

    I have a copy of the full working configuration from before I did this. I put it back on my router, but there is still NO VPN.

    Any idea what does not work?

    Here below some information on VPN + SA ISAKMP CRYPTO map:

    Module AIM location: 0

    Serial number of PCB: FOC09081PNE

    Hardware revision: 1.0

    Number of albums part together: 800-24660-01

    Review on board: D0

    Deviation number: 0

    Fab Version: 03

    History of the RMA tests: 00

    RMA number: 0-0-0-0

    RMA history: 00

    CLEI Code: CNS931XAAA

    Product number (FRU): AIM-VPN/BPII-PLUS

    Version identifier: NA

    EEPROM 4 format version

    Table of contents EEPROM (hex):

    ROUTER1841#sh crypto map

    Card crypto isakmp-65536-"Head-Tunnel0-0" ipsec

    Profile name: cisco

    Life safety association: 4608000 kilobytes / 120 seconds

    Answering machine-only (Y/N): N

    PFS (Y/N): N

    Transform sets = {}

    solid: {esp-3des esp-md5-hmac},.

    }

    Interfaces using crypto map Tunnel0-head-0:

    Tunnel0

    "Clientmap" ipsec-isakmp crypto map 10

    Dynamic map template tag: dynmap

    Interfaces using map clientmap crypto:

    FastEthernet0/0

    ROUTER1841 #.

    Best regards
    Didier

    Did you disable the VPN tunnel after disabling the VPN accelerator card?

    You need to do:

    clear cry ipsec sa

    clear cry isa sa

    Then generate the interesting traffic again and please share the output of:

    sh cry isa sa

    sh cry ipsec sa

    If the VPN does not come up, you can enable debug and share the output:

    debug cry isa

    debug cry ipsec

  • C1841 without the BUILD - IN Module, Bill VPN is a VPN MODULE?

    Hello

    Yesterday I got a new router that I found on eBay.

    When I boot it I see 2 FastEthernet Interfaces (this is normal and I see them) BUT it also shows me 1 Module of virtual private network (VPN).

    Before opening this new router I tried a few commands:

    sh hardware

    SH crypto multicylindres

    sh cry engine accelerator stat

    Here below you have the results:

    I opened the ROUTER and I see:

    NO ADDITIONAL MEMORY

    NO VPN MODULE

    Did you do something with a built-in CISCO VPN module

    Thanks in advance for your help

    Best regards

    Didier

    Router#sh hardware

    Cisco IOS Software, 1841 (C1841-ADVSECURITYK9-M), Version 12.4 (24) T1, VERSION of the SOFTWARE (fc3)

    Technical support: http://www.cisco.com/techsupport

    Copyright (c) 1986-2009 by Cisco Systems, Inc.

    Updated Saturday 19 June 09 14:00 by prod_rel_team

    ROM: System Bootstrap, Version 12.4 (13r) T, RELEASE SOFTWARE (fc1)

    The availability of router is 9 hours, 47 minutes

    System to regain the power ROM

    System image file is "flash: c1841-advsecurityk9 - mz.124 - 24.T1.bin".

    This product contains cryptographic features and is under the United States

    States and local laws governing the import, export, transfer and

    use. Delivery of Cisco cryptographic products does not imply

    third party approval to import, export, distribute or use encryption.

    Importers, exporters, distributors and users are responsible for

    compliance with U.S. laws and local countries. By using this product you

    agree to comply with the regulations and laws in force. If you are unable

    to satisfy the United States and local laws, return the product.

    A summary of U.S. laws governing Cisco cryptographic products to:

    http://www.Cisco.com/WWL/export/crypto/tool/stqrg.html

    If you need assistance please contact us by mail at

    [email protected].

    Cisco 1841 (revision 7.0) with 118784K / 12288K bytes of memory.

    Card processor ID FCZ1217905C

    2 FastEthernet interfaces

    1 module of virtual private network (VPN)

    Configuration of DRAM is 64 bits wide with disabled parity.

    191K bytes of NVRAM memory.

    250880K bytes of ATA CompactFlash (read/write)

    Configuration register is 0 x 3922

    Router #.

    Router #sh crypto multicylindres

    crypto engine name: virtual private network (VPN) Module

    crypto engine type: hardware

    Status: enabled

    Geographical area: 0 on board

    Name of product: edge-VPN

    HW Version: 1.0

    Compression: Yes

    A: Yes

    3 a: Yes

    AES - CBC: Yes (128,192,256)

    AES CNTR: No.

    Maximum length of the buffer: 4096

    Index maximum DH: 0000

    Maximum ITS index: 0000

    Maximum fluidity index: 0300

    The maximum size of the RSA key: 0000

    version of crypto lib: 20.0.0

    engine crypto in the slot: 0

    platform: hardware VPN Accelerator

    version of crypto lib: 20.0.0

    Router #sh cry engine Accelerator stat

    Device: FPGA

    Location: on board: 0

    : Statistics for device encryption since the last clear

    counters 35534 seconds ago

    68607 68607 out packages packages

    49819692 bytes in 50341181 bytes on

    1 paks/s to 1 output paks/s

    11 Kbps in 11 Kbits/sec out

    29298 decrypted packets 39309 encrypted packets

    4074464 bytes before decipher 45745228 encrypted bytes

    2537109 bytes decrypted 47804072 bytes after encrypt

    0 0 packets compressed decompressed packets

    0 bytes before Dang 0 bytes before comp

    0 bytes after Dang 0 bytes after model

    0 packets bypass decompression 0 by-pass compressor packages

    Derivation of 0 bytes 0 bytes decompression work around compressi

    0 packets not unzip 0 uncompressed packages

    0 bytes not decompressed 0 bytes not compressed

    1.0:1 overall compression ratio 1.0:1

    last 5 minutes:

    11 packages into 11 out packets

    0 paks/sec output paks/s 0

    32-bit/s at 28 bits/sec out

    496 bytes decrypted 329 bytes encrypted

    13 decrypted Kbps 8 Kbps encrypted

    1.0:1 overall compression ratio 1.0:1

    FPGA:

    DS: 0x6538DE50 idb:0x6538CD08

    Statistics for virtual private network (VPN) Module:

    68607 68607 out packages packages

    1 paks/s to 1 output paks/s

    11 Kbps in 11 Kbits/sec out

    29298 decrypted packets 39309 encrypted packets

    package overruns: 0 packets output dropped: 0

    tx_hi_drops: 0 fw_failure: 0

    invalid_sa: 0 invalid_flow: 0

    null_ip_error: 0 pad_size_error: 0 out_bound_dh_acc: 0

    esp_auth_fail: 0 ah_auth_failure: 0 crypto_pad_error: 0

    ah_prot_absent: 0 ah_seq_failure: 0 ah_spi_failure: 0

    esp_prot_absent:0 esp_seq_fail: 0 esp_spi_failure: 0

    obound_sa_acc: 0 invalid_sa: 0 out_bound_sa_flow: 0

    invalid_dh: 0 bad_keygroup: 0 out_of_memory: 0

    no_sh_secret: 0 no_skeys: 0 invalid_cmd: 0

    pak_too_big: 0

    tx_lo_queue_size_max 0 cmd_unimplemented: 0

    flow_cfg_mismatch 0 flow_ip_add_mismatch: 0

    unknown_protocol 0 bad_particle_align: 0

    35535 seconds since the last cleaning counters

    Interruptions: Notification = 54892

    Router #.

    The onboard VPN module can certainly improve VPN performance compared to pure software VPN, but it is not as good as the AIM-VPN module.

    So, this will depend on your VPN traffic load, etc.

  • 1841 VPN Interface module

    Hello

    I would like to know if the AIM-VPN/EPII-PLUS (currently installed in an ISR 2821) is compatible with the 1841 modular router?

    Thank you.

    No, unfortunately AIM-VPN/EPII-PLUS is supported only on the 2800 series and 3825 routers.

    In the 1841, you need AIM-VPN/BPII-PLUS.

    Here's the Q & A for your reference:

    http://www.Cisco.com/en/us/prod/collateral/routers/ps5854/prod_qas0900aecd80516d81_ps5853_Products_Q_and_A_Item.html

  • Use of bandwidth IPSEC 3Des

    I have a 2 Mbps link and we want to enable IPsec 3DES on it. If, say, 50% of the link is in use at that point and I activate IPsec 3DES, what bandwidth will be utilized after IPsec is activated?

    3662 w/AIM-VPN/HPII - 2mbps link - 3662 w/AIM-VPN/HPII

    The answer depends on whether you use 3DES to encrypt new traffic that currently does not flow on your existing link, such as for the establishment of a new remote site location. If the encrypted traffic is new, something extra which does not affect the current flows, then you will need to analyze the traffic structure.

    I think that IPsec will add about 50 to 80 bytes to each packet, depending on whether AH will be used as well as ESP, whether GRE will be used, and whether tunnel mode (new IP headers) will be used too. (Add 24 bytes for AH, 24 bytes for GRE and 20 bytes for the new IP header.)

    If the IPsec VPN will be used only for existing traffic, instead of new flows, the link utilization should not increase that much. It is more a matter of CPU time than bandwidth, and I see that you are offloading to encryption cards.

    Let me know if you need anything else.

  • 3DES IPSEC, the tunnels on routers

    Can someone give me a suggested limit on the number of IPSEC tunnels that can be terminated on Cisco 3745, 2611, 1721? When do you recommend the hardware accelerator?

    The load on the routers is minimal. Memory requirements have not been specified. How much does memory influence the recommendations?

    Thank you!

    I think I understand your question?

    -Maximum number of encrypted tunnels:

    -Up to 100 encrypted tunnels on a 1700

    -Up to 300 tunnels on Cisco 2600

    -Up to 800 for 2650 with aim-vpn/ep

    -Up to 800 tunnels for the Cisco 2600XMs, 2691 and 3725

    -Up to 800 tunnels on Cisco 3620 and 3640

    -Up to 2000 tunnels on Cisco 3660 and 3745

  • 2821 software - AES 256

    Hello

    I'm trying to determine if this router supports AES 256 encryption.

    CISCO2821-HSEC/K9 2821 Bundle w/AIM-VPN/SSL-2, Adv. IP Serv, SSL 10 S28NAISK9 - 12409T Cisco 2800 ADVANCED IP SERVICES 1

    AIM-VPN/SSL-2 a / 3DES / AES / SSL VPN encryption/Compression 1

    From the software feature locator I can't determine the level of AES, only that it does AES. Can anyone help?

    John,

    AES is part of the IPsec standard; an IOS K9 image with IPsec support should have AES, which automatically supports the 128-, 192-, and 256-bit encryption algorithm.

    To verify on the router simply do:

    Router(config)#crypto isakmp policy 1

    Router(config-isakmp)#encryption aes ?

    Here is a link, if you want to use it as a reference.

    http://www.Cisco.com/en/us/Partner/Tech/tk583/TK372/technologies_tech_note09186a0080094203.shtml#intro

    Rgds

    -Jorge
