Cisco AIM-VPN - DES/3DES VPN Data Encryption AIM Module, DES, 3DES, AES User Manual

DES/3DES/AES VPN Encryption Module
(AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII
Family)

The DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII
Family) feature describes how to configure virtual private network (VPN) encryption hardware advanced
integration modules (AIM) and network modules (NM) in Cisco IOS Release 12.3(7)T.

Feature Specifications for the VPN Encryption Module

Feature History

Release Modification

12.2(13)T This feature was introduced on the Cisco 2691, Cisco 3660, Cisco 3725,
and Cisco 3745.

12.2(15)ZJ This feature was introduced on the AIM-VPN/BPII on the following
platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM,
Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T This feature was integrated into Cisco IOS Release 12.3(4)T.

12.3(5) This feature was revised to include support for the AIM-VPN/EPII,
AIM-VPN/HPII family of encryption modules and was integrated into
Cisco IOS Release 12.3(5).

12.3(6) This feature was revised to include support for the AIM-VPN/BPII-Plus on
the 2600XM encryption modules and was integrated into Cisco IOS
Release 12.3(6).

12.3(7)T This feature was revised to include support for the AIM-VPN/BPII-Plus
family of encryption modules and was integrated into Cisco IOS Release

12.3(7)T.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.

Corporate Headquarters:
Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright © 2004 Cisco Systems, Inc. All rights reserved.

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

Contents

Contents

• Prerequisites for DES/3DES/AES VPN Encryption Module, page 2

• How to Configure DES/3DES/AES VPN Encryption Module, page 3

• Additional References, page 3

• Command Reference, page 5

• Glossary, page 23

Prerequisites for DES/3DES/AES VPN Encryption Module

Installation Preconditions

• Cisco IOS Release 12.2(13)T or later.

Note See Table 1 for AIM/VPN Encryption Module support by Cisco IOS Release.

• A working IP network

For more information about configuring IP, refer to the Cisco IOS IP Configuration Guide, Release 12.3.

Choice of Encryption Module

Determine which VPN encryption module to use, as described in Tab le 1.

Table 1 AIM/VPN Encryption Module Support by Cisco IOS Release

Platform Encryption Module Support by Cisco IOS Release

12.2(13)T 12.3(4)T 12.3(5) 12.3(6) 12.3(7)T

Cisco 831 Software-based AES

Cisco 1710

Cisco 1711

Cisco 1721

Cisco 1751

Cisco 1760

Cisco 2600 XM — AIM-VPN/BPII-Plus Hardware Encryption

Cisco 2611 XM

Cisco 2621 XM

Cisco 2651 XM

Cisco 2691 XM AIM-VPN/EPII Hardware Encryption Module AIM-VPN/EPII-Plus

Software-based AES

Module

— AIM-VPN/BPII Hardware Encryption Module AIM-VPN/BPII-Plus

Hardware Encryption
Module

Hardware Encryption
Module

Cisco IOS Release 12.3(7)T

2

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

Restrictions for DES/3DES/AES VPN Encryption Module

Table 1 AIM/VPN Encryption Module Support by Cisco IOS Release

Platform Encryption Module Support by Cisco IOS Release

12.2(13)T 12.3(4)T 12.3(5) 12.3(6) 12.3(7)T

Cisco 3725 AIM-VPN/EPII Hardware Encryption

Module

Cisco 3660

Cisco 3745

AIM-VPN/HPII Hardware Encryption
Module

AIM-VPN/EPII-Plus Hardware Encryption Module

AIM-VPN/HPII-Plus Hardware Encryption Module

Restrictions for DES/3DES/AES VPN Encryption Module

• Rivest-Shamir-Adelman (RSA) manual keying is not supported.

• To achieve maximum benefit from hardware-assisted IP Payload Compression Protocol (IPPCP), it

is suggested that prefragmentation be disabled if IP compression with the Limpel Zif Stac (LZS)
algorithm is enabled on IP Security (IPSec) sessions.

How to Configure DES/3DES/AES VPN Encryption Module

There are no configuration tasks specific to the encryption hardware. Both software-based and
hardware-based encryption are configured in the same way. The system automatically detects the
presence of an encryption module at bootup and uses it to encrypt data. If no encryption hardware is
detected, software is used to encrypt data.

Additional References

The following sections provide additional references pertaining to VPN Encryption Modules.

Related Documents

Related Topic Document Title

Installation of VPN encryption modules Installing Advanced Integration Modules in Cisco 2600 Series,

Cisco 3600 Series, and Cisco 3700 Series Routers

ISDN configuration Cisco IOS ISDN Voice Configuration Guide, Release 12.3

Cisco 2600 series Cisco 2600 series routers documentation index on Cisco.com

Cisco IOS References Cisco IOS Security Configuration Guide, Release 12.3

Cisco IOS Security Command Reference, Release 12.3

Cisco IOS Release 12.3(7)T

3

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

Additional References

Standards

Standards Title

No new or modified standards are supported by this
feature, and support for existing standards has not been
modified by this feature.

—

MIBs

MIBs MIBs Link

No new or modified MIBs are supported by this
feature, and support for existing MIBs has not been
modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS
releases, and feature sets, use Cisco MIB Locator found at the
following URL:

http://www.cisco.com/go/mibs

RFCs

RFCs Title

2401–2410 IPSec AH, ESP

2401–2411 IPsec/IKE

2401–2451 IPsec/IKE

AES (NIST) Advanced Encryption Standard and The National Institute of

Standards and Technology

Technical Assistance

Description Link

Technical Assistance Center (TAC) home page,
containing 30,000 pages of searchable technical
content, including links to products, technologies,
solutions, technical tips, and tools. Registered
Cisco.com users can log in from this page to access
even more content.

http://www.cisco.com/public/support/tac/home.shtml

Cisco IOS Release 12.3(7)T

4

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

Command Reference

This section documents modified commands. All other commands used with this feature are documented
in the Cisco IOS Release 12.3 command reference publications.

• clear crypto engine accelerator counter

• crypto engine accelerator

• show crypto engine

• show crypto engine accelerator statistic

• show crypto engine accelerator ring

• show diag

Command Reference

Cisco IOS Release 12.3(7)T

5

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

clear crypto engine accelerator counter

clear crypto engine accelerator counter

To reset the statistical and error counters for a router’s hardware accelerator to zero, use the clear crypto
engine accelerator counter command in privileged EXEC mode.

clear crypto engine accelerator counter

Syntax Description This command has no arguments or keywords.

Defaults No default behavior or values

Command Modes Privileged EXEC

Command History

Examples The following example shows the router’s statistical and error counters being cleared to zero:

Related Commands

Release Modification

12.1(3)XL This command was introduced for the Cisco uBR905 cable access router.

12.2(2)XA Support was added for the Cisco uBR925 cable access router.

12.2(13)T This command was integrated into Cisco IOS Release 12.2(13)T and
implemented for the AIM-VPN/EPII & AIM-VPN/HPII on the following
platforms: Cisco 2691, Cisco 3660, Cisco 3725, and Cisco 3745.

12.2(15)ZJ This command was implemented for the AIM-VPN/BPII on the following
platforms: Cisco 2610XM, Cisco 2611XM, Cisco 2620XM,
Cisco 2621XM, Cisco 2650XM, and Cisco 2651XM.

12.3(4)T This command was integrated into Cisco IOS Release 12.3(4)T.

Router# clear crypto engine accelerator counter

Command Description

crypto ca Defines the parameters for the certification authority used for a

session.

crypto cisco Defines the encryption algorithms and other parameters for a

session.

crypto dynamic-map Creates a dynamic map crypto configuration for a session.

crypto engine accelerator Enables the use of the onboard hardware accelerator for IPSec

encryption.

crypto ipsec Defines the IPSec security associations and transformation sets.

crypto isakmp Enables and defines the IKE protocol and its parameters.

crypto key Generates and exchanges keys for a cryptographic session.

crypto map Creates and modifies a crypto map for a session.

Cisco IOS Release 12.3(7)T

6

DES/3DES/AES VPN Encryption Module (AIM-VPN/EPII, AIM-VPN/HPII, AIM-VPN/BPII Family)

Command Description

debug crypto engine accelerator
control

debug crypto engine accelerator
packet

show crypto engine accelerator
ring

show crypto engine accelerator

Displays each control command as it is given to the crypto
engine.

Displays information about each packet sent for encryption and
decryption.

Displays the contents of command and transmits rings for the
crypto engine.

Displays the active entries in the crypto engine SA database.

sa-database

show crypto engine accelerator
statistic

Displays the current run-time statistics and error counters for
the crypto engine.

show crypto engine brief Displays a summary of the configuration information for the

crypto engine.

show crypto engine configuration Displays the version and configuration information for the

crypto engine.

show crypto engine connections Displays a list of the current connections maintained by the

crypto engine.

clear crypto engine accelerator counter

Cisco IOS Release 12.3(7)T

7