VPN Encryption Module

Answered Question
Nov 19th, 2009

Hi


Show version on the router shows this output, but we didn't purchase a VPN Encryption Module.

Why does it show 2 VPN Modules? If I get a VPN module, how do I move the encryption from software to hardware?

Are there any tools to check the difference between software and hardware encryption for the Cisco 2851 box?



Cisco 2851 (revision 22.50) with 249856K/12288K bytes of memory.
Processor board ID FCZ3313122Y
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Richard Burts Fri, 11/20/2009 - 01:54

The 2800 series router comes with a VPN module built in and your show version is pretty clear that this router has the second optional module. You could use the show diag command to see more details about the VPN module.


When the VPN module is present the OS automatically moves the encryption from software to hardware. There is not a need for specific commands to activate it.


HTH


Rick

slmansfield Fri, 11/20/2009 - 11:17

I was curious about this issue, so I looked at one of our 2821's with the security bundle in it.  Sure enough, it shows in the output of SHOW VERSION that there are two VPN modules.  However, in the output of SHOW DIAG I only see one VPN module in slot 0.

I then checked this document.  https://www.cisco.com/en/US/docs/routers/access/2800/hardware/installation/guide/10_hw.html#wp1109723


In the section on verifying the AIM installation, the output of SHOW VERSION shows that there is only one VPN module.


It also says in several places the following stipulation:
Cisco 2811, Cisco 2821, and Cisco 2851 routers have two AIM connectors—AIM slot 0 and AIM slot 1. You can install a virtual private network (VPN) encryption AIM or a voice-mail AIM in either slot, but not in both slots. You can install voice and data compression AIMs and ATM AIMs in both slots.

paolo bevilacqua Fri, 11/20/2009 - 12:14

Post the full "show diag" here.

You can edit SN # if worried about that.

There are "show crypto" commands that tell you which HW is being used.

slmansfield Fri, 11/20/2009 - 12:25

#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 23-Mar-07 18:35 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

xxxxx uptime is x weeks, x days, x hours, x minutes
System returned to ROM by power-on
System restarted at 12:55:27 CDT Wed Jun 17 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-9.T3.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID xxxxxxx
2 Gigabit Ethernet interfaces
2 Serial interfaces
2 Channelized T1/PRI ports
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


sh diag
Slot 0:
        C2821 Motherboard with 2GE and integrated VPN Port adapter, 2 ports
        Port adapter is analyzed
        Port adapter insertion time unknown
        Onboard VPN             : v2.2.0
        EEPROM contents at hardware discovery:
        PCB Serial Number        : xxxxxxxxxxx
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-26921-02
        Board Revision           : A0
        Deviation Number         : 0
        Fab Version              : 03
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Processor type           : 87
        Hardware date code       : 20070329
        Chassis Serial Number    : xxxxxxxxxx
        Chassis MAC Address      : xxxxxxxxxx
        MAC Address block size   : 32
        CLEI Code                : COM3D00BRA
        Product (FRU) Number     : CISCO2821
        Part Number              : 73-8853-04
        Version Identifier       : V03
        EEPROM format version 4
        EEPROM contents (hex):

        WIC Slot 0:
        VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
        Hardware Revision        : 0.0
        Top Assy. Part Number    : 800-22629-05
        Board Revision           : B0
        Deviation Number         : 0
        Fab Version              : 04
        PCB Serial Number        : xxxxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : VWIC2-2MFT-T1/E1
        Version Identifier       : V01
        EEPROM format version 4
        EEPROM contents (hex):

        AIM Module in slot: 0
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-27059-01
        Board Revision           : A0
        Deviation Number         : 0-0
        Fab Version              : 02
        PCB Serial Number        : xxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : AIM-VPN/SSL-2
        Version Identifier       : V01
        EEPROM format version 4
        EEPROM contents (hex):

paolo bevilacqua Fri, 11/20/2009 - 13:28

You have an optional VPN module installed:


AIM Module in slot: 0
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-27059-01
        Board Revision           : A0
        Deviation Number         : 0-0
        Fab Version              : 02
        PCB Serial Number        : xxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : AIM-VPN/SSL-2


Please remember to rate useful posts with the scrollbox below.

Leo Laohoo Sat, 11/21/2009 - 14:59

Can you please post the result of sh inventory and sh crypto engine acc?  Thanks.

paolo bevilacqua Sat, 11/21/2009 - 17:40

What for? Show diag above is clear enough.

Leo Laohoo Sun, 11/22/2009 - 13:26

Hi Paolo,

If I read this correctly, the router has TWO (2) AIM-VPN, is this correct? 





paolo bevilacqua Sun, 11/22/2009 - 13:37

No, it has one.

Correct Answer
Richard Burts Mon, 11/23/2009 - 12:36

I believe that the most clear way to understand precisely what is in the router for encryption modules is to use the command show crypto engine brief. The output here clearly shows both the optional VPN module AIM-VPN/SSL1 in slot0 and the built in module Onboard-VPN (in location onboard 0).


sh crypto eng brief
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  aim 0
        VPN Module in slot:  0
              Product Name:  AIM-VPN/SSL-1
         Software Serial #:  55AA
                 Device ID:  001F - revision 0000
                 Vendor ID:  0000
               Revision No:  0x001F0000
              VSK revision:  0
              Boot version:  255
               DPU version:  0
               HSP version:  3.4(1) (PRODUCTION)
              Time running:  1w5d
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  1000
          Maximum SA index:  1000
        Maximum Flow index:  2000
      Maximum RSA key size:  2048


        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Disabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
                HW Version:  1.0
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  0000
          Maximum SA index:  0000
        Maximum Flow index:  0300
      Maximum RSA key size:  0000


        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  35C2FA40
       crypto engine state:  installed
     crypto engine in slot:  N/A


HTH


Rick

paolo bevilacqua Tue, 11/24/2009 - 02:50

You are welcome.


Please remember to rate useful posts with the scrollbox below.
