
CPU overloaded on a 2611XM due to ipsec

mathieuploton
Level 1

Hello,

On my 2611XM (c2600-advsecurityk9-mz.123-11.T2.bin) with no vpn hardware module, my cpu is very overloaded due to the encrypt proc.

I know that the solution is to upgrade this box (or to purchase a VPN module). But I would like to know if there is any tuning to decrease the CPU load while waiting for this upgrade?

For the moment, it has three GRE/IPsec tunnels to reach other offices in my company. The transform set is esp-3des esp-sha-hmac.

Do you have any idea how I can decrease the CPU load, like changing the encryption algorithm?


spremkumar
Level 9

Hi

Instead of changing the encryption method, I would suggest checking whether you are allowing only the required interesting traffic to be encrypted rather than all the traffic between the sites.

Using a particular encryption method may be an architecture decision and may not comply if you change the same.

regds

This vpn router is used only to encrypt the relevant traffic. The other traffic is going to a PIX.

I can change the remote location to fit the encryption. I just need to know if there is an encryption algorithm that requires fewer resources. Any other tip will be helpful.

Thank you

The encryption mechanisms that you can choose from are DES/3DES or AES.

If the encryption is done in hardware you won't notice any difference.

If the encryption is done in software, then you might want to go with DES (not really recommended for security reasons) since 3DES or AES are more processor-demanding.

Federico.

Hello Federico,

As I said, unfortunately, there is no hardware crypto card.

My transform set is esp-3des esp-sha-hmac

The solution will be to go down to esp-des, right?

Thanks,

Yes,

You can try going to DES and MD5

Instead of:

esp-3des esp-sha-hmac

esp-des esp-md5-hmac

As well, if you have the same settings for phase 1, you can change them as well:

sh cry isa policy

Now, give this a try, but I don't think it is the right final solution.

Federico.
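
A small audit script for the phase 1 check mentioned in the last reply, added here as an example and not posted by anyone in the thread: it parses `show crypto isakmp policy` output and reports which protection suites use single DES or MD5, so a temporary downgrade stays visible until the hardware upgrade. The sample text is constructed, and the field labels it matches are assumed to follow the usual IOS layout of that command.

```python
import re

# Constructed sample in the layout of `show crypto isakmp policy` (not real router output).
SAMPLE = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Message Digest 5
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               86400 seconds, no volume limit
"""
HEADER = re.compile(r"Protection suite of priority (\d+)|Default protection suite")

def parse_policies(text):
    """Return {suite name: {field: value}}; names are the priority or 'default'."""
    policies, current = {}, None
    for line in text.splitlines():
        if not line[:1].isspace():           # unindented line starts a new block
            head = HEADER.match(line)
            name = (head.group(1) or "default") if head else None
            current = policies.setdefault(name, {}) if name else None
        elif current is not None and ":" in line:
            field, value = line.split(":", 1)
            current[field.strip().lower()] = value.strip()
    return policies

def weak_settings(policy):
    """Name the settings in one suite that fall below 3DES/SHA."""
    reasons = []
    if policy.get("encryption algorithm", "").startswith("DES"):
        reasons.append("single DES")         # 56-bit key
    if "Message Digest 5" in policy.get("hash algorithm", ""):
        reasons.append("MD5")
    return reasons

def audit(text):
    return {name: weak_settings(p) for name, p in parse_policies(text).items()}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"suite {name}: {', '.join(reasons) or 'no DES/MD5'}")
```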
