AIM-VPN/SSL-3 support for SHA256 or SHA384 on Cisco 3845?

Unanswered Question
Aug 31st, 2010

Setting up DMVPN WAN for a customer with Cisco 3845 (AIM-VPN) on the hub site and Cisco 2811 on the spoke sites.

Checked the IOS feature guide;

it mentioned that IOS 15.1(2)T supports IKE policy with the sha256 / sha384 hash algorithm:

crypto isakmp policy 15
     hash sha256

It also mentioned that IOS 15.1(2)T supports IKEv2 proposal with the sha256 / sha384 integrity algorithm.

Checked the CCO product datasheet on the AIM-VPN/SSL-3 module;

it mentioned that: All AIM-VPN modules support IPSec DES and 3DES; Authentication: Rivest, Shamir, and Adleman (RSA) and Diffie Hellman; data integrity: Secure Hash Algorithm 1 (SHA-1) and Message Digest Algorithm 5 (MD5); and DES, 3DES, and AES key sizes: AES128, AES192, and AES256.

Question 1: With IOS 15.1(2)T on c3845 with AIM-VPN module, can I run DMVPN with IKE/IPSEC transform-set parameter using AES256 & SHA256?

Question 2: If it is supported, is it done on the hardware AIM-VPN or will it be software processed by the c3845 main CPU? What is the expected performance (pps/Mbps) in a software processing case?

integrity {sha1 | sha256 | sha384 | md5}

pevaneyn Tue, 08/31/2010 - 06:33


As you found, the sha256 and sha384 hashes are not mentioned on the datasheet of the AIM-VPN/SSL-3.

This means that the card cannot handle those hashes.

IOS should fall back to the software engine if you are using these hashes.

If you are using them for the IKE part then the impact is limited to the key calculation time; if you do not renegotiate too often this is OK.

If you are going to use this in a transform-set for the IPSec traffic then this would have considerable impact, I have no number but I would not think this would be useful for anything except management-of-the-box traffic.

Best regards, Peter
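The split described in the reply above, as an added configuration sketch that is not part of the original thread or from Cisco documentation: SHA-256 only in the IKE policy, and an IPsec transform-set limited to AES-256 and SHA-1, both of which the quoted datasheet lists for the module. The key placeholder, the names DMVPN-TS and DMVPN-PROF, the Tunnel0 interface, pre-shared-key authentication and the lifetime are assumptions.

```cisco
! Constructed example. Key string, names and Tunnel0 are placeholders.
! The DH group and authentication method are deployment choices;
! pre-shared keys are assumed here and the group is left unset.
!
! IKE (phase 1): SHA-256 is not on the AIM-VPN/SSL-3 datasheet, so it is
! expected to run in the IOS software engine. It is only used during
! negotiation and rekey, so a long lifetime keeps the CPU cost small.
crypto isakmp policy 15
 encryption aes 256
 hash sha256
 authentication pre-share
 lifetime 86400
crypto isakmp key <PRE-SHARED-KEY> address 0.0.0.0 0.0.0.0
!
! IPsec (per-packet work): AES-256 with HMAC-SHA-1, both listed on the
! datasheet, so the data path does not depend on the software engine.
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! Remaining mGRE/NHRP tunnel configuration omitted.
interface Tunnel0
 tunnel protection ipsec profile DMVPN-PROF
!
! Checks once the tunnels are up (exec mode):
!   show crypto isakmp policy              (policy 15 shows the SHA-256 hash)
!   show crypto isakmp sa detail           (hash negotiated per IKE SA)
!   show crypto ipsec sa                   (transform in use per IPsec SA)
!   show crypto engine brief               (software and hardware engines present)
!   show crypto engine connections active  (which engine carries each SA)
```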

yongaik Tue, 08/31/2010 - 08:12

Any insight on the roadmap for this case?

I mean will AIM-VPN on c3845 support SHA256 in hardware with IOS upgrade in the near future?

Or is this not an upgradeable ASIC feature on the AIM-VPN module?

pevaneyn Tue, 08/31/2010 - 08:49


I have no insight on the future plans, however the AIM-VPN/SSL3 is an almost pure hardware solution. So I think that we will NOT see an upgrade.

However as this is IKE only this is not so dramatic as you might think.

Sorry, Peter

