08-31-2010 01:29 AM
Setting up a DMVPN WAN for a customer with a Cisco 3845 (AIM-VPN) at the hub site and Cisco 2811s at the spoke sites.
Checked the IOS feature guide;
it mentioned that IOS 15.1(2)T supports IKE policy with the sha256 / sha384 hash algorithm:
crypto isakmp policy 15
hash sha256
exit
It also mentioned that IOS 15.1(2)T supports IKEv2 proposals with the sha256 / sha384 integrity algorithm:
integrity {sha1 | sha256 | sha384 | md5}
Checked the CCO product datasheet for the AIM-VPN/SSL-3 module;
it mentioned that: All AIM-VPN modules support IPsec DES and 3DES; authentication: Rivest, Shamir, and Adleman (RSA) and Diffie-Hellman; data integrity: Secure Hash Algorithm 1 (SHA-1) and Message Digest Algorithm 5 (MD5); and DES, 3DES, and AES key sizes: AES128, AES192, and AES256.
Question 1: With IOS 15.1(2)T on the c3845 with the AIM-VPN module, can I run DMVPN with IKE/IPsec transform-set parameters using AES256 & SHA256?
Question 2: If it is supported, is it done in hardware on the AIM-VPN, or will it be software-processed by the c3845 main CPU? What is the expected performance (pps/Mbps) in the software-processing case?
08-31-2010 06:33 AM
Hello,
As you found, the sha256 and sha384 hashes are not mentioned on the datasheet of the AIM-VPN/SSL-3.
This means that the card cannot handle those hashes.
IOS should fall back to the software engine if you are using these hashes.
If you are using them for the IKE part, then the impact is limited to the key calculation time; if you do not renegotiate too often, this is OK.
If you are going to use this in a transform-set for the IPsec traffic, then this would have a considerable impact. I have no numbers, but I would not think this would be useful for anything except management-of-the-box traffic.
Best regards, Peter
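The reply above draws a line between hashes the AIM-VPN/SSL-3 datasheet lists (SHA-1, MD5) and those it does not (sha256, sha384), and between where the hash is used (IKE negotiation vs. the IPsec transform-set). The following is an added example, not code from the thread or from Cisco: a small audit script that walks a constructed IOS crypto configuration and reports which configured hashes fall outside the datasheet list, tagging IKE uses as a per-negotiation cost and transform-set uses as a per-packet cost. The hardware-algorithm set, the sample configuration, and the names `audit_crypto_config` / `software_processed` are assumptions made for this example; the block parses the `hash`, `integrity` and `esp-*-hmac` forms that appear in the thread.

```python
"""Flag IKE/IPsec hashes in an IOS crypto config that the AIM-VPN/SSL-3 datasheet
does not list and that would therefore run on the router's software crypto engine.
Added example for this thread, not Cisco's code; algorithm set and sample config
are assumptions based on the datasheet quote in the question."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Data-integrity algorithms the AIM-VPN/SSL-3 datasheet lists: SHA-1 and MD5.
# Assumption: anything not in this set (sha256, sha384, ...) is software-processed.
HW_HASHES = {"sha", "sha1", "md5"}

# Transform-set authentication tokens look like esp-sha-hmac, esp-sha256-hmac, esp-md5-hmac.
ESP_AUTH = re.compile(r"^esp-(\w+)-hmac$")


@dataclass
class Finding:
    scope: str        # "ike" (negotiation only) or "ipsec" (every data packet)
    context: str      # the top-level command the setting belongs to
    algorithm: str
    in_hardware: bool

    @property
    def impact(self) -> str:
        if self.in_hardware:
            return "hardware"
        # IKE hashes are used only at negotiation/rekey; IPsec hashes on every packet.
        return "software, per-negotiation only" if self.scope == "ike" else "software, per-packet"


def audit_crypto_config(config: str) -> list[Finding]:
    """Return one Finding per configured hash, in configuration order."""
    findings: list[Finding] = []
    context = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if not line.startswith(" "):
            # Top-level command: either opens a block or is a one-line transform-set.
            context = line.strip()
            m = re.match(r"crypto ipsec transform-set \S+ (.+)$", context)
            if m:
                for tok in m.group(1).split():
                    a = ESP_AUTH.match(tok)
                    if a:
                        alg = a.group(1).lower()
                        findings.append(Finding("ipsec", context, alg, alg in HW_HASHES))
            continue
        words = line.split()
        if context.startswith("crypto isakmp policy") and words[0] == "hash":
            alg = words[1].lower()
            findings.append(Finding("ike", context, alg, alg in HW_HASHES))
        elif context.startswith("crypto ikev2 proposal") and words[0] == "integrity":
            # IKEv2 proposals may list several integrity algorithms on one line.
            for alg in words[1:]:
                alg = alg.lower()
                findings.append(Finding("ike", context, alg, alg in HW_HASHES))
    return findings


def software_processed(config: str) -> list[Finding]:
    """Only the findings that would fall back to the software engine."""
    return [f for f in audit_crypto_config(config) if not f.in_hardware]


# Constructed sample configuration (not from the thread) mixing datasheet-listed
# and non-listed hashes in IKEv1, IKEv2 and transform-set positions.
SAMPLE_CONFIG = """\
! constructed sample, not a real running-config
crypto isakmp policy 15
 encr aes 256
 hash sha256
 authentication pre-share
crypto isakmp policy 20
 encr aes 256
 hash sha
 authentication pre-share
!
crypto ikev2 proposal HUB-PROP
 encryption aes-cbc-256
 integrity sha256 sha1
!
crypto ipsec transform-set TS-HW esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-SW esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for f in audit_crypto_config(SAMPLE_CONFIG):
        print(f"{f.impact:32} {f.algorithm:8} <- {f.context}")
```

Run against a real `show running-config | section crypto` dump, the per-packet lines are the ones that matter for the hub's throughput; the per-negotiation lines only cost CPU at rekey time, which is the distinction Peter draws above.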
08-31-2010 08:12 AM
Any insight on the roadmap for this case?
I mean, will the AIM-VPN on the c3845 support SHA256 in hardware with an IOS upgrade in the near future?
Or is this not an upgradeable ASIC feature on the AIM-VPN module?
08-31-2010 08:49 AM
Hi,
I have no insight into the future plans; however, the AIM-VPN/SSL-3 is an almost pure hardware solution, so I think that we will NOT see an upgrade.
However, as this is IKE only, this is not so dramatic as you might think.
Sorry, Peter