AIM-VPN/SSL-3 support for SHA256 or SHA384 on Cisco 3845?
Setting up a DMVPN WAN for a customer with a Cisco 3845 (AIM-VPN) on the hub site and Cisco 2811 on the spoke sites.
Checked the IOS feature guide;
it mentioned that IOS 15.1(2)T supports IKE policy with the sha256 / sha384 hash algorithm;
crypto isakmp policy 15
it also mentioned that IOS 15.1(2)T supports IKEv2 proposal with the sha256 / sha384 integrity algorithm.
Checked the CCO product datasheet on the AIM-VPN/SSL-3 module;
it mentioned that: All AIM-VPN modules support IPSec DES and 3DES; Authentication: Rivest, Shamir, and Adleman (RSA) and Diffie Hellman; data integrity: Secure Hash Algorithm 1 (SHA-1) and Message Digest Algorithm 5 (MD5); and DES, 3DES, and AES key sizes: AES128, AES192, and AES256.
Question 1: With IOS 15.1(2)T on c3845 with the AIM-VPN module, can I run DMVPN with IKE/IPSEC transform-set parameters using AES256 & SHA256?
Question 2: If it is supported, is it done on the hardware AIM-VPN or will it be software processed by the c3845 main CPU? What is the expected performance (pps/Mbps) in a software processing case?
Re: AIM-VPN/SSL-3 support for SHA256 or SHA384 on Cisco 3845?
As you found, the sha256 and sha384 hashes are not mentioned on the datasheet of the AIM-VPN/SSL-3.
This means that the card cannot handle those hashes.
IOS should fall back to the software engine if you are using these hashes.
If you are using them for the IKE part then the impact is limited to the key calculation time; if you do not renegotiate too often this is OK.
If you are going to use this in a transform-set for the IPSec traffic then this would have considerable impact. I have no numbers, but I would not think this would be useful for anything except management-of-the-box traffic.
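The distinction drawn in the reply above (SHA-2 in the IKE policy versus SHA-2 in the IPsec transform-set) can be checked against a saved configuration. The following Python script is an added example, not part of the thread and not a Cisco tool; the sample configuration, policy numbers and transform-set names are constructed, and the "listed" set is only the SHA-1/MD5 integrity list from the datasheet quoted in the question.

```python
import re

# Integrity algorithms the AIM-VPN datasheet quoted in the question lists
# (IOS keywords: "sha" = SHA-1, "md5" = MD5).
AIM_LISTED_HASHES = {"sha", "md5"}

# Constructed sample configuration (not from the thread).
SAMPLE_CONFIG = """\
crypto isakmp policy 15
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp policy 20
 encr aes 256
 hash sha
crypto ipsec transform-set TS-SHA2 esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set TS-SHA1 esp-aes 256 esp-sha-hmac
"""

def audit_hashes(config):
    """Return (scope, name, hash, listed_on_datasheet) per IKE policy / transform-set."""
    findings = []
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if not raw.startswith(" "):
            policy = None  # a non-indented line ends the policy sub-mode
        m = re.match(r"hash (\S+)$", line)
        if m and policy:
            h = m.group(1)
            findings.append(("ike", policy, h, h in AIM_LISTED_HASHES))
            continue
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            # esp-sha256-hmac / ah-md5-hmac -> "sha256" / "md5"
            for h in re.findall(r"(?:esp|ah)-(\w+)-hmac", m.group(2)):
                findings.append(("ipsec", m.group(1), h, h in AIM_LISTED_HASHES))
    return findings

def data_plane_risks(config):
    """Transform-sets whose integrity algorithm is not on the datasheet list."""
    return [n for scope, n, _, ok in audit_hashes(config) if scope == "ipsec" and not ok]

if __name__ == "__main__":
    for scope, name, h, ok in audit_hashes(SAMPLE_CONFIG):
        print(f"{scope:5} {name:8} {h:7} {'listed' if ok else 'NOT on AIM datasheet'}")
```

Transform-sets returned by `data_plane_risks` are the ones the reply expects to have considerable impact; an unlisted hash that appears only under an IKE policy affects key calculation rather than per-packet processing.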