
AIM-VPN/SSL-3 support for SHA256 or SHA384 on Cisco 3845?

yongaik
Level 1

Setting up a DMVPN WAN for a customer with a Cisco 3845 (AIM-VPN) at the hub site and Cisco 2811s at the spoke sites.

Checked the IOS feature guide;

it mentioned IOS 15.1(2)T supports IKE policies with the sha256 / sha384 hash algorithm:

crypto isakmp policy 15
 hash sha256
 exit

It also mentioned IOS 15.1(2)T supports IKEv2 proposals with the sha256 / sha384 integrity algorithm:

integrity {sha1 | sha256 | sha384 | md5}

Checked the CCO product datasheet on the AIM-VPN/SSL-3 module;

it mentioned that: All AIM-VPN modules support IPSec DES and 3DES; Authentication: Rivest, Shamir, and Adleman (RSA) and Diffie Hellman; data integrity: Secure Hash Algorithm 1 (SHA-1) and Message Digest Algorithm 5 (MD5); and DES, 3DES, and AES key sizes: AES128, AES192, and AES256.

Question 1: With IOS 15.1(2)T on a c3845 with the AIM-VPN module, can I run DMVPN with IKE/IPSEC transform-set parameters using AES256 & SHA256?

Question 2: If it is supported, is it done in hardware on the AIM-VPN, or will it be software processed by the c3845 main CPU? What is the expected performance (pps/Mbps) in a software processing case?


pevaneyn
Cisco Employee

Hello,

As you found, the sha256 and sha384 hashes are not mentioned on the datasheet of the AIM-VPN/SSL-3.

This means that the card cannot handle those hashes.

IOS should fall back to the software engine if you are using these hashes.

If you are using them for the IKE part then the impact is limited to the key calculation time; if you do not renegotiate too often this is OK.

If you are going to use this in a transform-set for the IPSec traffic then this would have considerable impact. I have no numbers, but I would not think this would be useful for anything except management-of-the-box traffic.

Best regards, Peter

Any insight on the roadmap for this case?

I mean, will the AIM-VPN on the c3845 support SHA256 in hardware with an IOS upgrade in the near future?

Or is this not an upgradeable ASIC feature on the AIM-VPN module?

Hi,

I have no insight on the future plans; however, the AIM-VPN/SSL3 is an almost pure hardware solution. So I think that we will NOT see an upgrade.

However, as this is IKE only, this is not as dramatic as you might think.

Sorry, Peter
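
A way to check a router configuration against the distinction drawn in the replies, as an added example that is not part of the original thread: it flags every hash outside the integrity list of the AIM-VPN/SSL-3 datasheet quoted in the question and separates IKE policies from IPsec transform-sets. The sample configuration and the transform-set names TS-HW and TS-SW are constructed, and the impact labels paraphrase the reply above.

```python
import re

# Integrity algorithms listed in the datasheet quote ("sha" is IOS's SHA-1 keyword).
HW_HASHES = {"sha", "sha1", "md5"}
# IOS transform-set integrity keywords, e.g. esp-sha-hmac, esp-sha256-hmac.
ESP_AUTH = re.compile(r"\b(?:esp|ah)-(md5|sha|sha256|sha384|sha512)-hmac\b")

# Constructed sample; not taken from the thread.
SAMPLE = """\
crypto isakmp policy 15
 encr aes 256
 hash sha256
 authentication pre-share
!
crypto ipsec transform-set TS-HW esp-aes 256 esp-sha-hmac
crypto ipsec transform-set TS-SW esp-aes 256 esp-sha256-hmac
"""


def audit(config):
    """Return (scope, name, hash, impact) for each hash outside HW_HASHES."""
    findings = []
    policy = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            policy = m.group(1)
            continue
        if not raw.startswith((" ", "\t")):
            policy = None  # an unindented line ends the policy sub-mode
        m = re.match(r"hash (\S+)$", line)
        if policy and m and m.group(1) not in HW_HASHES:
            findings.append(("ike", policy, m.group(1), "key negotiation only"))
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            for h in ESP_AUTH.findall(m.group(2)):
                if h not in HW_HASHES:
                    findings.append(("ipsec", m.group(1), h, "every data packet"))
    return findings


if __name__ == "__main__":
    for scope, name, algo, impact in audit(SAMPLE):
        print(f"{scope:5} {name:6} {algo:7} not in module's list: {impact}")
```
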
