03-13-2014 12:54 AM - edited 02-21-2020 07:33 PM
Greetings everyone,
I have a 2911-SEC/K9 router with IOS 151-4.M7. I'm using IPSec + DMVPN. The settings are the following:
crypto isakmp policy 20
 encr aes 256
 group 24
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
crypto ipsec transform-set *set-name* esp-aes 256 esp-sha512-hmac
crypto ipsec profile *profile-name*
 set transform-set *set-name*
int tunnelXXX
 *dmvpn settings*
 tunnel protection ipsec profile *profile-name* shared
With these settings I was able to load my 100 Mb/s channel only to 15 Mb/s, and CPU went to 99%.
Some strange outputs:
#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 3200 max, 0 failed
#sh crypto isakmp sa count
Active ISAKMP SA's: 5
#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.*.*.* 10.*.*.* QM_IDLE 1044 ACTIVE
10.*.*.* 10.*.*.* QM_IDLE 1045 ACTIVE
#sh plat cer
IPSEC D D 3 N/A
Failed encrypt pkts: 0
Failed decrypt pkts: 0
Failed encrypt pkt bytes: 0
Failed decrypt pkt bytes: 0
Passed encrypt pkts: 5747239
Passed decrypt pkts: 5750789
Passed encrypt pkt bytes: 2974407264
Passed decrypt pkt bytes: 4220119968
So IPSec is working, but why doesn't sh crypto eli show it? Why only 15 Mb/s?
UPD: Same thing with 881-SEC/K9 and 871
#sh cry eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE
IPSec-Session : 0 active, 100 max, 0 failed
3945E (central hub) shows fine:
sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 66 active, 6399 max, 0 failed
All devices using 151-4.M7
03-13-2014 02:12 AM
03-13-2014 02:22 AM
Thanks Marcin, it seems you are right:
3945E (using different profiles)
conn id: 5235, flow_id: Onboard VPN:3235, sibling_flags 80000046, crypto map: map-name-1
conn id: 629, flow_id: SW:629, sibling_flags 80000046, crypto map: crypto map: map-name-2
2911, 881, 871 using only profile that I provided and output is
conn id: 450, flow_id: SW:450, sibling_flags 80000046, crypto map:map-name-2
So I have another question now: why doesn't the onboard VPN module support my profile? Should I lower SHA to 256? And why is 512 not supported? And where can I find the maximum capabilities of this module?
03-13-2014 02:37 AM
03-13-2014 03:06 AM
Some more information on this topic:
IOS 151-4.M7. ISR G2 routers
crypto ipsec transform-set *set-name* esp-aes 256 esp-sha256-hmac still uses software encryption
crypto ipsec transform-set *set-name* esp-aes 256 esp-sha-hmac uses the Onboard VPN module
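As an added example (not from the poster, Marcin, or Cisco), here is a small Python checker that does the verification this thread ended up doing by hand: it parses `show crypto ipsec sa` output for the `flow_id` field, flags every SA whose flow_id is prefixed `SW:` (software-switched) rather than a hardware engine such as `Onboard VPN:`, and compares what was observed against the rule the thread arrived at for IOS 151-4.M7 on ISR G2 (esp-sha256/esp-sha512 transforms land in software, esp-sha-hmac lands on the Onboard VPN engine). The sample output is constructed, modelled on the lines quoted above; the interface names, SPIs and addresses are made up, and the rule is only what this thread observed, so the `mismatches` function exists precisely to catch the case where it does not hold on your platform.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the "show crypto ipsec sa" lines quoted in the thread.
# Interface names, SPIs and addresses are made up; the conn id / flow_id lines follow
# the format the poster pasted (SW:450 vs Onboard VPN:3235).
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel100
    Crypto map tag: Tunnel100-head-0, local addr 10.0.0.1

   inbound esp sas:
    spi: 0x1A2B3C4D(439041101)
      transform: esp-aes 256 esp-sha512-hmac ,
      in use settings ={Transport, }
      conn id: 450, flow_id: SW:450, sibling_flags 80000046, crypto map: map-name-2

interface: Tunnel200
    Crypto map tag: Tunnel200-head-0, local addr 10.0.0.1

   inbound esp sas:
    spi: 0x5E6F7A8B(1584495243)
      transform: esp-aes 256 esp-sha-hmac ,
      in use settings ={Transport, }
      conn id: 5235, flow_id: Onboard VPN:3235, sibling_flags 80000046, crypto map: map-name-1
"""

INTERFACE_RE = re.compile(r"^\s*interface:\s*(\S+)")
TRANSFORM_RE = re.compile(r"transform:\s*(.+?)\s*,?\s*$")
FLOW_RE = re.compile(r"conn id:\s*(\d+),\s*flow_id:\s*([^:]+):(\d+)")

# Empirical rule from this thread (IOS 151-4.M7, ISR G2): SHA-256/SHA-512 ESP integrity
# falls back to software, plain esp-sha-hmac is handled by the onboard engine.
# sha384 was not tested in the thread, so it is deliberately not listed here.
SOFTWARE_ONLY_AUTH = ("sha256", "sha512")


@dataclass
class IpsecSa:
    interface: str
    conn_id: int
    engine: str      # "SW" for software, otherwise the hardware engine name, e.g. "Onboard VPN"
    flow_num: int
    transform: str

    @property
    def hardware(self) -> bool:
        return self.engine != "SW"


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Walk the show output line by line; each 'conn id' line is paired with the
    most recent 'transform:' and 'interface:' lines seen above it."""
    sas: List[IpsecSa] = []
    interface = ""
    transform = ""
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            interface = m.group(1)
            continue
        m = TRANSFORM_RE.search(line)
        if m:
            transform = m.group(1)
            continue
        m = FLOW_RE.search(line)
        if m:
            sas.append(IpsecSa(interface, int(m.group(1)), m.group(2).strip(),
                               int(m.group(3)), transform))
    return sas


def software_switched(sas: List[IpsecSa]) -> List[IpsecSa]:
    """SAs that the crypto engine is NOT offloading: these are the ones that burn CPU."""
    return [sa for sa in sas if not sa.hardware]


def predicts_software_crypto(transform: str) -> bool:
    """Apply the thread's rule to a transform-set string."""
    return any(auth in transform for auth in SOFTWARE_ONLY_AUTH)


def mismatches(sas: List[IpsecSa]) -> List[IpsecSa]:
    """SAs where the observed engine disagrees with the thread's rule, i.e. cases
    where that rule does not hold on the box being inspected."""
    return [sa for sa in sas if predicts_software_crypto(sa.transform) == sa.hardware]


if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for sa in parsed:
        where = "hardware (%s)" % sa.engine if sa.hardware else "SOFTWARE"
        print(f"{sa.interface}: conn {sa.conn_id} transform '{sa.transform}' -> {where}")
    print("software-switched SAs:", [sa.conn_id for sa in software_switched(parsed)])
    print("SAs contradicting the thread's rule:", [sa.conn_id for sa in mismatches(parsed)])
```

Feed it the real output with something like `parse_ipsec_sas(open("ipsec_sa.txt").read())`; any SA that comes back from `software_switched` is a transform set to revisit, and a non-empty `mismatches` list means the sha256/sha512 rule from this thread is not what your IOS release and engine are doing.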