VPN Encryption Module

Amin Shaikh
Level 1

Hi

Show version on the router shows this output, but we didn't purchase a VPN Encryption Module.

Why does it show 2 VPN Modules? If I get a VPN module, how do I move the encryption from software to hardware?

Are there any tools to check the difference between software and hardware encryption for the Cisco 2851 box?

Cisco 2851 (revision 22.50) with 249856K/12288K bytes of memory.
Processor board ID FCZ3313122Y
2 Gigabit Ethernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102

Accepted Solution

I believe that the most clear way to understand precisely what is in the router for encryption modules is to use the command show crypto engine brief. The output here clearly shows both the optional VPN module AIM-VPN/SSL1 in slot0 and the built in module Onboard-VPN (in location onboard 0).

sh crypto eng brief
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  aim 0
        VPN Module in slot:  0
              Product Name:  AIM-VPN/SSL-1
         Software Serial #:  55AA
                 Device ID:  001F - revision 0000
                 Vendor ID:  0000
               Revision No:  0x001F0000
              VSK revision:  0
              Boot version:  255
               DPU version:  0
               HSP version:  3.4(1) (PRODUCTION)
              Time running:  1w5d
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  1000
          Maximum SA index:  1000
        Maximum Flow index:  2000
      Maximum RSA key size:  2048

        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Disabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
                HW Version:  1.0
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  4096
          Maximum DH index:  0000
          Maximum SA index:  0000
        Maximum Flow index:  0300
      Maximum RSA key size:  0000


        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  35C2FA40
       crypto engine state:  installed
     crypto engine in slot:  N/A

HTH

Rick
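
The check described in the post above, as an added example that is not part of the original thread: a small Python parser for `show crypto engine brief` output that reports which hardware engine is actually enabled. The sample text is trimmed from the output quoted above, and the function names are hypothetical.

```python
import re

# Sample trimmed from the `show crypto engine brief` output quoted in the post above.
SAMPLE = """\
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  aim 0
              Product Name:  AIM-VPN/SSL-1

        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Disabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
       crypto engine state:  installed
"""

# "   key:  value" lines; the key is everything before the first colon.
FIELD = re.compile(r"^\s*([^:]+?):\s+(.*\S)\s*$")

def parse_engines(text):
    """One dict per engine; each 'crypto engine name' line starts a new record."""
    engines = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines, the echoed command, prompts
        key, value = m.group(1).strip().lower(), m.group(2)
        if key == "crypto engine name":
            engines.append({})
        if engines:
            engines[-1][key] = value
    return engines

def active_hardware(engines):
    """(product, location) for every hardware engine whose State is Enabled."""
    return [(e.get("product name"), e.get("location")) for e in engines
            if e.get("crypto engine type") == "hardware"
            and e.get("state", "").lower() == "enabled"]

def summarize(text):
    """Engine count, enabled hardware engines, and whether only software is left."""
    engines = parse_engines(text)
    hw = active_hardware(engines)
    return {"engines": len(engines), "active_hardware": hw, "software_only": not hw}
```

Run against the sample, `summarize` reports three engines with the AIM in `aim 0` as the only enabled hardware engine; the onboard module is present but disabled, which is why `show version` still counts two VPN modules.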


12 Replies

Richard Burts
Hall of Fame

The 2800 series router comes with a VPN module built in and your show version is pretty clear that this router has the second optional module. You could use the show diag command to see more details about the VPN module.

When the VPN module is present the OS automatically moves the encryption from software to hardware. There is not a need for specific commands to activate it.

HTH

Rick

I was curious about this issue, so I looked at one of our 2821's with the security bundle in it.  Sure enough, it shows in the output of SHOW VERSION that there are two VPN modules.  However, in the output of SHOW DIAG I only see one VPN module in slot 0.

I then checked this document.  https://www.cisco.com/en/US/docs/routers/access/2800/hardware/installation/guide/10_hw.html#wp1109723

In the section on verifying the AIM installation, the output of SHOW VERSION shows that there is only one VPN module.

It also says in several places the following stipulation:
Cisco 2811, Cisco 2821, and Cisco 2851 routers have two AIM connectors—AIM slot 0 and AIM slot 1. You can install a virtual private network (VPN) encryption AIM or a voice-mail AIM in either slot, but not in both slots. You can install voice and data compression AIMs and ATM AIMs in both slots.

Post the full "show diag" here.

You can edit SN # if worried about that.

There are "show crypto" commands that tell you which HW is being used.

#sh ver
Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(9)T3, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 23-Mar-07 18:35 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

xxxxx uptime is x weeks, x days, x hours, x minutes
System returned to ROM by power-on
System restarted at 12:55:27 CDT Wed Jun 17 2009
System image file is "flash:c2800nm-advipservicesk9-mz.124-9.T3.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 2821 (revision 53.51) with 249856K/12288K bytes of memory.
Processor board ID xxxxxxx
2 Gigabit Ethernet interfaces
2 Serial interfaces
2 Channelized T1/PRI ports
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity enabled.
239K bytes of non-volatile configuration memory.
250880K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102


sh diag
Slot 0:
        C2821 Motherboard with 2GE and integrated VPN Port adapter, 2 ports
        Port adapter is analyzed
        Port adapter insertion time unknown
        Onboard VPN             : v2.2.0
        EEPROM contents at hardware discovery:
        PCB Serial Number        : xxxxxxxxxxx
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-26921-02
        Board Revision           : A0
        Deviation Number         : 0
        Fab Version              : 03
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Processor type           : 87
        Hardware date code       : 20070329
        Chassis Serial Number    : xxxxxxxxxx
        Chassis MAC Address      : xxxxxxxxxx
        MAC Address block size   : 32
        CLEI Code                : COM3D00BRA
        Product (FRU) Number     : CISCO2821
        Part Number              : 73-8853-04
        Version Identifier       : V03
        EEPROM format version 4
        EEPROM contents (hex):

        WIC Slot 0:
        VWIC2-2MFT-T1/E1 - 2-Port RJ-48 Multiflex Trunk - T1/E1
        Hardware Revision        : 0.0
        Top Assy. Part Number    : 800-22629-05
        Board Revision           : B0
        Deviation Number         : 0
        Fab Version              : 04
        PCB Serial Number        : xxxxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : VWIC2-2MFT-T1/E1
        Version Identifier       : V01
        EEPROM format version 4
        EEPROM contents (hex):

        AIM Module in slot: 0
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-27059-01
        Board Revision           : A0
        Deviation Number         : 0-0
        Fab Version              : 02
        PCB Serial Number        : xxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : AIM-VPN/SSL-2
        Version Identifier       : V01
        EEPROM format version 4
        EEPROM contents (hex):

You have an optional VPN module installed:

AIM Module in slot: 0
        Hardware Revision        : 1.0
        Top Assy. Part Number    : 800-27059-01
        Board Revision           : A0
        Deviation Number         : 0-0
        Fab Version              : 02
        PCB Serial Number        : xxxxxxxxxxx
        RMA Test History         : 00
        RMA Number               : 0-0-0-0
        RMA History              : 00
        Product (FRU) Number     : AIM-VPN/SSL-2

Please remember to rate useful posts with the scrollbox below.

Leo Laohoo
Hall of Fame

Can you please post the result of sh inventory and sh crypto engine acc?  Thanks.

What for? Show diag above is clear enough.

Hi Paolo,

If I read this correctly, the router has TWO (2) AIM-VPN, is this correct? 





No, it has one.

Thank U Sir

You are welcome.
