01-14-2011 04:17 PM
I'm trying to solve a client VPN issue and I'm using my home 871W as a test platform. I seem to have angered my crypto engine though and have been unable to use that router for this purpose. The error I'm getting is:
003890: Jan 14 18:05:39.691 CST: select crypto engine: ce_engine[3] does not accept the capabilities
The 871W should have hardware encryption, and this show output confirms that:
#sh cry en br
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: onboard 0
Product Name: Onboard-VPN
FW Version: 1
Time running: 4294967 seconds
Compression: Yes
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 0020
Maximum SA index: 0020
Maximum Flow index: 0040
Maximum RSA key size: 0000
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
serial number: D5E2AFE6
crypto engine state: installed
crypto engine in slot: N/A
The crypto config is pretty basic and I can't see what it would be bitching about:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 5
!
crypto isakmp policy 64
 encr aes 256
 hash md5
 authentication pre-share
 group 5
crypto isakmp key ####address ####
crypto isakmp key ####address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group cvpn-split-tunnel
 key #####
 domain corp.local
 pool cvpn-pool
 acl cvpn-split-tunnel-acl
 save-password
 netmask 255.255.255.0
 banner ^CSuccess!
^C
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-MD5 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set aes256-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map cvpn 10
 set transform-set 3des-sha-hmac
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to#####
 set peer ####
 set transform-set ESP-AES256-MD5
 match address 100
!
crypto map cvpn-map client authentication list netauth
crypto map cvpn-map isakmp authorization list netauth
crypto map cvpn-map client configuration address initiate
crypto map cvpn-map client configuration address respond
crypto map cvpn-map 10 ipsec-isakmp dynamic cvpn
The crypto map is applied to the upstream-facing interface. The config contains a legacy L2L that I could remove as well as much cvpn-split-tunnel client config work in progress.
Whenever I try to VPN in or simply run sh run, the config is processed and I get 21 lines of the error above (incrementing the numbers in the first column). It seems like I ran into issues with certain older routers not supporting certain crypto options. I can't recall what those were though. Does anyone recognize anything in my config that would be supported on an 871W running 12.4(24)T2 Adv IP?
Thanks
PS==> From global config I've run 'crypto engine onboard 0' and 'crypto engine accelerator' to no avail. No crypto engine commands appear in the config.
01-14-2011 05:39 PM
Hello Justin,
Are the clients able to connect? I'm asking this because it seems that the "select crypto engine: ce_engine[2] does not accept the capabilities" message is harmless. It happens when we search through the available engines to find the suitable crypto engine to do the operation. We will continue to search until we find a suitable crypto engine.
Regards,
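An added example, not part of the thread and not Cisco tooling: a Python check that compares the encryption algorithms named in the posted config against what the hardware engine advertises in the posted `sh cry en br` output. The function names are hypothetical, the inputs are trimmed copies of the thread's text, and only ciphers are compared because the engine listing names no hash algorithms or DH groups.

```python
import re

# Constructed sample: trimmed copies of the 'sh cry en br' output and config from the post.
ENGINE_OUTPUT = """\
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
DES: Yes
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
crypto engine name: Cisco VPN Software Implementation
crypto engine type: software
"""
CONFIG = """\
crypto isakmp policy 1
 encr 3des
crypto isakmp policy 3
 encr aes 256
crypto ipsec transform-set ESP-AES256-MD5 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
"""
SIMPLE = {"DES": "des", "3 DES": "3des"}  # engine listing label -> normalized name

def norm(name, bits):
    # IOS uses a 128-bit key when 'aes' is given without a size.
    return name + (bits or "128") if name == "aes" else name

def hardware_ciphers(text):
    """Ciphers advertised with 'Yes' inside the 'hardware' engine block."""
    ciphers, in_hw = set(), False
    for line in text.splitlines():
        key, _, val = (p.strip() for p in line.partition(":"))
        if key == "crypto engine type":
            in_hw = val == "hardware"
        elif in_hw and val.startswith("Yes"):
            if key in SIMPLE:
                ciphers.add(SIMPLE[key])
            elif key == "AES CBC":
                ciphers |= {"aes" + b for b in re.findall(r"\d+", val)}
    return ciphers

def configured_ciphers(config):
    """Ciphers requested by ISAKMP policies ('encr ...') and transform sets ('esp-...')."""
    pat = r"(?:^\s*encr(?:yption)?\s+|\besp-)(des|3des|aes)\b(?:\s+(\d+))?"
    return {norm(n, b) for line in config.splitlines() for n, b in re.findall(pat, line)}

def unsupported(engine_text, config):
    return sorted(configured_ciphers(config) - hardware_ciphers(engine_text))

if __name__ == "__main__":
    print("configured but not advertised by hardware engine:", unsupported(ENGINE_OUTPUT, CONFIG))
```

For the thread's data the result is an empty list: every configured cipher (3DES, AES-256) appears in the hardware engine's advertised set.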