871W crypto engine limitations?

Justin Shore · ‎01-14-2011

I'm trying to solve a client VPN issue and I'm using my home 871W as a test platform. I seem to have angered my crypto engine though and have been unable to use that router for this purpose. The error I'm getting is:

003890: Jan 14 18:05:39.691 CST: select crypto engine: ce_engine[3] does not accept the capabilities

The 871W should have hardware encryption, and this show output confirms that:

#sh cry en br
        crypto engine name: Virtual Private Network (VPN) Module
        crypto engine type: hardware
                     State: Enabled
                  Location: onboard 0
              Product Name: Onboard-VPN
                FW Version: 1
              Time running: 4294967 seconds
               Compression: Yes
                       DES: Yes
                     3 DES: Yes
                   AES CBC: Yes (128,192,256)
                  AES CNTR: No
     Maximum buffer length: 4096
          Maximum DH index: 0020
          Maximum SA index: 0020
        Maximum Flow index: 0040
      Maximum RSA key size: 0000

        crypto engine name: Cisco VPN Software Implementation
        crypto engine type: software
             serial number: D5E2AFE6
       crypto engine state: installed
     crypto engine in slot: N/A

The crypto config is pretty basic and I can't see what it would be bitching about:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 64
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key ####address ####
crypto isakmp key ####address 0.0.0.0 0.0.0.0
crypto isakmp identity hostname
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group cvpn-split-tunnel
key #####
domain corp.local
pool cvpn-pool
acl cvpn-split-tunnel-acl
save-password
netmask 255.255.255.0
banner ^CSuccess!
^C
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-AES256-MD5 esp-aes 256 esp-md5-hmac
crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set aes256-sha-hmac esp-aes 256 esp-sha-hmac
!
crypto dynamic-map cvpn 10
set transform-set 3des-sha-hmac
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to#####
set peer ####
set transform-set ESP-AES256-MD5
match address 100
!
crypto map cvpn-map client authentication list netauth
crypto map cvpn-map isakmp authorization list netauth
crypto map cvpn-map client configuration address initiate
crypto map cvpn-map client configuration address respond
crypto map cvpn-map 10 ipsec-isakmp dynamic cvpn

The crypto map is applied to the upstream-facing interface. The config contains a legacy L2L that I could remove as well as much cvpn-split-tunnel client config work in progress.

Whenever I try VPN in or simply run sh run the config is processed and I get 21 lines of the error about (incrementing the numbers in the first column). It seems like I ran into issues with certain older routers not supporting certain crypto options. I can't recall what those were though. Does anyone recognize anything in my config that would be supported on a 871W running 12.4(24)T2 Adv IP?

Thanks

PS==> From global config I've run 'crypto engine onboard 0' and 'crypto engine accelerator' to no avail. No crypto engine commands appear in the config.

Gustavo Medina · ‎01-14-2011

Hello Justin,

Are the clients able to connect? I'm asking this because it seems that the "select crypto engine: ce_engine[2] does not accept the capabilities"

message is harmless. It happens when we search through the available engines to find the suitable crypto engine 
to do the operation. We will continue to search until we find a suitable crypto engine. 

Regards,