I was too stupid to read the datasheet and just configured AES-256 on a router with a VAM2 module. According to the datasheet the VAM2 processes AES-256 in software. Now my question: Is there any show command to check how many (crypto) packets are processed in software on the VAM2?
If I do a "sh crypto engine accelerator statistic" which counter indicates that the AES256-packets are processed in software?
Thank you for your answers!
I think there's a bigger misconception here.
A particular IPsec/SSL flow can be handled by a crypto engine (built-in, external) or, under certain circumstances, in software (when everything else fails, usually).
In case of IPsec you can handle which particular flow is handled by which encryption method by checking:
"show crypto ipsec sa" and checking "flow" value (might depend on version)
To see what kind of accelerator engines are available in the system you can check "show crypto eli".
Thank you Marcin for the reply.
Well I see that my crypto sessions are handled by the VAM2-module:
sh crypto ipsec sa detail | inc flow
conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0
conn id: 5040, flow_id: VAM2:3040, crypto map: Tunnel1-head-0
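The flow_id check suggested above, scripted for a router with many SAs (an added example, not part of the original thread). It reports only the engine label each SA is bound to; the sample text is constructed, and the "SW" label and the unlabelled flow_id form are assumptions about how non-hardware flows are shown.

```python
import re
from collections import Counter

# Matches: "conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0"
# The engine label is optional and may contain spaces, so capture
# everything before the final ":<number>" of the flow_id field.
FLOW_RE = re.compile(
    r"conn id:\s*(\d+),\s*flow_id:\s*(?:(.+):)?(\d+),\s*crypto map:\s*(\S+)"
)

def parse_flows(text):
    """Return one dict per SA line found in 'show crypto ipsec sa' output."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # skip everything that is not a conn id / flow_id line
        conn_id, engine, flow, crypto_map = m.groups()
        flows.append({
            "conn_id": int(conn_id),
            "engine": engine or "UNLABELLED",
            "flow": int(flow),
            "crypto_map": crypto_map,
        })
    return flows

def engines_by_map(flows):
    """Count SAs per engine label, grouped by crypto map."""
    tally = {}
    for f in flows:
        tally.setdefault(f["crypto_map"], Counter())[f["engine"]] += 1
    return tally

def not_on(flows, expected_engine):
    """conn ids of SAs whose flow is not bound to the expected engine."""
    return [f["conn_id"] for f in flows if f["engine"] != expected_engine]

# Constructed sample: the first two lines follow the format shown in the
# thread, the last two are made up to exercise the other cases.
SAMPLE = """\
     conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0
     conn id: 5040, flow_id: VAM2:3040, crypto map: Tunnel1-head-0
     conn id: 2001, flow_id: SW:1, crypto map: Tunnel2-head-0
     conn id: 2002, flow_id: 2, crypto map: Tunnel2-head-0
"""

if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for cmap, counts in engines_by_map(flows).items():
        print(cmap, dict(counts))
    print("SAs not bound to VAM2:", not_on(flows, "VAM2"))
```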
Honestly I have not seen a split in VAM2 for HSP and non-HSP flows (but I'm not dealing with crypto hardware).
Can you check "show crypto eng conf" and full output of "show crypto ipsec sa" to see what is currently being run?
Here are the requested outputs:
sh crypto engine configuration
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
Location: slot 1
VPN Module in slot: 1
Product Name: VAM2
Software Serial #: 55AA
Device ID: 0014 - revision 0004
Vendor ID: 0000
Revision No: 0x00140004
VSK revision: 0
Boot version: 12
DPU version: 0
HSP version: 2.3(5) (PRODUCTION)
Time running: 4w4d
3 DES: Yes
AES CBC: Yes (128,192,256)
AES CNTR: No
Maximum buffer length: 4096
Maximum DH index: 5120
Maximum SA index: 5120
Maximum Flow index: 10230
Maximum RSA key size: 2048
crypto lib version: 20.0.0
crypto engine in slot: 1
platform: VPN hardware accelerator
Crypto Adjacency Counts:
Lock Count: -1622581642
Unlock Count: -1623453350
crypto lib version: 20.0.0
Well, VAM2 will be end-of-lifed completely this year (unlike VAM2+!) and yes, I guess you should run AES-128. The last version to support VAM is 12.4(15)T.
My best guess is that this part of processing is done in HSP (sort of a general purpose proc CPU on the card), since it's documented to do so.
All right, I think your guess is right :-)
Well, it isn't really a problem, because due to the EOL we change the NPE and VAM on the router to G2 and VAM2+... but I was just wondering how to check what's written in the datasheet.
Thank you for your help.