Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
858
Views
0
Helpful
6
Replies

AES-256 on VAM2 Counters?

Marcel Zehnder
Spotlight
Spotlight

‎01-17-2011 04:59 AM

Hello Community

I was to stupid to read the datasheet and just configured AES-256 on a router with a VAM2-modul. According to the datasheet the VAM2 processes AES-256 in software. Now my question: Is there any show command to check how many (crypto-) packets are processed in software on the VAM2.

If I do a "sh crypto engine accelerator statistic" which counter indicates that the AES256-packets are processed in software?

Thank you for your answers!

Marcel

Labels:
0 Helpful
6 Replies 6

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎01-17-2011 09:42 AM

Marcel,

I think there's a bigger misconception here.

A particular IPsec/SSL flow can be handled by crypto engine (built in, external) or under certain circumstances in software  (when everything else fails, usually)

In case of IPsec you can handle which particular flow is handled by which encryption method by checking:

"show crypto ipsec sa" and checking "flow" value (might depend on version)

To see what kind of accelarator engines are available in system you can check "show crypto eli".

Marcin

0 Helpful

Marcel Zehnder
Spotlight
Spotlight
In response to Marcin Latosiewicz

‎01-17-2011 11:36 AM

Thank you Marcin for the reply.

Well I see that my crypto sessions are handled by the VAM2-module:

sh crypto ipsec sa detail | inc flow

        conn id: 5039, flow_id: VAM2:3039, crypto map: Tunnel1-head-0

        conn id: 5040, flow_id: VAM2:3040, crypto map: Tunnel1-head-0

        etc.

right, the VAM2 handels AES-192 and AES-256 in HSP software (it's handled by the VPN-modul, but not in hardware, but in HSP software).
What I need is a show-command which indicates which IPSEC SA's are handled by HSP... ...is there some kind of command?
Regards
Marcel

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Marcel Zehnder

‎01-17-2011 12:08 PM

Marcel,https://supportforums.cisco.com/post!reply.jspa?message=3271985

Honestly I have not seen a split in VAM2 for HSP and non-HSP flows (but I'm not dealing with crypto hardware).

Can you check "show crypto eng conf" and full output of "show crypto ipsec sa" to see what is currently being run?

Marcin

0 Helpful

Marcel Zehnder
Spotlight
Spotlight
In response to Marcin Latosiewicz

‎01-17-2011 11:37 PM

Hi Marcin

Here are the requested outputs:

sh crypto engine configuration

        crypto engine name:  Virtual Private Network (VPN) Module

        crypto engine type:  hardware

                     State:  Enabled

                  Location:  slot 1

        VPN Module in slot:  1

              Product Name:  VAM2

         Software Serial #:  55AA

                 Device ID:  0014 - revision 0004

                 Vendor ID:  0000

               Revision No:  0x00140004

              VSK revision:  0

              Boot version:  12

               DPU version:  0

               HSP version:  2.3(5) (PRODUCTION)

              Time running:  4w4d

               Compression:  Yes

                       DES:  Yes

                     3 DES:  Yes

                   AES CBC:  Yes (128,192,256)

                  AES CNTR:  No

     Maximum buffer length:  4096

          Maximum DH index:  5120

          Maximum SA index:  5120

        Maximum Flow index:  10230

      Maximum RSA key size:  2048

        crypto lib version:  20.0.0

     crypto engine in slot:  1

                  platform:  VPN hardware accelerator

   Crypto Adjacency Counts:

                Lock Count:  -1622581642

              Unlock Count:  -1623453350

        crypto lib version:  20.0.0

Hmmm, looks like AES with 256 bit keys is supported depending on the mode of operation - But still I don't know if this is in hardware or in software (have you seen the datasheet and the comment about AES-192 and AES-256?)
And here the second command:
show crypto ipsec sa detail

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 10.2.32.15

   protected vrf: besiscr
   local  ident (addr/mask/prot/port): (10.2.32.15/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.2.32.128/255.255.255.255/47/0)
   current_peer 10.2.32.128 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 114, #pkts encrypt: 114, #pkts digest: 114
    #pkts decaps: 142, #pkts decrypt: 142, #pkts verify: 142
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 10.2.32.15, remote crypto endpt.: 10.2.32.128
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
     current outbound spi: 0xCD695E1A(3446234650)

     inbound esp sas:
      spi: 0xAD976BD4(2912381908)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 5633, flow_id: VAM2:3633, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4545193/2351)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCD695E1A(3446234650)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 5634, flow_id: VAM2:3634, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4545191/2351)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

   protected vrf: besiscr
   local  ident (addr/mask/prot/port): (10.2.32.15/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (10.2.32.1/255.255.255.255/47/0)
   current_peer 10.2.32.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 371160003, #pkts encrypt: 371160003, #pkts digest: 371160003
    #pkts decaps: 667833920, #pkts decrypt: 667833920, #pkts verify: 667833920
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 2, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 10.2.32.15, remote crypto endpt.: 10.2.32.1
     path mtu 1514, ip mtu 1514, ip mtu idb Loopback1
     current outbound spi: 0x774A849C(2001372316)

     inbound esp sas:
      spi: 0xFB2E22F1(4214104817)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Transport, }
        conn id: 5599, flow_id: VAM2:3599, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (3920695/368)
        IV size: 16 bytes
        replay detection support: N
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x774A849C(2001372316)
         etc
-Marcel

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Marcel Zehnder

‎01-17-2011 11:55 PM

Marcel,


Well VAM2 will be end of lifed completly this year (unlike VAM2+!) and yes I guess you should run AES-128 last version to support VAM is 12.4(15)T.

http://www.cisco.com/en/US/prod/collateral/modules/ps8768/ps5308/prod_end-of-life_notice0900aecd8033791f.html

What my best guess is at this part of processing is done in HSP (sort of general purpose proc CPU on card), since it's documented to do so.

Marcin

0 Helpful

Marcel Zehnder
Spotlight
Spotlight
In response to Marcin Latosiewicz

‎01-18-2011 12:07 AM

Allright, I think your guess is right :-)

Well it isn't really a problem, because due tho the EOL we change the NPE and VAM on the router to G2 and VAM2+... ...but I was just wondering how to check what's written in the datasheet.

Thank you for your help

Marcel

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents