Cisco 1921: On board hw module not used ?

sylvain.munaut
Level 1

Hi,

I have a Cisco 1921 which has an IPSec connection to the outside, but despite this, it seems the hw accelerator module is not used because the stats are all zeros (see below). Also, I can see that the module is enabled (using show crypto engine brief), but the connections are routed to the sw module (using show crypto engine connections flow).

What could that be caused by?

Cheers,

    Sylvain

gw#show crypto engine accelerator statistic 

Device:   Onboard VPN
Location: Onboard: 0
     :Statistics for encryption device since the last clear 
      of counters 4294967 seconds ago
                   0 packets in                           0 packets out           
                   0 bytes in                             0 bytes out             
                   0 paks/sec in                          0 paks/sec out          
                   0 Kbits/sec in                         0 Kbits/sec out         
                   0 packets decrypted                    0 packets encrypted     
                   0 bytes before decrypt                 0 bytes encrypted       
                   0 bytes decrypted                      0 bytes after encrypt   
                   0 packets decompressed                 0 packets compressed    
                   0 bytes before decomp                  0 bytes before comp     
                   0 bytes after decomp                   0 bytes after comp      
                   0 packets bypass decompr               0 packets bypass compres
                   0 bytes bypass decompres               0 bytes bypass compressi
                   0 packets not decompress               0 packets not compressed
                   0 bytes not decompressed               0 bytes not compressed  
                  1.0:1 compression ratio                1.0:1 overall
          Last 5 minutes: 
                   0 packets in                           0 packets out           
                   0 paks/sec in                          0 paks/sec out          
                   0 bits/sec in                          0 bits/sec out          
                   0 bytes decrypted                      0 bytes encrypted       
                   0 Kbits/sec decrypted                  0 Kbits/sec encrypted   
                  1.0:1 compression ratio                1.0:1 overall



gw#show crypto engine brief 
        crypto engine name:  Virtual Private Network (VPN) Module
        crypto engine type:  hardware
                     State:  Enabled
                  Location:  onboard 0
              Product Name:  Onboard-VPN
                HW Version:  1.0
               Compression:  Yes
                       DES:  Yes
                     3 DES:  Yes
                   AES CBC:  Yes (128,192,256)
                  AES CNTR:  No
     Maximum buffer length:  0000
          Maximum DH index:  0000
          Maximum SA index:  0000
        Maximum Flow index:  2000
      Maximum RSA key size:  0000


        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  02FBA4F2
       crypto engine state:  installed
     crypto engine in slot:  N/A



gw#show crypto engine connections flow 
Crypto engine: Software Crypto Engine 
      flow_id   ah_conn_id  esp_conn_id     comp_spi 
          245                 245       0x2F12 
          246                 246       0x4E13 
 
Crypto engine: Onboard VPN 
      flow_id   ah_conn_id  esp_conn_id     comp_spi 



9 Replies

olpeleri
Cisco Employee

Hey Sylvain,

What version do you use? Can you paste the crypto part of your config?

Cheers,

I just dug up a little more this morning (comparing configs where I have some 1921s that were using the hw module) and found out that the issue was the usage of SHA256 as an ESP HMAC.

Is there a list somewhere of what is supported by the hardware and what is not? And preferably some perf of the various options, like what is the impact of enabling compression or aes256 vs aes128, ...

Cheers,

    Sylvain

Hello,

What version are you running?

Cheers,

Version 15.1(4)M4

Hey Sylvain,

If you are looking for HW suite-B support, then you will have to upgrade to 15.2(4)M train.

See the release notes for further details

http://www.cisco.com/en/US/docs/ios/15_2m_and_t/release/notes/15_2m_and_t.pdf

"The IPSec algorithms required by Suite B are now supported by the hardware crypto engine on the Cisco Integrated Services Routers Generation 2: 800 Series, 1900 Series, 2901, 2911, 2921, 2935R, 3925E, and 3945E, each of which has embedded hardware-accelerated VPN encryption.

Suite B requirements comprise four user-interface suites of cryptographic algorithms for use with IKE and IPsec, which are described in RFC 6379 and RFC 6380. Each suite consists of an encryption algorithm, a digital signature algorithm, a key agreement algorithm, and a hash or message digest algorithm.

Suite B provides a comprehensive security enhancement for Cisco IPsec VPNs, and it allows additional security for large-scale deployments. Suite B is the recommended solution for organizations requiring advanced encryption security for the wide-area network (WAN) between remote sites.

For detailed information about Cisco IOS IPsec features in 15.2(4)M that support Suite B"

That should answer your question.

Damn, sorry, I logged on to the wrong router, it's actually 15.2(2)T at the moment, but I guess your answer still applies and I should update, thanks.

Do you know if similar support for Suite B is available for the 1812 router hw module in some further fw version? (and that one is currently at 15.1(4)M4)

To make it clear, this is the TS I use:

crypto ipsec transform-set vpn-s2s esp-aes 256 esp-sha256-hmac comp-lzs

mode transport require
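A small offline check, added here as an example (it is not part of this thread or of any Cisco tooling), that parses the `show crypto engine connections flow` output quoted above together with the transform set, reports that both ESP flows sit on the software engine while the onboard engine is idle, and points at the esp-sha256-hmac keyword as the cause discussed in this thread. The FLOW_OUTPUT sample is constructed from the posted output, and the SOFTWARE_ONLY_BEFORE_1524M set is an assumption (only sha256 is confirmed above).

```python
import re

# Constructed sample input: the "show crypto engine connections flow" output
# quoted earlier in this thread (two ESP flows on the software engine, none
# on the onboard hardware engine).
FLOW_OUTPUT = """\
Crypto engine: Software Crypto Engine
      flow_id   ah_conn_id  esp_conn_id     comp_spi
          245                 245       0x2F12
          246                 246       0x4E13

Crypto engine: Onboard VPN
      flow_id   ah_conn_id  esp_conn_id     comp_spi
"""

# Transform-set keywords that, per this thread, keep flows off the ISR G2
# onboard engine before IOS 15.2(4)M. esp-sha256-hmac is the one confirmed in
# the thread; sha384/sha512 are an assumption (the other Suite B ESP HMACs).
SOFTWARE_ONLY_BEFORE_1524M = {"esp-sha256-hmac", "esp-sha384-hmac", "esp-sha512-hmac"}


def flows_per_engine(output):
    """Map each crypto engine name to the list of flow_ids it carries."""
    engines, current = {}, None
    for line in output.splitlines():
        m = re.match(r"Crypto engine:\s*(.+?)\s*$", line)
        if m:
            current = m.group(1)
            engines[current] = []
            continue
        m = re.match(r"\s+(\d+)\s+", line)  # data rows start with a numeric flow_id
        if m and current is not None:
            engines[current].append(int(m.group(1)))
    return engines


def software_only_components(transform_set_line):
    """Return the transform-set keywords that force the software crypto path."""
    return sorted(t for t in transform_set_line.split() if t in SOFTWARE_ONLY_BEFORE_1524M)


def diagnose(output, transform_set_line):
    """Tell whether IPsec flows bypass the hardware engine and the likely cause."""
    engines = flows_per_engine(output)
    sw = sum(len(f) for e, f in engines.items() if "software" in e.lower())
    hw = sum(len(f) for e, f in engines.items() if "software" not in e.lower())
    return {"hardware_flows": hw, "software_flows": sw,
            "bypasses_hardware": sw > 0 and hw == 0,
            "cause": software_only_components(transform_set_line)}
```

Run `diagnose(FLOW_OUTPUT, "crypto ipsec transform-set vpn-s2s esp-aes 256 esp-sha256-hmac comp-lzs")` against the pasted output; a result with `bypasses_hardware` true and a non-empty `cause` is the situation described in this thread.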

Hi Sylvain,
Was it only because of sha256 or greater dh groups like group 14, 16 were also the problem?
Wondering if I can use group 14 along with sha1 on ISR G2 with no SW upgrade.

Thanks!

Sent from Cisco Technical Support iPhone App

Hello Sylvain,

ISR-G1 [ 1800 - 2800 - 3800 ] are currently going through their end of life process. The 15.1(4)M train is the last one to be built and published.

Unfortunately it means no HW support for Suite-B.

Regards,