The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
VPN Acceleration Module (VAM) supports Data Encryption Standard (DES) or Triple DES (3DES) IPsec encryption at a rate greater than full-duplex DS-3 line rate (up to 145 Mbps) for site-to-site VPNs such as intranets and extranets. VAM also supports up to 5000 encrypted tunnels for mixed VPN environments that have both site-to-site and remote access VPN requirements. VAM integrates hardware-assisted Rivest, Shamir, and Adelman (RSA) and IP Payload Compression Protocol (IPPCP) layer 3 compression to accelerate RSA processing, thereby enhancing tunnel setup and improving overall VPN initialization. In environments where bandwidth is costly, VAM provides hardware-based IPPCP Lempel-Ziv-Stac (LZS) processing to compress network traffic before it is encrypted and sent over pay-per-byte WAN connections.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
You must configure IPSec and IKE on the router and a crypto map to all interfaces that require encryption service from the VPN Acceleration Module.
The VPN Acceleration Module (VAM) is a single-width acceleration module. It provides high-performance, hardware-assisted tunneling and encryption services suitable for VPN remote access, site-to-site intranet, and extranet applications. It also provides platform scalability and security while working with all services necessary for successful VPN deployments--security, quality of service (QoS), firewall and intrusion detection, service-level validation, and management. The VAM off-loads IPsec processing from the main processor, thus freeing resources on the processor engines for other tasks.
The VAM provides hardware-accelerated support for the following multiple encryption functions:
The VAM provides the following benefits:
Note |
Support for dual VAMs is available on a Cisco 7200 series router with an NPE-G1, on Cisco IOS Release 12.2(15)T, 12.1(14)E, and 12.3 Mainline. |
The following two tables provide performance results for a single VAM on a Cisco 7206VXR with an NPE-G1 processor, an onboard GE, and FE port adapters in slots 3 and 4.
clear_packet _size |
crypto_packet_size |
out_packet_size |
---|---|---|
64 |
96 |
114 |
300 |
336 |
354 |
1400 |
1432 |
1450 |
Mixed packet size - 344 |
378 |
396 |
pkt_size (bytes) |
# of tunnels |
measured_pps (pps) |
meas_clear_ndr (Mbps) |
meas_crypto_ndr (Mbps) |
meas_out_ndr (Mbps) |
---|---|---|---|---|---|
64 |
4 |
65,224 |
33.39 |
50.09 |
59.48 |
|
500 |
41,888 |
21.44 |
32.17 |
38.20 |
|
1,000 |
40,480 |
20.73 |
31.09 |
36.92 |
|
5,000 |
39,408 |
20.18 |
30.27 |
35.94 |
300 |
4 |
38,032 |
91.28 |
102.23 |
107.71 |
|
500 |
37,184 |
89.24 |
99.95 |
105.31 |
|
1,000 |
36,064 |
86.55 |
96.94 |
102.13 |
|
5,000 |
36,016 |
86.44 |
96.81 |
101.99 |
1400 |
4 |
9,984 |
111.82 |
114.38 |
115.81 |
|
500 |
9,848 |
110.29 |
112.82 |
114.24 |
|
1,000 |
9,648 |
108.06 |
110.53 |
111.92 |
|
5,000 |
9,616 |
107.70 |
110.16 |
111.55 |
Mixed packet size |
4 |
31,472 |
86.61 |
95.17 |
99.70 |
|
500 |
31,056 |
85.47 |
93.91 |
98.39 |
|
1,000 |
30,128 |
82.91 |
91.11 |
95.45 |
|
5,000 |
29,264 |
80.53 |
88.49 |
92.71 |
The following two tables provide performance results for dual VAMs on a Cisco 7206VXR with an NPE-G1 processor, an onboard GE, and FE port adapters in slots 3 and 4.
clear_packet _size |
crypto_packet_size |
out_packet_size |
---|---|---|
64 |
96 |
114 |
300 |
336 |
354 |
1400 |
1432 |
1450 |
Mixed packet size - 344 |
378 |
396 |
pkt_size (bytes) |
# of tunnels |
measured_pps (pps) |
meas_clear_ndr (Mbps) |
meas_crypto_ndr (Mbps) |
meas_out_ndr (Mbps) |
---|---|---|---|---|---|
64 |
4 |
135,544 |
69.40 |
104.10 |
123.61 |
|
500 |
61,520 |
31.50 |
47.25 |
56.11 |
|
1,000 |
56,928 |
29.15 |
43.72 |
51.92 |
|
5,000 |
43,744 |
22.40 |
33.60 |
39.89 |
300 |
4 |
71,336 |
171.21 |
191.75 |
202.02 |
|
500 |
60,416 |
145.00 |
162.40 |
171.10 |
|
1,000 |
56,016 |
134.44 |
150.57 |
158.64 |
|
5,000 |
42,496 |
101.99 |
114.23 |
120.35 |
1400 |
4 |
18,736 |
209.84 |
214.64 |
217.34 |
|
500 |
18,424 |
206.35 |
211.07 |
213.72 |
|
1000 |
18,352 |
205.54 |
210.24 |
212.88 |
|
5,000 |
18,352 |
205.54 |
210.24 |
212.88 |
Mixed packet size |
4 |
60,416 |
166.26 |
182.70 |
191.40 |
|
500 |
57,888 |
159.31 |
175.05 |
183.40 |
|
1,000 |
55,488 |
152.70 |
167.80 |
175.79 |
|
5,000 |
34,272 |
94.32 |
103.64 |
108.57 |
On power up if the enabled LED is on, the VAM is fully functional and does not require any configuration commands. However, for the VAM to provide encryption services, you must complete the following tasks:
The following restrictions apply if you are configuring an AES IKE policy:
The following sample output from the show crypto isakmp policy command displays a warning message after a user tries to configure an IKE encryption method that the hardware does not support:
Router# show crypto isakmp policy
Protection suite of priority 1
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
WARNING:encryption hardware does not support the configured
encryption method for ISAKMP policy 1
hash algorithm: Secure Hash Standard 2 (256-bit)
authentication method: Pre-Shared Key
Diffie-Hellman group: #14 (2048 bit)
lifetime: 3600 seconds, no volume limit
After you have completed IKE configuration, configure IPsec at each participating IPsec peer. This section contains basic steps to configure IPsec.
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Example: Device(config)# access-list 100 permit ip 10.0.68.0 0.0.0.255 10.1.1.0 0.0.0.255 Example: Device(config)# ip access-list extended vpn-tunnel |
Specifies conditions to determine which IP packets are protected.
|
||
|
|
-- |
Command or Action | Purpose | |
---|---|---|
|
Example: Device> enable |
Enables privileged EXEC mode. |
|
Example: Device# configure terminal |
Enters global configuration mode. |
|
Example: Device(config)# crypto ipsec transform-set aesset esp-aes 256 esp-sha-hmac |
Defines a transform set and enters crypto transform configuration mode.
|
|
Example: Device(cfg-crypto-tran)# mode transport |
(Optional) Changes the mode associated with the transform set. |
|
Example: Device(cfg-crypto-tran)# end |
Exits crypto transform configuration mode and enters privileged EXEC mode. |
|
Example: Device# clear crypto sa |
(Optional) Clears existing IPsec security associations so that any changes to a transform set takes effect on subsequently established security associations. Manually established SAs are reestablished immediately. |
|
Example: Device# show crypto ipsec transform-set |
(Optional) Displays the configured transform sets. |
When IKE is used to establish SAs, the IPsec peers can negotiate the settings they use for the new security associations. This means that you can specify lists (such as lists of acceptable transforms) within the crypto map entry.
Perform this task to create crypto map entries that use IKE to establish SAs. To create IPv6 crypto map entries, you must use the ipv6 keyword with the crypto map command. For IPv4 crypto maps, use the crypto map command without the ipv6 keyword.
Note |
Security threats, as well as the cryptographic technologies to help protect against them, are constantly changing. For more information about the latest Cisco cryptographic recommendations, see the Next Generation Encryption (NGE) white paper. |
Command or Action | Purpose | |||
---|---|---|---|---|
|
Example: Device> enable |
Enables privileged EXEC mode. |
||
|
Example: Device# configure terminal |
Enters global configuration mode. |
||
|
Example: Device(config)# crypto map static-map 1 ipsec-isakmp |
Creates or modifies a crypto map entry, and enters crypto map configuration mode. |
||
|
Example: Device(config-crypto-m)# match address vpn-tunnel |
Names an extended access list. |
||
|
Example: Device(config-crypto-m)# set-peer 192.168.101.1 |
Specifies a remote IPsec peer--the peer to which IPsec protected traffic can be forwarded. |
||
|
Example: Device(config-crypto-m)# set transform-set aesset |
Specifies the transform sets that are allowed for this crypto map entry. |
||
|
Example: Device (config-crypto-m)# set security-association lifetime seconds 2700 |
(Optional) Specifies a SA lifetime for the crypto map entry. |
||
|
Example: Device(config-crypto-m)# set security-association level per-host |
(Optional) Specifies that separate SAs should be established for each source and destination host pair.
|
||
|
Example: Device(config-crypto-m)# set pfs group14 |
(Optional) Specifies that IPsec either should ask for password forward secrecy (PFS) when requesting new SAs for this crypto map entry or should demand PFS in requests received from the IPsec peer.
|
||
|
Example: Device(config-crypto-m)# end |
Exits crypto map configuration mode and returns to privileged EXEC mode. |
||
|
Example: Device# show crypto map |
Displays your crypto map configuration. |
Step 1 |
show crypto ipsec transform-set Example:
Device# show crypto ipsec transform-set
Transform set combined-des-md5: {esp-des esp-md5-hmac}
will negotiate = {Tunnel,},
Transform set t1: {esp-des esp-md5-hmac}
will negotiate = {Tunnel,},
Transform set t100: {ah-sha-hmac}
will negotiate = {Transport,},
Transform set t2: {ah-sha-hmac}
will negotiate = {Tunnel,},
{esp-des}
will negotiate = {Tunnel,},
Displays the transform set configuration. |
Step 2 |
show crypto map [interface interface | tag map-name] Example:
Device# show crypto map
Crypto Map "abc" 10 ipsec-isakmp
Peer = 172.21.114.67
Extended IP access list 141
access-list 141 permit ip
source: addr = 172.21.114.123/0.0.0.0
dest: addr = 172.21.114.67/0.0.0.0
Current peer: 172.21.114.67
Security-association lifetime: 4608000 kilobytes/120 seconds
PFS (Y/N): N
Transform sets={t1,}
Displays the crypto map configuration. |
Step 3 |
show crypto ipsec sa [map map-name | address | identity | detail | interface] Example:
Device# show crypto map ipsec sa interface
Crypto map tag: abc, local addr. 172.21.114.123
local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
current_peer: 172.21.114.67
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#send errors 10, #recv errors 0
local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
path mtu 1500, media mtu 1500
current outbound spi: 20890A6F
inbound esp sas:
spi: 0x257A1039(628756537)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 26, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x20890A6F(545852015)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 27, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
interface: Tunnel0
Crypto map tag: abc, local addr. 172.21.114.123
local ident (addr/mask/prot/port): (172.21.114.123/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.21.114.67/255.255.255.255/0/0)
current_peer: 172.21.114.67
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
#pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
#send errors 10, #recv errors 0
local crypto endpt.: 172.21.114.123, remote crypto endpt.: 172.21.114.67
path mtu 1500, media mtu 1500
current outbound spi: 20890A6F
inbound esp sas:
spi: 0x257A1039(628756537)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 26, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
outbound esp sas:
spi: 0x20890A6F(545852015)
transform: esp-des esp-md5-hmac,
in use settings ={Tunnel,}
slot: 0, conn id: 27, crypto map: router-alice
sa timing: remaining key lifetime (k/sec): (4607999/90)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
Displays information about IPsec security associations. |
To verify that Cisco IOS software has recognized VAM, enter the show diag command and check the output. For example, when the router has the VAM in slot 1, the following output appears:
Router# show diag 1
Slot 1:
VAM Encryption/Compression engine. Port adapter
Port adapter is analyzed
Port adapter insertion time 00:04:45 ago
EEPROM contents at hardware discovery:
Hardware Revision :1.0
PCB Serial Number :15485660
Part Number :73-5953-04
Board Revision :
RMA Test History :00
RMA Number :0-0-0-0
RMA History :00
Deviation Number :0-0
Product Number :CLEO
Top Assy. Part Number :800-10496-04
CLEI Code :
EEPROM format version 4
EEPROM contents (hex):
0x00:04 FF 40 02 8A 41 01 00 C1 8B 31 35 34 38 35 36
0x10:36 30 00 00 00 82 49 17 41 04 42 FF FF 03 00 81
0x20:00 00 00 00 04 00 80 00 00 00 00 CB 94 43 4C 45
0x30:4F 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
0x40:20 C0 46 03 20 00 29 00 04 C6 8A FF FF FF FF FF
0x50:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x60:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
0x70:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
To see if the VAM is currently processing crypto packets, enter the show pas vam interface command. The following is sample output:
Router# show pas vam interface
Interface VAM 1/1 :
ds:0x632770C8 idb:0x62813728
Statistics of packets and bytes that through this interface:
18 packets in 18 packets out
2268 bytes in 2268 bytes out
0 paks/sec in 0 paks/sec out
0 Kbits/sec in 0 Kbits/sec out
83 commands out 83 commands acknowledged
ppq_full_err :0 ppq_rx_err :0
cmdq_full_err :0 cmdq_rx_err :0
no_buffer :0 fallback :0
dst_overflow :0 nr_overflow :0
sess_expired :0 pkt_fragmented :0
out_of_mem :0 access_denied :0
invalid_fc :0 invalid_param :0
invalid_handle :0 output_overrun :0
input_underrun :0 input_overrun :0
key_invalid :0 packet_invalid :0
decrypt_failed :0 verify_failed :0
attr_invalid :0 attr_val_invalid :0
attr_missing :0 obj_not_wrap :0
bad_imp_hash :0 cant_fragment :0
out_of_handles :0 compr_cancelled :0
rng_st_fail :0 other_errors :0
633 seconds since last clear of counters
When the VAM processes packets, the "packet in" and "packet out" counters change. Counter "packets out" represents the number of packets directed to the VAM. Counter "packets in" represents the number of packets received from the VAM.
Note |
In versions prior to Cisco IOS Release 12.2(5)T and Cisco IOS Release 12.1(10)E, upon reboot trap configurations are lost and need to be re-entered. |
Use the commands below to monitor and maintain the VPN Acceleration Module:
Command |
Purpose |
---|---|
Router# show pas isa interface |
Displays the ISA interface configuration. |
Router# show pas isa controller |
Displays the ISA controller configuration. |
Router# show pas vam interface |
Verifies the VAM is currently processing crypto packets. |
Router# show pas vam controller |
Displays the VAM controller configuration. |
Router# Show version |
Displays integrated service adapter as part of the interfaces. |
In the following example, two IKE policies are created, with policy 15 as the highest priority, policy 20 as the next priority, and the existing default priority as the lowest priority. It also creates a preshared key to be used with policy 20 with the remote peer whose IP address is 192.168.224.33.
crypto isakmp policy 15 encryption 3des hash md5 authentication rsa-sig group 2 lifetime 5000 crypto isakmp policy 20 authentication pre-share lifetime 10000 crypto isakmp key 1234567890 address 192.168.224.33
The following example shows a minimal IPsec configuration where the security associations will be established via IKE:
An IPsec access list defines which traffic to protect:
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.2.2.0 0.0.0.255
A transform set defines how the traffic will be protected. In this example, transform set "myset1" uses DES encryption and SHA for data packet authentication:
crypto ipsec transform-set myset1 esp-des esp-sha
Another transform set example is "myset2," which uses Triple DES encryption and MD5 (HMAC variant) for data packet authentication:
crypto ipsec transform-set myset2 esp-3des esp-md5-hmac
A crypto map joins together the IPsec access list and transform set and specifies where the protected traffic is sent (the remote IPsec peer):
crypto map toRemoteSite 10 ipsec-isakmp match address 101 set transform-set myset2 set peer 10.2.2.5
The crypto map is applied to an interface:
interface Serial0 ip address 10.0.0.2 crypto map toRemoteSite
Note |
In this example, IKE must be enabled. |
Related Topic | Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
IPsec configuration |
Configuring IPsec |
IKE configuration |
Configuring IKE |
VAM installation and configuration tasks |
VAM Installation and Configuration Guide |
Standard/RFC | Title |
---|---|
RFC 2393 |
IP Payload Compression Protocol (IPComp) |
RFC 2395 |
IP Payload Compression Using LZS |
RFCs 2401 to 2411 |
IPsec--IKE |
RFC 2451 |
The ESP CBC-Mode Cipher Algorithms |
IPSec/IKE: RFCs 2401-2411, 2451 |
MIB | MIBs Link |
---|---|
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
Description | Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for VPN Acceleration Module |
Feature Name | Releases | Feature Information |
---|---|---|
VPN Acceleration Module (VAM) |
12.1(9)E 12.1(14)E 12.2(9)YE 12.2(13)T 12.2(15)T 12.3(1)Mainline 12.2(14)SU |
VPN Acceleration Module (VAM) supports Data Encryption Standard (DES) or Triple DES (3DES) IPsec encryption at a rate greater than full-duplex DS-3 line rate (up to 145 Mbps) for site-to-site VPNs such as intranets and extranets. VAM also supports up to 5000 encrypted tunnels for mixed VPN environments that have both site-to-site and remote access VPN requirements. VAM integrates hardware-assisted Rivest, Shamir, and Adelman (RSA) and IP Payload Compression Protocol (IPPCP) layer 3 compression to accelerate RSA processing, thereby enhancing tunnel setup and improving overall VPN initialization. In environments where bandwidth is costly, VAM provides hardware-based IPPCP Lempel-Ziv-Stac (LZS) processing to compress network traffic before it is encrypted and sent over pay-per-byte WAN connections. In 12.1(9)E, this feature was introduced on the Cisco 7200 series routers on NPE-225, NPE-400, and NSE-1. In 12.1(14)E, this feature was integrated into Cisco IOS Release 12.1(14)E and support for dual VAMs1 on the Cisco 7200 series with NPE-G1 was added. In 12.2(9)YE, support for this feature was added to the Cisco 7401ASR router2. The following commands were introduced or modified:crypto engine sw ipsec, show pas vam controller, show pas vam interface. |
IKE--Internet Key Exchange. IKE establishes a shared security policy and authenticates keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must verify the identity of its peer. This can be done by manually entering preshared keys into both hosts or by a CA service.
IPsec--IP Security. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle the negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.