Friday, May 15, 2009

Using AES on the Cisco 837

While trying to set up an IPsec SA on a Cisco 837 router I ran across an annoying problem. The solution is not obvious (to me) and Google wasn't very helpful, so I figure it is worth mentioning. When trying to configure a transform set using esp-aes I got the following message:

Cisco837(config)#crypto ipsec transform-set my-ts esp-aes 256
Transform ecessa-ts disabled because esp-aes is not supported by encryption hardware

Re-checking the 837 datasheet confirmed that it does support AES in software. Specifying 128 or 192 as the key length had the same result. I also tried setting AES as the ISAKMP encryption parameter and got an error there as well:

Cisco837(config-isakmp)#enc aes 256
May 15 15:38:03.704: %CRYPTO-4-ENC_METHOD_NOT_SUPPORTED: Invalid encryption method for IKE policy 10

Google was oddly unhelpful until I searched the comp.dcom.sys.cisco Usenet group and found this thread. Apparently, to use AES in software on the 837, you need to disable the hardware 3DES engine with the following global configuration command:

no crypto engine accelerator

After that, specifying AES works fine.
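The fix in context, as an added configuration example rather than the post's own config: the accelerator is disabled globally first, then the ISAKMP policy and transform set that previously failed are entered. The policy number, transform-set name, peer address and pre-shared key are placeholders.

```cisco
! Added example, not the original post's configuration.
! Policy number, transform-set name, peer address and key are placeholders.
configure terminal
!
! Send all IPsec crypto to software so esp-aes / aes are accepted
no crypto engine accelerator
!
! IKE phase 1: this "encryption aes 256" line was rejected with
! %CRYPTO-4-ENC_METHOD_NOT_SUPPORTED while the accelerator was enabled
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
crypto isakmp key PRESHARED_KEY_PLACEHOLDER address 192.0.2.1
!
! IKE phase 2: this transform set was "disabled" while the accelerator was enabled
crypto ipsec transform-set my-ts esp-aes 256 esp-sha-hmac
 mode tunnel
!
end
!
! Confirm the policy and transform set are now active
show crypto isakmp policy
show crypto ipsec transform-set
```

Disabling the accelerator moves every IPsec cipher, 3DES included, onto the router's CPU, so expect lower throughput on existing 3DES tunnels as well.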

2 comments:

  1. Which IOS are you using?

  2. I didn't have that router very long, but the gods of email are smiling and I still have an email string about it. The firmware file in use was c837-k9o3sy6-mz.123-11.T10.bin, so presumably 12.3-11.
