I needed to configure my Cisco 1921 lab router for Site-to-Site IPsec VPN with a Cisco FTD but I don't have the Security license installed. So I just activated the 60-day Evaluation license instead. Here's a good Cisco link about Cisco ISR G2 and 4K router software packages and licenses.
License Types Available on the ISR G2
Permanent Licenses
Permanent licenses are valid for the life of the device on which they are installed. Some examples of permanent licenses are IOS Technology Packages (IPB, UC, SEC, DATA) and Feature Licenses such as SSL VPN.
Temporary Licenses
Temporary licenses are used for evaluating new capabilities or in emergency situations. A temporary license allows a feature set to be used for 60 days of actual usage. When the 60-day period expires, the device will continue to operate normally until reloaded. After the reload, the device will default to the original functionality before the temporary license was enabled. Only actual time that the temporary license is enabled counts towards the 60 day limit. The Cisco Technical Assistance Center (TAC) can provide an extension license for longer trials or other circumstances.
Feature Licenses
Some individual features can be enabled or disabled by license keys. These features check for their licenses before enabling themselves. A feature license will typically have a prerequisite before it will function such as a requirement for a Universal Communication license before a CUBE feature license will function. Some examples of feature licenses are CME, CUBE etc.
There are two types of Feature licenses:
Software Activation Feature Licenses
These are typically upgrades to one or more technology Package Licenses and can be included on new routers or upgraded through Cisco Software Activation. These licenses are enforced through Cisco Software Licensing framework.
Right to Use Feature Licenses
These licenses follow the traditional licensing model and do not use Cisco Software Activation. They can be ordered when the router is initially purchased or at a later date.
Subscription Licenses
Subscription licenses are time-based licenses that require the subscriber to periodically renew or the license will expire after an agreed-upon time. Some examples of Subscription licenses are URL Filtering and IPS.
Counted Licenses
Feature licenses can be either uncounted licenses or counted licenses. Uncounted licenses do not have any count and simply enable the unrestricted feature on the router when activated. Counted licenses enable a defined number of uses, e.g. CME User Licenses.
You can verify the router's software package and features using the show version and show license CLI commands.
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Router uptime is 2 minutes
System returned to ROM by power-on
System restarted at 10:03:01 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID                SN
-------------------------------------------------
*0        CISCO1921/K9       FGL16312ABC
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None
Configuration register is 0x2102
Router#show crypto
% Incomplete command.     // UNABLE TO ISSUE CRYPTO RELATED COMMANDS
Router#show license
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 3 Feature: datak9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0 (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#license ?
  accept     Accept all further License Agreements
  agent      Configure LIC_AGENT
  boot       license boot config commands
  call-home  license call-home config commands
Router(config)#license boot ?
  module  which module to boot
Router(config)#license boot module ?
  c1900  license boot module for c1900
Router(config)#license boot module c1900 ?
  technology-package  product technology group
Router(config)#license boot module c1900 technology-package ?
  datak9      data technology
  securityk9  security technology
Router(config)#license boot module c1900 technology-package securityk9 ?
  disable  disable the technology
  <cr>
Router(config)#license boot module c1900 technology-package securityk9
PLEASE READ THE FOLLOWING TERMS CAREFULLY. INSTALLING THE LICENSE OR
LICENSE KEY PROVIDED FOR ANY CISCO PRODUCT FEATURE OR USING SUCH
PRODUCT FEATURE CONSTITUTES YOUR FULL ACCEPTANCE OF THE FOLLOWING
TERMS. YOU MUST NOT PROCEED FURTHER IF YOU ARE NOT WILLING TO BE BOUND
BY ALL THE TERMS SET FORTH HEREIN.
Use of this product feature requires an additional license from Cisco,
together with an additional payment. You may use this product feature
on an evaluation basis, without payment to Cisco, for 60 days. Your use
of the product, including during the 60 day evaluation period, is
subject to the Cisco end user license agreement
If you use the product feature beyond the 60 day evaluation period, you
must submit the appropriate payment to Cisco for the license. After the
60 day evaluation period, your use of the product feature will be
governed solely by the Cisco end user license agreement (link above),
together with any supplements relating to such product feature. The
above applies even if the evaluation license is not automatically
terminated and you do not receive any notice of the expiration of the
evaluation period. It is your responsibility to determine when the
evaluation period is complete and you are required to make payment to
Cisco for your use of the product feature beyond the evaluation period.
Your acceptance of this agreement for the software features on one
product shall be deemed your acceptance with respect to all such
software on all Cisco products you purchase which includes the same
software. (The foregoing notwithstanding, you must purchase a license
for each software feature you use past the 60 days evaluation period,
so that if you enable a software feature on 1000 devices, you must
purchase 1000 licenses for use past the 60 day evaluation period.)
Activation of the software command line interface will be evidence of
your acceptance of this agreement.
ACCEPT? [yes/no]: yes
% use 'write' command to make license boot config take effect on next boot
Router(config)#
Aug 7 10:09:24.559: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = securityk9 and License = securityk9
Aug 7 10:09:24.955: %LICENSE-6-EULA_ACCEPTED: EULA for feature securityk9 1.0 has been accepted. UDI=CISCO1921/K9:FGL163126BV; StoreIndex=0:Built-In License Storage
Router(config)#end
Router#
Aug 7 10:09:33.315: %SYS-5-CONFIG_I: Configured from console by console
Router#write
Building configuration...
[OK]
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Router uptime is 6 minutes
System returned to ROM by power-on
System restarted at 10:03:01 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID                SN
-------------------------------------------------
*0        CISCO1921/K9       FGL16312ABC
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           securityk9
data          None          None           None
Configuration register is 0x2102
Router#show license
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: 8 weeks 4 days
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, Not in Use, EULA accepted
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0 (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Router#reload     // NEED A REBOOT OR RELOAD TO TAKE EFFECT
Proceed with reload? [confirm]
Aug 7 10:10:17.031: %SYS-5-RELOAD: Reload requested by console. Reload Reason: Reload Command.
System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 2011 by cisco Systems, Inc.
Total memory size = 512 MB
CISCO1921/K9 platform with 524288 Kbytes of main memory
Main memory is configured to 64 bit mode with ECC disabled
Readonly ROMMON initialized
program load complete, entry point: 0x80903000, size: 0x4c4a0
program load complete, entry point: 0x80903000, size: 0x4c4a0
IOS Image Load Test
___________________
Digitally Signed Release Software
program load complete, entry point: 0x81000000, size: 0x34890b0
Self decompressing the image :
<SNIP>
Press RETURN to get started!
Jan 2 12:00:02.587: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = ipbasek9 and License = ipbasek9
Jan 2 12:00:02.843: %IOS_LICENSE_IMAGE_APPLICATION-6-LICENSE_LEVEL: Module name = c1900 Next reboot level = securityk9 and License = securityk9
Aug 7 10:12:13.163: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Initialized
Aug 7 10:12:13.167: %VPN_HW-6-INFO_LOC: Crypto engine: onboard 0 State changed to: Enabled
Aug 7 10:12:13.879: %LINK-
Router>3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Aug 7 10:12:13.879: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
Aug 7 10:12:13.879: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
Aug 7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
Aug 7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down
Aug 7 10:12:14.879: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
Aug 7 10:12:19.627: %USBFLASH-5-CHANGE: usbflash0 has been inserted!
Aug 7 10:12:22.079: %SYS-5-CONFIG_I: Configured from memory by console
Aug 7 10:12:24.043: %LINK-5-CHANGED: Interface Embedded-Service-Engine0/0, changed state to administratively down
Aug 7 10:12:24.043: %LINK-5-CHANGED: Interface GigabitEthernet0/0, changed state to administratively down
Aug 7 10:12:24.043: %LINK-5-CHANGED: Interface GigabitEthernet0/1, changed state to administratively down
Aug 7 10:12:24.047: %LINK-5-CHANGED: Interface Serial0/0/0, changed state to administratively down
Aug 7 10:12:25.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Embedded-Service-Engine0/0, changed state to down
Aug 7 10:12:25.479: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
Aug 7 10:12:25.483: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
Aug 7 10:12:26.095: %SYS-6-BOOTTIME: Time taken to reboot after reload = 130 seconds
Aug 7 10:12:26.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Aug 7 10:12:26.719: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Aug 7 10:12:26.719: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
Aug 7 10:12:26.719: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
Router>enable
Router#show version
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Tue 20-Mar-12 17:58 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M15, RELEASE SOFTWARE (fc1)
Router uptime is 1 minute
System returned to ROM by reload at 10:10:15 UTC Wed Aug 7 2019
System restarted at 10:11:48 UTC Wed Aug 7 2019
System image file is "usbflash0:c1900-universalk9-mz.SPA.151-4.M4.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO1921/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FGL16312ABC
2 Gigabit Ethernet interfaces
1 Serial(sync/async) interface
1 terminal line
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
249840K bytes of USB Flash usbflash0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device#   PID                SN
-------------------------------------------------
*0        CISCO1921/K9       FGL16312ABC
Technology Package License Information for Module:'c1900'
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
------------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      securityk9    EvalRightToUse securityk9
data          None          None           None
Configuration register is 0x2102
Router#show license
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Medium
Index 2 Feature: securityk9
        Period left: 8 weeks 4 days
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 4 Feature: SSL_VPN
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: 0/0 (In-use/Violation)
        License Priority: None
Index 5 Feature: ios-ips-update
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
Index 6 Feature: WAAS_Express
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not accepted
        License Count: Non-Counted
        License Priority: None
I was able to issue crypto-related commands and establish an IKE Security Association (SA) with the Cisco FTD afterwards.
Router#show crypto ?
  call             Show crypto call admission info
  ctcp             cTCP connections
  datapath         Data Path
  debug-condition  Debug Condition filters
  dynamic-map      Crypto map templates
  eli              Encryption Layer Interface
  engine           Show crypto engine info
  entropy          Entropy sources
  gdoi             Show crypto gdoi
  ha               Crypto High Availability information
  identity         Show crypto identity list
  ikev2            Shows ikev2 info
  ipsec            Show IPSEC policy
  isakmp           Show ISAKMP
  key              Show long term public keys
  map              Crypto maps
  mib              Show Crypto-related MIB Parameters
  optional         Optional Encryption Status
  pki              Show PKI
  route            Show crypto VPN routes
  ruleset          Show crypto rules on outgoing packets
  session          Show crypto sessions (tunnels)
  sockets          Secure Socket Information
  tech-support     Displays relevant crypto information
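Because a temporary license keeps working after its 60 days run out and only reverts at the next reload, a router terminating an IPsec tunnel on an EvalRightToUse securityk9 license can lose its crypto commands at some later reload. The following added example (not part of the original post) parses show license output, including captures with wrapped lines, and reports features that are in use on an evaluation license. The function names, the warn_days threshold and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of this page's post-reload `show license`
# output, trimmed to three features and left ragged like a pasted capture.
SAMPLE = """\
Index 1 Feature: ipbasek9
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
Index 2 Feature: securityk9
        Period
left: 8 weeks 4 days
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License
State: Active, In Use
        License Count: Non-Counted
        License Priority: Low
Index 3 Feature: datak9
        Period left: Not Activated
        Period Used: 0 minute 0 second
        License Type: EvalRightToUse
        License State: Not in Use, EULA not
accepted
"""

KEYS = ("Period left", "Period Used", "License Type",
        "License State", "License Count", "License Priority")
KEY_RE = re.compile("(%s):" % "|".join(KEYS))


def parse_show_license(text):
    """Return {feature: {field: value}}, tolerating wrapped lines."""
    flat = " ".join(text.split())           # undo terminal line wrapping
    features = {}
    for block in re.split(r"\bIndex \d+ ", flat)[1:]:
        m = re.match(r"Feature: (\S+)\s*(.*)", block)
        if m:
            parts = KEY_RE.split(m.group(2))  # ['', key, value, key, value, ...]
            features[m.group(1)] = {
                k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    return features


def days_left(period):
    """'8 weeks 4 days' -> 60; 'Life time' or 'Not Activated' -> None."""
    if not re.search(r"\d", period):
        return None
    units = {"week": 7, "day": 1}           # shorter units count as 0 days
    return sum(int(n) * units[u]
               for n, u in re.findall(r"(\d+) (week|day)", period))


def eval_findings(text, warn_days=14):
    """Report features that are in use on an EvalRightToUse license."""
    findings = []
    for name, f in parse_show_license(text).items():
        state = f.get("License State", "").lower()
        in_use = "in use" in state and "not in use" not in state
        if f.get("License Type") == "EvalRightToUse" and in_use:
            left = days_left(f.get("Period left", ""))
            findings.append({"feature": name, "days_left": left,
                             "expiring": left is not None and left <= warn_days})
    return findings


if __name__ == "__main__":
    for finding in eval_findings(SAMPLE):
        print(finding)
```

Run against the pre-reload output (License State "Active, Not in Use, EULA accepted") it reports nothing, since the evaluation package is not yet the running one.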