® VPN Internal Service Module (VPN ISM) is a module for the Cisco Integrated Services Routers Generation 2 (ISR G2) that provides the capability to considerably increase performance for VPN encrypted traffic. The module has a multicore processor that operates independently of the host router resources, helping ensure maximum concurrent encrypted application performance while maintaining competitive performance for other types of traffic. The Cisco VPN ISM supports the latest versions of cryptography standards, including stronger National Security Agency (NSA) regulated cryptographic algorithms such as Suite B Cryptography.
The Cisco VPN ISM is ready to use, allowing quick and easy installation of the module for increasing VPN encryption performance on Cisco ISR G2 routers. The VPN ISM is compatible with all Cisco ISR G2 routers that support the ISM card slot and runs the same level of feature-rich functions as found on the Cisco ISR G2. It integrates all elements necessary to optimize branch-office IT infrastructure for delivery of encrypted application data from the data center and deployment of branch-office applications on demand, and houses them under a single chassis - the Cisco ISR G2.
Figure 1 shows the Cisco VPN Internal Service Module (VPN ISM).
Figure 1. Cisco VPN Internal Service Module (VPN ISM)
Features and Benefits
Table 1 describes the features supported by the Cisco VPN ISM and Table 2 describes the benefits of the Cisco VPN ISM features.
Table 1. Supported Features of Cisco VPN ISM
The Cisco VPN ISM fits in the ISM slot in the Cisco ISR G2.
The Cisco VPN ISM supports the Cisco 1941 and the Cisco 2900 and 3900 Series Integrated Services Routers (ISRs).
An ISM slot for the Cisco 1941 and the Cisco 2900 and 3900 Series is required.
IP Security (IPsec) encryption supported
• Rivest, Shamir, and Adelman (RSA)
• Elliptic-Curve Digital Signature Algorithm (ECDSA)
• Advanced Encryption Standard (AES) in Galois Message Authentication Code (GMAC)
• Diffie Hellman and Elliptic-Curve Diffie Hellman (ECDH)
The Cisco VPN ISM supports SSL VPN encryption with DES, 3DES and AES.
Note: VPN ISM does not support DTLS.
Number of encryption modules per router
The Cisco VPN ISM uses one encryption module per router.
Minimum Cisco IOS Software version required
The Cisco VPN ISM requires Cisco IOS Software Version 15.2(1)T1 or later. The SEC-K9 and HSEC-K9 licenses are required.
Maximum number of IPsec encrypted tunnels
The Cisco VPN ISM supports up to 500 tunnels on the Cisco 1941, up to 2000 tunnels on the Cisco 2900 Series, and up to 3000 tunnels on the Cisco 3900 Series.
The Cisco VPN ISM supports the IPsec Internet Key Exchange (IKE): RFCs 2401 to 2410, 2411, 2451, 4306, 4718, 4869, and 5996.
Table 2. Features and Benefits of Cisco VPN ISM
Ability to offload encryption to a dedicated service module
Dedicated encryption protects performance while using CPU for other services.
Small physical, energy, and carbon footprint
You can save on energy bills, hardware support contracts, and onsite visits.
Maximum performance while also maintaining strong encryption protection
You have two to three times better onboard performance with the strongest Suite B encryption support.
High-overhead IPsec processing from the main processor
Critical processing resources are reserved for other services such as routing, firewall, and voice.
Cisco IPsec configuration can be monitored and can be integrated into a variety of VPN management solutions.
Certificate support to facilitate automatic authentication using digital certificates
Encryption use scales for large networks requiring secure connections between multiple sites.
Easy integration of VPN modules into existing Cisco 1941 and Cisco 2900 and 3900 Series Routers
System costs, management complexity, and deployment effort are reduced significantly compared to multiple-device solutions.
Confidentiality, data integrity, and data origin authentication through IPsec
Secure use of public switched networks and the Internet for WANs is facilitated.
Cisco IOS SSL VPN
Businesses can securely and transparently extend their networks to any Internet-enabled location using SSL VPN. The Cisco IOS SSL VPN supports Cisco AnyConnect Client, enabling full network access remotely to virtually any application.
Cisco VPN ISM acceleration module platform support is outlined in Table 3.
Table 3. Supported Platforms
Cisco VPN ISM IPsec VPN Performance
• The Cisco 1941 Series Module (ISM-VPN-19) can provide hardware-based IPSec encryption services of 140 and 500 Mbps in the Cisco 1941 (IPSec Internet mix [IMIX] and 1400-byte packets).
• The Cisco 2900 Series Module (ISM-VPN-29) can provide hardware-based IPSec encryption services of 145 and 550 Mbps in the Cisco 2901, 150 and 600 Mbps in the Cisco 2911, 220 and 700 Mbps in the Cisco 2921, and 385 and 900 Mbps in the Cisco 2951 (IPSec IMIX and 1400-byte packets).
• The Cisco 3900 Series Module (ISM-VPN-39) can provide hardware-based IPSec encryption services of 550 and 1100 Mbps in the Cisco 3925 and 600 and 1200 Mbps in the Cisco 3945 (IPSec IMIX and 1400-byte packets).
Table 4 gives specifications for the Cisco VPN ISM.
Table 4. Cisco VPN ISM Product Specifications
Product part number
Internal network interfaces
Gigabit Ethernet connectivity to router backplane
Cisco IOS Software
15.2(1)T1 or higher
Data Encryption Standard (DES), 3DES, Advanced Encryption Standard (AES) in Cipher-Block Chaining (CBC) and Galois/Counter Mode (GCM) (128-, 192-, and 256-bit)
Diffie Hellman (DH) and Elliptic-Curve Diffie Hellman (ECDH)
Rivest, Shamir, and Adelman (RSA) and Elliptic-Curve Digital Signature Algorithm (ECDSA)
Message Digest Algorithm 5 (MD5), Secure Hash Algorithm 1 and 2 (SHA-1 and SHA-2, respectively) (384- and 512-bit), and AES-GMAC (128-, 192-, 256- bit)
Power consumption (maximum)
Dimensions (H x W x D)
0.85 x 4 x 6.1 in. (2.2 x 10.2 x 15.5 cm)
Shipping dimensions (H x W x D with packaging)
9.45 x 7.18 x 2.38 in. (24 x 18.4 x 6.05 cm)
0.5 lb (0.206 kg)
Cisco 1941 and 2901: 32 to 104°F (0 to 40°C) normal
Cisco 2911, 2921, 2951, 3925, and 3945: 32 to 122°F (0 to 50°C) normal
10 to 95% operating
104°F (40°C) at sea level
104°F (40°C) at 6,000 ft (1,800m)
86°F (30°C) at 13,000 ft (4,000m)
81°F (27.2°C) at 15,000 ft (4,600m)
Note: De-rate 34.5°F (1.4°C) per 1,000 ft above 6,000 ft (per 300m above 2,600m)
Transportation and Storage Conditions
-4 to 149°F (-20 to +65°C)
9 to 95% operating
10,000 ft (3,050m)
• UL 60950-1, 2nd Edition, Standard for safety for information deployable platform technology equipment (US)
• CAN/CSA-C22.2 No. 60950-1-03, Safety of information technology equipment including electrical business equipment (Canada)
• IEC 60950-1:3
rd edition [PRC] Safety of information technology equipment/Second Edition [Mexico]
• EN 60950 -1:2001, Safety of information technology equipment (CENELEC; includes EU and EFTA)
• AS/NZS 60950-1, Safety of information technology equipment including electrical business equipment (Australia)
• 47 CFR Part 15 Class A
• CISPR22 Class A
• EN300386 Class A
• EN55022 Class A
• ICES Class A
• KN 22 Class A
• VCCI Class I
For information about how to order the Cisco VPN Internal Service Module, please visit the
Cisco ISR G2 Ordering Guide. To place an order, visit the
Cisco Ordering Home Page and refer to Tables 5 and 6. For additional product numbers, including the Cisco VPN ISM bundle offerings, please check the Cisco price list or contact your local Cisco account representative.
Cisco VPN ISM hardware service and support is covered by the Cisco SMARTnet
® Service contract for the router in which the module will reside. For more information about Cisco Technical Services visit