04-19-2021 09:10 AM
Hello Experts @Marvin Rhoads @Rob @Sheraz.Salim @balaji.bandi @Mohammed al Baqari @Richard Burts
Whenever I configure IPsec tunnels, I check the Phase 1 DH group and encryption (DES/AES/SHA etc.) and in Phase 2 select the local and remote subnets with the same encryption.
What does phase one specifically do? On Cisco ASA, which command can I use to see if phase 1 is operational/up?
What does phase two specifically do? On Cisco ASA, which command can I use to see if phase 2 is up/operational?
Thanks,
Lovejit
04-19-2021 09:26 AM - edited 04-19-2021 09:26 AM
Phase 1 establishes an IKE Security Association (SA); these IKE SAs are then used to securely negotiate the IPsec SAs (Phase 2). Data is transmitted securely using the IPsec SAs.
Phase 1 = "show crypto isakmp sa" or "show crypto ikev1 sa" or "show crypto ikev2 sa"
Phase 2 = "show crypto ipsec sa"
To confirm data is actually sent and received over the VPN, check the output of "show crypto ipsec sa" and confirm the counters for encaps|decaps are increasing.
04-19-2021 01:10 PM
As Rob mentioned, he is right, but just to point you in a more specific direction:
What does phase one specifically do? On Cisco ASA, which command can I use to see if phase 1 is operational/up?
- show crypto isakmp sa detail | b x.x.x.x, where x.x.x.x is your remote peer IP address.
What does phase two specifically do? On Cisco ASA, which command can I use to see if phase 2 is up/operational?
- show crypto ipsec sa peer x.x.x.x
You can also use this command on the ASA:
show vpn-sessiondb detail l2l filter ipaddress x.x.x.x
This command will show you the full detail of the phase 1 and phase 2 settings.
04-20-2021 05:37 AM - edited 04-20-2021 05:38 AM
Well, just to add my two cents.
What does phase one specifically do? On Cisco ASA, which command can I use to see if phase 1 is operational/up?
As Rob has already mentioned, this part of the process establishes a tunnel to securely agree upon the encryption keys to be used when encrypting traffic. So I like to think of this as a type of management tunnel.
Commands to be used here are:
show crypto ikev1 sa
show crypto ikev2 sa
What does phase two specifically do? On Cisco ASA, which command can I use to see if phase 2 is up/operational?
This is where the VPN devices agree upon what method will be used to encrypt data traffic. The keys, or security associations, will be exchanged using the tunnel established in phase 1. Once this exchange is successful, all data traffic will be encrypted using this second tunnel. The only time the phase 1 tunnel will be used again is for the rekeys.
Commands to use:
show crypto ipsec sa peer x.x.x.x !(where x.x.x.x is the IP of the remote peer)
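A way to automate the checks given in the answers above (phase 1 state from `show crypto ikev1 sa`, and Rob's advice to confirm the encaps/decaps counters in `show crypto ipsec sa` are increasing), as an added Python example that is not from this thread or from Cisco: it parses two snapshots of `show crypto ipsec sa peer x.x.x.x` output taken a short time apart, plus the IKE SA listing, and classifies the tunnel. The sample output is constructed to resemble the ASA's layout (an assumption about the format; check against your own device), the addresses are documentation ranges, and the function names are my own.

```python
import re

# Constructed sample output (not captured from a real ASA), laid out like the
# ASA's "show crypto ikev1 sa" listing. 203.0.113.10 is a documentation address.
IKEV1_SA_SAMPLE = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
"""


def _ipsec_sample(encaps: int, decaps: int) -> str:
    """Constructed 'show crypto ipsec sa peer' snapshot with the given counters."""
    return f"""\
peer address: 203.0.113.10
    Crypto map tag: outside_map, seq num: 1, local addr: 198.51.100.1

      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.10

      #pkts encaps: {encaps}, #pkts encrypt: {encaps}, #pkts digest: {encaps}
      #pkts decaps: {decaps}, #pkts decrypt: {decaps}, #pkts verify: {decaps}
"""


IPSEC_T0 = _ipsec_sample(1200, 980)       # first snapshot
IPSEC_T1 = _ipsec_sample(1450, 1210)      # taken a minute later; both directions moved
IPSEC_ONE_WAY = _ipsec_sample(1450, 980)  # we encapsulate, but nothing comes back

# IKE SA states taken to mean phase 1 is established: main/aggressive mode for
# IKEv1 and READY for IKEv2 (assumption: compared textually with the State field).
ACTIVE_STATES = {"MM_ACTIVE", "AM_ACTIVE", "READY"}


def ike_state_for_peer(output: str, peer: str):
    """Return the State field of the IKE SA entry for `peer`, or None if absent."""
    entry = re.compile(r"IKE Peer:\s*(\S+)\n(.*?)(?=\n\d+\s+IKE Peer:|\Z)", re.S)
    for m in entry.finditer(output):
        if m.group(1) == peer:
            state = re.search(r"State\s*:\s*(\S+)", m.group(2))
            return state.group(1) if state else None
    return None


def phase1_up(output: str, peer: str) -> bool:
    return ike_state_for_peer(output, peer) in ACTIVE_STATES


def ipsec_counters(output: str) -> dict:
    """Extract the first encaps/decaps pair. With several proxy identities for
    one peer you would key these by local/remote ident instead of taking the first."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", output)
    if enc is None or dec is None:
        raise ValueError("no encaps/decaps counters: no phase 2 SA for this peer")
    return {"encaps": int(enc.group(1)), "decaps": int(dec.group(1))}


def counter_delta(before: str, after: str) -> dict:
    b, a = ipsec_counters(before), ipsec_counters(after)
    return {k: a[k] - b[k] for k in ("encaps", "decaps")}


def tunnel_health(ike_output: str, ipsec_before: str, ipsec_after: str, peer: str) -> str:
    """Classify the tunnel: phase 1 first, then whether phase 2 carries traffic."""
    if not phase1_up(ike_output, peer):
        return "PHASE1_DOWN"
    try:
        delta = counter_delta(ipsec_before, ipsec_after)
    except ValueError:
        return "PHASE2_NO_SA"
    if delta["encaps"] < 0 or delta["decaps"] < 0:
        return "SA_REBUILT"        # counters restart when the IPsec SA is rebuilt
    if delta["encaps"] == 0 and delta["decaps"] == 0:
        return "PHASE2_NO_TRAFFIC"  # SA exists but nothing is using it
    if delta["encaps"] == 0 or delta["decaps"] == 0:
        return "ONE_WAY"            # classic symptom of a routing/ACL problem on one side
    return "UP"


if __name__ == "__main__":
    print(tunnel_health(IKEV1_SA_SAMPLE, IPSEC_T0, IPSEC_T1, "203.0.113.10"))
    print(tunnel_health(IKEV1_SA_SAMPLE, IPSEC_T0, IPSEC_ONE_WAY, "203.0.113.10"))
```

In practice you would feed the script the saved output of the two `show` commands (collected over SSH a minute apart); the point is that a present SA is not the same as a working tunnel, which is why the counter delta and the one-way case are checked separately from the IKE state.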
04-19-2021 06:02 PM
Encryption inside encryption.
The first encryption uses the private/public asymmetric algorithm to be more secure, but this is very slow.
The second encryption mostly uses the PSK symmetric algorithm; this is fast but not so secure, which is why we need the first encryption to protect it.