01-10-2023 09:13 AM
01-10-2023 09:24 AM
@MSJ1 the purpose of IKE (v1 or v2) is to establish a secure communication channel (1 bidirectional SA) through which the IPSec SA is securely negotiated. Once the IPSec SAs (2 unidirectional SAs) have been established, all data is securely transmitted over this IPSec VPN.
So "show crypto ikev2 sa" represents the IKEv2 SA and "show crypto ipsec sa" represents the IPSec SAs.
01-10-2023 09:39 AM - edited 01-10-2023 09:42 AM
Friend, it's the same, only the IKE version is different.
Don't confuse them.
show crypto ipsec sa <<- phase 2 SA detail of IKEv1
show crypto ikev2 sa <<- phase 2 SA detail of IKEv2
There is no difference at all.
01-10-2023 09:48 AM
@MHM Cisco World wrote:
Friend, it's the same,
show crypto ipsec sa <<- phase 2 SA detail of IKEv1
show crypto ikev2 sa <<- phase 2 SA detail of IKEv2
There is no difference at all.
that's not correct. "show crypto ikev2 sa" is control plane (IKE) and "show crypto ipsec sa" is data plane (IPSec).
01-10-2023 09:52 AM
So please tell me which values appear in show crypto ipsec sa and do not appear in show crypto ikev2 sa.
I need to know.
01-10-2023 10:07 AM
@MHM Cisco World observe the difference in the output of those commands in this post
"show crypto ikev1 sa" is the equivalent of "show crypto ikev2 sa" just using IKEv2 protocol, they perform the same task.
Regardless of whether you are using IKEv1 or IKEv2, "show crypto ipsec sa" is the encrypted data plane, which would be negotiated with IKEv1 or IKEv2.
01-10-2023 10:16 AM
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html
In this command reference, I don't see show crypto ikev1 sa!!!
Or am I wrong?
01-10-2023 10:25 AM
@MHM Cisco World "show crypto ikev1 sa" is the syntax for ASA/FTD - https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/S/asa-command-ref-S/show-cr-to-show-cz-commands.html#wp1242471814 - On IOS routers you use isakmp in place of IKEv1 to display the IKEv1 SA.
01-10-2023 10:30 AM - edited 01-10-2023 11:38 AM
Yes, now we're talking.
What we want to know from phase 2 is the local/remote proxy and the SPI for inbound/outbound.
IKEv1
show crypto isakmp sa <<- phase 1
show crypto ipsec sa <<- phase 2
IKEv2
show crypto ikev2 sa <<- phase 1 & phase 2 (phase 2 because it can show us the SPI and local/remote proxy)
show crypto ipsec sa <<- phase 2, BUT I want to mention that it can show the packet encrypt/decrypt counts.
01-10-2023 10:18 AM
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
In this link also there is no show crypto ikev1 sa; instead you can use show crypto ipsec sa <<- this gives detail about phase 2 of IKE.
01-10-2023 11:30 AM
Why do they have different DH groups, 5 and 14, for the ikev2 sa and ipsec sa commands?
FW# show crypto ikev2 sa
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:2
Tunnel-id Local Remote Status Role
1063293681 Head_End_IP/500 Remote_Head_End_IP/500 READY INITIATOR
    Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
    Life/Active Time: 86400/69018 sec
Child sa: local selector 10.XX.XXX.0/0 - 10.XX.XXX.255/65535
    remote selector 0.0.0.0/0 - 255.255.255.255/65535
    ESP spi in/out: 0x77595683/0x5d6f8285
Child sa: local selector YY.YY.YY.YY/0 - YY.YY.YY.YY/65535
    remote selector XX.XX.XX.XX/0 - XX.XX.XX.XX/65535
    ESP spi in/out: 0xaca7647e/0xb091149b
==========================================================
FW# show crypto ipsec sa
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: XXXXXXXXX
access-list outside_cryptomap extended permit ip XXXXXX 255.255.255.0 any4
local ident (addr/mask/prot/port): (XXXXXX/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer: XXXXXXXX
#pkts encaps: 67753167, #pkts encrypt: 67673173, #pkts digest: 67673173
#pkts decaps: 123372327, #pkts decrypt: 123372327, #pkts verify: 123372327
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 67753170, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 79992, #fragments created: 0
#PMTUs sent: 79992, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 1, #recv errors: 26
local crypto endpt.: XXXX/500, remote crypto endpt.: XXXX/500
path mtu 1500, ipsec overhead 78(44), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 5D6F8285
current inbound spi : 77595683
inbound esp sas:
spi: 0x77595683 (2002343555)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 26, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4236342/28327)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x5D6F8285 (1567588997)
SA State: active
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
slot: 0, conn_id: 26, crypto-map: outside_map
sa timing: remaining key lifetime (kB/sec): (4006416/28327)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
01-10-2023 11:33 AM
Because IKEv2 can use two DH groups:
one group for phase 1, DH = 5
the other group for phase 2, DH = 14 with PFS
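As an added example (not code from the thread, from Cisco, or from either poster), the script below parses the two outputs posted above and checks them against each other the way one would when confirming that the control plane (show crypto ikev2 sa) and the data plane (show crypto ipsec sa) are describing the same tunnel: the child SA's ESP SPI in/out must equal the IPsec SA's inbound/outbound SPI, and the two DH groups (5 on the IKE SA, 14 as PFS on the child SA) are reported separately because they are negotiated separately. It also flags legacy parameters a reviewer would raise: DH group 5 is 1536-bit MODP (RFC 3526), and SHA96 is Cisco's display name for HMAC-SHA1-96. Assumptions: the sample outputs are the ones posted in the thread, trimmed to the relevant lines, with the poster's XX/YY address masking left in place; the MODP sizes are taken from RFC 2409 and RFC 3526.

```python
"""Correlate 'show crypto ikev2 sa' (control plane) with 'show crypto ipsec sa'
(data plane) from a Cisco ASA and flag legacy crypto parameters.

The sample outputs are the ones posted in the thread, trimmed to the lines the
parsers use; the poster's XX/YY address masking is kept as posted."""
import re

IKEV2_SA_OUTPUT = """\
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:2
Tunnel-id Local Remote Status Role
1063293681 Head_End_IP/500 Remote_Head_End_IP/500 READY INITIATOR
Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/69018 sec
Child sa: local selector 10.XX.XXX.0/0 - 10.XX.XXX.255/65535
remote selector 0.0.0.0/0 - 255.255.255.255/65535
ESP spi in/out: 0x77595683/0x5d6f8285
Child sa: local selector YY.YY.YY.YY/0 - YY.YY.YY.YY/65535
remote selector XX.XX.XX.XX/0 - XX.XX.XX.XX/65535
ESP spi in/out: 0xaca7647e/0xb091149b
"""

IPSEC_SA_OUTPUT = """\
interface: outside
Crypto map tag: outside_map, seq num: 1, local addr: XXXXXXXXX
local ident (addr/mask/prot/port): (XXXXXX/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
#pkts encaps: 67753167, #pkts encrypt: 67673173, #pkts digest: 67673173
#pkts decaps: 123372327, #pkts decrypt: 123372327, #pkts verify: 123372327
current outbound spi: 5D6F8285
current inbound spi : 77595683
inbound esp sas:
spi: 0x77595683 (2002343555)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
outbound esp sas:
spi: 0x5D6F8285 (1567588997)
transform: esp-aes-256 esp-sha-256-hmac no compression
in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
"""

# IKE SA proposal line; [^,\s]+ stops each field before the trailing comma.
IKE_PROPOSAL_RE = re.compile(
    r"Encr: (?P<encr>[^,\s]+), keysize: (?P<keysize>\d+), Hash: (?P<hash>[^,\s]+), "
    r"DH Grp:(?P<dh>\d+), Auth sign: (?P<auth>[^,\s]+)")
# One child SA spans three lines; \s+ absorbs the newlines and indentation.
CHILD_SA_RE = re.compile(
    r"Child sa: local selector (?P<local>\S+ - \S+)\s+"
    r"remote selector (?P<remote>\S+ - \S+)\s+"
    r"ESP spi in/out: 0x(?P<spi_in>[0-9a-fA-F]+)/0x(?P<spi_out>[0-9a-fA-F]+)")

# MODP group sizes from RFC 2409 (1, 2) and RFC 3526 (5, 14-18).
MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 17: 6144, 18: 8192}


def parse_ikev2_sa(text):
    """Control-plane view: IKE SA proposal plus every child SA with its SPIs."""
    m = IKE_PROPOSAL_RE.search(text)
    if m is None:
        raise ValueError("no IKEv2 proposal line found")
    return {
        "encr": m["encr"], "keysize": int(m["keysize"]), "hash": m["hash"],
        "dh_group": int(m["dh"]), "auth": m["auth"],
        "children": [
            {"local": c["local"], "remote": c["remote"],
             "spi_in": int(c["spi_in"], 16), "spi_out": int(c["spi_out"], 16)}
            for c in CHILD_SA_RE.finditer(text)],
    }


def _int_field(text, pattern, base=10):
    m = re.search(pattern, text)
    return int(m.group(1), base) if m else None


def parse_ipsec_sa(text):
    """Data-plane view: current SPIs, PFS group, transform and traffic counters."""
    transform = re.search(r"transform: (.+)", text)
    return {
        "spi_in": _int_field(text, r"current inbound spi\s*: ([0-9A-Fa-f]+)", 16),
        "spi_out": _int_field(text, r"current outbound spi: ([0-9A-Fa-f]+)", 16),
        "pfs_group": _int_field(text, r"PFS Group (\d+)"),  # None when PFS is off
        "transform": transform.group(1).strip() if transform else None,
        "pkts_encrypt": _int_field(text, r"#pkts encrypt: (\d+)"),
        "pkts_decrypt": _int_field(text, r"#pkts decrypt: (\d+)"),
    }


def match_child_sa(ike, ipsec):
    """Return the child SA whose SPI pair equals the IPsec SA's, else None.
    A match shows both commands describe the same ESP SA."""
    for child in ike["children"]:
        if (child["spi_in"], child["spi_out"]) == (ipsec["spi_in"], ipsec["spi_out"]):
            return child
    return None


def audit(ike, ipsec):
    """Findings a reviewer would raise on these two outputs."""
    findings = []
    for label, grp in (("IKE SA DH", ike["dh_group"]), ("Child SA PFS", ipsec["pfs_group"])):
        if grp is None:
            findings.append(f"{label}: no PFS group, child SA keys derive only from the IKE SA")
        elif grp in MODP_BITS and MODP_BITS[grp] < 2048:
            findings.append(f"{label} group {grp} is {MODP_BITS[grp]}-bit MODP, below the "
                            f"2048-bit floor; prefer group 14 or higher, or ECP groups 19/20")
    if ike["hash"] == "SHA96":  # Cisco display name for HMAC-SHA1-96
        findings.append("IKE integrity SHA96 (HMAC-SHA1-96) is legacy; prefer SHA256 or better")
    if ipsec["pfs_group"] is not None and ipsec["pfs_group"] != ike["dh_group"]:
        findings.append(f"info: IKE SA used DH group {ike['dh_group']} but the child SA PFS group "
                        f"is {ipsec['pfs_group']}; they are negotiated independently")
    return findings


if __name__ == "__main__":
    ike, ipsec = parse_ikev2_sa(IKEV2_SA_OUTPUT), parse_ipsec_sa(IPSEC_SA_OUTPUT)
    print("matched child SA:", match_child_sa(ike, ipsec))
    for finding in audit(ike, ipsec):
        print("-", finding)
```

Run against the outputs above, the first child SA (local 10.XX.XXX.0/0 - 10.XX.XXX.255/65535) is the one matching inbound 0x77595683 / outbound 0x5D6F8285 in show crypto ipsec sa; the second child SA has its own SPI pair and would correspond to a second crypto map entry's IPsec SA. Only show crypto ipsec sa carries the encrypt/decrypt counters, transform set and PFS group; only show crypto ikev2 sa carries the IKE proposal (Encr, Hash, DH Grp, Auth), which is exactly the control-plane/data-plane split discussed in the thread.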