1581 Views, 5 Helpful, 11 Replies

What's the difference between IKEv2 and IPsec SA?

MSJ1 (Level 1)

Hi

What's the difference between the following two commands?

show crypto ikev2 sa

show crypto ipsec sa

11 Replies

@MSJ1 the purpose of IKE (v1 or v2) is to establish a secure communication channel (one bidirectional SA) through which the IPsec SAs are securely negotiated. Once the IPsec SAs (two unidirectional SAs) have been established, all data is securely transmitted over this IPsec VPN.

So "show crypto ikev2 sa" shows the IKEv2 SA and "show crypto ipsec sa" shows the IPsec SAs.

Friend, it is the same, only the IKE version is different.
Don't confuse them.
show crypto ipsec sa <<- phase 2 SA detail for IKEv1
show crypto ikev2 sa <<- phase 2 SA detail for IKEv2
There is no difference at all.


@MHM Cisco World wrote:

Friend, it is the same,
show crypto ipsec sa <<- phase 2 SA detail for IKEv1
show crypto ikev2 sa <<- phase 2 SA detail for IKEv2
There is no difference at all.

That's not correct. "show crypto ikev2 sa" is the control plane (IKE) and "show crypto ipsec sa" is the data plane (IPsec).

So please give me a value that appears in show crypto ipsec sa and does not appear in show crypto ikev2 sa.
I need to know.

@MHM Cisco World observe the difference in the output of those commands in this post.

"show crypto ikev1 sa" is the equivalent of "show crypto ikev2 sa", just using the IKEv2 protocol; they perform the same task.

Regardless of whether you are using IKEv1 or IKEv2, "show crypto ipsec sa" is the encrypted data plane, which would be negotiated with IKEv1 or IKEv2.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s3.html

In this command reference I don't see show crypto ikev1 sa!!!
Or am I wrong?

Yes, now we're talking.
What we want to know from phase 2 is the local/remote proxy and the SPI for inbound/outbound.

IKEv1

show crypto isakmp sa <<- phase 1
show crypto ipsec sa <<- phase 2

IKEv2

show crypto ikev2 sa <<- phase 1 & phase 2 (phase 2 because it can show us the SPI and local/remote proxy)
show crypto ipsec sa <<- phase 2, BUT I want to mention that it can show the packet encrypt/decrypt count.

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html
In this link also there is no show crypto ikev1 sa; instead you can use show crypto ipsec sa <<- this gives detail about phase 2 of IKE.

MSJ1 (Level 1)

Why do they have different DH groups (5 and 14) in the ikev2 sa and ipsec sa command output?

FW# show crypto ikev2 sa

IKEv2 SAs:

Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:2

Tunnel-id                 Local                    Remote       Status      Role
1063293681    Head_End_IP/500   Remote_Head_End_IP/500        READY   INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/69018 sec
Child sa: local selector  10.XX.XXX.0/0 - 10.XX.XXX.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x77595683/0x5d6f8285
Child sa: local selector  YY.YY.YY.YY/0 - YY.YY.YY.YY/65535
          remote selector XX.XX.XX.XX/0 - XX.XX.XX.XX/65535
          ESP spi in/out: 0xaca7647e/0xb091149b

==========================================================

FW# show crypto ipsec sa
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: XXXXXXXXX

      access-list outside_cryptomap extended permit ip XXXXXX 255.255.255.0 any4
      local ident (addr/mask/prot/port): (XXXXXX/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer: XXXXXXXX

      #pkts encaps: 67753167, #pkts encrypt: 67673173, #pkts digest: 67673173
      #pkts decaps: 123372327, #pkts decrypt: 123372327, #pkts verify: 123372327
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 67753170, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 79992, #fragments created: 0
      #PMTUs sent: 79992, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 1, #recv errors: 26

      local crypto endpt.: XXXX/500, remote crypto endpt.: XXXX/500
      path mtu 1500, ipsec overhead 78(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 5D6F8285
      current inbound spi : 77595683

    inbound esp sas:
      spi: 0x77595683 (2002343555)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 26, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4236342/28327)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x5D6F8285 (1567588997)
         SA State: active
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         slot: 0, conn_id: 26, crypto-map: outside_map
         sa timing: remaining key lifetime (kB/sec): (4006416/28327)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001

Because IKEv2 can use two DH groups:
one group for phase 1, DH = 5
another group for phase 2, DH = 14 with PFS
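As an added example (not from the thread, and not Cisco's code), the Python script below makes the control-plane/data-plane split and the two-DH-group point concrete. It parses the two outputs posted above, pulls the IKE SA's DH group from "show crypto ikev2 sa", pulls the PFS group and the encrypt/decrypt packet counters (which only the IPsec command shows) from "show crypto ipsec sa", and then checks that each Child SA's ESP SPI pair from the IKEv2 view has a matching inbound and outbound ESP SA in the IPsec view. The sample outputs are constructed from the posted ones with placeholder addresses (192.0.2.10, 198.51.100.7, 10.1.1.0/24) and are trimmed to the lines the script uses; the function names are the author's own.

```python
"""Correlate `show crypto ikev2 sa` (control plane) with `show crypto ipsec sa`
(data plane) on a Cisco ASA. Example code, not Cisco's. Sample outputs are
constructed from a forum post with placeholder addresses, not a live capture."""
import re

IKEV2_SA = """\
IKEv2 SAs:
Session-id:2, Status:UP-ACTIVE, IKE count:1, CHILD count:2
1063293681  192.0.2.10/500   198.51.100.7/500   READY   INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:5, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/69018 sec
Child sa: local selector  10.1.1.0/0 - 10.1.1.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x77595683/0x5d6f8285
Child sa: local selector  192.0.2.10/0 - 192.0.2.10/65535
          remote selector 198.51.100.7/0 - 198.51.100.7/65535
          ESP spi in/out: 0xaca7647e/0xb091149b
"""

# As in the post, only the first crypto-map entry is shown, so the second
# Child SA has no data-plane counterpart in this text (constructed sample).
IPSEC_SA = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 192.0.2.10
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      #pkts encaps: 67753167, #pkts encrypt: 67673173, #pkts digest: 67673173
      #pkts decaps: 123372327, #pkts decrypt: 123372327, #pkts verify: 123372327
      current outbound spi: 5D6F8285
      current inbound spi : 77595683
    inbound esp sas:
      spi: 0x77595683 (2002343555)
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         sa timing: remaining key lifetime (kB/sec): (4236342/28327)
    outbound esp sas:
      spi: 0x5D6F8285 (1567588997)
         transform: esp-aes-256 esp-sha-256-hmac no compression
         in use settings ={L2L, Tunnel, PFS Group 14, IKEv2, }
         sa timing: remaining key lifetime (kB/sec): (4006416/28327)
"""

IKE_PARAMS = re.compile(r"Encr:\s*([^,]+),\s*keysize:\s*(\d+),\s*Hash:\s*([^,]+),\s*DH Grp:\s*(\d+)")
CHILD_SPI = re.compile(r"ESP spi in/out:\s*(0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_ikev2_sa(text):
    """Return the IKE SA's crypto parameters and its Child SA (in, out) SPI pairs."""
    m = IKE_PARAMS.search(text)
    if m is None:
        raise ValueError("no IKE SA parameters found")
    return {"encr": m.group(1), "keysize": int(m.group(2)), "hash": m.group(3),
            "dh_group": int(m.group(4)),
            # lower-case hex so SPIs compare with the IPsec view (ASA prints them upper-case there)
            "children": [(i.lower(), o.lower()) for i, o in CHILD_SPI.findall(text)]}


def parse_ipsec_sa(text):
    """Return the encrypt/decrypt counters and one record per inbound/outbound ESP SA."""
    counters = {k: int(v) for k, v in re.findall(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)", text)}
    sas, direction, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("inbound esp sas"):
            direction = "in"
        elif line.startswith("outbound esp sas"):
            direction = "out"
        elif line.startswith("spi:") and direction:
            cur = {"direction": direction, "spi": line.split()[1].lower()}
            sas.append(cur)
        elif cur and line.startswith("transform:"):
            cur["transform"] = line.partition(":")[2].strip()
        elif cur and line.startswith("in use settings"):
            pfs = re.search(r"PFS Group (\d+)", line)
            cur["pfs_group"] = int(pfs.group(1)) if pfs else None  # None: PFS not in use
            cur["ikev2"] = "IKEv2" in line
        elif cur and line.startswith("sa timing"):
            kb, sec = re.search(r"\((\d+)/(\d+)\)", line).groups()
            cur["remaining_kb"], cur["remaining_sec"] = int(kb), int(sec)
    return counters, sas


def correlate(ike, esp_sas):
    """Match each Child SA (control plane) to an inbound+outbound ESP SA pair (data
    plane). An unmatched pair means a truncated capture or a Child SA with no ESP SAs."""
    inbound = {s["spi"] for s in esp_sas if s["direction"] == "in"}
    outbound = {s["spi"] for s in esp_sas if s["direction"] == "out"}
    matched = [c for c in ike["children"] if c[0] in inbound and c[1] in outbound]
    return matched, [c for c in ike["children"] if c not in matched]


def summarize(ikev2_text=IKEV2_SA, ipsec_text=IPSEC_SA):
    ike = parse_ikev2_sa(ikev2_text)
    counters, esp_sas = parse_ipsec_sa(ipsec_text)
    matched, unmatched = correlate(ike, esp_sas)
    return {"ike_dh_group": ike["dh_group"],                  # phase 1 DH group
            "pfs_groups": {s["pfs_group"] for s in esp_sas},  # phase 2 (PFS) group(s)
            "matched": matched, "unmatched": unmatched,
            "pkts_encrypt": counters["encrypt"], "pkts_decrypt": counters["decrypt"]}


if __name__ == "__main__":
    print(summarize())
```

On the posted outputs this reports ike_dh_group 5 and pfs_groups {14}, the two independently negotiated groups the reply above describes, and flags the second Child SA (0xaca7647e/0xb091149b) as unmatched because the posted IPsec output only includes the first crypto-map entry; on a full capture, an unmatched pair is the thing to investigate.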
