10-20-2020 05:41 AM
Hi all,
I have these 2 questions looming in my mind for some time. Please throw some light on these.
1. Can the terms SA and tunnel be used interchangeably?
2. What is the exact purpose of doing a'a crypto ipsec sa'? Can we say that it is done due to a 'break in tunnel'?
Thanks in advance
10-20-2020 08:05 AM
#1 I don't believe so. IPSec might be used to encrypt, for example, a whole packet, which in turn, is encapsulated within another packet. The encapsulation, not the encryption, would be what would constitute the tunnel.
Or, for example, a packet's data segment, alone, might be encrypted, but the whole packet is not, so no encapsulation and so no tunnel.
BTW, on Cisco routers you can define GRE/IPSec tunnels in either "transport" or "tunnel" mode. See https://www.ciscopress.com/articles/article.asp?p=25477
#2 Do you mean "show crypto ipsec sa"? If so, it shows information about ipsec session(s). Unsure what you mean by "break", unless by it showing that a session isn't active.
10-20-2020 08:38 AM - edited 10-20-2020 08:41 AM
Thanks. In the second question, what I meant was whether 'clear crypto ipsec sa' is done due to a 'break in tunnel'
Also, could you elaborate a little on what you said about what constitutes a tunnel? (You mentioned it is the encapsulation, not the encryption what constitutes a tunnel. I couldn't really catch that.)
Thanks in advance
10-20-2020 09:22 AM
Ah well, if an IPSec session isn't working, not passing traffic, checking the SA session status would show whether the session appears to be up. If not, then there's some problem between the SA peers. Possibly a loss of network connectivity between the peers, or perhaps something like the session key has been changed on one side and not the other. So, in that sense, using this show command would help debug/detect a "break".
If the SA session looks good, but there's still no passing traffic, perhaps there's some other problem other than IPSec issues.
Tunneling Protocol (better than what I might briefly write)
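The status check described in the answer above, as an added example that is not part of this thread or of Cisco's tooling: a small Python parser for the layout of IOS "show crypto ipsec sa" output. The two sample outputs below are constructed (documentation-range addresses, made-up SPIs), not captured from a router. The parser pulls out each ESP SA with its "in use settings" value (Tunnel or Transport, which is where the encapsulation mode mentioned in the first answer is visible), its key lifetime and status, plus the #pkts encrypt/decrypt counters, and then applies the reasoning from the reply: no active SA points to a problem between the peers, while an active SA with zero traffic points to something other than IPsec.

```python
import re

# Constructed sample modelled on the layout of IOS "show crypto ipsec sa" output.
# Addresses are documentation ranges and SPIs are made up; not captured from a router.
SAMPLE_UP = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1234, #pkts encrypt: 1234, #pkts digest: 1234
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.1
     current outbound spi: 0xA1B2C3D4(2712847316)

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3400)
        Status: ACTIVE

     inbound ah sas:

     outbound esp sas:
      spi: 0xA1B2C3D4(2712847316)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4607999/3400)
        Status: ACTIVE
"""

# Constructed sample for the failure case: the crypto map matched traffic, but no SA
# was negotiated with the peer (or it was cleared), so the SA sections are empty.
SAMPLE_DOWN = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.1

   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""


def parse_crypto_ipsec_sa(text):
    """Extract the peer, the #pkts counters and every ESP SA with its attributes."""
    m = re.search(r"current_peer (\S+)", text)
    peer = m.group(1) if m else None
    counters = {name: int(n) for name, n in re.findall(r"#pkts (\w+): (\d+)", text)}
    sas, direction, sa = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(" sas:"):                       # "inbound esp sas:", "inbound ah sas:", ...
            direction = s.split()[0] if " esp " in s else None
            sa = None
        elif s.startswith("spi:") and direction:
            sa = {"direction": direction, "spi": s.split()[1].split("(")[0]}
            sas.append(sa)
        elif sa and s.startswith("transform:"):
            sa["transform"] = s[len("transform:"):].strip(" ,")
        elif sa and s.startswith("in use settings"):  # {Tunnel, } or {Transport, }
            mode = re.search(r"\{(\w+)", s)
            sa["mode"] = mode.group(1) if mode else None
        elif sa and "remaining key lifetime" in s:
            kb, sec = re.search(r"\((\d+)/(\d+)\)", s).groups()
            sa["lifetime_kb"], sa["lifetime_sec"] = int(kb), int(sec)
        elif sa and s.startswith("Status:"):
            sa["status"] = s.split(":", 1)[1].strip()
    return {"peer": peer, "counters": counters, "sas": sas}


def diagnose(parsed):
    """Apply the reasoning from the answer: SA state first, then the traffic counters."""
    active = [sa for sa in parsed["sas"] if sa.get("status") == "ACTIVE"]
    directions = {sa["direction"] for sa in active}
    if not active:
        return "no active SA: negotiation with the peer never completed, or the SA was cleared/expired"
    if directions != {"inbound", "outbound"}:
        return "only a one-way SA is active: negotiation with the peer is incomplete"
    enc = parsed["counters"].get("encrypt", 0)
    dec = parsed["counters"].get("decrypt", 0)
    if enc and not dec:
        return "SA active, sending but nothing received: check the return path and the remote side"
    if not enc and not dec:
        return "SA active but no traffic either way: look outside IPsec (routing, interesting-traffic ACL)"
    return "SA active and passing traffic"


if __name__ == "__main__":
    for label, text in (("up", SAMPLE_UP), ("down", SAMPLE_DOWN)):
        parsed = parse_crypto_ipsec_sa(text)
        print(label, parsed["peer"], [(sa["direction"], sa.get("mode"), sa.get("status")) for sa in parsed["sas"]])
        print("  ->", diagnose(parsed))
```

Paste the real output of the show command into `parse_crypto_ipsec_sa` in place of the constructed samples; the counters are cumulative, so run it twice a few seconds apart and compare the encrypt/decrypt values if you need to know whether traffic is flowing now rather than whether it ever did.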
10-20-2020 10:31 AM
Thanks Mr. Doherty.