What is the reason for two SA?

eduardomora473
Level 1

Hello everyone, I do not understand why there are two SAs in the output. When I configure IPsec in tunnel mode only one SA appears, but when I configure IPsec in transport mode two SAs appear. I am not really sure whether I made a mistake or whether the reason is the mode of the tunnel.

Here is the running-config:

Building configuration...

Current configuration : 3700 bytes
!
! Last configuration change at 15:54:32 UTC Sun Aug 16 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key CISCO123 address 8.8.11.2
!
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 8.8.11.2
set transform-set AES_SHA
match address GRE_IPSEC_VPN
!
!
!
!
!
interface Tunnel100
bandwidth 4000
ip address 192.168.100.1 255.255.255.0
ip mtu 1400
tunnel source GigabitEthernet0/1
tunnel destination 8.8.11.2
!
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 8.8.10.2 255.255.255.0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 1.1.1.1
network 10.1.1.1 0.0.0.0 area 1
network 192.168.100.1 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 8.8.11.2 255.255.255.255 8.8.10.1
!
ip access-list extended GRE_IPSEC_VPN
permit gre host 8.8.10.2 host 8.8.11.2
!
!
!

1 Reply

Hi

You will have 2 security associations because the first one is used for phase 1 (the negotiation session between the devices) and the second one for phase 2 (IPsec parameter negotiation).


show crypto isakmp sa

show crypto ipsec sa


Now, based on your image, check the timing; it could be because the negotiation process was made twice. Try restarting the device or clearing the crypto counter. Probably the other SA is stuck.


Regards.

>> Mark as helpful or answered if the reply resolved your question; this helps other community members with future queries. <<
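As an added example (not part of the original thread): a small Python check, run over a constructed, re-indented excerpt of the running-config posted in the question, that verifies the pieces a GRE-over-IPsec crypto map needs to agree on before any IPsec SA can be built: the crypto map peer, the tunnel destination, and, for a transport-mode transform set, a crypto ACL whose GRE endpoints are exactly the tunnel source address and the peer. The parsing helpers and the problem strings are the example's own, not Cisco's.

```python
# Constructed excerpt of the GRE-over-IPsec running-config posted above (re-indented as IOS prints it).
SAMPLE_CONFIG = """\
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
 mode transport
crypto map VPN 10 ipsec-isakmp
 set peer 8.8.11.2
 match address GRE_IPSEC_VPN
interface Tunnel100
 tunnel source GigabitEthernet0/1
 tunnel destination 8.8.11.2
interface GigabitEthernet0/1
 ip address 8.8.10.2 255.255.255.0
ip access-list extended GRE_IPSEC_VPN
 permit gre host 8.8.10.2 host 8.8.11.2
"""

def parse_sections(config):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    sections, current = {}, []
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue                      # skip blank lines and IOS '!' separators
        if line.startswith(" "):
            current.append(line.strip())  # sub-command of the last top-level command
        else:
            current = sections.setdefault(line.strip(), [])
    return sections

def find(sections, prefix, key):
    """Words of the first sub-command starting with `key` under the first section starting with `prefix`."""
    for name, lines in sections.items():
        if name.startswith(prefix):
            for line in lines:
                if line.startswith(key):
                    return line.split()
    return []
def check_gre_ipsec(config):
    """Return the mismatches that would keep this GRE-over-IPsec crypto map from building its IPsec SAs."""
    s, problems = parse_sections(config), []
    peer = find(s, "crypto map ", "set peer ")[-1:]                       # ['8.8.11.2'] or []
    if not peer or peer != find(s, "interface Tunnel", "tunnel destination ")[-1:]:
        problems.append("crypto map peer differs from tunnel destination")
    tsrc = "".join(find(s, "interface Tunnel", "tunnel source ")[-1:])    # 'GigabitEthernet0/1'
    src_ip = find(s, f"interface {tsrc}", "ip address ")[2:3]             # ['8.8.10.2'] (word 3 is the mask)
    acl = "".join(find(s, "crypto map ", "match address ")[-1:])
    ace = find(s, f"ip access-list extended {acl}", "permit gre host ")   # ['permit','gre','host',src,'host',dst]
    transport = find(s, "crypto ipsec transform-set ", "mode ")[-1:] == ["transport"]
    if transport and ace[3:4] + ace[5:6] != src_ip + peer:
        problems.append("transport mode needs the GRE ACL to match the tunnel endpoints exactly")
    return problems
```

An empty list means the peer, tunnel endpoints and crypto ACL are consistent, as they are in the posted config; anything else names the mismatch to fix before looking at SA counts.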