08-16-2020 10:20 AM
Hello everyone, I do not understand why there are two SAs in the output. When I configure IPsec in tunnel mode only one SA appears, but when I configure IPsec in transport mode two SAs appear. I am not really sure if I made a mistake or if the reason is the mode of the tunnel.
Here is the running-config:
Building configuration...
Current configuration : 3700 bytes
!
! Last configuration change at 15:54:32 UTC Sun Aug 16 2020
!
version 15.6
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
ethernet lmi ce
!
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
!
!
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 14
crypto isakmp key CISCO123 address 8.8.11.2
!
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
mode transport
!
!
!
crypto map VPN 10 ipsec-isakmp
set peer 8.8.11.2
set transform-set AES_SHA
match address GRE_IPSEC_VPN
!
!
!
!
!
interface Tunnel100
bandwidth 4000
ip address 192.168.100.1 255.255.255.0
ip mtu 1400
tunnel source GigabitEthernet0/1
tunnel destination 8.8.11.2
!
interface GigabitEthernet0/0
ip address 10.1.1.1 255.255.255.0
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
ip address 8.8.10.2 255.255.255.0
duplex auto
speed auto
media-type rj45
crypto map VPN
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/3
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
router ospf 1
router-id 1.1.1.1
network 10.1.1.1 0.0.0.0 area 1
network 192.168.100.1 0.0.0.0 area 0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 8.8.11.2 255.255.255.255 8.8.10.1
!
ip access-list extended GRE_IPSEC_VPN
permit gre host 8.8.10.2 host 8.8.11.2
!
!
!
08-16-2020 12:09 PM - edited 08-16-2020 12:55 PM
Hi
You will have 2 security associations because the first one is used for phase 1 (the negotiation session between the devices) and the second one for phase 2 (IPsec parameter negotiation):
show crypto isakmp sa
show crypto ipsec sa
Now, based on your image, check the timing; it could be that the negotiation process was run twice. Try restarting the device or clearing the crypto counters. Probably the other SA is stuck.
Regards.
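To follow the advice above about checking the timing of the SAs, here is an added example (not from the thread) that parses IOS "show crypto ipsec sa" output, groups ACTIVE ESP SAs by direction and proxy identity, and reports any group that holds more than one SA, newest first. The sample output is constructed from the peer and GRE identities in the posted config; the SPIs and lifetimes are made up.

```python
import re

# Constructed excerpt of IOS "show crypto ipsec sa" for the page's crypto map (GRE
# idents 8.8.10.2 <-> 8.8.11.2); two inbound ESP SAs model the "negotiated twice" case.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (8.8.10.2/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (8.8.11.2/255.255.255.255/47/0)
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/3421)
        Status: ACTIVE(ACTIVE)
      spi: 0x5E6F7081(1584754817)
        sa timing: remaining key lifetime (k/sec): (4608000/3588)
        Status: ACTIVE(ACTIVE)
     outbound esp sas:
      spi: 0xABCD1234(2882343476)
        sa timing: remaining key lifetime (k/sec): (4607999/3421)
        Status: ACTIVE(ACTIVE)
"""
IDENT_RE = re.compile(r"^\s*(local|remote)\s+ident.*: \(([^)]+)\)")
SECTION_RE = re.compile(r"^\s*(inbound|outbound) (\w+) sas:")
SPI_RE = re.compile(r"^\s*spi: (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)")
STATUS_RE = re.compile(r"^\s*Status: (\S+)")

def parse_ipsec_sas(text):
    """One dict per ESP SA: direction, proxy idents, SPI, seconds left, status."""
    sas, ident, section, sa = [], {}, None, None
    for line in text.splitlines():
        if m := IDENT_RE.match(line):          # ident lines cover the SAs below them
            ident[m.group(1)] = m.group(2)
        elif m := SECTION_RE.match(line):      # only ESP sections are of interest
            section, sa = (m.group(1) if m.group(2) == "esp" else None), None
        elif (m := SPI_RE.match(line)) and section:
            sa = {"dir": section, "spi": m.group(1), "sec_left": None, "status": None,
                  "local": ident.get("local"), "remote": ident.get("remote")}
            sas.append(sa)
        elif sa and (m := LIFE_RE.search(line)):
            sa["sec_left"] = int(m.group(1))
        elif sa and (m := STATUS_RE.match(line)):
            sa["status"] = m.group(1)
    return sas

def duplicate_sas(sas):
    """Groups of ACTIVE ESP SAs sharing (direction, local, remote) with >1 member."""
    groups = {}
    for sa in sas:
        if (sa["status"] or "").startswith("ACTIVE"):
            groups.setdefault((sa["dir"], sa["local"], sa["remote"]), []).append(sa)
    return {k: sorted(v, key=lambda s: -(s["sec_left"] or 0))   # newest SA first
            for k, v in groups.items() if len(v) > 1}
```

Feed it the real command output instead of SAMPLE; a group with two entries shows the stale SA next to the one negotiated later, which is what to look for before clearing anything.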