Hi all, hopefully someone can provide some clarity on what is happening.
I have two routers, R1 and R2, tunneling to each other: R1 - R3 - R2.
I am labbing some IPsec tunnels using crypto maps, IPsec profiles, and VTI.
When I use a crypto map, I get a single ISAKMP SA and a single IPsec SA (outbound and inbound).
When I use IPsec profiles, I end up seeing duplicate ISAKMP SAs on each router with a single IPsec SA (inbound and outbound).
R1
dst             src             state     conn-id  status
200.200.200.1   200.200.200.6   QM_IDLE   1030     ACTIVE
200.200.200.6   200.200.200.1   QM_IDLE   1031     ACTIVE
R2
dst             src             state     conn-id  status
200.200.200.6   200.200.200.1   QM_IDLE   1031     ACTIVE
200.200.200.1   200.200.200.6   QM_IDLE   1030     ACTIVE
When I do IPsec using VTI, I see the same duplicate ISAKMP SAs, but I also see duplicate IPsec SAs (2 inbound and 2 outbound).
I am clearing my crypto sessions in between each reconfiguration using clear crypto session.
Can anyone explain what is going on here? Thanks for any help.
Attached are my running configs for the VTI configuration: