03-21-2016 07:17 PM - edited 03-05-2019 03:37 AM
Hi
Does QM_IDLE mean that phase 1 & phase 2 have been established?
Or does it just mean phase 1 has been established?
cisco-pre-mmh#show cry
IPv4 Crypto ISAKMP SA
10.2.0.1 200.84.0.30 QM_IDLE 1047 ACTIVE
Does the following command show that phase 2 is established? Or is this the right command to use?
If I am unable to connect to the remote encryption domain, I would like to be able to tell if the problem was in phase 2 or was the remote host.
cisco-pre-mmh#show cry session
Crypto session current status
Interface: GigabitEthernet1
Session status: DOWN
Peer: 200.84.0.30 port 500
IPSEC FLOW: permit
Active SAs: 0, origin: crypto map
03-21-2016 07:46 PM
"show cry isa sa" only shows phase 1, so it only indicates that phase 1 is established.
"show crypto ipsec sa" will show you the phase 2 results. You want to see that it has negotiated a compatible set of crypto settings.
03-22-2016 03:09 AM
03-22-2016 12:02 PM
Correct, if you see a negotiated set of settings in "show crypto ipsec sa", phase 2 is up.
What if the encryption domain is wrong? A slightly more complex question. The devices can negotiate a more restrictive encryption domain if the two domains have some overlap but are different, but otherwise if there is no overlap it will fail to negotiate phase 2 and nothing will show up as negotiated in "show crypto ipsec sa".
03-21-2016 07:47 PM
Actually the "Active SAs: 0" indicates phase 2. And in this case, there is no active phase 2.
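A small checker that applies the rules from the replies above (QM_IDLE in "show crypto isakmp sa" means phase 1 is up; a non-zero "Active SAs" under the peer in "show crypto session" means phase 2 is up). This is added example code, not from the thread or from Cisco; the sample output is constructed from the poster's paste, and the column header line and the full IPSEC FLOW proxy identities are assumed.

```python
import re

# Constructed sample output modelled on the thread, not captured from a real router.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.2.0.1        200.84.0.30     QM_IDLE           1047 ACTIVE
"""
CRYPTO_SESSION = """\
Crypto session current status
Interface: GigabitEthernet1
Session status: DOWN
Peer: 200.84.0.30 port 500
  IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 192.168.0.0/255.255.255.0
        Active SAs: 0, origin: crypto map
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ISAKMP_ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+(\d+)\s+(\S+)")

def phase1_state(isakmp_text, peer):
    """ISAKMP SA state for `peer` (it may appear as dst or src), or None if no SA."""
    for line in isakmp_text.splitlines():
        m = ISAKMP_ROW.match(line)
        if m and peer in (m.group(1), m.group(2)):
            return m.group(3)
    return None

def phase2_active_sas(session_text, peer):
    """Sum the 'Active SAs' counters in the 'Peer:' block for `peer`; None if absent."""
    current, total = None, None
    for line in session_text.splitlines():
        m = re.match(r"^\s*Peer:\s+(\S+)", line)
        if m:
            current = m.group(1)
            if current == peer and total is None:
                total = 0
            continue
        m = re.search(r"Active SAs:\s+(\d+)", line)
        if m and current == peer:
            total += int(m.group(1))
    return total

def diagnose(isakmp_text, session_text, peer):
    """Thread's rule: QM_IDLE => phase 1 up; Active SAs > 0 => phase 2 (IPsec SA) up."""
    state, sas = phase1_state(isakmp_text, peer), phase2_active_sas(session_text, peer)
    return {"phase1": "up" if state == "QM_IDLE" else "down",
            "phase2": "up" if sas else "down",
            "isakmp_state": state, "active_sas": sas}
```

Run against the poster's situation it reports phase 1 up and phase 2 down, which is the split the replies describe.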