Output of sh crypto ipsec sa

Hi everyone,

When we do sh crypto ipsec sa it shows a lot of info.

Need to know: what do local and remote ident mean?

local ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)

What do conn id: and flow_id mean?

What does packet digest mean?

Thanks

Mahesh

2 ACCEPTED SOLUTIONS

Output of sh crypto ipsec sa

Hello Mahesh,

Basically each SA will show you the traffic that is being sent over the VPN (who is initiating the traffic). In this case we can see that we are sending over the VPN tunnel the traffic being sourced from 10.10.x.x to the other 10 subnet.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


Output of sh crypto ipsec sa

For every interesting traffic flow in the VPN, or every crypto ACL, a corresponding IPsec SA is configured, wherein the proxy identities are the local and remote identities, which in turn provide the detail of the interesting traffic between the local network and the remote network that will be encrypted over the tunnel.

Now, how this traffic flows depends upon the IPsec SA: for each traffic flow a corresponding IPsec SA is built for encryption as well as for decryption. This is why we see two IPsec SAs for one proxy identity.

These SAs are refreshed after a specific interval, i.e. after rekey, and then new SAs are created. These SAs are dependent upon the VPN context IDs and usage data IDs, which are deleted and created every time after rekey. For checking this out you can use the commands "show asp table context" and "show asp table classify crypto".

Whenever any packet fails to encrypt or decrypt for any random reason, we should be able to see errors in the IPsec SA.

Regards,

Anuj

4 REPLIES

Output of sh crypto ipsec sa

The local and remote ident are the key bits. Within a VPN tunnel (the ISAKMP SA), there are one or more IPsec SAs. Each IPsec SA is a pair of networks (and, optionally, further restricted by protocols and ports) that may communicate via the tunnel.


Output of sh crypto ipsec sa

Hi Marvin,

Can you please explain in more detail?

Thanks

Mahesh
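As an added worked example, not code from any of the replies above: a small Python parser that reads IOS-style show crypto ipsec sa output and turns each proxy identity into one record, so the fields asked about line up with Marvin's and Anuj's answers. The local/remote ident tuple (addr/mask/prot/port) becomes a network plus protocol/port selector (0 meaning any), each identity collects its inbound and outbound ESP SAs with their spi, conn id and flow_id (which is why two SA records hang off one identity), and the #pkts encaps/decaps and #send/#recv errors counters feed a check for the errors Anuj mentions, a missing direction, and an SA close to rekey. The #pkts digest and #pkts verify counters that sit beside encrypt/decrypt are the integrity-hash (HMAC) counters for the send and receive sides. The sample output is constructed to follow the IOS layout; every address, SPI, conn id and counter in it is made up, and the 300-second rekey threshold is an arbitrary assumption for the example.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output into one record per proxy
identity and flag what is worth a look. Added example, not code from the
thread; the sample below is constructed and all of its values are made up."""
import ipaddress
import re

# Constructed sample in the IOS layout: one proxy identity (a host pair, like
# the question), one inbound and one outbound ESP SA, a few receive errors.
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: mymap, local addr 203.0.113.1
   local  ident (addr/mask/prot/port): (10.0.1.10/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.20/255.255.255.255/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 1203, #pkts encrypt: 1203, #pkts digest: 1203
    #pkts decaps: 1187, #pkts decrypt: 1187, #pkts verify: 1187
    #send errors 0, #recv errors 3

     inbound esp sas:
      spi: 0x1F2E3D4C(522993996)
        conn id: 2001, flow_id: SW:1, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4373999/3451)

     inbound ah sas:

     outbound esp sas:
      spi: 0x7A3B1C2D(2050628653)
        conn id: 2002, flow_id: SW:2, sibling_flags 80000046, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4373999/3451)
"""

IDENT_RE = re.compile(r"^(local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\(([^/]+)/([^/]+)/(\d+)/(\d+)\)$")
COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors):?\s*(\d+)")
SPI_RE = re.compile(r"^spi: (0x[0-9A-Fa-f]+)")
CONN_RE = re.compile(r"conn id: (\d+), flow_id: (\S+),")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def ident_to_selector(addr, mask, prot, port):
    """(addr/mask/prot/port) -> traffic selector. A 255.255.255.255 mask is one
    host; prot 0 and port 0 mean 'any', i.e. a plain 'permit ip' crypto ACL."""
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return {"net": str(net), "proto": int(prot) or "any", "port": int(port) or "any"}


def parse_show_crypto_ipsec_sa(output):
    """One flow per proxy identity, with counters and inbound/outbound ESP SAs."""
    flows, flow, direction, sa = [], None, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := IDENT_RE.match(line):
            side, *tup = m.groups()
            if side == "local" or flow is None:   # 'local ident' opens a new identity
                flow = {"local": None, "remote": None, "encaps": 0, "decaps": 0,
                        "send_errors": 0, "recv_errors": 0, "inbound": [], "outbound": []}
                flows.append(flow)
                direction = sa = None
            flow[side] = ident_to_selector(*tup)
        elif flow is None:
            continue                               # header lines before the first identity
        elif line.endswith("sas:"):                # 'inbound esp sas:', 'inbound ah sas:', ...
            direction = line.split()[0] if " esp " in line else None
            sa = None
        elif (m := SPI_RE.match(line)) and direction:
            sa = {"spi": m.group(1), "conn_id": None, "flow_id": None, "lifetime_sec": None}
            flow[direction].append(sa)             # one SA record per SPI under the heading
        elif sa and (m := CONN_RE.search(line)):
            sa["conn_id"], sa["flow_id"] = int(m.group(1)), m.group(2)
        elif sa and (m := LIFE_RE.search(line)):
            sa["lifetime_sec"] = int(m.group(2))
        else:
            for name, value in COUNTER_RE.findall(line):
                flow[name.replace("pkts ", "").replace(" ", "_")] = int(value)
    return flows


def check_flow(flow, min_lifetime_sec=300):
    """Error counters, a missing direction (each identity should carry one inbound
    and one outbound ESP SA), one-way traffic, SAs about to rekey (300 s assumed)."""
    findings = []
    if flow["send_errors"] or flow["recv_errors"]:
        findings.append(f"errors: send={flow['send_errors']} recv={flow['recv_errors']}")
    for d in ("inbound", "outbound"):
        if not flow[d]:
            findings.append(f"no {d} ESP SA")
        for s in flow[d]:
            if s["lifetime_sec"] is not None and s["lifetime_sec"] < min_lifetime_sec:
                findings.append(f"{d} spi {s['spi']} rekeys in {s['lifetime_sec']}s")
    if flow["encaps"] and not flow["decaps"]:
        findings.append("encaps without decaps: we send, nothing comes back")
    return findings


if __name__ == "__main__":
    for f in parse_show_crypto_ipsec_sa(SAMPLE):
        print(f"{f['local']['net']} -> {f['remote']['net']} proto={f['local']['proto']}")
        for d in ("inbound", "outbound"):
            print(f"  {d}: " + ", ".join(f"spi={s['spi']} conn_id={s['conn_id']} "
                                         f"flow_id={s['flow_id']}" for s in f[d]))
        for note in check_flow(f):
            print("  !", note)
```

Run it as a script to see the summary, or pass it the saved output of the command instead of SAMPLE. The counter pattern accepts an optional colon after #send errors / #recv errors, since not every platform prints those two the same way, and any "sas:" heading that is not ESP (ah, pcp) resets the direction so stray SPIs under it are not attributed to a flow.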
