ikev and transform in ipsec

suthomas1
Level 6

Hello,

I see the following output on our ASA, which has an IPsec VPN to one of our vendors. Please help me understand the below.

a) What do esp-aes-256 & esp-sha-hmac both mean in the transform? Both these entries are different, so why is it showing both?

b) What does IKEv1 indicate?
inbound esp sas:
spi: 0x21342104 (557060440)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 212406151, crypto-map: verti_vend
sa timing: remaining key lifetime (kB/sec): (4371273/8464)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0x957DB7F1 (2504380561)
transform: esp-aes-256 esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 212406151, crypto-map: verti_vend
sa timing: remaining key lifetime (kB/sec): (4365423/8428)
IV size: 16 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

Accepted Solution

Hi,
"esp-aes-256" refers to the encryption algorithm and "esp-sha-hmac" is the hashing algorithm; they perform different functions and are used together.

IKEv1 is the key exchange protocol used to establish a bi-directional IKE Security Association (SA); over that SA, 2 unidirectional IPsec SAs (inbound ESP and outbound ESP) are negotiated. The IPsec SAs are then used to encrypt the data.

HTH


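To make the answer concrete, here is an added example (not code from the original post, and not Cisco's implementation) that builds and checks one ESP packet the way the "esp-aes-256 esp-sha-hmac" transform describes: AES-256 in CBC mode with a 16-byte IV does the encryption, and HMAC-SHA-1 truncated to a 96-bit ICV (what "esp-sha-hmac" means in ESP, RFC 2404) does the integrity check, each with its own key. The EspSA struct, the constructed keys and the payload are assumptions for the example; in a real tunnel IKE negotiates the keys and the SPI, and each direction gets its own SA with its own SPI (the inbound SPI 0x21342104 from the output is reused here only as a label). The anti-replay window check that the ASA reports is omitted to keep the example short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

// EspSA models one unidirectional IPsec SA as listed under "inbound esp sas" /
// "outbound esp sas": a SPI plus the two keys IKE derived for it.
// Hypothetical type for this example; IKE key derivation is not shown.
type EspSA struct {
	SPI     uint32
	EncKey  []byte // 32 bytes -> esp-aes-256
	AuthKey []byte // 20 bytes -> esp-sha-hmac (HMAC-SHA-1-96, RFC 2404)
	Seq     uint32 // last sequence number sent on this SA
}

const icvLen = 12 // HMAC-SHA-1 output (20 bytes) truncated to 96 bits

// Encapsulate builds SPI | Seq | IV | AES-256-CBC(payload|pad|padlen|next) | ICV.
// Encryption and integrity are separate operations with separate keys, which is
// why the transform lists both esp-aes-256 and esp-sha-hmac.
func (sa *EspSA) Encapsulate(payload []byte, nextHeader byte) ([]byte, error) {
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, err
	}
	// ESP trailer: pad so that payload + padding + 2 trailer bytes fills whole blocks
	padLen := (aes.BlockSize - (len(payload)+2)%aes.BlockSize) % aes.BlockSize
	plain := make([]byte, 0, len(payload)+padLen+2)
	plain = append(plain, payload...)
	for i := 1; i <= padLen; i++ { // RFC 4303 default padding pattern 1,2,3,...
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)

	iv := make([]byte, aes.BlockSize) // "IV size: 16 bytes" in the show output
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)

	sa.Seq++ // monotonically increasing; the peer's anti-replay window tracks it
	pkt := make([]byte, 8, 8+len(iv)+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], sa.SPI)
	binary.BigEndian.PutUint32(pkt[4:8], sa.Seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(pkt) // ICV covers SPI, sequence number, IV and ciphertext
	return append(pkt, mac.Sum(nil)[:icvLen]...), nil
}

// Decapsulate verifies the ICV first, so a tampered packet is rejected before
// any decryption happens, then decrypts and strips the ESP trailer.
func (sa *EspSA) Decapsulate(pkt []byte) ([]byte, byte, error) {
	if len(pkt) < 8+aes.BlockSize+icvLen {
		return nil, 0, errors.New("esp: packet too short")
	}
	if binary.BigEndian.Uint32(pkt[0:4]) != sa.SPI {
		return nil, 0, errors.New("esp: SPI does not match this SA")
	}
	body, icv := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	mac := hmac.New(sha1.New, sa.AuthKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil)[:icvLen], icv) { // constant-time compare
		return nil, 0, errors.New("esp: ICV mismatch")
	}
	iv, ct := body[8:8+aes.BlockSize], body[8+aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, 0, errors.New("esp: bad ciphertext length")
	}
	block, err := aes.NewCipher(sa.EncKey)
	if err != nil {
		return nil, 0, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen, next := int(plain[len(plain)-2]), plain[len(plain)-1]
	if padLen+2 > len(plain) {
		return nil, 0, errors.New("esp: bad padding length")
	}
	return plain[:len(plain)-2-padLen], next, nil
}

func main() {
	// Constructed keys for the demo; IKE would derive these per SA in practice.
	enc, auth := make([]byte, 32), make([]byte, 20)
	for i := range enc {
		enc[i] = byte(i)
	}
	for i := range auth {
		auth[i] = byte(0xA0 + i)
	}
	sa := &EspSA{SPI: 0x21342104, EncKey: enc, AuthKey: auth}
	pkt, _ := sa.Encapsulate([]byte("hello, vendor"), 4) // next header 4 = IP-in-IP (tunnel mode)
	fmt.Printf("ESP packet: %d bytes, seq %d\n", len(pkt), sa.Seq)
	out, next, err := sa.Decapsulate(pkt)
	fmt.Printf("payload=%q next=%d err=%v\n", out, next, err)
}
```

The receiver's inbound SA holds the same SPI and keys as the sender's outbound SA, which is why the show output lists a separate SPI and lifetime for each direction: the keys in the other direction are different, and compromising or expiring one SA does not affect the other.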