12-17-2012 12:42 PM - edited 02-21-2020 06:33 PM
Hi everyone,
When we do sh crypto ipsec sa it shows a lot of info.
Need to know: what do local and remote ident mean?
local ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)
What does conn id: and flow_id mean?
What does packet digest mean?
Thanks
Mahesh
12-18-2012 09:45 AM
Hello Mahesh,
Basically, each SA will show you the traffic that is being sent over the VPN (who is initiating the traffic). In this case we can see that we are sending over the VPN tunnel the traffic being sourced from 10.10.x.x to the other 10 subnet.
Regards,
Julio
12-18-2012 10:11 AM
For every interesting traffic flow in the VPN, or every crypto ACL, a corresponding IPSEC SA is configured, wherein the proxy identities imply the local and remote identities, which in turn provide details of the interesting traffic between the local network and the remote network that will be encrypted over the tunnel.
Now, how this traffic flows depends upon the IPSEC SA: for each traffic flow a corresponding IPSEC SA is built for encryption as well as decryption. This is why we see two IPSEC SAs for one proxy identity.
These SAs are refreshed after a specific interval, i.e. after rekey, and then new SAs are created. These SAs are dependent upon the VPN context IDs and usage data IDs that are deleted and created every time after rekey. For checking this out you can use the commands "show asp table context" and "show asp table classify crypto".
Whenever any packet fails to encrypt or decrypt for any reason, we should be able to see errors in the IPSEC SA.
Regards,
Anuj
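The following is an added example, not code from the thread or from Cisco. It takes the two points made above (Anuj's: one proxy identity, i.e. a local/remote ident pair, gets an inbound and an outbound ESP SA; Marvin's below: each ident is a network, optionally narrowed by protocol and port) and turns them into a small parser for `show crypto ipsec sa` output. It also implements the matching rule the addr/mask/prot/port tuple encodes (mask 255.255.255.255 is a single host, prot 0 and port 0 mean "any"), so you can ask which SA a given flow would use, and it flags the error counters Anuj mentions. The sample output is constructed to resemble IOS output; every address, SPI, counter, conn id and flow_id in it is made up. The "one-way traffic" check (packets encapsulated but none decapsulated) is an extra heuristic of this example, not something the thread states. For the counters: `#pkts digest` is the outbound count of packets that had their integrity hash computed, and `#pkts verify` is the inbound counterpart; the example parses both but only uses them as numbers.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample resembling IOS `show crypto ipsec sa` output; every value is made up.
# Second proxy identity deliberately has counters but no ESP SAs listed.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
    #pkts encaps: 1532, #pkts encrypt: 1532, #pkts digest: 1532
    #pkts decaps: 1490, #pkts decrypt: 1490, #pkts verify: 1490
    #send errors 0, #recv errors 3

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        conn id: 2001, flow_id: SW:1, sibling_flags 80000040, crypto map: VPNMAP
     outbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        conn id: 2002, flow_id: SW:2, sibling_flags 80000040, crypto map: VPNMAP

   local  ident (addr/mask/prot/port): (10.0.1.50/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (10.0.3.10/255.255.255.255/6/443)
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#(pkts \w+|send errors|recv errors):? (\d+)")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
CONN_RE = re.compile(r"conn id: (\d+), flow_id: (\S+),")


@dataclass
class Ident:
    """One side of a proxy identity, as printed: addr/mask/prot/port."""
    addr: str
    mask: str
    proto: int
    port: int

    def covers(self, ip: str, proto: int, port: int) -> bool:
        # Mask 255.255.255.255 selects a single host; prot 0 and port 0 mean "any".
        net = ipaddress.ip_network(f"{self.addr}/{self.mask}", strict=False)
        return (ipaddress.ip_address(ip) in net
                and (self.proto == 0 or self.proto == proto)
                and (self.port == 0 or self.port == port))


@dataclass
class IpsecSa:
    local: Ident
    remote: Optional[Ident] = None
    counters: dict = field(default_factory=dict)
    inbound: list = field(default_factory=list)   # (spi, conn id, flow_id) tuples
    outbound: list = field(default_factory=list)


def parse_ipsec_sa(text: str) -> list:
    """Group the output into one IpsecSa per local/remote proxy identity pair."""
    sas, direction, spi = [], None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            ident = Ident(m.group(2), m.group(3), int(m.group(4)), int(m.group(5)))
            if m.group(1) == "local":          # a new proxy identity starts here
                sas.append(IpsecSa(local=ident))
                direction, spi = None, None
            else:
                sas[-1].remote = ident
            continue
        if not sas:
            continue
        sa = sas[-1]
        for name, value in COUNTER_RE.findall(line):
            sa.counters[name] = int(value)
        if "inbound esp sas" in line:
            direction = "inbound"
        elif "outbound esp sas" in line:
            direction = "outbound"
        m = SPI_RE.search(line)
        if m:
            spi = int(m.group(1), 16)
        m = CONN_RE.search(line)
        if m and direction and spi is not None:   # conn id / flow_id belong to the last SPI seen
            getattr(sa, direction).append((spi, int(m.group(1)), m.group(2)))
            spi = None
    return sas


def find_sa(sas, src, dst, proto=0, sport=0, dport=0):
    """First SA whose local ident covers the source and remote ident covers the destination."""
    for sa in sas:
        if sa.local.covers(src, proto, sport) and sa.remote.covers(dst, proto, dport):
            return sa
    return None


def health_issues(sa) -> list:
    """Flag error counters, one-way traffic, and a proxy identity lacking both ESP SAs."""
    c, issues = sa.counters, []
    if c.get("send errors", 0) or c.get("recv errors", 0):
        issues.append(f"errors: send={c.get('send errors', 0)} recv={c.get('recv errors', 0)}")
    if c.get("pkts encaps", 0) and not c.get("pkts decaps", 0):
        issues.append("one-way: packets encapsulated but none decapsulated")
    if not (sa.inbound and sa.outbound):
        issues.append("missing inbound or outbound ESP SA")
    return issues
```

Usage: `find_sa(parse_ipsec_sa(text), "10.0.1.50", "10.0.3.10", proto=6, dport=443)` returns the host-to-host SA, while the same pair on port 80 returns nothing, which is exactly the "no matching SA for interesting traffic" case; `health_issues` on the first SA reports the three receive errors. ASA output differs slightly in spacing and punctuation (for example `#send errors: 0`), which the regexes tolerate, but anything beyond the lines shown here is an assumption to verify against your own device.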
12-17-2012 05:57 PM
The local and remote ident are the key bits. Within a VPN tunnel (the isakmp sa), there are one or more ipsec sas. Each ipsec sa is a pair of networks (and, optionally, further restricted by protocols and ports) that may communicate via the tunnel.
12-18-2012 07:30 AM
Hi Marvin,
Can you please explain in more detail?
Thanks
Mahesh