Output of sh crypto ipsec sa

mahesh18
Level 6

Hi everyone,

When we do sh crypto ipsec sa it shows a lot of info.

Need to know what local and remote ident mean.

local ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)

remote ident (addr/mask/prot/port): (10.0.x.x/255.255.255.255/0/0)

What do conn id: and flow_id mean?

What does packet digest mean?

Thanks

Mahesh

2 Accepted Solutions

Hello Mahesh,

Basically each SA will show you the traffic that is being sent over the VPN (who is initiating the traffic). In this case we can see that we are sending over the VPN tunnel the traffic being sourced from 10.10.x.x to the other 10 subnet.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


anujsharma85
Level 1

For every interesting traffic flow in the VPN, i.e. every crypto ACL, a corresponding IPSEC SA is configured, where the PROXY identities are the local and remote identities, which in turn give the details of the interesting traffic between the local network and the remote network that will be encrypted over the tunnel.

Now, how this traffic flows depends upon the IPSEC SA: for each traffic flow a corresponding IPSEC SA is built for encryption as well as for decryption. This is why we see two IPSEC SAs for one proxy identity.

These SAs are refreshed after a specific interval, i.e. after rekey, and then new SAs are created. These SAs are dependent upon the VPN context IDs and usage data IDs that are deleted and created every time after rekey. For checking this out you can use the commands "show asp table context" and "show asp table classify crypto".

Whenever any packet fails to encrypt or decrypt for any reason, we should be able to see errors in the IPSEC SA.

Regards,

Anuj


4 Replies

Marvin Rhoads
Hall of Fame

The local and remote ident are the key bits. Within a VPN tunnel (the isakmp sa), there are one or more ipsec sas. Each ipsec sa is a pair of networks (and, optionally, further restricted by protocols and ports) that may communicate via the tunnel.
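As an added illustration (not code from this thread, nor from Cisco), the Python script below puts Marvin's and Anuj's points into something you can run: it parses a constructed sample that loosely follows the IOS "show crypto ipsec sa" layout, pulls out each local/remote ident as an addr/mask/prot/port selector, pairs the inbound and outbound ESP SAs (with their conn id and flow_id) under that proxy identity, and reads the per-identity packet counters. It then answers two operational questions: which ident pair a given flow would be selected by (first match, the way crypto map sequences are evaluated), and which identities show send/recv errors and therefore deserve a look. The sample text, addresses, SPIs and conn ids are all constructed for the example; the helper names are my own.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, loosely following the IOS "show crypto ipsec sa" layout.
# Two proxy identities under one crypto map: a host-to-host TCP/443 selector (seq 1)
# and a subnet-to-subnet selector (seq 2) that has counted receive-side errors.
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: CMAP, local addr 203.0.113.10

   local  ident (addr/mask/prot/port): (10.0.1.5/255.255.255.255/6/0)
   remote ident (addr/mask/prot/port): (10.0.2.9/255.255.255.255/6/443)
   current_peer 198.51.100.20 port 500
    #pkts encaps: 40, #pkts encrypt: 40, #pkts digest: 40
    #pkts decaps: 38, #pkts decrypt: 38, #pkts verify: 38
    #send errors 0, #recv errors 0
     inbound esp sas:
      spi: 0x5E6F7A8B(1584364171)
        transform: esp-aes 256 esp-sha256-hmac ,
        conn id: 2001, flow_id: SW:1, sibling_flags 80000040, crypto map: CMAP
     outbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes 256 esp-sha256-hmac ,
        conn id: 2002, flow_id: SW:2, sibling_flags 80000040, crypto map: CMAP

   local  ident (addr/mask/prot/port): (10.0.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
   current_peer 198.51.100.20 port 500
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1150, #pkts decrypt: 1150, #pkts verify: 1150
    #send errors 0, #recv errors 3
     inbound esp sas:
      spi: 0x0000A1B2(41394)
        conn id: 2003, flow_id: SW:3, sibling_flags 80000040, crypto map: CMAP
     outbound esp sas:
      spi: 0x0000C3D4(50132)
        conn id: 2004, flow_id: SW:4, sibling_flags 80000040, crypto map: CMAP
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/(\d+)/(\d+)\)")
COUNTER_RE = re.compile(r"#(pkts [a-z. ]+?|send errors|recv errors):?\s*(\d+)")
DIR_RE = re.compile(r"^\s*(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
CONN_RE = re.compile(r"conn id: (\d+), flow_id: (\S+?),")


@dataclass
class Ident:
    """One side of a proxy identity as printed: addr/mask/prot/port, where 0 means any."""
    addr: str
    mask: str
    proto: int
    port: int

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.addr}/{self.mask}", strict=False)

    def matches(self, ip: str, proto: int, port: int) -> bool:
        if ipaddress.ip_address(ip) not in self.network():
            return False
        if self.proto and self.proto != proto:
            return False
        return not self.port or self.port == port


@dataclass
class EspSa:
    direction: str   # "inbound" (decrypt side) or "outbound" (encrypt side)
    spi: str
    conn_id: int
    flow_id: str


@dataclass
class IpsecSaEntry:
    local: Ident
    remote: Optional[Ident] = None
    counters: dict = field(default_factory=dict)   # e.g. "pkts digest", "recv errors"
    esp_sas: list = field(default_factory=list)    # one inbound + one outbound per identity


def parse_show_crypto_ipsec_sa(text: str) -> list:
    """Line-oriented state machine: a 'local ident' line opens a new proxy-identity entry."""
    entries, current, direction, pending_spi = [], None, None, None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            ident = Ident(addr, mask, int(proto), int(port))
            if side == "local":
                current = IpsecSaEntry(local=ident)
                entries.append(current)
                direction, pending_spi = None, None
            else:
                current.remote = ident
            continue
        if current is None:
            continue
        for name, value in COUNTER_RE.findall(line):
            current.counters[name] = int(value)
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = SPI_RE.search(line)
        if m and direction:                      # ignore SPIs outside the esp sas sections
            pending_spi = m.group(1)
        m = CONN_RE.search(line)
        if m and direction and pending_spi:
            current.esp_sas.append(EspSa(direction, pending_spi, int(m.group(1)), m.group(2)))
            pending_spi = None
    return entries


def sa_for_flow(entries, src, dst, proto=0, sport=0, dport=0):
    """First entry whose local ident selects (src, sport) and remote ident selects (dst, dport).
    None means the flow is not interesting traffic for any identity in the output."""
    for e in entries:
        if e.local.matches(src, proto, sport) and e.remote.matches(dst, proto, dport):
            return e
    return None


def sas_with_errors(entries):
    """Identities whose send/recv error counters are non-zero: where to look when a flow
    is selected by an ident but still does not make it across the tunnel."""
    return [e for e in entries
            if e.counters.get("send errors", 0) or e.counters.get("recv errors", 0)]


def conn_ids(entry):
    """(inbound, outbound) conn ids: the two SAs built per proxy identity, one per direction."""
    by_dir = {s.direction: s.conn_id for s in entry.esp_sas}
    return by_dir.get("inbound"), by_dir.get("outbound")


if __name__ == "__main__":
    entries = parse_show_crypto_ipsec_sa(SAMPLE)
    for e in entries:
        print(f"{e.local.network()} -> {e.remote.network()} prot={e.remote.proto} "
              f"port={e.remote.port} conn ids={conn_ids(e)} recv errors={e.counters.get('recv errors')}")
    hit = sa_for_flow(entries, "10.0.1.7", "10.0.2.9", 6, 51000, 443)
    print("10.0.1.7 -> 10.0.2.9:443/tcp is selected by", hit.local.network(), "->", hit.remote.network())
    print("identities with errors:", [str(e.local.network()) for e in sas_with_errors(entries)])
```

Two things the output shows that the thread only states in words: the same destination (10.0.2.9:443/tcp) lands on the host-specific identity when it comes from 10.0.1.5 but on the subnet identity when it comes from 10.0.1.7, so "first matching ident pair" is what decides which SA pair carries a packet; and a non-zero "recv errors" on an identity with otherwise healthy digest/verify counts is what Anuj's "errors in the IPSEC SA" looks like in practice.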

Hi Marvin,

Can you please explain in more detail?

Thanks

Mahesh
