
Output of show crypto ipsec sa

DaeHeon Kang



I see that some IPsec SAs show subnet information in the local ident and remote ident fields of the show crypto ipsec sa command, but some look like the output below.

There are encrypted packet counts on the SA.

What does it mean?


local ident (addr/mask/prot/port): (

remote ident (addr/mask/prot/port): (

2 Replies

Rob Ingram
VIP Master

@DaeHeon Kang from we can determine it's a route based VPN. Any traffic routed (via static or dynamic routing protocol) to the tunnel interface will be encrypted, without having to be explicitly permitted via an ACL. If you have other SAs which identify a specific local and remote subnet, then this is a Policy Based VPN.
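The rule in the reply above, applied to command output, as an added example that is not part of the original thread: it parses the ident lines of `show crypto ipsec sa` and labels each SA, leaving truncated ident lines unclassified. The sample output and the any/any selector value `0.0.0.0/0.0.0.0/0/0` are constructed assumptions (the value is cut off in the thread), and `parse_sas` and `classify` are hypothetical names.

```python
import re
from ipaddress import ip_network

# Constructed sample in the layout of `show crypto ipsec sa`; all values are made up.
SAMPLE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
   local  ident (addr/mask/prot/port): (10.10.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.0.0/255.255.0.0/0/0)
    #pkts encaps: 7, #pkts encrypt: 7, #pkts digest: 7
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
"""

IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): \((.*)$")
FIELDS = re.compile(r"^(\d+(?:\.\d+){3})/(\d+(?:\.\d+){3})/(\d+)/(\d+)\)\s*$")
ENCRYPT = re.compile(r"#pkts encrypt: (\d+)")

def classify(sa):
    """Apply the rule from the reply: any/any selectors mean route-based."""
    selectors = (sa["local"], sa["remote"])
    if None in selectors:
        return "unparsed"  # ident line was truncated or malformed
    any_any = all(net.prefixlen == 0 and prot == 0 and port == 0
                  for net, prot, port in selectors)
    return "route-based" if any_any else "policy-based"

def parse_sas(output):
    """Return one dict per SA with selectors, encrypt counter and VPN kind."""
    sas, current = [], None
    for line in output.splitlines():
        ident = IDENT.match(line)
        if ident:
            side, rest = ident.groups()
            if side == "local":  # a local ident line starts a new SA entry
                current = {"local": None, "remote": None, "encrypt": 0}
                sas.append(current)
            fields = FIELDS.match(rest)
            if fields and current is not None:
                addr, mask, prot, port = fields.groups()
                net = ip_network(f"{addr}/{mask}", strict=False)
                current[side] = (net, int(prot), int(port))
        elif current is not None and (hit := ENCRYPT.search(line)):
            current["encrypt"] = int(hit.group(1))
    for sa in sas:
        sa["kind"] = classify(sa)
    return sas

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["kind"], sa["local"], sa["remote"], sa["encrypt"])
```

An SA labelled route-based with a non-zero encrypt counter is one where routing alone, not an ACL, decides what gets encrypted, so the routes pointing at that tunnel are what to review.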

Hi Rob,

The following is part of the VPN configuration.

It seems we're running a policy-based VPN according to what you explained.

But how could some SAs show up as a routing-based VPN?

I don't see an ACL.



crypto dynamic-map DYNAMIC 100
 set transform-set AES256-SHA
 set reverse-route distance 100
 match address VPN-DYNAMIC

crypto map INTERNET-VPN-MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 102400000
 set transform-set transform-ipsec-proposal-set
 set isakmp-profile aaa-profile1
 match address VPN-AAA
crypto map INTERNET-VPN-MAP 350 ipsec-isakmp dynamic DYNAMIC


ip access-list extended VPN-AAA
 permit ip 10.x.x.0 10.1xx.0.0
 permit ip 10.1xx.0.0 10.1xx.0.0
 permit ip 10.1xx.0.0 10.1xx.0.0
 permit ip 10.1xx.0.0 10.1xx.0.0
 permit ip 10.1xx.0.0 10.1xx.0.0
 permit ip 10.1xx.0.0 10.1xx.0.0
 permit ip
 permit ip

ip access-list extended VPN-DYNAMIC
 permit ip 10.x1.xx.1xx 10.1xx.0.0
 permit ip 10.x1.xx.192 10.1xx.0.0
 permit ip 10.x1.xx4.0 10.1xx.0.0
 permit ip 1xx.1xx.1xx.0 10.1xx.0.0
 permit ip 10.x0.1xx.0 10.1xx.0.0
 permit ip 10.1xx.1xx.0 10.1xx.0.0
 permit ip 10.1xx.2xx.0 10.1xx.0.0
 permit ip 10.1xx.2xx.0 10.1xx.0.0


interface GigabitEthernet4
 vrf forwarding INTERNET
 ip address x.x.x.1
 ip nat outside





