Output of show crypto ipsec sa

DaeHeon Kang
Level 1

Hi,

I see some IPsec SAs show subnet information in the local ident and remote ident part of the show crypto ipsec sa output, but some show 0.0.0.0 like below.

There are encrypt packet counts on the SA.

What does 0.0.0.0 mean?

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)


@DaeHeon Kang, from 0.0.0.0 we can determine it's a route-based VPN. Any traffic routed (via static or dynamic routing protocol) to the tunnel interface will be encrypted, without having to be explicitly permitted via an ACL. If you have other SAs which identify a specific local and remote subnet, then this is a policy-based VPN.

Hi Rob,

Following is part of the VPN configuration.

It seems we're running a policy-based VPN, according to what you explained.

But how could some SAs show 0.0.0.0, which is route-based VPN?

I don't see a 0.0.0.0 ACL.

crypto dynamic-map DYNAMIC 100
 set transform-set AES256-SHA
 set reverse-route distance 100
 match address VPN-DYNAMIC
 reverse-route

crypto map INTERNET-VPN-MAP 10 ipsec-isakmp
 set peer x.x.x.x
 set security-association lifetime kilobytes 102400000
 set transform-set transform-ipsec-proposal-set
 set isakmp-profile aaa-profile1
 match address VPN-AAA
crypto map INTERNET-VPN-MAP 350 ipsec-isakmp dynamic DYNAMIC

ip access-list extended VPN-AAA
 permit ip 10.x.x.0 0.127.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.1xx.0.0 0.31.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.1xx.0.0 0.0.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.1xx.0.0 0.1.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.1xx.0.0 0.3.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.1xx.0.0 0.7.255.255 10.1xx.0.0 0.0.255.255
 permit ip 10.176.0.0 0.15.255.255 10.160.0.0 0.0.255.255
 permit ip 10.192.0.0 0.63.255.255 10.160.0.0 0.0.255.255

ip access-list extended VPN-DYNAMIC
 permit ip 10.x1.xx.1xx 0.0.0.15 10.1xx.0.0 0.3.255.255
 permit ip 10.x1.xx.192 0.0.0.63 10.1xx.0.0 0.3.255.255
 permit ip 10.x1.xx4.0 0.0.1.255 10.1xx.0.0 0.3.255.255
 permit ip 1xx.1xx.1xx.0 0.0.0.255 10.1xx.0.0 0.3.255.255
 permit ip 10.x0.1xx.0 0.0.1.255 10.1xx.0.0 0.3.255.255
 permit ip 10.1xx.1xx.0 0.0.1.255 10.1xx.0.0 0.3.255.255
 permit ip 10.1xx.2xx.0 0.0.1.255 10.1xx.0.0 0.3.255.255
 permit ip 10.1xx.2xx.0 0.0.0.255 10.1xx.0.0 0.3.255.255

interface GigabitEthernet4
 vrf forwarding INTERNET
 ip address x.x.x.1 255.255.255.240
 ip nat outside
 crypto map INTERNET-VPN-MAP
end
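A way to check this across a whole router, as an added example that is not part of the thread or of any Cisco tool: the script below parses the local ident, remote ident, current_peer and #pkts encrypt lines of show crypto ipsec sa, labels each SA policy-based or any/any (0.0.0.0/0.0.0.0 on both sides, the pattern described in the first reply for a route-based peer), and tests whether each SA's identities fall inside an entry of a crypto ACL written with IOS wildcard masks. The SA dump it runs on is constructed; the ACL uses the two unobfuscated VPN-AAA lines from the post; the function names and the documentation-range peer addresses are the example's own.

```python
"""Audit IOS 'show crypto ipsec sa' output against a crypto ACL. Added example,
not from the thread or from Cisco; the SA dump and ACL at the bottom are
constructed samples (peers from documentation address ranges)."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                      r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer ([\d.]+)")
ENC_RE = re.compile(r"#pkts encrypt: (\d+)")
ACE_RE = re.compile(r"^\s*permit ip ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")

@dataclass
class IpsecSa:
    local: ipaddress.IPv4Network | None = None
    remote: ipaddress.IPv4Network | None = None
    peer: str = ""
    encrypt: int = 0

    def is_any_any(self) -> bool:
        # 0.0.0.0/0 on both sides: the SA carries whatever is routed to it,
        # not an ACL-selected subnet pair.
        return (self.local is not None and self.remote is not None
                and self.local.prefixlen == 0 and self.remote.prefixlen == 0)

def ident_to_network(addr: str, mask: str) -> ipaddress.IPv4Network:
    # SA identities print a real netmask (255.255.0.0; 0.0.0.0 means any).
    return ipaddress.IPv4Network((addr, mask), strict=False)

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    # IOS ACLs use wildcard masks (1 = don't care): invert to a netmask.
    # A non-contiguous wildcard has no prefix form and raises ValueError.
    wc = int(ipaddress.IPv4Address(wildcard))
    netmask = str(ipaddress.IPv4Address(wc ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, netmask), strict=False)

def parse_ipsec_sa(text: str) -> list[IpsecSa]:
    # Each 'local ident' line opens a new SA record; the remote ident, peer
    # and counter lines that follow belong to it.
    sas: list[IpsecSa] = []
    for line in text.splitlines():
        if m := IDENT_RE.search(line):
            side, addr, mask, _prot, _port = m.groups()
            if side == "local":
                sas.append(IpsecSa())
            if sas:
                setattr(sas[-1], side, ident_to_network(addr, mask))
        elif sas and (m := PEER_RE.search(line)):
            sas[-1].peer = m.group(1)
        elif sas and (m := ENC_RE.search(line)):
            sas[-1].encrypt = int(m.group(1))
    return sas

def parse_crypto_acl(text: str) -> list[tuple]:
    # (source, destination) networks for each 'permit ip' ACE.
    aces = []
    for line in text.splitlines():
        if m := ACE_RE.match(line):
            src, swc, dst, dwc = m.groups()
            aces.append((wildcard_to_network(src, swc), wildcard_to_network(dst, dwc)))
    return aces

def acl_covers(sa: IpsecSa, aces: list[tuple]) -> bool:
    # True when some ACE contains both identities; an any/any SA never is.
    if sa.local is None or sa.remote is None:
        return False
    return any(sa.local.subnet_of(src) and sa.remote.subnet_of(dst) for src, dst in aces)

def audit(sa_text: str, acl_text: str) -> list[dict]:
    aces = parse_crypto_acl(acl_text)
    return [{"peer": sa.peer, "kind": "any/any" if sa.is_any_any() else "policy-based",
             "local": str(sa.local), "remote": str(sa.remote), "encrypt": sa.encrypt,
             "in_acl": acl_covers(sa, aces)} for sa in parse_ipsec_sa(sa_text)]

# Constructed sample: one ACL-derived SA and one any/any SA.
SAMPLE_SA_OUTPUT = """\
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.160.0.0/255.255.0.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 4821, #pkts encrypt: 4821, #pkts digest: 4821

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.77 port 4500
    #pkts encaps: 133, #pkts encrypt: 133, #pkts digest: 133
"""
# The two unobfuscated VPN-AAA entries from the thread, in wildcard-mask form.
SAMPLE_ACL = """\
ip access-list extended VPN-AAA
 permit ip 10.176.0.0 0.15.255.255 10.160.0.0 0.0.255.255
 permit ip 10.192.0.0 0.63.255.255 10.160.0.0 0.0.255.255
"""

if __name__ == "__main__":
    for row in audit(SAMPLE_SA_OUTPUT, SAMPLE_ACL):
        print(row)
```

Run it as-is to print one row per SA. An any/any SA is never contained by a specific ACE, so it comes out with in_acl False, which is the situation in the question: those 0.0.0.0 identities did not come from an ACL line. The wildcard helper rejects a non-contiguous wildcard rather than silently converting it to the wrong prefix.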