Hi all,
I have R1 as KS and R2 and R3 as GMs. I have created one loopback on each GM:
50.1.1.1 on R2 and 40.1.1.1 on R3. The policy I have given in the KS is:
access-list 100 permit ip host 50.1.1.1 host 40.1.1.1
access-list 100 permit ip host 40.1.1.1 host 50.1.1.1
Now I see many IPsec SAs on the GMs. Any reason?
Here is my output on R2:
===========================================
R2#sh crypto gdoi
GROUP INFORMATION
Group Name : GETVPN_GROUP_GM
Group Identity : 1234
Rekeys received : 3
IPSec SA Direction : Both
Active Group Server : 10.1.1.1
Group Server list : 10.1.1.1
GM Reregisters in : 2482 secs
Rekey Received(hh:mm:ss) : 00:01:03
Rekeys received
Cumulative : 3
After registration : 3
Rekey Acks sent : 3
ACL Downloaded From KS 10.1.1.1:
access-list permit ip host 50.1.1.1 host 40.1.1.1
access-list permit ip host 40.1.1.1 host 50.1.1.1
KEK POLICY:
Rekey Transport Type : Unicast
Lifetime (secs) : 299
Encrypt Algorithm : 3DES
Key Size : 192
Sig Hash Algorithm : HMAC_AUTH_SHA
Sig Key Length (bits) : 1024
TEK POLICY:
FastEthernet0/0:
IPsec SA:
sa direction:inbound
spi: *0x652D3A4B*(1697462859)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1379)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x652D3A4B(1697462859)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1379)
Anti-Replay : Disabled
IPsec SA:
sa direction:inbound
spi: *0xBDEF7FB6*(3186589622)
-------------------------------------- (Why do I see this SPI?)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2636)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0xBDEF7FB6(3186589622)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2636)
Anti-Replay : Disabled
IPsec SA:
sa direction:inbound
spi: 0x652D3A4B(1697462859)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1379)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: 0x652D3A4B(1697462859)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (1379)
Anti-Replay : Disabled
IPsec SA:
sa direction:inbound
spi: *0xBDEF7FB6*(3186589622)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2636)
Anti-Replay : Disabled
IPsec SA:
sa direction:outbound
spi: *0xBDEF7FB6*(3186589622)
transform: esp-3des esp-md5-hmac
sa timing:remaining key lifetime (sec): (2636)
Anti-Replay : Disabled
R2#
====================================================================
Output on R1 (KS):
GROUP INFORMATION
Group Name : GETVPN_GROUP (Unicast)
Group Identity : 1234
Group Members : 2
IPSec SA Direction : Both
Active Group Server : Local
Group Rekey Lifetime : 300 secs
Group Rekey
Remaining Lifetime : 170 secs
Rekey Retransmit Period : 10 secs
Rekey Retransmit Attempts: 2
Group Retransmit
Remaining Lifetime : 0 secs
IPSec SA Number : 1
IPSec SA Rekey Lifetime: 3600 secs
Profile Name : GETVPN_PROFILE
Replay method : Count Based
Replay Window Size : 64
SA Rekey
Remaining Lifetime : 2571 secs
ACL Configured : access-list 100
Group Server list : Local
R1#
R1#sh crypto gdoi ipsec sa
SA created for group GETVPN_GROUP:
R1#
============================================================
When I ping from R2 to R3,
I see the ESP traffic as:
71 347.125000 50.1.1.1 40.1.1.1 ESP ESP
(SPI=0x652d3a4b)
and from R3 to R2:
84 376.469000 40.1.1.1 50.1.1.1 ESP ESP
(SPI=0x652d3a4b)
So this shows that the SPI used here is the same in both directions on both
routers, i.e. 0x652d3a4b. Then why am I seeing this SPI *0xBDEF7FB6*?
Let me know if more info is required.
Regards
Imran