Can you perform a `show crypto ipsec sa | in ident|spi|inbound|outbound`? This should show you the related SPIs with respect to the identity information. You will be able to tell what the SAs are currently being used for. There should be an inbound and outbound SA for each GM and KS on each GM.
_____
From: [email protected] [mailto:[email protected]] On Behalf Of imran mohammed
Sent: Friday, October 30, 2009 1:17 AM
To: Cisco certification; OSL CCIE Security Lab Exam
Subject: [OSL | CCIE_Security] GETVPN IPSEC SA Issue

Hi all,

I have R1 as KS and R2 and R3 as GMs. I have created one loopback on each GM: 50.1.1.1 on R2 and 40.1.1.1 on R3. The policy I have given in the KS is

access-list 100 permit ip host 50.1.1.1 host 40.1.1.1
access-list 100 permit ip host 40.1.1.1 host 50.1.1.1

Now I see many IPsec SAs on the GMs, any reason? Here is my output on R2:

===========================================
R2#sh crypto gdoi
GROUP INFORMATION

    Group Name               : GETVPN_GROUP_GM
    Group Identity           : 1234
    Rekeys received          : 3
    IPSec SA Direction       : Both
    Active Group Server      : 10.1.1.1
    Group Server list        : 10.1.1.1

    GM Reregisters in        : 2482 secs
    Rekey Received(hh:mm:ss) : 00:01:03

    Rekeys received
         Cumulative          : 3
         After registration  : 3
    Rekey Acks sent          : 3

 ACL Downloaded From KS 10.1.1.1:
   access-list  permit ip host 50.1.1.1 host 40.1.1.1
   access-list  permit ip host 40.1.1.1 host 50.1.1.1

KEK POLICY:
    Rekey Transport Type     : Unicast
    Lifetime (secs)          : 299
    Encrypt Algorithm        : 3DES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:inbound
        spi: 0xBDEF7FB6(3186589622)   <-------------------- (Why do I see this SPI?)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0xBDEF7FB6(3186589622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:inbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:inbound
        spi: 0xBDEF7FB6(3186589622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0xBDEF7FB6(3186589622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
R2#
====================================================================
Output on R1 (KS):

GROUP INFORMATION

    Group Name               : GETVPN_GROUP (Unicast)
    Group Identity           : 1234
    Group Members            : 2
    IPSec SA Direction       : Both
    Active Group Server      : Local
    Group Rekey Lifetime     : 300 secs
    Group Rekey
        Remaining Lifetime   : 170 secs
    Rekey Retransmit Period  : 10 secs
    Rekey Retransmit Attempts: 2
    Group Retransmit
        Remaining Lifetime   : 0 secs

    IPSec SA Number          : 1
    IPSec SA Rekey Lifetime  : 3600 secs
    Profile Name             : GETVPN_PROFILE
    Replay method            : Count Based
    Replay Window Size       : 64
    SA Rekey
        Remaining Lifetime   : 2571 secs
    ACL Configured           : access-list 100

    Group Server list        : Local
R1#
R1#sh crypto gdoi ipsec sa
SA created for group GETVPN_GROUP:
R1#
============================================================
When I ping from R2 to R3 I see the ESP traffic as

71 347.125000 50.1.1.1 40.1.1.1 ESP ESP (SPI=0x652d3a4b)

and from R3 to R2

84 376.469000 40.1.1.1 50.1.1.1 ESP ESP (SPI=0x652d3a4b)

So this shows that the SPI used here is the same in both directions on both routers, i.e. 0x652d3a4b. Then why am I seeing this SPI 0xBDEF7FB6?

Let me know if more info is required.

Regards,
Imran
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
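As an added example (not part of the thread, and not Cisco's code), the correlation that the reply suggests doing by hand with `show crypto ipsec sa` can be scripted: parse the TEK POLICY section of a GM's `show crypto gdoi`, pair the inbound and outbound entries by SPI, pick out the TEK with the most lifetime left (the most recently installed one), and check which of the installed SPIs actually appear in a packet capture. In GETVPN a GM keeps the previous TEK alongside a newly pushed one for a while after a TEK rekey, so two SPIs per direction is not by itself a fault; what matters is which one the traffic is using and whether every SPI on the wire has an SA on the GM. The sample `show crypto gdoi` text and the Wireshark summary lines below are constructed from the values posted in the thread, and the regular expression assumes the line layout shown there.

```python
import re
from collections import defaultdict

# Constructed sample input (values taken from the thread, layout assumed):
# the TEK POLICY section of "show crypto gdoi" on a GM.
SAMPLE_GDOI_OUTPUT = """\
TEK POLICY:
  FastEthernet0/0:
    IPsec SA:
        sa direction:inbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0x652D3A4B(1697462859)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (1379)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:inbound
        spi: 0xBDEF7FB6(3186589622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
    IPsec SA:
        sa direction:outbound
        spi: 0xBDEF7FB6(3186589622)
        transform: esp-3des esp-md5-hmac
        sa timing:remaining key lifetime (sec): (2636)
        Anti-Replay : Disabled
"""

# Constructed Wireshark summary lines, as posted in the thread.
SAMPLE_CAPTURE = [
    "71 347.125000 50.1.1.1 40.1.1.1 ESP ESP (SPI=0x652d3a4b)",
    "84 376.469000 40.1.1.1 50.1.1.1 ESP ESP (SPI=0x652d3a4b)",
]

SA_RE = re.compile(
    r"sa direction:(?P<dir>inbound|outbound)\s+"
    r"spi:\s*0x(?P<spi>[0-9A-Fa-f]+)\(\d+\)\s+"
    r"transform:\s*(?P<xform>[^\n]+?)\s+"
    r"sa timing:remaining key lifetime \(sec\): \((?P<life>\d+)\)\s+"
    r"Anti-Replay\s*:\s*(?P<replay>\w+)"
)
CAPTURE_SPI_RE = re.compile(r"SPI=0x([0-9A-Fa-f]+)")


def parse_tek_sas(text):
    """One dict per IPsec SA entry in the TEK POLICY section."""
    return [
        {
            "direction": m["dir"],
            "spi": int(m["spi"], 16),
            "transform": m["xform"].strip(),
            "lifetime": int(m["life"]),
            "anti_replay": m["replay"].lower() != "disabled",
        }
        for m in SA_RE.finditer(text)
    ]


def group_by_spi(sas):
    """SPI -> {direction: remaining lifetime}. A group SA uses one SPI both ways."""
    groups = defaultdict(dict)
    for sa in sas:
        groups[sa["spi"]][sa["direction"]] = sa["lifetime"]
    return dict(groups)


def spis_on_wire(capture_lines):
    """Distinct ESP SPIs seen in sniffer summary lines."""
    return {int(m.group(1), 16)
            for line in capture_lines
            for m in CAPTURE_SPI_RE.finditer(line)}


def tek_report(gdoi_text, capture_lines):
    """Correlate the GM's TEK table with what is actually on the wire."""
    sas = parse_tek_sas(gdoi_text)
    groups = group_by_spi(sas)
    wire = spis_on_wire(capture_lines)
    return {
        "tek_count": len(groups),
        # SPIs missing an inbound or outbound entry: worth a closer look
        "incomplete": sorted(s for s, d in groups.items()
                             if set(d) != {"inbound", "outbound"}),
        # the TEK with the most lifetime left is the most recently installed one
        "newest": max(groups, key=lambda s: max(groups[s].values())) if groups else None,
        # installed TEKs that no captured packet used
        "idle": sorted(set(groups) - wire),
        # SPIs on the wire that the GM has no SA for (those packets get dropped)
        "unknown_on_wire": sorted(wire - set(groups)),
        # SAs running without anti-replay; compare with the KS replay policy
        "no_anti_replay": sorted({sa["spi"] for sa in sas if not sa["anti_replay"]}),
    }


if __name__ == "__main__":
    report = tek_report(SAMPLE_GDOI_OUTPUT, SAMPLE_CAPTURE)
    for key, value in report.items():
        if isinstance(value, list):
            value = [hex(s) for s in value]
        elif key == "newest" and value is not None:
            value = hex(value)
        print(f"{key:16}: {value}")
```

Run against the thread's values, the report shows two complete TEKs, the capture using only 0x652d3a4b, and 0xbdef7fb6 (the one with more lifetime left) idle; re-running it after the older TEK expires, or after a few more rekeys, tells you whether the extra SPI is the normal rekey overlap or something that never gets cleaned up. Note also that both SAs report anti-replay disabled although the KS is configured for count-based replay, which is a separate thing to check.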
