Hello Piotr,

Thanks for the clarification. Awesome. I had a doubt because when I ran the
"debug crypto isakmp" command, I wasn't noticing any Phase 1 exchange
happening on lifetime expiry.

However, now I ran the "debug crypto engine" command and I found a
difference between the config with/without PFS.

*Without PFS ( on expiry )*

*Mar  1 03:22:52.083: crypto_engine: Decrypt IKE packet
*Mar  1 03:22:52.087: crypto_engine: Generate IKE hash
*Mar  1 03:22:52.091: crypto_engine: Generate IKE hash
*Mar  1 03:22:52.095: crypto_engine: Generate IKE QM keys
*Mar  1 03:22:52.095: crypto_engine: Create IPSec SA (by keys)
*Mar  1 03:22:52.099: crypto_engine: Generate IKE QM keys
*Mar  1 03:22:52.099: crypto_engine: Create IPSec SA (by keys)
*Mar  1 03:22:52.103: crypto_engine: Encrypt IKE packet
*Mar  1 03:22:52.111: crypto engine: updating MTU size of IPSec SA 20
*Mar  1 03:22:52.111: crypto_engine: Set IPSec MTU
*Mar  1 03:22:52.295: crypto_engine: Decrypt IKE packet
R2#
*Mar  1 03:22:52.295: crypto_engine: Generate IKE hash
R2#
*Mar  1 03:23:24.755: crypto engine: deleting IPSec SA 17
*Mar  1 03:23:24.755: crypto_engine: Delete IPSec SA
*Mar  1 03:23:24.759: crypto engine: deleting IPSec SA 18
*Mar  1 03:23:24.763: crypto_engine: Generate IKE hash
*Mar  1 03:23:24.763: crypto_engine: Encrypt IKE packet
*Mar  1 03:23:24.771: crypto_engine: Delete IPSec SA

*With PFS*

*Mar  1 03:20:04.307: crypto_engine: Generate IKE hash
*Mar  1 03:20:04.307: crypto_engine: Encrypt IKE packet
**Mar  1 03:20:04.315: crypto_engine: Create DH *
*Mar  1 03:20:04.559: crypto_engine: Decrypt IKE packet
*Mar  1 03:20:04.563: crypto_engine: Generate IKE hash
*Mar  1 03:20:04.571: crypto_engine: Create DH shared secret
*Mar  1 03:20:04.767: crypto_engine: Generate IKE hash
*Mar  1 03:20:04.771: crypto_engine: Generate IKE QM keys
*Mar  1 03:20:04.771: crypto_engine: Create IPSec SA (by keys)
*Mar  1 03:20:04.775: crypto_engine: Generate IKE QM keys
*Mar  1 03:20:04.775: crypto_engine: Create IPSec SA (by keys)
*Mar  1 03:20:04.779: crypto engine: deleting DH phase 2 21
*Mar  1 03:20:04.779: crypto_engine: Delete DH shared secret
*Mar  1 03:20:04.779: crypto engine: deleting DH 19
*Mar  1 03:20:04.783: crypto_engine: Encrypt IKE packet

Cheers,
TacACK
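
Added example, not part of the original message: a small Python check that reads "debug crypto engine" output like the two captures above and reports, for each burst that creates IPsec SAs, whether a "Create DH shared secret" step preceded it. The 5-second burst gap and the function names are assumptions, the sample lines are abridged from the post, and the check assumes the capture contains only Quick Mode rekeys, as in the post.

```python
import re

LINE = re.compile(r"^\*+(\w{3}\s+\d+\s+(\d+):(\d+):(\d+\.\d+)):"
                  r"\s+crypto[_ ]engine:\s+(.*?)[\s*]*$")
BURST_GAP = 5.0  # assumed: seconds of silence separating two negotiations

def parse(text):
    """Yield (stamp, seconds_of_day, message) for each crypto engine debug line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # prompts such as "R2#" and blank lines are skipped
            stamp, h, mi, s, msg = m.groups()
            yield stamp, int(h) * 3600 + int(mi) * 60 + float(s), msg

def rekeys(text):
    """Return [(stamp_of_first_line, used_pfs)] per burst that created IPsec SAs."""
    bursts, last = [], None
    for stamp, t, msg in parse(text):
        if last is None or t - last > BURST_GAP:
            bursts.append((stamp, []))
        bursts[-1][1].append(msg)
        last = t
    out = []
    for stamp, msgs in bursts:
        if "Create IPSec SA (by keys)" not in msgs:
            continue  # e.g. the later burst that only deletes the old SAs
        first_sa = msgs.index("Create IPSec SA (by keys)")
        # PFS: a fresh DH secret was computed before the SA keys were derived
        out.append((stamp, "Create DH shared secret" in msgs[:first_sa]))
    return out

# Sample input abridged from the two captures in the post
WITHOUT_PFS = """
*Mar  1 03:22:52.083: crypto_engine: Decrypt IKE packet
*Mar  1 03:22:52.095: crypto_engine: Generate IKE QM keys
*Mar  1 03:22:52.095: crypto_engine: Create IPSec SA (by keys)
R2#
*Mar  1 03:23:24.755: crypto engine: deleting IPSec SA 17
*Mar  1 03:23:24.755: crypto_engine: Delete IPSec SA
"""
WITH_PFS = """
**Mar  1 03:20:04.315: crypto_engine: Create DH *
*Mar  1 03:20:04.571: crypto_engine: Create DH shared secret
*Mar  1 03:20:04.771: crypto_engine: Generate IKE QM keys
*Mar  1 03:20:04.771: crypto_engine: Create IPSec SA (by keys)
*Mar  1 03:20:04.779: crypto_engine: Delete DH shared secret
"""

if __name__ == "__main__":
    for name, log in (("without PFS", WITHOUT_PFS), ("with PFS", WITH_PFS)):
        print(name, rekeys(log))
```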