Thanks TacACK.
I noticed something else, which was weird. So like you said, say 2001 will
be incoming and 2002 outgoing encrypted traffic. However, this doesn't change
when you look at the output on the remote router. I'd have expected it to be
2002 incoming and 2001 outgoing, but it's not.
When I run the "show crypto ipsec sa" on both routers, they display the same
ID for their Inbound SA and outbound SA.
Here is the output from both routers R1 and R3:
CCIELAB-ROUTER-R1#show crypto engin conn active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.100.10.1
2001 IPsec 3DES+MD5 0 4 10.100.10.1
2002 IPsec 3DES+MD5 4 0 10.100.10.1
CCIELAB-ROUTER-R1#show crypto ipsec sa
interface: FastEthernet0/0.10
Crypto map tag: VPN, local addr 10.100.10.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
current_peer 10.100.3.3 port 500
PERMIT, flags={origin_is_acl,ipsec_sa_request_sent}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 10.100.10.1, remote crypto endpt.: 10.100.3.3
*inbound esp sas:*
spi: 0xD017892B(3491203371)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
*conn id: 2001*, flow_id: FPGA:1, sibling_flags 80000046, crypto
map: VPN
sa timing: remaining key lifetime (k/sec): (4587973/3584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
*outbound esp sas:*
spi: 0x6C7CA4D6(1820107990)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
*conn id: 2002*, flow_id: FPGA:2, sibling_flags 80000046, crypto
map: VPN
sa timing: remaining key lifetime (k/sec): (4587973/3584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
*On Remote router R3:*
CCIELAB-ROUTER-R3#show crypto engin conn active
Crypto Engine Connections
ID Type Algorithm Encrypt Decrypt IP-Address
1001 IKE MD5+3DES 0 0 10.100.3.3
2001 IPsec 3DES+MD5 0 4 10.100.3.3
2002 IPsec 3DES+MD5 4 0 10.100.3.3
CCIELAB-ROUTER-R3#show crypto ipsec sa
interface: GigabitEthernet0/0.3
Crypto map tag: VPN, local addr 10.100.3.3
protected vrf: (none)
local ident (addr/mask/prot/port): (3.3.3.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
current_peer 10.100.10.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
local crypto endpt.: 10.100.3.3, remote crypto endpt.: 10.100.10.1
*inbound esp sas:*
spi: 0x6C7CA4D6(1820107990)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
*conn id: 2001*, flow_id: NETGX:1, sibling_flags 80000046, crypto
map: VPN
Status: ACTIVE
*outbound esp sas:*
spi: 0xD017892B(3491203371)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
*conn id: 2002*, flow_id: NETGX:2, sibling_flags 80000046, crypto
map: VPN
sa timing: remaining key lifetime (k/sec): (4386702/3343)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
On Mon, Jun 6, 2011 at 10:11 PM, Vybhav Ramachandran <[email protected]> wrote:
> Hello Mark,
>
> Also, for every ACE in the "Interesting traffic" ACL, an IPSec negotiation
> happens and 2 new IPSEC SAs are added in that show command output.
>
> Regards,
> TacACK
>
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
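An added check (example code, not from the thread or from Cisco) that parses the two "show crypto ipsec sa" outputs above and confirms what they show: the conn ids 2001/2002 are handles local to each router's crypto engine, which is why both sides report 2001 for their inbound SA, whereas the SPIs are what pair the SAs across the tunnel, with R1's inbound SPI equal to R3's outbound SPI and vice versa. The sample strings are constructed excerpts of the outputs quoted above.

```python
import re

# Constructed excerpts of the outputs quoted above (only the lines the check needs).
R1_SA = """\
*inbound esp sas:*
spi: 0xD017892B(3491203371)
*conn id: 2001*, flow_id: FPGA:1, sibling_flags 80000046, crypto map: VPN
*outbound esp sas:*
spi: 0x6C7CA4D6(1820107990)
*conn id: 2002*, flow_id: FPGA:2, sibling_flags 80000046, crypto map: VPN
"""
R3_SA = """\
*inbound esp sas:*
spi: 0x6C7CA4D6(1820107990)
*conn id: 2001*, flow_id: NETGX:1, sibling_flags 80000046, crypto map: VPN
*outbound esp sas:*
spi: 0xD017892B(3491203371)
*conn id: 2002*, flow_id: NETGX:2, sibling_flags 80000046, crypto map: VPN
"""

def parse_esp_sas(text):
    """Map 'inbound'/'outbound' to {'spi': int, 'conn_id': int} for each ESP SA."""
    sas, direction = {}, None
    for raw in text.splitlines():
        line = raw.strip().strip("*").strip()  # drop the e-mail emphasis marks
        hdr = re.match(r"(inbound|outbound) esp sas:", line)
        spi = re.match(r"spi: (0x[0-9A-Fa-f]+)", line)
        cid = re.match(r"conn id: (\d+)", line)
        if hdr:
            direction = hdr.group(1)
            sas[direction] = {}
        elif spi and direction:
            sas[direction]["spi"] = int(spi.group(1), 16)
        elif cid and direction:
            sas[direction]["conn_id"] = int(cid.group(1))
    return sas

def peer_spis_consistent(local, remote):
    """Each side's inbound SPI must be the peer's outbound SPI and vice versa; the conn
    ids are not compared because they are only locally significant to each crypto engine."""
    return (local["inbound"]["spi"] == remote["outbound"]["spi"]
            and local["outbound"]["spi"] == remote["inbound"]["spi"])
```

If the SPIs do not cross like this, the two routers are not looking at the same pair of SAs (for example after a rekey on one side), which is the first thing to check before reading anything into the conn ids.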