Wednesday, January 18, 2012

IKE phase explained

IKE phase 1 builds a management tunnel between the two peers. The lifetime of this IKE phase 1 tunnel is set by the lifetime parameter under "crypto isakmp policy x", and the lower of the two peers' values is the one used. Once built, the peers use this tunnel to negotiate the next tunnel (the IKE phase 2 tunnel). Suppose the IKE phase 1 lifetime is 90 seconds, and within those 90 seconds the two peers build the IKE phase 2 tunnel (which has its own lifetime, controlled by the "set security-association lifetime" command in the crypto map). If the IKE phase 2 lifetime is an hour and that second tunnel is still healthy, the IKE phase 1 tunnel may no longer be needed. In that case, the original IKE phase 1 tunnel times out after 90 seconds, and the IKE phase 2 SA (tunnel) carries on for the duration of its own lifetime.

If, after an hour, the IKE phase 2 tunnel expires, and there is more traffic that needs to be encrypted, a new IKE phase 1 tunnel will be built, and used to negotiate a new IPSec SA (phase 2 tunnel), and the process would repeat.

While only the phase 2 tunnel is up, the show commands for IKE phase 1, such as "show crypto isakmp sa detail", will show no IKE phase 1 tunnel.
The show commands for the IKE phase 2 SAs, such as "show crypto ipsec sa", will show the tunnel details for IKE phase 2.
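The two lifetime settings discussed above, placed in a minimal IOS site-to-site configuration as an added example (not configuration from the original post or the referenced thread). The peer address 203.0.113.2, the map, ACL and transform-set names, the subnets and the pre-shared key are placeholders, and the 90-second phase 1 lifetime mirrors the post's illustration rather than a production value (the IOS default is 86400 seconds).

```text
! Added example, not from the original post. Peer, names, subnets and PSK are placeholders.
!
! IKE phase 1 policy: the "lifetime" here is the phase 1 SA lifetime in seconds.
! 90 s is the post's illustrative value; the IOS default is 86400 (24 hours).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 90
crypto isakmp key PSK-PLACEHOLDER address 203.0.113.2
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! IKE phase 2 (IPsec SA) lifetime lives in the crypto map: one hour, as in the post.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES
 set security-association lifetime seconds 3600
 match address VPN-ACL
!
ip access-list extended VPN-ACL
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
interface GigabitEthernet0/0
 crypto map VPN-MAP
!
! Verification more than 90 s after the tunnel came up:
!   show crypto isakmp sa detail   -> no active IKE phase 1 SA is listed
!   show crypto ipsec sa           -> the phase 2 SA is still listed with its remaining lifetime
```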

Ref: https://learningnetwork.cisco.com/thread/21724
