IKE negotiates the IPsec security associations (SAs). Before that can happen, the two IPsec peers must authenticate each other and establish the ISAKMP (IKE) shared keys.
In phase one, IKE creates an authenticated, encrypted channel between the two IKE peers, called the IKE (or ISAKMP) Security Association. A Diffie-Hellman key agreement is always performed in this phase.
In phase two, IKE negotiates the IPsec SAs and generates the keying material IPsec needs. The initiator offers one or more transform sets, each specifying an allowed combination of transforms (for example an ESP cipher plus an ESP integrity algorithm) and their settings, together with the data flow the transform set is to protect. At least one transform set must be offered. The responder replies with a single transform set: the one mutually agreed on for this IPsec session. Phase two can run a fresh Diffie-Hellman exchange (Perfect Forward Secrecy, PFS), or it can derive the IPsec keys from the phase one shared secret. In the latter case a compromise of the phase one secret exposes every phase two key derived from it, so PFS is the safer setting unless the extra DH exchange per rekey is unaffordable.
1] #show crypto map - verify the crypto map configuration (transform sets, PFS, ISAKMP/IPsec profiles) and the configured SA lifetimes
ISR2811#show crypto map
Crypto Map "Virtual-Template123-head-0" 65536 ipsec-isakmp
ISAKMP Profile: PHASE1_ISAKMP_PROFILE
Profile name: PHASE2_IPSEC_PROFILE
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Transform sets={
TRANSFORM_DATA: { esp-aes esp-md5-hmac } ,
}
Interfaces using crypto map Virtual-Template123-head-0:
Virtual-Template123
2] #show crypto ipsec sa - verify the settings in use by the current IPsec SAs (peer, SPIs, transform, PFS, counters, remaining lifetime)
ISR2811#show crypto ipsec sa
interface: Virtual-Access5 Crypto map tag: Virtual-Access5-head-0, local addr 1.9.110.41
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.20.11/255.255.255.255/0/0)
current_peer 219.92.89.235 port 58427
PERMIT, flags={origin_is_acl,}
#pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
#pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
local crypto endpt.: 1.9.110.41, remote crypto endpt.: 219.92.89.235
path mtu 1492, ip mtu 1492, ip mtu idb Virtual-Access5
current outbound spi: 0x2FE7C7D6(803719126)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xDAE64FD9(3672526809)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2059, flow_id: NETGX:59, sibling_flags 80000046, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4396346/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x2FE7C7D6(803719126)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2060, flow_id: NETGX:60, sibling_flags 80000046, crypto map: Virtual-Access5-head-0
sa timing: remaining key lifetime (k/sec): (4396341/3506)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
3] #show crypto isakmp sa - verify the current ISAKMP (phase one) SA; state QM_IDLE means phase one completed and the SA is idle, ready for quick mode
ISR2811#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.9.110.41      219.92.89.235   QM_IDLE           1026 ACTIVE
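The two outputs above can be checked mechanically. The script below is an added example, not code from the original post: it parses the `show crypto ipsec sa` and `show crypto isakmp sa` output reproduced on this page (embedded as sample input, trimmed) and flags what a reviewer would question in it. Note that the page's own SAs use `esp-md5-hmac` with PFS off and `DH group: none`: the phase two keys are derived from the phase one secret, and MD5-based HMAC is a legacy integrity choice. The weak-transform set and the five-minute rekey threshold are this example's own assumptions, not Cisco defaults.

```python
"""Audit Cisco 'show crypto ipsec sa' / 'show crypto isakmp sa' output.

Added example, not code from the original post. Parses the output shown in
the post (embedded below as sample input) and flags PFS off, legacy
transforms, inactive or nearly expired SAs and one-way traffic. The weak
transform set and lifetime threshold are this example's own assumptions.
"""
import re

# Sample input: trimmed copy of the 'show crypto ipsec sa' output in the post.
IPSEC_SA_OUTPUT = """\
interface: Virtual-Access5 Crypto map tag: Virtual-Access5-head-0, local addr 1.9.110.41
   current_peer 219.92.89.235 port 58427
    #pkts encaps: 125, #pkts encrypt: 125, #pkts digest: 125
    #pkts decaps: 141, #pkts decrypt: 141, #pkts verify: 141
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0xDAE64FD9(3672526809)
        transform: esp-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4396346/3506)
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0x2FE7C7D6(803719126)
        transform: esp-aes esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4396341/3506)
        Status: ACTIVE
"""
# Sample input: the 'show crypto isakmp sa' table in the post.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
1.9.110.41      219.92.89.235   QM_IDLE           1026 ACTIVE
"""
# Assumed audit policy: MD5 HMAC, DES/3DES and NULL are legacy transforms.
WEAK_TRANSFORMS = {"esp-md5-hmac", "esp-des", "esp-3des", "esp-null"}
MIN_REMAINING_SEC = 300   # warn when an SA rekeys in under five minutes


def parse_ipsec_sas(text):
    """Extract peer, PFS setting, packet counters and per-direction ESP SAs."""
    info = {"peer": None, "pfs": None, "dh_group": None, "counters": {}, "sas": []}
    if m := re.search(r"current_peer (\S+)", text):
        info["peer"] = m.group(1)
    if m := re.search(r"PFS \(Y/N\): (\w), DH group: (\S+)", text):
        info["pfs"], info["dh_group"] = m.group(1), m.group(2)
    for m in re.finditer(r"#pkts (\w+): (\d+)", text):
        info["counters"][m.group(1)] = int(m.group(2))
    direction = sa = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            direction = m.group(1) if m.group(2) == "esp" else None  # only ESP parsed
            sa = None
        elif (m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line)) and direction:
            sa = {"direction": direction, "spi": int(m.group(1), 16), "transforms": [],
                  "status": None, "remaining_kb": None, "remaining_sec": None}
            info["sas"].append(sa)
        elif sa is None:
            continue
        elif m := re.match(r"transform: (.+?)\s*,", line):
            sa["transforms"] = m.group(1).split()
        elif m := re.match(r"sa timing: .*\((\d+)/(\d+)\)", line):
            sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"Status: (\w+)", line):
            sa["status"] = m.group(1)
    return info


def audit_ipsec(info, min_remaining_sec=MIN_REMAINING_SEC):
    """Return human-readable findings for a parsed 'show crypto ipsec sa'."""
    findings = []
    if info["pfs"] != "Y":
        findings.append("PFS disabled: phase two keys derive from the phase one "
                        "secret, so one compromised IKE SA exposes every IPsec key")
    for sa in info["sas"]:
        tag = f"{sa['direction']} SA spi {sa['spi']:#010x}"
        findings += [f"{tag}: legacy transform {t}" for t in sa["transforms"]
                     if t in WEAK_TRANSFORMS]
        if sa["status"] != "ACTIVE":
            findings.append(f"{tag}: status {sa['status']}")
        if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
            findings.append(f"{tag}: rekey due in {sa['remaining_sec']}s")
    c = info["counters"]
    if bool(c.get("encaps")) != bool(c.get("decaps")):   # traffic in one direction only
        findings.append("one-way traffic: check the remote crypto ACL and routing")
    return findings


def parse_isakmp_sas(text):
    """Parse the 'show crypto isakmp sa' table into a list of SA dicts."""
    row = re.compile(r"(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\S+)$")
    sas = []
    for line in text.splitlines():
        if (m := row.match(line.strip())) and m.group(1)[0].isdigit():
            sas.append({"dst": m.group(1), "src": m.group(2), "state": m.group(3),
                        "conn_id": int(m.group(4)), "status": m.group(5)})
    return sas


def isakmp_established(sas, peer):
    """True when a phase one SA with peer is QM_IDLE: main mode done, ready for quick mode."""
    return any(peer in (sa["dst"], sa["src"]) and sa["state"] == "QM_IDLE"
               and sa["status"] == "ACTIVE" for sa in sas)


if __name__ == "__main__":
    ipsec = parse_ipsec_sas(IPSEC_SA_OUTPUT)
    print("IKE SA established:", isakmp_established(parse_isakmp_sas(ISAKMP_SA_OUTPUT), ipsec["peer"]))
    for finding in audit_ipsec(ipsec):
        print("WARN:", finding)
```

Run against the page's output it reports the IKE SA as established and three warnings: PFS disabled, and the legacy `esp-md5-hmac` transform on both the inbound and the outbound SA. Paste the full output of either command into the sample strings to audit a live router; the parser ignores the AH and PCP sections and any header lines.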
4] #clear crypto sa - delete the IPsec (phase two) security associations
The VPN stays up: the IKE SA is kept, and new IPsec SAs are negotiated in a fresh quick mode as soon as traffic matches the crypto map again.
5] #clear crypto isakmp - delete the active IKE (phase one) SAs
The tunnels to the affected peers are torn down and have to restart from phase one.
ISR2811#clear crypto ?
  call      Clear crypto call admission info
  ctcp      cTCP connections
  datapath  Clear crypto data path counters
  dh        Clear stored DH values
  engine    Clear crypto engine
  gdoi      Clear crypto gdoi
  ipsec     IPSec
  isakmp    Flush the ISAKMP database
  mtree     Clear Mtree Manager Command Stats
  pki       pki subsystem
  sa        Clear all crypto SAs
  session   clear crypto sessions (tunnels)