UNCLASSIFIED
Advanced Security Services
Version 1.0g
     current outbound spi: 1B908AE

     inbound esp sas:
      spi: 0xEFA038E(251265934)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: pipe-1
        sa timing: remaining key lifetime (k/sec): (4607999/3459)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x1B908AE(28903598)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: pipe-1
        sa timing: remaining key lifetime (k/sec): (4607999/3459)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:
Troubleshooting
Most current IPSec implementations, including Cisco's, can be very temperamental.
If any one of many parameters is not set properly, construction of the IPSec
tunnel will not succeed. And even when a tunnel is established, a few Cisco IOS
releases have demonstrated unstable functionality: in some cases packets which
should be protected by the tunnel are passed in the clear.
If your routers do not correctly establish the IPSec tunnels that you need, the
following suggestions will help reset the IPSec-relevant router parameters and
hopefully allow a tunnel to be constructed.
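As an added example (not part of this guide), the following Python parser reads the 'show crypto ipsec sa' output shown above and flags the conditions a defender checks for when a tunnel misbehaves: an ESP SA missing in one direction (tunnel not established), replay detection disabled, or an ESP transform with no HMAC integrity algorithm. The sample output is constructed from the excerpt above; the missing-HMAC check goes beyond what the text itself describes.

```python
import re

# Constructed sample modelled on the 'show crypto ipsec sa' excerpt above, not real device output.
SAMPLE = """\
 current outbound spi: 1B908AE
  inbound esp sas:
   spi: 0xEFA038E(251265934)
     transform: esp-3des esp-sha-hmac ,
     slot: 0, conn id: 2, crypto map: pipe-1
     replay detection support: Y
  inbound ah sas:
  outbound esp sas:
   spi: 0x1B908AE(28903598)
     transform: esp-3des esp-sha-hmac ,
     slot: 0, conn id: 3, crypto map: pipe-1
     replay detection support: Y
  outbound ah sas:
"""

def parse_sas(text):
    """Group SAs by '<direction> <protocol>', e.g. {'inbound esp': [sa, ...], 'inbound ah': []}."""
    sas, section, sa = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'^(inbound|outbound) (esp|ah) sas:$', line):
            section, sa = f'{m.group(1)} {m.group(2)}', None     # a new, possibly empty, SA list
            sas[section] = []
        elif section and (m := re.match(r'^spi: 0x([0-9A-Fa-f]+)\(\d+\)$', line)):
            sa = {'spi': int(m.group(1), 16), 'transform': [], 'replay': False}
            sas[section].append(sa)
        elif sa is not None:                                    # attribute lines of the current SA
            if line.startswith('transform:'):
                sa['transform'] = line.split(':', 1)[1].rstrip(' ,').split()
            elif line.startswith('replay detection support:'):
                sa['replay'] = line.endswith('Y')
            elif 'crypto map:' in line:
                sa['crypto_map'] = line.split('crypto map:')[1].strip()
    return sas

def check_tunnel(sas):
    """Return findings; an empty list means ESP SAs exist both ways with replay detection and integrity."""
    problems = []
    for direction in ('inbound esp', 'outbound esp'):
        if not sas.get(direction):
            problems.append(f'no {direction} SA: tunnel not established')
        for sa in sas.get(direction, []):
            if not sa['replay']:
                problems.append(f"{direction} SPI 0x{sa['spi']:X}: replay detection off")
            if not any('hmac' in t for t in sa['transform']):
                problems.append(f"{direction} SPI 0x{sa['spi']:X}: ESP transform has no HMAC integrity algorithm")
    return problems
```

Run it against the pasted output of 'show crypto ipsec sa' from each peer; a non-empty list from check_tunnel on either side points at which direction or protection failed before you start clearing SAs.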
1. Re-initialize the IPSec parameters by removing the IPSec and IKE security associations
When an attempt is made to construct an IPSec tunnel between two peers, the IOS
stores certain information about both of their IPSec configuration files. If the tunnel
fails to be constructed, this information will reside in IOS memory and hinder future
attempts at constructing tunnels between these two peers. To remove this information
and allow the routers to begin a fresh IPSec negotiation of tunnel parameters, several
things can be done. First, if the crypto maps are removed from the interfaces where
they were placed (e.g. interface eth0/0 on both North and Remote above), then the
information will be removed. If the crypto maps are in use by established tunnels,
then removing them is not a viable option. Hence, several commands may be used to