UNCLASSIFIED Advanced Security Services  Version 1.0g  UNCLASSIFIED 171

     current outbound spi: 1B908AE

     inbound esp sas:
      spi: 0xEFA038E(251265934)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: pipe-1
        sa timing: remaining key lifetime (k/sec): (4607999/3459)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     outbound esp sas:
      spi: 0x1B908AE(28903598)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: pipe-1
        sa timing: remaining key lifetime (k/sec): (4607999/3459)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

Troubleshooting

Most current IPSec implementations, including Cisco’s, can be very temperamental. If any one of the many parameters is not set properly, the construction of the IPSec tunnel will not succeed. And even when a tunnel is established, a few Cisco IOS releases have demonstrated unstable functionality: in some cases packets which should be protected by the tunnel are passed in the clear.

If your routers do not correctly establish the IPSec tunnels that you need, the following suggestions will help reset the IPSec-relevant router parameters and hopefully allow for a tunnel to be constructed.

1.     Re-initialize the IPSec parameters by removing the IPSec and IKE security associations

When an attempt is made to construct an IPSec tunnel between two peers, the IOS stores certain information about both of their IPSec configuration files. If the tunnel fails to be constructed, this information will reside in IOS memory and hinder future attempts at constructing tunnels between these two peers. To remove this information and allow the routers to begin a fresh IPSec negotiation of tunnel parameters, several things can be done.
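One way to check what the router actually negotiated before clearing any state, as an added example that is not part of the original guide: this Python sketch parses `show crypto ipsec sa` output in the format of the listing above and reports a missing ESP SA in either direction, a current outbound SPI that matches no outbound SA, replay detection that is not enabled, and a transform with no HMAC. The function names `parse_sas` and `audit` and the choice of checks are assumptions of this example.

```python
import re

# Abridged from the `show crypto ipsec sa` listing on this page (unchecked fields omitted).
SAMPLE = """\
current outbound spi: 1B908AE
inbound esp sas:
 spi: 0xEFA038E(251265934)
   transform: esp-3des esp-sha-hmac ,
   replay detection support: Y
inbound ah sas:
outbound esp sas:
 spi: 0x1B908AE(28903598)
   transform: esp-3des esp-sha-hmac ,
   replay detection support: Y
outbound ah sas:
"""

def parse_sas(text):
    """Return (current outbound SPI or None, {"inbound esp": [SA, ...], ...})."""
    current, sections, sas = None, {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"current outbound spi: (?:0x)?([0-9A-Fa-f]+)", line):
            current = int(m.group(1), 16)
        elif m := re.match(r"(inbound|outbound) (esp|ah) sas:", line):
            sas = sections.setdefault(f"{m.group(1)} {m.group(2)}", [])
        elif sas is not None and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            sas.append({"spi": int(m.group(1), 16), "fields": []})
        elif sas:  # attribute line belonging to the SA opened by the last "spi:" line
            sas[-1]["fields"].append(line)
    return current, sections

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    current, sections = parse_sas(text)
    findings = []
    for direction in ("inbound", "outbound"):
        sas = sections.get(f"{direction} esp", [])
        if not sas:
            findings.append(f"no {direction} esp SA present")
        for sa in sas:
            if "replay detection support: Y" not in sa["fields"]:
                findings.append(f"{direction} SPI {sa['spi']:#x}: replay detection not enabled")
            if not any(f.startswith("transform:") and "hmac" in f for f in sa["fields"]):
                findings.append(f"{direction} SPI {sa['spi']:#x}: transform has no HMAC")
    out_spis = [sa["spi"] for sa in sections.get("outbound esp", [])]
    if out_spis and current not in out_spis:
        findings.append("current outbound spi matches no outbound esp SA")
    return findings
```

`audit(SAMPLE)` returns an empty list for the listing on this page; output captured from a router can be passed to `audit` as a single string.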
First, if the crypto maps are removed from the interfaces where they were placed (e.g. interface eth0/0 on both North and Remote above), then the information will be removed. If the crypto maps are in use by established tunnels, then removing them is not a viable option. Hence, several commands may be used to