Refer to the following partial sample output from the show crypto ipsec sa command:
<output omitted>
interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
   current_peer 10.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2, #pkts encrypt: 2, #pkts digest: 2
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x82E64150(2196128080)
     PFS (Y/N): N, DH group: none
<output omitted>
Which of the following statements is true? (Select the best answer.)
A. There is a configuration mismatch between the local peer IP address and the local subnet address.
B. No DH group is configured in the IKE policy.
C. All encrypted traffic will be tagged with the value "aesmap".
D. At least one IPSec SA is established and operational.
Explanation:
The following partial output from the show crypto ipsec sa command indicates that at least one IP Security
(IPSec) security association (SA) is established and operational:
<output omitted>
interface: FastEthernet0/0
    Crypto map tag: aesmap, local addr 10.10.10.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.17.0/255.255.255.0/0/0)
   current_peer 10.20.20.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2243, #pkts encrypt: 2243, #pkts digest: 2243
    #pkts decaps: 2210, #pkts decrypt: 2210, #pkts verify: 2210
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.10.10.2, remote crypto endpt.: 10.20.20.2
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x82E64150(2196128080)
     PFS (Y/N): N, DH group: none
<output omitted>
The show crypto ipsec sa command displays detailed information about IPSec SAs, including the IP addresses
of the crypto endpoints (IPSec peers), the number of packets encrypted and decrypted, the security protocol,
and the corresponding Security Parameter Indices (SPIs). In this scenario, the partial command output
indicates that the router should use the outbound SPI with a value of 0x82E64150 (2196128080) when
sending encrypted packets from the local peer, 10.10.10.2, to the remote peer 10.20.20.2. The SPI is one of
the components used to uniquely identify an IPSec SA.
Each IPSec SA is uniquely identified by its corresponding IPSec peer address, security protocol, and SPI.
Because IPSec SAs are unidirectional, two SAs are required between active IPSec peers: an inbound SA and
an outbound SA. The SPI associated with the outbound SA is generated by the local peer during phase
2 of the Internet Key Exchange (IKE) negotiation process and is used by the remote peer as the inbound SPI
associated with this SA. Likewise, the SPI associated with the inbound SA on the local peer corresponds to the
outbound SPI that was generated by the remote peer during its portion of phase 2 negotiations. Once phase 2
negotiations are complete and at least one IPSec SA is operational, the router can begin sending and receiving
encrypted traffic. In this scenario, the partial command output indicates that 2,243 packets have been encrypted
and 2,210 packets have been decrypted since IKE phase 2 negotiations completed and the IPSec SA was
created.
The command output in this scenario does not indicate that a Diffie-Hellman (DH) group is not configured in the
IKE policy. Although the output contains a field named DH group with a value of none, this field corresponds to
the DH group configured for perfect forward secrecy (PFS), not to the DH group configured in an IKE policy.
PFS is used to optionally encrypt IKE keying data during phase 1 negotiations. The PFS (Y/N): N field in the
partial output indicates that PFS has not been configured, and thus no corresponding DH group is shown.
The command output does not indicate that all encrypted traffic will be tagged with the value “aesmap”. The
Crypto map tag: aesmap field in the partial command output indicates the name of the IPSec crypto map that is
associated with the displayed interface. A crypto map describes which traffic should be encrypted, the remote
peer IP address, and the transform set that should be used to encrypt the data.