Question Ref: VPN Encryption

I have a question that's puzzling me. I have the setup below on my PIX 515 running Version 6.3(5); both of the VPN tunnels below are up.

My question is...

When I do show isakmp sa detail, I observe that my VPN tunnel using transform-set Y456 is using encryption 3des and hash MD5. Shouldn't I see:

encryption = AES and hash = SHA, as per transform-set Y456?

Has anyone seen this before, or am I running into a bug?

crypto ipsec transform-set X123 esp-3des esp-md5-hmac
crypto ipsec transform-set Y456 esp-aes-192 esp-sha-hmac
crypto map MYMAP 1 ipsec-isakmp
crypto map MYMAP 1 match address 103
crypto map MYMAP 1 set peer 123.456.789.100
crypto map MYMAP 1 set transform-set X123
crypto map MYMAP 2 ipsec-isakmp
crypto map MYMAP 2 match address 104
crypto map MYMAP 2 set peer 111.222.333.444
crypto map MYMAP 2 set transform-set Y456
crypto map MYMAP interface outside
isakmp enable outside
isakmp key <KEY1234> address 123.456.789.100 netmask
isakmp key <KEY5678> address 111.222.333.444 netmask
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-192
isakmp policy 2 hash sha
isakmp policy 2 group 5
isakmp policy 2 lifetime 1440

EURO_FW01# sho isakmp sa det
Local                Remote               Encr Hash Auth State   Lifetime
222.333.444.555:500  111.222.333.444:500  3des md5  psk  QM_IDLE 86082
222.333.444.555:500  123.456.789.100:500  3des md5  psk  QM_IDLE 9316

michael.leblanc Wed, 06/04/2008 - 06:03

You are confusing ISAKMP policy with IPSec policy.

The output of "show isakmp sa detail" is showing you the "ISAKMP" protection suite used for the bi-directional SA created during Phase 1.

Look at the "isakmp policy 1" parameters and you will see a match with the command output.

The transform-set you are referring to is the protection suite used for the two unidirectional IPSec SAs created during Phase II.

If you want to see the IPSec SA detail, you would likely use a command such as:

"show ipsec sa detail"
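To make the Phase 1 / Phase 2 distinction concrete, here is an added check (example code written for this page, not the poster's or Cisco's): it parses the configuration and the "show isakmp sa detail" output quoted in the question and, for each peer, reports which ISAKMP policy the Phase 1 SA actually matched next to the transform set configured for that peer's Phase 2 SAs. The input is copied from the question; mapping the config keyword "pre-share" to the "psk" column value is an assumption based on the output shown.

```python
import re
# Constructed input: configuration lines and "show isakmp sa detail" output quoted in the question.
PIX_CONFIG = """
crypto ipsec transform-set X123 esp-3des esp-md5-hmac
crypto ipsec transform-set Y456 esp-aes-192 esp-sha-hmac
crypto map MYMAP 1 set peer 123.456.789.100
crypto map MYMAP 1 set transform-set X123
crypto map MYMAP 2 set peer 111.222.333.444
crypto map MYMAP 2 set transform-set Y456
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 2 authentication pre-share
isakmp policy 2 encryption aes-192
isakmp policy 2 hash sha
"""
ISAKMP_SA_OUTPUT = """
Local Remote Encr Hash Auth State Lifetime
222.333.444.555:500 111.222.333.444:500 3des md5 psk QM_IDLE 86082
222.333.444.555:500 123.456.789.100:500 3des md5 psk QM_IDLE 9316
"""
AUTH_NAMES = {"pre-share": "psk"}  # assumed: config keyword -> name shown in the SA table

def parse_config(text):
    """Return ({policy number: {attr: value}}, {peer ip: (esp cipher, esp hmac)})."""
    policies, tsets, maps = {}, {}, {}
    for line in text.splitlines():
        if m := re.match(r"isakmp policy (\d+) (authentication|encryption|hash) (\S+)", line):
            policies.setdefault(int(m[1]), {})[m[2]] = m[3]       # Phase 1 (ISAKMP) suites
        elif m := re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)", line):
            tsets[m[1]] = (m[2], m[3])                              # Phase 2 (IPsec) suites
        elif m := re.match(r"crypto map \S+ (\d+) set (peer|transform-set) (\S+)", line):
            maps.setdefault(m[1], {})[m[2]] = m[3]                  # which peer gets which set
    return policies, {e["peer"]: tsets[e["transform-set"]] for e in maps.values()}

def match_policy(policies, encr, hash_, auth):
    """Lowest-numbered ISAKMP policy whose suite equals the negotiated Phase 1 suite."""
    for num in sorted(policies):
        p = policies[num]
        if (p["encryption"], p["hash"], AUTH_NAMES.get(p["authentication"])) == (encr, hash_, auth):
            return num
    return None

def audit(config, sa_output):
    """Per peer: the Phase 1 suite and policy actually negotiated, and the Phase 2 transform set."""
    policies, peers = parse_config(config)
    report = {}
    for line in sa_output.strip().splitlines()[1:]:  # skip the column header
        _, remote, encr, hash_, auth, _, _ = line.split()
        peer = remote.rsplit(":", 1)[0]
        report[peer] = {"phase1": (encr, hash_, auth), "phase2_transform": peers.get(peer),
                        "phase1_policy": match_policy(policies, encr, hash_, auth)}
    return report
```

Running audit(PIX_CONFIG, ISAKMP_SA_OUTPUT) shows both Phase 1 SAs matching isakmp policy 1 (3des/md5/psk), while the peer 111.222.333.444 entry carries the esp-aes-192/esp-sha-hmac transform set for Phase 2, which is exactly what the question's output reflects.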