I have configured a tunnel between 2 sites. I had originally configured Diffie Hellman Group 1 on the ISAKMP policy on remote and Hub end.
I have changed the DH group to 2 now. I can see that the Tunnels and Eigrp are up still, and traffic is flowing across as well (getting encrypted etc ).
But, when I do a "Show crypto isakmp sa", I do not get any output. Does that mean there is no SA running between these 2 devices?? How can the tunnels be UP if there is no SA?
Appreciate your reply.
There are perhaps 2 parts in the answer to your question.
1) there is an SA for ISAKMP and an SA for IPSec. Encryption of traffic uses the IPSec SA and not the ISAKMP SA. So it is possible that traffic is being encrypted because there is an IPSec SA while there may not be an ISAKMP SA.
2) an SA has a lifetime and then it expires. It is possible that there was an ISAKMP SA (which is required to negotiate the IPSec SA) and that the ISAKMP SA expired by the time you looked for it.