IPSEC multi-tunnel backup test report
Test Devices and Versions

The test uses a Maipu 1800X router (CORE) and a Maipu 2900X router.

The software versions of the Maipu devices are:


MP 1800X-40E(E2)
Software Version : 7.5.3.6.1(R)(integrity)
Software Image File : flash0: /flash/rp46-7.5.3.6.1(R).pck
Compiled : Jul 16 2019, 11:19:06

MP 2900X
Software Version : 7.5.3.6.1(R)(integrity)
Software Image File : flash0: /flash/rp34-7.5.3.6.1(R).pck
Compiled : Jul 16 2019, 12:16:56
01 IPSEC multi-tunnel backup on normal configuration
Test No.: 01
Test Item: IPSEC multi-tunnel backup on normal configuration
Test Sub-item:
Test Topology:

Test Steps:
1. Set up the network environment as shown in the above figure.
2. The router uses g2 to connect to the PC.
3. Connect the console to R1 and log in using PuTTY or SecureCRT.
4. Keep pinging 10.1.1.1 from the PC, and shut down the tunnel left.
5. Check whether the PC can ping 10.1.1.1 through tunnel right successfully after a few seconds.

Test Environment Data
Key configuration:
Core router(MP1800X):
crypto ike key 123456 any

crypto ike proposal 1


encryption 3des
exit

crypto ipsec proposal 1


esp 3des
exit

crypto tunnel left


local address 12.1.1.1
peer any
set local-id CORE-ROUTER
set authentication preshared
set ike proposal 1
set ipsec proposal 1
exit
crypto tunnel right
local address 13.1.1.1
peer any
set local-id CORE-ROUTER
set authentication preshared
set ike proposal 1
set ipsec proposal 1
exit

crypto policy 1
flow host 10.1.1.1 host 5.5.5.5 ip tunnel left right
set reverse-route

R4(MP2900X):
crypto ike key 123456 address 12.1.1.1
crypto ike key 123456 address 13.1.1.1
crypto ike key 123456 identity CORE-ROUTER

crypto ike proposal 1


encryption 3des
exit

crypto ipsec proposal 1


esp 3des
exit

crypto tunnel left


local address 24.1.1.4
peer address 12.1.1.1
set local-id R4-left
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
exit
crypto tunnel right
local address 34.1.1.4
peer address 13.1.1.1
set local-id R4-RIGHT
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
exit

crypto policy p1
flow host 5.5.5.5 host 10.1.1.1 ip tunnel left right
set reverse-route
Expected Result: Normally, data is transferred through the tunnel left, and when the left fails, the tunnel switches to right after a few seconds.
Remarks:
Test Result:
Before tunnel left breaks down:
Core router(MP1800X):
R1#sho crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

50 STATE_QUICK_R2 13.1.1.1 34.1.1.4 R4-RIGHT right

48 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right

51 STATE_QUICK_R2 12.1.1.1 24.1.1.4 R4-left left

49 STATE_MAIN_R3 12.1.1.1 24.1.1.4 R4-left left

R1#sho crypto ipsec sa

policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612736, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

local tunnel endpoint : 12.1.1.1 remote tunnel endpoint : 24.1.1.4

the pairs of ESP ipsec sa : id : 51, algorithm : 3DES

inbound esp ipsec sa : spi : 0x95e48830(2514782256) crypto

m_context(s_context) : 0x7149ce60 / 0x7149cdf8

current input 9 packets, 0 kbytes

encapsulation mode : Tunnel


replay protection : OFF

remaining lifetime (seconds/kbytes) : 24818/4294967294

uptime is 1 hour 6 minute 22 second

outbound esp ipsec sa : spi : 0x9a4e308f(2588815503) crypto

m_context(s_context) : 0x7149cb88 / 0x7149cb20

current output 19 packets, 1 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 24818/4294967293

uptime is 1 hour 6 minute 22 second

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4

the pairs of ESP ipsec sa : id : 50, algorithm : 3DES

inbound esp ipsec sa : spi : 0x9a4a882f(2588575791) crypto

m_context(s_context) : 0x71cc61c8 / 0x7149cf98

current input 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 24818/4294967295

uptime is 1 hour 6 minute 22 second

outbound esp ipsec sa : spi : 0xc92b308e(3375050894) crypto

m_context(s_context) : 0x7149ccc0 / 0x7149cc58

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 24818/4294967295

uptime is 1 hour 6 minute 22 second

total sa and sa group is 2

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

61 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER


60 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

62 STATE_QUICK_I2 24.1.1.4 12.1.1.1 CORE-ROUTER

59 STATE_MAIN_I4 24.1.1.4 12.1.1.1 CORE-ROUTER

R4#show crypto ipsec sa

policy name : p1

f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 24.1.1.4 remote tunnel endpoint : 12.1.1.1

the pairs of ESP ipsec sa : id : 62, algorithm : 3DES

inbound esp ipsec sa : spi : 0x9a4e308f(2588815503) crypto

m_context(s_context) : 0x556aa56248 / 0x556aabff18

current input 19 packets, 1 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 16473/4294967293

uptime is 3 hour 25 minute 27 second

outbound esp ipsec sa : spi : 0x95e48830(2514782256) crypto

m_context(s_context) : 0x556aabfe90 / 0x556aabfe08

current output 9 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 16473/4294967294

uptime is 3 hour 25 minute 27 second

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 61, algorithm : 3DES

inbound esp ipsec sa : spi : 0xc92b308e(3375050894) crypto

m_context(s_context) : 0x556aa56578 / 0x556aa564f0

current input 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 16473/4294967295

uptime is 3 hour 25 minute 27 second


outbound esp ipsec sa : spi : 0x9a4a882f(2588575791) crypto

m_context(s_context) : 0x556aa56468 / 0x556aa563e0

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 16473/4294967295

uptime is 3 hour 25 minute 27 second

total sa and sa group is 2

Ping the intranet 10.1.1.1:

When tunnel left breaks down:


Core router(MP1800X):
R1#sho crypto ike sa
sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

50 STATE_QUICK_R2 13.1.1.1 34.1.1.4 R4-RIGHT right

48 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right

R1#sho crypto ipsec sa


policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612736, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4


the pairs of ESP ipsec sa : id : 50, algorithm : 3DES

inbound esp ipsec sa : spi : 0x9a4a882f(2588575791) crypto

m_context(s_context) : 0x71cc61c8 / 0x7149cf98

current input 4 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 15395/4294967294

uptime is 3 hour 43 minute 25 second

outbound esp ipsec sa : spi : 0xc92b308e(3375050894) crypto

m_context(s_context) : 0x7149ccc0 / 0x7149cc58

current output 4 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 15395/4294967294

uptime is 3 hour 43 minute 25 second

total sa and sa group is 1

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

61 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER

60 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

68 STATE_MAIN_I1 24.1.1.4 12.1.1.1 (none)

R4#show crypto ipsec sa

policy name : p1

f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 61, algorithm : 3DES

inbound esp ipsec sa : spi : 0xc92b308e(3375050894) crypto

m_context(s_context) : 0x556aa56578 / 0x556aa564f0

current input 4 packets, 0 kbytes


encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 15246/4294967294

uptime is 3 hour 45 minute 54 second

outbound esp ipsec sa : spi : 0x9a4a882f(2588575791) crypto

m_context(s_context) : 0x556aa56468 / 0x556aa563e0

current output 4 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 15246/4294967294

uptime is 3 hour 45 minute 54 second

total sa and sa group is 1

Ping the intranet 10.1.1.1:

Three packets are lost under the normal configuration.
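
The failover state shown in the SA listings above can be checked mechanically. The following is an added example, not part of the original report or of Maipu's tooling: Python that parses `show crypto ike sa` and `show crypto ipsec sa` text in the layout printed above, reports which tunnel has completed negotiation, and flags the 3DES and "replay protection : OFF" settings visible in the output. The function names and the choice of "completed" states are assumptions; the sample text is constructed from the R4 output after tunnel left fails.

```python
import re

# Constructed sample: rows taken from the R4 output above, after tunnel left fails.
IKE_SA_TEXT = """\
sa-id negotiation-state localaddr peeraddr peer-identity
61 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER
60 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER
68 STATE_MAIN_I1 24.1.1.4 12.1.1.1 (none)
"""
IPSEC_SA_TEXT = """\
policy name : p1
local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1
the pairs of ESP ipsec sa : id : 61, algorithm : 3DES
inbound esp ipsec sa : spi : 0xc92b308e(3375050894) crypto
current input 4 packets, 0 kbytes
replay protection : OFF
outbound esp ipsec sa : spi : 0x9a4a882f(2588575791) crypto
current output 4 packets, 0 kbytes
replay protection : OFF
"""

# Assumption: these are the "negotiation complete" states, because they are the
# ones this report shows on both routers while both tunnels are up.
PHASE1_DONE = {"STATE_MAIN_R3", "STATE_MAIN_I4"}
PHASE2_DONE = {"STATE_QUICK_R2", "STATE_QUICK_I2"}

IKE_ROW = re.compile(
    r"^\s*(\d+)\s+(STATE_\w+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
IKE_FIELDS = ("id", "state", "local", "peer", "identity", "tunnel")

def parse_ike_sas(text):
    """One dict per data row of 'show crypto ike sa'; the header row is skipped."""
    return [dict(zip(IKE_FIELDS, m.groups()))
            for m in map(IKE_ROW.match, text.splitlines()) if m]

def tunnel_status(rows):
    """Map (local, peer) to 'up' if phase 1 and phase 2 both completed."""
    states = {}
    for row in rows:
        states.setdefault((row["local"], row["peer"]), set()).add(row["state"])
    return {key: "up" if (s & PHASE1_DONE and s & PHASE2_DONE) else "negotiating"
            for key, s in states.items()}

def parse_ipsec_sas(text):
    """One dict per ESP SA pair (inbound + outbound) of 'show crypto ipsec sa'."""
    pairs, cur = [], None
    for line in text.splitlines():
        if m := re.search(r"local tunnel endpoint\s*:\s*(\S+)\s+remote tunnel endpoint\s*:\s*(\S+)", line):
            cur = {"local": m[1], "remote": m[2], "algorithm": None,
                   "packets": 0, "replay": []}
            pairs.append(cur)
        elif cur is None:
            continue  # policy/flow lines before the first endpoint line
        elif m := re.search(r"algorithm\s*:\s*(\S+)", line):
            cur["algorithm"] = m[1]
        elif m := re.search(r"current (?:input|output) (\d+) packets", line):
            cur["packets"] += int(m[1])
        elif m := re.search(r"replay protection\s*:\s*(\S+)", line):
            cur["replay"].append(m[1].upper())
    return pairs

def audit(pairs):
    """Flag SA pairs using a 64-bit block cipher or running without anti-replay."""
    findings = []
    for p in pairs:
        path = f"{p['local']} -> {p['remote']}"
        if (p["algorithm"] or "").upper() in {"DES", "3DES"}:
            findings.append(f"{path}: ESP cipher {p['algorithm']} (64-bit block)")
        if "OFF" in p["replay"]:
            findings.append(f"{path}: ESP replay protection is OFF")
    return findings

if __name__ == "__main__":
    print(tunnel_status(parse_ike_sas(IKE_SA_TEXT)))
    for finding in audit(parse_ipsec_sas(IPSEC_SA_TEXT)):
        print(finding)
```

Run against the "before" output, the same functions report both endpoint pairs as up, with the packet counters showing which tunnel carries the flow.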

02 SLA
Test No.: 02
Test Item: SLA
Test Sub-item:
Test Topology:

Test Steps:
1. Set up the network environment as shown in the above figure.
2. The router uses G0 to connect to the PC.
3. Connect the console to R1 and log in using PuTTY or SecureCRT.
4. Configure the SLA on the 2900X router and the 1800X router.
5. Keep pinging 10.1.1.1 from the PC, and shut down the tunnel left.
6. Check whether the PC can ping 10.1.1.1 through tunnel right successfully immediately.

Test Environment Data
Key configuration:
Core router(MP1800X):
crypto ike key 123456 any

crypto ike proposal 1

encryption 3des

exit

crypto ipsec proposal 1

esp 3des

exit

crypto tunnel left

local address 12.1.1.1

peer any
set local-id CORE-ROUTER

set authentication preshared

set ike proposal 1

set ipsec proposal 1

exit

crypto tunnel right

local address 13.1.1.1

peer any

set local-id CORE-ROUTER

set authentication preshared

set ike proposal 1

set ipsec proposal 1

exit

crypto policy 1

flow host 10.1.1.1 host 5.5.5.5 ip tunnel left right

set reverse-route

set peer-track-aware

exit

R4(MP2900X):
crypto ike key 123456 address 12.1.1.1
crypto ike key 123456 address 13.1.1.1
crypto ike key 123456 identity CORE-ROUTER

crypto ike proposal 1


encryption 3des
exit

crypto ipsec proposal 1


esp 3des
exit

crypto tunnel left


local address 24.1.1.4
peer address 12.1.1.1
set local-id R4-left
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
set track 1
exit
crypto tunnel right
local address 34.1.1.4
peer address 13.1.1.1
set local-id R4-RIGHT
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
exit

crypto policy p1
flow host 5.5.5.5 host 10.1.1.1 ip tunnel left right
set reverse-route
set track-aware
exit

rtr enable

rtr 1 icmpecho
set 10.1.1.1 1 70 2 3 extend 24.1.1.4 0 TRUE FALSE
CreatedTime Fri Jul 26 15:21:38 2019
LatestModifiedTime Fri Jul 26 15:31:20 2019
exit

rtr group 1
member 1
exit

rtr schedule 1 group 1 start now ageout 10000 life forever


Expected Result: Normally, data is transferred through the tunnel left, and when the left fails, the tunnel switches to right immediately.
Remarks:
Test Result:
Before tunnel left breaks down:
Core router(MP1800X):
R1#sho crypto ike sa
sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

16 STATE_QUICK_R2 13.1.1.1 34.1.1.4 R4-RIGHT right

15 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right

6 STATE_QUICK_R2 12.1.1.1 24.1.1.4 R4-left left

5 STATE_MAIN_R3 12.1.1.1 24.1.1.4 R4-left left

R1#sho crypto ipsec sa

policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612736, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

local tunnel endpoint : 12.1.1.1 remote tunnel endpoint : 24.1.1.4

the pairs of ESP ipsec sa : id : 16, algorithm : 3DES

inbound esp ipsec sa : spi : 0x7fb68834(2142668852) crypto

m_context(s_context) : 0x714abd90 / 0x71cc6298

current input 10 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28197/4294967295

uptime is 0 hour 10 minute 3 second

outbound esp ipsec sa : spi : 0x61e63096(1642475670) crypto

m_context(s_context) : 0x714abec8 / 0x714abc58

current output 10 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28197/4294967295

uptime is 0 hour 10 minute 3 second

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4

the pairs of ESP ipsec sa : id : 6, algorithm : 3DES

inbound esp ipsec sa : spi : 0x574f882f(1464829999) crypto

m_context(s_context) : 0x71cc6368 / 0x71cc6300

current input 0 packets, 0 kbytes


encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 25920/4294967293

uptime is 0 hour 48 minute 0 second

outbound esp ipsec sa : spi : 0x263091(2502801) crypto

m_context(s_context) : 0x71cc61c8 / 0x714abf98

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 25920/4294967293

uptime is 0 hour 48 minute 0 second

total sa and sa group is 2

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

215 STATE_QUICK_I2 24.1.1.4 12.1.1.1 CORE-ROUTER

214 STATE_MAIN_I4 24.1.1.4 12.1.1.1 CORE-ROUTER

217 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER

216 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

R4#show crypto ipsec sa

policy name : p1

f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 24.1.1.4 remote tunnel endpoint : 12.1.1.1

the pairs of ESP ipsec sa : id : 215, algorithm : 3DES

inbound esp ipsec sa : spi : 0x47a63099(1202073753) crypto

m_context(s_context) : 0x556aa56688 / 0x556afd7348

current input 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28630/4294967295


uptime is 0 hour 2 minute 50 second

outbound esp ipsec sa : spi : 0xd748837(225740855) crypto

m_context(s_context) : 0x556aabfe08 / 0x556aa569b8

current output 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28630/4294967295

uptime is 0 hour 2 minute 50 second

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 217, algorithm : 3DES

inbound esp ipsec sa : spi : 0x34f9309a(888746138) crypto

m_context(s_context) : 0x556aabfcf8 / 0x556aa56600

current input 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28640/4294967294

uptime is 0 hour 2 minute 40 second

outbound esp ipsec sa : spi : 0x1e0a8838(504006712) crypto

m_context(s_context) : 0x556aabfd80 / 0x556aabff18

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28640/4294967294

uptime is 0 hour 2 minute 40 second

total sa and sa group is 2

Ping the intranet 10.1.1.1:


When tunnel left breaks down:
Core router(MP1800X):
R1#sho crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

24 STATE_QUICK_R2 13.1.1.1 34.1.1.4 R4-RIGHT right

23 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right

R1#sho crypto ipsec sa

policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612738, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4

the pairs of ESP ipsec sa : id : 24, algorithm : 3DES

inbound esp ipsec sa : spi : 0x1e0a8838(504006712) crypto

m_context(s_context) : 0x714ab980 / 0x714abab8

current input 41 packets, 2 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28100/4294967292

uptime is 0 hour 11 minute 40 second

outbound esp ipsec sa : spi : 0x34f9309a(888746138) crypto

m_context(s_context) : 0x71cc64a0 / 0x714abcc0


current output 41 packets, 2 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28100/4294967292

uptime is 0 hour 11 minute 40 second

total sa and sa group is 1

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

218 STATE_MAIN_I1 24.1.1.4 12.1.1.1 (none)

217 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER

216 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

R4#show crypto ipsec sa

policy name : p1

f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 217, algorithm : 3DES

inbound esp ipsec sa : spi : 0x34f9309a(888746138) crypto

m_context(s_context) : 0x556aabfcf8 / 0x556aa56600

current input 42 packets,2 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28309/4294967293

uptime is 0 hour 8 minute 11 second

outbound esp ipsec sa : spi : 0x1e0a8838(504006712) crypto

m_context(s_context) : 0x556aabfd80 / 0x556aabff18

current output 42 packets, 2 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28309/4294967293

uptime is 0 hour 8 minute 11 second


total sa and sa group is 1

Ping the intranet 10.1.1.1:

03 BFD
Test No.: 03
Test Item: BFD
Test Sub-item:
Test Topology:

Test Steps:
1. Set up the network environment as shown in the above figure.
2. The router uses G0 to connect to the PC.
3. Connect the console to R1 and log in using PuTTY or SecureCRT.
4. Configure the BFD on the 2900X router and the 1800X router.
5. Keep pinging 10.1.1.1 from the PC, and shut down the tunnel left.
6. Check whether the PC can ping 10.1.1.1 through tunnel right successfully immediately.

Test Environment Data
Key configuration:
Core router(MP1800X):
interface vlan1

ip address 12.1.1.1 255.255.255.0

bfd echo multihop local-ip 12.1.1.1

exit

interface vlan2

ip address 13.1.1.1 255.255.255.0

exit

crypto ike key 123456 any

crypto ike proposal 1

encryption 3des

exit

crypto ipsec proposal 1

esp 3des

exit

crypto tunnel left

local address 12.1.1.1

peer any

set local-id CORE-ROUTER

set authentication preshared

set ike proposal 1

set ipsec proposal 1


exit

crypto tunnel right

local address 13.1.1.1

peer any

set local-id CORE-ROUTER

set authentication preshared

set ike proposal 1

set ipsec proposal 1

exit

crypto policy 1

flow host 10.1.1.1 host 5.5.5.5 ip tunnel left right

set reverse-route

set peer-track-aware

R4(MP2900X):
track 3
bfd dialer interface gigabitethernet0 remote-ip 12.1.1.1
logic operator AND
exit

crypto ike key 123456 address 12.1.1.1


crypto ike key 123456 address 13.1.1.1
crypto ike key 123456 identity CORE-ROUTER

crypto ike proposal 1


encryption 3des
exit

crypto ipsec proposal 1


esp 3des
exit

crypto tunnel left


local address 24.1.1.4
peer address 12.1.1.1
set local-id R4-left
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
set track 3
exit
crypto tunnel right
local address 34.1.1.4
peer address 13.1.1.1
set local-id R4-RIGHT
set authentication preshared
set ike proposal 1
set ipsec proposal 1
set auto-up
exit

crypto policy p1
flow host 5.5.5.5 host 10.1.1.1 ip tunnel left right
set reverse-route
set track-aware
exit
Expected Result: Normally, data is transferred through the tunnel left, and when the left fails, the tunnel switches to right immediately.
Remarks:
Test Result:
Before tunnel left breaks down:
Core router(MP1800X):
R1#sho crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

47 STATE_QUICK_R2 12.1.1.1 24.1.1.4 R4-left left

46 STATE_MAIN_R3 12.1.1.1 24.1.1.4 R4-left left

43 STATE_QUICK_R2 13.1.1.1 34.1.1.4 R4-RIGHT right

41 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right

R1#sho crypto ipsec sa

policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612741, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any
local tunnel endpoint : 12.1.1.1 remote tunnel endpoint : 24.1.1.4

the pairs of ESP ipsec sa : id : 51, algorithm : 3DES

inbound esp ipsec sa : spi : 0x17288845(388532293) crypto

m_context(s_context) : 0x714abb88 / 0x714abc58

current input 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28767/4294967294

uptime is 0 hour 0 minute 33 second

outbound esp ipsec sa : spi : 0x70a430a7(1889808551) crypto

m_context(s_context) : 0x714abd28 / 0x714abf98

current output 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28767/4294967294

uptime is 0 hour 0 minute 33 second

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4

the pairs of ESP ipsec sa : id : 50, algorithm : 3DES

inbound esp ipsec sa : spi : 0x26ef8844(653232196) crypto

m_context(s_context) : 0x714abe60 / 0x714abab8

current input 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28767/4294967295

uptime is 0 hour 0 minute 33 second

outbound esp ipsec sa : spi : 0x508830a6(1351102630) crypto

m_context(s_context) : 0x714ab980 / 0x714aba50

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28767/4294967295

uptime is 0 hour 0 minute 33 second


total sa and sa group is 2

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

281 STATE_QUICK_I2 24.1.1.4 12.1.1.1 CORE-ROUTER

279 STATE_MAIN_I4 24.1.1.4 12.1.1.1 CORE-ROUTER

280 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER

278 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

R4#show crypto ipsec sa

policy name : p1

f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 24.1.1.4 remote tunnel endpoint : 12.1.1.1

the pairs of ESP ipsec sa : id : 281, algorithm : 3DES

inbound esp ipsec sa : spi : 0x70a430a7(1889808551) crypto

m_context(s_context) : 0x556aa56820 / 0x556aabfbe8

current input 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28663/4294967294

uptime is 0 hour 2 minute 17 second

outbound esp ipsec sa : spi : 0x17288845(388532293) crypto

m_context(s_context) : 0x556aabfa50 / 0x556aabfad8

current output 11 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28663/4294967294

uptime is 0 hour 2 minute 17 second

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 280, algorithm : 3DES

inbound esp ipsec sa : spi : 0x508830a6(1351102630) crypto


m_context(s_context) : 0x556aabfd80 / 0x556aa56468

current input 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28663/4294967295

uptime is 0 hour 2 minute 17 second

outbound esp ipsec sa : spi : 0x26ef8844(653232196) crypto

m_context(s_context) : 0x556aa56358 / 0x556aa56710

current output 0 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28663/4294967295

uptime is 0 hour 2 minute 17 second

total sa and sa group is 2

Ping the intranet 10.1.1.1:

When tunnel left breaks down:


Core router(MP1800X):
sa-id negotiation-state localaddr peeraddr peer-identity tunnel-name

50 STATE_QUICK_R2 13.1.1. 34.1.1.4 R4-RIGHT right

48 STATE_MAIN_R3 13.1.1.1 34.1.1.4 R4-RIGHT right


R1#sho crypto ipsec sa

policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

policy name : subflow-1610612742, the parent policy name : 1

f (src, dst, protocol, src port, dst port) : 10.1.1.1/32 5.5.5.5/32 ip any any

local tunnel endpoint : 13.1.1.1 remote tunnel endpoint : 34.1.1.4

the pairs of ESP ipsec sa : id : 57, algorithm : 3DES

inbound esp ipsec sa : spi : 0xb8de8848(3101591624) crypto

m_context(s_context) : 0x71cc64a0 / 0x714ab9e8

current input 7 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28752/4294967294

uptime is 0 hour 0 minute 48 second

outbound esp ipsec sa : spi : 0xf10c30aa(4044107946) crypto

m_context(s_context) : 0x714abdf8 / 0x714abb20

current output 7 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28752/4294967294

uptime is 0 hour 0 minute 48 second

total sa and sa group is 1

R4(MP2900X):
R4#show crypto ike sa

sa-id negotiation-state localaddr peeraddr peer-identity

292 STATE_MAIN_I1 24.1.1.4 12.1.1.1 (none)

289 STATE_QUICK_I2 34.1.1.4 13.1.1.1 CORE-ROUTER

288 STATE_MAIN_I4 34.1.1.4 13.1.1.1 CORE-ROUTER

R4#show crypto ipsec sa

policy name : p1
f (src, dst, protocol, src port, dst port) : 5.5.5.5/32 10.1.1.1/32 ip any any

local tunnel endpoint : 34.1.1.4 remote tunnel endpoint : 13.1.1.1

the pairs of ESP ipsec sa : id : 289, algorithm : 3DES

inbound esp ipsec sa : spi : 0xf10c30aa(4044107946) crypto

m_context(s_context) : 0x556aa56688 / 0x556aabff18

current input 7 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28643/4294967294

uptime is 0 hour 2 minute 37 second

outbound esp ipsec sa : spi : 0xb8de8848(3101591624) crypto

m_context(s_context) : 0x556aa568a8 / 0x556aa56578

current output 7 packets, 0 kbytes

encapsulation mode : Tunnel

replay protection : OFF

remaining lifetime (seconds/kbytes) : 28643/4294967294

uptime is 0 hour 2 minute 37 second

total sa and sa group is 1

Ping the intranet 10.1.1.1:
