Solved

what does this mean ?

Posted on 2006-11-09
4
196 Views
Last Modified: 2010-05-18
I get this on the router and i can't find out what it means

outbound esp sas:

outbound ah sas:

Is it saying that i don't have any out bound Authentication and encryption?

400
0
Comment
Question by:iamuser
  • 2
  • 2
4 Comments
 
LVL 43

Expert Comment

by:JFrederick29
Comment Utility
You are most likely only using ESP so nothing under "ah sas" is okay.  You may not have an ESP SA (one sa per source and destination pair) because there is no active VPN traffic or traffic is flowing over another SA.  If you generate traffic that matches the crypto ACL, do you see an esp sa?  Has this worked or are you trying to get it to work and it is not working?
0
 

Author Comment

by:iamuser
Comment Utility
but what does "ah SAS" mean? I mean what does outbound ah sas mean?
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 400 total points
Comment Utility
It is your outbound "authentication header" (AH) Security Association (SA).  There is one SA per flow per direction hence why you have an inbound SA and an outbound SA.  If you are not using AH in your IPSEC transform set, you will not have any AH SAS whether inbound or outbound.

Some definitions from Cisco:

Authentication Header (AH)—This is a security protocol that provides authentication and optional replay-detection services. AH is embedded in the data to be protected, for example, a full IP datagram. AH can be used either by itself or with Encryption Service Payload (ESP). Refer to the RFC 2402

SA (Security Association):

Security Association (SA)—This is an instance of security policy and keying material applied to a data flow. Both IKE and IPsec use SAs, although SAs are independent of one another. IPsec SAs are unidirectional and they are unique in each security protocol. A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPsec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).

IKE negotiates and establishes SAs on behalf of IPsec. A user can also establish IPsec SAs manually.

An IKE SA is used by IKE only. Unlike the IPsec SA, it is bi-directional.

0
 

Author Comment

by:iamuser
Comment Utility
yeah i am only using ESP SA i just didn't quite get what that output meant and the cisco books don't explain that output line. Thanks for the help

0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Management Network in CIsco L2 Switch 3 29
Transfer IOS from server to router via tftp 3 18
EIGRP Summary 2 31
NSD FAIL 2 19
Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now