Which of the following commands can be used to determine the SPI that a router will use to reach an active IPSec peer? (Select the best answer.)
- show crypto ipsec sa
- show crypto session
- show crypto isakmp sa active
- show crypto ipsec securityassociation
The show crypto ipsec sa command can be used to determine the Security Parameter Index (SPI) that a router will use to reach an active IP Security (IPSec) peer. Each IPSec security association (SA) is uniquely identified by its corresponding IPSec peer address, security protocol, and SPI. Because IPSec SAs are unidirectional, two SAs are required between active IPSec peers: an inbound SA and an outbound SA. The SPI associated with the outbound SA is generated by the local peer during phase 2 of the Internet Key
Exchange (IKE) negotiation process and is used by the remote peer as the inbound SPI associated with this SA. Likewise, the SPI associated with the inbound SA on the local peer corresponds to the outbound SPI that was generated by the remote peer during its portion of phase 2 negotiations.
The show crypto ipsec sa command displays detailed information about IPSec SAs, including the IP addresses of the crypto endpoints (IPSec peers), the number of packets encrypted and decrypted, the security protocol, and the corresponding SPIs. For example, the following partial command output shows the SPIs associated with the SAs between the local peer, 10.10.10.2, and the remote peer 10.20.20.2 on interface FastEthernet 0/0:
The show crypto session command displays a summary of all current IKE SAs and their corresponding IPSec SAs? however, the command does not display the SPI that a router will use to reach an active IPSec peer. Sample output from the show crypto sessioncommand is shown below:
The show crypto isakmp sa active command displays active IKE SAs, not configuration and operational details of an IPSec connection. SA information is displayed in a summarized format, as shown below:
dst src state connid slot status
10.20.20.2 10.10.10.2 QM_IDLE 1 0 ACTIVE
For each SA, the dst field displays the IP address of the remote IKE peer, whereas the src field reveals the IP address of a local interface. An active IKE SA is typically in the QM_IDLE state, as indicated by the state field. The state field indicates the IKE negotiation state of an SA. An SA in the QM_IDLE state indicates that phase 1 negotiations have completed and that the SA is ready for quick mode negotiation of an IPSec SA. Because multiple SAs can exist between a particular source and destination, each SA is assigned a unique connection ID, as shown in the connid field. You should issue the show crypto isakmp sa command without the active keyword to display all current IKE SAs.
The show crypto ipsec securityassociation command displays the SA lifetime configured for an existing IPSec SA. You can issue the crypto ipsec security association lifetime seconds seconds command from global configuration mode to configure the SA lifetime. The command output below displays a default SA lifetime configuration:
Security association lifetime: 4608000 kilobytes/3600 seconds