In certain cases an IPsec tunnel may show what appear to be duplicate IKE (Phase 1) or Child (Phase 2) security association (SA) entries.

redacted
crypto map OUTSIDE_VPN 80 set ikev1 transform-set L2L_AZURE
crypto map OUTSIDE_VPN 80 set security-association lifetime seconds 3600
crypto map OUTSIDE_VPN 80 set.
The most common problem with IPsec VPN tunnels is a mismatch between the proposals offered by each party. The period between each renegotiation is known as the lifetime.

! IPSec configuration
!
! This section specifies encryption, authentication, and lifetime properties for the Phase 2 negotiation and the quick
! mode security association.

Source and destination IP address of the resulting IPsec header. Each security association defines the following parameters:
Since these SAs are unidirectional, the ESP/AH header contains only the SPI of the destination's inbound SA (unlike the IKE header, which always contains both SPIs).

Example:

> show security ike security-association
> show security ipsec security-association
Total active tunnels: 1

IKE lifetime or SA/IPsec lifetime are not set to the same values on each end of the tunnel respectively.