3 Replies. Latest reply: Nov 9, 2010 1:35 PM by Paul Stewart - CCIE Security

    Tunnel Session status: UP-NO-IKE


      Hi Guys

      I came across one situation in which the crypto tunnel status is UP-NO-IKE.

      Router#sh crypto isakmp sa

      shows nothing.

      Router#sh crypto session remote x.x.x.x
      Session status: UP-NO-IKE

      I can see the encap/decap counters increasing.

      I googled for this; one Cisco doc says:

      IKE SA---> Exist, inactive
      IPSec SA--> Exist (flow exist)

      What does this mean: the tunnel should work, or does something need to be fixed to get the tunnel to UP status?

      Amarjeet !

        • 1. Re: Tunnel Session status: UP-NO-IKE
          Paul Stewart  -  CCIE Security

          I guess my first guess is that IKE is not creating the phase 2 sa's.  In other words, are the SA's nailed up and configured with a manual ESP key?

          • 2. Re: Tunnel Session status: UP-NO-IKE

            Paul; yes, we are using pre-shared key as authentication.

            • 3. Re: Tunnel Session status: UP-NO-IKE
              Paul Stewart  -  CCIE Security

              It actually sounds to me like you are using static encryption keys as opposed to pre-shared authentication.  See if the snippet of config below looks familiar.  I'm pretty sure that is what creates an "up-no-ike" status.  If so, this is a static encryption key as opposed to any type of phase 1 authentication.  Generally, encryption keys change and we authenticate in phase one.  The configuration that I think you have actually eliminates IKE and nails up an SA using this static key set.  In which case the keys never change.  The drawback to this is if someone can ever compromise the key, they can see all traffic and all traffic they may have gathered.  Additionally, since the key is never changed it is easier to compromise the key.

              crypto map testcase 8 ipsec-manual
               set peer
               set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
               set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
               set transform-set encrypt-des
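An added example, not part of the thread and not Cisco tooling: a small Python audit that parses an IOS running-config and reports crypto map entries that use `ipsec-manual` with static `set session-key` lines, i.e. the configuration Paul describes as bypassing IKE and producing the UP-NO-IKE status. The config text, peer addresses and map names below are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample IOS config (not from the thread): one ipsec-manual entry
# shaped like the snippet above, plus one normal IKE-negotiated entry.
SAMPLE_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key PLACEHOLDER-PSK address 192.0.2.1
crypto map testcase 8 ipsec-manual
 set peer 192.0.2.1
 set session-key inbound esp 1000 cipher abcd1234abcd1234 authenticator 20
 set session-key outbound esp 1001 cipher 1234abcd1234abcd authenticator 20
 set transform-set encrypt-des
crypto map testcase 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set aes-sha
"""

# Matches the header line of a crypto map entry and captures its mode.
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (ipsec-manual|ipsec-isakmp)\s*$")


def parse_crypto_maps(config: str) -> List[Dict]:
    """Return one dict per crypto map entry with its mode, peer and key count."""
    entries: List[Dict] = []
    current = None
    for line in config.splitlines():
        m = MAP_RE.match(line)
        if m:
            current = {"map": m.group(1), "seq": int(m.group(2)),
                       "mode": m.group(3), "peer": None, "session_keys": 0}
            entries.append(current)
        elif current is not None and line.startswith(" "):
            # Indented lines belong to the current crypto map entry.
            words = line.split()
            if words[:2] == ["set", "peer"] and len(words) > 2:
                current["peer"] = words[2]
            elif words[:2] == ["set", "session-key"]:
                current["session_keys"] += 1
        else:
            current = None  # any other top-level line ends the entry
    return entries


def find_static_key_entries(config: str) -> List[Dict]:
    """Entries that never run IKE: ipsec-manual maps carrying static session keys."""
    return [e for e in parse_crypto_maps(config)
            if e["mode"] == "ipsec-manual" and e["session_keys"] > 0]
```

Running `find_static_key_entries` over a real config gives the list of peers whose SAs are nailed up with keys that never rotate, which is exactly where a `show crypto session` status of UP-NO-IKE is expected.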