How to clear crypto sa

I have in one endpoint of the vpn a cisco router and on the other endpoint a cisco pix. I would like to delete the connection to the vpn in the cisco router and that when i do that, the crypro sa (isakmp and ipsec) in the cisco pix, also gets deleted. Is this possible? Thanks everyone very much in advance.

Reply to
Loading thread data ...

"clear crypto isakmp", but it clears all the Security Associations.

Or you can specify which SA to clear using the ID. In order to see the IDs type "show crypto isakmp sa"

the conn-id field should be what you need.

Never tried before

HTH Alex

Reply to

Do I understand correctly that your goal is to be able to issue a command on -one- of the devices, and that the phase 1 and phase 2 SA's on -both- of the devices will be dropped?

(And that what you are seeing now is that when you issue the command on the router, the SA's continue to exist on the PIX ?)

The closest that I can think of at the moment, is:

1) temporarily replace the crypto map ACL with one that tunnels only icmp from the router to the PIX, 2) lower the isakmp lifetime to the minimum (120 seconds on the PIX), 3) clear the SA's on the router, 4) ping from the router to the PIX, 5) stop the ping, 6) wait twice the lifetime configured in #2.

When you are ready to reestablish traffic,

7) change the lifetime back to something more reasonable, 8) change the crypto map ACL back to the one for full traffic, 9) clear the SA's

The basis of this is that when a device reestablishes VPN contact (it lost contact when you cleared the SA's; it reestablishes when it sees the ping in #4), then the device sends an ISAKMP token that means "delete all previous SA's that match this identity". So all the previous stuff would get cleared out on the PIX, but you'd be left with a new Phase 1 SA and Phase 2 SA due to the ping. You stopped the ping and then let the link go idle for twice the natural isakmp lifetime, so the normal IPSec tunnel expiration processes will get rid of those temporary SA's, leaving no SA on either end.

Reply to
Walter Roberson Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.