
reset ike sa

Function

The reset ike sa command clears information about SAs established through IKE negotiation.

Format

reset ike sa [ conn-id conn-id | remote ipv4-address ]

Parameters

Parameter | Description | Value
conn-id conn-id | Specifies the connection ID of an SA. | The value is an integer that ranges from 1 to 4294967295.
remote ipv4-address | Specifies the IPv4 address of the remote end. | The value is in dotted decimal notation.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To clear an IPSec tunnel established through IKE negotiation, run the reset ike sa command to clear the IKE SA that is used to negotiate the IPSec tunnel.

There are two types of SAs established by IKE negotiation: IKE SAs in phase 1 and IPSec SAs in phase 2. IKE SAs in phase 1 are used for IKE negotiation. Under the protection of these IKE SAs, IPSec SAs in phase 2 are used to protect data flows.

  • If the specified conn-id parameter corresponds to an IKE SA in phase 1, IKE peers do not automatically negotiate an IKE SA after the IKE SA is cleared. The IKE peers re-negotiate an IKE SA in phase 1 only when data flows match ACL rules in the IPSec policy again.
  • If the specified conn-id parameter corresponds to an IPSec SA in phase 2, either of the following will occur:
    • Automatic triggering mode: The IKE peers re-negotiate an IPSec SA in phase 2 under the protection of the IKE SA in phase 1 after the IPSec SA is cleared.
    • Traffic-based triggering mode: The IKE peers do not automatically negotiate an IPSec SA after the IPSec SA is cleared. They re-negotiate an IPSec SA in phase 2 under the protection of the IKE SA in phase 1 only when data flows match ACL rules in the IPSec policy again.
  • If the conn-id parameter is not specified, all IKE SAs in phase 1 are cleared, and the IKE negotiation process is similar to that described above.

Precautions

After the dependency between IPSec SAs and IKE SAs during IKEv1 negotiation is disabled using the undo ikev1 phase1-phase2 sa dependent command, running the reset ike sa conn-id command to delete an IKE SA also deletes the corresponding IPSec SA.

Example

# Clear IKE SAs in both phases.

<HUAWEI> reset ike sa
Copyright © Huawei Technologies Co., Ltd.