Hi, I am buffled on what I see here, a SRX-650 (running 12.1X46-D40.2) has an IPsec tunnel to a remote gateway, IPsec SA is active and traffic is flowing fine, but I don't see anything on IKE phase I security association, it has always been my understanding that IPsec SA comes after IKE Phase one SA, how can an IPsec SA exists without corresponding IKE phase one SA to the same gateway?!!
root# run show security ipsec security-associations vpn-name VPN-ATL
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<211812365 ESP:aes-cbc-256/sha1 8a6377a1 1560/ 4607445 - root 500 63.92.6.156
>211812365 ESP:aes-cbc-256/sha1 ef95ca4c 1560/ 4607445 - root 500 63.92.6.156
[edit]
root# run show security ike security-associations 63.92.6.156 detail <= No IKE SA
[edit]