Previous section   Next section

Recipe 12.9 Check IPSec Protocol Status

12.9.1 Problem

You want to check the status of a VPN.

12.9.2 Solution

There are several useful commands for displaying IPSec parameters.

The command show crypto isakmp sa shows all of the ISAKMP security associations:

Router1#show crypto isakmp sa

You can look at the IPSec security associations with this command:

Router1#show crypto ipsec sa

Even if you aren't using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:

Router1#show crypto engine connections active

This closely related command will tell you about packet drops within the encryption engine:

Router1#show crypto engine connections dropped-packet 

The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, in use or not:

Router1#show crypto map

You can specify a particular crypto map with the tag keyword:

Router1#show crypto map tag TUNNELMAP

For information about dynamic crypto maps, you can use the following command:

Router1#show crypto dynamic-map 

12.9.3 Discussion

The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in:

Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.22.1.4      172.22.1.3      QM_IDLE               1       0
   
Router1#

Table 12-3 shows all of the possible ISAKMP SA states.

Table 12-3. ISAKMP SA states

Mode

State name

Description

Main Mode

MM_NO_STATE

There is an ISAKMP SA, but none of the parameters have been negotiated yet.

 

MM_SA_SETUP

The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information.

 

MM_KEY_EXCH

The devices have used the DH algorithm to create a common key, but they have not yet authenticated the session.

 

MM_KEY_AUTH

The devices have authenticated the SA. They can now proceed to Quick Mode.

Aggressive Mode

AG_NO_STATE

There is an ISAKMP SA, but none of the parameters have been negotiated yet.

 

AG_INIT_EXCH

The devices have initiated an Aggressive Mode exchange.

 

AG_AUTH

The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode.

Quick Mode

QM_IDLE

The SA is authenticated and ready for use.

We used Main Mode in all of the examples in this chapter. Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don't need to resort to Aggressive Mode for ISAKMP.

Quick Mode is possible only after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.

You can use the following rather verbose command to look at IPSec SAs:

Router1#show crypto ipsec sa
   
interface: FastEthernet0/1
    Crypto map tag: TUNNELMAP, local addr. 172.22.1.3
   
   local  ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/0/0)
   current_peer: 172.22.1.4
     PERMIT, flags={transport_parent,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
   
     local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
     path mtu 1500, media mtu 1500
     current outbound spi: 0
   
     inbound esp sas:
   
     inbound ah sas:
   
     inbound pcp sas:
   
     outbound esp sas:
   
     outbound ah sas:
   
     outbound pcp sas:
   
   
   local  ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/47/0)
   remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/47/0)
   current_peer: 172.22.1.4
     PERMIT, flags={origin_is_acl,transport_parent,parent_is_transport,}
    #pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466
    #pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0
          
     local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
     path mtu 1500, media mtu 1500
     current outbound spi: EB99FB6C
   
     inbound esp sas:
      spi: 0x5A48ACC4(1514712260)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP
        sa timing: remaining key lifetime (k/sec): (4606612/3392)
        IV size: 8 bytes
        replay detection support: Y
   
     inbound ah sas:
   
     inbound pcp sas:
   
     outbound esp sas:
      spi: 0xEB99FB6C(3952737132)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Transport, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP
        sa timing: remaining key lifetime (k/sec): (4607955/3392)
        IV size: 8 bytes
        replay detection support: Y
   
     outbound ah sas:
   
     outbound pcp sas:
   
   
Router1#

There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crypto maps have been applied to which interfaces. It also includes information about the number of packets that the router has both been sent and received, as well as how much time remains before the SA must be renegotiated.

The show crypto engine commands allow you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SAs, the peer IP addresses, the algorithms used, and the number of packets sent and received through the encryption engine:

Router1#show crypto engine connections active
   
  ID Interface       IP-Address      State  Algorithm           Encrypt  Decrypt
   1 <none>          <none>          set    HMAC_SHA+3DES_56_C        0        0
2088 FastEthernet0/1 172.22.1.3      set    HMAC_SHA+3DES_56_C        0        5
2089 FastEthernet0/1 172.22.1.3      set    HMAC_SHA+3DES_56_C      202        0
   
Router1#

With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection:

Router1#show crypto engine connections dropped-packet 
   
Packets dropped because of connection not established:
Interface            IP-Address           Drop Count
FastEthernet0/1      172.22.1.3                    5
   
Router1#

The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, it does not follow that there are any active IPSec SAs. It only means that you have applied this map to this interface using the crypto map interface configuration command:

Router1#show crypto map
        Interfaces using crypto map VPN-MAP:
   
Crypto Map "CRYPTOMAP" 10 ipsec-isakmp
        Dynamic map template tag: VPN-USER-MAP
        Interfaces using crypto map CRYPTOMAP:
   
Crypto Map "TUNNELMAP" 10 ipsec-isakmp
        Peer = 172.22.1.4
        Extended IP access list 116
            access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
        Current peer: 172.22.1.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ TUNNEL-TRANSFORM, }
        Interfaces using crypto map TUNNELMAP:
                FastEthernet0/1
   
Router1#

If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:

Router1#show crypto map tag TUNNELMAP
Crypto Map "TUNNELMAP" 10 ipsec-isakmp
        Peer = 172.22.1.4
        Extended IP access list 116
            access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
        Current peer: 172.22.1.4
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ TUNNEL-TRANSFORM, }
        Interfaces using crypto map TUNNELMAP:
                FastEthernet0/1
   
Router1#

If there are any dynamic maps, you can see more information about them with the following command:

Router1#show crypto dynamic-map 
Crypto Map Template"VPN-USER-MAP" 50
        Extended IP access list 115
            access-list 115 permit tcp any port = 80 any
            access-list 115 permit tcp any any port = 80
            access-list 115 deny ip any 224.0.0.0 31.255.255.255
        Current peer: 0.0.0.0
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={ VPN-TRANSFORMS, }
Router1#

  Previous section   Next section
Top