Securing Cisco IOS Networks Study Guide - Carl Timm.pdf

Configuring Cisco IOS IPSec for Pre-Shared Keys Site-to-Site

259

As always, you have to be able to verify your configurations. The next section will guide you through this process.

Testing and Verifying IPSec

It’s test-and-verify time again. With network operations, you just can’t skip these steps. So now you’re going to take some time to review the commands you need to use to verify IPSec operation.

The show crypto isakmp sa command is one of the most widely used commands for verifying IKE operation after IPSec has been configured. It gives you information about all of the active IKE SAs on the device. Here’s a sample of the output you’ll get when you use this command:

Lab_A#show crypto isakmp sa
dst             src             state          conn-id    slot
10.1.1.2        10.1.1.1        QM_IDLE              82       0

Have a problem? For troubleshooting, it may be important to reset IKE SAs using the clear crypto isakmp conn-id command, where conn-id is the value shown in the conn-id column of show crypto isakmp sa. With it, you can clear a single IKE SA. Alternatively, you can use the clear crypto isakmp * command to clear all active IKE SAs.

If you need more information, use the debug crypto isakmp command to display messages about IKE events. In addition, you can use the debug crypto ipsec command to learn even more. Both debugs are verbose, so turn them off with undebug all as soon as you have what you need.

If you want to get a look at the configuration of all IPSec transform sets on a certain device, use the show crypto ipsec transform-set command. Here’s a sample of its output:

Lab_A#show crypto ipsec transform-set
Transform set test: { esp-des }
   will negotiate = { Tunnel, },

The aptly named show crypto map command is what you use to display the configuration of all crypto maps currently configured on a device—a great way to find out if someone blew their crypto map configuration.

To verify that an IPSec SA is working okay, use the show crypto ipsec sa command. Below is a sample of its output:

Lab_A#show crypto ipsec sa
interface: Serial0/0
    Crypto map tag: test1, local addr. 10.1.1.1
   local  ident (addr/mask/prot/port): (10.1.1.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.2/255.255.255.255/0/0)
   current_peer: 10.1.1.2
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     local crypto endpt.: 10.1.1.1, remote crypto endpt.: 10.1.1.2
     path mtu 1500, media mtu 1500
     current outbound spi: 20890A6F
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 26, crypto map: test1
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 27, crypto map: test1
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        IV size: 8 bytes
        replay detection support: Y
     outbound ah sas:

Copyright ©2003 SYBEX Inc., 1151 Marina Village Parkway, Alameda, CA 94501.
www.sybex.com

260 Chapter 8 Cisco IOS IPSec Pre-Shared Keys and Certificate Authority Support

And there are also several commands that you can use to reset an IPSec SA. Table 8.2 lists these commands and describes what they do.

TABLE 8.2    IPSec SA clear Commands

Command                                         Purpose
clear crypto sa                                 Resets all IPSec SAs on a device
clear crypto sa peer {ip-address | peer-name}   Resets the IPSec SA for the specified peer
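To make the two verification outputs above machine-checkable, here is an added Python example (not from the book, and not a Cisco tool) that parses show crypto isakmp sa and show crypto ipsec sa output and reports the conditions a troubleshooter looks for: an IKE SA that is not in QM_IDLE, a missing ESP SA in one direction, send or receive errors, one-way traffic, a transform set that still uses single DES, and an SA about to rekey. The sample output strings are constructed from the excerpts on this page; the hostname Lab_A, the peer addresses and the crypto map name test1 are the page's values, while the 120-second rekey threshold and the function names are assumptions of this example.

```python
import re

# Constructed sample output, modelled on the excerpts in this section; hostname Lab_A,
# peers 10.1.1.1/10.1.1.2 and crypto map test1 are the page's own values.
ISAKMP_SA_OUTPUT = """\
Lab_A#show crypto isakmp sa
dst             src             state          conn-id    slot
10.1.1.2        10.1.1.1        QM_IDLE              82       0
"""
IPSEC_SA_OUTPUT = """\
Lab_A#show crypto ipsec sa
interface: Serial0/0
    Crypto map tag: test1, local addr. 10.1.1.1
   current_peer: 10.1.1.2
    #pkts encaps: 10, #pkts encrypt: 10, #pkts digest 10
    #pkts decaps: 10, #pkts decrypt: 10, #pkts verify 10
    #send errors 10, #recv errors 0
     inbound esp sas:
      spi: 0x257A1039(628756537)
        transform: esp-des ,
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x20890A6F(545852015)
        transform: esp-des ,
        sa timing: remaining key lifetime (k/sec): (4607999/90)
        replay detection support: Y
     outbound ah sas:
"""

# One IKE SA row: dst, src, STATE, conn-id, slot. The header line has a lowercase
# "state" and a non-numeric "conn-id", so it never matches.
IKE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s+(\d+)\s*$")

def parse_isakmp_sa(text):
    """One dict per IKE SA row (dst, src, state, conn_id, slot)."""
    rows = []
    for m in filter(None, map(IKE_ROW.match, text.splitlines())):
        dst, src, state, conn_id, slot = m.groups()
        rows.append({"dst": dst, "src": src, "state": state,
                     "conn_id": int(conn_id), "slot": int(slot)})
    return rows

def parse_ipsec_sa(text):
    """Packet counters, current peer and the ESP SAs in each direction."""
    def ints(pattern):
        return [int(x) for x in re.search(pattern, text).groups()]
    info = {"inbound_esp": [], "outbound_esp": []}
    info["encaps"], info["encrypt"], info["digest"] = ints(
        r"#pkts encaps: (\d+), #pkts encrypt: (\d+), #pkts digest (\d+)")
    info["decaps"], info["decrypt"], info["verify"] = ints(
        r"#pkts decaps: (\d+), #pkts decrypt: (\d+), #pkts verify (\d+)")
    info["send_errors"], info["recv_errors"] = ints(r"#send errors (\d+), #recv errors (\d+)")
    info["peer"] = re.search(r"current_peer: (\S+)", text).group(1)
    section, cur = None, None   # current "... sas:" block and the SA being filled in
    for s in (line.strip() for line in text.splitlines()):
        if s.endswith("sas:"):   # new block; AH blocks map to None and are ignored
            section = {"inbound esp sas:": "inbound_esp",
                       "outbound esp sas:": "outbound_esp"}.get(s)
            cur = None
        elif section and s.startswith("spi: 0x"):
            cur = {"spi": int(s[5:].split("(")[0], 16)}
            info[section].append(cur)
        elif cur is not None:
            if s.startswith("transform:"):
                cur["transform"] = s[len("transform:"):].strip(" ,")
            elif s.startswith("sa timing:"):
                kb, sec = re.search(r"\((\d+)/(\d+)\)", s).groups()
                cur["kb_left"], cur["sec_left"] = int(kb), int(sec)
            elif s.startswith("replay detection support:"):
                cur["replay"] = s.endswith("Y")
    return info

def check_tunnel(isakmp_text, ipsec_text, expected_peer):
    """Findings for the tunnel to expected_peer; an empty list means it looks healthy."""
    findings = []
    ike = [r for r in parse_isakmp_sa(isakmp_text) if expected_peer in (r["dst"], r["src"])]
    if not ike:
        findings.append(f"no IKE SA with {expected_peer}: phase 1 never completed")
    for r in ike:
        if r["state"] != "QM_IDLE":
            findings.append(f"IKE conn-id {r['conn_id']} is in {r['state']}, not QM_IDLE")
    sa = parse_ipsec_sa(ipsec_text)
    esp = sa["inbound_esp"] + sa["outbound_esp"]
    if not sa["inbound_esp"] or not sa["outbound_esp"]:
        findings.append("ESP SA missing in one direction: phase 2 did not complete")
    if sa["send_errors"]:
        findings.append(f"{sa['send_errors']} send errors: outbound packets were dropped")
    if sa["recv_errors"]:
        findings.append(f"{sa['recv_errors']} recv errors: inbound packets failed decrypt/verify")
    if sa["encaps"] and not sa["decaps"]:
        findings.append("packets leave encrypted but none return: check the far side")
    if any(e.get("transform", "").startswith("esp-des") for e in esp):
        findings.append("transform set uses single DES (esp-des), which is weak")
    for e in esp:   # 120 s is an assumed threshold for "rekeying soon"
        if e.get("sec_left", 0) < 120:
            findings.append(f"SA spi 0x{e['spi']:08X} rekeys in {e.get('sec_left')} s")
        if not e.get("replay"):
            findings.append(f"SA spi 0x{e['spi']:08X} has replay detection disabled")
    return findings
```

Calling check_tunnel(ISAKMP_SA_OUTPUT, IPSEC_SA_OUTPUT, "10.1.1.2") on the page's own sample returns four findings: the 10 send errors, the esp-des transform, and the 90 seconds of remaining lifetime on each of the two ESP SAs. Paste real show output into the two strings to run it against a live router.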
