show crypto isakmp sa [to view the security association]
Show crypto isakmp sa | i [destination IP]
show crypto isakmp sa detail
show crypto isakmp stats
show crypto ipsec sa [to view the IPSec SA between VPN peers]
show crypto session | include [destination IP]
show crypto session interface [interface] detail | sec [IP]
show crypto session brief [summarized view of active crypto sessions]
clear crypto sa
clear crypto session [to clear tunnel]
show crypto ca cert [to check vert start date/end date]
show crypto pki cert
show crypto ikev1 stats
show crypto ikev2 stats
show crypto ipsec sa peer [destination IP] detail
show crypto isakmp policy
show crypto ipsec profile »> IPSec timers
show vpn-sessiondb
show crypto session remote [destination peer IP address] » if this is up/up to check for policy mis-match. Policies must match on both devices. Transform sets must always match.
crypto debug pki transactions
crypto debug pki scep
Checking IPSec Protocol Status:
Problem
You want to check the status of a VPN
Solution
There are several useful commands for displaying IPSec parameters.
The command show crypto isakmp sa shows all of the ISAKMP security associations.
Router1# show crypto isakmp sa
And you can look at the IPSec security associations with this command:
Router1# show crypto ipsec sa
Even if you aren't using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:
Router1# show crypto engine connections active
And this closely related command will tell you about the packet drops within the encryption engine:
Router1# show crypto engine connections dropped-packet
The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use:
Router1# show crypto map
And you can specify a particular crypto map with the tag keyword:
Router1# show crypto map tag TUNNELMAP
For information about dynamic crypto maps, you can use the following command:
Router1# show crypto dynamic-map
Discussion
The show crypto isakmp command lets you see information about the current state of any ISAKMP key exchange that the router is involved in:
Router1# show crypto isakmp sa
dst
src
state
conn-id
slot
172.22.1.4
172.22.1.3
QM_IDLE
1
0
Table shows all of the possible ISAKMP SA states:
Main Mode
MM_NO_STATE
There is an ISAKMP SA, but none of the parameters have been negotiated yet.
MM_SA_SETUP
The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information.
MM_KEY_EXCH
The devices have used the Diffie-Helman algorithm to create a common key, but they have not yet authenticated the session.
MM_KEY_AUTH
The devices have authenticated the SA. The can now proceed to Quick Mode.
Aggressive Mode
AG_NO_STATE
There is an ISAKMP SA, but none of the parameters have been negotiated yet.
AG_INIT_EXCH
The devices have initiated an Aggressive Mode exchange.
AG_AUTH
The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode.
Quick Mode
QM_IDLE
The SA is authenticated and ready for use.
Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don't need to resort to Aggressive Mode for ISAKMP.
Quick Mode is only possible after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.
Use the following rather verbose command to look at IPSec Security Associations:
Router1# show crypto ipsec sa
intface: FastEthernet0/1
Crypto map tag: TUNNELMAP, local addr. 172.22.1.3
local ident (addr/mask/prot/port): (172.22.1.3/255.255.225.255/0/0)
remote ident (addr/mask/prot/port): (172.22.1.4/255.255.225.255/0/0)
current_peer: 172.22.1.4
PERMIT, flags={transport_parent, }
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
path mtu 1500, media mtu 1500
current outbound spi: 0
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
local ident (addr/mask/prot/port): (172.22.1.3/255.255.225.255/47/0)
remote ident (addr/mask/prot/port): (172.22.1.4/255.255.225.255/47/0)
current_peer: 172.22.1.4
PERMIT, flags={origin_is_acl, transport_parent, parent_is_transport,}
#pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466
#pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
path mtu 1500, media mtu 1500
current outbound spi: EB99FB6C
inbound esp sas:
spi: 0x5A48ACC4(1514712260)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP
sa timing: remaining key lifetime (k/sec): (4606612/3392)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xEB99FB6C(3952737132)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP
sa timing: remaining key lifetime (k/sec): (4607955/3392)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crpyto maps have been applied to which interfaces. Is also includes information about the number of packets that the router has been both sent and received, as well as how much time remains before the SA must be renogtiated.
The show crypto engine command allows you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SA's, the peer IP addresses, the algorithm used, and the number of packets sent and received through the encryption engine.
Router1# show crypto engine connections active
ID
Interface
IP-Address
State
Algorithm
Encrypt
Decrypt
1
<none>
<none>
set
HMAC_SHA+3DES_56_C
0
0
2088
FastEhternet0/1
172.22.1.3
set
HMAC_SHA+3DES_56_C
0
5
2099
FastEhternet0/1
172.22.1.3
set
HMAC_SHA+3DES_56_C
202
0
With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection:
Router1# show crypto engine connections dropped-packet
Packets dropped because of connection not established:
Interface
IP-Address
Drop Count
FastEhternet0/1
172.22.1.3
5
The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, this does not imply that there any active IPSec SAs. It only means that you have applied this map to this interface by using the crypto map interface configuration command:
Router1# show crypto map
Interfaces using crypto map VPN_MAP:
Crypto Map “CRYPTOMAP” 10 ipsec-isakmp
Dynamic map template tag: VPN-USER-MAP
Interfaces using crypto map CRYPTOMAP:
Crypto Map “TUNNELMAP” 10 ipsec-isakmp
Peer = 172.22.1.4
Extended IP access list 116
access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Current peer: 172.22.1.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ TUNNEL-TRANSFORM, }
Interfaces using crypto map TUNNELMAP:
FastEthernet0/1
If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:
Router1# show crypto map tag TUNNELMAP
Crypto Map “TUNNELMAP” 10 ipsec-isakmp
Peer = 172.22.1.4
Extended IP access list 116
access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Current peer: 172.22.1.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ TUNNEL-TRANSFORM, }
Interfaces using crypto map TUNNELMAP:
FastEthernet0/1
And if there are any dynamic maps, you can see more information about them with the following command:
Router1# show crypto dynamic-map
Crytpo Map Template “VPN-USER-MAP” 50
Extended IP access list 115
access-list 115 permit tcp any port = 80 any
access-list 115 permit tcp any port = 80
access-list 115 deny ip any 224.0.0.0 31.255.255.255
Current peer: 0.0.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ VPN-TRANSFORMS, }