Additional Troubleshooting Commands

This section contains some additional commands that may be useful when troubleshooting IPSec VPNs.

show crypto engine connections active

The show crypto engine connections active command (see Example 8-112) shows active IKE and IPSec SAs.

Example 8-112. Active IKE and IPSec SAs
Tokyo#show crypto engine connections active
  ID Interface        IP-Address      State  Algorithm           Encrypt  Decrypt
   3 <none>           <none>          set    HMAC_MD5+DES_56_CB        0        0
2000 Serial4/0        172.16.5.1      set    HMAC_MD5+DES_56_CB        0        5
2001 Serial4/0        172.16.5.1      set    HMAC_MD5+DES_56_CB       11        0
Tokyo#

Highlighted line 1 shows an IKE SA with connection ID 3. Note that the encrypt and decrypt counters both remain at zero.

Highlighted lines 2 and 3 show an inbound and an outbound IPSec SA associated with interface serial 4/0. Also shown are the IP address configured on the interface and the hash and encryption algorithms in use.

Note the encrypt and decrypt counters: the decrypt counter in highlighted line 2 is nonzero because that line shows an inbound IPSec SA, while in highlighted line 3 the encrypt counter is nonzero because that line shows an outbound IPSec SA.

As you can see, this command can be very useful for verifying that traffic is being sent and received over the IPSec tunnel.
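The counter rule above is easy to automate. The following added example (not from the book) parses a constructed copy of the Example 8-112 table, labels each SA as IKE, inbound or outbound from its counters, and reports whether traffic is moving in both directions, one direction, or not at all:

```python
import re
from dataclasses import dataclass
# Constructed sample modelled on Example 8-112 (not the book's own output).
SAMPLE = """\
Tokyo#show crypto engine connections active
  ID Interface        IP-Address      State  Algorithm           Encrypt  Decrypt
   3 <none>           <none>          set    HMAC_MD5+DES_56_CB        0        0
2000 Serial4/0        172.16.5.1      set    HMAC_MD5+DES_56_CB        0        5
2001 Serial4/0        172.16.5.1      set    HMAC_MD5+DES_56_CB       11        0
Tokyo#
"""

# Columns: ID, Interface, IP-Address, State, Algorithm, Encrypt, Decrypt
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$")

@dataclass
class Connection:
    conn_id: int
    interface: str
    state: str
    algorithm: str
    encrypt: int
    decrypt: int

    @property
    def kind(self):
        # An IKE SA has no interface and never moves either counter; for an
        # IPSec SA the counter that moves tells you its direction.
        if self.interface == "<none>":
            return "ike"
        if not (self.encrypt or self.decrypt):
            return "ipsec-idle"  # direction cannot be read off zero counters
        return "ipsec-inbound" if self.decrypt else "ipsec-outbound"

def parse(output):
    """Return one Connection per table row, skipping the prompt and header lines."""
    rows = [ROW.match(line) for line in output.splitlines()]
    return [Connection(int(m[1]), m[2], m[4], m[5], int(m[6]), int(m[7])) for m in rows if m]

def tunnel_health(conns):
    """Summarise the IPSec SAs: a healthy tunnel both encrypts and decrypts."""
    ipsec = [c for c in conns if c.interface != "<none>"]
    if not ipsec:
        return "no-ipsec-sa"
    enc, dec = sum(c.encrypt for c in ipsec), sum(c.decrypt for c in ipsec)
    return {(True, True): "bidirectional", (True, False): "outbound-only",
            (False, True): "inbound-only", (False, False): "no-traffic"}[(enc > 0, dec > 0)]
```

An "outbound-only" result points at the peer or the return path; "inbound-only" means this router receives but never encrypts, so check its crypto access list and routing.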

show crypto key mypubkey rsa

The show crypto key mypubkey rsa command can be used to display the router's RSA public keys.

Example 8-113 shows the output of this command.

Example 8-113. show crypto key mypubkey rsa Command Output
Tokyo#show crypto key mypubkey rsa
% Key pair was generated at: 16:40:43 GMT Mar 17 2003
Key name: Tokyo.mjlnet.com
 Usage: General Purpose Key
 Key Data:
  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E3D7D5
  83D2063A 1725567C 7A9F9173 3001B06A C87208D7 9B990301 AC9A03D6 1FD87656
  903ED06F EBE17FD1 CF672EC7 391CDF3C A40247E4 8FC09102 02E09D98 2D097C5F
  DEA636BA 9B1DA643 6B765C71 57CE58DD 5DCACF8B E20ACF8C D10E478E F32C501D
  00412C0B 787CD246 3E886C06 351D4829 19076F7F 12669970 188ADDA5 21020301 0001
% Key pair was generated at: 18:40:50 GMT Mar 17 2003
Key name: Tokyo.mjlnet.com.server
 Usage: Encryption Key
 Key Data:
  307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D199FE 2DFE34C5
  E53DB392 96AF3FFD 50DE1DE7 0E913F9E 660C3031 95A31A44 24AD606B FFABFCD5
  240913CC B84183CF 9E8AF126 214C8E0A 1D1DA5C9 B6D317C2 50B8FDAB F7F258CD
  3FD9BCD5 2F5CF4C0 47C14E47 78CB0233 C302DFF1 64E532D6 9B020301 0001
Tokyo#

Highlighted line 1 shows the time when the keys were generated. Then in highlighted lines 2 and 3, the key name and usage are shown.
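The Key Data block is the router's public key as a DER-encoded SubjectPublicKeyInfo. As an added example (not from the book), the following minimal DER decoder, fed the hex copied from Example 8-113, recovers the modulus size and public exponent of each key:

```python
# Added example: decode the DER-encoded SubjectPublicKeyInfo that
# show crypto key mypubkey rsa prints under "Key Data" (hex from Example 8-113).
GENERAL_PURPOSE_KEY = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00E3D7D5
83D2063A 1725567C 7A9F9173 3001B06A C87208D7 9B990301 AC9A03D6 1FD87656
903ED06F EBE17FD1 CF672EC7 391CDF3C A40247E4 8FC09102 02E09D98 2D097C5F
DEA636BA 9B1DA643 6B765C71 57CE58DD 5DCACF8B E20ACF8C D10E478E F32C501D
00412C0B 787CD246 3E886C06 351D4829 19076F7F 12669970 188ADDA5 21020301 0001
"""
ENCRYPTION_KEY = """
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00D199FE 2DFE34C5
E53DB392 96AF3FFD 50DE1DE7 0E913F9E 660C3031 95A31A44 24AD606B FFABFCD5
240913CC B84183CF 9E8AF126 214C8E0A 1D1DA5C9 B6D317C2 50B8FDAB F7F258CD
3FD9BCD5 2F5CF4C0 47C14E47 78CB0233 C302DFF1 64E532D6 9B020301 0001
"""
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1

def der_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_public_key(hex_dump):
    """Return (modulus_bits, public_exponent) from the router's hex key dump."""
    spki = bytes.fromhex("".join(hex_dump.split()))
    tag, body, end = der_tlv(spki, 0)
    if tag != 0x30 or end != len(spki):
        raise ValueError("not a single DER SEQUENCE")
    tag, alg, pos = der_tlv(body, 0)                  # AlgorithmIdentifier
    if tag != 0x30 or der_tlv(alg, 0)[1] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = der_tlv(body, pos)                 # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("malformed subjectPublicKey")
    _, rsakey, _ = der_tlv(bits, 1)                   # SEQUENCE { INTEGER n, INTEGER e }
    tag_n, n, pos = der_tlv(rsakey, 0)
    tag_e, e, _ = der_tlv(rsakey, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")
```

The general-purpose key decodes to 1024 bits and the encryption key to 768 bits, both with e = 65537; current guidance calls for RSA moduli of at least 2048 bits, so this is a quick way to audit what a peer will be trusting.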

show crypto key pubkey-chain rsa

The show crypto key pubkey-chain rsa command shows peer RSA keys.

Example 8-114 shows the output of the show crypto key pubkey-chain rsa command.

Example 8-114. show crypto key pubkey-chain rsa Command Output
Tokyo#show crypto key pubkey-chain rsa
Codes: M - Manually configured, C - Extracted from certificate
Code Usage   IP-Address       Name
C    Signing                  X.500 DN name:
                               CN = mjlnetca
                               OU = mjlnet
                               O = MJL Network Services
                               L = London
                               ST = London
                               C = UK
                               EA = [email protected]

Tokyo#

As you can see, this command shows the key, its usage, and the associated name.

show crypto ipsec dynamic-map

Use the show crypto ipsec dynamic-map command to display dynamic crypto map sets.

Example 8-115 shows the output of the show crypto ipsec dynamic-map command.

Example 8-115. show crypto ipsec dynamic-map Command Output
Tokyo#show crypto dynamic-map
Crypto Map Template"mjlnetDyn" 10
        No matching address list set.
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                mjlnetTrans,
        }
Tokyo#

show crypto ipsec security-association lifetime

The show crypto ipsec security-association lifetime command can be used to display the security association (SA) lifetime values that apply to crypto maps.

Example 8-116 shows the output of the show crypto ipsec security-association lifetime command.

Example 8-116. show crypto ipsec security-association lifetime Command Output
Tokyo#show crypto ipsec security-association-lifetime
Security association lifetime: 4608000 kilobytes/3600 seconds
Tokyo#

debug crypto ipsec

The debug crypto ipsec command is used to examine IPSec events.

Examples 8-117 and 8-118 show the output of the debug crypto ipsec command.

Example 8-117. debug crypto ipsec Command Output
Tokyo#debug crypto ipsec
Crypto IPSEC debugging is on
Tokyo#
Mar  8 22:50:00.147 GMT: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.16.5.1, dest= 172.16.6.2,
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xDE162122(3725992226), conn_id= 0, keysize= 0, flags= 0x4004
Mar  8 22:50:00.567 GMT: IPSEC(validate_proposal_request): proposal part #1,
  (key eng. msg.) dest= 172.16.6.2, src= 172.16.5.1,
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 0s and 0kb,
    spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4
Mar  8 22:50:00.571 GMT: IPSEC(key_engine): got a queue event

In highlighted line 1, user traffic matching the crypto access list has caused router Tokyo to initiate IPSec SA setup to the peer router.

IPSec SAs are then negotiated via IKE quick mode, and in highlighted line 2, Tokyo validates an IPSec SA proposal. Example 8-118 shows a continuation of the debug.

Example 8-118. debug crypto ipsec Command Output (Continued from Example 8-117)
Mar  8 22:50:00.571 GMT: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.16.5.1, src= 172.16.6.2,
    dest_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    src_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xDE162122(3725992226), conn_id= 2000, keysize= 0, flags= 0x4
Mar  8 22:50:00.571 GMT: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.16.5.1, dest= 172.16.6.2,
    src_proxy= 10.1.1.0/255.255.255.0/0/0 (type=4),
    dest_proxy= 10.2.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-md5-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xD28E6C84(3532549252), conn_id= 2001, keysize= 0, flags= 0x4
Mar  8 22:50:00.571 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.5.1, sa_prot= 50,
    sa_spi= 0xDE162122(3725992226),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2000
Mar  8 22:50:00.571 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.6.2, sa_prot= 50,
    sa_spi= 0xD28E6C84(3532549252),
    sa_trans= esp-des esp-md5-hmac , sa_conn_id= 2001
Tokyo#

In highlighted lines 1 and 2, inbound and outbound IPSec SAs are initialized in the security association database (SADB). Finally, in highlighted lines 3 and 4, the inbound and outbound SAs are created, and the IPSec tunnel is up.
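When the debug runs for many tunnels, pairing the initialize_sas and create_sa records by hand is tedious. The following added example (not from the book) parses a constructed excerpt modelled on Examples 8-117 and 8-118, correlates each initialized SA with its create_sa by SPI, labels the direction from the SA destination (172.16.5.1 is assumed to be Tokyo's own address), and reports whether both SAs came up:

```python
import re
# Constructed debug excerpt modelled on Examples 8-117 and 8-118 (not the book's output).
DEBUG = """\
Mar  8 22:50:00.147 GMT: IPSEC(sa_request): ,
  (key eng. msg.) src= 172.16.5.1, dest= 172.16.6.2, spi= 0xDE162122(3725992226), conn_id= 0,
Mar  8 22:50:00.571 GMT: IPSEC(initialize_sas): ,
  (key eng. msg.) dest= 172.16.5.1, src= 172.16.6.2,
    spi= 0xDE162122(3725992226), conn_id= 2000, keysize= 0, flags= 0x4
Mar  8 22:50:00.571 GMT: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 172.16.5.1, dest= 172.16.6.2,
    spi= 0xD28E6C84(3532549252), conn_id= 2001, keysize= 0, flags= 0x4
Mar  8 22:50:00.571 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.5.1, sa_prot= 50, sa_spi= 0xDE162122(3725992226), sa_conn_id= 2000
Mar  8 22:50:00.571 GMT: IPSEC(create_sa): sa created,
  (sa) sa_dest= 172.16.6.2, sa_prot= 50, sa_spi= 0xD28E6C84(3532549252), sa_conn_id= 2001
"""

EVENT = re.compile(r"^\w{3}\s+\d+ [\d:.]+ \w+: IPSEC\((\w+)\)")  # header line of each event
FIELDS = {  # the same field is printed with and without an sa_ prefix
    "spi": re.compile(r"\b(?:sa_)?spi= (0x[0-9A-Fa-f]+)"),
    "conn_id": re.compile(r"\b(?:sa_)?conn_id= (\d+)"),
    "dest": re.compile(r"\b(?:sa_)?dest= ([\d.]+)"),
}

def parse_events(text):
    """Group indented continuation lines under their IPSEC(...) header, then extract fields."""
    events = []
    for line in text.splitlines():
        if m := EVENT.match(line):
            events.append({"event": m[1], "raw": ""})
        if events:
            events[-1]["raw"] += line + "\n"
    for ev in events:
        for name, rx in FIELDS.items():
            ev[name] = f[1] if (f := rx.search(ev["raw"])) else None
    return events

def audit_tunnel(text, local_ip):
    """Pair each initialize_sas with its create_sa by SPI; the SA whose dest is our own
    address is the inbound one. Both must be created before the tunnel is up."""
    events = parse_events(text)
    created = {e["spi"]: e for e in events if e["event"] == "create_sa"}
    result = {}
    for e in (e for e in events if e["event"] == "initialize_sas"):
        direction = "inbound" if e["dest"] == local_ip else "outbound"
        c = created.get(e["spi"])
        result[direction] = {"spi": e["spi"], "conn_id": int(e["conn_id"]),
                             "created": c is not None and c["conn_id"] == e["conn_id"]}
    result["tunnel_up"] = all(result.get(d, {}).get("created") for d in ("inbound", "outbound"))
    return result
```

A debug that stops after the first create_sa leaves one direction with created = False, which is the signature of a tunnel that negotiated but never fully came up.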
