Checking IPSec Protocol Status
Problem
You want to check the status of a VPN.
Solution
There are several useful commands for displaying IPSec parameters.
The command show crypto isakmp sa shows all of the ISAKMP security associations.
Router1#show crypto isakmp sa
And you can look at the IPSec security associations with this command:
Router1#show crypto ipsec sa
Even if you aren't using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:
Router1#show crypto engine connections active
And this closely related command will tell you about packet drops within the encryption engine:
Router1#show crypto engine connections dropped-packet
The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use:
Router1#show crypto map
And you can specify a particular crypto map with the tag keyword:
Router1#show crypto map tag TUNNELMAP
For information about dynamic crypto maps, you can use the following command:
Router1#show crypto dynamic-map
Discussion
The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in:
Router1#show crypto isakmp sa dst src state conn-id slot 172.22.1.4 172.22.1.3 QM_IDLE 1 0 Router1#
Table 12-3 shows all of the possible ISAKMP SA states.
Mode | State name | Description |
---|---|---|
Main Mode | MM_NO_STATE | There is an ISAKMP SA, but none of the parameters have been negotiated yet. |
MM_SA_SETUP | The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information. | |
MM_KEY_EXCH | The devices have used the Diffie-Hellman algorithm to create a common key, but they have not yet authenticated the session. | |
MM_KEY_AUTH | The devices have authenticated the SA. They can now proceed to Quick Mode. | |
Aggressive Mode | AG_NO_STATE | There is an ISAKMP SA, but none of the parameters have been negotiated yet. |
AG_INIT_EXCH | The devices have initiated an Aggressive Mode exchange. | |
AG_AUTH | The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode. | |
Quick Mode | QM_IDLE | The SA is authenticated and ready for use. |
We used Main Mode in all of the examples in this chapter. Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don't need to resort to Aggressive Mode for ISAKMP.
Quick Mode is only possible after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.
Use the following rather verbose command to look at IPSec Security Associations:
Router1#show crypto ipsec sa interface: FastEthernet0/1 Crypto map tag: TUNNELMAP, local addr. 172.22.1.3 local ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/0/0) current_peer: 172.22.1.4 PERMIT, flags={transport_parent,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0 #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4 path mtu 1500, media mtu 1500 current outbound spi: 0 inbound esp sas: inbound ah sas: inbound pcp sas: outbound esp sas: outbound ah sas: outbound pcp sas: local ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/47/0) remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/47/0) current_peer: 172.22.1.4 PERMIT, flags={origin_is_acl,transport_parent,parent_is_transport,} #pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466 #pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0 #send errors 1, #recv errors 0 local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4 path mtu 1500, media mtu 1500 current outbound spi: EB99FB6C inbound esp sas: spi: 0x5A48ACC4(1514712260) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP sa timing: remaining key lifetime (k/sec): (4606612/3392) IV size: 8 bytes replay detection support: Y inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xEB99FB6C(3952737132) transform: esp-3des esp-sha-hmac , in use settings ={Transport, } slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP sa timing: remaining key lifetime (k/sec): (4607955/3392) IV size: 8 bytes replay detection support: Y outbound ah sas: outbound pcp sas: Router1#
There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crypto maps have been applied to which interfaces. It also includes information about the number of packets that the router has been both sent and received, as well as how much time remains before the SA must be renegotiated.
The show crypto engine commands allow you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SA's, the peer IP addresses, the algorithms used, and the number of packets sent and received through the encryption engine:
Router1#show crypto engine connections active ID Interface IP-Address State Algorithm Encrypt Decrypt 1 set HMAC_SHA+3DES_56_C 0 0 2088 FastEthernet0/1 172.22.1.3 set HMAC_SHA+3DES_56_C 0 5 2089 FastEthernet0/1 172.22.1.3 set HMAC_SHA+3DES_56_C 202 0 Router1#
With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection:
Router1#show crypto engine connections dropped-packet Packets dropped because of connection not established: Interface IP-Address Drop Count FastEthernet0/1 172.22.1.3 5 Router1#
The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, this does not imply that there are any active IPSec SAs. It only means that you have applied this map to this interface by using the crypto map interface configuration command:
Router1#show crypto map Interfaces using crypto map VPN-MAP: Crypto Map "CRYPTOMAP" 10 ipsec-isakmp Dynamic map template tag: VPN-USER-MAP Interfaces using crypto map CRYPTOMAP: Crypto Map "TUNNELMAP" 10 ipsec-isakmp Peer = 172.22.1.4 Extended IP access list 116 access-list 116 permit gre host 172.22.1.3 host 172.22.1.4 Current peer: 172.22.1.4 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ TUNNEL-TRANSFORM, } Interfaces using crypto map TUNNELMAP: FastEthernet0/1 Router1#
If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:
Router1#show crypto map tag TUNNELMAP Crypto Map "TUNNELMAP" 10 ipsec-isakmp Peer = 172.22.1.4 Extended IP access list 116 access-list 116 permit gre host 172.22.1.3 host 172.22.1.4 Current peer: 172.22.1.4 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ TUNNEL-TRANSFORM, } Interfaces using crypto map TUNNELMAP: FastEthernet0/1 Router1#
And if there are any dynamic maps, you can see more information about them with the following command:
Router1#show crypto dynamic-map Crypto Map Template"VPN-USER-MAP" 50 Extended IP access list 115 access-list 115 permit tcp any port = 80 any access-list 115 permit tcp any any port = 80 access-list 115 deny ip any 224.0.0.0 31.255.255.255 Current peer: 0.0.0.0 Security association lifetime: 4608000 kilobytes/3600 seconds PFS (Y/N): N Transform sets={ VPN-TRANSFORMS, } Router1#