Checking IPSec Protocol Status

Checking IPSec Protocol Status

Problem

You want to check the status of a VPN.

Solution

There are several useful commands for displaying IPSec parameters.

The command show crypto isakmp sa shows all of the ISAKMP security associations.

Router1#show crypto isakmp sa

And you can look at the IPSec security associations with this command:

Router1#show crypto ipsec sa

Even if you aren't using a key management protocol such as ISAKMP, you can see information on all of the active IPSec connections with the following command:

Router1#show crypto engine connections active

And this closely related command will tell you about packet drops within the encryption engine:

Router1#show crypto engine connections dropped-packet 

The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use:

Router1#show crypto map

And you can specify a particular crypto map with the tag keyword:

Router1#show crypto map tag TUNNELMAP

For information about dynamic crypto maps, you can use the following command:

Router1#show crypto dynamic-map 

Discussion

The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in:

Router1#show crypto isakmp sa
dst src state conn-id slot
172.22.1.4 172.22.1.3 QM_IDLE 1 0

Router1#

Table 12-3 shows all of the possible ISAKMP SA states.

Table 12-3. ISAKMP SA states
Mode State name Description
Main Mode MM_NO_STATE There is an ISAKMP SA, but none of the parameters have been negotiated yet.
MM_SA_SETUP The devices have negotiated a set of parameters for the SA, but have not yet exchanged any key information.
MM_KEY_EXCH The devices have used the Diffie-Hellman algorithm to create a common key, but they have not yet authenticated the session.
MM_KEY_AUTH The devices have authenticated the SA. They can now proceed to Quick Mode.
Aggressive Mode AG_NO_STATE There is an ISAKMP SA, but none of the parameters have been negotiated yet.
AG_INIT_EXCH The devices have initiated an Aggressive Mode exchange.
AG_AUTH The devices have completed an Aggressive Mode exchange and authenticated the SA. They can now proceed to Quick Mode.
Quick Mode QM_IDLE The SA is authenticated and ready for use.


We used Main Mode in all of the examples in this chapter. Aggressive Mode allows faster SA setup by combining SA parameter negotiation, key exchange, and authentication information into the same packet. This has the disadvantage of not hiding the identity information on the peer devices, however. In Main Mode exchanges, this identity information is exchanged separately in encrypted form. Main Mode is the default. Because the extra overhead is minimal, you generally don't need to resort to Aggressive Mode for ISAKMP.

Quick Mode is only possible after the initial ISAKMP exchange has happened at least once. The routers then use this mode when periodically renegotiating the SA information of an SA that has been active for a while. Quick Mode can take advantage of the existing SA to encrypt its exchange.

Use the following rather verbose command to look at IPSec Security Associations:

Router1#show crypto ipsec sa

interface: FastEthernet0/1
Crypto map tag: TUNNELMAP, local addr. 172.22.1.3

local ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/0/0)
current_peer: 172.22.1.4
PERMIT, flags={transport_parent,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
path mtu 1500, media mtu 1500
current outbound spi: 0

inbound esp sas:

inbound ah sas:

inbound pcp sas:

outbound esp sas:

outbound ah sas:

outbound pcp sas:


local ident (addr/mask/prot/port): (172.22.1.3/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (172.22.1.4/255.255.255.255/47/0)
current_peer: 172.22.1.4
PERMIT, flags={origin_is_acl,transport_parent,parent_is_transport,}
#pkts encaps: 466, #pkts encrypt: 466, #pkts digest 466
#pkts decaps: 1156, #pkts decrypt: 1156, #pkts verify 1156
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0

local crypto endpt.: 172.22.1.3, remote crypto endpt.: 172.22.1.4
path mtu 1500, media mtu 1500
current outbound spi: EB99FB6C

inbound esp sas:
spi: 0x5A48ACC4(1514712260)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: TUNNELMAP
sa timing: remaining key lifetime (k/sec): (4606612/3392)
IV size: 8 bytes
replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xEB99FB6C(3952737132)
transform: esp-3des esp-sha-hmac ,
in use settings ={Transport, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: TUNNELMAP
sa timing: remaining key lifetime (k/sec): (4607955/3392)
IV size: 8 bytes
replay detection support: Y

outbound ah sas:

outbound pcp sas:


Router1#

There is clearly a lot of information in this output. It breaks out the inbound and outbound information, and shows what crypto maps have been applied to which interfaces. It also includes information about the number of packets that the router has been both sent and received, as well as how much time remains before the SA must be renegotiated.

The show crypto engine commands allow you to see some of this same information in a more compact form. With the connections active keywords, this command tells you what interfaces are involved in IPSec SA's, the peer IP addresses, the algorithms used, and the number of packets sent and received through the encryption engine:

Router1#show crypto engine connections active

ID Interface IP-Address State Algorithm Encrypt Decrypt
1 set HMAC_SHA+3DES_56_C 0 0
2088 FastEthernet0/1 172.22.1.3 set HMAC_SHA+3DES_56_C 0 5
2089 FastEthernet0/1 172.22.1.3 set HMAC_SHA+3DES_56_C 202 0

Router1#

With the connections dropped-packet keywords, you get some simple statistics on dropped packets. In the following example, the encryption engine was forced to drop five packets because the router tried to send them before it had a valid connection:

Router1#show crypto engine connections dropped-packet 

Packets dropped because of connection not established:
Interface IP-Address Drop Count
FastEthernet0/1 172.22.1.3 5

Router1#

The command show crypto map displays information about all of the configured crypto maps on the router, including which interfaces are currently using them. Note that just because a particular interface is using a particular crypto map, this does not imply that there are any active IPSec SAs. It only means that you have applied this map to this interface by using the crypto map interface configuration command:

Router1#show crypto map
Interfaces using crypto map VPN-MAP:

Crypto Map "CRYPTOMAP" 10 ipsec-isakmp
Dynamic map template tag: VPN-USER-MAP
Interfaces using crypto map CRYPTOMAP:

Crypto Map "TUNNELMAP" 10 ipsec-isakmp
Peer = 172.22.1.4
Extended IP access list 116
access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Current peer: 172.22.1.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ TUNNEL-TRANSFORM, }
Interfaces using crypto map TUNNELMAP:
FastEthernet0/1

Router1#

If you have several crypto maps configured on your router, you can look at a particular one with the tag keyword:

Router1#show crypto map tag TUNNELMAP
Crypto Map "TUNNELMAP" 10 ipsec-isakmp
Peer = 172.22.1.4
Extended IP access list 116
access-list 116 permit gre host 172.22.1.3 host 172.22.1.4
Current peer: 172.22.1.4
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ TUNNEL-TRANSFORM, }
Interfaces using crypto map TUNNELMAP:
FastEthernet0/1

Router1#

And if there are any dynamic maps, you can see more information about them with the following command:

Router1#show crypto dynamic-map 
Crypto Map Template"VPN-USER-MAP" 50
Extended IP access list 115
access-list 115 permit tcp any port = 80 any
access-list 115 permit tcp any any port = 80
access-list 115 deny ip any 224.0.0.0 31.255.255.255
Current peer: 0.0.0.0
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ VPN-TRANSFORMS, }
Router1#