Verify your configuration—Because of the complexity of the configurations, it is
a good idea to verify your configuration. Remember that both peers must have
an exactly matched phase 1 policy for the key exchange to occur, which is the
first step in establishing the VPN connection. As always, the show command is
a very effective tool for checking your configuration. You can get extended
output with show isakmp policy, or you can see the commands that were input
with show isakmp. You get the same output with write terminal as with show
isakmp. Here is some sample output from show isakmp:
tgpix# show isakmp
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp key ***** 192.168.2.1 netmask 255.255.255.255
You can see that policy 10 uses preshared secrets for authentication,
3DES encryption, the group 2 (1024-bit) Diffie-Hellman key exchange,
MD5 hash, and a connection lifetime of 86,400 seconds (24 hours), and
it is enabled on the outside interface.
Here is some sample output from show isakmp policy:
tgpix# show isakmp policy
Protection suite or priority 10
encryption algorithm: Three key triple DES
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default protection suite
encryption algorithm: DES - Data Encryption Standard (56-bit keys)
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
In this output, you can see the two ISAKMP policies that are configured
on the firewall (policy 10 and default). If you do not configure a specific
ISAKMP policy, the default values are used.
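The check described above, as an added example that is not part of the original text: it parses show isakmp output from two peers, fills unset parameters from the default protection suite, and reports whether any pair of phase 1 policies matches exactly. The peer configurations, the function names, and the choice to compare lifetime for equality along with the other four parameters are assumptions made for illustration; the policy number is treated as a local priority and is not compared.

```python
import re

# Defaults come from the "Default protection suite" shown by show isakmp policy.
DEFAULTS = {"authentication": "rsa-sig", "encryption": "des",
            "group": "1", "hash": "sha", "lifetime": "86400"}
POLICY_LINE = re.compile(
    r"^isakmp policy (\d+) (authentication|encryption|group|hash|lifetime) (\S+)$")

def parse_policies(show_isakmp):
    """Return {priority: {parameter: value}}, with unset parameters defaulted."""
    policies = {}
    for line in show_isakmp.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:  # "isakmp enable" and "isakmp key" lines are not policy lines
            prio, param, value = m.groups()
            policies.setdefault(int(prio), dict(DEFAULTS))[param] = value
    return policies

def matching_pairs(local, remote):
    """(local priority, remote priority) pairs whose five parameters are identical."""
    return [(lp, rp) for lp, lv in sorted(local.items())
            for rp, rv in sorted(remote.items()) if lv == rv]

def differences(a, b):
    """Parameters on which two policies disagree, as {parameter: (a, b)}."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

# TGPIX is the policy from the sample output; both peers are constructed.
TGPIX = """isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 group 2
isakmp policy 10 hash md5
isakmp policy 10 lifetime 86400
isakmp enable outside
isakmp key ***** 192.168.2.1 netmask 255.255.255.255"""
# Same suite under a different priority, lifetime left at its default.
PEER_OK = """isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 group 2
isakmp policy 20 hash md5"""
# Hash line omitted, so the default (sha) applies and phase 1 cannot match.
PEER_BAD = PEER_OK.replace("isakmp policy 20 hash md5", "").strip()

if __name__ == "__main__":
    local = parse_policies(TGPIX)
    for name, text in (("PEER_OK", PEER_OK), ("PEER_BAD", PEER_BAD)):
        remote = parse_policies(text)
        print(name, matching_pairs(local, remote) or differences(local[10], remote[20]))
```

An empty result from matching_pairs means the key exchange has no common policy to agree on; differences then names the parameter to correct on one side.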