03-26-2019 12:32 AM - edited 03-26-2019 12:33 AM
Hi guys and girls,
I have a pretty simple question: is there a way to see which DH-group and/or ISAKMP policy was used in an IPsec VPN tunnel?
I know that you can see which encryption and hashing was used with "show crypto isakmp sa", but I was wondering if there was any way to see what DH-group or which ISAKMP policy (if you have multiple) was used.
03-26-2019 02:48 AM
Hi, you can use the command show vpn-sessiondb detail l2l to identify the algorithms used, including the DH group.
ASA-1(config-if)# show vpn-sessiondb detail l2l
Session Type: LAN-to-LAN Detailed
Connection : 3.3.3.1
Index : 8 IP Addr : 3.3.3.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 09:45:36 UTC Tue Mar 26 2019
Duration : 0h:00m:48s
IKEv1 Tunnels: 1
IPsec Tunnels: 1
IKEv1:
Tunnel ID : 8.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86351 Seconds
D/H Group : 2
HTH
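As an added illustration (not part of the original thread or of any Cisco tool), the script below parses the kind of "show vpn-sessiondb detail l2l" output quoted in the answer above, pulls out the IKE encryption, hashing, negotiation mode, authentication mode and D/H group per peer, and flags the phase-1 settings a reviewer would want to look at: a MODP group below 2048 bits (group 2 is 1024-bit MODP) or IKEv1 aggressive mode with a pre-shared key. The sample output is constructed to mirror the fields in the post; the field names and layout are assumed from that post, and the group-size table is the IANA IKE DH group registry.

```python
import re

# Constructed sample that mirrors the fields shown in the post above; it is not
# a live capture from an ASA, and the column layout is assumed from the post.
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN Detailed

Connection   : 3.3.3.1
Index        : 8                      IP Addr      : 3.3.3.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Bytes Tx     : 400                    Bytes Rx     : 400
Login Time   : 09:45:36 UTC Tue Mar 26 2019
Duration     : 0h:00m:48s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 8.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86351 Seconds
  D/H Group    : 2
"""

# Modulus size (MODP) or curve size (ECP) in bits, per IANA IKE DH group number.
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096,
                 19: 256, 20: 384, 21: 521}
ECP_GROUPS = {19, 20, 21}
MIN_MODP_BITS = 2048   # group 14 is the usual floor in current guidance


def _grab(pattern, text, default=None):
    """Return the first capture group of pattern in text, or default."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else default


def parse_sessions(text):
    """Split 'show vpn-sessiondb detail l2l' output into one dict per peer."""
    sessions = []
    # Each LAN-to-LAN entry starts with a 'Connection :' line; chunk 0 is the header.
    chunks = re.split(r"(?m)^Connection\s*:\s*", text)[1:]
    for chunk in chunks:
        peer = chunk.split(None, 1)[0]
        dh = _grab(r"^\s*D/H Group\s*:\s*(\d+)", chunk)
        sessions.append({
            "peer": peer,
            "protocol": _grab(r"^Protocol\s*:\s*(.+?)\s*$", chunk),
            # The summary lines carry the IKE algorithm as 'IKEv1: (1)AES256'.
            "ike_encryption": _grab(r"^Encryption\s*:\s*IKEv[12]:\s*\(\d+\)(\S+)", chunk),
            "ike_hashing": _grab(r"^Hashing\s*:\s*IKEv[12]:\s*\(\d+\)(\S+)", chunk),
            "neg_mode": _grab(r"IKE Neg Mode\s*:\s*(\S+)", chunk),
            "auth_mode": _grab(r"Auth Mode\s*:\s*(\S+)", chunk),
            "dh_group": int(dh) if dh else None,
        })
    return sessions


def assess(session):
    """Return a list of findings for one parsed session (empty means no concern)."""
    findings = []
    group = session["dh_group"]
    if group is None:
        findings.append("DH group not reported; check the IKE block of the output")
    else:
        bits = DH_GROUP_BITS.get(group)
        if bits is None:
            findings.append(f"DH group {group} not in the local table; verify manually")
        elif group not in ECP_GROUPS and bits < MIN_MODP_BITS:
            findings.append(f"DH group {group} is {bits}-bit MODP; move to group 14 or an ECP group")
    if session["neg_mode"] == "Aggressive" and session["auth_mode"] == "preSharedKeys":
        findings.append("IKEv1 aggressive mode with a pre-shared key; prefer main mode or IKEv2")
    return findings


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(s["peer"], s["protocol"], "DH group", s["dh_group"])
        for finding in assess(s):
            print("  -", finding)
```

Run it against saved output from several ASAs to get one line per peer with its phase-1 group; the D/H Group line only appears in the IKE block, so the parser searches the whole per-peer chunk rather than relying on indentation, which the forum rendering above has lost.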
03-26-2019 03:20 AM
Hi,
You can also check the same with the command "sh crypto ipsec sa".
Regards,
Deepak Kumar
03-26-2019 08:37 AM
Hi Deepak,
Thanks for the help! I was looking for the command RJI supplied, but I'll be configuring PFS within a few days, so it's definitely useful to know where to look regarding PFS.
03-26-2019 08:36 AM
Hi RJI,
Many thanks! I did look into the "show vpn-sessiondb detail l2l" output, but I just missed the D/H line. This was exactly what I was looking for!
03-26-2019 08:45 AM