ASA - Can you see the used DH-Group or ISAKMP Policy?

Eric Snijders (Level 1)

Hi guys and girls,

I have a pretty simple question: is there a way to see which DH group and/or ISAKMP policy was used in an IPsec VPN tunnel?
I know that you can see which encryption and hashing were used with "show crypto isakmp sa", but I was wondering if there was any way to see which DH group or which ISAKMP policy (if you have multiple) was used.

Accepted Solution

Hi, you can use the command "show vpn-sessiondb detail l2l" to identify the algorithms used, including the DH group.


ASA-1(config-if)# show vpn-sessiondb detail l2l

Session Type: LAN-to-LAN Detailed

Connection : 3.3.3.1
Index : 8 IP Addr : 3.3.3.1
Protocol : IKEv1 IPsec
Encryption : IKEv1: (1)AES256 IPsec: (1)AES256
Hashing : IKEv1: (1)SHA1 IPsec: (1)SHA1
Bytes Tx : 400 Bytes Rx : 400
Login Time : 09:45:36 UTC Tue Mar 26 2019
Duration : 0h:00m:48s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
Tunnel ID : 8.1
UDP Src Port : 500 UDP Dst Port : 500
IKE Neg Mode : Main Auth Mode : preSharedKeys
Encryption : AES256 Hashing : SHA1
Rekey Int (T): 86400 Seconds Rekey Left(T): 86351 Seconds
D/H Group : 2

 

HTH


5 Replies

Hi,

You can also check the same with the command "sh crypto ipsec sa".

(screenshot: sh-crypto-ipsec-sa.png)

Regards,
Deepak Kumar

Hi Deepak,

Thanks for the help! I was looking for the command RJI supplied, but I'll be configuring PFS within a few days, so it's definitely useful to know where to look regarding PFS.

Hi RJI,

Many thanks! I did look into "show vpn-sessiondb detail l2l" but I just missed the D/H line. This was exactly what I was looking for!

Good to hear.

FYI, the command I provided will also identify the IPsec algorithms in use, and therefore will identify the PFS DH group if configured. I didn't include it in the output I previously provided, as you were only enquiring about the ISAKMP DH group.

HTH
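The accepted answer shows where the ISAKMP DH group appears in "show vpn-sessiondb detail l2l", and the last reply notes that the same output also carries the IPsec algorithms and PFS group. As an added example (not code from the thread, from Cisco, or from any poster), here is a small Python script that parses that output into one record per IKE/IPsec tunnel and flags the parameters a reviewer would want to look at: the posted session, for instance, negotiates D/H group 2 (1024-bit MODP) with SHA1 and pre-shared keys. The sample text is constructed from the output posted above with the ASA's column padding restored; the IPsec section and its "PFS Group" field are an assumed layout (the accepted answer trimmed that section), and the weak-parameter thresholds are this example's own policy, not something the thread states. The parser also accepts the space-collapsed form the forum rendered, where two fields share a line separated by a single space.

```python
import re
from typing import Dict, List

# Constructed sample: the IKEv1 block is the output posted in the thread (with the
# column padding an ASA prints restored); the IPsec block is an assumed layout for
# the section the accepted answer trimmed, included so PFS can be checked as well.
SAMPLE = """\
Session Type: LAN-to-LAN Detailed

Connection   : 3.3.3.1
Index        : 8                      IP Addr      : 3.3.3.1
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Login Time   : 09:45:36 UTC Tue Mar 26 2019

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 8.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 86351 Seconds
  D/H Group    : 2

IPsec:
  Tunnel ID    : 8.2
  Local Addr   : 10.0.0.0/255.255.255.0/0/0
  Remote Addr  : 10.1.0.0/255.255.255.0/0/0
  Encryption   : AES256                 Hashing      : SHA1
  Encapsulation: Tunnel                 PFS Group    : 2
  Rekey Int (T): 28800 Seconds          Rekey Left(T): 28752 Seconds
"""

# Fields extracted from a tunnel block. Longest names go first in the alternation
# so a longer key such as "Rekey Int (T)" is never cut short by a shorter one.
KEYS = [
    "Tunnel ID", "UDP Src Port", "UDP Dst Port", "IKE Neg Mode", "Auth Mode",
    "Encryption", "Hashing", "Encapsulation", "Local Addr", "Remote Addr",
    "Rekey Int (T)", "Rekey Left(T)", "Rekey Int (D)", "Rekey Left(D)",
    "D/H Group", "PFS Group",
]
KEY_RE = re.compile(
    r"(" + "|".join(re.escape(k) for k in sorted(KEYS, key=len, reverse=True)) + r")\s*:\s*"
)
SECTION_RE = re.compile(r"^(IKEv1|IKEv2|IPsec):\s*$")   # per-tunnel block headers
PEER_RE = re.compile(r"^Connection\s*:\s*(\S+)")        # starts a new session

# Review policy used by audit_tunnel(): this example's own thresholds, not the thread's.
WEAK_DH_GROUPS = {"1", "2", "5"}      # 768/1024/1536-bit MODP
WEAK_HASHES = {"MD5", "SHA1"}
WEAK_CIPHERS = {"DES", "3DES"}


def parse_sessiondb(text: str) -> List[Dict[str, str]]:
    """Return one dict per IKEv1/IKEv2/IPsec block, tagged with its type and peer.

    Only lines inside a tunnel block are parsed; the per-session summary lines
    (whose values themselves contain colons) are skipped.
    """
    tunnels: List[Dict[str, str]] = []
    peer = None
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PEER_RE.match(line)
        if m:
            peer, current = m.group(1), None
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {"type": m.group(1), "peer": peer}
            tunnels.append(current)
            continue
        if current is None or not line:
            continue
        # re.split with one capture group yields [prefix, key1, val1, key2, val2, ...],
        # which handles both the padded two-column layout and the collapsed one.
        parts = KEY_RE.split(line)
        for key, val in zip(parts[1::2], parts[2::2]):
            current[key] = val.strip()
    return tunnels


def audit_tunnel(t: Dict[str, str]) -> List[str]:
    """Flag negotiated parameters that fall below the policy above."""
    findings: List[str] = []
    if t["type"] == "IPsec":
        group = t.get("PFS Group")
        if group is None:   # assumption: the ASA omits the field when PFS is off
            findings.append("no PFS group reported (assumed to mean PFS is off)")
    else:
        group = t.get("D/H Group")
    if group in WEAK_DH_GROUPS:
        findings.append(f"DH group {group} is a weak MODP group")
    if t.get("Hashing") in WEAK_HASHES:
        findings.append(f"integrity uses {t['Hashing']}")
    if t.get("Encryption") in WEAK_CIPHERS:
        findings.append(f"cipher {t['Encryption']} is deprecated")
    if t["type"] == "IKEv1":
        findings.append("IKEv1 negotiation (prefer IKEv2)")
    if t.get("Auth Mode") == "preSharedKeys":
        findings.append("pre-shared key authentication")
    return findings


def audit_output(text: str) -> Dict[str, List[str]]:
    """Map 'type tunnel-id' to its findings for every tunnel in the output."""
    return {f"{t['type']} {t.get('Tunnel ID', '?')}": audit_tunnel(t)
            for t in parse_sessiondb(text)}


if __name__ == "__main__":
    for label, findings in audit_output(SAMPLE).items():
        print(label, "->", "; ".join(findings) or "ok")
```

To run it against a live box, paste the output of "show vpn-sessiondb detail l2l" into a file and pass the text to audit_output(); the same field names apply to IKEv2 blocks, so an IKEv2 tunnel is parsed without changes.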