ASA: How to extract IKEv1 tunnel information from the configuration ?

swscco001
Level 3

Hello everybody,

our customer has a Firepower 2130 running ASA image rel. 9.14(4)24.

They have several hundred S2S tunnels (see attached ASDM screen dump)
and I have the task to extract all group policy names that are using
IKEv1 and their peer IP addresses in ASCII format regardless if the
tunnels are up or not.

They also need the remote encrypted networks only for these IKEv1 tunnels.

I tried to find a command that lists all these group policy names
using IKEv1 and their peer IP addresses but did not find any.
The same is with the remote encrypted networks for the IKEv1 tunnels.

Are there such commands or do I have to go through the long configuration
and extract this information manually?

Every hint is welcome.

Thanks a lot!

 

Bye
R.

Accepted Solutions

@swscco001 you could just apply a filter on show run - show run group-policy | i attributes|ikev1

In the example below, only group-policy TWO and THREE have IKEv1 configured; with a bit of filtering in Notepad you can easily remove the other group-policies that don't have IKEv1 configured.

ASA(config-group-policy)# show run group-policy | i attributes|ikev1
group-policy RAVPN attributes
group-policy THREE attributes
vpn-tunnel-protocol ikev1
group-policy ONE attributes
group-policy TWO attributes
vpn-tunnel-protocol ikev1
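
The filter above yields the group-policy names only. The following added example (not part of the original post and not Cisco's code) goes one step further and joins them to peer addresses and remote networks from a saved `show run`. It assumes indented `show run` output, L2L tunnel-groups named by peer IP, and plain `extended permit ip` ACEs; the sample configuration and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample running-config; every name and address is made up.
SAMPLE = """\
group-policy ONE attributes
 vpn-tunnel-protocol ikev2
group-policy TWO attributes
 vpn-tunnel-protocol ikev1
tunnel-group 203.0.113.10 general-attributes
 default-group-policy TWO
tunnel-group 198.51.100.7 general-attributes
 default-group-policy ONE
access-list VPN_A extended permit ip 10.1.0.0 255.255.0.0 192.168.50.0 255.255.255.0
access-list VPN_A extended permit ip 10.1.0.0 255.255.0.0 host 192.168.60.5
access-list VPN_B extended permit ip object-group LOCAL 172.16.9.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 20 match address VPN_B
crypto map OUTSIDE_MAP 20 set peer 198.51.100.7
"""

def take_addr(tok):
    """Pop one address spec: any | host A | object X | object-group X | NET MASK."""
    n = 1 if tok[0] in ("any", "any4", "any6") else 2
    return " ".join(tok.pop(0) for _ in range(n))

def ikev1_tunnels(config):
    """Return {peer: (group_policy, [remote networks])} for IKEv1 group policies."""
    ikev1_gp, gp_of, acl_of, peers_of = set(), {}, {}, {}
    dst, parent = defaultdict(list), []
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):
            parent = w                      # unindented line opens a new context
        if w[0] == "vpn-tunnel-protocol" and parent[:1] == ["group-policy"] and "ikev1" in w:
            ikev1_gp.add(parent[1])
        elif w[0] == "default-group-policy" and parent[:1] == ["tunnel-group"]:
            gp_of[parent[1]] = w[1]
        elif w[0] == "access-list" and w[2:5] == ["extended", "permit", "ip"]:
            tok = w[5:]
            take_addr(tok)                  # skip the local (source) side
            dst[w[1]].append(take_addr(tok))
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            acl_of[tuple(w[2:4])] = w[6]
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["set", "peer"]:
            peers_of[tuple(w[2:4])] = w[6:]
    # A tunnel-group without default-group-policy inherits DfltGrpPolicy.
    return {p: (gp_of.get(p, "DfltGrpPolicy"), dst.get(acl_of.get(k), []))
            for k, ps in peers_of.items() for p in ps
            if gp_of.get(p, "DfltGrpPolicy") in ikev1_gp}
```

Object and object-group names in an ACE are returned as written, not expanded. Because this works on the saved configuration, it also covers tunnels that are currently down.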


4 Replies

balaji.bandi
Hall of Fame

Maybe you can write a small Python script to get the output from the device and format it the way you want to present it.

show crypto ikev1 sa detail
show crypto ikev2 sa detail

You can use the below example and fine-tune what is required :

https://github.com/abdelens/Ipsec_Collector_Generator

BB

Hi balaji,

thanks for your reply!

I think the command "show crypto ikevX sa detail" only shows the
information about tunnels that are currently up.

I need this information for all configured tunnels.

I am not familiar with Python but will have a look at the description on GitHub.

Thanks a lot!


Bye
R.

MHM
