Re: show crypto isakmp sa

konn · ‎01-18-2003

When I do a show crypto isakmp sa, there 's no data. But when I do a ping then there's data, does it mean there's no data when there's no activity.

In that case how can I know whether my VPN tunnel is up.

Pls advice.

engel · ‎01-18-2003

Yes, there will be no entry in the "sho crypto isakmp sa" output, if you are not generating an interesting traffic to be encrypted by the router. To verify your tunnel is up use "sh crypto isakmp sa" for Phase1 SA and "sh crypto ipsec sa" for Phase2 SA. To see whether the traffic is flowing through the tunnel, see if the "encrypt" and "decrypt" counter at sh crypto ipsec sa, are changing.

Hope that helps.

Engel

konn · ‎01-18-2003

I have a concentrator located in another country but when I ping to the concentrator ethernet port / private IP, it fail. So what is the best way for me to check whether my router and the concentrator is properly configured.

engel · ‎01-18-2003

Failing to create a tunnel means that some of the parameters are not configured the same between the Concentrator and the router. Coordination with the engineer at the Concentrator side is needed, so that parameters are configured correctly at both devices. Check these parameters:

ISAKMP Phase1: Encryption (DES or 3DES), Hash (MD5 or SHA1), Authentication (Pre-shared ), D-H group (group1 or 2), Lifetime,

Phase2: Encryption (DES or 3DES), Hash (MD5 or SHA1), D-H group (group1 or 2), Lifetime, crypto access-list.

Debugging is helpfull also to locate the problem. Try "debug crypto isakmp" and "debug crypto ipsec" , see whether you can locate the problem.

HTH,

Engel

konn · ‎01-19-2003

1. What is meant by phase1 and phase2 and how can I check them.

2. After I key in "debug crypto isakmp" and "debug crypto ipsec" , nothing

appear, what command should I issue.

3. Should I use Easy VPN client to configure router to talk to the concentrator,

t is the requirements and how can I obtain the Easy VPN client ?

Pls advice.