cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
614
Views
0
Helpful
7
Replies

Site to site VPN

Hi All,

 

What command is used to check the crypto map running for the tunnel? Suppose if the client says the crypto map 50, then which is the best way to view the crypto map?

 

Sh crypto isakmp sa- I am getting the src and dstn peer IP.

Sh crypto ipsec sa- I am getting the encryption, auth, hashing policy associated in it.

 

Whether sh run | sec crypto map command will work?

 

Thanks.

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master

Hello Satish,

show isakmp sa provides you the peer address and the local address a good state should be QM_IDLE

show crypto ipsec sa provides you info on what IPsec SA are active and provides info about for what traffic (source internal IP subnet, Remote LAN subnet) the rule will encrypt and decrpyt (for traffic coming on the opposite direction).

 

show run | begin crypto-map

or

show run | sec crypto-map

can provide you the configuration details.

To be noted the two parties don't need to agree on the crypto map sequence number used, they need to agree on the type of encapsulation used (tunnel/transport) on usage of ESP only or AH+ ESP on encryption algorithms and HMAC algorithms and on the access-list defining the interesting traffic to be encrypted (that must be a mirror of each other,  avoid using any keyword in these ACLs) and on the peer identity (IP addresses of FQDN) and local identity (again IP address or FQDN)

 

Hope to help

Giuseppe

 

 

View solution in original post

7 Replies 7

Giuseppe Larosa
Hall of Fame Master Hall of Fame Master
Hall of Fame Master

Hello Satish,

show isakmp sa provides you the peer address and the local address a good state should be QM_IDLE

show crypto ipsec sa provides you info on what IPsec SA are active and provides info about for what traffic (source internal IP subnet, Remote LAN subnet) the rule will encrypt and decrpyt (for traffic coming on the opposite direction).

 

show run | begin crypto-map

or

show run | sec crypto-map

can provide you the configuration details.

To be noted the two parties don't need to agree on the crypto map sequence number used, they need to agree on the type of encapsulation used (tunnel/transport) on usage of ESP only or AH+ ESP on encryption algorithms and HMAC algorithms and on the access-list defining the interesting traffic to be encrypted (that must be a mirror of each other,  avoid using any keyword in these ACLs) and on the peer identity (IP addresses of FQDN) and local identity (again IP address or FQDN)

 

Hope to help

Giuseppe

 

 

Thanks for your response Giuseppe. The problem in my situation is that the we are running both IKEV1 and V2 and there are around 120 crypto map was created. The command sh run | sec crypto, sh run | be crypto works but it take time.

Hello Satish,

you need to mantain a table of customer name  / IPSec peer addresse(s) in an excel file for example.

If you know the IP address used by the customer as peer you can use

 

show run | begin set peer <customer-IP-address>

 

this will provide you the running-configuration from the point where the command is applied in the crypto map, you will not see the crypto map sequence number, but you can find out the next-sequence number in the crypto map, and if you use a standard numbering scheme the required sequence number will be: next-sequence-number -10.

 

Hope to help

Giuseppe

 

johnlloyd_13
Engager
Engager

hi,

is this for a router for an ASA FW?

 

i usually issue a show run | sec crypto on a router and show run crypto on an ASA FW to see what crypto commands are applied.

We are running in an router.the command sh run | sec crypto works, we are running more than 100 crypto map. For eg: if the client says the crypto number as 80 how can I get into the correct line?

trfinkenstadt
Beginner
Beginner

Hello,

 

you could also try:

 

sh crypto session remote peer-ip detail

 

It will show you whether the tunnel is up and what the encryption domain is.

 

--tim

 

 

Thanks for your reply. I have an another query, whether do we NAT the local identifier segment when it pass through the tunnel? Does it is necessary?
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers