Site to site VPN

Hi All,

 

What command is used to check the crypto map running for the tunnel? Suppose the client says crypto map 50; which is the best way to view that crypto map?

 

sh crypto isakmp sa - I am getting the src and dstn peer IP.

sh crypto ipsec sa - I am getting the encryption, auth, hashing policy associated with it.

Will the sh run | sec crypto map command work?

 

Thanks.

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Satish,

show isakmp sa provides you the peer address and the local address; a good state should be QM_IDLE.

show crypto ipsec sa provides you info on what IPsec SAs are active and on what traffic (source internal IP subnet, remote LAN subnet) the rule will encrypt and decrypt (for traffic coming in the opposite direction).

 

show run | begin crypto-map

or

show run | sec crypto-map

can provide you the configuration details.

To be noted: the two parties don't need to agree on the crypto map sequence number used. They need to agree on the type of encapsulation used (tunnel/transport), on usage of ESP only or AH + ESP, on encryption algorithms and HMAC algorithms, on the access-list defining the interesting traffic to be encrypted (these must be a mirror of each other; avoid using any keyword in these ACLs), and on the peer identity (IP addresses or FQDN) and local identity (again IP address or FQDN).

 

Hope to help

Giuseppe

 

 


7 Replies 7

Thanks for your response, Giuseppe. The problem in my situation is that we are running both IKEv1 and v2, and around 120 crypto maps were created. The commands sh run | sec crypto and sh run | be crypto work, but they take time.

Hello Satish,

You need to maintain a table of customer name / IPsec peer address(es), in an Excel file for example.

If you know the IP address used by the customer as peer you can use

 

show run | begin set peer <customer-IP-address>

 

This will provide you the running-configuration from the point where the command is applied in the crypto map. You will not see the crypto map sequence number, but you can find out the next sequence number in the crypto map, and if you use a standard numbering scheme the required sequence number will be: next-sequence-number - 10.

 

Hope to help

Giuseppe
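An added example, not part of the original thread: with well over 100 entries, one way to build the peer/sequence table suggested above is to parse a saved copy of the running-config offline and look entries up by sequence number or peer address. The map name, peers, ACL and profile names in the sample are constructed, and `parse_crypto_maps` and `lookup` are hypothetical helper names.

```python
import re

# Constructed sample of a saved running-config; every name and address is made up.
SAMPLE_CONFIG = """\
crypto map VPNMAP local-address GigabitEthernet0/0
crypto map VPNMAP 70 ipsec-isakmp
 set peer 192.0.2.10
 set transform-set TS-AES256
 match address ACL-CUST-A
crypto map VPNMAP 80 ipsec-isakmp
 set peer 198.51.100.20
 set peer 198.51.100.21
 set ikev2-profile PROF-B
 match address ACL-CUST-B
!
interface GigabitEthernet0/0
 crypto map VPNMAP
"""

# Entry header is "crypto map <name> <seq> <type>"; local-address has no sequence.
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (\S+)")

def parse_crypto_maps(config_text):
    """Return one dict per crypto map entry (map name + sequence number)."""
    entries, current = [], None
    for line in config_text.splitlines():
        header = ENTRY_RE.match(line)
        words = line.split()
        if header:
            current = {"map": header.group(1), "seq": int(header.group(2)),
                       "peers": [], "acl": None, "ikev2": False, "lines": [line]}
            entries.append(current)
        elif current is not None and line.startswith(" ") and words:
            current["lines"].append(line)  # indented line belongs to the entry
            if words[:2] == ["set", "peer"] and len(words) > 2:
                current["peers"].append(words[2])
            elif words[:2] == ["match", "address"] and len(words) > 2:
                current["acl"] = words[2]
            elif words[:2] == ["set", "ikev2-profile"]:
                current["ikev2"] = True
        else:
            current = None  # an unindented line closes the current entry
    return entries

def lookup(entries, seq=None, peer=None):
    """Filter entries by sequence number and/or peer address."""
    return [e for e in entries
            if (seq is None or e["seq"] == seq)
            and (peer is None or peer in e["peers"])]
```

Each returned entry keeps its original config lines in `lines`, so the result of `lookup(entries, seq=80)` can be printed as the exact block for that sequence number.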

 

johnlloyd_13
Level 9

Hi,

Is this for a router or an ASA FW?

I usually issue a show run | sec crypto on a router and show run crypto on an ASA FW to see what crypto commands are applied.

We are running on a router. The command sh run | sec crypto works; we are running more than 100 crypto maps. For example, if the client gives the crypto number as 80, how can I get to the correct line?

trfinkenstadt
Level 1

Hello,

 

you could also try:

 

sh crypto session remote peer-ip detail

 

It will show you whether the tunnel is up and what the encryption domain is.

 

--tim

 

 

Thanks for your reply. I have another query: do we NAT the local identifier segment when it passes through the tunnel? Is it necessary?