07-10-2019 09:27 PM
Hi All,
What command is used to check the crypto map running for the tunnel? Suppose the client says "crypto map 50", then which is the best way to view that crypto map?
sh crypto isakmp sa - I am getting the src and dstn peer IP.
sh crypto ipsec sa - I am getting the encryption, auth, hashing policy associated in it.
Will the sh run | sec crypto map command work?
Thanks.
07-10-2019 11:27 PM - edited 07-10-2019 11:28 PM
Hello Satish,
show isakmp sa provides you the peer address and the local address; a good state should be QM_IDLE
show crypto ipsec sa provides you info on what IPsec SAs are active and provides info about for what traffic (source internal IP subnet, remote LAN subnet) the rule will encrypt and decrypt (for traffic coming in the opposite direction).
show run | begin crypto-map
or
show run | sec crypto-map
can provide you the configuration details.
To be noted: the two parties don't need to agree on the crypto map sequence number used; they need to agree on the type of encapsulation used (tunnel/transport), on usage of ESP only or AH + ESP, on encryption algorithms and HMAC algorithms, on the access-list defining the interesting traffic to be encrypted (these must be a mirror of each other; avoid using the any keyword in these ACLs), and on the peer identity (IP address or FQDN) and local identity (again IP address or FQDN).
Hope to help
Giuseppe
07-11-2019 09:16 PM
07-11-2019 11:26 PM
Hello Satish,
you need to maintain a table of customer name / IPsec peer address(es), in an Excel file for example.
If you know the IP address used by the customer as peer you can use
show run | begin set peer <customer-IP-address>
this will provide you the running-configuration from the point where the command is applied in the crypto map. You will not see the crypto map sequence number, but you can find out the next sequence number in the crypto map, and if you use a standard numbering scheme the required sequence number will be: next-sequence-number - 10.
Hope to help
Giuseppe
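The manual procedure above (dump the crypto map section with show run | sec crypto map, or jump to the right place with show run | begin set peer) can be scripted when there are many customer peers. The following is an added example, not code from this thread or from Cisco: it parses a constructed running-config excerpt (documentation-range peer addresses, invented map and ACL names) and returns the crypto map entry, including the sequence number the customer is asking about, for a given peer address. It also checks the "mirror image" requirement on the interesting-traffic ACLs from the accepted answer, using constructed ACL lines.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a "show run | section crypto map" output (not from the thread).
SAMPLE_CONFIG = """\
crypto map VPNMAP 40 ipsec-isakmp
 set peer 198.51.100.40
 set transform-set TS-AES256-SHA
 match address VPN-CUST-A
crypto map VPNMAP 50 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256-SHA
 match address VPN-CUST-B
crypto map VPNMAP 60 ipsec-isakmp
 set peer 192.0.2.77
 set transform-set TS-AES128-SHA
 match address VPN-CUST-C
"""

# "crypto map <name> <seq> ipsec-isakmp" starts one entry; indented lines belong to it.
HEADER = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\s*$")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: list = field(default_factory=list)  # an entry may carry several "set peer" lines
    transform_set: str = ""
    acl: str = ""


def parse_crypto_maps(config: str) -> list:
    """Return one CryptoMapEntry per crypto map sequence found in the config text."""
    entries, current = [], None
    for raw in config.splitlines():
        m = HEADER.match(raw)
        if m:
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
            continue
        if current is None or not raw.startswith(" "):
            current = None  # a non-indented line ends the current entry
            continue
        words = raw.split()
        if words[:2] == ["set", "peer"]:
            current.peers.append(words[2])
        elif words[:2] == ["set", "transform-set"]:
            current.transform_set = words[2]
        elif words[:2] == ["match", "address"]:
            current.acl = words[2]
    return entries


def find_entry_by_peer(config: str, peer: str) -> list:
    """All crypto map entries whose 'set peer' list contains the given address."""
    return [e for e in parse_crypto_maps(config) if peer in e.peers]


def parse_ace(line: str):
    """Parse 'permit ip <src> <wc> <dst> <wc>' (with 'any' / 'host X' forms) into a 4-tuple."""
    words = line.split()
    if words[:2] != ["permit", "ip"]:
        return None
    rest, addrs, i = words[2:], [], 0
    while i < len(rest) and len(addrs) < 2:
        if rest[i] == "any":
            addrs.append(("0.0.0.0", "255.255.255.255")); i += 1
        elif rest[i] == "host":
            if i + 1 >= len(rest):
                return None
            addrs.append((rest[i + 1], "0.0.0.0")); i += 2
        else:
            if i + 1 >= len(rest):
                return None
            addrs.append((rest[i], rest[i + 1])); i += 2
    if len(addrs) != 2:
        return None
    return addrs[0] + addrs[1]  # (src, src_wc, dst, dst_wc)


def acls_are_mirrored(local_lines: list, remote_lines: list) -> bool:
    """True when every remote ACE is the source/destination swap of a local ACE and vice versa."""
    local = {parse_ace(l) for l in local_lines} - {None}
    remote = {parse_ace(l) for l in remote_lines} - {None}
    mirrored_remote = {(d, dwc, s, swc) for (s, swc, d, dwc) in remote}
    return local == mirrored_remote


if __name__ == "__main__":
    for e in find_entry_by_peer(SAMPLE_CONFIG, "203.0.113.10"):
        print(f"crypto map {e.name} {e.seq}: peers={e.peers} ts={e.transform_set} acl={e.acl}")
```

Feed it the captured output of show run | sec crypto map instead of SAMPLE_CONFIG; the peer lookup gives the sequence number directly, so there is no need to infer it from the next entry's number. The ACL check needs the matching ACL from both sides, which is exactly the data you would collect from the customer when a tunnel negotiates but no traffic flows.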
07-11-2019 07:30 AM
hi,
Is this for a router or an ASA FW?
I usually issue a show run | sec crypto on a router and show run crypto on an ASA FW to see what crypto commands are applied.
07-11-2019 09:18 PM
07-11-2019 12:27 PM
Hello,
you could also try:
sh crypto session remote peer-ip detail
It will show you whether the tunnel is up and what the encryption domain is.
--tim
07-11-2019 10:06 PM