athukral

I thought of sharing IPsec debugging and troubleshooting steps with everyone. Being in VPN technology, we explain this to many of our customers, and I thought of discussing it here on our support forum as well.

What is IPsec?

IPsec stands for IP Security, and the standard definition of IPsec is:

“A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality” (IETF)

It is a standard for privacy, integrity and authenticity.

IPsec Protocol Architecture

IPsec is a combination of three primary protocols: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP port 500).

  • Authentication: Authentication Header (AH) and Encapsulating Security Payload (ESP)
  • Integrity: Encapsulating Security Payload (ESP)
  • Confidentiality: Encapsulating Security Payload (ESP)
  • Bringing it all together: Internet Key Exchange (IKE)

IPsec is implemented in the following five stages:

  • Decision to use IPsec between two end points across the internet
  • Configuration of the two gateways between the end points to support IPsec
  • Initiation of an IPsec tunnel between the two gateways due to ‘interesting traffic’
  • Negotiation of IPsec/IKE parameters between the two gateways
  • Passage of encrypted traffic

IPsec Troubleshooting Steps

  • Check for interesting traffic to initiate the tunnel: check the crypto ACLs for hit counts
        – If there are none, verify routing (static or RRI)
  • Verify that the IKE SA is up (QM_IDLE) for that peer
        – If not, verify that the pre-shared keys match
        – Verify that the IKE policies (encryption, authentication, DH group) match
        – Verify that the IKE identities match
  • Verify that the IPsec SAs are up (inbound and outbound SPIs)
        – If not, verify that the IPsec transform sets match
        – Verify that the crypto ACLs are mirrored on each side
        – Verify that the crypto map is applied on the right interface
  • Turn on IKE/IPsec debugs

IPsec Show Commands

  • To show IKE SA information:

        show crypto isakmp sa <vrf> [detail]

        show crypto isakmp peer <ip-addr>

  • To show IPsec SA information:

        show crypto ipsec sa [ address | detail | interface | map | peer | vrf ]

  • To show IKE and IPsec information together:

        show crypto session [ fvrf | group | ivrf | username ] [ detail ]

        show crypto engine connection active
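As an added example (not from the original post), here is a small Python parser for `show crypto isakmp sa` output that applies the Phase 1 branch of the troubleshooting steps above: peers in QM_IDLE move on to the IPsec SA checks, anything else gets the pre-shared key, IKE policy and identity checks. The sample output, the local address 10.0.0.1 and the state interpretation in the comments are assumptions.

```python
import re

# Constructed sample `show crypto isakmp sa` output in the IOS format (not a real device).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1001 ACTIVE
10.0.0.3        10.0.0.1        MM_NO_STATE       1002 ACTIVE (deleted)
10.0.0.1        10.0.0.4        MM_KEY_EXCH       1003 ACTIVE
IPv6 Crypto ISAKMP SA
"""

ROW_RE = re.compile(
    r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<connid>\d+)\s+(?P<status>.+?)\s*$"
)

# Phase 1 checks from the troubleshooting steps, in the order the post lists them.
PHASE1_CHECKS = (
    "verify matching pre-shared keys",
    "verify IKE policies (encr, auth, DH) match",
    "verify matching IKE identities",
)
PHASE2_CHECKS = ("check IPsec SAs: show crypto ipsec sa",)

def parse_isakmp_sa(text):
    """Return one dict per SA row; header, title and blank lines are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]

def assess_row(row):
    """QM_IDLE means Phase 1 is complete and quiescent. Any MM_* (main mode) or
    AG_* (aggressive mode) state means Phase 1 never finished; a '(deleted)'
    status means the router is already tearing that attempt down (assumption)."""
    if row["state"] == "QM_IDLE":
        return "phase1_up"
    return "phase1_failed" if "deleted" in row["status"] else "phase1_in_progress"

def next_checks(text, local_ip):
    """Peer address -> (verdict, checks to run next). The peer is whichever of
    dst/src is not this router's own address: dst is the peer only when we
    were the initiator."""
    result = {}
    for row in parse_isakmp_sa(text):
        peer = row["src"] if row["dst"] == local_ip else row["dst"]
        verdict = assess_row(row)
        checks = PHASE2_CHECKS if verdict == "phase1_up" else PHASE1_CHECKS
        result[peer] = (verdict, list(checks))
    return result
```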

Cisco IOS IPsec Debugging

  • These are the current IKE/IPsec debugs available; the highlighted ones are typically the most useful
  • Make sure to use crypto conditional debugs when troubleshooting production routers

        debug crypto isakmp
        debug crypto isakmp error
        debug crypto isakmp ha
        debug crypto ipsec
        debug crypto ipsec error
        debug crypto routing
        debug crypto ha
        debug crypto engine error
        debug crypto engine packet

Crypto Conditional Debugging

We can use crypto conditional debugging when we are troubleshooting live networks, especially where there are multiple tunnels running on the device.

  • The crypto conditional debug CLI commands—debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition—allow you to specify conditions (filter values) so that only the debug messages related to those conditions are generated and displayed
  • The router performs conditional debugging only after at least one of the global crypto debug commands—debug crypto isakmp, debug crypto ipsec, or debug crypto engine—has been enabled; this requirement helps to ensure that router performance is not impacted when conditional debugging is not being used
  • To enable crypto conditional debugging:

        debug crypto condition <cond-type> <cond-value>

        debug crypto { isakmp | ipsec | engine }

  • To view the crypto condition debugs that have been enabled:

        show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]

  • To disable crypto condition debugs:

        debug crypto condition reset

Crypto Conditional Debugging Condition Types

  • fvrf: the name string of a VPN routing and forwarding (VRF) instance; relevant debug messages are shown if the current IPsec operation uses this VRF instance as its front-door VRF (FVRF)
  • ivrf: the name string of a VRF instance; relevant debug messages are shown if the current IPsec operation uses this VRF instance as its inside VRF (IVRF)
  • isakmp profile: the name string of the ISAKMP profile to be matched against for debugging
  • local ipv4: the IP address string of the local IKE endpoint
  • peer group: an EzVPN group name string; relevant debug messages are shown if the peer is using this group name as its identity
  • peer ipv4: a single IP address; relevant debug messages are shown if the current IPsec operation is related to the IP address of this peer
  • peer subnet: a subnet and a subnet mask that specify a range of peer IP addresses; relevant debug messages are shown if the IP address of the current IPsec peer falls into the specified subnet range
  • peer hostname: a fully qualified domain name (FQDN) string; relevant debug messages are shown if the peer is using this string as its identity
  • username: the username string (XAuth username or PKI-AAA username obtained from a certificate)

Clearing a VPN Tunnel

  • To clear the IKE phase (Phase 1):

        clear crypto isakmp sa

  • To clear the IPsec phase (Phase 2):

        clear crypto ipsec sa

Crypto Logging

Two crypto logging enhancements were introduced in recent Cisco IOS images:

Hub(config)# crypto logging ?

          ezvpn                  ezvpn logging enable/disable

          session               logging up/down session

        Crypto logging session, introduced in 12.3(14)T, displays tunnel up/down messages:

        %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 40.10.1.1:500       Id: 40.10.1.1

        %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 40.10.1.1:500       Id: 40.10.1.1

        Crypto logging ezvpn, introduced in 12.4(4)T, displays EasyVPN connection messages:

        %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 2.2.2.2:500 f_vrf:  FVRF1     Id: cisco

        %CRYPTO-6-EZVPN_CONNECTION_DOWN: (Server)  Mode=NEM  Client_type=CISCO_IOS  User=  Group=cisco  Client_public_addr=2.2.2.2  Server_public_addr=1.1.1.2  f_vrf=FVRF1

        %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 2.2.2.2:500 f_vrf:  FVRF1     Id: cisco

        %CRYPTO-6-EZVPN_CONNECTION_UP: (Server)  Mode=NEM  Client_type=CISCO_IOS  User=  Group=cisco  Client_public_addr=2.2.2.2  Server_public_addr=1.1.1.2  f_vrf=FVRF1 
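As an added example, not part of the original post: detection logic in Python that parses the %CRYPTO-5-SESSION_STATUS lines shown above from a syslog feed and flags peers whose tunnel keeps going DOWN within a short window, the case where a conditional debug scoped to that one peer is the sensible next step on a production router. The log lines, timestamps (IOS "datetime msec" style) and addresses are constructed, and the parser assumes all lines fall on the same day.

```python
import re
from collections import defaultdict, deque

# Constructed syslog lines in the %CRYPTO-5-SESSION_STATUS format shown in the post;
# the "*Mon DD hh:mm:ss.mmm:" prefix assumes "service timestamps log datetime msec".
SAMPLE_LOG = """\
*Mar  1 10:00:00.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 40.10.1.1:500       Id: 40.10.1.1
*Mar  1 10:00:30.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 40.10.1.1:500       Id: 40.10.1.1
*Mar  1 10:00:31.500: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 40.10.1.1:500       Id: 40.10.1.1
*Mar  1 10:01:02.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 40.10.1.1:500       Id: 40.10.1.1
*Mar  1 10:01:40.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN.  Peer 40.10.1.1:500       Id: 40.10.1.1
*Mar  1 10:02:00.000: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer 2.2.2.2:500 f_vrf:  FVRF1     Id: cisco
*Mar  1 10:02:00.100: %CRYPTO-6-EZVPN_CONNECTION_UP: (Server)  Mode=NEM  Client_type=CISCO_IOS  User=  Group=cisco  Client_public_addr=2.2.2.2  Server_public_addr=1.1.1.2  f_vrf=FVRF1
"""

LINE_RE = re.compile(
    r"^\*?\w{3}\s+\d+\s+(?P<h>\d+):(?P<m>\d+):(?P<s>\d+)\.(?P<ms>\d+):\s+"
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*"
    r"Peer (?P<peer>[\d.]+):(?P<port>\d+)(?:\s+f_vrf:\s*(?P<fvrf>\S+))?\s+Id:\s*(?P<ident>\S+)"
)

def parse_session_events(text):
    """Return (seconds_since_midnight, peer, fvrf, identity, state) per
    SESSION_STATUS line; other messages such as EZVPN_CONNECTION_* are ignored.
    Assumes one day of logs, which is all that flap detection needs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"]) + int(m["ms"]) / 1000
        events.append((t, m["peer"], m["fvrf"] or "global", m["ident"], m["state"]))
    return events

def flapping_peers(events, window=120, max_downs=3):
    """Return {peer: down_count} for peers with at least max_downs DOWN events
    inside a sliding window of `window` seconds. A tunnel that comes up and
    then keeps dropping is a different problem from one that never reaches
    QM_IDLE, so it gets its own check rather than the Phase 1 list."""
    downs = defaultdict(deque)
    flagged = {}
    for t, peer, _fvrf, _ident, state in events:
        if state != "DOWN":
            continue
        q = downs[peer]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= max_downs:
            flagged[peer] = max(flagged.get(peer, 0), len(q))
    return flagged
```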

That’s all from my side today.

I am thinking of coming up with a few known issues or scenarios in my next blog, so I am looking forward to your inputs and feedback. Thanks
