Beginner

How to find out which isakmp policy is in use?

If you have a fully established (phase 1 and 2) VPN, is there a show command that lets you see which isakmp policy is being selected for that tunnel?

1 ACCEPTED SOLUTION

Beginner

Re: How to find out which isakmp policy is in use?

Maybe you would like to try using "debug crypto isakmp" to see the phase 1 negotiation, if you have the chance to disconnect and re-establish the tunnel.

Hope this helps.

http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

8 REPLIES
Rising star

Re: How to find out which isakmp policy is in use?

Try "show crypto isa sa detail".

Beginner

Re: How to find out which isakmp policy is in use?

I've already tried this one and it shows you the values for encryption, hash, etc., but does not provide you with the number of the isakmp policy in use.

Rising star

Re: How to find out which isakmp policy is in use?

Based on "encrypted, hash ...", you can tell which isakmp policy is matched. It just does not tell you exactly the number.

Beginner

Re: How to find out which isakmp policy is in use?

Thank you. I am aware of this. If the command I am looking for does not exist it is not the end of the world, but I am trying to reproduce an issue where a router may not be using the proper isakmp policy and simply matching the values does not help.

Beginner

Re: How to find out which isakmp policy is in use?

Generally, in a VPN negotiation all the ISAKMP policies and IPSec transform sets configured on the device are used.

So, there is no way a particular ISAKMP policy would be skipped unless it is some kind of bug.

Please start a discussion on the community about the issue you are trying to recreate. Maybe we can wrap our heads around it and see what's going on.


Cheers,

Nash.

Beginner

Re: How to find out which isakmp policy is in use?

I actually realized the "debug crypto isakmp" process showed the router going through each individual policy until finding a matching one right after making my last post. The problem I was looking into was seemingly bogus to me; I just needed a way to show it. Thanks for the effort.
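
The policy-by-policy comparison that "debug crypto isakmp" prints, as described in the post above, can be walked with a short parser to report which policy priority was accepted and why earlier ones were rejected. This is an added example, not part of the original thread or any Cisco tool; the sample debug text is constructed and the line patterns are assumptions modelled on typical IOS output, which varies by release.

```python
import re

# Constructed sample; wording modelled on IOS "debug crypto isakmp" output
# (an assumption: exact text varies by release).
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):Hash algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):atts are acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"ISAKMP:\s+(encryption|keylength of|hash|default group|auth)\s+(\S+)")
MISMATCH = re.compile(r"([\w -]+ offered (?:but )?does not match policy)")
VERDICT = re.compile(r"atts are (not )?acceptable")


def policy_checks(debug_text):
    """One record per transform-vs-policy comparison, in log order."""
    checks, cur = [], None
    for line in debug_text.splitlines():
        if m := CHECK.search(line):
            cur = {"transform": int(m[1]), "priority": int(m[2]),
                   "offered": {}, "accepted": None, "reason": None}
            checks.append(cur)
        elif cur is None:
            continue  # line is outside any policy comparison
        elif m := ATTR.search(line):
            cur["offered"][m[1]] = m[2]
        elif m := MISMATCH.search(line):
            cur["reason"] = m[1].strip()
        elif m := VERDICT.search(line):
            cur["accepted"] = m[1] is None
            cur = None
    return checks


def matched_priority(debug_text):
    """Priority of the first policy whose attributes were accepted, or None."""
    hits = [c["priority"] for c in policy_checks(debug_text) if c["accepted"]]
    return hits[0] if hits else None
```

The parser assumes the captured text covers a single phase 1 negotiation; interleaved negotiations with several peers would need to be split by peer first.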

Beginner

Re: How to find out which isakmp policy is in use?

This command shows each IKE connection and what policy is being used without going into debug and reconnecting the tunnel.