05-01-2012 05:17 AM - edited 02-21-2020 06:02 PM
Hi friends,
I am sure this would be a piece of cake for those acquainted with VPNs. I was trying to bring up a VPN tunnel (IPsec) using a preshared key.
The good thing is that it seems to be working as I can ping the other end (router B) LAN's interface using the source as LAN interface of this router (router A).
Below is the config snap shot for VPN:
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key cisco address 30.0.0.1
!
!
crypto ipsec transform-set my-transform esp-3des esp-sha-hmac
!
crypto map branch-map 10 ipsec-isakmp
set peer 30.0.0.1
set transform-set my-transform
match address 101
interface FastEthernet0/1
description WAN
ip address 20.0.0.1 255.255.255.252
duplex auto
speed auto
crypto map branch-map
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
The good thing is that I can ping the other end of the tunnel, which is great. However, I wanted to know what the appropriate "sh" commands are that I could use to confirm the same.
I used the following "show" commands, "show crypto isakmp sa" and "sh crypto ipsec sa", and below are their outputs:
Router A#sho crypto isakmp sa
dst src state conn-id slot
30.0.0.1 20.0.0.1 QM_IDLE 2 0
Router A#sho crypto ipsec sa
interface: FastEthernet0/1
Crypto map tag: branch-map, local addr. 20.0.0.1
protected vrf:
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 30.0.0.1:500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1059, #pkts encrypt: 1059, #pkts digest 1059
#pkts decaps: 1059, #pkts decrypt: 1059, #pkts verify 1059
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1, #recv errors 0
local crypto endpt.: 20.0.0.1, remote crypto endpt.: 30.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: E8FF5480
inbound esp sas:
spi: 0xCD7BC975(3447441781)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2002, flow_id: 3, crypto map: branch-map
sa timing: remaining key lifetime (k/sec): (4553941/2400)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE8FF5480(3909047424)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2003, flow_id: 4, crypto map: branch-map
sa timing: remaining key lifetime (k/sec): (4553941/2398)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
My concern was that the output of "sh crypto isakmp sa" was always showing as "QM_idle", and it remained the same even when I shut down the WAN interface of the router.
Is there any other command that I am missing??
Thanks!
Regards,
Mohit
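A way to confirm the tunnel from those two outputs programmatically, as an added example that is not part of the original post or of any Cisco tool: it parses the "show crypto isakmp sa" and "show crypto ipsec sa" formats pasted above (the sample text in the script is constructed to match them) and, instead of trusting QM_IDLE alone, checks that the #pkts encaps and #pkts decaps counters both advance between two snapshots taken around some test pings. All function names, field names and the "up / one-way / idle / down" labels are my own.

```python
"""Parse and sanity-check 'show crypto isakmp sa' / 'show crypto ipsec sa'.

Added example, not code from the thread. The sample text is constructed to
mirror the layout of the outputs pasted in the post.
"""
import re

# Constructed sample with the same layout as 'show crypto isakmp sa'.
ISAKMP_SA = """\
dst src state conn-id slot
30.0.0.1 20.0.0.1 QM_IDLE 2 0
"""

# Constructed template for 'show crypto ipsec sa'; only the counters vary
# between snapshots, so the same text serves as the before/after capture.
IPSEC_SA_TEMPLATE = """\
interface: FastEthernet0/1
Crypto map tag: branch-map, local addr. 20.0.0.1
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
current_peer: 30.0.0.1:500
#pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest {enc}
#pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify {dec}
#send errors {serr}, #recv errors 0
current outbound spi: E8FF5480
inbound esp sas:
spi: 0xCD7BC975(3447441781)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4553941/2400)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE8FF5480(3909047424)
transform: esp-3des esp-sha-hmac ,
sa timing: remaining key lifetime (k/sec): (4553941/2398)
outbound ah sas:
outbound pcp sas:
"""

COUNTER_RE = re.compile(r"#(pkts encaps|pkts decaps|send errors|recv errors)[: ]+(\d+)")
SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")


def snapshot(enc, dec, serr=1):
    """Build one constructed 'show crypto ipsec sa' capture with given counters."""
    return IPSEC_SA_TEMPLATE.format(enc=enc, dec=dec, serr=serr)


def parse_isakmp_sa(text):
    """One dict per phase 1 SA; the 'dst src state ...' header is skipped."""
    sas = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "dst":
            continue
        sas.append({"dst": parts[0], "src": parts[1], "state": parts[2],
                    "conn_id": int(parts[3]), "slot": int(parts[4])})
    return sas


def parse_ipsec_sa(text):
    """Extract peer, counters, current outbound SPI and the ESP SAs per direction."""
    info = {"peer": None, "outbound_spi": None, "counters": {},
            "sas": {"inbound": [], "outbound": []}}
    direction = None  # which '... esp sas:' section we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        for m in COUNTER_RE.finditer(line):
            info["counters"][m.group(1).replace(" ", "_")] = int(m.group(2))
        if line.startswith("current_peer:"):
            info["peer"] = line.split()[1]
        elif line.startswith("current outbound spi:"):
            info["outbound_spi"] = line.split()[-1].upper()
        elif line.endswith(" sas:"):
            # 'inbound esp sas:' opens a section; the ah/pcp headings close it
            d, proto = line.split()[:2]
            direction = d if proto == "esp" else None
        elif direction:
            m = SPI_RE.match(line)
            if m:
                info["sas"][direction].append({"spi": m.group(1).upper()})
                continue
            m = LIFE_RE.search(line)
            if m and info["sas"][direction]:
                info["sas"][direction][-1].update(
                    kb_left=int(m.group(1)), sec_left=int(m.group(2)))
    return info


def tunnel_health(isakmp_text, before_text, after_text):
    """Classify the tunnel from the phase 1 listing plus two ipsec snapshots.

    QM_IDLE only says phase 1 completed at some point: the SA stays listed
    until its lifetime expires even if the WAN link is down. The evidence of
    a working tunnel is encaps AND decaps both increasing across the pings.
    """
    findings = []
    if not any(sa["state"] == "QM_IDLE" for sa in parse_isakmp_sa(isakmp_text)):
        return {"status": "down", "findings": ["no ISAKMP SA in QM_IDLE: phase 1 not complete"]}
    before, after = parse_ipsec_sa(before_text), parse_ipsec_sa(after_text)
    if not after["sas"]["inbound"] or not after["sas"]["outbound"]:
        return {"status": "down", "findings": ["no ESP SA pair: phase 2 not complete"]}
    if after["outbound_spi"] != after["sas"]["outbound"][-1]["spi"]:
        findings.append("current outbound SPI does not match the listed outbound ESP SA")
    c0, c1 = before["counters"], after["counters"]
    d_enc = c1["pkts_encaps"] - c0["pkts_encaps"]
    d_dec = c1["pkts_decaps"] - c0["pkts_decaps"]
    d_err = c1["send_errors"] - c0["send_errors"]
    if d_err:
        findings.append(f"{d_err} new send error(s)")
    if d_enc > 0 and d_dec > 0:
        status = "up"
        findings.append(f"+{d_enc} encaps / +{d_dec} decaps: traffic flowing both ways")
    elif d_enc > 0:
        status = "one-way"
        findings.append(f"+{d_enc} encaps but +0 decaps: nothing coming back from the peer")
    else:
        status = "idle"
        findings.append("counters unchanged: no traffic was offered to the tunnel")
    return {"status": status, "findings": findings}


if __name__ == "__main__":
    # Before/after the test pings; the second pair mimics a dead return path.
    print(tunnel_health(ISAKMP_SA, snapshot(1059, 1059), snapshot(1064, 1064)))
    print(tunnel_health(ISAKMP_SA, snapshot(1064, 1064), snapshot(1069, 1064)))
```

In practice you would paste the two captures taken before and after a handful of pings sourced from the LAN interface; "up" means both directions are encrypting and decrypting, "one-way" means your router is sending ESP but the peer's replies never arrive, which is exactly the case a lingering QM_IDLE would otherwise hide.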
05-01-2012 06:08 AM
Hi Mohit.
The "QM_idle" state will remain until the security association expires, after which it will go to the "deleted" state.
Here are a few more commands you can use to verify the IPsec tunnel.
show crypto ipsec sa detail
show crypto ipsec sa
thanks
Rizwan Rafeek
05-01-2012 11:49 PM
Hello
Coming back to your initial question:
"My concern was that the output of "sh crypto isakmp sa" was always showing as "QM_idle", and it remained the same even when I shut down the WAN interface of the router.
Is there any other command that I am missing??"
If you shut down the WAN interface, the ISAKMP Phase I and Phase II will remain until a rekey happens. At that stage, after retransmitting packets, we will flush the Phase I and the Phase II.
If you are looking at flushing the tunnel when the interface goes down, then you have to enable keepalives:
crypto isakmp keepalive 60 5
Cheers