Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8348
Views
0
Helpful
2
Replies

how to cut VPN tunnel and connect again

martlee2
Cisco Employee
Cisco Employee

‎02-19-2015 11:37 AM

I heard in video course that there is a technique to cut VPN and connect again

how to do this?

 

if i want to capture the diffe hellman exchange and try my own decryption algorithm for the key, how to do ?

 

Labels:
0 Helpful
2 Replies 2

rizwanr74
Level 7
Level 7

‎02-20-2015 12:54 PM

To kill existing tunnel, you can use clear command.

phase one clear

clear crypto isakmp sa peer 1.1.1.1

phase two clear

clear crytop ipsec sa peer 1.1.1.1

 

To see, connection establishment.

 

debug crypto isakmp sa 7

debug crypto ipsec sa 7

 

Hope this helps.

Thanks

 

 

 

0 Helpful

Kamal Malhotra
Cisco Employee
Cisco Employee

‎02-21-2015 07:19 AM

Hi,

 

Can you be a little more elaborate about cutting the VPN tunnel? Are you referring to 'intercepting' the packets? Or, to disconnect an existing tunnel? Or, to simply check the debugs?

 

For 2,  the commands are different on router and ASA. On router:

 

clear crypto sa peer <a.b.c.d> (to clear phase 2 SA)

clear crypto isakmp <conn id> (to clear phase 1 SA)

 

On ASA :

 

clear crypto ipsec sa peer <a.b.c.d> (to clear phase 2 SA)

clear crypto isakmp sa (to clear phase 1 SA) ---> No option to clear the ISAKMP SA for a particular peer using this command.

 

For 3, you can use conditional debugs.  On ASA :

 

debug crypto condition peer <a.b.c.d>

debug crymp isakmp 128

debug crypto ipsec 128

 

On router :

debug crypto condition peer ipv4 <a.b.c.d>

debug crypto isakmp

debug crypto ipsec

 

Hope this helps.

 

0 Helpful
Customers Also Viewed These Support Documents