7667 Views | 5 Helpful | 8 Replies

How to find out which isakmp policy is in use?

arfett111 (Level 1)

If you have a fully established (phase 1 and 2) VPN, is there a show command that lets you see which isakmp policy is being selected for that tunnel?

Accepted Solution

Maybe you would like to try using "debug crypto isakmp" to see the phase 1 negotiation, if you have the chance to disconnect and re-establish the tunnel.

Hope this helps.

http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

8 Replies

Yudong Wu (Level 7)

Try "show crypto isa sa detail".

I've already tried this one and it shows you the values for encryption, hash, etc., but does not provide you with the number of the isakmp policy in use.

Based on "encryption, hash ...", you can know which isakmp policy is matched. It just does not tell you exactly the number.
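Added example (editor's code, not from any post in this thread) showing how to do the matching Yudong describes mechanically: read the `crypto isakmp policy` blocks out of a running-config, read the Encr/Hash/Auth/DH columns from `show crypto isakmp sa detail`, and list every policy whose attributes agree. Both the config and the show output below are constructed samples modelled on IOS formatting; the IOS defaults for unset policy attributes and the `psk`/`rsig` abbreviations are assumptions from the IOS documentation, and the script assumes the Encr column does not show the AES key length. When more than one policy comes back, the show output alone cannot tell them apart, which is the limitation being discussed.

```python
import re
from collections import OrderedDict

# Constructed sample running-config excerpt (not taken from the thread).
# IOS omits defaults from the running-config, so policy 20 inherits "hash sha"
# and policy 30 inherits "encr des". Policy 25 differs from 20 only in lifetime.
RUNNING_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 25
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp policy 30
 hash md5
 authentication rsa-sig
 group 1
"""

# Constructed sample modelled on "show crypto isakmp sa detail" output.
SA_DETAIL = """\
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1001  192.0.2.1       198.51.100.7           ACTIVE 3des sha    psk  2  23:58:11 D
       Engine-id:Conn-id =  SW:1
1002  192.0.2.1       203.0.113.9            ACTIVE aes  sha    psk  5  23:12:40 D
       Engine-id:Conn-id =  SW:2
"""

# Assumed IOS defaults for attributes a policy leaves unset.
DEFAULTS = {"encr": "des", "hash": "sha", "auth": "rsig", "group": "1"}
# Config keyword -> abbreviation shown in the Auth column (assumed).
AUTH_ABBREV = {"pre-share": "psk", "rsa-sig": "rsig", "rsa-encr": "renc"}

POLICY_HDR = re.compile(r"^crypto isakmp policy (\d+)")
# Anchor on the numeric DH group and the hh:mm:ss lifetime so that the
# often-empty I-VRF column cannot shift the fields we care about.
SA_ROW = re.compile(
    r"^\s*(?P<cid>\d+)\s+(?P<local>\S+)\s+(?P<remote>\S+).*?"
    r"(?P<encr>\S+)\s+(?P<hash>\S+)\s+(?P<auth>\S+)\s+(?P<dh>\d+)\s+\d+:\d+:\d+"
)


def parse_policies(config):
    """Return {priority: attributes} in priority order, filling in IOS defaults."""
    policies = OrderedDict()
    current = None
    for line in config.splitlines():
        m = POLICY_HDR.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = dict(DEFAULTS)
            continue
        if current is None or not line.startswith(" "):
            current = None          # left the policy block
            continue
        parts = line.split()
        if parts[0] == "encr":
            policies[current]["encr"] = parts[1]   # AES key length (parts[2]) is not visible in the show output
        elif parts[0] == "hash":
            policies[current]["hash"] = parts[1]
        elif parts[0] == "authentication":
            policies[current]["auth"] = AUTH_ABBREV.get(parts[1], parts[1])
        elif parts[0] == "group":
            policies[current]["group"] = parts[1]
        # "lifetime" is deliberately ignored: the SA row only shows time remaining
    return policies


def parse_sa_rows(output):
    """Return one dict per ISAKMP SA row with the negotiated attributes."""
    return [m.groupdict() for line in output.splitlines() if (m := SA_ROW.match(line))]


def candidate_policies(sa, policies):
    """Priorities whose attributes equal the negotiated ones, lowest first.

    IOS evaluates policies in ascending priority, so the first entry is the one
    the router would have matched. More than one entry means the show output
    cannot distinguish them (they differ only in lifetime or AES key length).
    """
    return [
        prio for prio, pol in policies.items()
        if (pol["encr"], pol["hash"], pol["auth"], pol["group"])
        == (sa["encr"], sa["hash"], sa["auth"], sa["dh"])
    ]


if __name__ == "__main__":
    pols = parse_policies(RUNNING_CONFIG)
    for sa in parse_sa_rows(SA_DETAIL):
        print(sa["cid"], sa["remote"], "->", candidate_policies(sa, pols) or "no configured policy matches")
```

Run against real devices by pasting the `show running-config | section crypto isakmp policy` and `show crypto isakmp sa detail` output into the two strings; the ambiguous case (policies 20 and 25 both matching C-id 1001) is the situation where only the debug output can settle which priority was used.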

Thank you.  I am aware of this.  If the command I am looking for does not exist it is not the end of the world, but I am trying to reproduce an issue where a router may not be using the proper isakmp policy and simply matching the values does not help.

Generally, in a VPN negotiation all the ISAKMP policies and IPSec transform sets configured on the device are used.

So, there is no way a particular ISAKMP policy would be skipped unless it is some kind of bug.

Please start a discussion on the community about the issue you are trying to recreate. Maybe we can wrap our heads around it and see what's going on.


Cheers,

Nash.


I actually realized the "debug crypto isakmp" process showed the router going through each individual policy until finding a matching one right after making my last post.  The problem I was looking into was seemingly bogus to me, I just needed a way to show it.  Thanks for the effort.
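Added example (editor's code, not from any post in this thread) that replays the walk through the policies the poster saw in `debug crypto isakmp`: it finds each "Checking ISAKMP transform N against priority P policy" line, pairs it with the "atts are acceptable" / "atts are not acceptable" verdict that follows, keeps the rejection reason IOS prints in between, and reports the priority that finally accepted the peer's proposal. The debug text below is a constructed sample modelled on the IOS message format, so the exact wording of the reason lines on a given release is an assumption.

```python
import re

# Constructed sample modelled on "debug crypto isakmp" output (not from the thread):
# the responder checks the peer's offered transforms against each configured
# policy in priority order until one accepts the attributes.
DEBUG_LOG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:      life type in seconds
ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x80
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 3
ISAKMP:(0):Checking ISAKMP transform 2 against priority 10 policy
ISAKMP:      encryption AES-CBC
ISAKMP:      keylength of 128
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):Diffie-Hellman group offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):atts are acceptable. Next payload is 3
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
VERDICT = re.compile(r"atts are (not )?acceptable")
REASON = re.compile(r"ISAKMP:\(\d+\):(.+ does not match policy!)")


def trace_policy_selection(log):
    """Replay the negotiation and return (selected_priority, attempts).

    attempts lists every policy/transform pair the router evaluated, in order,
    with its verdict and the reason IOS printed for a rejection (None if accepted).
    """
    attempts = []
    selected = None
    current = None      # (priority, transform) currently under evaluation
    reason = None
    for line in log.splitlines():
        m = CHECK.search(line)
        if m:
            current = (int(m.group(2)), int(m.group(1)))
            reason = None
            continue
        m = REASON.search(line)
        if m:
            reason = m.group(1)
            continue
        m = VERDICT.search(line)
        if m and current is not None:
            accepted = m.group(1) is None
            attempts.append({"policy": current[0], "transform": current[1],
                             "accepted": accepted, "reason": reason})
            if accepted and selected is None:
                selected = current[0]       # first acceptance wins
            current = None
    return selected, attempts


def policies_rejected(attempts):
    """Priorities that rejected every transform offered, with the last reason seen."""
    accepted = {a["policy"] for a in attempts if a["accepted"]}
    return {a["policy"]: a["reason"] for a in attempts if a["policy"] not in accepted}


if __name__ == "__main__":
    chosen, tried = trace_policy_selection(DEBUG_LOG)
    for a in tried:
        verdict = "accepted" if a["accepted"] else "rejected: " + str(a["reason"])
        print(f"policy {a['policy']} transform {a['transform']}: {verdict}")
    print("selected policy:", chosen)
```

Feed it the captured debug output from the re-established tunnel (the sample here is the constructed string); the per-attempt reasons are what you want when a router appears to skip a policy, since they show which attribute of the lower-priority policy the peer's proposal failed to satisfy.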

This command shows each IKE connection and what policy is being used without going into debug and reconnecting the tunnel.