how to list remote subnets connected over a site-to-site vpn

06-28-2015 03:50 AM
Hi,
Why does the command show ip route not list subnets that are reachable over an active vpn connection?
I know there exist commands like show crypto ipsec sa which could give you some details about active vpn sessions, but you have to read through all the output.
Do any other commands actually exist which would list "vpn subnets"?
This link for a different product shows a command which actually lists all vpn subnets.
Thanks
Ravi
Labels: VPN
06-28-2015 09:35 AM
The IPsec SAs are formed as a result of the access-list that is referenced in the crypto map for a given site-site VPN.
For that reason, I try to use access-lists with human readable names so I can easily have a look at the ACL to know which subnets (or, more accurately, local-remote subnet pairs) are covered in a given site-site VPN.
As you noted, the "show crypto ipsec sa" command is the most definitive, although it often gives you more information than you want. I sometimes use that and trim the output by piping it to an "include" statement.
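An added example, not part of the original thread: a small Python parser that reduces saved "show crypto ipsec sa" output to the local-remote subnet pairs per peer discussed above. The sample text is constructed in the IOS output layout, and the function name, crypto map tag and addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout printed by "show crypto ipsec sa"
# (documentation/private addresses, not taken from the thread).
SAMPLE = """\
interface: GigabitEthernet0/0
    Crypto map tag: BRANCH-VPN, local addr 198.51.100.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.1.0/255.255.255.0/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.20.2.0/255.255.255.128/0/0)
   current_peer 203.0.113.10 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
"""

# "local ident" / "remote ident" lines carry the proxy identities of each SA.
IDENT = re.compile(r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
                   r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
# The peer line closes one local/remote pair (the colon is optional).
PEER = re.compile(r"^\s*current_peer:?\s+([\d.]+)")


def vpn_subnets(text):
    """Return sorted unique (peer, local_net, remote_net) tuples in CIDR form."""
    pairs, ident = set(), {}
    for line in text.splitlines():
        m = IDENT.match(line)
        if m:
            side, addr, mask = m.groups()
            # Dotted netmask -> prefix length, e.g. 255.255.255.128 -> /25
            ident[side] = str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            continue
        m = PEER.match(line)
        if m and {"local", "remote"} <= ident.keys():
            pairs.add((m.group(1), ident["local"], ident["remote"]))
            ident = {}
    return sorted(pairs)


if __name__ == "__main__":
    for peer, local, remote in vpn_subnets(SAMPLE):
        print(f"{peer:15}  {local:18} <-> {remote}")
```

Only subnet pairs that currently have an SA appear in this output; the crypto map access-list remains the reference for what the tunnel is configured to cover.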
