02-28-2008 12:19 PM - edited 02-21-2020 03:35 PM
In IOS, is it possible to list the ESP SA's encryption keys that were negotiated by ISAKMP for an IPsec tunnel? I've searched the CLI options but it doesn't seem to be possible...
I'm trying to diagnose what is happening inside an IPsec tunnel with a sniffer such as Wireshark.
Thanks,
JC
03-05-2008 02:08 PM
You can use the command show crypto map <> to find the encryption key negotiated during the conversation.
03-06-2008 10:18 AM
"show crypto map xxxxx" doesn't show the encryption key, at least not on this IOS (12.2(33)SRA6):
output:
Crypto Map "XXXXX" 65590 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list
access-list permit ip x.x.x.x 0.0.0.255 host x.x.x.x
dynamic (created from dynamic map xxxxx/1)
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/3600 seconds
Security association idletime: 300 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DES-SHA,
}