10-20-2022 08:22 AM
What show command will show what phase 1 parameters have been negotiated for a specific VPN tunnel on a Cisco ISR4431? 'show crypto isakmp sa' doesn't display any output. Also, what's the debug to show phase 1 negotiation?
Thanks
10-20-2022 08:24 AM - edited 10-20-2022 08:30 AM
all info you need
Note: don't forget to ping from site to site to check the IPsec Phase 1 and Phase 2 state.
10-20-2022 08:27 AM
D@1984 are you using IKEv1 (isakmp) or IKEv2?
"show crypto ikev2 sa"
"show crypto isakmp sa" or "show crypto ikev1 sa"
There will only be an IKE SA (phase 1) if it's been established, so if using a policy based VPN (crypto map) you'd need to generate interesting traffic for the IKE SA to be initiated.
10-20-2022 08:53 AM
Thanks, it's version 2, so am I using 'show crypto ikev1 sa' for version 2?
When I run the command, I can see some of the existing tunnels, but can't see anything for the one that I'm trying to establish.
10-20-2022 08:55 AM
Sorry, I meant 'show crypto ikev2'
10-20-2022 08:56 AM
D@1984 if using IKEv2 then you'd use - "show crypto ikev2 sa".
If no IKEv2 SA, then generate some traffic to bring up the tunnel (if a policy based VPN), if that doesn't work, then you might have a problem to troubleshoot.
10-20-2022 09:02 AM - edited 10-20-2022 09:03 AM
10-20-2022 09:39 AM
Setting the debug, I get the below:
.Oct 20 16:32:23.228 UTC: IKEv2:% Getting preshared key from profile keyring keyring-ipsec-Con0
.Oct 20 16:32:23.229 : IKEv2:% Matched peer block '21.x.x.x'
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 3, local address 10.10.1.1
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'aaa-IKEv2-Policy'
I'm not sure what exactly I have to get from above, but it matches against the wrong policy.
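Added example (not part of any post in this thread and not Cisco tooling): a small Python parser for the IKEv2 debug lines quoted above. It pulls out the keyring, peer block, fvrf, local address and the policy the router selected, then compares that policy with the one you intended. The expected policy name `site-b-IKEv2-Policy` is a hypothetical placeholder.

```python
import re

# The four debug lines quoted in the post above, copied as-is.
SAMPLE_DEBUG = """\
.Oct 20 16:32:23.228 UTC: IKEv2:% Getting preshared key from profile keyring keyring-ipsec-Con0
.Oct 20 16:32:23.229 : IKEv2:% Matched peer block '21.x.x.x'
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 3, local address 10.10.1.1
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'aaa-IKEv2-Policy'
"""

PATTERNS = {
    "keyring": re.compile(r"Getting preshared key from profile keyring (\S+)"),
    "peer": re.compile(r"Matched peer block '([^']+)'"),
    "search": re.compile(r"Searching Policy with fvrf (\S+), local address (\S+)"),
    "found": re.compile(r"Found Policy '([^']+)'"),
}

def parse_policy_lookups(text):
    """Return one record per 'Searching Policy' line; policy is None if none was found."""
    lookups, context, current = [], {}, None
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if "IKEv2:" not in line or not m:
                continue
            if name in ("keyring", "peer"):
                context[name] = m.group(1)      # remembered until the next lookup
            elif name == "search":
                current = {"fvrf": m.group(1), "local": m.group(2), "policy": None, **context}
                lookups.append(current)
                context = {}
            elif current is not None:           # "found" closes the open lookup
                current["policy"] = m.group(1)
                current = None
    return lookups

def mismatches(lookups, expected):
    """expected maps (fvrf, local address) -> the policy name you intended to match."""
    out = []
    for lk in lookups:
        want = expected.get((lk["fvrf"], lk["local"]))
        if want is not None and lk["policy"] != want:
            out.append(f"fvrf {lk['fvrf']} local {lk['local']}: got {lk['policy']!r}, expected {want!r}")
    return out

if __name__ == "__main__":
    # Hypothetical intended policy name; replace with the one from your own config.
    expected = {("3", "10.10.1.1"): "site-b-IKEv2-Policy"}
    print(mismatches(parse_policy_lookups(SAMPLE_DEBUG), expected))
```

A reported mismatch gives the fvrf and local address the router used for the lookup, which are the values to compare against the match statements of the policy you expected to be selected.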
10-20-2022 09:45 AM
First are you sure you config ipsec ikev2
Policy with fvrf=3??
06-24-2024 03:53 AM
'show crypto isakmp sa detail' will show what protection profile was chosen from the list of proposals.