Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3219
Views
0
Helpful
8
Replies

Phase 1 IPSec Tunnel - Show Command

D@1984
Level 1
Level 1

‎10-20-2022 08:22 AM

What show command will show what phase 1 parameters have been negotiated for a specific vpn tunnel on Cisco ISR4431? 'show crypto isakmp sa' doesnt display any output. Also what's the debug to show  phase1 negotiation.

Thanks

Labels:
0 Helpful
8 Replies 8

MHM Cisco World
VIP
VIP

‎10-20-2022 08:24 AM - edited ‎10-20-2022 08:30 AM

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html

all info you need 

note:- dont forget ping from site to site to check the IPsec Phase 1 and Phase 2 state.

0 Helpful

Rob Ingram
VIP
VIP

‎10-20-2022 08:27 AM

D@1984 are you using IKEv1 (isakmp) or IKEv2?

"show crypto ikev2 sa"
"show crypto isakmp sa" or "show crypto ikev1 sa"

There will only be an IKE SA (phase 1) if it's been established, so if using a policy based VPN (crypto map) you'd need to generate interesting traffic for the IKE SA to be initiated.

0 Helpful

D@1984
Level 1
Level 1
In response to Rob Ingram

‎10-20-2022 08:53 AM

thanks, its version 2, so am I using 'show crypto ikev1 sa' for version 2?

when I run the command, I can see some of the existing tunnels, but cant see anything for the one that I'm trying to establish.

0 Helpful

D@1984
Level 1
Level 1
In response to D@1984

‎10-20-2022 08:55 AM

sorry I meant 'show crypto ikev2'

0 Helpful

Rob Ingram
VIP
VIP
In response to D@1984

‎10-20-2022 08:56 AM

D@1984 if using IKEv2 then you'd use - "show crypto ikev2 sa".

If no IKEv2 SA, then generate some traffic to bring up the tunnel (if a policy based VPN), if that doesn't work, then you might have a problem to troubleshoot.

0 Helpful

D@1984
Level 1
Level 1

‎10-20-2022 09:39 AM

setting the debug, I get below:

.Oct 20 16:32:23.228 UTC: IKEv2:% Getting preshared key from profile keyring keyring-ipsec-Con0
.Oct 20 16:32:23.229 : IKEv2:% Matched peer block '21.x.x.x'
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Searching Policy with fvrf 3, local address 10.10.1.1
.Oct 20 16:32:23.229 : IKEv2:(SESSION ID = 0,SA ID = 0):Found Policy 'aaa-IKEv2-Policy'

I'm not sure what exactly I have to get from above, but it matches against the wrong policy.

0 Helpful

MHM Cisco World
VIP
VIP
In response to D@1984

‎10-20-2022 09:45 AM

First are you sure you config ipsec ikev2 

Policy with fvrf=3??

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents