03-05-2013 10:56 AM
Techies.
Just got asked a question and I can't find an answer.
We are about to migrate our last Pix pairs to ASA's, and the question of whether we need new certs came up.
On the Pixen, I have several policies available, using both pre-share keys and a cert. I cannot find a command that shows which policy got selected and is in use for LIVE vpn tunnels.
When I do a
sh crypto ipsec sa
or a
sh crypto isakmp sa
I see beaucoup information, but not which policy is in use, and whether the pre-shared key or the cert is in use for a particular (or all) current tunnels.
Anyone help me out?
03-05-2013 08:16 PM
Hello,
What version are you running on the PIX,
You can share the entire show run output and we will tell you or send the information on a private message
It's all up to you
Regards
03-06-2013 06:53 AM
I appreciate the reply. This pair of Pixen are:
Cisco PIX Firewall Version 6.1(4)
Cisco PIX Device Manager Version 1.1(2)
Hardware: PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
And the sh run... cleaned up a bit (if I deleted anything that you'd like to see, let me know):
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 extranet security10
nameif ethernet3 intf3 security15
nameif ethernet4 publicdmz security50
nameif ethernet5 stateful-failover security25
enable password P563PoV8njSqomuF encrypted
!
acl's deleted
!
ip address outside 10.254.196.207 255.255.255.224
ip address inside 10.254.12.133 255.255.255.224
ip address extranet 10.9.10.74 255.255.255.192
ip address intf3 10.254.21.49 255.255.255.252
ip address publicdmz 10.254.196.135 255.255.255.240
ip address stateful-failover 10.254.21.13 255.255.255.252
!
natting deleted
!
access-group acl_outside in interface outside
access-group acl_publicdmz in interface publicdmz
route outside 0.0.0.0 0.0.0.0 10.254.196.197 1
route inside 10.0.0.0 255.0.0.0 10.254.12.131 1
route outside 10.234.7.11 255.255.255.255 10.254.196.197 1
route publicdmz 10.254.5.0 255.255.255.0 10.254.196.130 1
route publicdmz 10.254.197.0 255.255.255.0 10.254.196.140 1
route publicdmz 10.254.208.0 255.255.255.0 10.254.196.140 1
route inside 172.16.0.0 255.240.0.0 10.254.12.131 1
!
aaa and snmp config deleted
!
crypto ipsec transform-set vpn-trane esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-twister esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-footlocker esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-luscar esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-yak esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-agricoreunited esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-burlingtonhydro esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-gap esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-gxs esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-Quebac esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-tsys esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-WU esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-888test esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-woodbridge2 esp-3des esp-md5-hmac
crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac
!
crypto map ipsec 10 ipsec-isakmp
crypto map ipsec 10 match address vpn-wyeth
crypto map ipsec 10 set peer 155.94.62.30
crypto map ipsec 10 set transform-set vpn-woodbridge
crypto map ipsec 20 ipsec-isakmp
crypto map ipsec 20 match address vpn-trane
crypto map ipsec 20 set peer 64.219.107.141
crypto map ipsec 20 set transform-set vpn-trane
crypto map ipsec 30 ipsec-isakmp
crypto map ipsec 30 match address vpn-diebold1
crypto map ipsec 30 set peer 208.228.181.219
crypto map ipsec 30 set transform-set vpn-woodbridge
crypto map ipsec 40 ipsec-isakmp
crypto map ipsec 40 match address vpn-jones
crypto map ipsec 40 set peer 12.149.8.101
crypto map ipsec 40 set transform-set vpn-woodbridge
crypto map ipsec 50 ipsec-isakmp
crypto map ipsec 50 match address vpn-truck
crypto map ipsec 50 set peer 167.6.236.3
crypto map ipsec 50 set transform-set vpn-woodbridge
crypto map ipsec 60 ipsec-isakmp
crypto map ipsec 60 match address vpn-footlocker
crypto map ipsec 60 set peer 174.47.187.25
crypto map ipsec 60 set transform-set vpn-footlocker
crypto map ipsec 70 ipsec-isakmp
crypto map ipsec 70 match address vpn-diebold2
crypto map ipsec 70 set peer 208.228.181.217
crypto map ipsec 70 set transform-set vpn-woodbridge
crypto map ipsec 80 ipsec-isakmp
crypto map ipsec 80 match address vpn-viterra
crypto map ipsec 80 set peer 198.169.204.254
crypto map ipsec 80 set transform-set vpn-woodbridge
crypto map ipsec 90 ipsec-isakmp
crypto map ipsec 90 match address vpn-citi
crypto map ipsec 90 set peer 192.193.171.127
crypto map ipsec 90 set transform-set vpn-woodbridge
crypto map ipsec 100 ipsec-isakmp
crypto map ipsec 100 match address vpn-eds
crypto map ipsec 100 set peer 66.46.11.210
crypto map ipsec 100 set transform-set vpn-woodbridge
crypto map ipsec 110 ipsec-isakmp
crypto map ipsec 110 match address vpn-Quebac
crypto map ipsec 110 set peer 207.253.51.220
crypto map ipsec 110 set transform-set vpn-Quebac
crypto map ipsec 120 ipsec-isakmp
crypto map ipsec 120 match address vpn-gxs
crypto map ipsec 120 set peer 204.90.187.149
crypto map ipsec 120 set transform-set vpn-gxs
crypto map ipsec 130 ipsec-isakmp
crypto map ipsec 130 match address vpn-luscar1
crypto map ipsec 130 set peer 198.161.192.9
crypto map ipsec 130 set transform-set vpn-luscar
crypto map ipsec 140 ipsec-isakmp
crypto map ipsec 140 match address vpn-ford
crypto map ipsec 140 set peer 136.1.1.51
crypto map ipsec 140 set transform-set vpn-woodbridge2
crypto map ipsec 140 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ipsec 160 ipsec-isakmp
crypto map ipsec 160 match address vpn1-tsysemail
crypto map ipsec 160 set pfs group2
crypto map ipsec 160 set peer 63.106.6.4
crypto map ipsec 160 set transform-set vpn-tsys
crypto map ipsec 160 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ipsec 170 ipsec-isakmp
crypto map ipsec 170 match address vpn2-tsysemail
crypto map ipsec 170 set pfs group2
crypto map ipsec 170 set peer 63.106.6.204
crypto map ipsec 170 set transform-set vpn-tsys
crypto map ipsec 170 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ipsec 180 ipsec-isakmp
crypto map ipsec 180 match address vpn-adp
crypto map ipsec 180 set peer 170.146.91.104
crypto map ipsec 180 set transform-set vpn-woodbridge
crypto map ipsec 190 ipsec-isakmp
crypto map ipsec 190 match address vpn1-WU
crypto map ipsec 190 set peer 206.201.228.92
crypto map ipsec 190 set transform-set vpn-WU
crypto map ipsec 190 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ipsec 200 ipsec-isakmp
crypto map ipsec 200 match address vpn2-WU
crypto map ipsec 200 set peer 206.201.227.92
crypto map ipsec 200 set transform-set vpn-WU
crypto map ipsec 200 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map ipsec 210 ipsec-isakmp
crypto map ipsec 210 match address vpn-burlingtonhydro1
crypto map ipsec 210 set peer 216.185.74.134
crypto map ipsec 210 set transform-set vpn-burlingtonhydro
crypto map ipsec 220 ipsec-isakmp
crypto map ipsec 220 match address vpn-woodbridge2
crypto map ipsec 220 set peer 208.64.104.5
crypto map ipsec 220 set transform-set vpn-woodbridge
crypto map ipsec 230 ipsec-isakmp
crypto map ipsec 230 match address vpn-ims
crypto map ipsec 230 set peer 67.202.198.212
crypto map ipsec 230 set transform-set vpn-woodbridge
crypto map ipsec 999 ipsec-isakmp
crypto map ipsec 999 match address vpn-888test
crypto map ipsec 999 set peer 216.129.53.200
crypto map ipsec 999 set transform-set vpn-888test
crypto map ipsec interface outside
isakmp enable outside
isakmp key ******** address 216.83.5.249 netmask 255.255.255.255
isakmp key ******** address 209.82.96.9 netmask 255.255.255.255
isakmp key ******** address 204.58.233.208 netmask 255.255.255.255
isakmp key ******** address 204.90.187.149 netmask 255.255.255.255
isakmp key ******** address 198.161.192.9 netmask 255.255.255.255
isakmp key ******** address 136.1.1.103 netmask 255.255.255.255
isakmp key ******** address 63.250.109.190 netmask 255.255.255.255
isakmp key ******** address 63.106.6.4 netmask 255.255.255.255
isakmp key ******** address 63.106.6.204 netmask 255.255.255.255
isakmp key ******** address 155.94.62.30 netmask 255.255.255.255
isakmp key ******** address 208.228.181.219 netmask 255.255.255.255
isakmp key ******** address 167.6.236.3 netmask 255.255.255.255
isakmp key ******** address 66.46.11.210 netmask 255.255.255.255
isakmp key ******** address 12.149.8.101 netmask 255.255.255.255
isakmp key ******** address 206.201.228.92 netmask 255.255.255.255
isakmp key ******** address 206.201.227.92 netmask 255.255.255.255
isakmp key ******** address 170.146.91.104 netmask 255.255.255.255
isakmp key ******** address 216.185.74.130 netmask 255.255.255.255
isakmp key ******** address 64.219.107.141 netmask 255.255.255.255
isakmp key ******** address 216.185.74.134 netmask 255.255.255.255
isakmp key ******** address 192.193.171.127 netmask 255.255.255.255
isakmp key ******** address 207.253.51.220 netmask 255.255.255.255
isakmp key ******** address 198.169.204.254 netmask 255.255.255.255
isakmp key ******** address 216.129.53.200 netmask 255.255.255.255
isakmp key ******** address 67.202.198.212 netmask 255.255.255.255
isakmp key ******** address 136.1.1.51 netmask 255.255.255.255
isakmp key ******** address 207.250.27.38 netmask 255.255.255.255
isakmp key ******** address 174.47.187.25 netmask 255.255.255.255
isakmp keepalive 10
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 15 authentication rsa-sig
isakmp policy 15 encryption des
isakmp policy 15 hash sha
isakmp policy 15 group 1
isakmp policy 15 lifetime 86400
isakmp policy 20 authentication rsa-sig
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
isakmp policy 50 authentication rsa-sig
isakmp policy 50 encryption 3des
isakmp policy 50 hash sha
isakmp policy 50 group 2
isakmp policy 50 lifetime 43200
isakmp policy 60 authentication pre-share
isakmp policy 60 encryption 3des
isakmp policy 60 hash sha
isakmp policy 60 group 2
isakmp policy 60 lifetime 43200
isakmp policy 70 authentication pre-share
isakmp policy 70 encryption 3des
isakmp policy 70 hash md5
isakmp policy 70 group 2
isakmp policy 70 lifetime 86400
ca identity scotiaca 10.248.10.26:/cgi-bin
ca configure scotiaca ra 1 20 crloptional
!
telnet / ssh config deleted
!
FW100EVx#
I appreciate your help and any thoughts.
Mike
03-06-2013 08:31 AM
Hello Mike,
Here is how you should do it:
1) Any VPN up will appear on the show crypto ipsec sa
You will get from there the Remote Peer IP address.
2) Then based on that go to the crypto map that is using that peer
You will get the information from there
Regards
03-06-2013 10:14 AM
Following that process...
One of the UP tunnels is this one:
local ident (addr/mask/prot/port): (205.210.223.44/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.169.206.170/255.255.255.255/0/0)
current_peer: 198.169.204.254
Using the peer mentioned, I find this map:
crypto map ipsec 80 ipsec-isakmp
crypto map ipsec 80 match address vpn-viterra
crypto map ipsec 80 set peer 198.169.204.254
crypto map ipsec 80 set transform-set vpn-woodbridge
The transform-set matches:
crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac
However, nowhere can I determine which authentication policy is in force. I don't know if the SA's agreed to use pre-shared keys or the cert.
Any further thoughts?
03-06-2013 10:30 AM
Hello Mike,
For that you will need to check both sites...
Then check the isakmp policies from the lowest to the highest number, as soon as there is a match that policy will be used.
You could also run a debug crypto isakmp and check the negotiation process
It's all up to you,
Remember to rate all of the helpful posts( if you do not know how to rate a post just let me know)
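The procedure described in the two replies above (take the peer from show crypto ipsec sa, find the crypto map entry that uses that peer, then read the isakmp policies from the lowest to the highest number) can be scripted against a saved show run. The following is an added example written for this page, not code from the thread or from Cisco. The config and SA fragments it embeds are constructed from the lines posted above; the rule that a pre-share policy only applies to a peer with an isakmp key and an rsa-sig policy only when a ca identity exists is an assumption of the script, not something the thread states.

```python
"""Cross-reference a live peer from 'show crypto ipsec sa' with a PIX config.

Added example, not code from the thread. It walks the procedure given in the
replies: peer address -> crypto map entry -> transform set, whether an
'isakmp key' exists for that peer, and the ISAKMP policies in the order the
PIX evaluates them (lowest number first). It cannot say which policy was
actually negotiated; that still needs the debug or the far side's config.
"""
import re

# Constructed excerpt modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac
crypto ipsec transform-set vpn-tsys esp-3des esp-sha-hmac
crypto map ipsec 80 ipsec-isakmp
crypto map ipsec 80 match address vpn-viterra
crypto map ipsec 80 set peer 198.169.204.254
crypto map ipsec 80 set transform-set vpn-woodbridge
crypto map ipsec 160 ipsec-isakmp
crypto map ipsec 160 match address vpn1-tsysemail
crypto map ipsec 160 set pfs group2
crypto map ipsec 160 set peer 63.106.6.4
crypto map ipsec 160 set transform-set vpn-tsys
crypto map ipsec interface outside
isakmp key ******** address 198.169.204.254 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
ca identity scotiaca 10.248.10.26:/cgi-bin
"""

# Constructed 'show crypto ipsec sa' fragment in the shape quoted in the thread.
SAMPLE_SA = """\
local ident (addr/mask/prot/port): (205.210.223.44/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (198.169.206.170/255.255.255.255/0/0)
current_peer: 198.169.204.254
"""

CRYPTO_MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (.+)$")
ISAKMP_KEY_RE = re.compile(r"^isakmp key \S+ address (\S+) netmask (\S+)$")
ISAKMP_POLICY_RE = re.compile(r"^isakmp policy (\d+) (\S+) (.+)$")
CA_IDENTITY_RE = re.compile(r"^ca identity (\S+) ")


def parse_config(text):
    """Collect crypto map entries, transform sets, isakmp keys, policies and CA."""
    cfg = {"maps": {}, "transform_sets": {}, "keys": {}, "policies": {},
           "ca_identity": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = CRYPTO_MAP_RE.match(line)
        if m:
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[0] == "set" and len(words) >= 3:
                entry[words[1]] = " ".join(words[2:])  # peer, transform-set, pfs, ...
            elif words[0] == "match" and len(words) == 3:
                entry["match address"] = words[2]
            continue
        m = TRANSFORM_RE.match(line)
        if m:
            cfg["transform_sets"][m.group(1)] = m.group(2)
            continue
        m = ISAKMP_KEY_RE.match(line)
        if m:
            cfg["keys"][m.group(1)] = m.group(2)
            continue
        m = ISAKMP_POLICY_RE.match(line)
        if m:
            cfg["policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
            continue
        m = CA_IDENTITY_RE.match(line)
        if m:
            cfg["ca_identity"] = m.group(1)
    return cfg


def peer_from_sa(sa_text):
    """Step 1: pull the current_peer address out of a 'show crypto ipsec sa' block."""
    m = re.search(r"current_peer:\s*(\S+)", sa_text)
    return m.group(1) if m else None


def lookup_peer(cfg, peer):
    """Step 2: crypto map entries, transform sets and candidate policies for a peer."""
    maps = sorted(k for k, v in cfg["maps"].items() if v.get("peer") == peer)
    ts_names = {cfg["maps"][k].get("transform-set") for k in maps} - {None}
    policies = [(n, p.get("authentication", "?"))
                for n, p in sorted(cfg["policies"].items())]
    # Assumption (not stated in the thread): a pre-share policy is only usable
    # for a peer that has an isakmp key, and an rsa-sig policy only when the
    # PIX has a CA identity. If more than one policy survives this filter the
    # configuration alone cannot tell you which one was negotiated.
    usable = [(n, auth) for n, auth in policies
              if (auth == "pre-share" and peer in cfg["keys"])
              or (auth == "rsa-sig" and cfg["ca_identity"] is not None)]
    return {
        "peer": peer,
        "maps": maps,
        "transform_sets": {n: cfg["transform_sets"].get(n) for n in ts_names},
        "preshared_key": peer in cfg["keys"],
        "policies": policies,
        "usable_policies": usable,
        "decidable": len(usable) == 1,
    }


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    result = lookup_peer(config, peer_from_sa(SAMPLE_SA))
    for key, value in result.items():
        print(f"{key}: {value}")
```

For the peer in the thread (198.169.204.254) the script finds map entry 80, transform set vpn-woodbridge, a configured isakmp key, and both policy 5 (pre-share) and policy 10 (rsa-sig) as usable, so it reports "decidable: False", which is exactly the situation the thread ends with: only the far side's policies or a debug crypto isakmp during negotiation can settle it. A peer with no isakmp key, on the other hand, can only have matched an rsa-sig policy, and the script reports that as decidable.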
03-06-2013 10:40 AM
I was afraid of that.
So to clarify what I think you're saying... unless I have access to the config on the other end (which I don't), and unless I have a debug running while the tunnel is forming (and I can't break existing tunnels to have them recreate... I like working here! *L*)... there exists no command to show the policy in use?
That sucks.
03-06-2013 11:36 AM
Hello Mike,
I mean based on this command I can tell you that you are running pre-shared keys:
isakmp key ******** address 198.169.204.254 netmask 255.255.255.255
But if you want the details of the crypto isakmp phase 1 then you will have to run a debug or check the other side.
I mean it is not a big deal, you can always gather it with no problem at all (running the debugs).
03-06-2013 12:16 PM
Ah, gotcha.
I understood that the presence of the isakmp key meant that if pre-shared key was the auth choice in the agreed upon policy, then it would be used. I still thought that even with the key being present, a certificate could be agreed upon first.
Okay then, I guess I'll talk to the admins on the other ends of the tunnels and cross-reference their policies, and see if we can schedule a teardown so I can run the debug.
Thanks for the help.
Mike
03-06-2013 12:26 PM
Hello,
I mean you have one configured, but as you said, on your policies you might be using a different authentication method. For that you will need to check the policies or run the debugs, as you already know.
Regards