
Pix VPN's... which policy in use?

mikearama
Level 1

Techies.


Just got asked a question and I can't find an answer.


We are about to migrate our last Pix pairs to ASA's, and the question of whether we need new certs came up.


On the Pixen, I have several policies available, using both pre-share keys and a cert. I cannot find a command that shows which policy got selected and is in use for LIVE vpn tunnels.


When I do a

sh crypto ipsec sa

or a

sh crypto isakmp sa

I see beaucoup information, but not which policy is in use, and whether the pre-shared key or the cert is in use for a particular (or all) current tunnels.


Anyone help me out?


Julio Carvajal
VIP Alumni

Hello,

What version are you running on the PIX?

You can share the entire show run output and we will tell you, or send the information in a private message.

It's all up to you.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I appreciate the reply.  This pair of Pixen are:

Cisco PIX Firewall Version 6.1(4)

Cisco PIX Device Manager Version 1.1(2)

Hardware:   PIX-515E, 64 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0x300, 16MB

And the sh run... cleaned up a bit (if I deleted anything that you'd like to see, let me know):

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 extranet security10

nameif ethernet3 intf3 security15

nameif ethernet4 publicdmz security50

nameif ethernet5 stateful-failover security25

enable password P563PoV8njSqomuF encrypted

!

acl's deleted

!

ip address outside 10.254.196.207 255.255.255.224

ip address inside 10.254.12.133 255.255.255.224

ip address extranet 10.9.10.74 255.255.255.192

ip address intf3 10.254.21.49 255.255.255.252

ip address publicdmz 10.254.196.135 255.255.255.240

ip address stateful-failover 10.254.21.13 255.255.255.252

!

natting deleted

!

access-group acl_outside in interface outside

access-group acl_publicdmz in interface publicdmz

route outside 0.0.0.0 0.0.0.0 10.254.196.197 1

route inside 10.0.0.0 255.0.0.0 10.254.12.131 1

route outside 10.234.7.11 255.255.255.255 10.254.196.197 1

route publicdmz 10.254.5.0 255.255.255.0 10.254.196.130 1

route publicdmz 10.254.197.0 255.255.255.0 10.254.196.140 1

route publicdmz 10.254.208.0 255.255.255.0 10.254.196.140 1

route inside 172.16.0.0 255.240.0.0 10.254.12.131 1

!

aaa and snmp config deleted

!

crypto ipsec transform-set vpn-trane esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-twister esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-footlocker esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-luscar esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-yak esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-agricoreunited esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-burlingtonhydro esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-gap esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-gxs esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-Quebac esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-tsys esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-WU esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-888test esp-3des esp-sha-hmac

crypto ipsec transform-set vpn-woodbridge2 esp-3des esp-md5-hmac

crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac

!

crypto map ipsec 10 ipsec-isakmp

crypto map ipsec 10 match address vpn-wyeth

crypto map ipsec 10 set peer 155.94.62.30

crypto map ipsec 10 set transform-set vpn-woodbridge

crypto map ipsec 20 ipsec-isakmp

crypto map ipsec 20 match address vpn-trane

crypto map ipsec 20 set peer 64.219.107.141

crypto map ipsec 20 set transform-set vpn-trane

crypto map ipsec 30 ipsec-isakmp

crypto map ipsec 30 match address vpn-diebold1

crypto map ipsec 30 set peer 208.228.181.219

crypto map ipsec 30 set transform-set vpn-woodbridge

crypto map ipsec 40 ipsec-isakmp

crypto map ipsec 40 match address vpn-jones

crypto map ipsec 40 set peer 12.149.8.101

crypto map ipsec 40 set transform-set vpn-woodbridge

crypto map ipsec 50 ipsec-isakmp

crypto map ipsec 50 match address vpn-truck

crypto map ipsec 50 set peer 167.6.236.3

crypto map ipsec 50 set transform-set vpn-woodbridge

crypto map ipsec 60 ipsec-isakmp

crypto map ipsec 60 match address vpn-footlocker

crypto map ipsec 60 set peer 174.47.187.25

crypto map ipsec 60 set transform-set vpn-footlocker

crypto map ipsec 70 ipsec-isakmp

crypto map ipsec 70 match address vpn-diebold2

crypto map ipsec 70 set peer 208.228.181.217

crypto map ipsec 70 set transform-set vpn-woodbridge

crypto map ipsec 80 ipsec-isakmp

crypto map ipsec 80 match address vpn-viterra

crypto map ipsec 80 set peer 198.169.204.254

crypto map ipsec 80 set transform-set vpn-woodbridge

crypto map ipsec 90 ipsec-isakmp

crypto map ipsec 90 match address vpn-citi

crypto map ipsec 90 set peer 192.193.171.127

crypto map ipsec 90 set transform-set vpn-woodbridge

crypto map ipsec 100 ipsec-isakmp

crypto map ipsec 100 match address vpn-eds

crypto map ipsec 100 set peer 66.46.11.210

crypto map ipsec 100 set transform-set vpn-woodbridge

crypto map ipsec 110 ipsec-isakmp

crypto map ipsec 110 match address vpn-Quebac

crypto map ipsec 110 set peer 207.253.51.220

crypto map ipsec 110 set transform-set vpn-Quebac

crypto map ipsec 120 ipsec-isakmp

crypto map ipsec 120 match address vpn-gxs

crypto map ipsec 120 set peer 204.90.187.149

crypto map ipsec 120 set transform-set vpn-gxs

crypto map ipsec 130 ipsec-isakmp

crypto map ipsec 130 match address vpn-luscar1

crypto map ipsec 130 set peer 198.161.192.9

crypto map ipsec 130 set transform-set vpn-luscar

crypto map ipsec 140 ipsec-isakmp

crypto map ipsec 140 match address vpn-ford

crypto map ipsec 140 set peer 136.1.1.51

crypto map ipsec 140 set transform-set vpn-woodbridge2

crypto map ipsec 140 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map ipsec 160 ipsec-isakmp

crypto map ipsec 160 match address vpn1-tsysemail

crypto map ipsec 160 set pfs group2

crypto map ipsec 160 set peer 63.106.6.4

crypto map ipsec 160 set transform-set vpn-tsys

crypto map ipsec 160 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map ipsec 170 ipsec-isakmp

crypto map ipsec 170 match address vpn2-tsysemail

crypto map ipsec 170 set pfs group2

crypto map ipsec 170 set peer 63.106.6.204

crypto map ipsec 170 set transform-set vpn-tsys

crypto map ipsec 170 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map ipsec 180 ipsec-isakmp

crypto map ipsec 180 match address vpn-adp

crypto map ipsec 180 set peer 170.146.91.104

crypto map ipsec 180 set transform-set vpn-woodbridge

crypto map ipsec 190 ipsec-isakmp

crypto map ipsec 190 match address vpn1-WU

crypto map ipsec 190 set peer 206.201.228.92

crypto map ipsec 190 set transform-set vpn-WU

crypto map ipsec 190 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map ipsec 200 ipsec-isakmp

crypto map ipsec 200 match address vpn2-WU

crypto map ipsec 200 set peer 206.201.227.92

crypto map ipsec 200 set transform-set vpn-WU

crypto map ipsec 200 set security-association lifetime seconds 3600 kilobytes 4608000

crypto map ipsec 210 ipsec-isakmp

crypto map ipsec 210 match address vpn-burlingtonhydro1

crypto map ipsec 210 set peer 216.185.74.134

crypto map ipsec 210 set transform-set vpn-burlingtonhydro

crypto map ipsec 220 ipsec-isakmp

crypto map ipsec 220 match address vpn-woodbridge2

crypto map ipsec 220 set peer 208.64.104.5

crypto map ipsec 220 set transform-set vpn-woodbridge

crypto map ipsec 230 ipsec-isakmp

crypto map ipsec 230 match address vpn-ims

crypto map ipsec 230 set peer 67.202.198.212

crypto map ipsec 230 set transform-set vpn-woodbridge

crypto map ipsec 999 ipsec-isakmp

crypto map ipsec 999 match address vpn-888test

crypto map ipsec 999 set peer 216.129.53.200

crypto map ipsec 999 set transform-set vpn-888test

crypto map ipsec interface outside

isakmp enable outside

isakmp key ******** address 216.83.5.249 netmask 255.255.255.255

isakmp key ******** address 209.82.96.9 netmask 255.255.255.255

isakmp key ******** address 204.58.233.208 netmask 255.255.255.255

isakmp key ******** address 204.90.187.149 netmask 255.255.255.255

isakmp key ******** address 198.161.192.9 netmask 255.255.255.255

isakmp key ******** address 136.1.1.103 netmask 255.255.255.255

isakmp key ******** address 63.250.109.190 netmask 255.255.255.255

isakmp key ******** address 63.106.6.4 netmask 255.255.255.255

isakmp key ******** address 63.106.6.204 netmask 255.255.255.255

isakmp key ******** address 155.94.62.30 netmask 255.255.255.255

isakmp key ******** address 208.228.181.219 netmask 255.255.255.255

isakmp key ******** address 167.6.236.3 netmask 255.255.255.255

isakmp key ******** address 66.46.11.210 netmask 255.255.255.255

isakmp key ******** address 12.149.8.101 netmask 255.255.255.255

isakmp key ******** address 206.201.228.92 netmask 255.255.255.255

isakmp key ******** address 206.201.227.92 netmask 255.255.255.255

isakmp key ******** address 170.146.91.104 netmask 255.255.255.255

isakmp key ******** address 216.185.74.130 netmask 255.255.255.255

isakmp key ******** address 64.219.107.141 netmask 255.255.255.255

isakmp key ******** address 216.185.74.134 netmask 255.255.255.255

isakmp key ******** address 192.193.171.127 netmask 255.255.255.255

isakmp key ******** address 207.253.51.220 netmask 255.255.255.255

isakmp key ******** address 198.169.204.254 netmask 255.255.255.255

isakmp key ******** address 216.129.53.200 netmask 255.255.255.255

isakmp key ******** address 67.202.198.212 netmask 255.255.255.255

isakmp key ******** address 136.1.1.51 netmask 255.255.255.255

isakmp key ******** address 207.250.27.38 netmask 255.255.255.255

isakmp key ******** address 174.47.187.25 netmask 255.255.255.255

isakmp keepalive 10

isakmp policy 5 authentication pre-share

isakmp policy 5 encryption 3des

isakmp policy 5 hash sha

isakmp policy 5 group 2

isakmp policy 5 lifetime 86400

isakmp policy 10 authentication rsa-sig

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

isakmp policy 15 authentication rsa-sig

isakmp policy 15 encryption des

isakmp policy 15 hash sha

isakmp policy 15 group 1

isakmp policy 15 lifetime 86400

isakmp policy 20 authentication rsa-sig

isakmp policy 20 encryption 3des

isakmp policy 20 hash sha

isakmp policy 20 group 1

isakmp policy 20 lifetime 86400

isakmp policy 50 authentication rsa-sig

isakmp policy 50 encryption 3des

isakmp policy 50 hash sha

isakmp policy 50 group 2

isakmp policy 50 lifetime 43200

isakmp policy 60 authentication pre-share

isakmp policy 60 encryption 3des

isakmp policy 60 hash sha

isakmp policy 60 group 2

isakmp policy 60 lifetime 43200

isakmp policy 70 authentication pre-share

isakmp policy 70 encryption 3des

isakmp policy 70 hash md5

isakmp policy 70 group 2

isakmp policy 70 lifetime 86400

ca identity scotiaca 10.248.10.26:/cgi-bin

ca configure scotiaca ra 1 20 crloptional

!

telnet / ssh config deleted

!

FW100EVx#

I appreciate your help and any thoughts.

Mike

Hello Mike,

Here is how you should do it:

1) Any VPN up will appear on the show crypto ipsec sa

     You will get from there the Remote Peer IP address.

2) Then based on that go to the crypto map that is using that peer

     You will get the information from there

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Following that process...

One of the UP tunnels is this one:

local  ident (addr/mask/prot/port): (205.210.223.44/255.255.255.255/0/0)

   remote ident (addr/mask/prot/port): (198.169.206.170/255.255.255.255/0/0)

   current_peer: 198.169.204.254

Using the peer mentioned, I find this map:

crypto map ipsec 80 ipsec-isakmp

crypto map ipsec 80 match address vpn-viterra

crypto map ipsec 80 set peer 198.169.204.254

crypto map ipsec 80 set transform-set vpn-woodbridge

The transform-set matches:

crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac

However, nowhere can I determine which authentication policy is in force.  I don't know if the SAs agreed to use pre-shared keys or the cert.

Any further thoughts?

Hello Mike,

For that you will need to check both sites...

Then check the isakmp policies from the lowest to the highest number, as soon as there is a match that policy will be used.

You could also run a debug crypto isakmp and check the negotiation process

It's all up to you.

Remember to rate all of the helpful posts (if you do not know how to rate a post, just let me know).

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
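The two procedures in this thread (pull the remote peer out of show crypto ipsec sa and walk to the crypto map entry that uses it, then consider the isakmp policies from the lowest number upward) are mechanical enough to script against a saved copy of the config. The script below is an added example for this thread; it is not Cisco code and not anything Mike or Julio posted. It parses a constructed excerpt in the PIX 6.x syntax posted above (a handful of the thread's own peers and names, not the whole config), and the function and field names are mine. It adds one deduction the config alone supports: a peer that has a crypto map entry but no matching isakmp key line has nothing to authenticate a pre-share policy with, so for that peer only the rsa-sig policies remain as candidates; for a peer that does have a key, both methods stay possible and, as Julio says, only the remote side's config or a debug settles which policy actually won.

```python
import re

# Constructed excerpt in the syntax of the PIX 6.x config posted above (a subset;
# the peers and names are the thread's, the selection is mine).
SAMPLE_CONFIG = """\
crypto ipsec transform-set vpn-woodbridge esp-3des esp-sha-hmac
crypto map ipsec 80 ipsec-isakmp
crypto map ipsec 80 match address vpn-viterra
crypto map ipsec 80 set peer 198.169.204.254
crypto map ipsec 80 set transform-set vpn-woodbridge
crypto map ipsec 220 ipsec-isakmp
crypto map ipsec 220 match address vpn-woodbridge2
crypto map ipsec 220 set peer 208.64.104.5
crypto map ipsec 220 set transform-set vpn-woodbridge
isakmp enable outside
isakmp key ******** address 198.169.204.254 netmask 255.255.255.255
isakmp key ******** address 216.83.5.249 netmask 255.255.255.255
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
"""

# The 'show crypto ipsec sa' lines Mike posted for the tunnel in question.
SAMPLE_SA = """\
local  ident (addr/mask/prot/port): (205.210.223.44/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (198.169.206.170/255.255.255.255/0/0)
   current_peer: 198.169.204.254
"""


def parse_config(text):
    """Collect transform-sets, crypto map entries, PSK peers and ISAKMP policies."""
    cfg = {"transform_sets": {}, "maps": {}, "psk_peers": set(), "policies": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            cfg["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entry = cfg["maps"].setdefault((m.group(1), int(m.group(2))), {})
            words = m.group(3).split()
            if words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform_set"] = words[2]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            cfg["psk_peers"].add(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)$", line):
            cfg["policies"].setdefault(int(m.group(1)), {})[m.group(2)] = m.group(3)
    return cfg


def current_peers(sa_text):
    """Every current_peer in 'show crypto ipsec sa' output (step 1 of the thread)."""
    return re.findall(r"current_peer:\s*(\S+)", sa_text)


def analyze_peer(cfg, peer):
    """Step 2 of the thread (peer -> crypto map entry) plus a Phase 1 narrowing."""
    hits = [(k, e) for k, e in sorted(cfg["maps"].items()) if e.get("peer") == peer]
    if not hits:
        return None
    (map_name, seq), entry = hits[0]
    has_psk = peer in cfg["psk_peers"]
    # Policies are tried from the lowest number upward and the first one both sides
    # accept wins.  Without an 'isakmp key' line for this peer a pre-share policy
    # cannot have been used, so only rsa-sig policies stay in the candidate list.
    candidates = [
        (prio, pol.get("authentication"))
        for prio, pol in sorted(cfg["policies"].items())
        if has_psk or pol.get("authentication") != "pre-share"
    ]
    return {
        "crypto_map": f"{map_name} {seq}",
        "transform_set": entry.get("transform_set"),
        "phase2": cfg["transform_sets"].get(entry.get("transform_set")),
        "psk_configured": has_psk,
        "auth_methods": sorted({auth for _, auth in candidates}),
        "candidate_policies": candidates,
    }


def audit_psk(cfg):
    """Pre-migration hygiene: cert-only peers, and keys no crypto map entry references."""
    map_peers = {e["peer"] for e in cfg["maps"].values() if "peer" in e}
    return {
        "cert_only_peers": sorted(map_peers - cfg["psk_peers"]),
        "unused_keys": sorted(cfg["psk_peers"] - map_peers),
    }


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for peer in current_peers(SAMPLE_SA):
        print(peer, analyze_peer(cfg, peer))
    print(audit_psk(cfg))
```

To run it against a real box, replace SAMPLE_CONFIG with the text of show run and SAMPLE_SA with the full show crypto ipsec sa output. The auth_methods list is a narrowing, not a proof: a peer reported as cert-only really did use rsa-sig, but a peer with a key configured could have agreed either way. The unused_keys list is worth a look before the ASA migration, since a pre-shared key for a peer that no crypto map entry references is usually a leftover rather than a live tunnel.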

I was afraid of that. 

So to clarify what I think you're saying... unless I have access to the config on the other end (which I don't), and unless I have a debug running while the tunnel is forming (and I can't break existing tunnels to have them recreate... I like working here! *L*)... there exists no command to show the policy in use?

That sucks.

Hello Mike,

I mean, based on this command I can tell you that you are running pre-shared keys:

isakmp key ******** address 198.169.204.254 netmask 255.255.255.255

But if you want the details of the crypto isakmp phase 1, then you will have to run a debug or check the other side.

I mean, it is not a big deal; you can always gather it with no problem at all (running the debugs).

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Ah, gotcha.

I understood that the presence of the isakmp key meant that if pre-shared key was the auth choice in the agreed upon policy, then it would be used.  I still thought that even with the key being present, a certificate could be agreed upon first.

Okay then, I guess I'll talk to the admins on the other ends of the tunnels and cross-reference their policies, and see if we can schedule a teardown so I can run the debug.

Thanks for the help.

Mike

Hello,

I mean, you have one configured, but as you said, on your policies you might be using a different authentication method. For that you will need to check the policies or run the debugs, as you already know.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC