verifying IPSec on IOS / router

randytoni
Level 1

Is there a way to verify from Cisco router syslogs that an IPSec tunnel is being successfully established with another Cisco router / peer? I've been looking at the System Message manuals (SEC, Crypto events) and only see stuff that would indicate problems. I would like to be able to check syslogs to validate that a tunnel came up without issue, or if a tunnel drops, etc., but I'm not sure what these messages look like.

thanks

-randy

6 Replies

JORGE RODRIGUEZ
Level 10

Randy, try:

show crypto isakmp sa - the output should show the built tunnels between peers.

See this link for more crypto cli commands and output example information.

http://www.cisco.com/en/US/docs/ios/12_3/security/command/reference/sec_r1g.html#wp1074075

HTH

Jorge

Jorge Rodriguez

Hi Jorge - thanks for the quick reply - the situation here is that this is a managed router (I do not have access to the console). The only visibility I have is the syslog data that's generated by the router and sent to me. Does the router create a log entry when a tunnel is built, or when keys are exchanged, or for any other operational (normal) IPSec events?

thanks

-randy

Randy, I understand now!

What I would do in this case is a couple of things, but this still needs some minor configuration on the router. It depends on the managed router provider, but you should be able to let the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you; after all, you are paying for services even though it is a managed router from the provider.

On the router they would configure a secondary logging server.

i.e.

say your syslog server is 20.20.20.20

router(config)#logging 20.20.20.20

router(config)#logging trap informational

The above informational is facility #6 out of the 7 levels of facility, 0 being emergencies, 1 alerts, 2 critical and so on. I believe with this facility # you will see tunnel info on the syslog.

Additionally, on the access-lists pertaining to the L2L IPsec tunnel, add the keyword log at the end of each of its access-list entries. With the keyword log the router will send traps pertaining to the access-list to your syslog, thus showing you whether the connection is established or not.

Rgds

-Jorge

Jorge Rodriguez

thanks Jorge - much appreciated....

-randy

Randy, you are welcome, thanks for rating.

Check these two links as well, good info.

Router Syslog events information

http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html

Access Control List Logging

http://www.cisco.com/web/about/security/intelligence/acl-logging.html

Rgds

Jorge

Jorge Rodriguez

michael.leblanc
Level 4

Personally, I don't think you want to log every IPSec related Access Control Entry match, as has been recommended to you.

You might want to consider the following command:

router(config)#crypto logging session

Sample syslog message:

13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer aaa.bbb.ccc.ddd:500 Id: router-B.domain.com
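As an added example (not from the thread, and not Cisco's code), a small Python parser for the %CRYPTO-5-SESSION_STATUS message quoted above, run over constructed sample syslog lines. It tracks the last known state per peer and counts DOWN transitions, which is what a syslog consumer without console access needs to confirm a tunnel came up or to flag a flapping peer. The hostnames, timestamps and 192.0.2.x addresses in the extra sample lines are constructed.

```python
import re
from collections import defaultdict

# Only the tail of the message is matched strictly: the sequence number,
# hostname and timestamp prefix vary with the router's logging configuration.
SESSION_RE = re.compile(
    r"%CRYPTO-5-SESSION_STATUS: Crypto tunnel is (?P<state>UP|DOWN)\. "
    r"Peer (?P<peer>\S+?):(?P<port>\d+)\s+Id: (?P<id>\S+)"
)


def parse_session_event(line):
    """Return state/peer/port/id for a session-status line, or None for any other message."""
    m = SESSION_RE.search(line)
    if not m:
        return None
    return {"state": m.group("state"), "peer": m.group("peer"),
            "port": int(m.group("port")), "id": m.group("id")}


def summarize_tunnels(lines):
    """Return (last known state per (peer, id), number of DOWN events per (peer, id))."""
    state = {}
    downs = defaultdict(int)
    for line in lines:
        ev = parse_session_event(line)
        if ev is None:
            continue  # unrelated syslog message, e.g. a config change
        key = (ev["peer"], ev["id"])
        if ev["state"] == "DOWN":
            downs[key] += 1
        state[key] = ev["state"]
    return state, dict(downs)


# Constructed sample log: the first line is the message quoted in the thread,
# the rest are made-up lines showing the tunnel coming back UP, a second peer
# using NAT-T (UDP 4500) that later drops, and one unrelated message.
SAMPLE_LOG = [
    "13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer aaa.bbb.ccc.ddd:500 Id: router-B.domain.com",
    "13771: router-A: Jul 14 19:23:45.102 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer aaa.bbb.ccc.ddd:500 Id: router-B.domain.com",
    "13772: router-A: Jul 14 19:24:01.510 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 192.0.2.10:4500 Id: 192.0.2.10",
    "13773: router-A: Jul 14 19:30:00.000 EDT: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "13774: router-A: Jul 14 19:41:12.337 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.0.2.10:4500 Id: 192.0.2.10",
]

if __name__ == "__main__":
    current, flaps = summarize_tunnels(SAMPLE_LOG)
    for (peer, peer_id), st in current.items():
        print(f"{peer} ({peer_id}): {st}, DOWN events: {flaps.get((peer, peer_id), 0)}")
```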