Verifying IPSec

matthew.scala
Level 1

I recently replaced 2 routers that were connected to each other via a T1 line, running IPSec. The setup is the same now & the link is running just fine, connectivity back & forth, etc. However, I can't figure out how to verify if IPSec is actually running, what packets are being processed, etc. I've tried just about every "show crypto" command I can think of... & really can't see any information. Is this the type of scenario where you'll know it's working if the link is up? I'd appreciate any & all responses. Thanks for your time.

- Matt

1 Reply

ehirsel
Level 6

Are the routers the IPSec peers, meaning that each router is the IPSec termination point? If not, that is, if the end hosts themselves are processing the IPSec traffic, then one quick way to validate that IPSec is flowing is this:

On each router's T1 interface (I assume this is a point-to-point connection) create an ACL as follows:

ip access-list extended verify_ipsec
 permit udp any eq 500 any eq 500
 permit esp any any
 permit ah any any
 permit ip any any

then apply the access-list on the T1 interface. Note that the ACL permits all traffic, but you can do a show ip access-list periodically and you should see non-zero hit counts for 2 of the first 3 lines and maybe the 4th (unless all traffic is IPSec and the routers do not exchange route info between them). You may or may not see AH traffic depending upon whether the end hosts use AH.

If the routers are the IPSec peers then have you tried these commands?

show crypto map

show crypto isa sa

show crypto ipsec sa

Let me know if this helps.
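Added example (not part of the reply above): a small parser that applies the hit-count check described in the reply to the output of show ip access-list. The sample output is constructed to mimic IOS formatting (IOS renders port 500 as "isakmp"); it was not captured from a real router, and the function names are my own.

```python
import re

# Constructed sample of "show ip access-list verify_ipsec" output, modelled on
# IOS formatting (port 500 shown as "isakmp"). Not captured from a real device.
SAMPLE_OUTPUT = """\
Extended IP access list verify_ipsec
    10 permit udp any eq isakmp any eq isakmp (42 matches)
    20 permit esp any any (1873 matches)
    30 permit ah any any
    40 permit ip any any (15 matches)
"""

# One access-control entry: sequence, protocol, the rest of the ACE, and an
# optional "(N matches)" suffix that IOS omits when the ACE has never matched.
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+permit\s+(?P<proto>\S+)\s+(?P<rest>.*?)"
    r"(?:\s+\((?P<matches>\d+)\s+matches\))?\s*$"
)


def parse_hit_counts(output):
    """Return {sequence: (protocol, rest-of-ACE, hits)}; no suffix means 0 hits."""
    counts = {}
    for line in output.splitlines():
        m = ACE_RE.match(line)
        if m:
            hits = int(m.group("matches") or 0)
            counts[int(m.group("seq"))] = (m.group("proto"), m.group("rest"), hits)
    return counts


def assess_ipsec(counts):
    """Apply the reply's rule: IKE (UDP/500) plus ESP or AH hits mean IPSec is flowing."""
    ike = esp = ah = cleartext = 0
    for proto, rest, hits in counts.values():
        if proto == "udp" and ("isakmp" in rest or " 500" in rest):
            ike += hits                      # IKE negotiation traffic
        elif proto == "esp":
            esp += hits                      # encrypted payload
        elif proto == "ah":
            ah += hits                       # authentication-only payload
        elif proto == "ip":
            cleartext += hits                # anything that is not IPSec
    return {
        "ike_hits": ike, "esp_hits": esp, "ah_hits": ah,
        "cleartext_hits": cleartext,         # non-zero is expected if routing runs between peers
        "ipsec_active": ike > 0 and (esp > 0 or ah > 0),
    }


if __name__ == "__main__":
    print(assess_ipsec(parse_hit_counts(SAMPLE_OUTPUT)))
```

Run the same parse a second time a few minutes later and compare the counters; the reply's check is about counts that keep growing, not a single non-zero reading.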