ASDM: How to export the list of connection profiles of S2S tunnels?

swscco001
Level 1

Hello everybody,

our customer has an ASA running 9.14(3)18 with hundreds of S2S tunnels.

Is it possible to export the list that we see under:
Configuration > Site-to-Site VPN > Connection Profiles
into any table format, and if yes, how can this be done?

Thanks a lot for every hint!


Bye
Rene

7 Replies

What is the reason for doing this? And why do you want to do it?

To answer your question: no, you can do it. Unless otherwise, the best option for you is to download the running-configuration of the firewall.

As your customer has 100s of VPN tunnels, in that case it makes sense for you to have the running-configuration or start-up configuration.

If you want to do this for your records, to better understand or keep a copy of these site-to-site tunnels, in that case you can issue this command from the CLI.

"show vpn-sessiondb detail l2l"

(or)

"show crypto ipsec sa details"

(or)

"show crypto isakmp sa detail"

If you do not have access to the CLI and only have access to ASDM, in that case follow these steps.

ASDM > Tools > Command Line Interface > Multiple Line

show vpn-sessiondb detail l2l


please do not forget to rate.

Hi Sheraz,

Thanks for the fast reply, but I need a list of all configured L2L tunnels, not only of the active ones:

Background: There are hundreds of IKEv1 L2L tunnels on the ASA that need to be converted to L2L
in the next months. We need a list (Excel or similar) of the connection profile overview (see attached).

Is there a possibility to export this as a table, and if yes, how can I do this?

Thanks a lot!



Bye
R.

You mentioned "Background: There are hundreds of IKEv1 L2L tunnels on the ASA that needs to be converted to L2L
in the next months. We need a list (Excel or similar) of the connection profile overview (see attached)." You mean from IKEv1 to IKEv2? I guess this is what you will be doing.

I am afraid you can't export in this manner. There will be manual work required in this order, unless you automate it using a programming language.

If you are in the migration process from IKEv1 to IKEv2, what you can do is take the running-config and start filtering it to isolate the IKEv1 version.

For example, show crypto ikev1 sa detail will display all the active/up-and-running VPN tunnels.

show crypto ikev1 sa detail
1   IKE Peer: 208.35.24.50
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 24764

Now if you also have some VPN tunnels that are not up and running, in that case you have to manually check the firewall configuration. However, what you can do is take the output and filter it in Notepad++, as an example.

please do not forget to rate.
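One way to automate the "take the running-config and filter it" step from this answer, as an added example that is not part of the thread and not a Cisco tool: a Python script that collects every ipsec-l2l tunnel-group and its crypto map peer entry from a running-config, marks which peers currently have an IKEv1 SA according to show crypto ikev1 sa detail, and writes a CSV that opens in Excel. The config excerpt and the show output below are constructed samples (192.0.2.x documentation addresses, masked keys); the parser only records whether an IKEv1 or IKEv2 pre-shared key is configured and never reads the key value out.

```python
import csv
import io
import re

# Constructed ASA running-config excerpt (not from the thread). Peers use the
# RFC 5737 documentation range; the keys are masked placeholders.
SAMPLE_RUNNING_CONFIG = """\
crypto map outside_map 10 set peer 192.0.2.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 20 set peer 192.0.2.20
crypto map outside_map 20 set ikev2 ipsec-proposal AES256
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 192.0.2.20 type ipsec-l2l
tunnel-group 192.0.2.20 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group 192.0.2.30 type ipsec-l2l
tunnel-group 192.0.2.30 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
tunnel-group RemoteUsers type remote-access
"""

# Constructed 'show crypto ikev1 sa detail' output in the format quoted in the
# answer above; only 192.0.2.10 currently has an IKEv1 SA.
SAMPLE_IKEV1_SA = """\
1   IKE Peer: 192.0.2.10
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 24764
"""


def parse_l2l_tunnel_groups(config_text):
    """Map each ipsec-l2l tunnel-group (normally named after the peer IP) to the
    IKE versions that have a pre-shared key configured. Presence only."""
    groups = {}
    current = None
    for line in config_text.splitlines():
        if re.match(r"tunnel-group (\S+) type ipsec-l2l\s*$", line):
            groups[line.split()[1]] = {"ikev1": False, "ikev2": False}
            continue
        attrs = re.match(r"tunnel-group (\S+) \S+-attributes\s*$", line)
        if attrs:
            current = attrs.group(1) if attrs.group(1) in groups else None
            continue
        if not line.startswith(" "):
            current = None      # any other top-level command ends the block
            continue
        if current is None:
            continue
        cmd = line.strip()
        if cmd.startswith("ikev1 pre-shared-key"):
            groups[current]["ikev1"] = True
        elif cmd.startswith("ikev2 ") and "pre-shared-key" in cmd:
            groups[current]["ikev2"] = True
    return groups


def parse_crypto_map_peers(config_text):
    """Map peer -> 'mapname seq' from 'crypto map <name> <seq> set peer <peer>'."""
    pattern = r"^crypto map (\S+) (\d+) set peer (\S+)\s*$"
    return {m.group(3): f"{m.group(1)} {m.group(2)}"
            for m in re.finditer(pattern, config_text, re.M)}


def parse_active_ikev1_peers(show_text):
    """Map peer -> IKEv1 SA state from 'show crypto ikev1 sa detail' output."""
    active, peer = {}, None
    for line in show_text.splitlines():
        m = re.search(r"IKE Peer: (\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            active[peer] = m.group(1)
            peer = None
    return active


def build_inventory(config_text, show_text):
    """One row per configured L2L tunnel-group, active or not."""
    groups = parse_l2l_tunnel_groups(config_text)
    maps = parse_crypto_map_peers(config_text)
    active = parse_active_ikev1_peers(show_text)
    rows = []
    for peer in sorted(groups):
        g = groups[peer]
        rows.append({
            "peer": peer,
            "crypto_map": maps.get(peer, ""),
            "ikev1": "yes" if g["ikev1"] else "no",
            "ikev2": "yes" if g["ikev2"] else "no",
            "ikev1_sa_state": active.get(peer, "none"),
            "needs_ikev2_migration": "yes" if g["ikev1"] and not g["ikev2"] else "no",
        })
    return rows


def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(build_inventory(SAMPLE_RUNNING_CONFIG, SAMPLE_IKEV1_SA)))
```

To use it on a real box, save the output of more system:running-config (or show running-config) and show crypto ikev1 sa detail to two files and pass their contents to build_inventory; the needs_ikev2_migration column is what the migration list asked for above, and a tunnel-group with no crypto map entry or no SA state is worth a second look before migrating.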

I prefer show vpn-sessiondb l2l detail, and then manually migrate from IKEv1 to IKEv2.
And the table you share is for connection profiles, not for VPNs, i.e. there can be many connection profiles for the same VPN.

Also, Cisco has a tool to migrate (NOTE: PLEASE READ IT CAREFULLY BEFORE APPLYING IT)

Swift Migration of IKEv1 to IKEv2 L2L Tunnel Configuration on ASA 8.4 Code - Cisco

The linked document is helpful regarding basic settings, but it is a bit dated as it was written in 2013. When migrating these days I always make sure to use the opportunity to set current recommended parameters for encryption (AES-256), key exchange (DH Group 16) and hashing (SHA-512).

Also, you can retrieve your pre-shared keys in plain text from the cli using the commands as follows (save all output to text file and look in the tunnel-group config stanzas for the keys):

terminal pager 0
more system:running-config

thanks a lot @Marvin Rhoads
I fully get your point
have a nice day
MHM

Just to add, DH group values 1, 2, 5, and 24 are considered deprecated. It is recommended to follow best practices and use DH group values 19, 20, and 21 (NSA Suite B cryptography specification: use IKEv2 and select one of the elliptic curve Diffie-Hellman (ECDH) options: 19, 20, or 21).

please do not forget to rate.
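The DH group advice in the last two replies can be turned into a quick audit of the crypto ikev1 / crypto ikev2 policy blocks in the running-config. This is an added example, not from the thread or from Cisco: it parses each policy block from a constructed config sample, flags policies that use the deprecated groups 1, 2, 5 or 24, and marks for review any policy that has none of the groups recommended above (16 from Marvin's reply, 19/20/21 from the last reply).

```python
import re

# Groups named as deprecated and as recommended in the replies above.
DEPRECATED_DH_GROUPS = {1, 2, 5, 24}
RECOMMENDED_DH_GROUPS = {16, 19, 20, 21}

# Constructed ASA config excerpt (not from the thread).
SAMPLE_IKE_POLICIES = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev2 policy 1
 encryption aes-256
 integrity sha512
 group 21 19
 prf sha512
 lifetime seconds 86400
crypto ikev2 policy 5
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
"""


def parse_ike_policies(config_text):
    """Return [(ike_version, policy_id, [dh_groups])] for every
    'crypto ikev1 policy N' / 'crypto ikev2 policy N' block."""
    policies = []
    current = None
    for line in config_text.splitlines():
        header = re.match(r"crypto (ikev1|ikev2) policy (\d+)\s*$", line)
        if header:
            current = (header.group(1), int(header.group(2)), [])
            policies.append(current)
            continue
        if not line.startswith(" "):
            current = None      # any other top-level command ends the block
            continue
        # IKEv2 policies may list several groups on one 'group' line.
        group_line = re.match(r"\s+group((?:\s+\d+)+)\s*$", line)
        if current and group_line:
            current[2].extend(int(g) for g in group_line.group(1).split())
    return policies


def audit_dh_groups(config_text):
    """One finding per policy that uses a deprecated group ('deprecated') or
    that offers none of the recommended groups ('review')."""
    findings = []
    for version, policy_id, groups in parse_ike_policies(config_text):
        deprecated = sorted(set(groups) & DEPRECATED_DH_GROUPS)
        recommended = sorted(set(groups) & RECOMMENDED_DH_GROUPS)
        if deprecated:
            severity = "deprecated"
        elif not recommended:
            severity = "review"
        else:
            continue    # only strong groups configured: nothing to report
        findings.append({
            "policy": f"{version} policy {policy_id}",
            "groups": groups,
            "deprecated": deprecated,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in audit_dh_groups(SAMPLE_IKE_POLICIES):
        print(f"{f['severity']:10} {f['policy']}: groups {f['groups']}"
              f" deprecated {f['deprecated']}")
```

Policy 20 in the sample uses group 14, which is neither on the deprecated list nor among the recommended groups, so it is reported as "review" rather than "deprecated"; the same audit run over a real running-config gives a per-policy list to work through alongside the migration.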