Troubleshooting IPSec Site to Site VPN

Google ADs

Although IPSec is a very wide topic to cover but the following few commands and outputs are really helpful in initial troubleshooting.

TROUBLESHOOTING IPSEC

Troubleshooting Commands: IPSec site to site VPN

(A) “show crypto isakmp sa

By this command we can test the present status of the IPSec peering. The state should be “QM_IDLE”. Any other state suggests an issue (i.e. issue in crypto map; expired digital certificates; etc.)

Router#show crypto isakmp sa

Google ADs

Dst              
src           state         conn-id    slot        status
172.16.x.x   172.16.x.x     QM_IDLE     11    0    ACTIVE

172.16.x.x   172.16.x.x     QM_IDLE     12    0    ACTIVE

(B) “show crypto isakmp sa detail

This command shows the time (under lifetime parameter) by which the crypto session is established or stable. This clock runs in opposite manner. For example: – In below output, the time is 23:00:29, it means the crypto is established since 59 minutes 31 seconds. Somewhere it’s configured in span of 8 hrs & somewhere in 24 hrs span.

Router#show crypto isakmp sa detail

Codes: C – IKE configuration mode, D – Dead Peer Detection

       K – Keepalives, N – NAT-traversal

       X – IKE Extended Authentication

       psk – Preshared key, rsig – RSA signature

       renc – RSA encryption

C-id Local      Remote     I-VRF  Status Encr Hash Auth  DH  Lifetime  Cap.

11  172.16.x.x  172.16.x.x        ACTIVE 3des md5  rsig   2  23:00:29   D

Connection-id:Engine-id =  11:1(software)

Related – Site to Site VPN vs Remote Access VPN

(C) “Show crypto map

This command shows some configured parameters like peer addresses, Access-list which will initiate interest traffic to make IPSec tunnel up, Interfaces which use this crypto map

Note:-All the interfaces including backup link (i.e. BRI in case of ISDN) should be included under Interfaces using crypto map.

Router#show crypto map

Crypto Map: “TESTMAP” idb: Loopback1 local address: 172.16.x.x

Crypto Map “TESTMAP” 5 ipsec-isakmp

Description: ipsec tunnel to HO

Peer = 172.16.x.x

Peer = 172.16.x.y

Extended IP access list 118

access-list 118 deny ip any host 10.10.10.x

access-list 118 deny ip any host 10.10.10.x

access-list 118 permit ip host 10.1.0.x host 10.6.0.x

access-list 118 deny ip host 10.1.1.x host 10.6.0.x

access-list 118 permit ip 10.1.0.0 0.0.1.255 10.0.0.0 0.0.255.255

Current peer: 172.16.x.x

Security association lifetime: 4608000 kilobytes/3600 seconds

PFS (Y/N): N

Transform sets={

XYZMAP,

}

QOS pre-classification


Interfaces using crypto map TESTMAP:

Loopback0/1

Serial0/0

Serial0/1

BRI1/0

BRI1/0:1

BRI1/0:2

BRI1/0:1

BRI1/0:2

Virtual-Access1

(D) “Show crypto ca certificate

This command’s output confirms whether the digital certificate has been expired. It contains a start & end date-time.

Instant remedy is to configure some preshared keys like “crypto isakmp key abcd45ef address 172.16.x.x (remote peer)

Router# show crypto ca certificate

Certificate
Status: Available

Certificate Serial Number: 5DD5248C6C89369E95898431A40539E

Certificate Usage: General Purpose

Issuer:

cn=XYZ VPN IPSec Certificate Authority

ou=XYZ VPN

o=XYZ Company Limited

Subject:

Name: Router.xyz.com

Serial Number: 1C6E42BE

serialNumber=1C6E42BE+hostname=Router.xyz.com

CRL Distribution Points:

ldap://directory.safescrypt.com/CN = XYZ VPN IPSec Certificate Authority, O

U = XYZ VPN, O = XYZ Company Limited?certificaterevocationli

st;binary?base?objectclass=*

Validity Date:

start date: 05:30:00 IST Jan 4 2010

end   date: 05:29:59 IST Jan 5 2011

Associated Trustpoints: XYZ.com

ABOUT THE AUTHOR


Leave a Comment

Your email address will not be published. Required fields are marked *

Shopping Cart