Wednesday 11 March 2020

14 SHOW COMMANDS FOR IPSEC VPN

  1. sh crypto isakmp policy
  2. sh crypto isakmp sa
  3. sh crypto isakmp peer
  4. sh crypto isakmp key
  5. sh crypto ipsec transform-set
  6. sh cry ipsec sa
  7. sh crypto map
  8. sh crypto map interface serial 0
  9. sh crypto engine brief
  10. sh crypto engine configuration
  11. sh crypto engine connections active
  12. sh crypto engine connections flow
  13. sh crypto engine connections dropped-packet
  14. sh crypto call admission statistics

IPSEC VPN SHOW COMMANDS

1) R1#sh crypto isakmp policy

Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
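The two protection suites above differ in strength (AES-128 with DH group 5 for priority 10, DES with DH group 1 for the built-in default). The following script, added here as an example and not part of the original post, parses this exact output and flags each suite's weak points; the "avoid"/"legacy" thresholds are the script's own assumptions, loosely following Cisco's Next Generation Encryption guidance, and the function names are invented.

```python
import re

# Constructed sample input: the "show crypto isakmp policy" output shown above,
# embedded here so the script runs offline.
SAMPLE_POLICY_OUTPUT = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #5 (1536 bit)
        lifetime:               86400 seconds, no volume limit
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
"""

SUITE_RE = re.compile(r"^(Protection suite of priority (\d+)|Default protection suite)")
FIELD_RE = re.compile(r"^\s+([A-Za-z\- ]+?):\s+(.*)$")


def parse_isakmp_policies(text):
    """Split the output into one dict per protection suite, keyed by the IOS field name."""
    suites, current = [], None
    for line in text.splitlines():
        if m := SUITE_RE.match(line):
            current = {"name": m.group(1),
                       "priority": int(m.group(2)) if m.group(2) else None}
            suites.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return suites


def audit_suite(suite, min_dh_bits=2048):
    """Return findings for one suite. The thresholds are this script's own assumption,
    loosely following Cisco's Next Generation Encryption guidance."""
    findings = []
    enc = suite.get("encryption algorithm", "")
    hsh = suite.get("hash algorithm", "")
    dh = suite.get("Diffie-Hellman group", "")
    if re.match(r"(DES|Three key triple DES)\b", enc):
        findings.append(f"avoid: encryption is DES-family ({enc.split(' - ')[0]})")
    if hsh.startswith("Message Digest 5"):
        findings.append("avoid: hash is MD5")
    elif hsh == "Secure Hash Standard":
        # IOS prints plain "Secure Hash Standard" for SHA-1; SHA-2 variants print
        # "Secure Hash Standard 2 (... bit)".
        findings.append("legacy: hash is SHA-1")
    if m := re.search(r"\((\d+) bit\)", dh):
        bits = int(m.group(1))
        if bits < 1024:
            findings.append(f"avoid: DH modulus is {bits} bits")
        elif bits < min_dh_bits:
            findings.append(f"legacy: DH modulus is {bits} bits")
    return findings


def audit_policy_output(text):
    """Map each suite name to its findings; an empty list means nothing was flagged."""
    return {s["name"]: audit_suite(s) for s in parse_isakmp_policies(text)}


if __name__ == "__main__":
    for name, findings in audit_policy_output(SAMPLE_POLICY_OUTPUT).items():
        print(name)
        for f in findings or ["ok"]:
            print("   ", f)
```

Feed it the output of `sh crypto isakmp policy` from any router and it reports per suite; for the output above it flags the default suite's DES and 768-bit DH as "avoid" and SHA-1 and the 1536-bit group as "legacy".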



2) R1#sh crypto isakmp sa
dst             src             state           conn-id  slot  status
12.0.0.2        12.0.0.1        QM_IDLE         1        0     ACTIVE

3) R1#sh crypto isakmp peers
Peer: 12.0.0.2 Port: 500 Local: 12.0.0.1
 Phase1 id: 12.0.0.2

4) R1#sh crypto isakmp key
Keyring        Hostname/Address        Preshared Key
default        12.0.0.2                cisco@123

5) R1#sh crypto ipsec transform-set
Transform set TECHSTUFF: { esp-256-aes esp-sha-hmac  }
   will negotiate = { Tunnel,  },


6) R1#sh cry ipsec sa

interface: Serial0
    Crypto map tag: TECHMAP, local addr 12.0.0.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   current_peer 12.0.0.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 349, #pkts encrypt: 349, #pkts digest: 349
    #pkts decaps: 348, #pkts decrypt: 348, #pkts verify: 348
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 12.0.0.1, remote crypto endpt.: 12.0.0.2
     path mtu 1500, ip mtu 1500, ip mtu idb Serial0
     current outbound spi: 0x3F257E81(1059421825)

     inbound esp sas:
      spi: 0x8CE1C3FE(2363606014)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2001, flow_id: SW:1, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4484301/3224)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3F257E81(1059421825)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2002, flow_id: SW:2, crypto map: TECHMAP
        sa timing: remaining key lifetime (k/sec): (4484300/3221)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
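The `sh cry ipsec sa` output above is where tunnel health is read: the encaps/decaps counters, the send/recv error counters, the remaining key lifetime of each SA, replay detection and the ACTIVE status. The following parser and health check are added here as an example, not code from the original post; the sample is the output above trimmed to the lines the parser reads, the function names are invented, and the 300-second rekey warning threshold is the script's own assumption.

```python
import re

# Constructed sample input: the "show crypto ipsec sa" output shown above, trimmed to
# the lines this parser reads and embedded so the script runs offline.
SAMPLE_IPSEC_SA_OUTPUT = """\
interface: Serial0
   local  ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (20.0.0.0/255.255.255.0/0/0)
   current_peer 12.0.0.2 port 500
    #pkts encaps: 349, #pkts encrypt: 349, #pkts digest: 349
    #pkts decaps: 348, #pkts decrypt: 348, #pkts verify: 348
    #send errors 1, #recv errors 0

     current outbound spi: 0x3F257E81(1059421825)

     inbound esp sas:
      spi: 0x8CE1C3FE(2363606014)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4484301/3224)
        replay detection support: Y
        Status: ACTIVE

     outbound esp sas:
      spi: 0x3F257E81(1059421825)
        transform: esp-256-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        sa timing: remaining key lifetime (k/sec): (4484300/3221)
        replay detection support: Y
        Status: ACTIVE
"""


def parse_ipsec_sa(text):
    """Parse one crypto-map entry into identities, packet counters and per-SA details."""
    info = {"counters": {}, "sas": []}
    section, sa = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface: (\S+)", line):
            info["interface"] = m.group(1)
        elif m := re.match(r"current_peer (\S+) port (\d+)", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"(local|remote)\s+ident .*?: \((\S+)\)", line):
            info[m.group(1) + "_ident"] = m.group(2)
        elif line.startswith("#"):
            # Counter lines carry several "#name: value" pairs separated by commas.
            for key, val in re.findall(r"#(pkts \w+|send errors|recv errors):? (\d+)", line):
                info["counters"][key] = int(val)
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section, sa = f"{m.group(1)} {m.group(2)}", None
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", line):
            sa = {"direction": section, "spi": m.group(1)}
            info["sas"].append(sa)
        elif sa is not None:
            if m := re.match(r"transform: (.*)", line):
                sa["transform"] = m.group(1).strip(" ,")
            elif m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
                sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
            elif m := re.match(r"replay detection support: (\w)", line):
                sa["replay"] = m.group(1) == "Y"
            elif m := re.match(r"Status: (\w+)", line):
                sa["status"] = m.group(1)
    return info


def check_tunnel(info, min_remaining_sec=300):
    """Return health findings; the rekey warning threshold is this script's own choice."""
    findings = []
    c = info["counters"]
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append(f"send/recv errors: {c.get('send errors', 0)}/{c.get('recv errors', 0)}")
    if c.get("pkts encaps", 0) > 0 and c.get("pkts decaps", 0) == 0:
        findings.append("one-way traffic: packets encapsulated but none decapsulated")
    active = {sa["direction"] for sa in info["sas"] if sa.get("status") == "ACTIVE"}
    for needed in ("inbound esp", "outbound esp"):
        if needed not in active:
            findings.append(f"no ACTIVE {needed} SA")
    for sa in info["sas"]:
        if not sa.get("replay", False):
            findings.append(f"replay detection off on SA {sa['spi']}")
        if sa.get("remaining_sec", 0) < min_remaining_sec:
            findings.append(f"SA {sa['spi']} rekeys in {sa.get('remaining_sec')} s")
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sa(SAMPLE_IPSEC_SA_OUTPUT)
    print(f"{parsed['local_ident']} <-> {parsed['remote_ident']} via {parsed['peer']}")
    for f in check_tunnel(parsed) or ["ok"]:
        print("   ", f)
```

For the output above the only finding is the single send error; an encaps count that grows while decaps stays at zero, a missing ACTIVE inbound or outbound ESP SA, or replay detection reported as N would each be reported separately.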


7) R1#sh crypto map
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.2
        Extended IP access list 100
            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
        Current peer: 12.0.0.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TECHSTUFF,
        }
        Interfaces using crypto map TECHMAP:
                Serial0

8) R1#sh crypto map interface serial 0 =======> most useful command
Crypto Map "TECHMAP" 10 ipsec-isakmp
        Peer = 12.0.0.2
        Extended IP access list 100
            access-list 100 permit ip 10.0.0.0 0.0.0.255 20.0.0.0 0.0.0.255
        Current peer: 12.0.0.2
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TECHSTUFF,
        }
        Interfaces using crypto map TECHMAP:
                Serial0



9) R1#sh crypto engine brief

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  FF1045C5
       crypto engine state:  installed
     crypto engine in slot:  N/A

10) R1#sh crypto engine configuration

        crypto engine name:  Cisco VPN Software Implementation
        crypto engine type:  software
             serial number:  FF1045C5
       crypto engine state:  installed
     crypto engine in slot:  N/A
                  platform:  Cisco Software Crypto Engine

   Crypto Adjacency Counts:
                Lock Count:  603
              Unlock Count:  603
        crypto lib version:  19.0.0

11) R1#sh crypto engine connections active

  ID Interface        IP-Address      State  Algorithm          Encrypt  Decrypt
   1 Serial0          12.0.0.1        set    HMAC_SHA+AES_CBC         0        0
2001 Serial0          12.0.0.1        set    AES256+SHA               0      675
2002 Serial0          12.0.0.1        set    AES256+SHA             676        0

12) R1#sh crypto engine connections flow
Crypto engine: Software Crypto Engine
      flow_id   ah_conn_id  esp_conn_id     comp_spi
            1       <none>         2001       <none>
            2       <none>         2002       <none>

13) R1#sh crypto engine connections dropped-packet
No dropped packets.

14) R1#sh crypto call admission statistics
---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:        0 Max IKE SAs:     0
Total IKE SA Count:           1 active:          1 negotiating:     0
Incoming IKE Requests:        0 accepted:        0 rejected:        0
Outgoing IKE Requests:        1 accepted:        1 rejected:        0
Rejected IKE Requests:        0 rsrc low:        0 SA limit:        0

