Re: IPsec question

From: Matthew.Sypherd@xxxxxxx
Date: Sat Jun 02 2001 - 15:54:36 GMT-3

David,

     Since you have sa's built (as per your sh crypto isakmp sa), isakmp is
trying to use them instead of fetching the new isakmp configurations on
either side. Clearing the sa's should help you at least see new debugs.
     I like to run "clear crypto sa" and watch the debugs when debugging
crypto ipsec & isakmp. A lot of stuff happens, but that way you can trace
the debug output and watch for isakmp negotiations to complete and ipsec
negotiations to start. If you never get any ipsec output, then check the
isakmp settings/log output (verify you are debugging for ipsec!!!) - ipsec
won't work without it.

     RTP in 13 days and counting....

     Matthew C. Sypherd
     matthew@sypherd.com
     CCNP+Security CCDP MCSE CCSE

David Anderson <dma@cisco.com>@groupstudy.com
06/02/2001 12:59 PM

Please respond to David Anderson <dma@cisco.com>

Sent by: nobody@groupstudy.com

To: ccielab@groupstudy.com
cc:

Subject: IPsec question

Hi all,
I have a question about IPsec debug output. I have the following debugs
running on both the sending and receiving routers:
debug crypto ipsec
debug crypto isakmp
debug ip packet

When I ping from the source to the destination defined in my access-list, I
get no debug output. It looks like it is working, but I am just curious
as to why I do not receive any debug output. When I use the following show
commands, this is what I get; it is the same on the receiving
router. Any ideas?
Thanks,
David

router1#sh crypto isakmp sa
     dst src state conn-id slot
1.1.1.1 6.6.6.6 QM_IDLE 2 0
6.6.6.6 1.1.1.1 QM_IDLE 1 0

router1#sh crypto map
Crypto Map: "secret" idb: Loopback1 local address: 1.1.1.1

Crypto Map "secret" 10 ipsec-isakmp
         Peer = 6.6.6.6
         Extended IP access list 101
             access-list 101 permit ip host 1.1.1.1 host 6.6.6.6
         Current peer: 6.6.6.6
         Security association lifetime: 4608000 kilobytes/3600 seconds
         PFS (Y/N): N
         Transform sets={ TMA, }
         Interfaces using crypto map secret:
                 Serial1
                 Tunnel0

router1#sh crypto ipsec sa ?
   address IPSEC SA table in (dest) address order
   detail show counter detail
   identity IPSEC SADB identity tree
   interface Show info for specific interface
   map IPSEC SA table for a specific crypto map
   | Output modifiers
   <cr>

router1#sh crypto ipsec sa

interface: Tunnel0
     Crypto map tag: secret, local addr. 1.1.1.1

    local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
    current_peer: 6.6.6.6
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
     #pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
     #send errors 2, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
      path mtu 1514, media mtu 1514
      current outbound spi: 63023E0

      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607982/1903)
         IV size: 8 bytes
         replay detection support: N

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607978/1894)
         IV size: 8 bytes
         replay detection support: N

      outbound ah sas:

      outbound pcp sas:

interface: Serial1
     Crypto map tag: secret, local addr. 1.1.1.1

    local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
    current_peer: 6.6.6.6
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 527, #pkts encrypt: 527, #pkts digest 0
     #pkts decaps: 527, #pkts decrypt: 527, #pkts verify 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
     #send errors 2, #recv errors 0

      local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
      path mtu 1514, media mtu 1514
      current outbound spi: 63023E0

      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607981/1894)
         IV size: 8 bytes
         replay detection support: N

      inbound ah sas:

      inbound pcp sas:

      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         in use settings ={Tunnel, }
         slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
         sa timing: remaining key lifetime (k/sec): (4607978/1885)
         IV size: 8 bytes
         replay detection support: N

      outbound ah sas:

      outbound pcp sas:
David Anderson
Network Design Engineer
Enterprise Solutions Architecture & Design
(408) 853-5515
dma@cisco.com
**Please read:http://www.groupstudy.com/list/posting.html
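An added example, not code from either post: a small parser for the `show crypto ipsec sa` output David quoted, plus an audit of what that output shows. Matthew's point is that the existing SAs (QM_IDLE, counters climbing) explain the silent debugs; the same output also records the SA properties a reviewer would question: esp-des as the only transform, `#pkts digest 0` (ESP with no authentication transform), and `replay detection support: N`. The sample text is a constructed, trimmed copy of the Tunnel0 section; the function names `parse_ipsec_sa` and `audit` are my own.

```python
import re

# Constructed sample: trimmed from the "show crypto ipsec sa" output in the thread
SAMPLE = """\
interface: Tunnel0
     #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
     #pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
      inbound esp sas:
       spi: 0x99A23FC(161096700)
         transform: esp-des ,
         replay detection support: N
      outbound esp sas:
       spi: 0x63023E0(103818208)
         transform: esp-des ,
         replay detection support: N
"""

def parse_ipsec_sa(text):  # -> {interface: {"counters": {...}, "sas": [...]}}
    result, iface, direction, sa = {}, None, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("interface:"):
            iface = s.split(":", 1)[1].strip()
            result[iface] = {"counters": {}, "sas": []}
        elif s.startswith("#"):  # "#pkts encaps: 526, ..., #pkts digest 0"
            for name, val in re.findall(r"#([\w. ]+?):? (\d+)", s):
                result[iface]["counters"][name.strip()] = int(val)
        elif s.endswith("sas:"):
            direction = s.split()[0]  # inbound / outbound
        elif s.startswith("spi:"):  # "spi: 0x99A23FC(161096700)"
            sa = {"direction": direction, "spi": int(s.split()[1].split("(")[0], 16)}
            result[iface]["sas"].append(sa)
        elif sa and s.startswith("transform:"):
            sa["transform"] = s.split(":", 1)[1].strip(" ,")
        elif sa and s.startswith("replay detection support:"):
            sa["replay"] = s.endswith("Y")
    return result

def audit(parsed):  # flag the settings in this output a reviewer would question
    findings = []
    for iface, data in parsed.items():
        c = data["counters"]
        if c.get("pkts encrypt") and not c.get("pkts digest"):
            findings.append(f"{iface}: ESP without integrity (digest count 0)")
        for sa in data["sas"]:
            if sa.get("transform") in ("esp-des", "esp-null"):  # single DES / no encryption
                findings.append(f"{iface}: {sa['direction']} SA uses {sa['transform']}")
            if not sa.get("replay"):
                findings.append(f"{iface}: {sa['direction']} SA replay detection off")
    return findings
```

Run `audit(parse_ipsec_sa(SAMPLE))` to get the list of findings; the same parser accepts the full multi-interface output from the post.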



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:17 GMT-3