Re: IPsec question

From: John Elias (jelias_@xxxxxxxxxxx)
Date: Sat Jun 02 2001 - 16:17:51 GMT-3


   
Dave,

Do a "show crypto engine connection active", I believe this is the command.
Notice the output on the left before you ping, then ping and see if the
output incremented by five.

John

>From: David Anderson <dma@cisco.com>
>Reply-To: David Anderson <dma@cisco.com>
>To: ccielab@groupstudy.com
>Subject: IPsec question
>Date: Sat, 02 Jun 2001 10:59:58 -0700
>
>Hi all,
>I have a question about IPsec debug output. I have the following debugs
>running on both the sending and receiving routers:
>debug crypto ipsec
>debug crypto isakmp
>debug ip packet
>
>When I ping from the source to the destination defined in my access-list, I
>get no debug output. It looks like it is working, but I am just curious
>as to why I do not receive any debug output. When I use the following show
>commands, this is what I get:....it is the same on the receiving
>router. Any ideas?
>Thanks,
>David
>
>router1#sh crypto isakmp sa
> dst src state conn-id slot
>1.1.1.1 6.6.6.6 QM_IDLE 2 0
>6.6.6.6 1.1.1.1 QM_IDLE 1 0
>
>
>router1#sh crypto map
>Crypto Map: "secret" idb: Loopback1 local address: 1.1.1.1
>
>Crypto Map "secret" 10 ipsec-isakmp
> Peer = 6.6.6.6
> Extended IP access list 101
> access-list 101 permit ip host 1.1.1.1 host 6.6.6.6
> Current peer: 6.6.6.6
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={ TMA, }
> Interfaces using crypto map secret:
> Serial1
> Tunnel0
>
>
>router1#sh crypto ipsec sa ?
> address IPSEC SA table in (dest) address order
> detail show counter detail
> identity IPSEC SADB identity tree
> interface Show info for specific interface
> map IPSEC SA table for a specific crypto map
> | Output modifiers
> <cr>
>
>router1#sh crypto ipsec sa
>
>interface: Tunnel0
> Crypto map tag: secret, local addr. 1.1.1.1
>
> local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
> current_peer: 6.6.6.6
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
> #pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
>failed: 0
> #send errors 2, #recv errors 0
>
> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
> path mtu 1514, media mtu 1514
> current outbound spi: 63023E0
>
> inbound esp sas:
> spi: 0x99A23FC(161096700)
> transform: esp-des ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
> sa timing: remaining key lifetime (k/sec): (4607982/1903)
> IV size: 8 bytes
> replay detection support: N
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0x63023E0(103818208)
> transform: esp-des ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
> sa timing: remaining key lifetime (k/sec): (4607978/1894)
> IV size: 8 bytes
> replay detection support: N
>
> outbound ah sas:
>
> outbound pcp sas:
>
>
>
>interface: Serial1
> Crypto map tag: secret, local addr. 1.1.1.1
>
> local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
> remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
> current_peer: 6.6.6.6
> PERMIT, flags={origin_is_acl,}
> #pkts encaps: 527, #pkts encrypt: 527, #pkts digest 0
> #pkts decaps: 527, #pkts decrypt: 527, #pkts verify 0
> #pkts compressed: 0, #pkts decompressed: 0
> #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress
>failed: 0
> #send errors 2, #recv errors 0
>
> local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
> path mtu 1514, media mtu 1514
> current outbound spi: 63023E0
>
> inbound esp sas:
> spi: 0x99A23FC(161096700)
> transform: esp-des ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
> sa timing: remaining key lifetime (k/sec): (4607981/1894)
> IV size: 8 bytes
> replay detection support: N
>
> inbound ah sas:
>
> inbound pcp sas:
>
> outbound esp sas:
> spi: 0x63023E0(103818208)
> transform: esp-des ,
> in use settings ={Tunnel, }
> slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
> sa timing: remaining key lifetime (k/sec): (4607978/1885)
> IV size: 8 bytes
> replay detection support: N
>
> outbound ah sas:
>
> outbound pcp sas:
>David Anderson
>Network Design Engineer
>Enterprise Solutions Architecture & Design
>(408) 853-5515
>dma@cisco.com
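As an added example (not from the thread or from Cisco), a small Python parser that performs John's before-and-after check on the "sh crypto ipsec sa" output David posted: it diffs the encaps/decaps counters between two snapshots taken around a ping, and also flags the SA settings a reviewer would note in that output (single DES transform, replay detection off). The two snapshots are constructed from the quoted format, trimmed to the lines the parser needs.

```python
import re

# Constructed snapshots shaped like the "sh crypto ipsec sa" output quoted above;
# AFTER simulates the counters after a default five-packet ping.
BEFORE = """\
interface: Serial1
 Crypto map tag: secret, local addr. 1.1.1.1
 #pkts encaps: 527, #pkts encrypt: 527, #pkts digest 0
 #pkts decaps: 527, #pkts decrypt: 527, #pkts verify 0
 #send errors 2, #recv errors 0
 inbound esp sas:
 transform: esp-des ,
 replay detection support: N
"""
AFTER = BEFORE.replace("527", "532")

IFACE_RE = re.compile(r"^interface:\s*(\S+)")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")

def parse_sa(text):
    """Map each 'interface:' block to its packet counters and weak SA settings."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            current = blocks.setdefault(m.group(1), {"counters": {}, "weak": []})
            continue
        if current is None:
            continue
        for name, val in COUNTER_RE.findall(line):
            current["counters"][name] = int(val)
        # Settings worth flagging: single DES and no anti-replay window.
        if line.startswith("transform:") and "esp-des" in line.split():
            current["weak"].append("esp-des")
        if line.startswith("replay detection support: N"):
            current["weak"].append("no-replay-detection")
    return blocks

def counter_delta(before, after):
    """Per-interface increase of each counter between two snapshots."""
    b, a = parse_sa(before), parse_sa(after)
    return {ifc: {k: a[ifc]["counters"][k] - v for k, v in b[ifc]["counters"].items()}
            for ifc in b if ifc in a}

def ping_was_encrypted(before, after, iface, count=5):
    """True if at least 'count' packets were encapsulated and decapsulated on the SA."""
    d = counter_delta(before, after)[iface]
    return d.get("encaps", 0) >= count and d.get("decaps", 0) >= count
```

Because the traffic is encapsulated before it reaches the IP forwarding path that "debug ip packet" watches, the counter delta is the reliable evidence that the SA carried the ping.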



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:17 GMT-3