From: Andrew Lennon (andrew.lennon@xxxxxxxxxxxxx)
Date: Sat Jun 02 2001 - 16:44:01 GMT-3
David,
Are you doing an extended ping???
Andy
-----Original Message-----
From: David Anderson [mailto:dma@cisco.com]
Sent: 02 June 2001 19:00
To: ccielab@groupstudy.com
Subject: IPsec question
Hi all,
I have a question about IPsec debug output. I have the following debugs
running on both the sending and receiving routers:
debug crypto ipsec
debug crypto isakmp
debug ip packet
When I ping from the source to the destination defined in my access-list, I
get no debug output. It looks like it is working, but I am just curious
as to why I do not receive any debug output. When I use the following show
commands, this is what I get (it is the same on the receiving
router). Any ideas?
Thanks,
David
router1#sh crypto isakmp sa
dst src state conn-id slot
1.1.1.1 6.6.6.6 QM_IDLE 2 0
6.6.6.6 1.1.1.1 QM_IDLE 1 0
router1#sh crypto map
Crypto Map: "secret" idb: Loopback1 local address: 1.1.1.1
Crypto Map "secret" 10 ipsec-isakmp
Peer = 6.6.6.6
Extended IP access list 101
access-list 101 permit ip host 1.1.1.1 host 6.6.6.6
Current peer: 6.6.6.6
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={ TMA, }
Interfaces using crypto map secret:
Serial1
Tunnel0
router1#sh crypto ipsec sa ?
address IPSEC SA table in (dest) address order
detail show counter detail
identity IPSEC SADB identity tree
interface Show info for specific interface
map IPSEC SA table for a specific crypto map
| Output modifiers
<cr>
router1#sh crypto ipsec sa
interface: Tunnel0
Crypto map tag: secret, local addr. 1.1.1.1
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
current_peer: 6.6.6.6
PERMIT, flags={origin_is_acl,}
#pkts encaps: 526, #pkts encrypt: 526, #pkts digest 0
#pkts decaps: 526, #pkts decrypt: 526, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
path mtu 1514, media mtu 1514
current outbound spi: 63023E0
inbound esp sas:
spi: 0x99A23FC(161096700)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
sa timing: remaining key lifetime (k/sec): (4607982/1903)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x63023E0(103818208)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
sa timing: remaining key lifetime (k/sec): (4607978/1894)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
interface: Serial1
Crypto map tag: secret, local addr. 1.1.1.1
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (6.6.6.6/255.255.255.255/0/0)
current_peer: 6.6.6.6
PERMIT, flags={origin_is_acl,}
#pkts encaps: 527, #pkts encrypt: 527, #pkts digest 0
#pkts decaps: 527, #pkts decrypt: 527, #pkts verify 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 2, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 6.6.6.6
path mtu 1514, media mtu 1514
current outbound spi: 63023E0
inbound esp sas:
spi: 0x99A23FC(161096700)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2004, flow_id: 5, crypto map: secret
sa timing: remaining key lifetime (k/sec): (4607981/1894)
IV size: 8 bytes
replay detection support: N
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x63023E0(103818208)
transform: esp-des ,
in use settings ={Tunnel, }
slot: 0, conn id: 2005, flow_id: 6, crypto map: secret
sa timing: remaining key lifetime (k/sec): (4607978/1885)
IV size: 8 bytes
replay detection support: N
outbound ah sas:
outbound pcp sas:
David Anderson
Network Design Engineer
Enterprise Solutions Architecture & Design
(408) 853-5515
dma@cisco.com
**Please read:http://www.groupstudy.com/list/posting.html
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:31:17 GMT-3