Listing ipsec SAs cipher keys from IOS?

Unanswered Question
Feb 28th, 2008

In IOS, is it possible to list the esp SA's encryption keys that were negotiated by isakmp for an ipsec tunnel? I've searched the CLI options but it doesn't seem to be possible...

I'm trying to diagnose what is happening inside an ipsec tunnel with a sniffer such as wireshark.



ivillegas Wed, 03/05/2008 - 14:08

You can use the command show crypto map <> to find the encryption key negotiated during the conversation.

Jean-Christophe... Thu, 03/06/2008 - 10:18

"show crypto map xxxxx" doesn't show the encryption key, at least not on this IOS (12.2(33)SRA6):


    Crypto Map "XXXXX" 65590 ipsec-isakmp
    Peer = x.x.x.x
    Extended IP access list
    access-list permit ip x.x.x.x host x.x.x.x
    dynamic (created from dynamic map xxxxx/1)
    Current peer: x.x.x.x
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Security association idletime: 300 seconds
    PFS (Y/N): Y
    DH group: group2
    Transform sets={



