verifying IPSec on IOS / router

Answered Question
Jul 14th, 2008

Is there a way to verify from Cisco router syslogs that an IPSec tunnel is being successfully established with another Cisco router / peer? I've been looking at the System Message manuals (SEC, Crypto events) and only see stuff that would indicate problems. I would like to be able to check syslogs to validate that a tunnel came up without issue, or if a tunnel drops, etc., but I'm not sure what these messages look like.

thanks

-randy

randytoni Mon, 07/14/2008 - 09:31

Hi Jorge - thanks for the quick reply - the situation here is that this is a managed router (I do not have access to the console). The only visibility I have is the syslog data that's generated by the router and sent to me. Does the router create a log entry when a tunnel is built, or when keys are exchanged, or for any other operational (normal) IPSec events?

thanks

-randy

Correct Answer
JORGE RODRIGUEZ Mon, 07/14/2008 - 10:24

Randy, I understand now!

What I would do in this case is a couple of things, but this still needs some minor configuration on the router. It depends on the managed router provider, but you should be able to let the provider know that you want to get syslog traps from the router to your syslog server, and they should be able to provide this to you. After all, you are paying for services even though it is a managed router by the provider.

On the router they would configure a secondary logging server.

e.g.

say your syslog server is 20.20.20.20

router(config)#logging 20.20.20.20

router(config)#logging trap informational

The above "informational" is facility #6 out of the 7 levels of facility, 0 being emergencies, 1 alerts, 2 critical and so on. I believe with this facility # you will see tunnel info on the syslog.

Additionally, on the access-lists pertaining to the L2L IPsec tunnel, add the keyword log at the end of each of its access-list entries; with the keyword log the router will send traps pertaining to the access-list to your syslog, thus showing you whether the connection is established or not.

Rgds

-Jorge

michael.leblanc Mon, 07/14/2008 - 15:41

Personally, I don't think you want to log every IPSec related Access Control Entry match, as has been recommended to you.

You might want to consider the following command:

router(config)#crypto logging session

Sample syslog message:

13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer aaa.bbb.ccc.ddd:500 Id: router-B.domain.com
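The two answers above describe the pieces a receiver needs: the `logging trap <level>` setting decides which severities leave the router, and `crypto logging session` produces the %CRYPTO-5-SESSION_STATUS message whose body carries the tunnel state, peer and identity. The following Python is an added example written for this thread (it is not code from any of the posters or from Cisco) that parses lines in the format of the sample message above, applies the IOS trap-level filter, and replays a log into a per-peer tunnel state summary. It assumes the standard IOS severity keywords (emergencies 0 through debugging 7, lower number = more severe) and that a message is forwarded when its severity number is less than or equal to the configured trap level; the sample log lines are constructed for the example, with addresses from the 192.0.2.0/24 documentation range.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IOS "logging trap <level>" keywords and their numeric severities (0 = most severe).
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Matches the %FACILITY-SEVERITY-MNEMONIC: text part of an IOS syslog line; the
# optional sequence number, hostname and timestamp in front of it are ignored.
MSG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$"
)

# Matches the body of a CRYPTO-5-SESSION_STATUS message (the thread's sample format).
SESSION_RE = re.compile(
    r"Crypto tunnel is (?P<state>UP|DOWN)\s*\.\s*Peer\s+(?P<peer>\S+?):(?P<port>\d+)\s+Id:\s*(?P<ident>\S+)"
)


@dataclass
class CryptoEvent:
    raw: str
    severity: int
    mnemonic: str
    state: Optional[str]   # "UP" / "DOWN" for SESSION_STATUS messages, else None
    peer: Optional[str]
    ident: Optional[str]


def parse_line(line: str) -> Optional[CryptoEvent]:
    """Return a CryptoEvent for a CRYPTO-facility message, or None for anything else."""
    m = MSG_RE.search(line)
    if not m or m.group("facility") != "CRYPTO":
        return None
    state = peer = ident = None
    if m.group("mnemonic") == "SESSION_STATUS":
        s = SESSION_RE.search(m.group("text"))
        if s:
            state, peer, ident = s.group("state"), s.group("peer"), s.group("ident")
    return CryptoEvent(line, int(m.group("severity")), m.group("mnemonic"), state, peer, ident)


def forwarded_at(trap_level: str, severity: int) -> bool:
    """True if `logging trap <trap_level>` would send a message of this severity to the syslog host."""
    return severity <= SEVERITY_LEVELS[trap_level]


def tunnel_states(lines: List[str], trap_level: str = "informational") -> Dict[str, dict]:
    """Replay the log and return, per peer, the last tunnel state seen and the count of DOWN events."""
    result: Dict[str, dict] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.state is None or not forwarded_at(trap_level, ev.severity):
            continue
        entry = result.setdefault(ev.peer, {"state": None, "ident": ev.ident, "downs": 0})
        entry["state"] = ev.state
        if ev.state == "DOWN":
            entry["downs"] += 1
    return result


# Constructed sample lines for this example (not taken from the original post).
SAMPLE_LOG = [
    "13770: router-A: Jul 14 19:23:17.831 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is DOWN. Peer 192.0.2.2:500 Id: router-B.example.com",
    "13771: router-A: Jul 14 19:23:45.102 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 192.0.2.2:500 Id: router-B.example.com",
    "13772: router-A: Jul 14 19:24:01.553 EDT: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 192.0.2.9",
    "13773: router-A: Jul 14 19:30:00.000 EDT: %SYS-5-CONFIG_I: Configured from console by vty0",
    "13774: router-A: Jul 14 19:31:12.004 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  . Peer 192.0.2.3:500 Id: 192.0.2.3",
]

if __name__ == "__main__":
    for peer, info in tunnel_states(SAMPLE_LOG).items():
        print(f"{peer} ({info['ident']}): last state {info['state']}, DOWN events {info['downs']}")
```

Because SESSION_STATUS is severity 5, it is forwarded under `logging trap informational` (6) and also under `notifications` (5), but not under `warnings` (4) or lower; `tunnel_states(SAMPLE_LOG, trap_level="errors")` therefore returns nothing, which is the check to run before concluding that a silent syslog means a healthy tunnel.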
