How to check the status of the ipsec VPN tunnel?

Mohit Chauhan
Level 1

Hi friends,

I am sure this would be a piece of cake for those acquainted with VPNs. I was trying to bring up a VPN tunnel (IPsec) using a pre-shared key.

The good thing is that it seems to be working, as I can ping the LAN interface of the other end (router B) using the LAN interface of this router (router A) as the source.

Below is the config snapshot for the VPN:

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
crypto isakmp key cisco address 30.0.0.1
!
!
crypto ipsec transform-set my-transform esp-3des esp-sha-hmac
!
crypto map branch-map 10 ipsec-isakmp
 set peer 30.0.0.1
 set transform-set my-transform
 match address 101
!
interface FastEthernet0/1
 description WAN
 ip address 20.0.0.1 255.255.255.252
 duplex auto
 speed auto
 crypto map branch-map
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255

The good thing is that I can ping the other end of the tunnel, which is great. However, I wanted to know the appropriate "show" commands I could use to confirm the same.

I used the following "show" commands, "show crypto isakmp sa" and "sh crypto ipsec sa", and below are their outputs:

Router A#sho crypto isakmp sa
dst             src             state          conn-id slot
30.0.0.1        20.0.0.1        QM_IDLE              2    0

Router A#sho crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: branch-map, local addr. 20.0.0.1

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer: 30.0.0.1:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1059, #pkts encrypt: 1059, #pkts digest 1059
    #pkts decaps: 1059, #pkts decrypt: 1059, #pkts verify 1059
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 1, #recv errors 0

     local crypto endpt.: 20.0.0.1, remote crypto endpt.: 30.0.0.1
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: E8FF5480

     inbound esp sas:
      spi: 0xCD7BC975(3447441781)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2002, flow_id: 3, crypto map: branch-map
        sa timing: remaining key lifetime (k/sec): (4553941/2400)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE8FF5480(3909047424)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2003, flow_id: 4, crypto map: branch-map
        sa timing: remaining key lifetime (k/sec): (4553941/2398)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

My concern was that the output of "sh crypto isakmp sa" was always showing "QM_IDLE", and it remained the same even when I shut down the WAN interface of the router.

Is there any other command that I am missing??

Thanks!

Regards,

Mohit

2 Replies

rizwanr74
Level 7

Hi Mohit,

The "QM_IDLE" state will remain until the security association expires, after which it will go to the "deleted" state.

Here are a few more commands you can use to verify the IPsec tunnel:

show crypto ipsec sa detail
show crypto ipsec sa

Thanks

Rizwan Rafeek

olpeleri
Cisco Employee

Hello,

Coming back to your initial question:

"My concern was that the output of "sh crypto isakmp sa" was always showing "QM_IDLE", and it remained the same even when I shut down the WAN interface of the router.

Is there any other command that I am missing??"

If you shut down the WAN interface, the ISAKMP Phase I and Phase II SAs will remain until a rekey happens. At that stage, after retransmitting packets, we will flush the Phase I and the Phase II.

If you are looking at flushing the tunnel when the interface goes down, then you have to enable keepalives:

crypto isakmp keepalive 60 5

Cheers
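Both replies make the same point: QM_IDLE and a present ESP SA only tell you that negotiation once succeeded, not that traffic is flowing now. The check below turns that into code. It is an added example, not code from this thread or from Cisco: the parsers are written against the output format Mohit posted (assumed to be stable), the sample snapshots are constructed from his counters, and the health rule is the one a practitioner applies by hand, namely that between two snapshots the encaps and decaps counters must both move, with a rising encaps but static decaps meaning one-way traffic and a dead peer or path.

```python
"""Sanity-check a Cisco IOS IPsec tunnel from the text of 'show crypto isakmp sa'
and two snapshots of 'show crypto ipsec sa'.  Added example for this thread; the
parsers are modelled on the output format posted above, not on any Cisco API."""
import re
from dataclasses import dataclass, field

# Constructed sample: the single ISAKMP SA from the thread.
ISAKMP_SA = """\
dst             src             state          conn-id slot
30.0.0.1        20.0.0.1        QM_IDLE              2    0
"""

# Constructed template reproducing the relevant lines of the thread's
# 'show crypto ipsec sa' output, so several snapshots can be generated.
_IPSEC_TEMPLATE = """\
interface: FastEthernet0/1
    Crypto map tag: branch-map, local addr. 20.0.0.1
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.0.0/255.255.255.0/0/0)
   current_peer: 30.0.0.1:500
    #pkts encaps: {enc}, #pkts encrypt: {enc}, #pkts digest {enc}
    #pkts decaps: {dec}, #pkts decrypt: {dec}, #pkts verify {dec}
    #send errors {serr}, #recv errors 0
     inbound esp sas:
      spi: 0xCD7BC975(3447441781)
        sa timing: remaining key lifetime (k/sec): (4553941/{life})
     outbound esp sas:
      spi: 0xE8FF5480(3909047424)
        sa timing: remaining key lifetime (k/sec): (4553941/{life2})
"""

def sample_ipsec_sa(enc, dec, serr=1, life=2400):
    """Build a constructed 'show crypto ipsec sa' snapshot with the given counters."""
    return _IPSEC_TEMPLATE.format(enc=enc, dec=dec, serr=serr, life=life, life2=life - 2)

_COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")
_ERR_RE = re.compile(r"#send errors (\d+), #recv errors (\d+)")
_SPI_RE = re.compile(r"spi: 0x([0-9A-Fa-f]+)")
_LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \(\d+/(\d+)\)")

@dataclass
class IpsecSnapshot:
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    spis: list = field(default_factory=list)
    min_lifetime_sec: int = 0

def isakmp_states(text):
    """Map each ISAKMP SA's dst address to its state column (e.g. QM_IDLE)."""
    states = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] != "dst":   # skip the header row
            states[parts[0]] = parts[2]
    return states

def parse_ipsec_sa(text):
    """Pull the counters, SPIs and shortest remaining SA lifetime out of the output."""
    snap = IpsecSnapshot()
    for name, value in _COUNTER_RE.findall(text):
        setattr(snap, name, int(value))
    m = _ERR_RE.search(text)
    if m:
        snap.send_errors, snap.recv_errors = int(m.group(1)), int(m.group(2))
    snap.spis = _SPI_RE.findall(text)
    snap.min_lifetime_sec = min((int(s) for s in _LIFE_RE.findall(text)), default=0)
    return snap

def assess(isakmp_text, before, after):
    """Return a list of problems; an empty list means the tunnel looks healthy.
    Two snapshots are compared because QM_IDLE plus a present SA only shows that
    negotiation once succeeded, not that traffic is flowing both ways right now."""
    findings = []
    states = isakmp_states(isakmp_text)
    if not states:
        findings.append("no ISAKMP SA present: phase 1 has not completed")
    for peer, state in states.items():
        if state != "QM_IDLE":
            findings.append(f"phase 1 with {peer} not established (state {state})")
    if not after.spis:
        findings.append("no ESP SAs present: phase 2 has not completed")
    d_enc = after.encaps - before.encaps
    d_dec = after.decaps - before.decaps
    if d_enc > 0 and d_dec == 0:
        findings.append(f"{d_enc} packets encrypted but none decrypted: one-way traffic, peer or path likely down")
    elif d_enc == 0 and d_dec == 0:
        findings.append("encaps/decaps counters did not move: no traffic between snapshots")
    if after.send_errors > before.send_errors:
        findings.append(f"send errors rose by {after.send_errors - before.send_errors}")
    if after.spis and after.min_lifetime_sec < 60:
        findings.append("an SA is within 60 s of expiry: watch for a clean rekey")
    return findings

if __name__ == "__main__":
    t0 = parse_ipsec_sa(sample_ipsec_sa(1059, 1059))   # the counters from the thread
    t1 = parse_ipsec_sa(sample_ipsec_sa(1109, 1109))   # both directions moved: healthy
    t2 = parse_ipsec_sa(sample_ipsec_sa(1159, 1109, serr=3))  # only encaps moved: one-way
    print("healthy:", assess(ISAKMP_SA, t0, t1) or "OK")
    print("one-way:", assess(ISAKMP_SA, t1, t2))
```

In practice the two snapshots would be taken a minute or so apart while a ping is running across the tunnel; a static decaps counter with a rising encaps counter is exactly the picture you see after the peer's WAN interface goes down but before the keepalives above have torn the SAs down.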
