identify connected VPN

toyinsekoni
Level 1

Hello, is there any command that can show the number of VPN connections to the PIX firewall, the IP addresses it has leased to these connections and the source IP? Like the "show ssh session" will do.

Thanks

D.

Accepted Solutions

jackko
Level 7

"sh crypto ipsec sa" will provide the required info. However, it provides many other statistics as well, which may not be required.

e.g.

pix# sh cry ips sa

interface: outside

Crypto map tag: csgvpn, local addr.

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (/255.255.255.255/0/0)

current_peer: 220.233.111.107:4500

dynamic allocated peer ip:

PERMIT, flags={transport_parent,}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4

#pkts decaps: 4, #pkts decrypt: 4, #pkts verify 4

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: , remote crypto endpt.:

path mtu 1500, ipsec overhead 64, media mtu 1500

current outbound spi: 4262e8b6

inbound esp sas:

spi: 0x26a0e09f(648077471)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 6, crypto map: csgvpn

sa timing: remaining key lifetime (k/sec): (4607999/28720)

IV size: 8 bytes

replay detection support: Y

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x4262e8b6(1113778358)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 5, crypto map: csgvpn

sa timing: remaining key lifetime (k/sec): (4607999/28702)

IV size: 8 bytes

replay detection support: Y

outbound ah sas:

outbound pcp sas:
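
A small parser that reduces the output above to what the question asks for (number of sessions, leased address, source IP), as an added example that is not part of the original thread. The sample text is constructed in the layout posted above, using documentation-range addresses; `summarize` and the field names are hypothetical, and the parser assumes `current_peer` is printed as `ip:port` as it is here.

```python
import re

# Constructed sample in the layout shown above; addresses are documentation ranges.
SAMPLE = """\
interface: outside
    Crypto map tag: csgvpn, local addr. 192.0.2.1
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   current_peer: 198.51.100.7:4500
   dynamic allocated peer ip: 10.10.10.5
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 9, #pkts decrypt: 9, #pkts verify 9
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
   local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (/255.255.255.255/0/0)
   current_peer: 203.0.113.20:500
   dynamic allocated peer ip:
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
"""

# [ \t]* rather than \s* so an empty field never swallows the next line.
FIELDS = {
    "assigned_ip": re.compile(r"dynamic allocated peer ip:[ \t]*([\d.]*)"),
    "encaps": re.compile(r"#pkts encaps:[ \t]*(\d+)"),
    "decaps": re.compile(r"#pkts decaps:[ \t]*(\d+)"),
    "transform": re.compile(r"transform:[ \t]*([^,\n]*?)[ \t]*,"),
}

def summarize(text):
    """Return one dict per SA block; a block starts at each 'local ident' line."""
    sessions = []
    for block in re.split(r"(?m)^[ \t]*local ident ", text)[1:]:
        peer = re.search(r"current_peer:[ \t]*([\d.]+):(\d+)", block)
        if not peer:
            continue  # block without a peer line: nothing to report
        row = {"source_ip": peer.group(1), "source_port": int(peer.group(2))}
        for name, rx in FIELDS.items():
            m = rx.search(block)
            row[name] = m.group(1) if m and m.group(1) else None
        for counter in ("encaps", "decaps"):
            row[counter] = int(row[counter] or 0)
        row["nat_t"] = "UDP-Encaps" in block  # NAT traversal in use
        sessions.append(row)
    return sessions

if __name__ == "__main__":
    rows = summarize(SAMPLE)
    print(len(rows), "SA block(s),", len({r["source_ip"] for r in rows}), "distinct peer(s)")
    for r in rows:
        print(r)
```

Keeping the transform in each row also makes legacy suites, such as the esp-3des esp-md5-hmac pair in this output, easy to spot when reviewing who is connected.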
