Cisco Support Community
New Member

How to find out which isakmp policy is in use?

If you have a fully established (phase 1 and 2) VPN, is there a show command that lets you see which isakmp policy is being selected for that tunnel?

  • VPN
1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: How to find out which isakmp policy is in use?

Maybe you would like to try using "debug crypto isakmp" to see the phase 1 negotiation, if you have the chance to disconnect and re-establish the tunnel.

Hope this helps.

http://www.cisco.com/en/US/docs/ios/12_3t/debug/command/reference/dbg_c3gt.html#wp1114438

7 REPLIES

Re: How to find out which isakmp policy is in use?

try "show crypto isa sa detail".

New Member

Re: How to find out which isakmp policy is in use?

I've already tried this one and it shows you the values for encryption, hash, etc., but does not provide you with the number of the isakmp policy in use.

Re: How to find out which isakmp policy is in use?

Based on "encryption, hash ...", you can tell which isakmp policy is matched. It just does not tell you exactly the number.

New Member

Re: How to find out which isakmp policy is in use?

Thank you.  I am aware of this.  If the command I am looking for does not exist it is not the end of the world, but I am trying to reproduce an issue where a router may not be using the proper isakmp policy and simply matching the values does not help.

Bronze

Re: How to find out which isakmp policy is in use?

Generally, in a VPN negotiation all the ISAKMP policies and IPSec transform sets configured on the device are used.

So, there is no way a particular ISAKMP policy would be skipped unless it is some kind of bug.

Please start a discussion on the community about the issue you are trying to recreate. Maybe we can wrap our heads around it and see what's going on.


Cheers,

Nash.

New Member

Re: How to find out which isakmp policy is in use?

I actually realized the "debug crypto isakmp" process showed the router going through each individual policy until finding a matching one right after making my last post.  The problem I was looking into was seemingly bogus to me, I just needed a way to show it.  Thanks for the effort.
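
The policy-by-policy walk described in the last post, as an added example that is not part of the thread: a Python script that reads captured `debug crypto isakmp` text and reports which policy priority was accepted. The sample lines are constructed and modeled on typical IOS output; message wording and the connection-id prefix vary by release, so the patterns and the function name are assumptions.

```python
import re

# Constructed sample modeled on IOS "debug crypto isakmp" output (assumption:
# wording differs between IOS releases, adjust the patterns to your capture).
SAMPLE_DEBUG = """\
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):Encryption algorithm offered does not match policy!
ISAKMP:(0):atts are not acceptable. Next payload is 0
ISAKMP:(0):Checking ISAKMP transform 1 against priority 20 policy
ISAKMP:      encryption 3DES-CBC
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP:      auth pre-share
ISAKMP:(0):atts are acceptable. Next payload is 0
"""

CHECK = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR = re.compile(r"^ISAKMP:\s+(encryption|hash|default group|auth)\s+(.+?)\s*$")

def trace_policy_selection(debug_text):
    """Return (attempts, selected_priority) for one phase 1 negotiation."""
    attempts, current = [], None
    for line in debug_text.splitlines():
        m = CHECK.search(line)
        if m:  # the router starts comparing the offer against a new policy
            current = {"transform": int(m.group(1)), "priority": int(m.group(2)),
                       "attrs": {}, "result": "unknown", "reason": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        a = ATTR.match(line)
        if a:  # attribute offered by the peer in this transform
            current["attrs"][a.group(1)] = a.group(2)
        elif "does not match policy" in line:
            current["reason"] = line.split("):", 1)[-1].strip()
        elif "atts are not acceptable" in line:
            current["result"], current = "rejected", None
        elif "atts are acceptable" in line:
            current["result"], current = "accepted", None
    selected = next((t["priority"] for t in attempts if t["result"] == "accepted"), None)
    return attempts, selected

if __name__ == "__main__":
    tried, chosen = trace_policy_selection(SAMPLE_DEBUG)
    for t in tried:
        print(t["priority"], t["result"], t["reason"] or "")
    print("selected policy priority:", chosen)
```
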
