
Listing ipsec SAs cipher keys from IOS?

In IOS, is it possible to list the esp SA's encryption keys that were negotiated by isakmp for an ipsec tunnel? I've searched the CLI options but it doesn't seem to be possible...

I'm trying to diagnose what is happening inside an ipsec tunnel with a sniffer such as wireshark.

Thanks,

JC

2 Replies

ivillegas
Level 6

You can use the command show crypto map <> to find the encryption key negotiated during the conversation.

"show crypto map xxxxx" doesn't show the encryption key, at least not on this IOS (12.2(33)SRA6):

output:

    Crypto Map "XXXXX" 65590 ipsec-isakmp
    Peer = x.x.x.x
    Extended IP access list
    access-list permit ip x.x.x.x 0.0.0.255 host x.x.x.x
    dynamic (created from dynamic map xxxxx/1)
    Current peer: x.x.x.x
    Security association lifetime: 4608000 kilobytes/3600 seconds
    Security association idletime: 300 seconds
    PFS (Y/N): Y
    DH group: group2
    Transform sets={
    3DES-SHA,
    }
