Cisco Support Community
Community Member

Listing ipsec SAs cipher keys from IOS?

In IOS, is it possible to list the ESP SA's encryption keys that were negotiated by ISAKMP for an IPsec tunnel? I've searched the CLI options but it doesn't seem to be possible...

I'm trying to diagnose what is happening inside an IPsec tunnel with a sniffer such as Wireshark.

Thanks,

JC

2 REPLIES
Silver

Re: Listing ipsec SAs cipher keys from IOS?

You can use the command show crypto map <> to find the encryption key negotiated during the conversation.

Community Member

Re: Listing ipsec SAs cipher keys from IOS?

"show crypto map xxxxx" doesn't show the encryption key, at least not on this IOS (12.2(33)SRA6):

output:

Crypto Map "XXXXX" 65590 ipsec-isakmp
Peer = x.x.x.x
Extended IP access list
access-list permit ip x.x.x.x 0.0.0.255 host x.x.x.x
dynamic (created from dynamic map xxxxx/1)
Current peer: x.x.x.x
Security association lifetime: 4608000 kilobytes/3600 seconds
Security association idletime: 300 seconds
PFS (Y/N): Y
DH group: group2
Transform sets={
3DES-SHA,
}
