Which show command will display the phase 1 parameters that have been negotiated for a specific VPN tunnel on an IOS router (Model 3945, running IOS 15.1)? The closest command I found by experimenting with show commands that displays this information is "show crypto engine connection active", but it doesn't display which crypto session ID belongs to which remote crypto endpoint.
When you run "show crypto engine connections active", you will see a last entry with connection ID 1001, type IKE, algorithm SHA-3DES; it shows the parameters that are negotiated for the phase 1 tunnel with the peer 10.1.1.1. This Conn-id is also reflected when you run "show crypto isakmp sa", whereas conn-ids 1 and 2 represent the phase 2 parameters negotiated. You can see these IDs under "show crypto ipsec sa" when you look at the outbound/inbound ESP SAs to verify.
Crypto Engine Connections

   ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    1  Fa0/0      IPsec  3DES+SHA         0        9  10.1.1.1
    2  Fa0/0      IPsec  3DES+SHA         9        0  10.1.1.1
 1001  Fa0/0      IKE    SHA+3DES         0        0  10.1.1.1
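The correlation described in the answer can be scripted. The following is an added example, not part of the original reply: it parses "show crypto engine connections active" output and groups connection IDs by remote endpoint, treating IKE rows as phase 1 and IPsec rows as phase 2. It assumes the seven-column layout quoted above with single-token fields; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the output quoted in the answer, laid out in columns.
SAMPLE = """\
Crypto Engine Connections

   ID  Interface  Type   Algorithm  Encrypt  Decrypt  IP-Address
    1  Fa0/0      IPsec  3DES+SHA         0        9  10.1.1.1
    2  Fa0/0      IPsec  3DES+SHA         9        0  10.1.1.1
 1001  Fa0/0      IKE    SHA+3DES         0        0  10.1.1.1
"""

# One data row: ID, interface, type, algorithm, two counters, peer address.
# The header does not match because its first field is not numeric.
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<intf>\S+)\s+(?P<type>\S+)\s+(?P<alg>\S+)"
    r"\s+(?P<enc>\d+)\s+(?P<dec>\d+)\s+(?P<peer>\S+)\s*$"
)

def parse_connections(text):
    """Return one dict per data row; title, header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        for key in ("id", "enc", "dec"):
            row[key] = int(row[key])
        rows.append(row)
    return rows

def by_peer(rows):
    """Group (conn-id, algorithm) pairs per remote endpoint and phase."""
    peers = defaultdict(lambda: {"phase1": [], "phase2": []})
    for r in rows:
        kind = r["type"].upper()
        if kind == "IKE":          # phase 1 (ISAKMP) connection
            peers[r["peer"]]["phase1"].append((r["id"], r["alg"]))
        elif kind == "IPSEC":      # phase 2 (ESP) connection
            peers[r["peer"]]["phase2"].append((r["id"], r["alg"]))
    return dict(peers)

if __name__ == "__main__":
    for peer, sas in by_peer(parse_connections(SAMPLE)).items():
        print(peer, "phase 1:", sas["phase1"], "phase 2:", sas["phase2"])
```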