Though IPSec is a very large topic to cover, the following few commands and their outputs are very useful in initial troubleshooting.
Troubleshooting Commands: IPSec site-to-site VPN
(A) “show crypto isakmp sa”
With this command we can check the current status of the IPSec peering. The state should be “QM_IDLE”. Any other state suggests a problem (e.g. an issue in the crypto map, an expired digital certificate, etc.).
Router#show crypto isakmp sa
172.16.x.x 172.16.x.x QM_IDLE 11 0 ACTIVE
172.16.x.x 172.16.x.x QM_IDLE 12 0 ACTIVE
(B) “show crypto isakmp sa detail”
This command shows, under the Lifetime column, how long the crypto session has been established (i.e. stable). Note that this counter counts down. For example, in the output below the time is 23:00:29, which means the crypto session has been established for 59 minutes 31 seconds of a 24-hour lifetime. In some deployments the lifetime is configured as 8 hours, in others as 24 hours.
Router#show crypto isakmp sa detail
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
11 172.16.x.x 172.16.x.x ACTIVE 3des md5 rsig 2 23:00:29 D
Connection-id:Engine-id = 11:1(software)
(C) “show crypto map”
This command shows some of the configured parameters: the peer addresses, the access list that defines the interesting traffic which brings the IPSec tunnel up, and the interfaces that use this crypto map.
Note: all interfaces, including the backup link (e.g. BRI in the case of ISDN), should be listed under “Interfaces using crypto map”.
Router#show crypto map
Crypto Map “TESTMAP” 5 ipsec-isakmp
Description: ipsec tunnel to HO
Peer = 172.16.x.x
Peer = 172.16.x.y
Extended IP access list 118
access-list 118 deny ip any host 10.10.10.x
access-list 118 deny ip any host 10.10.10.x
access-list 118 permit ip host 10.1.0.x host 10.6.0.x
access-list 118 deny ip host 10.1.1.x host 10.6.0.x
access-list 118 permit ip 10.1.0.0 0.0.1.255 10.0.0.0 0.0.255.255
Current peer: 172.16.x.x
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS (Y/N): N
Transform sets={
XYZMAP,
}
QOS pre-classification
Interfaces using crypto map TESTMAP:
Loopback0/1
Serial0/0
Serial0/1
BRI1/0
BRI1/0:1
BRI1/0:2
BRI1/0:1
BRI1/0:2
Virtual-Access1
(D) “show crypto ca certificates”
This command’s output confirms whether the digital certificate has expired. It contains a start and an end date-time.
An immediate remedy is to configure a preshared key instead, e.g. “crypto isakmp key abcd45ef address 172.16.x.x” (the remote peer).
Router# show crypto ca certificates
Status: Available
Certificate Serial Number: 5DD5248C6C89369E95898431A40539E
Certificate Usage: General Purpose
Issuer:
cn=XYZ VPN IPSec Certificate Authority
ou=XYZ VPN
o=XYZ Company Limited
Subject:
Name: Router.xyz.com
Serial Number: 1C6E42BE
serialNumber=1C6E42BE+hostname=Router.xyz.com
CRL Distribution Points:
ldap://directory.safescrypt.com/CN = XYZ VPN IPSec Certificate Authority, OU = XYZ VPN, O = XYZ Company Limited?certificaterevocationlist;binary?base?objectclass=*
Validity Date:
start date: 05:30:00 IST Jan 4 2010
end date: 05:29:59 IST Jan 5 2011
Associated Trustpoints: XYZ.com
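The three checks described above (ISAKMP state must be QM_IDLE, the Lifetime column counts down from the configured lifetime, and the certificate must be inside its validity window) can be automated over saved command output. The following Python script is an added example, not code from the original article; the sample outputs are constructed and redacted in the same style as the article, and the 24-hour default lifetime is an assumption that should be set to whatever the router actually has configured.

```python
import re
from datetime import datetime, timedelta

# Constructed sample outputs, redacted like the article (not captured from a real device).
SHOW_ISAKMP_SA = """\
dst             src             state          conn-id slot status
172.16.1.1      172.16.2.2      QM_IDLE           11    0 ACTIVE
172.16.1.1      172.16.3.3      MM_NO_STATE       12    0 ACTIVE
"""
SHOW_CA_CERT = """\
Validity Date:
  start date: 05:30:00 IST Jan 4 2010
  end date: 05:29:59 IST Jan 5 2011
"""

def check_isakmp_states(output):
    """Return (peer, state) for every ISAKMP SA whose state is not QM_IDLE."""
    bad = []
    for line in output.splitlines():
        m = re.match(r"\s*(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)", line)
        if m and m.group(3) != "QM_IDLE":
            bad.append((m.group(2), m.group(3)))
    return bad

def parse_device_time(text):
    """Parse 'HH:MM:SS TZ Mon D YYYY' as printed by IOS; the zone label is dropped (naive time)."""
    clock, _zone, rest = text.split(" ", 2)
    return datetime.strptime(f"{clock} {rest}", "%H:%M:%S %b %d %Y")

def elapsed_since_established(lifetime_remaining, configured_lifetime="24:00:00"):
    """The Lifetime column counts down, so elapsed = configured lifetime - remaining (assumed 24h)."""
    def to_td(s):
        h, m, sec = (int(x) for x in s.split(":"))
        return timedelta(hours=h, minutes=m, seconds=sec)
    return to_td(configured_lifetime) - to_td(lifetime_remaining)

def cert_validity(output, now):
    """Classify the certificate as 'not yet valid', 'valid' or 'expired' at time `now`."""
    window = {}
    for key in ("start", "end"):
        m = re.search(rf"{key} date:\s+(.+)", output)
        window[key] = parse_device_time(m.group(1).strip())
    if now < window["start"]:
        return "not yet valid"
    if now > window["end"]:
        return "expired"
    return "valid"
```

Feed the script the saved output of the commands above; a non-empty list from check_isakmp_states or an "expired" verdict from cert_validity points straight at the cause discussed in sections (A) and (D).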