Monday, October 31, 2022

Troubleshooting IPSEC Site to Site VPN


Though IPSec is a very large topic to cover, the following few commands and their outputs are very useful in initial troubleshooting.

Troubleshooting Commands: IPSec site to site VPN

(A) show crypto isakmp sa

With this command we can check the current status of the IPSec peering. The state should be "QM_IDLE". Any other state suggests a problem (i.e. an issue in the crypto map, an expired digital certificate, etc.).

Router#show crypto isakmp sa

dst             src             state      conn-id   slot   status
172.16.x.x      172.16.x.x      QM_IDLE    11        0      ACTIVE
172.16.x.x      172.16.x.x      QM_IDLE    12        0      ACTIVE


(B) show crypto isakmp sa detail

This command shows the time (under the Lifetime column) for which the crypto session has been established or stable. This clock counts down. For example, in the output below the time is 23:00:29, which means the crypto session has been established for 59 minutes 31 seconds. In some places the lifetime is configured as 8 hrs and in others as 24 hrs.

Router#show crypto isakmp sa detail

Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption

C-id  Local        Remote       I-VRF   Status   Encr   Hash   Auth   DH   Lifetime   Cap.
11    172.16.x.x   172.16.x.x           ACTIVE   3des   md5    rsig   2    23:00:29   D

Connection-id:Engine-id = 11:1(software)



(C) show crypto map

This command shows some of the configured parameters, such as the peer addresses, the access-list that defines the interesting traffic which brings the IPSec tunnel up, and the interfaces that use this crypto map.

Note: All the interfaces, including the backup link (i.e. BRI in the case of ISDN), should be listed under "Interfaces using crypto map".

Router#show crypto map

Crypto Map: "TESTMAP" idb: Loopback1 local address: 172.16.x.x

Crypto Map "TESTMAP" 5 ipsec-isakmp
        Description: ipsec tunnel to HO
        Peer = 172.16.x.x
        Peer = 172.16.x.y
        Extended IP access list 118
            access-list 118 deny ip any host 10.10.10.x
            access-list 118 deny ip any host 10.10.10.x
            access-list 118 permit ip host 10.1.0.x host 10.6.0.x
            access-list 118 deny ip host 10.1.1.x host 10.6.0.x
            access-list 118 permit ip 10.1.0.0 0.0.1.255 10.0.0.0 0.0.255.255
        Current peer: 172.16.x.x
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                XYZMAP,
        }
        QOS pre-classification

        Interfaces using crypto map TESTMAP:
                Loopback0/1
                Serial0/0
                Serial0/1
                BRI1/0
                BRI1/0:1
                BRI1/0:2
                BRI1/0:1
                BRI1/0:2
                Virtual-Access1


(D) show crypto ca certificates

This command's output confirms whether the digital certificate has expired; it contains a start and end date-time.

An immediate remedy is to configure a preshared key, e.g. "crypto isakmp key abcd45ef address 172.16.x.x" (172.16.x.x being the remote peer).

Router# show crypto ca certificates

Certificate
  Status: Available
  Certificate Serial Number: 5DD5248C6C89369E95898431A40539E
  Certificate Usage: General Purpose
  Issuer:
    cn=XYZ VPN IPSec Certificate Authority
    ou=XYZ VPN
    o=XYZ Company Limited
  Subject:
    Name: Router.xyz.com
    Serial Number: 1C6E42BE
    serialNumber=1C6E42BE+hostname=Router.xyz.com
  CRL Distribution Points:
    ldap://directory.safescrypt.com/CN = XYZ VPN IPSec Certificate Authority, OU = XYZ VPN, O = XYZ Company Limited?certificaterevocationlist;binary?base?objectclass=*
  Validity Date:
    start date: 05:30:00 IST Jan 4 2010
    end   date: 05:29:59 IST Jan 5 2011
  Associated Trustpoints: XYZ.com

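An added example (not from the original article) that automates the checks from sections (A), (B) and (D): it scans `show crypto isakmp sa` output for any SA whose state is not QM_IDLE, converts the countdown Lifetime from `show crypto isakmp sa detail` into elapsed time given the configured lifetime, and tests whether the current time falls inside the certificate validity window from `show crypto ca certificates`. The sample output, the peer addresses and the MM_NO_STATE entry in it are constructed, and the helper names are mine.

```python
from datetime import datetime

# Constructed sample of "show crypto isakmp sa" output, modelled on the page's
# columns (dst src state conn-id slot status); the second SA is deliberately stuck.
ISAKMP_SA_OUTPUT = """\
Router#show crypto isakmp sa
dst             src             state          conn-id  slot  status
172.16.1.1      172.16.2.2      QM_IDLE             11     0  ACTIVE
172.16.1.1      172.16.3.3      MM_NO_STATE         12     0  ACTIVE
"""


def isakmp_problems(output):
    """Return (conn-id, state) for every SA whose state is not QM_IDLE.

    Lines whose fourth column is not a number (prompt, header) are skipped,
    so the raw CLI capture can be passed in unchanged.
    """
    problems = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[3].isdigit():
            continue
        state, conn_id = parts[2], int(parts[3])
        if state != "QM_IDLE":
            problems.append((conn_id, state))
    return problems


def elapsed_seconds(lifetime_remaining, configured_lifetime_hours):
    """The Lifetime column counts down from the configured IKE lifetime.

    Given the remaining "HH:MM:SS" and the configured lifetime (8 or 24 hrs on
    the page), return how many seconds the SA has been up.
    """
    h, m, s = (int(part) for part in lifetime_remaining.split(":"))
    remaining = h * 3600 + m * 60 + s
    return configured_lifetime_hours * 3600 - remaining


def parse_ios_date(text):
    """Parse an IOS validity date such as '05:30:00 IST Jan 4 2010'.

    The zone token is dropped (assumption: start and end dates come from the
    same router clock, so comparing them without a zone is consistent).
    """
    clock, _zone, month, day, year = text.split()
    return datetime.strptime(f"{clock} {month} {day} {year}", "%H:%M:%S %b %d %Y")


def cert_is_valid(start_text, end_text, now):
    """True when `now` lies inside the certificate's validity window."""
    return parse_ios_date(start_text) <= now <= parse_ios_date(end_text)
```

Feed the functions the captured output of each command; a non-empty result from `isakmp_problems` or a False from `cert_is_valid` points at the failing step before deeper debugging.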
