Thursday, May 16, 2019

Interrogating and troubleshooting IPSec VPNs

I have a love/hate relationship with IPSec VPNs. Setting up new ones isn't usually a problem -- just match the configurations and I'm done! But when configurations match but a new tunnel fails to come up, or I have to troubleshoot an existing tunnel, or I just need to interrogate an existing tunnel to figure out which phase 1 or phase 2 configuration it's using, then suddenly VPNs become my least favorite technology. I find myself asking: "Is the VPN tunnel using ISAKMP policy 100, 101, or 102?" "Is it using the transform set with AES 128 and SHA, or the one with AES 256 and SHA256?" These questions are harder to answer when the VPN device has many policies and transform sets, custom lifetimes, and so on. It's even more daunting on Cisco ASAs and ISRs, where the configuration is sprawled all over the running-config and nested together.

I'm trying to figure out...

  • What encryption algorithm an existing tunnel is using
  • What ISAKMP policy it is using
  • What hashing/integrity algorithm an existing tunnel is using
  • What DH group an existing tunnel is using
  • What lifetime an existing tunnel has configured, and whether the lifetime is based on time or bytes transmitted
  • Whether the VPN is using PFS
  • Whether the VPN is using IKEv1 or IKEv2
  • Whether one VPN peer is rekeying out of sync with the other

I already know how to...

  • Isolate the IP address of the VPN peer that I'm troubleshooting
  • Get the crypto map associated with that peer, which then helps me get the ACL associated with the peer
  • Partially read the output of "show crypto isakmp," "show crypto ipsec sa," "show vpn-sessiondb," "debug crypto ..."

I know how to get this information from the running-config, but not the operational state of the tunnel (e.g. using "show" commands). I figured the answer to my question is hidden within the output of those "show crypto ..." commands...maybe I haven't hit "?" enough or I haven't read enough!
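As an added example (not part of this post), here is a small Python parser that pulls the transform, remaining lifetime, PFS and DH group out of "show crypto ipsec sa"-style output, and then compares the same SPI as seen from both ends of the tunnel to spot peers counting down different lifetimes (the out-of-sync rekey case). The two outputs below are constructed samples modelled on Cisco IOS formatting, not real captures; the peer addresses, SPIs and lifetimes are assumptions.

```python
import re
# Constructed samples in the style of Cisco IOS "show crypto ipsec sa" (an assumption; not real device output).
LOCAL = """\
   current_peer 198.51.100.1 port 500
     PFS (Y/N): Y, DH group: group14
     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-256-aes esp-sha256-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/3200)
     outbound esp sas:
      spi: 0x4D3C2B1A(1295861530)
        transform: esp-256-aes esp-sha256-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607990/3190)
"""
PEER = """\
   current_peer 203.0.113.1 port 500
      spi: 0x4D3C2B1A(1295861530)
        sa timing: remaining key lifetime (k/sec): (4607990/790)
      spi: 0x1A2B3C4D(439041101)
        sa timing: remaining key lifetime (k/sec): (4607999/800)
"""
SPI_RE = re.compile(r"spi: (0x[0-9A-Fa-f]+)")
XFORM_RE = re.compile(r"transform: (\S+) (\S+)")
LIFE_RE = re.compile(r"remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)")
PFS_RE = re.compile(r"PFS \(Y/N\): (\w), DH group: (\S+)")

def parse_ipsec_sa(text):
    """Return {'pfs': bool, 'dh_group': str, 'sas': {spi: {encr, integ, kb_left, sec_left}}}."""
    out = {"pfs": None, "dh_group": None, "sas": {}}
    spi = None  # SPI of the SA whose detail lines we are currently inside
    for raw in text.splitlines():
        s = raw.strip()
        if m := PFS_RE.match(s):
            out["pfs"], out["dh_group"] = m.group(1) == "Y", m.group(2)
        elif m := SPI_RE.match(s):
            spi = m.group(1).lower(); out["sas"][spi] = {}
        elif (m := XFORM_RE.match(s)) and spi:  # encryption + integrity transform
            out["sas"][spi].update(encr=m.group(1), integ=m.group(2))
        elif (m := LIFE_RE.search(s)) and spi:  # remaining kilobytes and seconds
            out["sas"][spi].update(kb_left=int(m.group(1)), sec_left=int(m.group(2)))
    return out

def rekey_skew(local, peer, tolerance_sec=300):
    """An SPI is shared by both ends; a large gap in remaining seconds for the same SPI means the peers run different lifetimes and will rekey out of step."""
    skewed = {}
    for spi, sa in local["sas"].items():
        other = peer["sas"].get(spi)
        if other and abs(sa["sec_left"] - other["sec_left"]) > tolerance_sec:
            skewed[spi] = (sa["sec_left"], other["sec_left"])
    return skewed
```

Run `rekey_skew(parse_ipsec_sa(LOCAL), parse_ipsec_sa(PEER))` with the output from each side pasted in; anything it returns is an SPI whose two ends disagree about how long it has left to live.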

Thanks!
