This is a snippet from the Cisco SIMOS course, where we discuss the logical constructs behind a site-to-site IPSec VPN. I hope that this content helps you understand what's happening behind the scenes of your VPNs.
Ryan Lindfield
show crypto isakmp sa

The following four states are found in IKE main mode:

MM_NO_STATE* – The ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer).
MM_SA_SETUP* – Both peers agree on the ISAKMP SA parameters and will move along the process.
MM_KEY_EXCH* – Both peers exchange their DH keys and are generating their secret keys. (If the SA does not proceed to the next step, this state can also mean there is a mismatched authentication type or PSK.)
MM_KEY_AUTH* – The ISAKMP SAs have been authenticated in main mode and will proceed to QM_IDLE immediately.

The following three states are found in IKE aggressive mode:

AG_NO_STATE** – The ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer).
AG_INIT_EXCH** – The peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet.
AG_AUTH** – The ISAKMP SAs have been authenticated in aggressive mode and will proceed to QM_IDLE immediately.

The following state is found in IKE Quick Mode, phase 2:

QM_IDLE*** – The ISAKMP SA is idle and authenticated.

Here are a few more commands we can issue to get a quick glimpse of the status of any IPSec VPN.

sh crypto ipsec sa – This output can be daunting at first because of the amount of information displayed, but there are a few key things to watch for, such as the #pkts encaps/encrypt/decap/decrypt counters. These numbers tell us how many packets have actually traversed the IPSec tunnel and also verify that we are receiving traffic back from the remote end of the VPN tunnel. This output also shows the local and remote SPI, the transform set, the DH group, and the tunnel mode for the IPSec SA.

sh crypto session
Up-Active – The IPSec SA is up/active and transferring data.
Up-IDLE – The IPSec SA is up, but no data is going over the tunnel.
Up-No-IKE – This occurs when one end of the VPN tunnel terminates the IPSec VPN and the remote end attempts to keep using the original SPI; this can be avoided by issuing crypto isakmp invalid-spi-recovery.
Down-Negotiating – The tunnel is down but is still negotiating parameters to complete the tunnel.
Down – The VPN tunnel is down.

So using the commands mentioned above you can easily verify whether an IPSec tunnel is active, down, or still negotiating. Next up we will look at debugging and troubleshooting IPSec VPNs.

* – Found in IKE phase I main mode
** – Found in IKE phase I aggressive mode
*** – Found in IKE phase II quick mode

Setting up a probe is useless if the corrective action is not applied; it would stay in UP-NO-IKE. Another point is that it is multipoint, but in the end they are fixed IPs at both ends, remote and central.
Bruno Olvera Jasso
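As an added example (not part of the course snippet, the article, or the comment above), the following Python script turns the two checks the article describes into code: it reads "show crypto isakmp sa" output, labels each SA with the IKE phase and meaning from the state table above, and flags anything that is not QM_IDLE; it then reads the #pkts encaps/decaps counters from "show crypto ipsec sa" to decide whether traffic is flowing in both directions or only outbound. The state meanings are taken from the article; the sample command output is constructed to match the IOS column layout and is not a capture from a real device.

```python
"""Classify Cisco IOS 'show crypto isakmp sa' and 'show crypto ipsec sa' output.

Added example. The state table comes from the article above; the sample
output below is constructed to match the IOS column layout (assumption), not
captured from a real device.
"""
import re

# (IKE phase, meaning) for every ISAKMP state listed in the article.
IKE_STATES = {
    "MM_NO_STATE": ("phase 1 main mode", "SA started but not forming; usually a connectivity issue with the peer"),
    "MM_SA_SETUP": ("phase 1 main mode", "ISAKMP SA parameters agreed, continuing"),
    "MM_KEY_EXCH": ("phase 1 main mode", "DH keys exchanged; if stuck here, suspect mismatched authentication type or PSK"),
    "MM_KEY_AUTH": ("phase 1 main mode", "authenticated, moving to QM_IDLE"),
    "AG_NO_STATE": ("phase 1 aggressive mode", "SA started but not forming; usually a connectivity issue with the peer"),
    "AG_INIT_EXCH": ("phase 1 aggressive mode", "first packets exchanged, not yet authenticated"),
    "AG_AUTH": ("phase 1 aggressive mode", "authenticated, moving to QM_IDLE"),
    "QM_IDLE": ("phase 2 quick mode", "ISAKMP SA idle and authenticated"),
}

# Constructed sample: dst, src, state, conn-id, status columns.
SAMPLE_ISAKMP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1001 ACTIVE
10.0.0.3        10.0.0.1        MM_KEY_EXCH       1002 ACTIVE
10.0.0.4        10.0.0.1        MM_NO_STATE       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# Constructed sample: packets go out, nothing comes back from the peer.
SAMPLE_IPSEC = """\
interface: FastEthernet0/0
    Crypto map tag: VPN, local addr 10.0.0.1

   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

ISAKMP_ROW = re.compile(
    r"^(?P<dst>\d+(?:\.\d+){3})\s+(?P<src>\d+(?:\.\d+){3})\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<conn_id>\d+)\s+(?P<status>.+?)\s*$"
)
PKTS = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_isakmp_sa(output):
    """Return one dict per SA row, annotated with IKE phase, meaning and health."""
    rows = []
    for line in output.splitlines():
        m = ISAKMP_ROW.match(line.strip())
        if not m:
            continue  # banner and column-header lines carry no SA
        row = m.groupdict()
        row["conn_id"] = int(row["conn_id"])
        phase, meaning = IKE_STATES.get(row["state"], ("unknown", "state not in the reference table"))
        row["phase"] = phase
        row["meaning"] = meaning
        # Only QM_IDLE means phase 1 finished and the SA is usable for phase 2.
        row["healthy"] = row["state"] == "QM_IDLE" and row["status"] == "ACTIVE"
        rows.append(row)
    return rows


def check_ipsec_counters(output):
    """Sum encaps/decaps over all SAs in the output and judge traffic direction."""
    counts = {"encaps": 0, "decaps": 0}
    for name, value in PKTS.findall(output):
        counts[name] += int(value)
    enc, dec = counts["encaps"], counts["decaps"]
    if enc and dec:
        verdict = "bidirectional"
    elif enc and not dec:
        verdict = "one-way: encrypting outbound but nothing returns from the peer"
    elif dec and not enc:
        verdict = "one-way: receiving only, nothing sent"
    else:
        verdict = "no traffic on this SA"
    counts["verdict"] = verdict
    return counts


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_ISAKMP):
        flag = "ok " if sa["healthy"] else "!! "
        print(f"{flag}{sa['src']} -> {sa['dst']} {sa['state']:<12} ({sa['phase']}): {sa['meaning']}")
    print(check_ipsec_counters(SAMPLE_IPSEC))
```

Run it against the pasted output of the two show commands (replace the constructed samples with real text); an SA that sits in MM_KEY_EXCH across several runs is the mismatched-PSK case the article calls out, and an encaps-only counter is the "not receiving traffic back" case.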