Sunday 6 May 2012

Troubleshooting IPSec VPN


IPsec depends on successful policy negotiation. While the IPsec peers are negotiating IKE and IPsec parameters, any mismatch between their configured policies causes the negotiation to fail.

We can troubleshoot IKE and IPsec with the following show commands:

show crypto isakmp sa (PIX / ASA and IOS routers)
show crypto ipsec sa (PIX / ASA and IOS routers)

From the show commands we can determine whether the SAs are in the right state: whether ISAKMP (phase 1) completed successfully, and whether IPsec traffic is now being encrypted and decrypted between the two IPsec endpoints.
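As an added example that is not part of the original post: a small Python script that reads captured output of the two show commands above and reports, per peer, whether ISAKMP completed and whether IPsec traffic is flowing in both directions. The sample output and addresses are constructed; the state names and counter lines follow the IOS output format, and the verdict strings are my own wording.

```python
"""Triage captured IOS 'show crypto isakmp sa' / 'show crypto ipsec sa' output (samples below are constructed)."""
import re
ISAKMP_SAMPLE = """IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.2       192.0.2.1       QM_IDLE           1001 ACTIVE
198.51.100.2    192.0.2.1       MM_NO_STATE       1002 ACTIVE (deleted)
"""
IPSEC_SAMPLE = """   current_peer 192.0.2.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   current_peer 198.51.100.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
ISAKMP_LINE = re.compile(r"^\s*(?P<dst>[\d.]+)\s+[\d.]+\s+(?P<state>[A-Z_]+)\s+\d+\s+(?P<status>.*)$")
PEER_RE, ENC_RE, DEC_RE = (re.compile(p) for p in
    (r"current_peer\s+([\d.]+)", r"#pkts encaps:\s*(\d+)", r"#pkts decaps:\s*(\d+)"))
IPSEC_VERDICT = {  # keyed by (encaps seen, decaps seen)
    (True, True): "phase2 passing traffic both ways",
    (True, False): "one-way: encaps only, check return path and the remote crypto ACL",
    (False, True): "one-way: decaps only, check local route and crypto ACL",
    (False, False): "no traffic matched the crypto ACL",
}

def isakmp_verdicts(text):
    # QM_IDLE = phase 1 established; MM_*/AG_* = main/aggressive mode never completed
    verdicts = {}
    for m in filter(None, map(ISAKMP_LINE.match, text.splitlines())):
        state, status = m.group("state"), m.group("status")
        if state == "QM_IDLE" and "deleted" not in status:
            verdicts[m.group("dst")] = "phase1 up"
        elif state.startswith(("MM_", "AG_")):
            verdicts[m.group("dst")] = "phase1 incomplete: check ISAKMP policy match, PSK, reachability"
        else:
            verdicts[m.group("dst")] = "unexpected state " + state
    return verdicts

def ipsec_verdicts(text):
    # Pair each current_peer with the encaps/decaps counters that follow it
    verdicts, peer, enc, dec = {}, None, None, None
    for line in text.splitlines():
        if m := PEER_RE.search(line):
            peer, enc, dec = m.group(1), None, None
        elif m := ENC_RE.search(line):
            enc = int(m.group(1))
        elif m := DEC_RE.search(line):
            dec = int(m.group(1))
        if peer and enc is not None and dec is not None:
            verdicts[peer] = IPSEC_VERDICT[(enc > 0, dec > 0)]
    return verdicts
```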
Troubleshooting - Debug Commands:
We can troubleshoot IPsec with the following debug commands:

debug crypto ipsec
debug crypto isakmp

From the debug error messages we can determine which part of the negotiation is failing and correct the corresponding parameter on the mismatched peer.
