Troubleshoot IOS IKEv2 Debugs for Site-to-Site VPN with PSKs
Available Languages
Download Options
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Introduction
This document describes Internet Key Exchange version 2 (IKEv2) debugs on Cisco IOS® when an unshared key (PSK) is used.
Prerequisites
Requirements
Cisco recommends that you have knowledge of the packet exchange for IKEv2. For more information, refer to IKEv2 Packet Exchange and Protocol Level Debugging.
Components Used
The information in this document is based on these software and hardware versions:
- Internet Key Exchange Version 2 (IKEv2)
- Cisco IOS 15.1(1)T or later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Background Information
This document provides information on how to translate certain debug lines in a configuration.
Core Issue
The packet exchange in IKEv2 is radically different from packet exchange in IKEv1. In IKEv1 there was a clearly demarcated phase1 exchange that consisted of six (6) packets with a phase 2 exchange afterward that consisted of three (3) packets; the IKEv2 exchange is variable. For more information on the differences and an explanation of the packet exchange, again, refer to IKEv2 Packet Exchange and Protocol Level Debugging.
Router Configuration
This section lists the configurations used in this document.
Router 1
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.101 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.0.2
tunnel protection ipsec profile phse2-prof
!
interface Ethernet0/0
ip address 10.0.0.1 255.255.255.0
crypto ikev2 proposal PHASE1-prop
encryption 3des aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 policy site-pol
proposal PHASE1-prop
!
crypto ikev2 keyring KEYRNG
peer peer1
address 10.0.0.2 255.255.255.0
hostname host1
pre-shared-key local cisco
pre-shared-key remote cisco
!
crypto ikev2 profile IKEV2-SETUP
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRNG
lifetime 120
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
crypto ipsec profile phse2-prof
set transform-set TS
set ikev2-profile IKEV2-SETUP
!
ip route 0.0.0.0 0.0.0.0 10.0.0.2
ip route 192.168.2.1 255.255.255.255 Tunnel0
Router 2
crypto ikev2 proposal PHASE1-prop
encryption 3des aes-cbc-128
integrity sha1
group 2
!
crypto ikev2 keyring KEYRNG
peer peer2
address 10.0.0.1 255.255.255.0
hostname host2
pre-shared-key local cisco
pre-shared-key remote cisco
!
crypto ikev2 profile IKEV2-SETUP
match identity remote address 0.0.0.0
authentication remote pre-share
authentication local pre-share
keyring local KEYRNG
lifetime 120
!
crypto ipsec transform-set TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile phse2-prof
set transform-set TS
set ikev2-profile IKEV2-SETUP
!
interface Loopback0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0
ip address 10.0.0.2 255.255.255.0
!
interface Tunnel0
ip address 172.16.0.102 255.255.255.0
tunnel source Ethernet0/0
tunnel mode ipsec ipv4
tunnel destination 10.0.0.1
tunnel protection ipsec profile phse2-prof
!
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip route 192.168.1.1 255.255.255.255 Tunnel0
Troubleshoot
Router Debugs
These debug commands are used in this document:
deb crypto ikev2 packet
deb crypto ikev2 internal
| Router 1 (Initiator) Message Description | Debugs | Router 2 (Responder) Message Description | |
|---|---|---|---|
| Router 1 receives a packet that matches the crypto acl for peer ASA 10.0.0.2. Initiates SA creation |
*Nov 11 20:28:34.003: IKEv2:Got a packet from dispatcher |
||
|
First pair of messages is the IKE_SA_INIT exchange. These messages negotiate cryptographic algorithms, exchange nonces, and do a Diffie-Hellman exchange. Relevant Configuration: crypto ikev2 proposal PHASE1-prop encryption 3des aes-cbc-128 integrity sha1 group 2crypto ikev2 keyring KEYRNG peer peer1 address 10.0.0.2 255.255.255.0 hostname host1 pre-shared-key local cisco pre-shared-key remote cisco |
*Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: IDLE Event: EV_INIT_SA *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_IKE_POLICY *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event:EV_SET_POLICY *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):Setting configured policies *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_CHK_AUTH4PKI *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event:EV_GEN_DH_KEY *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_NO_EVENT *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_OK_RECD_DH_PUBKEY_RESP *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):Action: Action_Null *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_GET_CONFIG_MODE *Nov 11 19:30:34.811: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch *Nov 11 19:30:34.811: IKEv2:No config data to send to toolkit: *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=0000000000000000 (I) MsgID = 00000000 CurState: I_BLD_INIT Event: EV_BLD_MSG *Nov 11 19:30:34.811: IKEv2:Construct Vendor Specific Payload: DELETE-REASON *Nov 11 19:30:34.811: IKEv2:Construct Vendor Specific Payload: (CUSTOM) *Nov 11 19:30:34.811: IKEv2:Construct Notify Payload: NAT_DETECTION_SOURCE_IP *Nov 11 19:30:34.811: IKEv2:Construct Notify Payload: NAT_DETECTION_DESTINATION_IP |
||
| Initiator building IKE_INIT_SA packet. It contains: ISAKMP Header (SPI/version/flags), SAi1 (cryptographic algorithm that IKE initiator supports), KEi (DH public Key value of the initiator), and N (Initiator Nonce). | *Nov 11 19:30:34.811: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 344 Payload contents: SA Next payload: KE, reserved: 0x0, length: 56 last proposal: 0x0, reserved: 0x0, length: 52 Proposal: 1, Protocol id: IKE, SPI size: 0, #trans: 5 last transform: 0x3, reserved: 0x0: length: 8 type: 1, reserved: 0x0, id: 3DES last transform: 0x3, reserved: 0x0: length: 12 type: 1, reserved: 0x0, id: AES-CBC last transform: 0x3, reserved: 0x0: length: 8 type: 2, reserved: 0x0, id: SHA1 last transform: 0x3, reserved: 0x0: length: 8 type: 3, reserved: 0x0, id: SHA96 last transform: 0x0, reserved: 0x0: length: 8 type: 4, reserved: 0x0, id: DH_GROUP_1024_MODP/Group 2 KE Next payload: N, reserved: 0x0, length: 136 DH group: 2, Reserved: 0x0 N Next payload: VID, reserved: 0x0, length: 24 VID Next payload: VID, reserved: 0x0, length: 23 VID Next payload: NOTIFY, reserved: 0x0, length: 21 NOTIFY(NAT_DETECTION_SOURCE_IP) Next payload: NOTIFY, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_SOURCE_IP NOTIFY(NAT_DETECTION_DESTINATION_IP) Next payload: NONE, reserved: 0x0, length: 28 Security protocol id: IKE, spi size: 0, type: NAT_DETECTION_DESTINATION_IP |
||
|
*Nov 11 19:30:34.814: IKEv2:Got a packet from dispatcher |
Responder receives IKE_INIT_SA. | ||
|
*Nov 11 19:30:34.814: IKEv2:Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: INITIATOR Message id: 0, length: 344 |
Responder initiates SA creation for that peer. | ||
|
*Nov 11 19:30:34.814: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: IDLE Event:EV_RECV_INIT |
Responder verifies and processes the IKE_INIT message: (1) Chooses crypto suite from those offered by the initiator, (2) computes its own DH secret key, and (3) it computes a skeyid value, from which all keys can be derived for this IKE_SA. All but the headers of all the messages that come after are encrypted and authenticated. The keys used for the encryption and integrity protection are derived from SKEYID and are known as: SK_e (encryption), SK_a (authentication), SK_d is derived and used for derivation of further keying material for CHILD_SAs, and a separate SK_e and SK_a is computed for each direction. Relevant Configuration: crypto ikev2 proposal PHASE1-prop encryption 3des aes-cbc-128 integrity sha1 group 2 crypto ikev2 keyring KEYRNG peer peer2 address 10.0.0.1 255.255.255.0 hostname host2 pre-shared-key local cisco pre-shared-key remote cisco |
||
|
*Nov 11 19:30:34.822: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 449 |
Router 2 builds the responder message for IKE_SA_INIT exchange, which is received by ASA1. This packet contains: ISAKMP Header(SPI/ version/flags), SAr1(cryptographic algorithm that IKE responder chooses), KEr(DH public Key value of the responder), and Responder Nonce. | ||
|
*Nov 11 19:30:34.822: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: INIT_DONE Event: EV_DONE |
Router2 sends out the responder message to Router 1. | ||
| Router 1 receives the IKE_SA_INIT response packet from Router 2. |
*Nov 11 19:30:34.823: IKEv2:Got a packet from dispatcher |
I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000000 CurState: INIT_DONE Event:EV_START_TMR |
Responder starts timer for Auth process. |
| Router1 verifies and processes the response: (1) The initiator DH secret key is computed, and (2) the initiator skeyid is also generated. |
*Nov 11 19:30:34.823: IKEv2:(SA ID = 1):Next payload: SA, version: 2.0 Exchange type: IKE_SA_INIT, flags: RESPONDER MSG-RESPONSE Message id: 0, length: 449 *Nov 11 19:30:34.824: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_WAIT_INIT Event: EV_RECV_INIT |
||
|
Initiator starts IKE_AUTH exchange and generates the authentication payload. The IKE_AUTH packet contains: ISAKMP Header (SPI/ version/flags), IDi (initiator identity), AUTH payload, SAi2 (initiates the SA-similar to the phase 2 transform set exchange in IKEv1), and TSi and TSr (Initiator and Responder Traffic selectors). They contain the source and destination address of the initiator and responder respectively for forwarding/receiving encrypted traffic. The address range specifies that all traffic to and from that range is tunneled. If the proposal is acceptable to the responder, it sends identical TS payloads back. The first CHILD_SA is created for the proxy_ID pair that matches the trigger packet. Relevant Configuration: crypto ipsec transform-set TS esp-3des esp-sha-hmac crypto ipsec profile phse2-prof set transform-set TS set ikev2-profile IKEV2-SETUP |
*Nov 11 19:30:34.831: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000000 CurState: I_BLD_AUTH Event:EV_GEN_AUTH *Nov 11 19:30:34.831: SA Next payload: TSi, reserved: 0x0, length: 40 NOTIFY(INITIAL_CONTACT) Next payload: NOTIFY, reserved: 0x0, length: 8 |
||
|
*Nov 11 19:30:34.832: IKEv2:Got a packet from dispatcher |
Router 2 receives and verifies the authentication data received from Router 1. Relevant Configuration: crypto ipsec ikev2 ipsec-proposal AES256 protocol esp encryption aes-256 protocol esp integrity sha-1 md5 |
||
|
*Nov 11 19:30:34.832: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000001 CurState: R_WAIT_AUTH Event: EV_RECV_AUTH |
Router 2 builds the response to IKE_AUTH packet that it received from Router 1. This response packet contains: ISAKMP Header(SPI/ version/flags), IDr(responder identity), AUTH payload, SAr2(initiates the SA-similar to the phase 2 transform set exchange in IKEv1), and TSi and TSr(Initiator and Responder Traffic selectors). They contain the source and destination address of the initiator and responder respectively for forwarding/receiving encrypted traffic. The address range specifies that all traffic to and from that range are tunnelled. These parameters are identical to the one that was received from ASA1. | ||
|
*Nov 11 19:30:34.833: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 252 |
Responder sends the response for IKE_AUTH. | ||
| Initiator receives response from Responder. |
*Nov 11 19:30:34.834: IKEv2:Got a packet from dispatcher |
*Nov 11 19:30:34.840: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000001 CurState: AUTH_DONE Event: EV_OK_RECD_LOAD_IPSEC |
Responder inserts an entry into the SAD. |
| Router 1 verifies and processes the authentication data in this packet. Router 1 then inserts this SA into its SAD. |
*Nov 11 19:30:34.834: IKEv2:(SA ID = 1):Next payload: ENCR, version: 2.0 Exchange type: IKE_AUTH, flags: RESPONDER MSG-RESPONSE Message id: 1, length: 252 |
||
| Tunnel is up on the Initiator and the status showsREADY. |
*Nov 11 19:30:34.841: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (I) MsgID = 00000001 CurState: READYEvent: EV_CHK_IKE_ONLY |
*Nov 11 19:30:34.840: IKEv2:(SA ID = 1):SM Trace-> SA: I_SPI=F074D8BBD5A59F0B R_SPI=F94020DD8CB4B9C4 (R) MsgID = 00000001 CurState: READY Event: EV_R_OK |
Tunnel is up on the Responder. The Responder tunnel usually comes up before the Initiator. |
CHILD_SA Debugs
This exchange consists of a single request/response pair and was referred to as a phase 2 exchange in IKEv1. It can be initiated by either end of the IKE_SA after the initial exchanges are completed.
| Router 1 CHILD_SA Message Description | Debugs | Router 2 CHILD_SA Message Description |
|---|---|---|
Router 1 initiates the CHILD_SA exchange. This is the CREATE_CHILD_SA request. The CHILD_SA packet typically contains:
|
*Nov 11 19:31:35.873: IKEv2:Got a packet from dispatcher |
|
|
*Nov 11 19:31:35.869: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: INITIATOR Message id: 2, length: 460 *Nov 11 19:31:35.873: IKEv2:Construct Notify Payload: SET_WINDOW_SIZE |
This packet is received by Router 2. | |
|
*Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE Message id: 3, length: 300 |
Router 2 now builds the reply for the CHILD_SA exchange. This is the CREATE_CHILD_SA response. The CHILD_SA packet typically contains:
|
|
| Router 1 receives the response packet from Router 2 and completes activating the CHILD_SA. |
*Nov 11 19:31:35.882: IKEv2:(SA ID = 2):Next payload: ENCR, version: 2.0 Exchange type: CREATE_CHILD_SA, flags: RESPONDER MSG-RESPONSE Message id: 3, length: 300 |
Tunnel Verification
ISAKMP
Command
show crypto ikev2 sa detailed
Router 1 Output
Router1#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 10.0.0.1/500 10.0.0.2/500 none/none READY
Encr: AES-CBC, keysize: 128,
Hash: SHA96, DH Grp:2,
Auth sign: PSK, Auth verify: PSK
Life/Active Time: 120/10 sec
CE id: 1006, Session-id: 4
Status Description: Negotiation done
Local spi: E58F925107F8B73F Remote spi: AFD098F4147869DA
Local id: 10.0.0.1
Remote id: 10.0.0.2
Local req msg id: 2 Remote req msg id: 0
Local next msg id: 2 Remote next msg id: 0
Local req queued: 2 Remote req queued: 0
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : Yes
Router 2 Output
Router2#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
2 10.0.0.2/500 10.0.0.1/500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96,
DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 120/37 sec
CE id: 1006, Session-id: 4
Status Description: Negotiation done
Local spi: AFD098F4147869DA Remote spi: E58F925107F8B73F
Local id: 10.0.0.2
Remote id: 10.0.0.1
Local req msg id: 0 Remote req msg id: 2
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 2
Local window: 5 Remote window: 5
DPD configured for 0 seconds, retry 0
NAT-T is not detected
Cisco Trust Security SGT is disabled
Initiator of SA : No
IPsec
Command
show crypto ipsec sa
Note: In this output, unlike in IKEv1, the PFS DH group value appears as "PFS (Y/N): N, DH group: none" during the first tunnel negotiation, but, after a rekey occurs, the right values appear. This is not a bug, even though the behavior is described in Cisco bug ID CSCug67056. (Only registered Cisco users can access internal Cisco tools or information.)
The difference between IKEv1 and IKEv2 is that, in the latter, the Child SAs are created as part of AUTH exchange itself. The DH Group configured under the crypto map would be used only during rekey. Hence, you would see 'PFS (Y/N): N, DH group: none' until the first rekey.
With IKEv1, you see a different behavior, because Child SA creation happens during Quick Mode, and the CREATE_CHILD_SA message has a provision to carry the Key Exchange payload that specifies the DH parameters to derive a new shared secret.
Router 1 Output
Router1#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0,
local addr 10.0.0.1
protected vrf: (none)
local ident (addr/mask/prot/port):
(0.0.0.0/0.0.0.0/256/0)
remote ident (addr/mask/prot/port):
(0.0.0.0/0.0.0.0/256/0)
current_peer 10.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 10, #pkts encrypt:
10, #pkts digest: 10
#pkts decaps: 10, #pkts decrypt:
10, #pkts verify: 10
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.1,
remote crypto endpt.: 10.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xF6083ADD(4127734493)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x6B74CB79(1802816377)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: SW:18,
sibling_flags 80000040,
crypto map: Tunnel0-head-0
sa timing: remaining key lifetime (k/sec):
(4276853/3592)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xF6083ADD(4127734493)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: SW:17,
sibling_flags 80000040,
crypto map: Tunnel0-head-0
sa timing: remaining key
lifetime (k/sec): (4276853/3592)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
Router 2 Output
Router2#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 10.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
current_peer 10.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.0.2,
remote crypto endpt.: 10.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0x6B74CB79(1802816377)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xF6083ADD(4127734493)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 17, flow_id: SW:17,
sibling_flags 80000040,
crypto map: Tunnel0-head-0
sa timing: remaining key lifetime
(k/sec): (4347479/3584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x6B74CB79(1802816377)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 18, flow_id: SW:18,
sibling_flags 80000040,
crypto map: Tunnel0-head-0
sa timing: remaining key
lifetime (k/sec): (4347479/3584)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
You can also check the output of the show crypto session command on both routers; this output shows the tunnel session status as UP-ACTIVE.
Router1#show crypto session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.0.2 port 500
IKEv2 SA: local 10.0.0.1/500 remote 10.0.0.2/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Router2#show cry session
Crypto session current status
Interface: Tunnel0
Session status: UP-ACTIVE
Peer: 10.0.0.1 port 500
IKEv2 SA: local 10.0.0.2/500 remote 10.0.0.1/500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Related Information
Revision History
| Revision | Publish Date | Comments |
|---|---|---|
2.0 |
12-Apr-2023 |
Update formatting. Recertification. |
1.0 |
28-Jan-2013 |
Initial Release |
Contributed by Cisco Engineers
- Anu M ChackoCisco Technical Marketing Leader
FeedbackContact Cisco
- Open a Support Case
- (Requires a Cisco Service Contract)