Introduction
This document explains the common debug commands that are used to troubleshoot IPsec issues on both Cisco IOS® Software and the PIX. It is assumed that an attempt to configure IPsec has already been made. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
Cisco IOS Software
IPsec feature set.
56i - Indicates single Data Encryption Standard (DES) feature (on Cisco IOS Software Release 11.2 and later).
k2 - Indicates triple DES feature (on Cisco IOS Software Release 12.0 and later). Triple DES is available on the Cisco 2600 series and later.
PIX - V5.0 and later. It needs a single or triple DES license key in order to activate.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to Cisco Technical Tips Conventions for more information on document conventions.
Cisco IOS Software Debugs
These sections explain the Cisco IOS Software debugs. Refer to Common IPsec Error Messages and Common IPsec Issues for more details.
show crypto isakmp sa
This command shows the Internet Security Association Management Protocol (ISAKMP) security associations (SAs) built between peers.
dst src state conn-id slot
12.1.1.2 12.1.1.1 QM_IDLE 1 0
show crypto ipsec sa
This command shows IPsec SAs built between peers. The encrypted tunnel is built between 12.1.1.1 and 12.1.1.2 for traffic that goes between networks 20.1.1.0 and 10.1.1.0. You can see the two Encapsulating Security Payload (ESP) SAs built inbound and outbound. Authentication Header (AH) is not used since there are no AH SAs.
This output shows an example of the show crypto ipsec sa command.
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0,
#pkts decompress failed: 0, #send errors 1, #recv errors 0
local crypto endpt.: 12.1.1.1, remote crypto endpt.: 12.1.1.2
path mtu 1500, media mtu 1500
current outbound spi: 3D3
inbound esp sas:
spi: 0x136A010F(325714191)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3442, flow_id: 1443, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3D3(979)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 3443, flow_id: 1444, crypto map: test
sa timing: remaining key lifetime (k/sec): (4608000/52)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
show crypto engine connection active
This command shows each Phase 2 SA built and the amount of traffic sent. Since Phase 2 SAs are unidirectional, each SA shows traffic in only one direction (encryptions are outbound, decryptions are inbound).
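The show crypto ipsec sa output above, and the one-direction counters that show crypto engine connection active reports, can be checked mechanically. The Python script below is an added example, not Cisco code and not part of the original document: it parses a constructed excerpt modelled on the output shown above (SAMPLE) and reports the symptoms a troubleshooter looks for: packets encrypted but none decrypted (or the reverse), send and receive errors, an ESP SA missing in one direction, and key lifetimes about to expire. The 60-second rekey warning threshold and all class and function names are the example's own choices.

```python
"""Parse Cisco IOS 'show crypto ipsec sa' output and flag what a
troubleshooter looks for: counters that move in one direction only,
send/receive errors, missing SAs, and key lifetimes about to expire.
Added example, not Cisco code; SAMPLE is a constructed excerpt modelled
on the output shown in the article."""
import re
from dataclasses import dataclass, field

# Constructed sample, shaped like the article's output (not a real capture).
SAMPLE = """\
interface: FastEthernet0
   Crypto map tag: test, local addr. 12.1.1.1
   local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer: 12.1.1.2
   #pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
   #pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
   #pkts decompress failed: 0, #send errors 1, #recv errors 0
   inbound esp sas:
    spi: 0x136A010F(325714191)
      transform: esp-3des esp-md5-hmac ,
      sa timing: remaining key lifetime (k/sec): (4608000/52)
   inbound ah sas:
   inbound pcp sas:
   outbound esp sas:
    spi: 0x3D3(979)
      transform: esp-3des esp-md5-hmac ,
      sa timing: remaining key lifetime (k/sec): (4608000/52)
   outbound ah sas:
   outbound pcp sas:
"""

@dataclass
class Sa:
    direction: str        # "inbound" or "outbound"
    proto: str            # "esp", "ah" or "pcp"
    spi: int
    transform: str = ""
    kb_left: int = 0      # remaining key lifetime in kilobytes
    sec_left: int = 0     # remaining key lifetime in seconds

@dataclass
class MapEntry:
    tag: str = ""
    local_addr: str = ""
    peer: str = ""
    encaps: int = 0
    decaps: int = 0
    send_errors: int = 0
    recv_errors: int = 0
    sas: list = field(default_factory=list)

def parse_ipsec_sa(text):
    """Return one MapEntry per 'Crypto map tag' block in the output."""
    entries, cur, section, sa = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Crypto map tag: (\S+), local addr\.? (\S+)", line):
            cur = MapEntry(tag=m.group(1), local_addr=m.group(2))
            entries.append(cur)
            section = sa = None
        elif cur is None:
            continue
        elif line.startswith("current_peer:"):
            cur.peer = line.split(":", 1)[1].strip()
        elif m := re.search(r"#pkts encaps: (\d+)", line):
            cur.encaps = int(m.group(1))
        elif m := re.search(r"#pkts decaps: (\d+)", line):
            cur.decaps = int(m.group(1))
        elif m := re.search(r"#send errors (\d+), #recv errors (\d+)", line):
            cur.send_errors, cur.recv_errors = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line):
            section = (m.group(1), m.group(2))   # which SA list we are in
        elif section and (m := re.match(r"spi: 0x([0-9A-Fa-f]+)", line)):
            sa = Sa(section[0], section[1], int(m.group(1), 16))
            cur.sas.append(sa)
        elif sa and line.startswith("transform:"):
            sa.transform = line.split(":", 1)[1].strip(" ,")
        elif sa and "remaining key lifetime" in line:
            if m := re.search(r"\((\d+)/(\d+)\)", line):
                sa.kb_left, sa.sec_left = int(m.group(1)), int(m.group(2))
    return entries

def assess(entry, rekey_warn_sec=60):
    """Return human-readable findings for one crypto map entry."""
    findings = []
    if entry.encaps and not entry.decaps:
        findings.append("packets encrypted but none decrypted: traffic is not coming back")
    if entry.decaps and not entry.encaps:
        findings.append("packets decrypted but none encrypted: local side is not sending")
    if entry.send_errors:
        findings.append(f"{entry.send_errors} send error(s)")
    if entry.recv_errors:
        findings.append(f"{entry.recv_errors} recv error(s)")
    esp_dirs = {s.direction for s in entry.sas if s.proto == "esp"}
    if esp_dirs != {"inbound", "outbound"}:
        findings.append(f"ESP SA missing: have {sorted(esp_dirs) or 'none'}")
    for s in entry.sas:
        if s.sec_left < rekey_warn_sec:
            findings.append(f"{s.direction} {s.proto} spi 0x{s.spi:X}: "
                            f"{s.sec_left}s of key lifetime left, rekey due")
    return findings

if __name__ == "__main__":
    for e in parse_ipsec_sa(SAMPLE):
        print(f"{e.tag}: {e.local_addr} <-> {e.peer}, encaps={e.encaps}, decaps={e.decaps}")
        for f in assess(e):
            print("  -", f)
```

Run it twice a few seconds apart on captured output and compare the encaps and decaps counters: if only one of them moves, the problem is on the side whose counter is stuck, which is the same check the show crypto engine connection active encrypt/decrypt columns give you per SA.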
debug crypto isakmp
This output shows an example of the debug crypto isakmp command.
processing SA payload. message ID = 0
Checking ISAKMP transform against priority 1 policy
encryption DES-CBC
hash SHA
default group 2
auth pre-share
life type in seconds
life duration (basic) of 240
atts are acceptable. Next payload is 0
processing KE payload. message ID = 0
processing NONCE payload. message ID = 0
processing ID payload. message ID = 0
SKEYID state generated
processing HASH payload. message ID = 0
SA has been authenticated
processing SA payload. message ID = 800032287
debug crypto ipsec
This command shows the source and destination of IPsec tunnel endpoints. Src_proxy and dest_proxy are the client subnets. Two "sa created" messages appear with one in each direction. (Four messages appear if you perform ESP and AH.)
This output shows an example of the debug crypto ipsec command.
Checking IPSec proposal 1
transform 1, ESP_DES
attributes in transform:
encaps is 1
SA life type in seconds
SA life duration (basic) of 3600
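How far a negotiation got can be read off the debug crypto isakmp and debug crypto ipsec output shown in the last two sections. The Python script below is an added example, not Cisco code and not part of the original document: it extracts the Phase 1 attributes the peer offered (encryption, hash, group, authentication, lifetime) and checks which milestones appear in a transcript (ISAKMP transform checked, "atts are acceptable", "SA has been authenticated", IPsec proposal checked, "sa created"), then states where the negotiation stopped. SAMPLE_DEBUG is a constructed transcript assembled from the two outputs above; its two "sa created" lines are made up apart from the substring the article mentions, and the milestone names and diagnosis strings are the example's own.

```python
"""Read a combined 'debug crypto isakmp' / 'debug crypto ipsec' transcript,
report how far the negotiation got, and extract the Phase 1 attributes
the peer offered. Added example, not Cisco code. SAMPLE_DEBUG is
constructed after the article's outputs; the "sa created" lines are made
up apart from the substring the article mentions."""
import re

# Attribute lines as printed by debug crypto isakmp, e.g. "hash SHA".
ATTR_RE = re.compile(r"^\s*(encryption|hash|default group|auth)\s+(\S+)")
LIFE_RE = re.compile(r"life duration \(basic\) of (\d+)")

# Milestones in the order a healthy negotiation passes them.
MILESTONES = [
    ("phase1_proposal_checked", "Checking ISAKMP transform"),
    ("phase1_atts_acceptable", "atts are acceptable"),
    ("phase1_authenticated", "SA has been authenticated"),
    ("phase2_proposal_checked", "Checking IPSec proposal"),
    ("ipsec_sa_created", "sa created"),
]

# Constructed transcript modelled on the article's two debug outputs.
SAMPLE_DEBUG = """\
processing SA payload. message ID = 0
Checking ISAKMP transform against priority 1 policy
encryption DES-CBC
hash SHA
default group 2
auth pre-share
life type in seconds
life duration (basic) of 240
atts are acceptable. Next payload is 0
processing KE payload. message ID = 0
processing NONCE payload. message ID = 0
processing ID payload. message ID = 0
SKEYID state generated
processing HASH payload. message ID = 0
SA has been authenticated
processing SA payload. message ID = 800032287
Checking IPSec proposal 1
transform 1, ESP_DES
attributes in transform:
encaps is 1
SA life type in seconds
SA life duration (basic) of 3600
IPSEC(create_sa): sa created, (sa) sa_dest= 12.1.1.1, sa_prot= 50
IPSEC(create_sa): sa created, (sa) sa_dest= 12.1.1.2, sa_prot= 50
"""

def phase1_attributes(debug_text):
    """Return the Phase 1 attributes the peer offered, e.g. {'hash': 'SHA'}."""
    attrs = {}
    for line in debug_text.splitlines():
        if "Checking IPSec proposal" in line:
            break            # Phase 2 lines carry different attribute names
        if m := ATTR_RE.match(line):
            key = "group" if m.group(1) == "default group" else m.group(1)
            attrs[key] = m.group(2)
        elif m := LIFE_RE.search(line):
            attrs["lifetime"] = int(m.group(1))
    return attrs

def negotiation_progress(debug_text):
    """Return (milestones reached, number of 'sa created' lines, diagnosis)."""
    reached = [name for name, marker in MILESTONES if marker in debug_text]
    created = debug_text.count("sa created")
    if "phase1_proposal_checked" not in reached:
        diag = "no ISAKMP proposal seen: peer never reached us or debug is not enabled"
    elif "phase1_atts_acceptable" not in reached:
        diag = "Phase 1 failed: no local ISAKMP policy matched the peer's proposal"
    elif "phase1_authenticated" not in reached:
        diag = "Phase 1 policy matched but the SA was never authenticated (check the pre-shared key)"
    elif "phase2_proposal_checked" not in reached:
        diag = "Phase 1 complete, Phase 2 never started"
    elif created == 0:
        diag = "Phase 2 proposal checked but no IPsec SA created (check transform sets and crypto ACLs)"
    elif created % 2:
        diag = f"{created} 'sa created' message(s): an SA is missing in one direction"
    else:
        protos = "ESP and AH" if created == 4 else "one protocol"
        diag = f"tunnel up: {created} 'sa created' messages ({protos}, one per direction)"
    return reached, created, diag

if __name__ == "__main__":
    print("offered:", phase1_attributes(SAMPLE_DEBUG))
    reached, created, diag = negotiation_progress(SAMPLE_DEBUG)
    print("reached:", ", ".join(reached))
    print("diagnosis:", diag)
```

Feed it the output of both debugs captured together; the milestone list tells you which phase to look at, and the offered attributes can be compared line by line with the local crypto isakmp policy when "atts are acceptable" never appears.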