IPsec (IKEv1) VPN negotiation works in two phases:
1) PHASE-1 (ISAKMP)
2) PHASE-2 (IPSEC)
--> Whenever you troubleshoot an IPsec VPN, first find out whether the problem is in Phase 1; only once Phase 1 is up do you move on to Phase 2.
Verifying PHASE-1
--> Verify Phase 1 with the show crypto isakmp sa command and look at the state column.
# show crypto isakmp sa
STATE = MM_NO_STATE (the ISAKMP SA was created but the negotiation went no further: the peer never answered, or it rejected our proposal because the encryption algorithm, hash, authentication method or Diffie-Hellman group does not match on both sides). Typical causes:
--> Peer IP address in the crypto map configuration is wrong.
--> There is no route to reach the peer IP address.
--> An access-list or firewall on the path blocks the ports IPsec needs (UDP 500 for ISAKMP, UDP 4500 for NAT-T, and ESP, IP protocol 50), so the first exchange never completes.
--> To check the parameters, run the following command on both sides and compare: at least one policy on each side must agree on encryption, hash, authentication method and DH group (the lifetime does not have to match; the shorter one is negotiated).
# show crypto isakmp policy
--> If the parameters match, check that the pre-shared key is the same on both sides and is configured for the correct peer address:
# show crypto isakmp key
--> STATE = MM_KEY_EXCH (the Diffie-Hellman exchange completed, but the peers have not yet authenticated each other). Being stuck in this state usually means the authentication step is failing:
--> The pre-shared key or the digital certificate is wrong or does not match on both sides.
---> If all the parameters match, the state should be QM_IDLE. Seeing QM_IDLE means Phase 1 is successful.
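The Phase 1 checks above can be turned into a small triage script. The following is an added example, not code from the original post: it parses constructed sample output of show crypto isakmp sa and show crypto isakmp policy (the text is typed in here, not captured from a real router), maps the SA state to the next thing to check, and performs the same proposal matching the responder does, i.e. the initiator's policies in priority order against the responder's, ignoring lifetime. The site names and policy values are assumptions chosen to show one mismatched and one matching policy.

```python
import re

# Constructed sample output of "show crypto isakmp sa" (not captured from a
# real device). The state column is what the procedure above keys on.
ISAKMP_SA_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
203.0.113.2     198.51.100.1    MM_KEY_EXCH       1001 ACTIVE
"""

# Constructed sample output of "show crypto isakmp policy" from each peer.
SITE_A_POLICY = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (256 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
Protection suite of priority 20
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               86400 seconds, no volume limit
"""

SITE_B_POLICY = """\
Global IKE policy
Protection suite of priority 10
        encryption algorithm:   AES - Advanced Encryption Standard (128 bit keys).
        hash algorithm:         Secure Hash Standard 2 (256 bit)
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #14 (2048 bit)
        lifetime:               3600 seconds, no volume limit
"""

# What a main-mode SA that is stuck in each state tells you.
STATE_HINTS = {
    "MM_NO_STATE": "no usable reply from peer: check peer address, route and "
                   "UDP/500 (UDP/4500, ESP) filtering, then compare policies",
    "MM_SA_SETUP": "policy agreed, Diffie-Hellman exchange not completing",
    "MM_KEY_EXCH": "DH done but unauthenticated: pre-shared key or "
                   "certificate mismatch",
    "MM_KEY_AUTH": "authenticated, main mode finishing",
    "QM_IDLE": "phase 1 complete; if traffic still fails, look at phase 2",
}

SA_ROW = re.compile(r"^(\S+)\s+(\S+)\s+((?:MM|QM|AG)_\w+)\s+(\d+)\s+(\w+)")


def parse_isakmp_sa(text):
    """One dict per SA row of 'show crypto isakmp sa', with a triage hint."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status,
                         "hint": STATE_HINTS.get(state, "unknown state")})
    return rows


def parse_policies(text):
    """One dict per 'Protection suite' block of 'show crypto isakmp policy'."""
    suites, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Protection suite of priority (\d+)", line)
        if m:
            cur = {"priority": int(m.group(1))}
            suites.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "encryption algorithm":
            # "AES - Advanced Encryption Standard (256 bit keys)." -> "AES-256"
            bits = re.search(r"\((\d+) bit", value)
            cur["encryption"] = value.split(" - ")[0] + ("-" + bits.group(1) if bits else "")
        elif key == "hash algorithm":
            cur["hash"] = value
        elif key == "authentication method":
            cur["authentication"] = value
        elif key == "diffie-hellman group":
            cur["group"] = int(re.search(r"#(\d+)", value).group(1))
        # lifetime is deliberately not compared: IOS uses the shorter of the two
    return suites


MATCH_KEYS = ("encryption", "hash", "authentication", "group")


def find_matching_suite(initiator, responder):
    """Phase-1 proposal matching: the initiator offers its policies in priority
    order and the responder accepts the first one equal (on MATCH_KEYS) to any
    of its own. Returns (initiator_priority, responder_priority) or None."""
    for a in sorted(initiator, key=lambda s: s["priority"]):
        for b in sorted(responder, key=lambda s: s["priority"]):
            if all(a.get(k) == b.get(k) for k in MATCH_KEYS):
                return a["priority"], b["priority"]
    return None


if __name__ == "__main__":
    for sa in parse_isakmp_sa(ISAKMP_SA_OUTPUT):
        print(f"{sa['src']} -> {sa['dst']}: {sa['state']} ({sa['hint']})")
    print("matching policies:", find_matching_suite(
        parse_policies(SITE_A_POLICY), parse_policies(SITE_B_POLICY)))
```

With the sample data, site A's priority-10 policy (AES-256/SHA) has no partner on site B, but its priority-20 policy matches B's priority 10, so Phase 1 would negotiate; the sample SA stuck in MM_KEY_EXCH then points at the pre-shared key rather than the policies.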
Verifying PHASE-2
---> In Phase 2, both devices need the same transform-set, mirrored crypto access-lists, and the peer address in the crypto map must be the public IP address of the other device.
---> To check whether the Phase 2 SAs were built (and therefore whether the transform-set matched), use the following command and look at the inbound esp sas and outbound esp sas sections: each should list an SPI. Also compare #pkts encaps with #pkts decaps: packets encapsulated but none decapsulated means traffic leaves this side but nothing comes back from the peer.
# show crypto ipsec sa
--> Then check that the crypto access-list on each side is correct: the one on the remote peer must be the mirror image (source and destination swapped) of the local one, otherwise the peers will not agree on the proxy identities.
# show access-list
---> Finally, verify which interface the crypto map is applied to. Normally it is the interface connected to the ISP, the one carrying the public IP address the peer points at; show crypto map lists the interfaces using each map.
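The Phase 2 checks can be scripted the same way. This is an added example, not code from the original post: it parses constructed, trimmed show crypto ipsec sa output from both ends of one tunnel (typed in here, not captured from real routers; only the lines the parser reads are kept), reads the encaps/decaps counters and ESP SPIs, and checks that the two crypto ACLs are mirror images of each other. The addresses, SPIs and counter values are assumptions chosen so that site A is sending but receiving nothing while site B receives but never sends back.

```python
import re

# Constructed, trimmed output of "show crypto ipsec sa" from the two peers of
# one tunnel (not captured from real devices); only the lines the parser
# reads are kept. Site A sends 120 packets and receives none back.
SITE_A_IPSEC_SA = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 198.51.100.1

   local  ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

     inbound esp sas:
      spi: 0x3D4A5B6C(1028086636)
        transform: esp-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0xA1B2C3D4(2712847316)
        transform: esp-aes esp-sha-hmac ,
"""

SITE_B_IPSEC_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: VPNMAP, local addr 203.0.113.2

   local  ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 120, #pkts decrypt: 120, #pkts verify: 120

     inbound esp sas:
      spi: 0xA1B2C3D4(2712847316)
        transform: esp-aes esp-sha-hmac ,
     outbound esp sas:
      spi: 0x3D4A5B6C(1028086636)
        transform: esp-aes esp-sha-hmac ,
"""


def parse_ipsec_sa(text):
    """Pull the identities, peer, counters and ESP SPIs out of the output."""
    sa = {"local": None, "remote": None, "peer": None, "encaps": 0, "decaps": 0,
          "inbound_spis": [], "outbound_spis": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"local\s+ident.*\):\s*\((.*?)\)", line):
            sa["local"] = m.group(1)
        elif m := re.match(r"remote\s+ident.*\):\s*\((.*?)\)", line):
            sa["remote"] = m.group(1)
        elif m := re.match(r"current_peer\s+(\S+)", line):
            sa["peer"] = m.group(1)
        elif m := re.match(r"#pkts encaps:\s*(\d+)", line):
            sa["encaps"] = int(m.group(1))
        elif m := re.match(r"#pkts decaps:\s*(\d+)", line):
            sa["decaps"] = int(m.group(1))
        elif line.endswith("sas:"):
            # "inbound esp sas:", "outbound ah sas:", ...; only ESP is tracked
            direction, proto = line.split()[:2]
            section = f"{direction}_spis" if proto == "esp" else None
        elif section and (m := re.match(r"spi:\s*(0x[0-9A-Fa-f]+)", line)):
            sa[section].append(m.group(1))
    return sa


def triage(sa):
    """Map what 'show crypto ipsec sa' shows to the next thing to check."""
    if not sa["inbound_spis"] and not sa["outbound_spis"]:
        return ("no phase-2 SAs: transform-set or crypto ACL mismatch, "
                "or no interesting traffic has matched the crypto ACL")
    if sa["encaps"] and not sa["decaps"]:
        return ("sending but nothing returns: check the peer's crypto ACL and "
                "its route for our subnet, and that ESP is allowed inbound")
    if sa["decaps"] and not sa["encaps"]:
        return ("receiving but not sending: the local route or crypto ACL is "
                "not steering return traffic into the tunnel")
    if sa["encaps"] and sa["decaps"]:
        return "tunnel is passing traffic in both directions"
    return "SAs are up but no traffic has used them yet"


def acls_mirror(a, b):
    """Crypto ACLs must be mirror images: A's local is B's remote and vice versa."""
    return a["local"] == b["remote"] and a["remote"] == b["local"]


if __name__ == "__main__":
    a, b = parse_ipsec_sa(SITE_A_IPSEC_SA), parse_ipsec_sa(SITE_B_IPSEC_SA)
    print("site A:", triage(a))
    print("site B:", triage(b))
    print("ACLs mirrored:", acls_mirror(a, b))
```

A useful cross-check the two outputs give you for free: site A's outbound SPI must be site B's inbound SPI and vice versa. If the SPIs do not line up, the two routers are not talking about the same SA pair and one side is holding a stale SA, which is exactly what clear crypto sa is for.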
Troubleshooting commands:
clear crypto isakmp     (tears down the Phase 1 SAs)
clear crypto sa         (tears down the Phase 2 SAs so they are renegotiated)
debug crypto isakmp
debug crypto ipsec
--> Turn on the debugs with care on a production router, and run debug crypto condition peer ipv4 <peer-address> first so that only the peer you are troubleshooting is logged.
Really good information