show crypto ipsec policy all detail
Confirm the source address and destination address, and that the IPSec
parameters match on the peers.
5. To display the IKE SA state and counters, enter:
show crypto ike sa all
6. To display the IPSec SA statistics, enter:
show crypto ipsec sa all
7. To display the statistics for connections that are occurring through the firewall, enter:
show firewall connections all
Verify that traffic is passing across the configured policies.
Troubleshooting Dynamic VPN ABOT over IP-IP tunnels
This section describes how to troubleshoot dynamic routing over IP-IP encapsulated
tunnels.
The following is a list of requirements for configuring Dynamic VPN ABOT over IP-IP:
• The Secure Router requires the IP-IP tunnel to be created manually to enable routing
over VPN.
• Periodic DPD must be enabled on the peers.
• An IP address has to be assigned to the IPIP tunnel to make it a layer 3 interface.
• When configuring the tunnel, the tunnel source must be an interface name rather than an
IP address, as the IP address can change (for example, tunnel source ethernet0/1).
• Locally generated packets that go through the tunnel interface will carry the tunnel IP
address as source before IPIP encapsulation.
• RIP and OSPF protocols use the tunnel interface name as the next hop for the routes
learned over this VPN interface.
• The tunnel interface must always be configured as crypto untrusted.
In typical ABOT scenarios, the branch offices often use DHCP-acquired IP addresses from the
ISP. This requires enabling a DHCP client on the interface connecting to the public network.
The following is a sample configuration for the public Ethernet interface facing the internet.
(This configuration is similar to static VPN ABOT.)
interface ethernet 0/2
dhcp-client request-default-router
dhcp-client enable
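As an added check (not part of this manual), the following script reads a saved configuration and flags tunnel interfaces that violate the interface-level requirements listed above: a tunnel source given as an IP address instead of an interface name, no IP address on the tunnel, or a tunnel not marked crypto untrusted. The tunnel sub-command syntax in the constructed sample is assumed from the page's "tunnel source ethernet0/1" and "crypto untrusted" wording; adjust the prefixes to match the syntax your router emits.

```python
import re
from typing import Dict, List

# Constructed sample configuration. The "interface ethernet 0/2" block is the
# page's own example; the tunnel blocks use an assumed Secure Router-like
# syntax and are not taken from any manual.
SAMPLE_CONFIG = """\
interface ethernet 0/2
 dhcp-client request-default-router
 dhcp-client enable
interface tunnel vpn1
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.1
 crypto untrusted
interface tunnel vpn2
 tunnel source ethernet0/2
 tunnel destination 198.51.100.2
 ip address 10.255.0.1 255.255.255.252
 crypto untrusted
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group sub-commands under the 'interface ...' header they belong to."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def check_tunnels(config: str) -> Dict[str, List[str]]:
    """Return, per tunnel interface, the listed requirements it violates."""
    findings: Dict[str, List[str]] = {}
    for name, cmds in parse_interfaces(config).items():
        if not name.startswith("tunnel "):
            continue  # DHCP and other interface blocks are not tunnels
        problems: List[str] = []
        sources = [c.split(None, 2)[2] for c in cmds if c.startswith("tunnel source ")]
        if not sources:
            problems.append("no tunnel source")
        elif IPV4.match(sources[0]):
            problems.append("tunnel source is an IP address, use an interface name")
        if not any(c.startswith("ip address ") for c in cmds):
            problems.append("no IP address on tunnel (not a layer 3 interface)")
        if "crypto untrusted" not in cmds:
            problems.append("tunnel not marked crypto untrusted")
        findings[name] = problems
    return findings
```

Periodic DPD is a peer-level crypto setting rather than an interface sub-command, so it is not covered by this check.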
Troubleshooting August 2013 219