show crypto ipsec policy all detail
Verify the source and destination IP addresses.
6. To display the IKE SA state and counters, enter:
show crypto ike sa all
7. To display the IPSEC SA statistics, enter:
show crypto ipsec sa all
8. To display the statistics for connections that are occurring through the firewall, enter:
show firewall connections all
Verify that traffic is passing across the configured policies.
The following are some additional commands that can be useful for debugging Dynamic VPN:
• debug crypto ike—enables IKE negotiation debug
• debug crypto ipsec—enables IPSec policy related debug
• debug crypto ca—enables PKI debug
• debug ip tunnel encap—enables debug for encapsulation related messages
• debug ip tunnel decap—enables debug for decapsulation related messages
• debug ip tunnel state—enables debug for interface state change messages
• debug dhcp-client—enables DHCP client debug messages (for VPN ABOT)
Secure Router to Avaya VPN router interoperability tips
In both static and dynamic tunnels, if the peer is an Avaya VPN router and a NAT exists between the two peers, use the enable-natt-rfc3947 command under the IKE policy for NAT traversal to work with the Avaya VPN router. To confirm the configuration, use the show crypto ike policy all detail command.
The following table describes default VPN attributes on the Secure Router and the Avaya VPN router, and the action required for interoperability between these two routers.

| Attributes | SR2330/4134 (Default values) | Avaya VPN router (Default values) | Action |
|---|---|---|---|
| IKE Phase1 | Pre-3des-g2-sha1 | Pre-des-g1-sha1 | Modify the proposal attributes in either of the devices. |
| IKE Phase2 | ESP-3des-sha-TU | ESP-3des-MD5-TU | Modify the proposal attributes in either of the devices. |
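The default-proposal mismatch in the table above, worked through as an added example (not part of the original Avaya documentation): the script splits each default proposal name into fields, lists the attributes that differ between the two routers, and names the stronger value to align on. The field layout of the proposal names and the reading of "sha" as SHA-1 are assumptions inferred from the table.

```python
# Added example: compare the default proposals from the interoperability table.
# Assumption: the field layout of the proposal names is inferred from the table:
#   Phase 1: <auth>-<cipher>-<dh group>-<hash>
#   Phase 2: <protocol>-<cipher>-<hash>-<mode>
PHASE_FIELDS = {
    1: ("auth", "cipher", "dh_group", "hash"),
    2: ("protocol", "cipher", "hash", "mode"),
}
# Higher rank = stronger. Only values that appear in the table are ranked.
STRENGTH = {
    "cipher": {"des": 0, "3des": 1},
    "dh_group": {"g1": 0, "g2": 1},
    "hash": {"md5": 0, "sha1": 1},
}
ALIASES = {"sha": "sha1"}  # assumption: "sha" in the Phase 2 name means SHA-1


def parse_proposal(phase, name):
    """Split a proposal name into normalised, named fields."""
    parts = [ALIASES.get(p, p) for p in name.lower().split("-")]
    fields = PHASE_FIELDS[phase]
    if len(parts) != len(fields):
        raise ValueError(f"unexpected phase {phase} proposal: {name!r}")
    return dict(zip(fields, parts))


def compare(phase, sr_name, vpn_name):
    """Return {field: (sr_value, vpn_value, stronger_value)} for each mismatch."""
    sr, vpn = parse_proposal(phase, sr_name), parse_proposal(phase, vpn_name)
    diffs = {}
    for field in PHASE_FIELDS[phase]:
        if sr[field] != vpn[field]:
            rank = STRENGTH.get(field, {})
            # None when the values cannot be ranked (e.g. an auth or mode mismatch)
            stronger = (max(sr[field], vpn[field], key=rank.__getitem__)
                        if sr[field] in rank and vpn[field] in rank else None)
            diffs[field] = (sr[field], vpn[field], stronger)
    return diffs


if __name__ == "__main__":
    # Default values copied from the table above.
    defaults = {1: ("Pre-3des-g2-sha1", "Pre-des-g1-sha1"),
                2: ("ESP-3des-sha-TU", "ESP-3des-MD5-TU")}
    for phase, (sr, vpn) in defaults.items():
        for field, (a, b, best) in compare(phase, sr, vpn).items():
            print(f"IKE Phase{phase} {field}: SR={a} VPN router={b} -> align on {best}")
```

With the defaults, Phase 1 differs in cipher and DH group and Phase 2 differs in hash; in each case the Secure Router default is the stronger value, so changing the Avaya VPN router proposal avoids downgrading the tunnel.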
Troubleshooting August 2013 221