Task 4: Test and Verify the Overall IPSec Configuration

The final step in configuring IPSec for preshared keys is to verify that all the IKE and IPSec values were configured correctly and to test that the configuration works properly. The PIX Firewall provides a number of show, clear, and debug commands that are useful for testing and verifying IKE and IPSec; they are summarized in this section.

Test and Verify IKE Configuration

You can use the commands summarized in Table 17-4 to observe IKE configuration and operation.

Table 17-4 Commands Used to Observe IKE

| Command | Description |
|---|---|
| show isakmp | Displays configured IKE policies in a format similar to the write terminal command |
| show isakmp policy | Displays default and any configured IKE policies |

Test and Verify IPSec Configuration

You can test and verify IPSec configuration on the PIX Firewall with the commands listed in Table 17-5.

Table 17-5 Commands Used to Observe IPSec

| Command | Description |
|---|---|
| show access-list | Lists the access-list command statements in the configuration. Used to verify that crypto access lists select the interesting traffic. Displays the number of packets that match each access list. |
| show crypto map | Displays the crypto access lists assigned to a crypto map and the configured crypto map parameters. |
| show crypto ipsec transform-set | Displays configured IPSec transform sets. |
| show crypto ipsec security-association lifetime | Displays the global IPSec SA lifetime values. |

Monitor and Manage IKE and IPSec Communications

You can observe IKE and IPSec setup and monitor and manage IKE and IPSec communications between the PIX Firewall and IPSec peers with the commands listed in Table 17-6.

Table 17-6 Commands Used to Monitor and Manage IKE and IPSec Communications

| Command | Description |
|---|---|
| show isakmp sa | Displays the current status of IKE security associations. |
| show crypto ipsec sa | Displays the current status of IPSec security associations. Useful for ensuring that traffic is being encrypted. |
| clear crypto isakmp sa | Clears IKE security associations. |
| clear crypto ipsec sa | Clears IPSec security associations. |
| debug crypto isakmp | Displays IKE communications between the PIX Firewall and IPSec peers. |
| debug crypto ipsec | Displays IPSec communications between the PIX Firewall and IPSec peers. |

The show isakmp sa command is useful for viewing all current IKE SAs at a peer, as shown in Example 17-18.

Example 17-18 The show isakmp sa Command, Used to View All Current IKE SAs at a Peer

```
Pix1# show isakmp sa
  dst      src     state    conn-id  slot
192.168.1.2  192.168.2.2   QM_IDLE      93   0
```

The clear isakmp command clears active IKE connections, as shown in Example 17-19.

Example 17-19 The clear isakmp Command, Used to Clear Active IKE Connections

```
Pix1# show crypto isakmp sa
  dst      src     state    conn-id  slot
192.168.1.2  192.168.2.2   QM_IDLE      93   0
Pix1# clear crypto isakmp 93
2w4d: ISADB: reaper checking SA,
Pix1# show crypto isakmp sa
  dst      src     state    conn-id  slot
```
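To automate the check that Examples 17-18 and 17-19 perform by eye, here is an added Python example (not code from the book) that parses the show isakmp sa column layout and reports whether the IKE SA to an expected peer is established, negotiating, or absent. The sample sessions are constructed from the two examples, and treating every state other than QM_IDLE as not yet established is an assumption.

```python
"""Check IKE (phase 1) SA state from PIX 'show isakmp sa' output.
Added example, not code from the book. Column layout (dst, src, state,
conn-id, slot) follows Example 17-18; the sample sessions are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List

# QM_IDLE is the quiescent state of a fully established IKE SA.
# Assumption: every other state (MM_*, AG_*) is treated as still negotiating.
ESTABLISHED_STATE = "QM_IDLE"

@dataclass
class IkeSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int

def parse_isakmp_sa(output: str) -> List[IkeSa]:
    """One IkeSa per data row. Prompt echoes, the column header and debug chatter
    ('2w4d: ISADB: ...') do not parse as <ip> <ip> <state> <int> <int> and are skipped."""
    sas: List[IkeSa] = []
    for line in output.splitlines():
        f = line.split()
        if len(f) != 5:
            continue
        try:
            dst, src = str(ipaddress.ip_address(f[0])), str(ipaddress.ip_address(f[1]))
            sas.append(IkeSa(dst, src, f[2], int(f[3]), int(f[4])))
        except ValueError:
            continue
    return sas

def ike_sa_status(output: str, peer: str) -> str:
    """'established', 'negotiating' or 'absent' for the IKE SA with a peer."""
    peer_ip = str(ipaddress.ip_address(peer))
    states = [sa.state for sa in parse_isakmp_sa(output) if peer_ip in (sa.dst, sa.src)]
    if not states:
        return "absent"
    return "established" if ESTABLISHED_STATE in states else "negotiating"

# Constructed samples modelled on Examples 17-18 and 17-19 (before/after clear).
HEADER = "Pix1# show isakmp sa\n  dst      src     state    conn-id  slot\n"
SAMPLE_UP = HEADER + "192.168.1.2  192.168.2.2   QM_IDLE      93   0\n"
SAMPLE_CLEARED = HEADER  # no rows: the SA with conn-id 93 has been cleared

if __name__ == "__main__":
    print(ike_sa_status(SAMPLE_UP, "192.168.2.2"), ike_sa_status(SAMPLE_CLEARED, "192.168.2.2"))
```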