Sh crypto isakmp sa

Posted byArden Perez

sh crypto iskamp sa on VPN ASA

I am analyzing approximately VPN nowadays.

sh crypto isakmp sa

   Active SA: eight    Rekey SA: zero (A tunnel will record 1 Active and 1 Rekey SA for the duration of rekey)Total IKE SA: eight

1   IKE Peer: 198.x    Type    : user            Role    : responder    Rekey   : no              State   : AM_ACTIVE2   IKE Peer: 197.x    Type    : consumer            Role    : responder    Rekey   : no              State   : AM_ACTIVE3   IKE Peer: 163.x    Type    : consumer            Role    : responder    Rekey   : no              State   : AM_ACTIVE4   IKE Peer: fifty one.x    Type    : user            Role    : responder    Rekey   : no              State   : AM_ACTIVE5   IKE Peer: seventy one.x    Type    : person            Role    : responder    Rekey   : no              State   : AM_ACTIVE6   IKE Peer: 207.x    Type    : user            Role    : responder    Rekey   : no              State   : AM_ACTIVE7   IKE Peer: seventy one.x    Type    : person            Role    : responder    Rekey   : no              State   : AM_ACTIVE8   IKE Peer: 68.x    Type    : person            Role    : responder    Rekey   : no              State   : AM_ACTIVE

Need to recognize what does this 8 friends imply right here does this imply that it has IPSEC tunnels to 8 of these gadgets?

Solved! Go to Solution.

To my information this is exactly what it way. That there’s eight VPN connections to your ASA.

This output is the choices country of the Phase 1. There will simplest be one ISAKMP SA per VPN connection at the same time as there may be multiple IPsec SAs in line with VPN connection.

Above data tells us the choices IP cope with from which user is connecting and additionally tells us that the ASA has been the choices responder to this connection. It different words the alternative stop of the VPN has opened/shaped/initiated the choices connection. It also shows that Aggressive Mode is used (AM) which in all likelihood approach that each of the above connections are VPN Client connections in place of L2L VPN connections.

View answer in unique submit

There are different instructions to get more facts about the choices connections.

You may want to as an example use

Find the only there that refers to the Remote Access Clients. It might check with Remote Access at once or mention IKEv1 RA as the following options (no longer in that specific layout even though). It relies upon on the choices ASA software program model.

The following command could provide you with a precis of which kind of connections there are alternatives on the ASA

Have a strive with the alternative commands with the way I confirmed above. I imply inserting the query mark “?” after the choices “display vpn-sessiondb” command so you can see the options.

With regards to the choices IP cope with, the choices IP cope with is the general public IP address from which the connection turned into shaped. Most of the time this is NAT IP deal with certainly at the choices far off cease wherein the consumer is connecting from. For instance if a VPN person was connecting from his/her domestic this public IP deal with would be his/her Internet router/modems public IP deal with.

If you had a L2L VPN connection then this public IP deal with visible might be that of the far off VPN device. This naturally also can be a NAT IP cope with if the choices VPN device is in the back of a NAT tool and now not without delay connected to Internet.

The Phase 1 is continually formed/negotiated. When its negotiated the choices VPN peers will use this Phase 1 connection to barter the choices Phase 2 securely and decide what visitors needs to be covered by means of the VPN.

The above is naturally a completely easy clarification of the choices VPN. There is probably lots extra records in case you are using a few cloth to look at the VPN.

View solution in authentic post

The beginning of the choices output could seem to indicate that this device has most effective been used for Client VPN. Atleast from the time whilst it was last booted as we will simplest see IPsec Remote Access Cumulative Counter accelerated.

The same section suggests that currenctly Active periods are all IPsec Remote Access connections.

With regards to the give up of the output I am not a hundred% sure.

It would seem to me that one of the VPN Clients related is using UDP as its at the back of a NAT device (IPsecOverNatT) and rest of the 7 VPN Clients are the usage of TCP to connect.

Would possibly ought to see some “show run crypto” and “show run group-policy” configurations on the tool to verify.

View solution in original publish

This command enables the usage of TCP for the VPN Client connections. The preceding 7 VPN Client connections are connecting with TCP.

crypto isakmp ipsec-over-tcp port 10000

It defines the TCP port to be TCP/10000 despite the fact that I consider it can be some thing else too. This is the default price. I could believe that your VPN Client customers might additionally have configuration below their VPN Client profiles configurations (the only they use to hook up with this tool) that selects them to apply TCP. Normally the choices default putting on a newly created profile is to my expertise UDP.

You additionally seem to have those settings for UDP

To be sincere, I even have no longer touched this putting formerly so I am not positive what the choices cause here is. To my know-how the choices VPN Client and ASA dont want any nondefault configurations to enable for the choices connection to use UDP. Maybe this units the choices values regarding the UDP port to nondefault values. I cannot virtually say except I tested this sooner or later.

View answer in unique post

To my understanding that is precisely what it method. That there’s eight VPN connections for your ASA.

This output is the choices kingdom of the Phase 1. There will simplest be one ISAKMP SA consistent with VPN connection at the same time as there can be more than one IPsec SAs consistent with VPN connection.

Above information tells us the choices IP address from which user is connecting and additionally tells us that the ASA has been the choices responder to this connection. It different phrases the other cease of the choices VPN has opened/fashioned/initiated the choices connection. It also suggests that Aggressive Mode is used (AM) which probable approach that each of the above connections are VPN Client connections rather than L2L VPN connections.

View solution in original post

So want to verify these all 8 connections are Remote Access VPN connections where clients are connecting to the

Also IP address display are of the Client PC right?

Do the choices Remote Access VPN usually live in Phase 1 only?

There are different commands to get more data approximately the choices connections.

You may want to as an instance use

Find the one there that refers to the Remote Access Clients. It might confer with Remote Access directly or point out IKEv1 RA as the next options (now not in that precise layout even though). It depends on the choices ASA software program version.

The following command would provide you with a precis of which type of connections there are alternatives on the choices ASA

Have a attempt with the alternative commands with the manner I showed above. I suggest placing the question mark “?” after the choices “show vpn-sessiondb” command so you can see the options.

With regards to the IP deal with, the IP cope with is the public IP cope with from which the connection was formed. Most of the choices time this is NAT IP address certainly at the remote quit where the choices person is connecting from. For example if a VPN user changed into connecting from his/her home this public IP deal with might be his/her Internet router/modems public IP cope with.

If you had a L2L VPN connection then this public IP deal with seen could be that of the far flung VPN tool. This clearly can also be a NAT IP address if the choices VPN tool is in the back of a NAT tool and not without delay related to Internet.

The Phase 1 is constantly fashioned/negotiated. When its negotiated the VPN peers will use this Phase 1 connection to barter the Phase 2 securely and decide what traffic wishes to be protected by using the choices VPN.

The above is clearly a totally easy clarification of the VPN. There might be plenty greater facts if you are the use of a few cloth to take a look at the choices VPN.

View solution in unique post

I ran the command

Sessions:                           Active : Cumulative : Peak Concurrent : Inactive  SSL VPN               :       zero :          zero :               zero    Clientless handiest     :       0 :          zero :               zero    With client         :       0 :          zero :               zero :        zero  Email Proxy           :       zero :          zero :               0  IPsec LAN-to-LAN      :       zero :          zero :               0  IPsec Remote Access   :       8 :       3850 :              30  VPN Load Balancing    :       zero :          0 :               zero  Totals                :       8 :       3850

License Information:  IPsec   :    750    Configured :    750    Active :      eight    Load :   1%  SSL VPN :      2    Configured :      2    Active :      zero    Load :   0%                            Active : Cumulative : Peak Concurrent  IPsec               :          eight :       4797 :              30  SSL VPN             :          0 :          0 :               0    AnyConnect Mobile :          zero :          zero :               zero    Linksys Phone     :          0 :          zero :               zero  Totals              :          8 :       4797

Tunnels:                      Active : Cumulative : Peak Concurrent IKE           :         8 :       3850 :              30  IPsec         :          zero :          4 :               1  IPsecOverNatT :          1 :        606 :               7  IPsecOverTCP  :          7 :       3240 :              24  Totals        :         16 :       7700

Active NAC Sessions:  No NAC classes to display

Active VLAN Mapping Sessions:  No VLAN Mapping sessions to show

Under Tunnels it suggests IKE eight and IPSECOver NAT 1 and IPsecOver TCP 7.

Does this additionally check with Remote Access VPN connection coming from user PC?

Are all of the above 3 terms currently discuss with Remote Access VPN?

The starting of the output could appear to suggest that this tool has best been used for Client VPN. Atleast from the time when it became remaining booted as we can only see IPsec Remote Access Cumulative Counter accelerated.

The equal section suggests that currenctly Active periods are all IPsec Remote Access connections.

With regards to the choices stop of the output I am not 100% sure.

It might appear to me that one of the VPN Clients linked is the usage of UDP as its at the back of a NAT device (IPsecOverNatT) and relaxation of the 7 VPN Clients are using TCP to connect.

Would possibly ought to see some “display run crypto” and “show run group-policy” configurations on the device to affirm.

View solution in unique publish

sh run cryptocrypto ipsec remodel-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmaccrypto ipsec rework-set ESP-DES-SHA esp-des esp-sha-hmaccrypto ipsec remodel-set ESP-3DES-SHA esp-3des esp-sha-hmaccrypto ipsec remodel-set ESP-DES-MD5 esp-des esp-md5-hmaccrypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmaccrypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmaccrypto ipsec remodel-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmaccrypto ipsec remodel-set ESP-AES-128-SHA esp-aes esp-sha-hmaccrypto ipsec remodel-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmaccrypto ipsec remodel-set ESP-AES-128-MD5 esp-aes esp-md5-hmaccrypto ipsec remodel-set strong esp-aes esp-sha-hmaccrypto ipsec remodel-set most powerful esp-aes-256 esp-sha-hmaccrypto ipsec protection-affiliation lifetime seconds 28800crypto ipsec safety-association lifetime kilobytes 4608000crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set rework-set most powerful strongcrypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set safety-affiliation lifetime kilobytes 4608000crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAPcrypto map outside_map interface outsidecrypto isakmp enable outsidecrypto isakmp coverage 1 authentication pre-percentage encryption aes-256 hash sha institution 2 lifetime 86400crypto isakmp coverage 5 authentication pre-percentage encryption 3des hash sha organization 2 lifetime 86400crypto isakmp policy 10 authentication pre-percentage encryption des hash sha institution 2 lifetime 86400crypto isakmp ipsec-over-tcp port 10000

sh run institution-policygroup-policy XGroupPolicy internalgroup-coverage XGroupPolicy attributes wins-server none dns-server price 192.168.50.1 dhcp-network-scope none vpn-get entry to-hours none vpn-simultaneous-logins three vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec password-garage disable ip-comp disable re-xauth allow group-lock none pfs disable ipsec-udp permit ipsec-udp-port ten thousand split-tunnel-coverage tunnelall split-tunnel-network-listing none default-domain fee corp.com break up-dns none intercept-dhcp disable steady-unit-authentication disable user-authentication disable user-authentication-idle-timeout 15 ip-smartphone-bypass disable soar-pass disable nem disable backup-servers keep-customer-config msie-proxy server none msie-proxy approach no-regulate msie-proxy besides-listing none msie-proxy local-bypass disable msie-proxy percent-url none vlan none nac-settings none address-pools price PoolCorp smartcard-removal-disconnect permit client-firewall none client-access-rule none webvpn  homepage none  svc dtls permit  svc mtu 1406  svc maintain-installer hooked up  svc keepalive none  svc rekey time none  svc rekey approach none  svc dpd-c programming language purchaser 30  svc dpd-c program languageperiod gateway 30  svc compression deflate  svc modules price vpngina  svc profiles none  svc ask none default webvpn  customization cost DfltCustomization  institution-coverage DfltGrpPolicy attributes wins-server fee 192.168.50.1 dns-server cost 192.168.50.1 vpn-tunnel-protocol IPSec svc ipsec-udp allow default-area value corp.com user-authentication-idle-timeout 15 cope with-pools fee PoolDefaultgroup-policy YGroupPolicy internalgroup-policy YGroupPolicy attributes wins-server value 192.168.50.1 dns-server price 192.168.50.1 dhcp-network-scope none vpn-tunnel-protocol IPSec default-area price corp.com deal with-pools price PoolDefault

Thanks for helping me out.

This command allows the usage of TCP for the choices VPN Client connections. The preceding 7 VPN Client connections are connecting with TCP.

crypto isakmp ipsec-over-tcp port ten thousand

It defines the choices TCP port to be TCP/ten thousand even though I imagine it could be some thing else too. This is the choices default value. I might consider that your VPN Client users would additionally have configuration underneath their VPN Client profiles configurations (the only they use to hook up with this tool) that selects them to use TCP. Normally the choices default putting on a newly created profile is to my knowledge UDP.

You additionally appear to have those settings for UDP

To be honest, I have not touched this placing formerly so I am no longer positive what the choices purpose right here is. To my understanding the VPN Client and ASA dont want any nondefault configurations to allow for the connection to apply UDP. Maybe this sets the choices values concerning the choices UDP port to nondefault values. I can’t actually say unless I examined this at some point.

View answer in unique publish