Difference between revisions of "VPN setup and troubleshooting"

From Tech-Wiki
Latest revision as of 14:29, 11 January 2017

Implementing VPN Tunnels

The configuration below builds a site-to-site IPsec tunnel on a Cisco IOS router using IKEv1 (ISAKMP) with a pre-shared key and a Virtual Tunnel Interface (VTI). In the example the local WAN address is 10.0.0.1, the peer is 10.0.0.2 and the tunnel itself uses 172.16.0.0/30. The peer needs the mirror-image configuration.

ISAKMP Policy

crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600

In IOS syntax "hash sha" means SHA-1 and "group 2" is 1024-bit Diffie-Hellman; both are weak by current standards, so on software that supports it prefer SHA-256 and DH group 14 (2048-bit) or higher. The lifetime is in seconds (3600 = one hour; the default is 86400). Phase 1 only succeeds if the peer has a policy whose encryption, hash, authentication method and group all match.

ISAKMP Pre-Shared Key

crypto isakmp key 0 MySecretKey address 10.0.0.2

The digit after "key" tells IOS how the string that follows is given: 0 for clear text, 6 for a string already encrypted with the router's type-6 (AES) password encryption; no other value is accepted. A type-0 key is stored in clear text in the running configuration unless type-6 encryption is enabled on the router, so treat configuration backups as secrets and use a long random key rather than a word. The address is the peer's tunnel source (the tunnel destination below); the peer must hold the same key for 10.0.0.1.

IPsec Transform Set

crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel

esp-aes 256 is the ESP cipher and esp-sha-hmac the ESP integrity algorithm (HMAC-SHA-1; esp-sha256-hmac is the stronger choice where available). Tunnel mode is the default and is what a site-to-site VTI needs. The peer must offer a matching transform set or phase 2 fails even though phase 1 is up.

IPsec Profile

crypto ipsec profile MyProfile
 set transform-set MyTS

The profile binds the transform set to the tunnel interface; with a VTI there is no crypto map and no crypto ACL to maintain.

Virtual Tunnel Interface

interface Tunnel0
 ip address 172.16.0.1 255.255.255.252
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile MyProfile

The tunnel source and destination are the public addresses that IKE and ESP travel between, so UDP/500 and ESP (IP protocol 50), or UDP/4500 when NAT traversal is in use, must be permitted between them. Everything routed out Tunnel0, whether by a static route or a routing protocol running over the tunnel, is encrypted; selecting traffic is a routing decision, not an access list. The peer configures the mirror image: address 172.16.0.2/30, tunnel source 10.0.0.2, tunnel destination 10.0.0.1.
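Before a configuration like the one above goes into production it is worth checking the algorithm choices and the key handling mechanically rather than by eye. The following Python script is an added example, not code from the original page: it audits IOS crypto commands in text form and flags the weak settings discussed above (DH group 2, SHA-1, a short clear-text pre-shared key, HMAC-SHA-1 for ESP). Both configuration strings are constructed here; the hardened variant is my suggestion rather than the page's, and the type-6 ciphertext in it is a placeholder.

```python
import re

# Constructed sample: the ISAKMP/IPsec commands from this page as they appear in
# "show running-config" (key type 0 = pre-shared key stored in clear text).
PAGE_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 MySecretKey address 10.0.0.2
crypto ipsec transform-set MyTS esp-aes 256 esp-sha-hmac
 mode tunnel
"""

# Hypothetical hardened version of the same configuration (my suggestion, not
# the page's): SHA-256 in both phases, 2048-bit DH group 14, key stored as type 6.
HARDENED_CONFIG = """\
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key 6 <type6-ciphertext> address 10.0.0.2
crypto ipsec transform-set MyTS esp-aes 256 esp-sha256-hmac
 mode tunnel
"""

WEAK_DH_GROUPS = {"1", "2", "5"}            # 768/1024/1536-bit MODP
WEAK_IKE_HASHES = {"md5", "sha"}            # "sha" is SHA-1 in IOS syntax
WEAK_CIPHERS = {"des", "3des"}
WEAK_ESP_INTEGRITY = {"esp-md5-hmac", "esp-sha-hmac"}
WEAK_ESP_CIPHERS = {"esp-des", "esp-3des", "esp-null"}
MIN_PSK_LEN = 16

KEY_RE = re.compile(r"crypto isakmp key (\d) (\S+) address (\S+)(?: (\S+))?")
TS_RE = re.compile(r"crypto ipsec transform-set (\S+) (.+)")


def audit_crypto_config(config: str) -> list:
    """Return one finding string per weak IKEv1/IPsec setting in IOS config text."""
    findings = []
    policy = None                       # number of the isakmp policy we are inside
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):     # a top-level command ends the policy block
            policy = None
        if line.startswith("crypto isakmp policy "):
            policy = line.split()[-1]
            continue
        if policy is not None:          # sub-commands of "crypto isakmp policy N"
            kw, *args = line.split()
            where = f"isakmp policy {policy}"
            if kw == "group" and args and args[0] in WEAK_DH_GROUPS:
                findings.append(f"{where}: DH group {args[0]} is too small, use 14 or higher")
            elif kw == "hash" and args and args[0] in WEAK_IKE_HASHES:
                findings.append(f"{where}: hash {args[0]} is MD5/SHA-1, use sha256 or stronger")
            elif kw == "encryption" and args and args[0] in WEAK_CIPHERS:
                findings.append(f"{where}: encryption {args[0]} is weak, use aes 256")
            continue
        m = KEY_RE.match(line)
        if m:
            enc_type, key, peer, _mask = m.groups()
            if enc_type == "0":         # clear-text key: we can also judge its length
                findings.append(f"isakmp key for {peer}: stored in clear text (type 0)")
                if len(key) < MIN_PSK_LEN:
                    findings.append(f"isakmp key for {peer}: only {len(key)} characters long")
            if peer == "0.0.0.0":
                findings.append("isakmp key: wildcard peer 0.0.0.0 accepts any address")
            continue
        m = TS_RE.match(line)
        if m:
            name, transforms = m.group(1), set(m.group(2).split())
            for t in sorted(transforms & WEAK_ESP_CIPHERS):
                findings.append(f"transform-set {name}: {t} is weak, use esp-aes 256")
            for t in sorted(transforms & WEAK_ESP_INTEGRITY):
                findings.append(f"transform-set {name}: {t} is MD5/SHA-1, use esp-sha256-hmac")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_crypto_config(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run against the page's own configuration the audit reports five findings (DH group, IKE hash, clear-text key, key length, ESP integrity) and none against the hardened variant; feed it the output of "show running-config | section crypto" from a real router to check the live box.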

VPN Troubleshooting

Cisco IOS:

show crypto isakmp sa
show crypto isakmp policy
show crypto ipsec transform-set
show crypto ipsec sa
show crypto ipsec sa peer 10.0.0.2
debug crypto {isakmp | ipsec}

Cisco ASA:

show vpn-sessiondb l2l

Work through the output in order. In "show crypto isakmp sa" a phase 1 SA in state QM_IDLE means IKE negotiation succeeded; an entry that keeps reappearing in MM_NO_STATE or MM_KEY_EXCH, or marked deleted, means phase 1 is not completing, usually because the peer is not answering on UDP/500 or the policy or pre-shared key does not match. If phase 1 is up but "show crypto ipsec sa" shows no SA for the peer, phase 2 failed; check the transform sets on both sides and "debug crypto ipsec". Once SAs exist, compare "#pkts encaps" with "#pkts decaps": encaps climbing while decaps stays at 0 means our traffic goes out encrypted but nothing comes back, which points at the peer's routing or its own phase 2 rather than at this router. Turn the debug off again when done; it is verbose and can load a busy router.
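The interpretation above is mechanical enough to script. The following Python is an added example, not part of the original page: it parses the state column of "show crypto isakmp sa" and the encaps/decaps counters of "show crypto ipsec sa" and returns a verdict code for the tunnel to a given peer, checking phase 1, then phase 2, then traffic, in the order an engineer would. The sample outputs are constructed in the layout IOS prints for the tunnel configured above (they are not captures from a real device) and the verdict codes are my own names.

```python
import re

# Constructed sample output (not captured from a real device), in the layout
# IOS uses for the tunnel configured above: local 10.0.0.1, peer 10.0.0.2.
ISAKMP_UP = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1001 ACTIVE
"""

ISAKMP_FAILING = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        MM_NO_STATE       1002 ACTIVE (deleted)
"""

ISAKMP_NONE = "IPv4 Crypto ISAKMP SA\n"

IPSEC_ONE_WAY = """\
interface: Tunnel0
    Crypto map tag: Tunnel0-head-0, local addr 10.0.0.1

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 10.0.0.2 port 500
    #pkts encaps: 48, #pkts encrypt: 48, #pkts digest: 48
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0
"""

# Same SA with return traffic arriving: the healthy case.
IPSEC_OK = IPSEC_ONE_WAY.replace("#pkts decaps: 0", "#pkts decaps: 47")

SA_LINE = re.compile(r"\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(.+)")
PEER_LINE = re.compile(r"current_peer (\d+\.\d+\.\d+\.\d+)")
PKTS_LINE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_isakmp_sa(output):
    """Rows of 'show crypto isakmp sa' as dicts (dst, src, state, conn_id, status)."""
    rows = []
    for line in output.splitlines():
        m = SA_LINE.match(line)
        if m:
            dst, src, state, conn_id, status = m.groups()
            rows.append({"dst": dst, "src": src, "state": state,
                         "conn_id": int(conn_id), "status": status.strip()})
    return rows


def parse_ipsec_counters(output):
    """Map peer address -> {'encaps': n, 'decaps': n} from 'show crypto ipsec sa'."""
    counters, peer = {}, None
    for line in output.splitlines():
        m = PEER_LINE.search(line)
        if m:                                   # a new per-peer block starts here
            peer = m.group(1)
            counters[peer] = {"encaps": 0, "decaps": 0}
            continue
        m = PKTS_LINE.search(line)
        if m and peer is not None:
            counters[peer][m.group(1)] = int(m.group(2))
    return counters


def diagnose(isakmp_output, ipsec_output, peer):
    """Return (code, explanation) for the tunnel to `peer`: phase 1, phase 2, traffic."""
    sas = [r for r in parse_isakmp_sa(isakmp_output) if peer in (r["dst"], r["src"])]
    if not sas:
        return "NO_PHASE1", "no ISAKMP SA: peer unreachable on UDP/500 or IKE never initiated"
    live = [r for r in sas if r["state"] == "QM_IDLE" and "deleted" not in r["status"]]
    if not live:
        states = ", ".join(sorted({r["state"] for r in sas}))
        return "PHASE1_FAILED", f"ISAKMP SA stuck in {states}: peer silent, or policy/PSK mismatch"
    c = parse_ipsec_counters(ipsec_output).get(peer)
    if c is None:
        return "NO_PHASE2", "phase 1 up but no IPsec SA: transform-set mismatch, run debug crypto ipsec"
    if c["encaps"] > 0 and c["decaps"] == 0:
        return "ONE_WAY", "we encrypt but nothing comes back: check the peer's routing and phase 2"
    if c["encaps"] == 0 and c["decaps"] == 0:
        return "IDLE", "SAs exist but no traffic has used the tunnel yet"
    return "UP", f"tunnel passing traffic ({c['encaps']} out / {c['decaps']} in)"


if __name__ == "__main__":
    for isakmp, ipsec in ((ISAKMP_NONE, ""), (ISAKMP_FAILING, ""), (ISAKMP_UP, ""),
                          (ISAKMP_UP, IPSEC_ONE_WAY), (ISAKMP_UP, IPSEC_OK)):
        print(*diagnose(isakmp, ipsec, "10.0.0.2"), sep=": ")
```

In practice you would paste the two show outputs in, or collect them over SSH, and call diagnose with the peer address from the configuration; the parsers only rely on the address columns and the "#pkts" lines, so small layout differences between IOS releases do not matter.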

Generating traffic to bring a VPN up

A crypto-map based IKEv1 tunnel is only negotiated once traffic matching the crypto ACL needs it. On a Cisco ASA the packet-tracer command simulates such a packet (source host and port, destination host and port, entering on the named interface) and triggers the negotiation:

packet-tracer input inside tcp 172.16.0.1 1250 172.25.11.10 80

With the IOS VTI above there is no crypto ACL: the router negotiates the SAs as soon as Tunnel0 comes up, so a tunnel that stays down is a reachability or phase 1/phase 2 configuration problem rather than a lack of traffic. To exercise it on IOS, send a ping to a host behind the peer sourced from an inside interface and watch the encaps/decaps counters in "show crypto ipsec sa".