VPN... which policy is used?
Techies.
Just got asked a question and I can't find an answer.
We are about to migrate our last Pix pairs to ASAs, and the question of whether we need new certs came up.
On the Pixen, I have several policies available, using both pre-shared keys and a cert. I cannot find a command that shows which policy got selected and is in use for LIVE vpn tunnels.
When I do a sh crypto ipsec sa or a sh crypto isakmp sa, I see beaucoup information, but not which policy is in use, and whether the key or the cert was selected.
Anyone help me out?
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
Comments
phoeneous (Member, Posts: 2,333):
Been a while since I've touched a pix.
Do you have:
(question marks are context help markers)
show isakmp policy?
show vpn-session?
show crypto ca ?
aaron0011 (Member, Posts: 330):
I'm not sure if this command works on PIX or not, but on ASA the command show vpn-sessiondb will give you stats on each connected VPN tunnel, and applied Group Policy is one of the listed parameters.
mikearama (Member, Posts: 749):
None of the above commands show the policy in use. LOTS of info from the "sh isakmp policy" options... but all static config.
And no, in these pixes, sh vpn-sessiondb is not viable.
I posted the same in the cisco forums, and the response I got was that with the pix firewalls, you need to run a debug to see the negotiation. So I guess I gotta schedule a tunnel to break, and watch the rebuild. Ugh.
Thanks for the input guys.
Mike
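As an added example that none of the posters supplied and that is not part of this thread: a Python script for the ASA side of the migration, which takes a saved `show crypto isakmp sa detail` output and the `crypto isakmp policy` lines from the running config and reports, per live peer, whether the SA was authenticated with a pre-shared key or a certificate (`rsasig`) and which configured policy numbers are consistent with the negotiated parameters. It assumes the ASA-style per-peer layout with `Encrypt`, `Hash`, `Auth` and `Lifetime` fields (both sample inputs below are constructed, with made-up addresses and policy numbers); because that output does not show the DH group, two policies that differ only in group stay ambiguous, which the second candidate for the first peer illustrates. It does not help on the PIX, where the thread's conclusion (run a debug and watch the negotiation) stands.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the ASA "show crypto isakmp sa detail" layout
# (assumption: Encrypt/Hash/Auth/Lifetime fields per peer block, no DH group).
SAMPLE_SA_DETAIL = """\
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 203.0.113.10
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : SHA
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 86381

2   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : 3des            Hash    : MD5
    Auth    : rsasig          Lifetime: 28800
    Lifetime Remaining: 27712
"""

# Constructed running-config fragment; policies 20 and 30 differ only in DH group.
SAMPLE_POLICY_CONFIG = """\
crypto isakmp policy 10
 authentication rsa-sig
 encryption 3des
 hash md5
 group 2
 lifetime 28800
crypto isakmp policy 20
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime 86400
"""

# Config keywords -> the spelling the SA output uses for the same method.
AUTH_NAMES = {"pre-share": "preshared", "rsa-sig": "rsasig"}


@dataclass
class IsakmpPolicy:
    priority: int
    authentication: str = ""
    encryption: str = ""
    hash: str = ""
    group: str = ""
    lifetime: int = 0


def parse_policies(config: str) -> list[IsakmpPolicy]:
    """Read 'crypto isakmp policy N' stanzas, returned lowest priority number first."""
    policies: list[IsakmpPolicy] = []
    current = None
    for line in config.splitlines():
        m = re.match(r"crypto isakmp policy (\d+)", line)
        if m:
            current = IsakmpPolicy(priority=int(m.group(1)))
            policies.append(current)
            continue
        parts = line.split()
        if current is None or len(parts) < 2:
            continue
        key, value = parts[0], parts[1].lower()
        if key == "authentication":
            current.authentication = AUTH_NAMES.get(value, value)
        elif key == "encryption":
            current.encryption = value
        elif key == "hash":
            current.hash = value
        elif key == "group":
            current.group = value
        elif key == "lifetime":
            current.lifetime = int(value)
    return sorted(policies, key=lambda p: p.priority)


PEER_RE = re.compile(r"IKE Peer:\s*(\S+)")
FIELD_RE = {
    "encryption": re.compile(r"Encrypt\s*:\s*(\S+)"),
    "hash": re.compile(r"Hash\s*:\s*(\S+)"),
    "authentication": re.compile(r"Auth\s*:\s*(\S+)"),
    "lifetime": re.compile(r"Lifetime:\s*(\d+)"),  # not "Lifetime Remaining:"
}


def parse_live_sas(output: str) -> list[dict]:
    """One dict per peer block in the SA detail output; the header block is skipped."""
    sas = []
    for block in re.split(r"\n\s*\n", output):
        m = PEER_RE.search(block)
        if not m:
            continue
        sa: dict = {"peer": m.group(1)}
        for name, rx in FIELD_RE.items():
            f = rx.search(block)
            sa[name] = f.group(1).lower() if f else None
        sa["lifetime"] = int(sa["lifetime"]) if sa["lifetime"] else None
        sas.append(sa)
    return sas


def matching_policies(sa: dict, policies: list[IsakmpPolicy]) -> list[int]:
    """Priority numbers of configured policies consistent with a live SA.

    Lifetime is negotiated down to the shorter side's value, so a local policy
    only has to allow at least the lifetime seen on the SA. The DH group is not
    in the output, so policies differing only in group all remain candidates.
    """
    return [
        p.priority
        for p in policies
        if p.authentication == sa["authentication"]
        and p.encryption == sa["encryption"]
        and p.hash == sa["hash"]
        and p.lifetime >= (sa["lifetime"] or 0)
    ]


def report(sa_output: str, config: str) -> dict[str, dict]:
    """Per peer: negotiated auth method, whether it is cert-based, candidate policies."""
    policies = parse_policies(config)
    result = {}
    for sa in parse_live_sas(sa_output):
        result[sa["peer"]] = {
            "auth": sa["authentication"],
            "cert_based": sa["authentication"] == "rsasig",
            "candidate_policies": matching_policies(sa, policies),
        }
    return result


if __name__ == "__main__":
    for peer, info in report(SAMPLE_SA_DETAIL, SAMPLE_POLICY_CONFIG).items():
        print(f"{peer}: auth={info['auth']} cert={info['cert_based']} "
              f"policies={info['candidate_policies']}")
```

Any peer whose `cert_based` flag is true is one whose tunnel depends on the certificate you are about to carry (or not) over to the ASA, and an empty candidate list for a peer means the live SA does not match any configured policy, which is worth looking at before the cut-over.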