VPN... which policy is used?
mikearama
Techies.
Just got asked a question and I can't find an answer.
We are about to migrate our last Pix pairs to ASA's, and the question of whether we need new certs came up.
On the Pixen, I have several policies available, using both pre-share keys and a cert. I cannot find a command that shows which policy got selected and is in use for LIVE vpn tunnels.
When I do a "sh crypto ipsec sa" or a "sh crypto isakmp sa", I see beaucoup information, but not which policy is in use, and whether the key or the cert was selected.
Anyone help me out?
Comments
aaron0011
I'm not sure if this command works on PIX or not, but on ASA the command "show vpn-sessiondb" will give you stats on each connected VPN tunnel, and the applied Group Policy is one of the listed parameters.
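As an added example (not from this thread, and not Cisco's own tooling), the script below parses the per-tunnel detail that the ASA "show vpn-sessiondb detail l2l" output provides and pulls out exactly the two things the original question asks for: which authentication mode each live IKEv1 SA negotiated (pre-shared key vs. certificate) and which cipher, hash and DH group were actually selected. The sample output is constructed to approximate the ASA layout and is not captured from a real device; the field labels ("Auth Mode", "D/H Group", the "IKEv1:" block header) are assumptions based on that format and may need adjusting for a given software version. The weak-parameter check at the end is a defender's convenience for auditing what the tunnels really negotiated, which the static "show isakmp policy" configuration cannot tell you.

```python
import re

# Constructed sample approximating "show vpn-sessiondb detail l2l" on an ASA.
# NOT real device output; labels are assumed from the ASA detail format.
SAMPLE_OUTPUT = """\
Session Type: LAN-to-LAN Detailed

Connection   : 203.0.113.10
Index        : 12                     IP Addr      : 203.0.113.10
Protocol     : IKEv1 IPsec
Encryption   : IKEv1: (1)AES256  IPsec: (1)AES256
Hashing      : IKEv1: (1)SHA1  IPsec: (1)SHA1
Login Time   : 10:15:02 UTC Mon Jan 6 2025
Duration     : 0h:42m:10s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 12.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : preSharedKeys
  Encryption   : AES256                 Hashing      : SHA1
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 83870 Seconds
  D/H Group    : 14
  Filter Name  :

Session Type: LAN-to-LAN Detailed

Connection   : 198.51.100.7
Index        : 15                     IP Addr      : 198.51.100.7
Protocol     : IKEv1 IPsec
Login Time   : 09:02:44 UTC Mon Jan 6 2025
Duration     : 1h:54m:28s

IKEv1 Tunnels: 1
IPsec Tunnels: 1

IKEv1:
  Tunnel ID    : 15.1
  UDP Src Port : 500                    UDP Dst Port : 500
  IKE Neg Mode : Main                   Auth Mode    : rsaCertificate
  Encryption   : 3DES                   Hashing      : MD5
  Rekey Int (T): 86400 Seconds          Rekey Left(T): 79532 Seconds
  D/H Group    : 2
  Filter Name  :
"""

# Parameters a reviewer would flag on a live SA (assumed policy, adjust to taste).
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASHING = {"MD5"}
WEAK_DH_GROUPS = {"1", "2", "5"}


def split_sessions(text):
    """One chunk per session; each chunk begins at a 'Session Type:' header."""
    return [p for p in re.split(r"(?m)^Session Type:", text) if p.strip()]


def _field(block, name):
    """Return the first whitespace-delimited value after 'name :' in block, or None."""
    m = re.search(re.escape(name) + r"\s*:\s*(\S+)", block)
    return m.group(1) if m else None


def parse_ikev1_sessions(text):
    """Extract peer, auth mode and negotiated IKEv1 parameters for every session."""
    sessions = []
    for chunk in split_sessions(text):
        # The indented lines under the 'IKEv1:' header describe the phase-1 SA;
        # stop at the next unindented line or end of chunk.
        m = re.search(r"(?ms)^IKEv1:\n(.*?)(?=^\S|\Z)", chunk)
        ike = m.group(1) if m else ""
        sessions.append({
            "peer": _field(chunk, "Connection"),
            "auth_mode": _field(ike, "Auth Mode"),
            "encryption": _field(ike, "Encryption"),
            "hashing": _field(ike, "Hashing"),
            "dh_group": _field(ike, "D/H Group"),
        })
    return sessions


def weak_sessions(sessions):
    """Return (peer, reasons) for tunnels whose live SA uses deprecated parameters."""
    flagged = []
    for s in sessions:
        reasons = []
        if s["encryption"] in WEAK_ENCRYPTION:
            reasons.append("encryption=" + s["encryption"])
        if s["hashing"] in WEAK_HASHING:
            reasons.append("hashing=" + s["hashing"])
        if s["dh_group"] in WEAK_DH_GROUPS:
            reasons.append("dh_group=" + s["dh_group"])
        if reasons:
            flagged.append((s["peer"], reasons))
    return flagged


if __name__ == "__main__":
    parsed = parse_ikev1_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(f"{s['peer']}: auth={s['auth_mode']} enc={s['encryption']} "
              f"hash={s['hashing']} dh={s['dh_group']}")
    for peer, reasons in weak_sessions(parsed):
        print(f"WEAK {peer}: {', '.join(reasons)}")
```

Feed it the real command output (for example, "show vpn-sessiondb detail l2l" saved to a file) instead of SAMPLE_OUTPUT; on PIX, where that command is not available, the same parsing idea applies to the negotiation lines from an ISAKMP debug, but that output format differs and is not covered here.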
mikearama
None of the above commands show the policy in use. LOTS of info from the "sh isakmp policy" options... but all static config.
And no, in these pixes, sh vpn-sessiondb is not viable.
I posted the same in the cisco forums, and the response I got was that with the pix firewalls, you need to run a debug to see the negotiation. So I guess I gotta schedule a tunnel to break, and watch the rebuild. Ugh.
Thanks for the input guys.
Mike