-
Cisco IOS Security Configuration Guide, Release 12.4
- Authentication, Authorization, and Accounting (AAA)
-
Security Server Protocols
-
RADIUS
-
Configuring RADIUS
-
AAA Dead-Server Detection
-
ACL Default Direction
-
Attribute Screening for Access Requests
-
Enable Multilink PPP via RADIUS for Preauthentication User
-
Enhanced Test Command
-
Framed-Route in RADIUS Accounting
-
Offload Server Accounting Enhancement
-
Per VRF AAA
-
RFC-2867 RADIUS Tunnel Accounting
-
RADIUS Attribute Screening
-
RADIUS Centralized Filter Management
-
RADIUS Debug Enhancements
-
RADIUS Logical Line ID
-
RADIUS NAS-IP-Address Attribute Configurability
-
RADIUS Route Download
-
RADIUS Support of 56-Bit Acct Session-Id
-
RADIUS Tunnel Preference for Load Balancing and Fail-Over
-
RADIUS Server Reorder on Failure
-
Tunnel Authentication via RADIUS on Tunnel Terminator
-
- TACACS+
-
Configuring Kerberos
-
RADIUS
-
Traffic Filtering, Firewalls, and Virus Detection
-
Access Control Lists: Overview and Guidelines
-
Cisco IOS Firewall Overview
-
Configuring Lock-and-Key Security (Dynamic Access Lists)
-
Configuring IP Session Filtering (Reflexive Access Lists)
-
Configuring TCP Intercept (Preventing Denial-of-Service Attacks)
-
Context-Based Access Control
-
Configuring Context-based Access Control
-
Cisco IOS Firewall Performance Improvements
-
Email Inspection Engine
-
ESMTP Support for Cisco IOS Firewall
-
Firewall ACL Bypass
-
Firewall N2H2 Support
-
Firewall Stateful Inspection of ICMP
-
Firewall Support for SIP
-
Firewall Websense URL Filtering
-
Firewall Support of Skinny Client Control Protocol (SCCP)
-
Granular Protocol Inspection
-
HTTP Inspection Engine
-
Inspection of Router-Generated Traffic
-
Transparent Cisco IOS Firewall
-
Virtual Fragmentation Reassembly
-
-
Configuring Cisco IOS Intrusion Prevention System (IPS)
-
Network Admission Control
- Authentication Proxy
-
Configuring Port to Application Mapping
-
-
IPSec and IKE
- Internet Key Exchange for IPSec VPNs
-
Security for VPNs with IPSec
-
Configuring Security for VPNs with IPSec
-
Cisco Easy VPN Remote
-
Crypto Access Check on Clear-Text Packets
-
DF Bit Override Functionality with IPsec Tunnels
-
Distinguished Name Based Crypto Maps
-
Dynamic Multipoint VPN (DMVPN)
-
Easy VPN Remote RSA Signature Support
-
Easy VPN Server
-
Invalid Security Parameter Index Recovery
-
IP Security VPN Monitoring
-
IPsec and Quality of Service
-
IPSec Anti-Replay Window: Expanding and Disabling
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
IPSec Preferred Peer
-
IPsec Security Association Idle Timers
-
IPsec--SNMP Support
-
IPSec Virtual Tunnel Interface
-
IPsec VPN Accounting
-
IPsec VPN High Availability Enhancements
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
Pre-Fragmentation for IPsec VPNs
-
Real-Time Resolution for IPsec Tunnel Peer
-
Reverse Route Injection
-
SafeNet IPSec VPN Client Support
-
Stateful Failover for IPsec
-
VRF-Aware Ipsec
-
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
- Other Security Features
- Secure Infrastructure
-
Appendixes
-
RADIUS Attributes
-
RADIUS Attributes Overview and RADIUS IETF Attributes
-
RADIUS Vendor-Proprietary Attributes
-
Vendor-Specific Attributes (VSA) and RADIUS Disconnect-Cause Attribute Values
-
Connect-Info RADIUS Attribute 77
-
Encrypted Vendor Specific Attributes
-
Local AAA Server
-
Per-User QoS via AAA Policy Name
-
RADIUS Attribute 5 (NAS-Port) Format Specified on a Per-Server Group Level
-
RADIUS Attribute 8 (Framed-IP-Address) in Access Requests
-
RADIUS Attribute 82: Tunnel Assignment ID
-
RADIUS Attribute 104
-
RADIUS Progress Codes
-
RADIUS Timeout Set During Pre-Authentication
-
RADIUS Tunnel Attribute Extensions
-
V.92 Reporting Using RADIUS Attribute v.92-info
-
TACACS+ Attribute-Value Pairs
-
-
TACACS+ Attribute-Value Pairs
-
RADIUS Attributes
Table Of Contents
Prerequisites for IP Security VPN Monitoring
Restrictions for IP Security VPN Monitoring
Information About IPSec VPN Monitoring
Summary Listing of Crypto Session Status
Syslog Notification for Crypto Session Up or Down Status
IKE and IPSec Security Exchange Clear Command
How to Configure IP Security VPN Monitoring
Adding the Description of an IKE Peer
Configuration Examples for IP Security VPN Monitoring
show crypto session Command Output: Examples
IP Security VPN Monitoring
The IP Security VPN Monitoring feature provides VPN session monitoring enhancements that will allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. Session monitoring enhancements include the following:
•
Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file
•
•
•
12.3(4)T
This feature was introduced.
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Routers.
Feature History for IP Security VPN Monitoring
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
•
•
•
•
Prerequisites for IP Security VPN Monitoring
•
•
Restrictions for IP Security VPN Monitoring
•
Information About IPSec VPN Monitoring
To troubleshoot the IPSec VPN and monitor the end-user interface, you should understand the following concepts:
•
•
•
Background: Crypto Sessions
A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (for control traffic) and at least two IPSec security associations (for data traffic—one per each direction). There may be duplicated IKE security associations (SAs) and IPSec SAs or duplicated IKE SAs or IPSec SAs for the same session in the duration of rekeying or because of simultaneous setup requests from both sides.
Per-IKE Peer Description
The Per-IKE Peer Description function allows you to enter a description of your choosing for an IKE peer. (Before Cisco IOS Release 12.3(4)T, you could use only the IP address or fully qualified domain name [FQDN] to identify the peer; there was no way to configure a description string.) The unique peer description, which can include up to 80 characters, can be used whenever you are referencing that particular IKE peer. To add the peer description, use the description command.
Note
The primary application of this description field is for monitoring purposes (for example, when using show commands or for logging [syslog messages]). The description field is purely informational (for example, it cannot act as a substitute for the peer address or FQDN when defining crypto maps).
Summary Listing of Crypto Session Status
You can get a list of all the active VPN sessions by entering the show crypto session command. The listing will include the following:
•
•
•
•
Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.
You can also use the show crypto session detail variant of this command to obtain more detailed information about the sessions.
Syslog Notification for Crypto Session Up or Down Status
The Syslog Notification for Crypto Session Up or Down Status function provides syslog notification every time the crypto session comes up or goes down.
The following is a sample syslog notification showing that a crypto session is up:
%CRYPTO-5-SESSION_STATUS: Crypto session is UP. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2The following is a sample syslog notification showing that a crypto session is down:
%CRYPTO-5-SESSION_STATUS: Crypto session is DOWN. Peer 10.6.6.1:500 fvrf=name10 ivrf=name20 Description: SJC24-2-VPN-Gateway Id: 10.5.5.2IKE and IPSec Security Exchange Clear Command
In previous IOS versions, there was no single command to clear both IKE and IPSec connections (that is, SAs). Instead, you had to use the clear crypto isakmp command to clear IKE and the clear crypto ipsec command to clear IPSec. The new clear crypto session command allows you to clear both IKE and IPSec with a single command. To clear a specific crypto session or a subset of all the sessions (for example, a single tunnel to one remote site), you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, a front door VPN routing and forwarding (FVRF) name, or an inside VRF (IVRF) name. Typically, the remote IP address will be used to specify a single tunnel to be deleted.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be cleared. If you do not provide a parameter when you use the clear crypto session command, all IPSec SAs and IKE SAs that are in the router will be deleted.
How to Configure IP Security VPN Monitoring
See the following sections for configuration tasks for this feature. Each task in the list is identified as either required or optional.
•
•
•
Adding the Description of an IKE Peer
To add the description of an IKE peer to an IPSec VPN session, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Verifying Peer Descriptions
To verify peer descriptions, use the show crypto isakmp peer command.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Examples
The following output example verifies that the description "connection from site A" has been added for IKE peer 10.2.2.9:
Router# show crypto isakmp peerPeer: 10.2.2.9 Port: 500Description: connection from site Aflags: PEER_POLICYWhen the peer at address 10.2.2.9 connects and the session comes up, the syslog status will be shown as follows:
%CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP. Peer 10.2.2.9:500 Description: connection from site A Id: ezvpnClearing a Crypto Session
To clear a crypto session, use the clear crypto session command from the router command line. No configuration statements are required in the configuration file to use this command.
SUMMARY STEPS
1.
2.
DETAILED STEPS
Configuration Examples for IP Security VPN Monitoring
This section provides the following configuration example:
•
show crypto session Command Output: Examples
The following is sample output for the show crypto session output without the detail keyword:
Router# show crypto sessionCrypto session current statusInterface: FastEthernet0/1Session status: UP-ACTIVEPeer: 172.0.0.2/500IKE SA: local 172.0.0.1/500 remote 172.0.0.2/500 ActiveIPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.30.30.0/255.255.255.0Active SAs: 2, origin: crypto mapThe following is sample output using the show crypto session command and the detail keyword:
Router# show crypto session detailInterface: Tunnel0Session status: UP-ACTIVEPeer: 10.1.1.3 port 500 fvrf: (none) ivrf: (none)Desc: this is my peer at 10.1.1.3:500 GreenPhase1_id: 10.1.1.3IKE SA: local 10.1.1.4/500 remote 10.1.1.3/500 ActiveCapabilities:(none) connid:3 lifetime:22:03:24IPSEC FLOW: permit 47 host 10.1.1.4 host 10.1.1.3Active SAs: 0, origin: crypto mapInbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0IPSEC FLOW: permit ip host 10.1.1.4 host 10.1.1.3Active SAs: 4, origin: crypto mapInbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 4605665/2949Outbound: #pkts enc'ed 4 drop 1 life (KB/Sec) 4605665/2949Additional References
The following sections provide references related to IP Security VPN Monitoring.
Related Documents
IP security, encryption, and IKE
"IP Security and Encryption" section of the Cisco IOS Security Configuration Guide
Security commands
Cisco IOS Security Command Reference, Release 12.3 T
Standards
MIBs
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features
•
•
•
•
For information about these commands, see the Cisco IOS Security Command Reference at
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html.
For information about all Cisco IOS commands, see the Command Lookup Tool at
http://tools.cisco.com/Support/CLILookup or the Master Command List.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
