Cisco SMB Support Assistant
Verify VPN connections on Cisco Routers using CLI and SDM
 





Introduction

This document explains how to verify or check the VPN connections to or from your router. It applies to Cisco 1800, 2800 and 3800 Integrated Services Routers.





Requirements

To perform the steps described in this document, you need to have these items:





Connect to the Router using CLI

Follow these steps to connect to the router command line interface:

  1. Connect a PC to the router with a console cable.

  2. Create a HyperTerminal connection to your router. For more information, refer to Create a HyperTerminal Connection.

  3. Log into the router with the login and password that you entered in fields B10 and B11 of the Router Worksheet.

     Username:admin
     Password:

     Note: If you are not aware of your Router's password, refer to Reset the Password on the Router.

  4. Type enable and press Enter to access the privileged mode. Type the enable password that you entered in field B12 of the Router Worksheet and press Enter.

     Router>enable
     Password:
     Router#




Check VPN connections using CLI

Follow these steps to check the VPN connections using CLI:

Note: Make sure you are in the enable mode for the show commands to work.

For Site-to-Site, EasyVPN, GRE over IPsec and Dynamic Multipoint VPNs

The VPN tunnel is established in two phases. Phase 1 is called the ISAKMP phase and phase 2 is called the IPsec phase. For each end point connected to the router using VPN, there must be a separate SA (security association) in each of the two phases.

  1. To check if phase 1 is completed successfully, issue the command show crypto isakmp sa and check the output. For a single host connected using VPN, the output is as follows:

    Router#show crypto isakmp sa
    dst             src             state          conn-id slot status
    172.17.63.229   192.168.200.230 QM_IDLE              1    0 ACTIVE
    
  2. Check that the destination and source IP addresses are those of the expected peers and that the status of the tunnel is ACTIVE.

  3. To check if phase 2 is completed successfully, issue the command show crypto ipsec sa and check the output. For a single host connected using VPN the output is as follows:

    Router#show crypto ipsec sa
    
    interface: Ethernet0/0
        Crypto map tag: nolan, local addr 192.168.200.230
    
       !---- Output truncated ----
    local crypto endpt.: 192.168.200.230, remote crypto endpt.: 172.17.63.229
         path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
         current outbound spi: 0x2500F98F(620820879)
    
         inbound esp sas:
          spi: 0x4ADD4E35(1256017461)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: SW:4, crypto map: nolan
            sa timing: remaining key lifetime (k/sec): (4522594/3553)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0x2500F98F(620820879)
            transform: esp-des esp-md5-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: SW:3, crypto map: nolan
            sa timing: remaining key lifetime (k/sec): (4522594/3552)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         outbound ah sas:
    
         outbound pcp sas:

    Check the IP addresses in local crypto endpt and remote crypto endpt. Also, check inbound esp/ah/pcp sas and outbound esp/ah/pcp sas entries and make sure that their Status is ACTIVE.

  4. For Dynamic Multipoint VPN, the show crypto ipsec sa output also shows inbound esp/ah/pcp sas and outbound esp/ah/pcp sas entries for the tunnel interface, so the output contains these additional entries beyond those shown in step 3.

    interface: Tunnel0
        Crypto map tag: Tunnel0-head-0, local addr 10.77.241.109
    
       !----- Output truncated ------
    
         local crypto endpt.: 10.77.241.109, remote crypto endpt.: 10.77.241.113
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
         current outbound spi: 0x5E842FF0(1585721328)
    
         inbound esp sas:
          spi: 0x807B405E(2155561054)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2015, flow_id: FPGA:15, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4513761/3056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         inbound ah sas:
    
         inbound pcp sas:
    
         outbound esp sas:
          spi: 0x5E842FF0(1585721328)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Transport, }
            conn id: 2016, flow_id: FPGA:16, crypto map: Tunnel0-head-0
            sa timing: remaining key lifetime (k/sec): (4513761/3056)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE
    
         outbound ah sas:
    
         outbound pcp sas:
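The phase 1 and phase 2 checks described above can be automated by parsing the two show command outputs. This is an added example, not part of the original document: the sample text is constructed from the listings on this page, and phase1_peers, phase2_sas and tunnel_up are hypothetical helper names.

```python
import re

# Constructed sample output, trimmed from the show command listings in this document.
ISAKMP_SA_OUTPUT = """\
dst             src             state          conn-id slot status
172.17.63.229   192.168.200.230 QM_IDLE              1    0 ACTIVE
"""

IPSEC_SA_OUTPUT = """\
interface: Ethernet0/0
    Crypto map tag: nolan, local addr 192.168.200.230
local crypto endpt.: 192.168.200.230, remote crypto endpt.: 172.17.63.229
     inbound esp sas:
      spi: 0x4ADD4E35(1256017461)
        Status: ACTIVE
     outbound esp sas:
      spi: 0x2500F98F(620820879)
        Status: ACTIVE
"""

def phase1_peers(output):
    """Phase 1 check: return the set of (dst, src) pairs whose ISAKMP SA is in QM_IDLE state and ACTIVE."""
    peers = set()
    for line in output.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[0] != "dst" and cols[2] == "QM_IDLE" and cols[-1] == "ACTIVE":
            peers.add((cols[0], cols[1]))
    return peers

def phase2_sas(output):
    """Phase 2 check: return {remote_endpt: {"inbound": [[spi, status], ...], "outbound": [...]}}."""
    sas, remote, direction = {}, None, None
    for line in output.splitlines():
        line = line.strip()
        m = re.search(r"remote crypto endpt\.: (\S+)", line)
        if m:
            remote = m.group(1)
            sas.setdefault(remote, {"inbound": [], "outbound": []})
        elif line.endswith(" sas:"):            # "inbound esp sas:", "outbound ah sas:", ...
            direction = line.split()[0]
        elif line.startswith("spi:") and remote and direction:
            sas[remote][direction].append([line.split()[1], None])
        elif line.startswith("Status:") and remote and direction and sas[remote][direction]:
            sas[remote][direction][-1][1] = line.split()[1]   # Status belongs to the last SPI seen
    return sas

def tunnel_up(isakmp_output, ipsec_output, remote):
    """True only if the peer has an ACTIVE phase 1 SA plus at least one ACTIVE inbound and one ACTIVE outbound SA."""
    if not any(remote in pair for pair in phase1_peers(isakmp_output)):
        return False
    sas = phase2_sas(ipsec_output).get(remote, {})
    return all(any(st == "ACTIVE" for _, st in sas.get(d, [])) for d in ("inbound", "outbound"))
```

On a live router, paste the full output of both show commands into the two strings (or read them from a file) and call tunnel_up with the remote peer address; a False result points at whichever phase has no ACTIVE SA.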

For SSL VPN

In the case of SSL VPN you will not see any isakmp sa or ipsec sa, because SSL VPN does not use IPsec. To check SSL VPN connections, use the commands show webvpn stats or show webvpn context {context_name}. Here is the sample output of show webvpn context {context_name} where the context name is "aa":

Router#show webvpn context aa
Admin Status: up
Operation Status: up
Error and Event Logging: Disabled
CSD Status: Disabled
Certificate authentication type: All attributes (like CRL) are verified
AAA Authentication List: sdm_vpn_xauth_ml_2
AAA Authentication Domain not configured
Default Group Policy: policy_1
Associated WebVPN Gateway: gateway_1
Domain Name and Virtual Host not configured
Maximum Users Allowed: 1000 (default)
NAT Address not configured
VRF Name not configure

Note: Check the "Admin Status" and "Operation Status" and make sure that they are up.





Connect to Router using SDM

Open a web browser and type http://router-IP-address in the Address field. Use the IP address that you entered in field L6A of the LAN Addressing Worksheet. Press Enter to launch SDM. For more information about how to launch SDM, refer to Configure your Router with Security Device Manager.





Check VPN connections using SDM

The SDM shows the VPN status and can also be used for troubleshooting of the VPN connections.

For Site-to-Site VPN/ Easy VPN Remote

The main SDM screen shows the number of tunnels.

verify_vpn_ios_routers_01.gif

For further information click Monitor.

verify_vpn_ios_routers_01a.gif

The new screen shows the number of active IKE SAs.

verify_vpn_ios_routers_02.gif

Follow these steps to check the VPN connections using SDM for site-to-site VPN:

  1. Click VPN Status > IPsec Tunnels. This screen shows the number of active IPsec tunnels and their status.

    verify_vpn_ios_routers_03.gif

  2. Click Test Tunnel on the right of the window to test or to troubleshoot an IPsec tunnel.

  3. Click Start to get the tunnel status checked. This displays the result with a useful comment (if applicable).

    verify_vpn_ios_routers_04.gif

    Click OK.

For Easy VPN server

The main SDM screen shows the number of tunnels.

verify_vpn_ios_routers_01.gif

For further information click Monitor.

verify_vpn_ios_routers_01a.gif

The new screen shows the number of active IKE SAs.

verify_vpn_ios_routers_02.gif

Follow these steps to check the VPN connections using SDM for Easy VPN Server:

  1. Click VPN Status > IPsec Tunnels. This screen shows the number of active IPsec tunnels.

    verify_vpn_ios_routers_05.gif

  2. Click Easy VPN Server, which shows the number of clients connected to this Easy VPN server.

    verify_vpn_ios_routers_06.gif

For SSL VPN

Follow these steps to check the VPN Connections for SSL VPN:

  1. From the main SDM screen, click Monitor.

    verify_vpn_ios_routers_01a.gif

  2. Click VPN Status > SSL VPN (All Contexts), which shows the total number of connected users and peak number of users from the time SDM.

    verify_vpn_ios_routers_08.gif

  3. To check more details regarding the users connected, select Users from SSL VPN (All Contexts). This shows the users connected with their IP address and the Group name.

    verify_vpn_ios_routers_09.gif

For DMVPN hubs/spokes

The number of active VPN clients is displayed on the SDM main page in the VPN section.

verify_vpn_ios_routers_10.gif

Note: The number of DMVPN clients is shown only for DMVPN hubs.

Click Monitor.

verify_vpn_ios_routers_01a.gif

Click VPN Status > DMVPN Tunnels, which shows the details of the active DMVPN tunnels together with the IP address of the remote router.

verify_vpn_ios_routers_11.gif





Next Step

You have now modified your router configuration.

To make further changes to your router, refer to the Router Support Page.

To configure other devices in your network, refer to the Configuration Overview Page.





Troubleshoot the Procedure

This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.

Problem: You have configured the passwords but are unable to log in to the router.
Cause(s) and Suggested Solution(s): Perform password recovery; refer to Manually Reset the Password on a Cisco Router.

Problem: You are unable to connect to the router with Security Device Manager (SDM).
Cause(s) and Suggested Solution(s): Refer to Configure Your Router with Security Device Manager.






© 1992-2006 Cisco Systems, Inc. All rights reserved. Terms and Conditions, Privacy Statement, Cookie Policy and Trademarks of Cisco Systems, Inc.