Cisco MDS-9124 Troubleshooting Guide - Page 454
Verifying IKE Configuration Compatibility
View all Cisco MDS-9124 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 454 highlights
IPsec Issues Chapter 22 Troubleshooting IPsec Send documentation comments to [email protected] • Security Associations Do Not Re-Key, page 22-15 • Clearing Security Associations, page 22-15 • Debugging the IPsec Process, page 22-15 • Debugging the IKE Process, page 22-15 • Obtaining Statistics from the IPsec Process, page 22-15 Verifying IKE Configuration Compatibility To verify the compatibility of the IKE configurations of MDS A and MDS C shown in Figure 22-1, follow these steps: Step 1 Step 2 Ensure that the preshared keys are identical on each switch. Use the show crypto ike domain ipsec key CLI command on both switches. Command outputs for the configuration shown in Figure 22-1 follow: MDSA# show crypto ike domain ipsec key key ctct address 10.10.100.232 MDSC# show crypto ike domain ipsec key key ctct address 10.10.100.231 Ensure that at least one matching policy that has the same encryption algorithm, hash algorithm, and Diffie-Hellman (DH) group is configured on each switch. Issue the show crypto ike domain ipsec policy command on both switches. Example command outputs for the configuration shown in Figure 22-1 follow: MDSA# show crypto ike domain ipsec policy Priority 1, auth pre-shared, lifetime 86300 secs, encryption 3des, hash md5, DH group 1 MDSC# show crypto ike domain ipsec policy Priority 1, auth pre-shared, lifetime 86300 secs, encryption 3des, hash md5, DH group 1 Verifying IPsec Configuration Compatibility Using Fabric Manager To verify the compatibility of the IPsec configurations of MDS A and MDS C shown in Figure 22-1 using Fabric manager, follow these steps: Step 1 Step 2 Step 3 Step 4 Choose Switches > Security > IPSEC and select the CryptoMap Set Entry tab. Verify that the Peer Address, IpFilter, Lifetime, and PFS fields match for MDS A and MDS C. Select the Transform Set tab and verify that the transform set on both switches match. Select the Interfaces tab and verify that the crypto map set is applied to the correct interface on both switches. In Device Manager, choose IP > ACLs and verify that the ACLs used in the crypto map in Step 1 are compatible on both switches. 22-6 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x OL-9285-05