Cisco MDS-9124 Troubleshooting Guide - Page 455
Verifying IPsec Configuration Compatibility Using the CLI
Chapter 22 Troubleshooting IPsec
IPsec Issues

To verify the compatibility of the IPsec configurations of MDS A and MDS C shown in Figure 22-1 using the CLI, follow these steps:

Step 1 Use the show crypto map domain ipsec command and the show crypto transform-set domain ipsec command. The following command outputs display the fields discussed in Step 2 through Step 7.

    MDSA# show crypto map domain ipsec
    Crypto Map "cmap-01" 1 ipsec
     Peer = 10.10.100.232
     IP ACL = acl1
       permit ip 10.10.100.231 255.255.255.255 10.10.100.232 255.255.255.255
     Transform-sets: tfs-02,
     Security Association Lifetime: 3000 gigabytes/120 seconds
     PFS (Y/N): Y
     PFS Group: group5
    Interface using crypto map set cmap-01:
      GigabitEthernet7/1

    MDSC# show crypto map domain ipsec
    Crypto Map "cmap-01" 1 ipsec
     Peer = 10.10.100.231
     IP ACL = acl1
       permit ip 10.10.100.232 255.255.255.255 10.10.100.231 255.255.255.255
     Transform-sets: tfs-02,
     Security Association Lifetime: 3000 gigabytes/120 seconds
     PFS (Y/N): Y
     PFS Group: group5
    Interface using crypto map set cmap-01:
      GigabitEthernet1/2

    MDSA# show crypto transform-set domain ipsec
    Transform set:tfs-01 {esp-3des null}
      will negotiate {tunnel}
    Transform set:tfs-02 {esp-3des esp-md5-hmac}
      will negotiate {tunnel}
    Transform set:ipsec_default_transform_set {esp-aes 128 esp-sha1-hmac}
      will negotiate {tunnel}

    MDSC# show crypto transform-set domain ipsec
    Transform set:tfs-01 {esp-3des null}
      will negotiate {tunnel}
    Transform set:tfs-02 {esp-3des esp-md5-hmac}
      will negotiate {tunnel}
    Transform set:ipsec_default_transform_set {esp-aes 128 esp-sha1-hmac}
      will negotiate {tunnel}

Step 2 Ensure that the ACLs are compatible in the show crypto map domain ipsec command outputs for both switches.

Step 3 Ensure that the peer configuration is correct in the show crypto map domain ipsec command outputs for both switches.

Step 4 Ensure that the transform sets are compatible in the show crypto transform-set domain ipsec command outputs for both switches.

Step 5 Ensure that the PFS settings in the show crypto map domain ipsec command outputs are configured the same on both switches.

OL-9285-05 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-7
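As an added example (not Cisco's code and not part of the guide), the following script applies the checks of Steps 2 through 5 to the two show crypto map domain ipsec outputs quoted above: the ACLs must mirror each other, each Peer address must be the remote switch's ACL source, a transform set must be shared (checked here by name only, since the definitions live in show crypto transform-set), and the PFS flag and group must be identical. The sample text is constructed from the page's outputs, and the field layout assumed is exactly the one shown there.

```python
# Added example (not Cisco's code): parse the two "show crypto map domain ipsec"
# outputs quoted on this page and apply the checks of Steps 2 through 5.
import re

# Sample outputs constructed from the page text (MDS A and MDS C).
MDSA = """Crypto Map "cmap-01" 1 ipsec
 Peer = 10.10.100.232
 IP ACL = acl1
 permit ip 10.10.100.231 255.255.255.255 10.10.100.232 255.255.255.255
 Transform-sets: tfs-02,
 Security Association Lifetime: 3000 gigabytes/120 seconds
 PFS (Y/N): Y
 PFS Group: group5"""

MDSC = """Crypto Map "cmap-01" 1 ipsec
 Peer = 10.10.100.231
 IP ACL = acl1
 permit ip 10.10.100.232 255.255.255.255 10.10.100.231 255.255.255.255
 Transform-sets: tfs-02,
 Security Association Lifetime: 3000 gigabytes/120 seconds
 PFS (Y/N): Y
 PFS Group: group5"""


def parse_crypto_map(text):
    """Pull the fields compared in Steps 2 through 5 into a dict."""
    field = lambda pat: re.search(pat, text).group(1).strip()
    src, _, dst, _ = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", text).groups()
    return {"peer": field(r"Peer = (\S+)"), "acl_src": src, "acl_dst": dst,
            "transform_sets": {t.strip() for t in field(r"Transform-sets: (.*)").split(",") if t.strip()},
            "pfs": (field(r"PFS \(Y/N\): (\S+)"), field(r"PFS Group: (\S+)"))}


def compatibility_issues(a_text, c_text):
    """Return the mismatches found; an empty list means Steps 2 to 5 pass."""
    a, c = parse_crypto_map(a_text), parse_crypto_map(c_text)
    issues = []
    # Step 2: each side's ACL must be the mirror image of the other's.
    if (a["acl_src"], a["acl_dst"]) != (c["acl_dst"], c["acl_src"]):
        issues.append("ACLs are not mirror images")
    # Step 3: each Peer address must be the remote switch's ACL source.
    if a["peer"] != c["acl_src"] or c["peer"] != a["acl_src"]:
        issues.append("peer address does not match the remote ACL source")
    # Step 4 (by name only; definitions are in show crypto transform-set).
    if not a["transform_sets"] & c["transform_sets"]:
        issues.append("no transform set in common")
    # Step 5: PFS flag and group must be identical on both switches.
    if a["pfs"] != c["pfs"]:
        issues.append("PFS settings differ")
    return issues
```

Running compatibility_issues(MDSA, MDSC) on the page's outputs returns an empty list; changing one side's PFS Group or Peer line makes the corresponding step's message appear.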