
IPsec: important debugging and logging

I thought of sharing IPsec debugging and troubleshooting steps with everyone. Being in VPN technology, we explain this to many of our customers, and I thought of discussing it here on our support forum as well.
What is IPsec?
IPsec stands for IP Security. The IETF working-group definition is: "A security protocol in the network layer will be developed to provide cryptographic security services that will flexibly support combinations of authentication, integrity, access control, and confidentiality" (IETF).
In short, it is a standard for privacy, integrity and authenticity of IP traffic.
IPsec Protocol Architecture
IPsec is a combination of three primary protocols: ESP (IP protocol 50), AH (IP protocol 51) and IKE (UDP port 500; UDP port 4500 when NAT traversal is negotiated, in which case ESP is also carried inside UDP/4500). Any firewall between the peers has to pass all of these; a common failure is that IKE completes but ESP is dropped in the path, so the SAs come up and no data flows.
Authentication (data origin): Authentication Header (AH) and Encapsulating Security Payload (ESP)
Integrity: AH and ESP (AH also covers the outer IP header, which is why AH does not survive NAT)
Confidentiality: Encapsulating Security Payload (ESP) only
Bringing it all together (authenticating the peers and negotiating keys and SAs): Internet Key Exchange (IKE)
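To make the protocol numbers and ports above concrete, here is an added example (not part of the original post) that classifies raw IPv4 packets as AH, ESP, IKE on UDP/500, or, on UDP/4500, either NAT-T IKE or UDP-encapsulated ESP. It relies on the RFC 3948 rule that IKE on port 4500 is prefixed with a four-zero-byte non-ESP marker, while an ESP SPI of zero is reserved, so the first four bytes disambiguate the two. The packets, addresses and SPIs are constructed in memory for the demonstration; nothing is read from a capture.

```python
"""Tell IPsec packet types apart on the wire (added example, constructed data)."""
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header in front of payload (checksum left 0: test data only)."""
    def addr(s):
        return bytes(int(x) for x in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      addr(src), addr(dst))
    return hdr + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def ike_header(init_spi, resp_spi, version, exchange, msg_id=0, length=28):
    """Fixed 28-byte IKE header: SPIs, next payload, version, exchange type, flags, msg id, length."""
    return struct.pack("!QQBBBBII", init_spi, resp_spi, 0, version, exchange, 0, msg_id, length)


def parse_ike(data):
    init_spi, resp_spi, _np, version, exchange, _flags, _msg_id, _len = struct.unpack("!QQBBBBII", data[:28])
    major = version >> 4  # 0x10 = IKEv1, 0x20 = IKEv2
    table = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return {"ike_version": major, "exchange": table.get(exchange, f"exchange {exchange}"),
            "init_spi": init_spi, "resp_spi": resp_spi}


def classify(pkt):
    """Return (label, details) for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == IPPROTO_ESP:                      # ESP header: SPI, sequence number
        spi, seq = struct.unpack("!II", body[:8])
        return "ESP", {"spi": spi, "seq": seq}
    if proto == IPPROTO_AH:                       # AH header: next hdr, len, reserved, SPI, seq
        next_hdr = body[0]
        spi, seq = struct.unpack("!II", body[4:12])
        return "AH", {"spi": spi, "seq": seq, "next_header": next_hdr}
    if proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", body[:4])
        payload = body[8:]
        if IKE_PORT in (sport, dport):
            return "IKE", parse_ike(payload)
        if NAT_T_PORT in (sport, dport):
            if payload == b"\xff":                # RFC 3948 NAT keepalive is a single 0xFF octet
                return "NAT-T keepalive", {}
            if payload[:4] == b"\x00\x00\x00\x00":  # non-ESP marker: IKE follows
                return "IKE (NAT-T)", parse_ike(payload[4:])
            spi, seq = struct.unpack("!II", payload[:8])  # otherwise ESP-in-UDP, SPI first
            return "ESP (UDP-encapsulated)", {"spi": spi, "seq": seq}
        return "UDP", {"sport": sport, "dport": dport}
    return "other", {"proto": proto}


# Constructed sample packets (addresses from RFC 5737, SPIs made up).
A, B = "203.0.113.1", "203.0.113.2"
SAMPLES = {
    "ah": ipv4(A, B, IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0x1001, 1) + b"\x00" * 12),
    "esp": ipv4(A, B, IPPROTO_ESP, struct.pack("!II", 0x1A2B3C4D, 7) + b"\x00" * 16),
    "ike_mm": ipv4(A, B, IPPROTO_UDP, udp(500, 500, ike_header(0x1111, 0, 0x10, 2))),
    "ike_natt": ipv4(A, B, IPPROTO_UDP, udp(4500, 4500, b"\x00" * 4 + ike_header(0x2222, 0x3333, 0x20, 35, 1))),
    "esp_natt": ipv4(A, B, IPPROTO_UDP, udp(4500, 4500, struct.pack("!II", 0xCAFE0001, 42) + b"\x00" * 16)),
    "keepalive": ipv4(A, B, IPPROTO_UDP, udp(4500, 4500, b"\xff")),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} -> {classify(pkt)}")
```

When a tunnel is "up" but passing nothing, capturing on the outside interface and running the frames through a classifier like this shows quickly whether ESP (or UDP/4500) is leaving the box at all, which is the same question the decaps/encaps counters answer from the router side.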
IPsec is implemented in the following five stages:
1. Decision to use IPsec between two end points across the Internet
2. Configuration of the two gateways between the end points to support IPsec
3. Initiation of an IPsec tunnel between the two gateways, triggered by interesting traffic (traffic matching the crypto ACL)
4. Negotiation of IKE (phase 1) and IPsec (phase 2) parameters between the two gateways
5. Passage of encrypted traffic
IPsec Troubleshooting Steps

Work through these in order; each step corresponds to one of the stages above, and the earliest step that fails tells you where to look.

- Check for interesting traffic to initiate the tunnel: check the crypto ACL for hits (the access-list hit counters).
  - If there are none, verify routing toward the tunnel (static routes or Reverse Route Injection, RRI).
- Verify that the IKE SA is up for that peer (state QM_IDLE in show crypto isakmp sa).
  - If not, verify that the pre-shared keys match.
  - Verify that the IKE policies (encryption, hash, authentication method, DH group) match.
  - Verify that the IKE identities match (address or hostname, as set with crypto isakmp identity).

counts

- Verify that the IPsec SAs are up (inbound and outbound SPIs present in show crypto ipsec sa).
  - If not, verify that the IPsec transform sets match.
  - Verify that the crypto ACLs on the two sides are mirror images of each other (otherwise quick mode fails on a proxy identity mismatch).
  - Verify that the crypto map is applied on the right (outside) interface.
- Only then turn on IKE/IPsec debugs.
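The phase 1 and phase 2 "does it match?" steps of this checklist can be exercised offline against the two peers' intended configurations before anyone touches a debug. The following is an added example (not from the original post) that models two Cisco-style peers and reports the same mismatches the checklist asks you to look for: pre-shared key, ISAKMP policy, transform set, mirrored crypto ACLs and PFS. The policy-matching order follows Cisco's documented rule (the responder tries its own policies from the lowest priority number upward against all of the initiator's proposals, and encryption, hash, authentication and DH group must all agree); treating the lifetime as non-fatal and taking the shorter value is this example's simplification, and the peer configurations are constructed inline.

```python
"""Offline check of IKEv1/IPsec parameter agreement between two peers (added example)."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class IkePolicy:
    priority: int          # 'crypto isakmp policy <n>': lower number is tried first
    encr: str              # "aes 256", "3des", ...
    hash: str              # "sha256", "sha", "md5"
    auth: str              # "pre-share" or "rsa-sig"
    group: int             # Diffie-Hellman group
    lifetime: int = 86400  # seconds


@dataclass(frozen=True)
class TransformSet:
    esp_encr: str          # "esp-aes 256", "esp-3des"
    esp_auth: str          # "esp-sha256-hmac", "esp-sha-hmac"
    mode: str = "tunnel"


@dataclass
class Peer:
    name: str
    psk: str
    policies: list
    transforms: list
    crypto_acl: list       # [(local_subnet, remote_subnet), ...] from 'permit ip <local> <remote>'
    pfs_group: Optional[int] = None


def match_ike_policy(initiator, responder):
    """Return (responder policy chosen, lifetime) or None when no policy agrees."""
    for mine in sorted(responder.policies, key=lambda p: p.priority):
        for theirs in initiator.policies:
            if (mine.encr, mine.hash, mine.auth, mine.group) == \
               (theirs.encr, theirs.hash, theirs.auth, theirs.group):
                # Simplification: differing lifetimes resolve to the shorter one.
                return mine, min(mine.lifetime, theirs.lifetime)
    return None


def match_transform_set(a, b):
    for ta in a.transforms:
        for tb in b.transforms:
            if (ta.esp_encr, ta.esp_auth, ta.mode) == (tb.esp_encr, tb.esp_auth, tb.mode):
                return ta
    return None


def acls_mirrored(a, b):
    """Every 'permit ip L R' on A must appear on B as 'permit ip R L'."""
    return {(l, r) for l, r in a.crypto_acl} == {(r, l) for l, r in b.crypto_acl}


def diagnose(initiator, responder):
    """Walk the checklist in the order a tunnel fails and return the findings (empty = all agree)."""
    findings = []
    if match_ike_policy(initiator, responder) is None:
        findings.append("no matching ISAKMP policy (encr/hash/auth/DH): IKE SA will never reach QM_IDLE")
    if initiator.psk != responder.psk:
        findings.append("pre-shared keys differ: phase 1 authentication fails")
    if match_transform_set(initiator, responder) is None:
        findings.append("no common transform set: no IPsec SA (no inbound/outbound SPI) even with QM_IDLE")
    if not acls_mirrored(initiator, responder):
        findings.append("crypto ACLs are not mirror images: proxy identity mismatch in quick mode")
    if initiator.pfs_group != responder.pfs_group:
        findings.append("PFS configuration differs: compare 'set pfs' on both crypto map entries")
    return findings


# Constructed configurations: Branch initiates toward HQ.
HQ = Peer("HQ", psk="s3cr3t",
          policies=[IkePolicy(10, "aes 256", "sha256", "pre-share", 14)],
          transforms=[TransformSet("esp-aes 256", "esp-sha256-hmac")],
          crypto_acl=[("10.1.0.0/16", "10.2.0.0/16")])
BRANCH = Peer("Branch", psk="s3cr3t",
              policies=[IkePolicy(10, "aes 256", "sha", "pre-share", 14),        # hash differs: skipped
                        IkePolicy(20, "aes 256", "sha256", "pre-share", 14, 28800)],
              transforms=[TransformSet("esp-aes 256", "esp-sha256-hmac")],
              crypto_acl=[("10.2.0.0/16", "10.1.0.0/16")])
# Same branch with a wrong ESP hash and a crypto ACL that is not the mirror of HQ's.
BROKEN_BRANCH = replace(BRANCH,
                        transforms=[TransformSet("esp-aes 256", "esp-sha-hmac")],
                        crypto_acl=[("10.2.0.0/16", "10.1.0.0/24")])

if __name__ == "__main__":
    print("good :", diagnose(BRANCH, HQ))
    print("broken:", diagnose(BROKEN_BRANCH, HQ))
```

The point of the ordering in diagnose is the same as in the checklist: a policy or key problem shows up as an IKE SA that never reaches QM_IDLE, whereas a transform-set or crypto-ACL problem leaves IKE happy and only the IPsec SAs missing, so the symptom tells you which half of the configuration to compare.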


IPsec Show Commands

To show IKE SA information:

show crypto isakmp sa [vrf <vrf-name>] [detail]

show crypto isakmp peer <ip-addr>

To show IPsec SA information:

show crypto ipsec sa [ address | detail | interface | map | peer | vrf ]

To show IKE and IPsec information together:

show crypto session [ fvrf | group | ivrf | username ] [ detail ]

show crypto engine connection active

Cisco IOS IPsec Debugging

These are the IKE/IPsec debugs currently available. In day-to-day troubleshooting, debug crypto isakmp and debug crypto ipsec (and their error variants) cover most cases.

Make sure to use crypto conditional debugs when troubleshooting production routers: unfiltered debugs print every tunnel's negotiation and can flood the console and load the CPU.

debug crypto isakmp
debug crypto isakmp error
debug crypto isakmp ha
debug crypto ipsec
debug crypto ipsec error
debug crypto routing
debug crypto ha
debug crypto engine error
debug crypto engine packet
Crypto Conditional Debugging
Use crypto conditional debugging when troubleshooting live networks, especially where there are multiple tunnels running on the device.

The crypto conditional debug CLIs (debug crypto condition, debug crypto condition unmatched, and show crypto debug-condition) allow you to specify conditions (filter values) so that only debug messages related to the specified conditions are generated and displayed.

The router performs conditional debugging only after at least one of the global crypto debug commands (debug crypto isakmp, debug crypto ipsec, or debug crypto engine) has been enabled; this requirement helps ensure that the performance of the router is not impacted when conditional debugging is not being used.

To enable crypto conditional debugging (set the condition first, then the global debug):

debug crypto condition <cond-type> <cond-value>

debug crypto { isakmp | ipsec | engine }

Here <cond-type> is one of the filters listed by show crypto debug-condition (peer, connid, spi, fvrf, ivrf, isakmp profile, username); for a single site-to-site peer the usual one is debug crypto condition peer ipv4 <peer-address>.

To view the crypto conditions that have been enabled:

show crypto debug-condition [ all | peer | fvrf | ivrf | isakmp | username | connid | spi ]

To clear all crypto conditions (disable conditional debugging):

debug crypto condition reset
