Table of Contents
Advertisement
6. To display the IKE SA state and counters, enter:
7. To display the IPSEC SA statistics, enter:
8. To display the statistics for connections that are occurring through the firewall, enter:
The following are some additional commands that can be useful for debugging Dynamic VPN:
• debug crypto ike—enables IKE negotiation debug
• debug crypto ipsec—enables IPSec policy related debug
• debug crypto ca—enables PKI debug
• debug ip tunnel encap—enables debug for encapsulation related messages
• debug ip tunnel decap—enables debug for decapsulation related messages
• debug ip tunnel state—enables debug for interface state change messages
• debug dhcp-client—enables DHCP client debug messages (for VPN ABOT)
Secure Router to Avaya VPN router interoperability tips
In both static and dynamic tunnels, if the peer is an Avaya VPN router and a NAT exists
between the two peers, use the enable-natt-rfc3947 command under the IKE policy for
NAT traversal to work with Avaya VPN router. To confirm the configuration, use the show
crypto ike policy all detail command.
The following table describes default VPN attributes on the Secure Router and the Avaya VPN
router, and the action required for interoperability between these two routers.
Attributes
IKE Phase1
IKE Phase2
Troubleshooting
show crypto ipsec policy all detail
Verify the source and destination IP addresses.
show crypto ike sa all
show crypto ipsec sa all
show firewall connections all
Verify that traffic is passing across the configured policies.
SR2330/4134
(Default values)
Pre-3des-g2-sha1
ESP-3des-sha-TU
Secure Router to Avaya VPN router interoperability tips
Avaya VPN router
(Default values)
Pre-des-g1-sha1
Modify the proposal
attributes in either of
the devices.
ESP-3des-MD5-TU
Modify the proposal
attributes in either of
the devices.
Action
August 2013
221
Advertisement
Table of Contents
Troubleshooting
