show crypto session
To display status information for active crypto sessions, use the show crypto session command in EXEC mode.
show crypto session [detail | fvrf fvrf-name [detail] | group group-name | groups | interface interface-name | ivrf ivrf-name | local ip-address [fvrf fvrf-name | detail] | profile profile-name [detail] | remote ip-address [detail | port remote-port | fvrf fvrf-name] | user username [detail] | users]
Syntax Description
detail (Optional) Provides more detailed information about the session, such as the capabilities of the Internet Key Exchange (IKE) security association (SA), the connection ID, the remaining lifetime of the IKE SA, the number of encrypted (outbound) and decrypted (inbound) packets of the IP Security (IPSec) flow, the number of dropped packets, and the remaining lifetime of the IPSec SA in kilobytes and seconds.
fvrf fvrf-name (Optional) Displays status information about the front door virtual routing and forwarding (FVRF) session. The fvrf-name argument is the name assigned to the FVRF.
group group-name (Optional) Displays the usage for the group identity name that is currently active on the Virtual Private Network (VPN) device. The group-name argument is the identity name of the group.
groups (Optional) Displays the usage for all connected groups that are currently active on the VPN device.
interface interface-name (Optional) Displays the usage for the interface that is currently active on the VPN device. The interface-name argument is one of the following interface types:
• service-gre—Specifies GRE service interfaces.
• service-ipsec—Specifies IPSec service interfaces.
ivrf ivrf-name (Optional) Displays status information about the inside VRF (IVRF) session. The ivrf-name argument is the name of the inside VRF.
local ip-address (Optional) Displays status information about the crypto sessions of a local crypto endpoint. The ip-address argument is the IP address of the local crypto endpoint.
profile profile-name (Optional) Displays the Internet Security Association and Key Management Protocol (ISAKMP) profiles that are defined on the router. The profile-name argument is the name of the ISAKMP profile.
remote ip-address (Optional) Displays status information about the crypto sessions of a remote crypto endpoint. The ip-address argument is the IP address of the remote crypto endpoint.
port remote-port (Optional) Restricts the remote display to crypto sessions using the given remote port. The remote-port argument is a value from 1 to 65535. The default value is 500.
Internet Key Exchange Security Protocol Commands on the Cisco IOS XR Software
Defaults If the show crypto session command is entered without any keywords, all existing sessions are displayed. The default port is 500.
Command Modes EXEC
Command History
Release Modification
Release 3.5.0 This command was introduced.
Release 3.6.0 No modification.
Release 3.7.0 No modification.
Release 3.8.0 No modification.
Release 3.9.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
Use the show crypto session command to list all active ISAKMP sessions and the IKE and IPSec SAs of each session. For each session the output includes:
• Interface
• IKE SAs associated with the peer for which the IPSec SAs are created
• IPSec SAs serving the flows of the session
Multiple IKE or IPSec SAs can exist for the same peer (that is, for the same session). In that case the IKE peer description is repeated, with different values for the IKE SAs associated with the peer and for the IPSec SAs serving the flows of the session.
Task ID
Task ID Operations
crypto read
Examples The following example shows the list of fields from the show crypto session command:
RP/0/0/CPU0:router# show crypto session

Interface: service-ipsec1
Profile: prof1
ISAKMP policy: 10
Fvrf: default
Peer: 21.21.21.21/500 Ike SAs: 1
  IKE SA : conn-id 1 local 100.100.100.1/500 remote 21.21.21.21/500 QM_IDLE

Interface: service-ipsec4
Username: cisco
Profile: ezvpnIke
Group: group-a
Assigned address: 10.0.0.1
ISAKMP policy: 20
Fvrf: default
Ivrf: default
Peer: 192.168.10.2/500 Ike SAs: 1 IPsec SAs: 1
  IKE SA : conn-id 2 local 135.135.135.1/500 remote 192.168.10.2/500 QM_IDLE
  IPSEC FLOW 510: permit ipv4 0.0.0.0/0.0.0.0 10.0.0.1/255.255.255.255 Active SAs 2
The following example shows the detailed information of the session:
RP/0/0/CPU0:router# show crypto session detail

Interface: service-gre1
Profile: isakmp-prof1
ISAKMP policy: 10
Fvrf: default
Ivrf: default
Peer: 40.40.40.2/500 Ike SAs: 1 IPsec SAs: 1
  IKE SA : conn-id 1 local 50.50.50.2/500 remote 40.40.40.2/500 QM_IDLE
  IPSEC FLOW 501: permit gre 50.50.50.2/255.255.255.255 40.40.40.2/255.255.255.255 Active SAs 2
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 99354592/2414
        Outbound: #pkts enc'ed 655653 drop 0 life (KB/Sec) 99354592/2414

Interface: service-ipsec100
Profile: isakmp-prof1
ISAKMP policy: 10
Fvrf: default
Ivrf: default
Peer: 60.60.60.2/500 Ike SAs: 1 IPsec SAs: 1
  IKE SA : conn-id 3 local 70.70.70.2/500 remote 60.60.60.2/500 QM_IDLE
  IPSEC FLOW 503: permit ipv4 13.13.13.1/255.255.255.255 14.14.14.1/255.255.255.255 Active SAs 2
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 87560496/3204
        Outbound: #pkts enc'ed 12738053 drop 0 life (KB/Sec) 87560496/3204
Table 23 describes the significant fields shown in the display.
Table 23 show crypto session Field Descriptions
Field Description
IKE SA Information about the IKE SA, such as the local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.
IPSEC FLOW A snapshot of the IPSec-protected traffic flow: the traffic selector that defines the flow, how many IPSec SAs serve it, the origin of the SA, the number of encrypted, decrypted and dropped packets, and the remaining lifetime of the IPSec SA in kilobytes and seconds.
Related Commands
Command Description
clear crypto session Deletes crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]).
description (ISAKMP peer) Adds the description of an Internet Key Exchange (IKE) peer.
show crypto isakmp peers
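An operator watching more than a handful of tunnels will usually parse this output rather than read it. The following Python script is an added example, not Cisco code: it parses show crypto session detail output into sessions, IKE SAs and IPSec flows, then flags IKE SAs that are not in QM_IDLE (the established IKE phase 1 state), peers whose IKE SA is up but that have no IPsec SAs, flows with dropped packets, and IPsec SAs close to the end of their remaining lifetime. The SAMPLE text is constructed from the output format shown above; the drop and lifetime counters of the second session and the whole third session (an IKE SA stuck in MM_NO_STATE with no IPsec SA) were altered deliberately so that the checks fire, and the 120-second rekey threshold and all field names are assumptions of this example.

```python
"""Parse 'show crypto session detail' output and flag sessions that need attention.
Added example, not Cisco code. SAMPLE is constructed from the output format shown on this
page; the second session's counters and the third session were altered on purpose."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE = """\
Interface: service-gre1
Profile: isakmp-prof1
Fvrf: default
Ivrf: default
Peer: 40.40.40.2/500 Ike SAs: 1 IPsec SAs: 1
  IKE SA : conn-id 1 local 50.50.50.2/500 remote 40.40.40.2/500 QM_IDLE
  IPSEC FLOW 501: permit gre 50.50.50.2/255.255.255.255 40.40.40.2/255.255.255.255 Active SAs 2
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 99354592/2414
        Outbound: #pkts enc'ed 655653 drop 0 life (KB/Sec) 99354592/2414

Interface: service-ipsec100
Profile: isakmp-prof1
Peer: 60.60.60.2/500 Ike SAs: 1 IPsec SAs: 1
  IKE SA : conn-id 3 local 70.70.70.2/500 remote 60.60.60.2/500 QM_IDLE
  IPSEC FLOW 503: permit ipv4 13.13.13.1/255.255.255.255 14.14.14.1/255.255.255.255 Active SAs 2
        Inbound: #pkts dec'ed 0 drop 17 life (KB/Sec) 87560496/45
        Outbound: #pkts enc'ed 12738053 drop 0 life (KB/Sec) 87560496/45

Interface: service-ipsec1
Profile: prof1
Peer: 21.21.21.21/500 Ike SAs: 1
  IKE SA : conn-id 5 local 100.100.100.1/500 remote 21.21.21.21/500 MM_NO_STATE
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+Ike SAs:\s+(\d+)(?:\s+IPsec SAs:\s+(\d+))?")
IKE_RE = re.compile(r"^IKE SA\s*:\s*conn-id\s+(\d+)\s+local\s+(\S+)\s+remote\s+(\S+)\s+(\S+)")
FLOW_RE = re.compile(r"^IPSEC FLOW\s+(\d+):\s*(.+?)(?:\s+Active SAs\s+(\d+))?$")
CTR_RE = re.compile(r"^(Inbound|Outbound):\s+#pkts\s+(?:dec|enc)'ed\s+(\d+)\s+drop\s+(\d+)"
                    r"\s+life \(KB/Sec\)\s+\d+/(\d+)")

@dataclass
class Flow:
    flow_id: int
    selector: str                                        # the 'permit ...' traffic selector
    active_sas: int = 0
    pkts: Dict[str, int] = field(default_factory=dict)   # {"in": n, "out": n}
    drops: Dict[str, int] = field(default_factory=dict)
    life_sec: int = 0                                    # 0 = not reported (non-detail output)

@dataclass
class Session:
    interface: str
    attrs: Dict[str, str] = field(default_factory=dict)  # Profile, Fvrf, Ivrf, Username, ...
    peer: str = ""
    ike_sas: List[Dict[str, str]] = field(default_factory=list)
    flows: List[Flow] = field(default_factory=list)

def parse_sessions(text: str) -> List[Session]:
    """Each 'Interface:' line starts a session; the lines after it belong to that session."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    flow: Optional[Flow] = None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("Interface:"):
            cur, flow = Session(interface=line.split(":", 1)[1].strip()), None
            sessions.append(cur)
        elif cur is None:
            continue                                     # text before the first session
        elif m := PEER_RE.match(line):
            cur.peer = m.group(1)
            cur.attrs["Ike SAs"], cur.attrs["IPsec SAs"] = m.group(2), m.group(3) or "0"
        elif m := IKE_RE.match(line):
            cur.ike_sas.append(dict(zip(("conn_id", "local", "remote", "state"), m.groups())))
        elif m := FLOW_RE.match(line):
            flow = Flow(int(m.group(1)), m.group(2), int(m.group(3) or 0))
            cur.flows.append(flow)
        elif flow is not None and (m := CTR_RE.match(line)):
            direction = "in" if m.group(1) == "Inbound" else "out"
            flow.pkts[direction], flow.drops[direction] = int(m.group(2)), int(m.group(3))
            flow.life_sec = int(m.group(4))
        elif ":" in line:                                # any other 'Key: value' line
            key, val = line.split(":", 1)
            cur.attrs[key.strip()] = val.strip()
    return sessions

def audit(sessions: List[Session], min_life_sec: int = 120) -> List[str]:
    """One finding per problem; an empty list means every session looks healthy."""
    findings: List[str] = []
    for s in sessions:
        tag = f"{s.interface} peer {s.peer}"
        for sa in s.ike_sas:                             # QM_IDLE = established IKE phase 1 SA
            if sa["state"] != "QM_IDLE":
                findings.append(f"{tag}: IKE SA conn-id {sa['conn_id']} in state {sa['state']}, not established")
        if s.ike_sas and not s.flows:
            findings.append(f"{tag}: IKE SA up but no IPsec SAs (phase 2 not completed or expired)")
        for f in s.flows:
            if any(f.drops.values()):
                findings.append(f"{tag}: flow {f.flow_id} dropped in={f.drops.get('in', 0)} out={f.drops.get('out', 0)}")
            if 0 < f.life_sec < min_life_sec:            # threshold is an assumed value
                findings.append(f"{tag}: flow {f.flow_id} IPsec SA rekeys in {f.life_sec}s")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_sessions(SAMPLE))))
```

Feed it the captured output of show crypto session detail in place of SAMPLE; an empty findings list is the healthy case. A peer with an IKE SA but no IPsec SAs deserves a closer look in particular: the peer authenticated, but phase 2 never completed (usually a proposal or traffic-selector mismatch) or the IPsec SAs expired and left a stale phase 1 SA behind. The parser also accepts the non-detail output shown earlier, in which case the packet counters and lifetimes simply stay empty.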
split-dns
To specify a domain name that must be tunneled or resolved to the private network, use the split-dns command in ISAKMP group configuration mode. To remove a domain name, use the no form of this command.
split-dns domain-name
no split-dns domain-name
Syntax Description
domain-name Name of the Domain Name System (DNS) domain that must be tunneled or resolved to the private network.
Defaults All domain names are resolved through the public DNS server.
Command Modes ISAKMP group configuration
Command History
Release Modification
Release 3.4.0 This command was introduced.
Release 3.5.0 No modification.
Release 3.6.0 No modification.
Release 3.7.0 No modification.
Release 3.8.0 No modification.
Release 3.9.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
If you configure the split-dns command, the split-dns attribute is added to the policy group. The attribute carries the list of domain names that you configured: queries for those domains are tunneled to the private network, and all other names are resolved through the public DNS server.
You must enter the crypto isakmp client configuration group command, which specifies the group policy information to be defined or changed, before you can use the split-dns command.
Note If you have to configure more than one domain name, add a separate split-dns command line for each.
Examples The following example shows that the domain names green.com and acme.org are added to the policy group:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto isakmp client configuration group cisco
RP/0/0/CPU0:router(config-group)# key cisco
RP/0/0/CPU0:router(config-group)# dns 10.2.2.2 10.2.2.3
RP/0/0/CPU0:router(config-group)# wins 10.6.6.6
RP/0/0/CPU0:router(config-group)# domain cisco.com
RP/0/0/CPU0:router(config-group)# pool green
RP/0/0/CPU0:router(config-group)# acl 199
RP/0/0/CPU0:router(config-group)# split-dns green.com
RP/0/0/CPU0:router(config-group)# split-dns acme.org
Related Commands
Command Description
acl Configures split tunneling.
crypto isakmp client configuration group Specifies group policy information that needs to be defined or changed.
dns Specifies the primary and secondary Domain Name Service (DNS) addresses.
domain (isakmp-group) Specifies the Domain Name Service (DNS) domain to which a group belongs.
pool (isakmp-group) Defines a local pool address.
wins Specifies the primary and secondary Windows Internet Naming Service (WINS) servers.
wins
To specify the primary and secondary Windows Internet Naming Service (WINS) servers, use the wins command in ISAKMP group configuration mode. To remove this command from your configuration, use the no form of this command.
wins primary-server [secondary-server]
no wins primary-server [secondary-server]
Syntax Description
primary-server IP address of the primary WINS server.
secondary-server (Optional) IP address of the secondary WINS server.
Defaults No default behavior or values
Command Modes ISAKMP group configuration
Command History
Release Modification
Release 3.4.0 This command was introduced.
Release 3.5.0 No modification.
Release 3.6.0 No modification.
Release 3.7.0 No modification.
Release 3.8.0 No modification.
Release 3.9.0 No modification.
Usage Guidelines To use this command, you must be in a user group associated with a task group that includes the proper task IDs. If you suspect user group assignment is preventing you from using a command, contact your AAA administrator.
You must enter the crypto isakmp client configuration group command, which specifies the group policy information to be defined or changed, before you can use the wins command.
Task ID
Task ID Operations
Examples The following example shows how to define a primary and secondary WINS server for the group cisco:
RP/0/0/CPU0:router# configure
RP/0/0/CPU0:router(config)# crypto isakmp client configuration group cisco
RP/0/0/CPU0:router(config-group)# pool dog
RP/0/0/CPU0:router(config-group)# acl 199
RP/0/0/CPU0:router(config-group)# wins 10.1.1.2 10.1.1.3
Related Commands
Command Description
acl Configures split tunneling.
crypto isakmp client configuration group Specifies group policy information that needs to be defined or changed.
dns Specifies the primary and secondary Domain Name Service (DNS) addresses.