Both IPsec and ISAKMP require the services of the ENCO module. Depending on the configuration of IPsec policies, IPsec may require the following
resources:
■ DES encryption
■ 3DES encryption
■ HMAC authentication
■ STAC compression
ISAKMP may require:
■ DES encryption
■ 3DES encryption
■ the Diffie-Hellman key exchange algorithm
To display the resources that the ENCO module can provide, use the show enco command.
See Chapter 44, Compression and Encryption Services for more information about configuring ENCO resources.
If you need to contact your authorised distributor or reseller regarding an ISAKMP or IPsec problem, please include the output from the show debug ipsec command, as well as any output you have captured from ISAKMP or IPsec debugging. For further details about the show debug ipsec command, see Chapter 4, Configuring and Monitoring the System.
IPsec
If IPsec has not been enabled, it does not process IP packets. To display the status of IPsec, use the command:
show ipsec
IPsec events are logged in the switch log. If IPsec is not working correctly, check the switch log by using the command:
show log
If the switch log does not indicate why IPsec is failing to operate correctly, check the IPsec counters by using the command:
show ipsec counter
Before traffic can be processed by an IPsec policy, IPsec SAs and an SA bundle must have been created for that policy. To check whether an SA bundle has been created for a particular policy, use the command:
show ipsec policy=policy_name
To display the contents of the SA database and counters for an entry in the database, use the command:
49-46 AlliedWare OS Software Reference
If an IPsec SA and bundle have not been created and key management is set to ISAKMP, then check the ISAKMP counters by using the command:
show isakmp counter
ISAKMP may not be able to negotiate an IPsec SA when IPsec configurations at each end of the link are incompatible.
If key management is set to manual or isakmp, and the counters suggest that ISAKMP was not able to negotiate an SA due to incompatible transforms, check the IPsec configuration at each end of the link by using the commands:
show ipsec saspecification
show ipsec bundlespecification
show ipsec policy
To enable or disable IPsec debugging, use the commands:
enable ipsec policy[=name] debug={all|filter|packet}
disable ipsec policy={all|name} debug={all|trace}
Debugging for filter explains why packets are not being matched to a particular policy. Debugging for trace shows where a packet has failed in the IPsec process. Debugging for packet displays the contents of a packet at different stages of the IPsec process.
ISAKMP
If ISAKMP is not enabled, it does not listen on port 500 for ISAKMP messages.
To display the status of ISAKMP, use the command:
show isakmp
ISAKMP events are logged in the switch log. If ISAKMP is not working correctly, check the switch log by using the command:
show log
When the ISAKMP SA between two ISAKMP peers has been created, there are messages in the log indicating that a phase 1 ISAKMP exchange has started and completed successfully. The successful creation of an ISAKMP SA can be confirmed by viewing the SA in the ISAKMP SA database by using the command:
show isakmp sa
If the switch log indicates that an ISAKMP phase 1 exchange has started but not finished, then the exchange may be waiting for the remote peer to reply.
Until it times out and stops re-transmitting the last message, the exchange can still be displayed by using the command:
show isakmp exchange
If the switch log does not indicate why an ISAKMP negotiation has failed, check the ISAKMP counters by using the command:
show isakmp counter
If the ISAKMP SA has not been created successfully, then check the counters for main mode. If the ISAKMP SA has been successfully created but IPsec SAs are not being negotiated, then check the counters for quick mode. In both cases the general counters may explain why ISAKMP messages are not being processed.
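The triage described above (phase 1 started but not completed, phase 1 completed but no IPsec SA, or no exchange at all) can be applied mechanically to captured switch log output. The following is an added example, not part of the AlliedWare OS reference and not the switch's own code: it pairs "started" and "completed" ISAKMP exchange events per peer and reports which stage failed together with the commands this section says to run next. The log line wording, the timestamps and the peer addresses are constructed for the example (the real switch log format is not reproduced in the reference text), so the regular expression would need adjusting for actual output.

```python
import re
from collections import defaultdict

# Constructed sample of switch log lines (assumed wording; the real AlliedWare OS
# log format is not shown in the reference). Peer addresses are RFC 5737
# documentation addresses.
SAMPLE_LOG = """\
12:00:01 ISAKMP phase 1 exchange started with peer 192.0.2.10
12:00:02 ISAKMP phase 1 exchange completed with peer 192.0.2.10
12:00:03 ISAKMP phase 2 exchange started with peer 192.0.2.10
12:00:03 ISAKMP phase 2 exchange completed with peer 192.0.2.10
12:00:10 ISAKMP phase 1 exchange started with peer 198.51.100.7
12:00:20 ISAKMP phase 1 exchange started with peer 203.0.113.5
12:00:21 ISAKMP phase 1 exchange completed with peer 203.0.113.5
12:00:22 ISAKMP phase 2 exchange started with peer 203.0.113.5
12:00:30 IPsec policy vpn1 SA bundle created for peer 192.0.2.10
"""

# Assumed line shape: "<hh:mm:ss> ISAKMP phase <1|2> exchange <started|completed> with peer <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) ISAKMP phase (?P<phase>[12]) exchange "
    r"(?P<event>started|completed) with peer (?P<peer>[\d.]+)$"
)

# Next steps per stage, taken from this troubleshooting section.
NEXT_STEPS = {
    "phase1-pending": [
        "show isakmp exchange",            # exchange still re-transmitting?
        "show isakmp counter",             # look at the main mode counters
        "check pre-shared key / RSA public keys on both ends",
    ],
    "phase2-pending": [
        "show isakmp counter",             # look at the quick mode counters
        "show ipsec saspecification",
        "show ipsec bundlespecification",
        "show ipsec policy",               # compare configs at each end
    ],
    "sa-negotiated": ["show isakmp sa", "show ipsec policy=<policy_name>"],
    "no-exchange": ["show isakmp", "show isakmp counter"],  # general counters
}


def parse_exchanges(log_text):
    """Return {peer: {phase: {"started": ts|None, "completed": ts|None}}}.

    Unrelated log lines are skipped; the last event of each kind wins, so a
    peer that re-started an exchange is judged on its most recent attempt.
    """
    state = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        peer, phase = m["peer"], int(m["phase"])
        rec = state[peer].setdefault(phase, {"started": None, "completed": None})
        rec[m["event"]] = m["ts"]
    return dict(state)


def classify_peer(phases):
    """Decide the stage at which negotiation with one peer stopped."""
    p1 = phases.get(1, {})
    p2 = phases.get(2, {})
    if p1.get("started") and not p1.get("completed"):
        return "phase1-pending"      # waiting for the remote peer, or key mismatch
    if p1.get("completed") and not p2.get("completed"):
        return "phase2-pending"      # ISAKMP SA exists, IPsec SAs not negotiated
    if p2.get("completed"):
        return "sa-negotiated"
    return "no-exchange"


def triage(log_text):
    """Map each peer seen in the log to (stage, [commands to run next])."""
    return {
        peer: (classify_peer(phases), NEXT_STEPS[classify_peer(phases)])
        for peer, phases in parse_exchanges(log_text).items()
    }


if __name__ == "__main__":
    for peer, (stage, steps) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{peer}: {stage}")
        for cmd in steps:
            print(f"    next: {cmd}")
```

Run against a real capture, paste the output of show log into SAMPLE_LOG (or read it from a file) after adjusting LINE_RE to the switch's actual wording; a peer reported as phase1-pending that stays pending after the exchange has timed out points at the pre-shared key or public key configuration, while phase2-pending points at incompatible IPsec configurations at the two ends.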
To enable or disable ISAKMP debugging, use the commands:
enable isakmp debug={all|default|packet|pkt|pktraw|state|trace|tracemore}
disable isakmp debug={all|default|packet|pkt|pktraw|state|trace|tracemore}
The state and trace options help determine the part of the ISAKMP negotiation that is failing. If these modes fail to reveal the problem, your support centre may ask that you capture text by using the all option.
The most common reason for the failure of a phase 1 ISAKMP exchange is that the pre-shared key or RSA public keys have not been configured correctly.
Make sure that the pre-shared key is identical on each end of the link, and that the public key of each switch is loaded onto the other switch correctly.
The most common reason for the failure of a phase 2 ISAKMP exchange is that IPsec configurations at each end of the link are incompatible. Check that both of these are correct.