Cisco IOS software contains a number of show,
clear, and debug commands useful for
testing and verifying IPSec and ISAKMP. Administrators can perform the
following actions to test and verify that they have correctly configured a VPN
using Cisco IOS:
- Display the configured IKE policies using the
show crypto isakmp policy command.
- Display the configured transform sets using the show crypto ipsec
transform-set command.
- Display the current state of the IPSec SAs with the show crypto
ipsec sa command.
- View the configured crypto maps with the show crypto
map command.
- Debug IKE and IPSec traffic through the Cisco IOS with the debug
crypto ipsec and debug crypto isakmp
commands.
- Debug CA events through the Cisco IOS using the debug crypto
key-exchange and debug crypto pki commands.
Use debug commands with caution. Enabling debugging
can disrupt operation of the router because of the large amount of output.
Before starting a debug command, always consider the output
that this command will generate and the amount of time this may take. Also,
look at the CPU load using the show processes cpu command.
Verify that there is ample CPU time available before beginning the debugs.
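
The CPU check described above can be scripted so that a debug is started only when the router has headroom. The following Python is an added example, not part of the original Cisco text: the sample show processes cpu output is constructed, and the function names and the 50% threshold are assumptions rather than Cisco guidance.

```python
import re

# Constructed sample of "show processes cpu" output (not from a real router).
SAMPLE = """\
CPU utilization for five seconds: 12%/4%; one minute: 9%; five minutes: 8%
 PID Runtime(ms)     Invoked      uSecs   5Sec   1Min   5Min TTY Process
   1           4         212         18  0.00%  0.00%  0.00%   0 Chunk Manager
  87      183204      910422        201  6.15%  4.02%  3.90%   0 Crypto IKMP
 112       90412      400121        225  1.75%  1.10%  1.02%   0 IP Input
"""

# Header: total%/interrupt% over five seconds, then one- and five-minute averages.
HEADER = re.compile(r"CPU utilization for five seconds:\s*(\d+)%/(\d+)%;"
                    r"\s*one minute:\s*(\d+)%;\s*five minutes:\s*(\d+)%")
# Process row: PID, runtime, invoked, uSecs, 5Sec, 1Min, 5Min, TTY, name.
PROC = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+([\d.]+)%\s+[\d.]+%\s+[\d.]+%"
                  r"\s+\d+\s+(.+?)\s*$", re.M)


def parse_cpu(output):
    """Return utilization figures and the three busiest processes."""
    m = HEADER.search(output)
    if not m:
        raise ValueError("CPU utilization header not found")
    five_sec, interrupt, one_min, five_min = map(int, m.groups())
    procs = sorted(((name, float(pct)) for pct, name in PROC.findall(output)),
                   key=lambda p: p[1], reverse=True)
    return {"five_sec": five_sec, "interrupt": interrupt,
            "one_min": one_min, "five_min": five_min, "top": procs[:3]}


def debug_is_safe(output, max_busy=50):
    """Decide whether to start a debug. max_busy (percent) is an assumed
    local threshold, not a Cisco-documented value."""
    try:
        cpu = parse_cpu(output)
    except ValueError as exc:
        return False, f"{exc}; do not start debugs"  # fail closed
    worst = max(cpu["five_sec"], cpu["one_min"], cpu["five_min"])
    if worst >= max_busy:
        busiest = cpu["top"][0][0] if cpu["top"] else "unknown"
        return False, f"CPU at {worst}% (busiest process: {busiest})"
    return True, f"CPU at {worst}%, {100 - worst}% headroom"


if __name__ == "__main__":
    print(parse_cpu(SAMPLE))
    print(debug_is_safe(SAMPLE))
```

The check takes the highest of the three averages, so a router that was busy over the last five minutes is treated as busy even if the most recent five-second sample is low.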