free stats
Cisco MDS 9000 Manual
Hide thumbs Also See for MDS 9000:

Advertisement

S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Troubleshooting IPsec
This chapter describes how to troubleshoot IP security (IPsec) and Internet Key Exchange (IKE)
encryption in the Cisco MDS 9000 Family. It includes the following sections:
Overview
The IPsec protocol is a framework of open standards that provides data confidentiality, data integrity,
and data authentication between participating peers. It was developed by the Internet Engineering Task
Force (IETF). IPsec provides security services at the IP layer, including protecting one or more data
flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a
host. IPsec is supported for iSCSI and FCIP using IKE and Encapsulated Security Protocol (ESP) in
tunnel mode.
This section contains the following topics:

IPsec Compatibility

IPsec features are compatible with the following Cisco MDS 9000 Family hardware:
OL-9285-05
Overview, page 22-1
Initial Troubleshooting Checklist, page 22-4
IPsec Issues, page 22-5
IPsec Compatibility, page 22-1
Supported IPsec and IKE Algorithms for Microsoft Windows and Linux Platforms, page 22-2
IKE Allowed Transforms, page 22-3
IPsec Allowed Transforms, page 22-4
Cisco 14/2-port Multiprotocol Services (MPS-14/2) modules in Cisco MDS 9200 switches or Cisco
MDS 9500 directors
Cisco MDS 9216i Switch with the MPS-14/2 capability in the integrated supervisor module. Refer
to the Cisco MDS 9200 Series Hardware Installation Guide for more information on the Cisco MDS
9216i Switch.
The IPsec feature is not supported on the management interface.
C H A P T E R
Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x
22
22-1

Advertisement

Table of Contents
loading

Summary of Contents for Cisco MDS 9000

  • Page 1: Ipsec Compatibility

    Cisco MDS 9216i Switch with the MPS-14/2 capability in the integrated supervisor module. Refer • to the Cisco MDS 9200 Series Hardware Installation Guide for more information on the Cisco MDS 9216i Switch. The IPsec feature is not supported on the management interface.
  • Page 2 S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m IPsec and IKE are not supported by the Cisco Fabric Switch HP c-Class BladeSystem and the Cisco Note Fabric Switch for IBM BladeCenter.
  • Page 3: Ike Allowed Transforms

    SHA-1 (HMAC variant) SHA-1 MD5 (HMAC variant) Authentication method Preshared keys Preshared keys RSA signatures in digital certificates DH group identifier 768-bit DH 768-bit DH (1) 1024-bit DH 1536-bit DH Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-3 OL-9285-05...
  • Page 4: Ipsec Allowed Transforms

    Begin troubleshooting IPsec issues by checking the following issues: Checklist Check off Verify licensing requirements. See Cisco MDS 9000 Family Fabric Manager Configuration Guide. Verify that IKE has been configured for IPsec. Verify the digital certificates configuration if it is enabled for IPsec. See Chapter 24, “Troubleshooting Digital Certificates.”...
  • Page 5: Table Of Contents

    Verifying Security Policy Databases Compatibility, page 22-8 • Verifying Interface Status Using Fabric Manager, page 22-9 • Verifying Interface Status Using the CLI, page 22-9 • Verifying Security Associations, page 22-12 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-5 OL-9285-05...
  • Page 6: Figure

    Select the Interfaces tab and verify that the crypto map set is applied to the correct interface on both Step 3 switches. In Device Manager, choose IP > ACLs and verify that the ACLs used in the crypto map in Step 1 Step 4 compatible on both switches. Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-6 OL-9285-05...
  • Page 7: Verifying Ipsec Configuration Compatibility Using The Cli

    Ensure that the transform sets are compatible in the show crypto transform-set domain ipsec command Step 4 outputs for both switches. Ensure that the PFS settings in the show crypto map domain ipsec command outputs are configured Step 5 the same on both switches. Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-7 OL-9285-05...
  • Page 8: Verifying Security Policy Databases Compatibility

    Source port :*, Destination port :500 Protocol UDP Physical port:0/0, Vlan_id:0/0 Action cleartext Inbound Policy 2 : Source IP Address :10.10.100.232/255.255.255.255 Destination IP Address :10.10.100.231/255.255.255.255 Source port :*, Destination port :* Protocol * Physical port:0/1, Vlan_id:0/4095 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-8 OL-9285-05...
  • Page 9: Verifying Interface Status Using Fabric Manager

    FCIP tunnels are compatible. Verifying Interface Status Using the CLI To verify the status of the interfaces using the CLI, follow these steps: Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-9 OL-9285-05...
  • Page 10 Trunk vsans (initializing) Using Profile id 1 (interface GigabitEthernet7/1) Peer Information Peer Internet address is 10.10.100.232 and port is 3225 FCIP tunnel is protected by IPSec Write acceleration mode is off Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-10 OL-9285-05...
  • Page 11 Special Frame is disabled Maximum number of TCP connections is 2 Time Stamp is disabled QOS control code point is 0 QOS data code point is 0 B-port mode disabled TCP Connection Information Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-11 OL-9285-05...
  • Page 12: Verifying Security Associations

    MDSC# show crypto sad domain ipsec interface:GigabitEthernet1/2 Crypto map tag:cmap-01, local addr. 10.10.100.232 protected network: local ident (addr/mask):(10.10.100.232/255.255.255.255) remote ident (addr/mask):(10.10.100.231/255.255.255.255) current_peer:10.10.100.231 local crypto endpt.:10.10.100.232, remote crypto endpt.:10.10.100.231 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-12 OL-9285-05...
  • Page 13 Encrypt algorithm is DES/3DES Auth algorithm is MD5 Source ip address 10.10.100.231/255.255.255.255 Destination ip address 10.10.100.232/255.255.255.255 Physical port 1, mask:0x1 Misc select 0 mask:0x0 Vlan 0 mask:0xfff Protocol 0 mask:0x0 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-13 OL-9285-05...
  • Page 14 Hard limit expiry 1100652419 secs (since January 1, 1970), remaining 206 4 secs Soft limit expiry 1100652397 secs (since January 1, 1970), remaining 204 2 secs Outbound MAC table index:125 Sequence number:7123 Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-14 OL-9285-05...
  • Page 15: Clearing Security Associations

    The show crypto global domain ipsec command output displays statistics for all SAs. Command output follows: MDSA# show crypto global domain ipsec IPSec global statistics: Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-15 OL-9285-05...
  • Page 16 Example command output follows: MDSA# show crypto global domain ipsec interface gigabitethernet 7/1 IPSec interface statistics: IKE transaction stats:0 num Inbound SA stats:1 num, 512 max Outbound SA stats:1 num, 512 max Cisco MDS 9000 Family Troubleshooting Guide, Release 3.x 22-16 OL-9285-05...

Table of Contents