How to verify Cisco IPSEC tunnel ISAKMP phase

Once you are done configuring the IPSEC VPN tunnel, we will need to verify the connectivity between sites. So, will discuss these commands in bit detail.

Show crypto isakmp sa

Above command will tell us the status of our ISAKMP negotiations, here are some of the common ISAKMP SA statuses

The following four modes are found in IKE main mode

  • MM_NO_STATE – ISAKMP SA process has started but has not continued to form (typically due to a connectivity issue with the peer)
  • MM_SA_SETUP – Both peers agree on ISAKMP SA parameters and will move along the process
  • MM_KEY_EXCH – Both peers exchange their DH keys and are generating their secret keys. (This state could also mean there is a mis-matched authentication type or PSK, if it does not proceed to the next step)
  • MM_KEY_AUTH – ISAKMP SA’s have been authenticated in main mode and will proceed to QM_IDLE immediately

The following three modes are found in IKE aggressive mode

  • AG_NO_STATE – ISAKMP SA process has started but has not continued to form (typically do to a connectivity issue with the peer)
  • AG_INIT_EXCH – Peers have exchanged their first set of packets in aggressive mode, but have not authenticated yet
  • AG_AUTH – ISAKMP SA’s have been authenticated in aggressive mode and will proceed to QM_IDLE immediately

The following mode is found in IKE Quick Mode, phase 2

  • QM_IDLE – The ISAKMP SA is idle and authenticated

Author: Chathura Ariyadasa

A highly talented IT professional with extensive experience and capabilities in performing a variety of IT Security, Computer Networking and IT Help Desk duties and responsibilities in the IT Department.