Summary: Structured approach to diagnosing point-to-point IPsec VPN failures on IOS-XE, covering IKE negotiation, IPsec SA establishment, traffic flow, and NAT traversal issues.
1. Underlay reachability → can the peers reach each other?
2. IKE Phase 1 → is the IKE SA establishing?
3. IPsec Phase 2 → are IPsec SAs negotiating?
4. Traffic / encryption → are packets being encrypted and passing?
5. Routing → are interesting traffic selectors matching?
6. NAT traversal → is NAT in the path causing issues?
Before touching crypto, confirm the peers can reach each other.
```
! Ping the remote peer from the local tunnel source interface
ping <remote-peer-ip> source <local-interface>
! Confirm no firewall is blocking IKE or ESP
! Required ports: UDP 500 (IKE), UDP 4500 (NAT-T), ESP (IP protocol 50)
```

Once the underlay is confirmed, check whether the IKE SA (Phase 1) is up:

```
show crypto isakmp sa             ! IKEv1
show crypto ikev2 sa              ! IKEv2
show crypto ikev2 sa detail       ! IKEv2 with full negotiation detail
```
| IKEv1 state | Meaning |
|---|---|
| MM_NO_STATE | Main mode started, no response from peer |
| MM_SA_SETUP | Proposals exchanged, waiting for key exchange |
| MM_KEY_EXCH | Diffie-Hellman complete, authenticating |
| MM_ACTIVE | Phase 1 complete |
| QM_IDLE | Phase 1 up, Phase 2 negotiating |

| IKEv2 state | Meaning |
|---|---|
| READY | IKEv2 SA established |
| DELETED | SA torn down |
| INIT-SA | IKE_INIT exchange in progress |
```
! Check local IKE proposals
show crypto ikev2 proposal
show crypto isakmp policy         ! IKEv1
! Check PSK configured for peer
show crypto isakmp key            ! IKEv1
show running-config | include pre-shared-key
! Debug IKE negotiation errors only; on a busy box scope the output to one peer first
debug crypto condition peer ipv4 <remote-peer-ip>
debug crypto ikev2 error
debug crypto isakmp error
```
```
show crypto ipsec sa peer <remote-peer-ip>
show crypto ipsec sa detail
```

Look for:

- `#pkts encaps` and `#pkts encrypt` incrementing → traffic is being encrypted outbound
- `#pkts decaps` and `#pkts decrypt` incrementing → traffic is being received and decrypted
- `#pkts errors` or `#pkts invalid` incrementing → transform mismatch, anti-replay issues, or MTU problems
- `#pkts not decompressed` incrementing → compression mismatch between peers

```
! Check transform sets
show crypto ipsec transform-set
! Check PFS group matches on both peers
show running-config | include pfs
! Debug IPsec
debug crypto ipsec error
! Watch counters in real time: generate traffic, then check
show crypto ipsec sa peer <remote-peer-ip> | include pkts
! For SVTI-based VPNs, also check the virtual tunnel interface
show interface tunnel <id>
```
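To make the counter check repeatable, here is an added Python helper (not from the original runbook or from Cisco) that parses two snapshots of `show crypto ipsec sa peer <ip> | include pkts`, taken before and after a burst of test pings, and maps the counter movement to the failure modes listed above. The sample snapshots are constructed, and the field names assume the standard IOS-XE counter layout.

```python
import re
from typing import Dict

# Matches the per-SA counters "show crypto ipsec sa" prints, e.g.
# "#pkts encaps: 1234, #pkts encrypt: 1234" and "#send errors 0, #recv errors 0".
COUNTER_RE = re.compile(r"#(pkts [a-z][a-z. ]*?|send errors|recv errors):?\s+(\d+)")

# Constructed sample snapshots in the layout IOS-XE prints (values are made up):
# 100 packets were encrypted between the two captures, none were decrypted.
SNAP_BEFORE = """\
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""
SNAP_AFTER = """\
    #pkts encaps: 1300, #pkts encrypt: 1300, #pkts digest: 1300
    #pkts decaps: 1200, #pkts decrypt: 1200, #pkts verify: 1200
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

def parse_counters(show_output: str) -> Dict[str, int]:
    """Return {counter_name: value} from one snapshot of the command output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(show_output)}

def counter_deltas(before: str, after: str) -> Dict[str, int]:
    """Per-counter change between two snapshots taken around a burst of test pings."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a.get(k, 0) - b.get(k, 0) for k in set(a) | set(b)}

def diagnose(before: str, after: str) -> str:
    """Map counter movement to the failure mode the runbook associates with it."""
    d = counter_deltas(before, after)
    enc, dec = d.get("pkts encrypt", 0), d.get("pkts decrypt", 0)
    if d.get("pkts not decompressed", 0) > 0:
        return "compression mismatch between peers"
    if d.get("send errors", 0) + d.get("recv errors", 0) > 0:
        return "errors incrementing: check transform set, anti-replay window and MTU"
    if enc > 0 and dec > 0:
        return "bidirectional: tunnel is passing traffic"
    if enc > 0:
        return "one-way: encrypting outbound, nothing decrypted; check the remote crypto ACL/route and the return path"
    if dec > 0:
        return "one-way: receiving only; local traffic is not hitting the crypto ACL or not routed into the tunnel"
    return "no packets moved: interesting traffic is not reaching the SA (crypto ACL or routing)"
```

Paste the two captures into `SNAP_BEFORE` and `SNAP_AFTER` and call `diagnose(SNAP_BEFORE, SNAP_AFTER)`; for an IKEv2 peer the same counters appear under `show crypto ipsec sa`.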
Policy-based VPN (crypto map): traffic must match the crypto ACL on both peers, and the two ACLs must be mirror images of each other.

```
show crypto map
show ip access-lists <crypto-acl-name>
! Verify interesting traffic hits the ACL
show crypto ipsec sa peer <remote-ip> | include access-list
```
Route-based VPN (SVTI): traffic must be routed into the tunnel interface; no crypto ACL is required.

```
! Check the route points to the tunnel interface
show ip route <destination>
! Confirm the tunnel interface is up/up
show interface tunnel <id>
```
If NAT is present between peers, IKE must use NAT-T (UDP 4500) and ESP will be encapsulated in UDP.

```
! Confirm NAT-T is detected
show crypto isakmp sa detail | include NAT
show crypto ikev2 sa detail | include NAT
! Enable NAT-T keepalives (IKEv1)
crypto isakmp nat keepalive 20
! IKEv2 handles NAT-T automatically
```
⚠️ NAT and Crypto Maps

If using a crypto map (policy-based VPN) and NAT is present, ensure the crypto ACL traffic is exempted from NAT with a no-NAT ACL entry. Otherwise the NAT translation occurs before encryption, so the translated packet no longer matches the crypto ACL and the IPsec SA never carries it.

```
! Verify NAT exemption exists for VPN traffic
show ip nat translations
show running-config | section ip nat
```
IPsec adds overhead, typically 50–70 bytes for IKEv2/AES/SHA. Oversized packets are dropped silently.

```
! Test with the DF bit set to identify MTU issues
ping <destination> size 1400 df-bit source <interface>
ping <destination> size 1300 df-bit source <interface>
! For SVTI, set MTU and MSS on the tunnel interface
interface tunnel <id>
 ip mtu 1400
 ip tcp adjust-mss 1360
```
Quick reference:

```
show crypto isakmp sa                    ! IKEv1 Phase 1 SAs
show crypto ikev2 sa detail              ! IKEv2 Phase 1 SAs
show crypto ipsec sa peer <ip>           ! Phase 2 SAs and counters
show crypto ipsec sa detail              ! All SAs with full detail
show crypto session remote <ip>          ! Combined session view
show crypto map                          ! Crypto map config (policy-based)
show interface tunnel <id>               ! SVTI tunnel state
show crypto engine connections active    ! Active crypto engine sessions
debug crypto ikev2 error                 ! IKEv2 negotiation errors
debug crypto isakmp error                ! IKEv1 negotiation errors
debug crypto ipsec error                 ! IPsec SA errors
undebug all                              ! Always clean up after
```