Openswan - Check IKE Version

I have a CentOS server running Openswan for IPSec VPN connectivity.

I need to confirm whether I have IKEv1 or IKEv2 in use - how can I identify this?
ccfcfc Asked:

GeNeRaL971 Commented:
Hi ccfcfc

Try to do this with IKEv1 and IKEv2

This is an example for IKEv2; try to do the same thing for IKEv1.

If one of them works, you know if it's IKEv1 or IKEv2 :-)


Enter the show crypto ikev2 sa command on the router:

R1#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                Remote              fvrf/ivrf    Status
1         172.16.1.1/500       172.16.1.2/500      none/none    READY  
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA,
         Auth verify: RSA
      Life/Active Time: 86400/53 sec
 IPv6 Crypto IKEv2  SA

Enter the show crypto ikev2 sa command on the ASA:

ciscoasa/vpn(config)# show crypto ikev2 sa

IKEv2 SAs:

Session-id:138, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                Remote              Status       Role
45926289  172.16.1.2/500       172.16.1.1/500      READY        INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:14, Auth sign: RSA,
         Auth verify: RSA
      Life/Active Time: 86400/4 sec
Child sa: local selector  192.168.0.0/0 - 192.168.0.255/65535
          remote selector 172.16.2.0/0 - 172.16.2.255/65535
          ESP spi in/out: 0xa84caabb/0xf18dce57

The web site where I found this command: http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html#anc22
0
ccfcfc Author Commented:
Sorry - this isn't a Cisco device.

This is a CentOS Linux server with Openswan running on it.  I don't have a "show crypto" command.
0
GeNeRaL971 Commented:
Sorry for the time, but I haven't found exactly how to identify the IKE.

But these are all the differences between IKEv1 and IKEv2 (maybe you will find your IKE with all these characteristics):

IKEv2 differs from IKEv1 in the following ways:

• IKEv2 fixes the Photuris style cookie mechanism.

• IKEv2 has fewer round trips in a negotiation than IKEv1, two round trips versus five for IKEv1 for a basic exchange.

• Transform options are OR'ed, which means that you can specify multiple options in a single proposal rather than creating separate unique proposals for each allowed combination.

• Built-in dead peer detection (DPD).

• Built-in configuration payload and user authentication mode.

• Built-in NAT traversal (NAT-T). IKEv2 uses ports 500 and 4500 for NAT-T.

• Improved re-keying and collision handling.

• A single security association (SA) can protect multiple subnets, which improves scalability.

• Asymmetric authentication in site-to-site VPNs, where each side of a tunnel can have different preshared keys, different certificates, or one side a key and the other side a certificate.

• For remote access IPsec VPNs, you can configure double authentication for IKEv2 connections in the same way that you configure them for remote access SSL VPNs. IKEv1 does not support double authentication.
0
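
A vendor-independent way to tell the two versions apart, as an added example that is not from the thread: IKEv1 and IKEv2 share a 28-byte header whose byte at offset 17 holds the major/minor version, and on UDP 4500 that header follows a 4-byte non-ESP marker. The function and sample names are hypothetical, the datagrams are constructed header-only samples, and it assumes you already have the raw UDP payload from a packet capture on the server.

```python
import struct

# Exchange-type names: RFC 2408/2409 for IKEv1, RFC 7296 for IKEv2.
EXCHANGES = {
    1: {2: "Main Mode", 4: "Aggressive Mode", 5: "Informational", 32: "Quick Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"},
}
NON_ESP_MARKER = b"\x00" * 4  # precedes the IKE header on UDP 4500 (RFC 3948)
# initiator SPI/cookie, responder SPI/cookie, next payload, version,
# exchange type, flags, message ID, total length
HEADER = struct.Struct("!8s8sBBBBII")


def ike_version(udp_payload: bytes, port: int = 500):
    """Return (major, minor, exchange_name) for an IKE datagram, else None.

    None covers everything that is not an IKE header: ESP-in-UDP traffic,
    the one-byte NAT-T keepalive, and captures too short to hold a header.
    """
    if port == 4500:
        if udp_payload == b"\xff":
            return None  # NAT-T keepalive
        if not udp_payload.startswith(NON_ESP_MARKER):
            return None  # ESP-in-UDP: first four bytes are a non-zero SPI
        udp_payload = udp_payload[len(NON_ESP_MARKER):]
    if len(udp_payload) < HEADER.size:
        return None
    _, _, _, version, exchange, _, _, length = HEADER.unpack_from(udp_payload)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGES or length < HEADER.size:
        return None
    return major, minor, EXCHANGES[major].get(exchange, f"exchange {exchange}")


def sample_datagram(version: int, exchange: int, natt: bool = False) -> bytes:
    """Constructed header-only datagram (no payloads), for demonstration."""
    hdr = HEADER.pack(b"\x11" * 8, b"\x00" * 8, 0, version, exchange, 0, 0, HEADER.size)
    return (NON_ESP_MARKER if natt else b"") + hdr


if __name__ == "__main__":
    samples = [
        ("udp/500", sample_datagram(0x10, 2), 500),
        ("udp/500", sample_datagram(0x20, 34), 500),
        ("udp/4500", sample_datagram(0x20, 35, natt=True), 4500),
        ("udp/4500", b"\xde\xad\xbe\xef" + bytes(40), 4500),  # constructed ESP-in-UDP
    ]
    for label, payload, port in samples:
        print(label, ike_version(payload, port))
```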

Linux Networking

Question has a verified solution.