Checking IPSec Protocol Status

Problem

You want to check the status of an IPSec VPN on a Cisco router: whether the ISAKMP (Phase 1) and IPSec (Phase 2) security associations are up, and whether traffic is actually being encrypted.

Solution

There are several useful commands for displaying ISAKMP and IPSec state.

The command show crypto isakmp sa shows all of the ISAKMP security associations.

Router1#show crypto isakmp sa

And you can look at the IPSec security associations with this command:

Router1#show crypto ipsec sa

Even if you aren't using a key management protocol such as ISAKMP (for example, with manually keyed IPSec), you can see information on all of the active IPSec connections with the following command:

Router1#show crypto engine connections active

And this closely related command will tell you about packet drops within the encryption engine:

Router1#show crypto engine connections dropped-packet 

The show crypto map command gives information about all of the IPSec crypto maps that you have configured on your router, whether or not they are in use:

Router1#show crypto map

And you can specify a particular crypto map with the tag keyword:

Router1#show crypto map tag TUNNELMAP

For information about dynamic crypto maps, you can use the following command:

Router1#show crypto dynamic-map 

Discussion

The show crypto isakmp sa command lets you see information about the current state of any ISAKMP key exchanges that the router is involved in. The entry you want to see for a working tunnel is QM_IDLE, which means the Phase 1 (ISAKMP) negotiation has completed, the SA is authenticated, and it is sitting idle waiting to be used for Quick Mode (Phase 2) exchanges. Any of the MM_ (Main Mode) states means Phase 1 is still in progress, or has stalled at that step:

Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.22.1.4      172.22.1.3      QM_IDLE               1       0

Router1#

Table 12-3 shows all of the possible ISAKMP SA states.

Table 12-3. ISAKMP SA states

Mode        State name     Description
Main Mode   MM_NO_STATE    There is an ISAKMP SA, but none ...
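When you are watching more than one peer, it is useful to turn the show crypto isakmp sa output into a list of SAs that are not yet established, so that a stuck Phase 1 negotiation stands out. The following parser is an added example written for this page; it is not code from the Cisco IOS Cookbook. It reads the column layout shown above (dst, src, state, conn-id, slot), which is the older IOS format without the status column, and classifies each state by Cisco's naming convention: QM_IDLE is an established Phase 1 SA, MM_ states are Main Mode in progress, and AG_ states are Aggressive Mode in progress (the AG_ prefix and the MM_KEY_EXCH row in the sample are Cisco state names not shown on this page). The sample output is constructed, not captured from a real router.

```python
"""Parse 'show crypto isakmp sa' output and flag ISAKMP SAs that are not established."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample output in the column layout shown on this page
# (dst, src, state, conn-id, slot). Not captured from a real router.
SAMPLE_OUTPUT = """\
Router1#show crypto isakmp sa
dst             src             state           conn-id    slot
172.22.1.4      172.22.1.3      QM_IDLE               1       0
172.22.1.9      172.22.1.3      MM_NO_STATE           2       0
172.22.1.12     172.22.1.3      MM_KEY_EXCH           3       0

Router1#
"""


@dataclass(frozen=True)
class IsakmpSa:
    dst: str
    src: str
    state: str
    conn_id: int
    slot: int


def parse_isakmp_sa(output: str) -> list[IsakmpSa]:
    """Return one IsakmpSa per data row of 'show crypto isakmp sa' output.

    Rows are taken positionally after the 'dst src state ...' header line;
    the echoed command, prompt lines, blank lines and the header are skipped.
    """
    sas: list[IsakmpSa] = []
    in_table = False
    for line in output.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "dst" and "state" in fields:
            in_table = True          # header row found; data rows follow
            continue
        if not in_table or "#" in fields[0]:
            continue                 # text before the table, or a prompt line
        if len(fields) < 5:
            continue                 # not a data row
        dst, src, state, conn_id, slot = fields[:5]
        sas.append(IsakmpSa(dst, src, state, int(conn_id), int(slot)))
    return sas


def classify(state: str) -> str:
    """Map an ISAKMP SA state name to a coarse health label.

    Cisco's state names encode the exchange in progress: MM_* is Main Mode,
    AG_* is Aggressive Mode, and QM_IDLE is a completed, authenticated Phase 1
    SA waiting for Quick Mode. Any MM_*/AG_* entry is a Phase 1 negotiation
    that has not finished, or that is stuck at that step.
    """
    if state == "QM_IDLE":
        return "established"
    if state.startswith("MM_"):
        return "negotiating-main-mode"
    if state.startswith("AG_"):
        return "negotiating-aggressive-mode"
    return "unknown"


def unhealthy_sas(output: str) -> list[IsakmpSa]:
    """Return the SAs from the output that are not in the established state."""
    return [sa for sa in parse_isakmp_sa(output) if classify(sa.state) != "established"]


if __name__ == "__main__":
    for sa in parse_isakmp_sa(SAMPLE_OUTPUT):
        print(f"{sa.src} -> {sa.dst}  conn-id {sa.conn_id}  {sa.state:<12} {classify(sa.state)}")
    stuck = unhealthy_sas(SAMPLE_OUTPUT)
    print(f"{len(stuck)} ISAKMP SA(s) not established")
```

A peer that shows up repeatedly in MM_NO_STATE with a fresh conn-id each time is usually one that never answered, or one whose proposal was rejected; pair this output with show crypto ipsec sa for the same peer before deciding which phase is failing.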
