We have a Cisco 2801 that also acts as a VPN Server for Cisco VPN Client.
We would like to configure IP address logging so that each time a user connects using VPN we would like to log his IP Address.
So far there were only 3 of us. However, as time passes by, more and more employees are required to connect to the office using VPN and I don't want to use sh crypto isakmp sa to verify the IP address for each new VPN connection.
For example: When someone from the group stuff logs in, I would like that and his IP address to be logged to the syslog.
In the example below a user with source IP address 92.XX.XX.157 has connected to the VPN server. The only thing I am receiving on that router is:
Feb 12 11:53:14: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access5, changed state to up
But there is no way to know who logged in until I connect to the router and issue sh crypto isakmp sa:
Router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
81.XX.XX.XX 92.XX.XX.157 QM_IDLE 1111 0 ACTIVE
Router#
Router#sh crypto session
Crypto session current status
Interface: Virtual-Access5
Profile: sdm-ike-profile-1
Group: stuff
Assigned address: 192.168.5.151
Session status: UP-ACTIVE
Peer: 92.XX.XX.157 port 38238
IKE SA: local 81.XX.XX.XX/4500 remote 92.XX.XX.157/38238 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.5.151
Active SAs: 2, origin: crypto map
How can we achieve this?
Best Answer
The crypto logging session command is about the best you're going to get. It was introduced in IOS 12.3(4)T. This will cause tunnel up/down events to be logged in the form:

There's not much detail in that logging. If you're using the "EasyVPN" functionality then the crypto logging ezvpn command will give you even more detail.

You should definitely be logging at your AAA server in addition to logging at the router itself.