Tip
This is the documentation for the 19.02 version. Looking for the documentation of the latest version? Have a look here.
IPsec Status Information
To view status information about active IPsec tunnels, use the show ipsec tunnel command. That command prints status output for all IPsec tunnels, but it also supports printing tunnel information individually by providing the tunnel ID:
tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv1
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 372s Reauth: 25275s
Child SA: child0 ID: 7
Status: INSTALLED Up: 372s Rekey: 2523s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Child SA: child0 ID: 8
Status: INSTALLED Up: 372s Rekey: 2813s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Child SA: child0 ID: 9
Status: INSTALLED Up: 372s Rekey: 2583s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
This command supports several additional parameters to increase or decrease the amount of information displayed.
Adding the verbose keyword also shows detailed information about the encryption parameters:
tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv1
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 479s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: yes
Child SA: child0 ID: 7
Status: INSTALLED Up: 479s Rekey: 2416s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 3540263882 out: 974161796
Child SA: child0 ID: 8
Status: INSTALLED Up: 479s Rekey: 2706s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2432966668 out: 1361993947
Child SA: child0 ID: 9
Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2318058408 out: 1979056986
Specifying the ike or child parameter filters the output, and these also support verbose output.
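The verbose output shown above can be checked mechanically. The following Python sketch is an added example, not part of the TNSR documentation or of TNSR itself: it parses that output layout into one record per SA and flags SAs that are not ESTABLISHED/INSTALLED, are close to expiry, or use parameters named in a local policy. The sample text (including the REKEYING state and the timers of child SA 8), the 60-second threshold, the LEGACY policy and the function names are assumptions made for the example.

```python
import re
# Constructed sample in the layout of `show ipsec tunnel 0 verbose` (child 8 altered)
SAMPLE = """\
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv1
Status: ESTABLISHED Up: 479s Reauth: 25168s
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
Child SA: child0 ID: 7
Status: INSTALLED Up: 479s Rekey: 2416s Expire: 3121s
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
Child SA: child0 ID: 8
Status: REKEYING Up: 479s Rekey: 0s Expire: 40s
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
"""
# "Key: value" pairs; a value runs until the next "Key:" or the end of the line
KEY = r"[A-Za-z]+(?: [A-Za-z]+)?"
PAIR = re.compile(rf"({KEY}):\s+(\S.*?)(?=\s+{KEY}:|$)")
# Example policy: an assumption for this sketch, not a TNSR default
LEGACY = {"Version": {"IKEv1"}, "MAC": {"HMAC_SHA1_96"}, "PRF": {"PRF_HMAC_SHA1"}}
HEALTHY = {"IKE SA": "ESTABLISHED", "Child SA": "INSTALLED"}

def parse(text):
    """Return one dict per IKE SA / Child SA, tagged with its tunnel number."""
    sas, tunnel = [], None
    for line in text.splitlines():
        fields = dict(PAIR.findall(line.strip()))
        if "IPsec Tunnel" in fields:
            tunnel = fields["IPsec Tunnel"]
        elif "IKE SA" in fields or "Child SA" in fields:
            kind = "IKE SA" if "IKE SA" in fields else "Child SA"
            sas.append({"tunnel": tunnel, "kind": kind, "name": fields.pop(kind), **fields})
        elif sas:
            sas[-1].update(fields)  # continuation line of the current SA
    return sas

def audit(sas, min_expire=60):
    """List SAs that are unhealthy, close to hard expiry, or match LEGACY."""
    findings = []
    for sa in sas:
        where = f"tunnel {sa['tunnel']} {sa['kind']} {sa['name']} ID {sa.get('ID')}"
        if sa.get("Status") != HEALTHY[sa["kind"]]:
            findings.append(f"{where}: status {sa.get('Status')}")
        if "Expire" in sa and int(sa["Expire"].rstrip("s")) < min_expire:
            findings.append(f"{where}: expires in {sa['Expire']}")
        findings += [f"{where}: {k} {sa[k]}" for k, bad in LEGACY.items() if sa.get(k) in bad]
    return findings
if __name__ == "__main__":
    print("\n".join(audit(parse(SAMPLE))))
```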
Command Examples
- show ipsec tunnel:
  Display a short summary of all IPsec tunnels.
- show ipsec tunnel n:
  Display a short summary of a specific IPsec tunnel n.
- show ipsec tunnel [n] verbose:
  Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as active encryption, hashing, DH groups, identifiers, and more.
- show ipsec tunnel [n] ike [verbose]:
  Display only IKE parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.
- show ipsec tunnel [n] child [verbose]:
  Display only IPsec child Security Association parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.