Tip: This is the documentation for the 19.12 version.
IPsec Status Information
To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing tunnel information individually by providing the tunnel ID. This command supports several additional parameters to increase or decrease the amount of information it displays.
The following forms of show ipsec tunnel are available:
- show ipsec tunnel: Display a short summary of all IPsec tunnels.
- show ipsec tunnel n: Display a short summary of a specific IPsec tunnel n.
- show ipsec tunnel [n] verbose: Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as active encryption, hashing, DH groups, identifiers, and more.
- show ipsec tunnel [n] ike [verbose]: Display only IKE parameters of all tunnels, optionally limited to a single tunnel n and/or expanded details with verbose.
- show ipsec tunnel [n] child [verbose]: Display only IPsec child Security Association parameters of all tunnels, optionally limited to a single tunnel n and/or expanded details with verbose.
IPsec Status Examples
Show the status of tunnel 0:
tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv2
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 372s Reauth: 25275s
Child SA: child0 ID: 7
Status: INSTALLED Up: 372s Rekey: 2523s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Child SA: child0 ID: 8
Status: INSTALLED Up: 372s Rekey: 2813s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Child SA: child0 ID: 9
Status: INSTALLED Up: 372s Rekey: 2583s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Adding the verbose keyword also shows detailed information about the encryption parameters:
tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv2
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 479s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: yes
Child SA: child0 ID: 7
Status: INSTALLED Up: 479s Rekey: 2416s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 3540263882 out: 974161796
Child SA: child0 ID: 8
Status: INSTALLED Up: 479s Rekey: 2706s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2432966668 out: 1361993947
Child SA: child0 ID: 9
Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2318058408 out: 1979056986
Specifying the ike or child parameter filters the output, and these also support verbose output.
Note
The first Child SA entry uses DH information from the parent IKE SA, and not its own PFS setting. As such, Child SA entries in this situation will display %IKE at the end of their PFS value to indicate the source. The PFS value configured on the Child SA is used when a Child SA is rekeyed.
tnsr# show ipsec tunnel 0 ike
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv2
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 372s Reauth: 25275s
tnsr# show ipsec tunnel 0 ike verbose
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv2
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 479s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: yes
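The verbose output above is line-oriented and easy to check from a monitoring script, which is useful when an operator wants to confirm that every tunnel is up, that the negotiated cipher, MAC and DH group match policy, and that no Child SA is still running on DH material inherited from the IKE SA (the %IKE suffix described in the note). The parser and audit below are an added example written for this page; they are not part of TNSR and the function names parse_verbose, audit and seconds are hypothetical. The sample text is the tunnel 0 verbose output from this page, trimmed to two Child SAs, with a constructed %IKE suffix added to child 7 so the note's case is exercised.

```python
import re

# Constructed sample: the page's "show ipsec tunnel 0 verbose" output, trimmed
# to two Child SAs. The "%IKE" suffix on child 7 is a constructed variation to
# demonstrate the PFS-from-IKE case the documentation's note describes.
SAMPLE = """\
IPsec Tunnel: 0
IKE SA: ipsec0 ID: 13 Version: IKEv2
Local: 203.0.113.2 Remote: 203.0.113.25
Status: ESTABLISHED Up: 479s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: yes
Child SA: child0 ID: 7
Status: INSTALLED Up: 479s Rekey: 2416s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048%IKE
SPI in: 3540263882 out: 974161796
Child SA: child0 ID: 8
Status: INSTALLED Up: 479s Rekey: 2706s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2432966668 out: 1361993947
"""

# One "Label: value" pair; the value runs until the next "Label: " on the same
# line, so multi-word values such as "AES_CBC 128" stay intact.
KV = re.compile(r"([A-Za-z][A-Za-z ]*?): (.*?)(?=\s+[A-Za-z][A-Za-z ]*?: |$)")


def seconds(value):
    """Turn a CLI duration such as '2416s' into an int."""
    return int(value.rstrip("s"))


def parse_verbose(text):
    """Parse 'show ipsec tunnel [n] verbose' output (hypothetical helper).

    Returns a list of {"tunnel": int, "ike": {...}, "children": [{...}]} with
    the CLI labels as keys. A PFS value ending in "%IKE" is split into the bare
    group name plus a "PFS source": "IKE" marker.
    """
    tunnels = []
    current = None  # the IKE SA or Child SA dict receiving the next lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        pairs = dict(KV.findall(line))
        if "IPsec Tunnel" in pairs:
            tunnels.append({"tunnel": int(pairs["IPsec Tunnel"]), "ike": {}, "children": []})
            current = None
        elif "IKE SA" in pairs:
            current = tunnels[-1]["ike"]
            current.update(pairs)
        elif "Child SA" in pairs:
            current = dict(pairs)
            tunnels[-1]["children"].append(current)
        elif current is not None:
            pfs = pairs.get("PFS")
            if pfs and pfs.endswith("%IKE"):
                pairs["PFS"] = pfs[: -len("%IKE")]
                pairs["PFS source"] = "IKE"
            current.update(pairs)
    return tunnels


def audit(tunnels, expected_dh="MODP_2048", rekey_warn=600):
    """Return human-readable findings an operator should look at.

    expected_dh is the group the local policy requires (assumed value);
    rekey_warn flags Child SAs within that many seconds of rekeying.
    """
    findings = []
    for t in tunnels:
        n, ike = t["tunnel"], t["ike"]
        if ike.get("Status") != "ESTABLISHED":
            findings.append(f"tunnel {n}: IKE SA status is {ike.get('Status', 'missing')}")
        if ike.get("DH") and ike["DH"] != expected_dh:
            findings.append(f"tunnel {n}: IKE DH group {ike['DH']} differs from {expected_dh}")
        for c in t["children"]:
            cid = c.get("ID", "?")
            if c.get("Status") != "INSTALLED":
                findings.append(f"tunnel {n} child {cid}: status is {c.get('Status', 'missing')}")
            if c.get("PFS") and c["PFS"] != expected_dh:
                findings.append(f"tunnel {n} child {cid}: PFS {c['PFS']} differs from {expected_dh}")
            if c.get("PFS source") == "IKE":
                findings.append(f"tunnel {n} child {cid}: PFS inherited from IKE SA; "
                                "configured PFS takes effect at the next rekey")
            if "Rekey" in c and seconds(c["Rekey"]) < rekey_warn:
                findings.append(f"tunnel {n} child {cid}: rekey due in {c['Rekey']}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_verbose(SAMPLE)):
        print(finding)
```

On the sample the only finding is for child 7, whose PFS came from the IKE SA; run against live output, the same script will also report an IKE SA that is not ESTABLISHED, a Child SA that is not INSTALLED, a DH or PFS group that differs from the assumed policy value, or a rekey that is imminent.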