IPsec Status Information

To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it can also print the information for a single tunnel when given the tunnel ID. Several additional parameters increase or decrease the amount of information it displays.

The following forms of show ipsec tunnel are available:
- show ipsec tunnel: Display a short summary of all IPsec tunnels.
- show ipsec tunnel n: Display a short summary of the specific IPsec tunnel n.
- show ipsec tunnel [n] brief: Display a summarized list of connected IPsec peers (tunnels and remote access users), including their endpoint address and their virtual tunnel addresses if present. This can be limited to a single tunnel by providing the ID number before the brief keyword.
- show ipsec tunnel [n] verbose: Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as the active encryption, hashing, DH groups, identifiers, and more.
- show ipsec tunnel [n] ike [verbose]: Display only the IKE parameters of all tunnels, optionally limited to a single tunnel n and/or expanded with verbose.
- show ipsec tunnel [n] child [verbose]: Display only the IPsec Child Security Association parameters of all tunnels, optionally limited to a single tunnel n and/or expanded with verbose.
IPsec Status Examples

Using the brief keyword prints a summarized view of all connected tunnels:
tnsr# show ipsec tunnel brief
Client    Remote address      Virtual IPv4    Virtual IPv6
------    --------------      ------------    ------------
IPsec Tunnel: 1
          203.0.113.14        203.0.113.14
IPsec Tunnel: 2
alice     10.255.10.57        10.2.220.100    2001:db8:f0:10:100
bob       10.255.10.8:4500    10.2.220.101    2001:db8:f0:10:101
carol     10.255.10.7:4500    10.2.220.102    2001:db8:f0:10:102
To show the status of a single tunnel (0):
tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
IKE SA: ipip0 ID: 13 Version: IKEv2
Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
Status: ESTABLISHED Up: 372s Reauth: 25275s
Child SA: child0 ID: 9
Status: INSTALLED Up: 372s Rekey: 2583s Expire: 3228s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Adding the verbose keyword also shows detailed information about the encryption parameters:
tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
IKE SA: ipip0 ID: 13 Version: IKEv2
Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
Status: ESTABLISHED Up: 479s Rekey: 24757s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: true
Child SA: child0 ID: 9
Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
SPI in: 2318058408 out: 1979056986
Specifying the ike or child parameter filters the output to that part of the status, and both also support verbose output.

Note: The first Child SA entry uses DH information from the parent IKE SA, and not its own PFS setting. As such, Child SA entries in this situation will display %IKE at the end of their PFS value to indicate the source. The PFS value configured on the Child SA is used when a Child SA is rekeyed.
tnsr# show ipsec tunnel 0 ike
IPsec Tunnel: 0
IKE SA: ipip0 ID: 13 Version: IKEv2
Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
Status: ESTABLISHED Up: 372s Reauth: 25275s
tnsr# show ipsec tunnel 0 ike verbose
IPsec Tunnel: 0
IKE SA: ipip0 ID: 13 Version: IKEv2
Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
Status: ESTABLISHED Up: 479s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: true
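The status output is plain text, so watching tunnel health from a script means parsing it. The following is an added example, not part of TNSR or its documentation: it parses show ipsec tunnel [n] verbose output into records, handles the %IKE suffix on the PFS value described in the note above, and runs a few operator checks (SA state, negotiated MAC against an allowlist, time until rekey). It assumes the field names and the Key: value layout shown on this page are stable; the sample output is constructed from the page's own example with a %IKE suffix added to the Child SA line, and the allowlist values are illustrative policy choices, not TNSR defaults.

```python
"""Parse `show ipsec tunnel [n] verbose` output and run operator checks.

Added example; not TNSR code. Assumes the field layout shown in the docs.
"""
import re

# Constructed sample: the page's verbose output for tunnel 0, with the
# `%IKE` PFS suffix from the note added to exercise that case.
SAMPLE_OUTPUT = """\
IPsec Tunnel: 0
IKE SA: ipip0 ID: 13 Version: IKEv2
Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
Status: ESTABLISHED Up: 479s Rekey: 24757s Reauth: 25168s
Local ID: 203.0.113.2 Remote ID: 203.0.113.25
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96
PRF: PRF_HMAC_SHA1 DH: MODP_2048
SPI Init: 1880997989256787091 Resp: 1437908875259838715
Initiator: true
Child SA: child0 ID: 9
Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
Received: 0 bytes, 0 packets
Transmitted: 0 bytes, 0 packets
Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048%IKE
SPI in: 2318058408 out: 1979056986
"""

# Field names seen in the output. Multi-word names are listed explicitly so
# that "Local ID:" is not split into "Local" and "ID".
FIELD_NAMES = [
    "IPsec Tunnel", "IKE SA", "Child SA", "Local ID", "Remote ID", "SPI Init",
    "SPI in", "Transmitted", "Initiator", "Received", "Version", "Status",
    "Reauth", "Expire", "Cipher", "Remote", "Local", "Rekey", "Resp", "PRF",
    "MAC", "PFS", "out", "Up", "DH", "ID",
]
# Longest names first so the alternation prefers "Local ID" over "Local".
FIELD_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in sorted(FIELD_NAMES, key=len, reverse=True)) + r"):\s*"
)


def split_fields(line):
    """'Cipher: AES_CBC 128 MAC: HMAC_SHA1_96' -> [('Cipher', 'AES_CBC 128'), ('MAC', 'HMAC_SHA1_96')]."""
    parts = FIELD_RE.split(line.strip())  # [leading text, name, value, name, value, ...]
    return [(parts[i], parts[i + 1].strip()) for i in range(1, len(parts) - 1, 2)]


def parse_tunnels(text):
    """Return a list of {'tunnel': n, 'ike': {...}, 'children': [{...}, ...]} records."""
    tunnels, section = [], None
    for line in text.splitlines():
        for name, value in split_fields(line):
            if name == "IPsec Tunnel":
                tunnels.append({"tunnel": int(value), "ike": {}, "children": []})
                section = None
            elif name == "IKE SA":
                section = tunnels[-1]["ike"]
                section["name"] = value
            elif name == "Child SA":
                section = {"name": value}
                tunnels[-1]["children"].append(section)
            elif name == "PFS" and section is not None:
                # "MODP_2048%IKE" means the DH group came from the parent IKE SA,
                # not from the Child SA's own PFS setting (see the note above).
                group, _, source = value.partition("%")
                section["PFS"] = group
                section["PFS source"] = source or "child"
            elif section is not None:
                section[name] = value
    return tunnels


def seconds(value):
    """Convert a duration such as '2476s' to an integer number of seconds."""
    return int(value.rstrip("s"))


def check_tunnels(tunnels, allowed_macs, rekey_warn_secs=300):
    """Return human-readable findings: SA state, MAC policy, inherited PFS, imminent rekey."""
    findings = []
    for t in tunnels:
        ike, label = t["ike"], f"tunnel {t['tunnel']}"
        if ike.get("Status") != "ESTABLISHED":
            findings.append(f"{label}: IKE SA {ike.get('name')} is {ike.get('Status')}")
        if ike.get("MAC") not in allowed_macs:
            findings.append(f"{label}: IKE SA MAC {ike.get('MAC')} is outside policy")
        for child in t["children"]:
            cname = child.get("name")
            if child.get("Status") != "INSTALLED":
                findings.append(f"{label}: Child SA {cname} is {child.get('Status')}")
            if child.get("MAC") not in allowed_macs:
                findings.append(f"{label}: Child SA {cname} MAC {child.get('MAC')} is outside policy")
            if child.get("PFS source") == "IKE":
                findings.append(f"{label}: Child SA {cname} PFS {child['PFS']} inherited from IKE SA;"
                                " configured PFS applies at next rekey")
            if "Rekey" in child and seconds(child["Rekey"]) < rekey_warn_secs:
                findings.append(f"{label}: Child SA {cname} rekeys in {child['Rekey']}")
    return findings


if __name__ == "__main__":
    # Illustrative policy: the allowlist below is a choice for this example, not a TNSR default.
    for finding in check_tunnels(parse_tunnels(SAMPLE_OUTPUT), allowed_macs={"HMAC_SHA1_96"}):
        print(finding)
```

Run against a live box, feed the captured text of show ipsec tunnel verbose to parse_tunnels() in place of SAMPLE_OUTPUT. Because the IKE SA and Child SA lines share field names (Status, Cipher, MAC, Rekey), the parser keys everything off the most recent IKE SA or Child SA header, which is what makes the per-SA checks possible.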