IPsec Status Information

To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing tunnel information individually by providing the tunnel ID. This command supports several additional parameters to increase or decrease the amount of information it displays.

The following forms of show ipsec tunnel are available:

show ipsec tunnel

Display a short summary of all IPsec tunnels.

show ipsec tunnel n

Display a short summary of a specific IPsec tunnel n.

show ipsec tunnel [n] verbose

Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as active encryption, hashing, DH groups, identifiers, and more.

show ipsec tunnel [n] ike [verbose]

Display only IKE parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.

show ipsec tunnel [n] child [verbose]

Display only IPsec child Security Association parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose

IPsec Status Examples

Show the status of tunnel 0:

tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
    IKE SA: ipsec0    ID: 13    Version: IKEv1
        Local: 203.0.113.2        Remote: 203.0.113.25
        Status: ESTABLISHED    Up: 372s    Reauth: 25275s
        Child SA: child0    ID: 7
            Status: INSTALLED    Up: 372s    Rekey: 2523s    Expire: 3228s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
        Child SA: child0    ID: 8
            Status: INSTALLED    Up: 372s    Rekey: 2813s    Expire: 3228s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
        Child SA: child0    ID: 9
            Status: INSTALLED    Up: 372s    Rekey: 2583s    Expire: 3228s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets

Adding the verbose keyword also shows detailed information about the encryption parameters:

tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
    IKE SA: ipsec0    ID: 13    Version: IKEv1
        Local: 203.0.113.2        Remote: 203.0.113.25
        Status: ESTABLISHED    Up: 479s    Reauth: 25168s
        Local ID: 203.0.113.2    Remote ID: 203.0.113.25
        Cipher: AES_CBC 128    MAC: HMAC_SHA1_96
        PRF: PRF_HMAC_SHA1    DH: MODP_2048
        SPI Init: 1880997989256787091    Resp: 1437908875259838715
        Initiator: yes
        Child SA: child0    ID: 7
            Status: INSTALLED    Up: 479s    Rekey: 2416s    Expire: 3121s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_2048
            SPI in: 3540263882    out: 974161796
        Child SA: child0    ID: 8
            Status: INSTALLED    Up: 479s    Rekey: 2706s    Expire: 3121s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_2048
            SPI in: 2432966668    out: 1361993947
        Child SA: child0    ID: 9
            Status: INSTALLED    Up: 479s    Rekey: 2476s    Expire: 3121s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_2048
            SPI in: 2318058408    out: 1979056986

Specifying the ike or child parameter filters the output, and these also support verbose output.

tnsr# show ipsec tunnel 0 ike
IPsec Tunnel: 0
    IKE SA: ipsec0    ID: 13    Version: IKEv1
        Local: 203.0.113.2        Remote: 203.0.113.25
        Status: ESTABLISHED    Up: 372s    Reauth: 25275s
tnsr# show ipsec tunnel 0 ike verbose
IPsec Tunnel: 0
    IKE SA: ipsec0    ID: 13    Version: IKEv1
        Local: 203.0.113.2        Remote: 203.0.113.25
        Status: ESTABLISHED    Up: 479s    Reauth: 25168s
        Local ID: 203.0.113.2    Remote ID: 203.0.113.25
        Cipher: AES_CBC 128    MAC: HMAC_SHA1_96
        PRF: PRF_HMAC_SHA1    DH: MODP_2048
        SPI Init: 1880997989256787091    Resp: 1437908875259838715
        Initiator: yes