IPsec Status Information

To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing tunnel information individually by providing the tunnel ID. This command supports several additional parameters to increase or decrease the amount of information it displays.

The following forms of show ipsec tunnel are available:

show ipsec tunnel:

Display a short summary of all IPsec tunnels.

show ipsec tunnel n:

Display a short summary of a specific IPsec tunnel n.

show ipsec tunnel [n] brief:

Display a summarized list of connected IPsec peers (tunnels and remote access users), including their endpoint address and virtual tunnel addresses if present.

This can be limited to a single tunnel by providing the ID number before the brief keyword.

show ipsec tunnel [n] verbose:

Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as active encryption, hashing, DH groups, identifiers, and more.

show ipsec tunnel [n] ike [verbose]:

Display only IKE parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.

show ipsec tunnel [n] child [verbose]:

Display only IPsec child Security Association parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.

IPsec Status Examples

Using the brief keyword prints a summarized view of all connected tunnels:

tnsr# show ipsec tunnel brief
  Client              Remote address           Virtual IPv4        Virtual IPv6
  ------              --------------           ------------        ------------
IPsec Tunnel: 1
  203.0.113.14        203.0.113.14
IPsec Tunnel: 2
  alice               10.255.10.57             10.2.220.100        2001:db8:f0:10:100
  bob                 10.255.10.8:4500         10.2.220.101        2001:db8:f0:10:101
  carol               10.255.10.7:4500         10.2.220.102        2001:db8:f0:10:102

To show the status of a single tunnel (here, tunnel 0):

tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
    IKE SA: ipip0    ID: 13    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.25[500]
        Status: ESTABLISHED    Up: 372s    Reauth: 25275s
        Child SA: child0    ID: 9
            Status: INSTALLED    Up: 372s    Rekey: 2583s    Expire: 3228s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets

Adding the verbose keyword also shows detailed information about the encryption parameters:

tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
    IKE SA: ipip0    ID: 13    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.25[500]
        Status: ESTABLISHED    Up: 479s    Rekey: 24757s   Reauth: 25168s
        Local ID: 203.0.113.2    Remote ID: 203.0.113.25
        Cipher: AES_CBC 128    MAC: HMAC_SHA1_96
        PRF: PRF_HMAC_SHA1    DH: MODP_2048
        SPI Init: 1880997989256787091    Resp: 1437908875259838715
        Initiator: true
        Child SA: child0    ID: 9
            Status: INSTALLED    Up: 479s    Rekey: 2476s    Expire: 3121s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_2048
            SPI in: 2318058408    out: 1979056986

Specifying the ike or child parameter filters the output, and these also support verbose output.

Note

The first Child SA entry uses DH information from the parent IKE SA, and not its own PFS setting. As such, Child SA entries in this situation will display %IKE at the end of their PFS value to indicate the source. The PFS value configured on the Child SA is used when a Child SA is rekeyed.

tnsr# show ipsec tunnel 0 ike
IPsec Tunnel: 0
    IKE SA: ipip0    ID: 13    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.25[500]
        Status: ESTABLISHED    Up: 372s    Reauth: 25275s
tnsr# show ipsec tunnel 0 ike verbose
IPsec Tunnel: 0
    IKE SA: ipip0    ID: 13    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.25[500]
        Status: ESTABLISHED    Up: 479s    Reauth: 25168s
        Local ID: 203.0.113.2    Remote ID: 203.0.113.25
        Cipher: AES_CBC 128    MAC: HMAC_SHA1_96
        PRF: PRF_HMAC_SHA1    DH: MODP_2048
        SPI Init: 1880997989256787091    Resp: 1437908875259838715
        Initiator: true
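The verbose and ike verbose listings above are meant for a human at the console, but the same fields are what an operator wants to check routinely: is every IKE SA ESTABLISHED and every Child SA INSTALLED, and do the negotiated DH and PFS groups meet the site's baseline. The following Python script is an added example, not TNSR code or output from a real device: it parses text in the format shown on this page into nested records, splits the %IKE suffix described in the note so the PFS group's origin is reported correctly, and runs a small policy check. The sample text is constructed (tunnel 0 copies the page's example; tunnel 1 is invented to exercise the checks, and its INSTALLING status and MODP_1024 group are assumptions), and the "MODP groups below 2048 bits" policy is an illustrative threshold, not a TNSR setting.

```python
"""Parse `show ipsec tunnel [n] [ike] verbose` text and run health/policy checks."""
import re

# Constructed sample in the page's output format (not captured from a device).
# Tunnel 0 mirrors the page's example; tunnel 1 is invented to exercise the
# checks: a weak IKE DH group, a child not yet INSTALLED, and a PFS value
# carrying the %IKE suffix described in the note.
SAMPLE = """\
IPsec Tunnel: 0
    IKE SA: ipip0    ID: 13    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.25[500]
        Status: ESTABLISHED    Up: 479s    Rekey: 24757s   Reauth: 25168s
        Local ID: 203.0.113.2    Remote ID: 203.0.113.25
        Cipher: AES_CBC 128    MAC: HMAC_SHA1_96
        PRF: PRF_HMAC_SHA1    DH: MODP_2048
        SPI Init: 1880997989256787091    Resp: 1437908875259838715
        Initiator: true
        Child SA: child0    ID: 9
            Status: INSTALLED    Up: 479s    Rekey: 2476s    Expire: 3121s
            Received: 0 bytes, 0 packets
            Transmitted: 0 bytes, 0 packets
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_2048
            SPI in: 2318058408    out: 1979056986
IPsec Tunnel: 1
    IKE SA: ipip1    ID: 14    Version: IKEv2
        Local: 203.0.113.2[500]     Remote: 203.0.113.30[500]
        Status: ESTABLISHED    Up: 12s    Rekey: 25000s   Reauth: 25400s
        PRF: PRF_HMAC_SHA1    DH: MODP_1024
        Child SA: child1    ID: 10
            Status: INSTALLING    Up: 12s    Rekey: 2500s    Expire: 3200s
            Cipher: AES_CBC 128    MAC: HMAC_SHA1_96    PFS: MODP_1024%IKE
            SPI in: 3    out: 4
"""

# Illustrative policy (an assumption, not a TNSR setting): reject MODP groups
# below 2048 bits. Extend to match the site's own crypto baseline.
WEAK_DH = {"MODP_768", "MODP_1024", "MODP_1536"}


def _fields(line):
    """Split 'Key: value    Key2: value2' into a dict (columns = 2+ spaces)."""
    out = {}
    for chunk in re.split(r"\s{2,}", line.strip()):
        key, sep, val = chunk.partition(": ")
        if sep:
            out[key] = val  # 'AES_CBC 128' keeps its inner single space
    return out


def parse_tunnels(text):
    """Return [{'id': n, 'ike_sas': [{'name', ..., 'children': [...]}]}]."""
    tunnels, ike, child, child_indent = [], None, None, 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        kv = _fields(raw)
        if "IPsec Tunnel" in kv:
            tunnels.append({"id": int(kv["IPsec Tunnel"]), "ike_sas": []})
            ike = child = None
        elif "IKE SA" in kv:
            ike = {"name": kv.pop("IKE SA"), "children": [], **kv}
            tunnels[-1]["ike_sas"].append(ike)
            child = None
        elif "Child SA" in kv:
            child = {"name": kv.pop("Child SA"), **kv}
            child_indent = indent
            ike["children"].append(child)
        elif child is not None and indent > child_indent:
            child.update(kv)  # field line nested under the Child SA
        elif ike is not None:
            ike.update(kv)  # field line nested under the IKE SA
    return tunnels


def split_pfs(value):
    """'MODP_2048%IKE' -> ('MODP_2048', True); the suffix means the group was
    taken from the parent IKE SA, not from the child's own PFS setting."""
    group, _, source = value.partition("%")
    return group, source == "IKE"


def check_tunnels(tunnels):
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    for t in tunnels:
        for ike in t["ike_sas"]:
            tag = f"tunnel {t['id']} {ike['name']}"
            if ike.get("Status") != "ESTABLISHED":
                findings.append(f"{tag}: IKE SA status is {ike.get('Status')}")
            if ike.get("DH") in WEAK_DH:
                findings.append(f"{tag}: IKE DH group {ike['DH']} is below policy")
            for ch in ike["children"]:
                ctag = f"{tag}/{ch['name']}"
                if ch.get("Status") != "INSTALLED":
                    findings.append(f"{ctag}: child SA status is {ch.get('Status')}")
                group, inherited = split_pfs(ch.get("PFS", ""))
                if group in WEAK_DH:
                    origin = "inherited from IKE SA" if inherited else "child PFS setting"
                    findings.append(f"{ctag}: PFS group {group} ({origin}) is below policy")
    return findings
```

Feed the script the captured text of show ipsec tunnel verbose (or ike verbose, which simply yields IKE SAs with no children) and print check_tunnels(parse_tunnels(text)). On the sample, tunnel 0 produces no findings; tunnel 1 reports its MODP_1024 IKE group, its INSTALLING child, and the child's MODP_1024 PFS group marked as inherited from the IKE SA, which is exactly the distinction the %IKE suffix exists to make.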