IPsec — IPsec Status Information (2024)

To view status information about active IPsec tunnels, use the show ipsec tunnel command. This command prints status output for all IPsec tunnels, and it also supports printing information for an individual tunnel by providing the tunnel ID. This command supports several additional parameters to increase or decrease the amount of information it displays.

The following forms of show ipsec tunnel are available:

show ipsec tunnel

Display a short summary of all IPsec tunnels.

show ipsec tunnel n

Display a short summary of a specific IPsec tunnel n.

show ipsec tunnel [n] verbose

Display a verbose list of all IPsec tunnels, optionally limited to a single tunnel n. The output shows detailed information such as active encryption, hashing, DH groups, identifiers, and more.

show ipsec tunnel [n] ike [verbose]

Display only IKE parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.

show ipsec tunnel [n] child [verbose]

Display only IPsec child Security Association parameters of all tunnels. Optionally limited to a single tunnel n and/or expanded details with verbose.

IPsec Status Examples

Show the status of tunnel 0:

tnsr# show ipsec tunnel 0
IPsec Tunnel: 0
  IKE SA: ipip0 ID: 13 Version: IKEv2
    Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
    Status: ESTABLISHED Up: 372s Reauth: 25275s
    Child SA: child0 ID: 9
      Status: INSTALLED Up: 372s Rekey: 2583s Expire: 3228s
      Received: 0 bytes, 0 packets
      Transmitted: 0 bytes, 0 packets

Adding the verbose keyword also shows detailed information about the encryption parameters:

tnsr# show ipsec tunnel 0 verbose
IPsec Tunnel: 0
  IKE SA: ipip0 ID: 13 Version: IKEv2
    Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
    Status: ESTABLISHED Up: 479s Rekey: 24757s Reauth: 25168s
    Local ID: 203.0.113.2 Remote ID: 203.0.113.25
    Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PRF: PRF_HMAC_SHA1 DH: MODP_2048
    SPI Init: 1880997989256787091 Resp: 1437908875259838715
    Initiator: true
    Child SA: child0 ID: 9
      Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
      Received: 0 bytes, 0 packets
      Transmitted: 0 bytes, 0 packets
      Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
      SPI in: 2318058408 out: 1979056986

Specifying the ike or child parameter filters the output, and these also support verbose output.

Note

The first Child SA entry uses DH information from the parent IKE SA, and not its own PFS setting. As such, Child SA entries in this situation will display %IKE at the end of their PFS value to indicate the source. The PFS value configured on the Child SA is used when a Child SA is rekeyed.

tnsr# show ipsec tunnel 0 ike
IPsec Tunnel: 0
  IKE SA: ipip0 ID: 13 Version: IKEv2
    Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
    Status: ESTABLISHED Up: 372s Reauth: 25275s

tnsr# show ipsec tunnel 0 ike verbose
IPsec Tunnel: 0
  IKE SA: ipip0 ID: 13 Version: IKEv2
    Local: 203.0.113.2[500] Remote: 203.0.113.25[500]
    Status: ESTABLISHED Up: 479s Reauth: 25168s
    Local ID: 203.0.113.2 Remote ID: 203.0.113.25
    Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PRF: PRF_HMAC_SHA1 DH: MODP_2048
    SPI Init: 1880997989256787091 Resp: 1437908875259838715
    Initiator: true
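
The verbose output above can be checked against an expected state and algorithm set. The following is an added example, not part of the original page or of TNSR: parse_status, audit, the policy format and the policy values are hypothetical, and treating ESTABLISHED and INSTALLED as the healthy states is an assumption based on the examples shown here.

```python
import re

# A value is one token plus an optional key length, as in "AES_CBC 128".
TOKEN_RE = re.compile(r"\b(IPsec Tunnel|IKE SA|Child SA|Status|Cipher|MAC|PRF"
                      r"|DH|PFS):[ \t]*(\S+(?: \d+)?)")
# Assumption: the states shown in the page's examples are the healthy ones.
HEALTHY = {"IKE SA": "ESTABLISHED", "Child SA": "INSTALLED"}

def parse_status(text):
    """Group fields by tunnel, then by IKE SA or Child SA."""
    tunnels, sa = [], None
    for key, value in TOKEN_RE.findall(text):
        if key == "IPsec Tunnel":
            tunnels.append({"id": value, "sas": []})
        elif key in HEALTHY and tunnels:
            sa = {"kind": key, "name": value}
            tunnels[-1]["sas"].append(sa)
        elif sa is not None:
            sa[key] = value
    return tunnels

def audit(tunnels, policy):
    """Return deviations from an operator-supplied policy (hypothetical format)."""
    findings = []
    for t in tunnels:
        for sa in t["sas"]:
            where = f"tunnel {t['id']} {sa['kind']} {sa['name']}"
            if sa.get("Status") != HEALTHY[sa["kind"]]:
                findings.append(f"{where}: Status is {sa.get('Status')}")
            for field in ("Cipher", "MAC", "PRF", "DH", "PFS"):
                # The first Child SA may show %IKE after its PFS value.
                value = sa.get(field, "").split("%")[0]
                if value and value not in policy.get(field, {value}):
                    findings.append(f"{where}: {field} {value} not in policy")
    return findings

# Values from the verbose example on this page; line layout is assumed.
SAMPLE = """\
IPsec Tunnel: 0
  IKE SA: ipip0 ID: 13 Version: IKEv2
    Status: ESTABLISHED Up: 479s Rekey: 24757s Reauth: 25168s
    Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PRF: PRF_HMAC_SHA1 DH: MODP_2048
    Child SA: child0 ID: 9
      Status: INSTALLED Up: 479s Rekey: 2476s Expire: 3121s
      Cipher: AES_CBC 128 MAC: HMAC_SHA1_96 PFS: MODP_2048
"""
# Constructed policy: algorithm names this operator expects to see negotiated.
POLICY = {"Cipher": {"AES_CBC 128"}, "MAC": {"HMAC_SHA2_256_128"}}
print(*audit(parse_status(SAMPLE), POLICY), sep="\n")
```

Fields missing from the policy are not checked, so the same function works on non-verbose output, where only the Status values are present.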

Author: Lilliana Bartoletti