IPsec protocol
These commands check whether the IPsec protocol information is correct.
vpn ipsec show policy: checks the information available on kernel crypto policies.
Example:
admin@osdx$ vpn ipsec show policy
src 10.0.0.1/32 dst 10.0.0.2/32
        dir out priority 367231
        tmpl src 10.0.0.1 dst 10.0.0.2
                proto esp spi 0xcde9784b reqid 1 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
        dir fwd priority 367231
        tmpl src 10.0.0.2 dst 10.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
        dir in priority 367231
        tmpl src 10.0.0.2 dst 10.0.0.1
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
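A tunnel is only usable when the kernel holds all three policies for it (out, in and fwd, tied together by the reqid) and their traffic selectors mirror each other; a missing or mismatched entry is a common reason for a tunnel that is ESTABLISHED in IKE yet passes no traffic. The following script is an added example, not part of the page or of the OSDx software: it parses the listing above (copied from the page, abridged to the three tunnel policies plus one IPv4 and one IPv6 pair of socket policies) and reports, per reqid, any direction that is missing or any selector that does not mirror its counterpart. The regular expressions assume the line layout shown on the page.

```python
import re
from collections import defaultdict

# Copied from the page's "vpn ipsec show policy" example, abridged to the three
# tunnel policies plus one IPv4 and one IPv6 pair of socket policies.
POLICY_OUTPUT = """\
src 10.0.0.1/32 dst 10.0.0.2/32
        dir out priority 367231
        tmpl src 10.0.0.1 dst 10.0.0.2
                proto esp spi 0xcde9784b reqid 1 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
        dir fwd priority 367231
        tmpl src 10.0.0.2 dst 10.0.0.1
                proto esp reqid 1 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
        dir in priority 367231
        tmpl src 10.0.0.2 dst 10.0.0.1
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^(dir|socket) (in|out|fwd) priority (\d+)$")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"^proto (\w+)(?: spi (0x[0-9a-f]+))? reqid (\d+) mode (\w+)$")


def parse_policies(text):
    """Turn the 'vpn ipsec show policy' listing into one dict per policy entry."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SEL_RE.match(line):
            # Each entry starts with its traffic selector; the following lines refine it.
            cur = {"src": m[1], "dst": m[2], "kind": None, "dir": None, "reqid": None}
            policies.append(cur)
        elif cur is None:
            continue
        elif m := DIR_RE.match(line):
            cur.update(kind=m[1], dir=m[2], priority=int(m[3]))
        elif m := TMPL_RE.match(line):
            cur.update(tmpl_src=m[1], tmpl_dst=m[2])
        elif m := PROTO_RE.match(line):
            cur.update(proto=m[1], reqid=int(m[3]), mode=m[4])
    return policies


def count_by_kind(policies):
    """Number of 'dir' (tunnel) entries versus 'socket' (IKE bypass) entries."""
    counts = defaultdict(int)
    for p in policies:
        counts[p["kind"]] += 1
    return dict(counts)


def check_tunnel_policies(policies):
    """Per reqid: report missing directions and selectors that do not mirror each other.

    An empty list for a reqid means that tunnel's out/in/fwd policies are consistent.
    """
    by_reqid = defaultdict(dict)
    for p in policies:
        if p["kind"] == "dir" and p["reqid"] is not None:
            by_reqid[p["reqid"]][p["dir"]] = p
    findings = {}
    for reqid, dirs in by_reqid.items():
        problems = [f"missing {d} policy" for d in ("out", "in", "fwd") if d not in dirs]
        out, inn, fwd = dirs.get("out"), dirs.get("in"), dirs.get("fwd")
        if out and inn and (out["src"], out["dst"]) != (inn["dst"], inn["src"]):
            problems.append("in selector does not mirror out selector")
        if inn and fwd and (inn["src"], inn["dst"]) != (fwd["src"], fwd["dst"]):
            problems.append("fwd selector differs from in selector")
        findings[reqid] = problems
    return findings


if __name__ == "__main__":
    pols = parse_policies(POLICY_OUTPUT)
    print(count_by_kind(pols))          # {'dir': 3, 'socket': 4}
    print(check_tunnel_policies(pols))  # {1: []}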
vpn ipsec show sa: checks information related to the IPsec security associations (SAs).
Example:
admin@osdx$ vpn ipsec show sa
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, 0fd20672a782d852_i* 0aab0776adbd3fc1_r
  local '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1479s ago, rekeying in 25550s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 1479s ago, rekeying in 1942s, expires in 2481s
    in c7130959, 168 bytes, 2 packets, 1479s ago
    out cde9784b, 168 bytes, 2 packets, 1479s ago
    local 10.0.0.1/32
    remote 10.0.0.2/32
vpn ipsec show sa local <value>: checks information related to the IPsec SAs, filtered by the selected local peer address.
Example:
admin@osdx$ vpn ipsec show sa local 10.0.0.1
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, 0fd20672a782d852_i* 0aab0776adbd3fc1_r
  local '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1544s ago, rekeying in 25485s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 1544s ago, rekeying in 1877s, expires in 2416s
    in c7130959, 168 bytes, 2 packets, 1544s ago
    out cde9784b, 168 bytes, 2 packets, 1544s ago
    local 10.0.0.1/32
    remote 10.0.0.2/32
vpn ipsec show sa remote <value>: checks information related to the IPsec SAs, filtered by the selected remote peer address.
Example:
admin@osdx$ vpn ipsec show sa remote 10.0.0.2
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, 0fd20672a782d852_i* 0aab0776adbd3fc1_r
  local '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1581s ago, rekeying in 25448s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 1581s ago, rekeying in 1840s, expires in 2379s
    in c7130959, 168 bytes, 2 packets, 1581s ago
    out cde9784b, 168 bytes, 2 packets, 1581s ago
    local 10.0.0.1/32
    remote 10.0.0.2/32
vpn ipsec show state: checks the kernel crypto state (the security associations installed in the kernel).
Example:
admin@osdx$ vpn ipsec show state
src 10.0.0.1 dst 10.0.0.2
        proto esp spi 0xcde9784b reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        auth-trunc hmac(sha1) 0x6e924c645c189d0176cb1dba5a445d5078749249 96
        enc ecb(cipher_null)
        anti-replay context: seq 0x0, oseq 0x2, bitmap 0x00000000
src 10.0.0.2 dst 10.0.0.1
        proto esp spi 0xc7130959 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x4721395ffe9e83a8f77de8eed16bdea194b4b8a0 96
        enc ecb(cipher_null)
        anti-replay context: seq 0x2, oseq 0x0, bitmap 0x00000003
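The `show sa` output gives the IKE daemon's view (proposal, SPIs, rekey and expiry timers) and the `show state` output gives the kernel's view (cipher, replay window) of the same tunnel; reading them side by side is how you confirm that what was negotiated is what is actually protecting packets. The script below is an added example, not part of the page or of the OSDx software: it parses both listings (copied from the page, with the integrity keys on the `auth-trunc` lines replaced by the placeholder `0xREDACTED` and the `anti-replay context` lines omitted) and reports the points a reviewer would flag in this particular output, namely that ESP is negotiated with NULL encryption (integrity only, no confidentiality), that the kernel SAs indeed use `cipher_null`, that the SPIs in both views agree, that the CHILD SA rekeys before it hard-expires, and that the inbound SA has a non-zero anti-replay window (a zero window on the outbound SA is normal). The regular expressions assume the line layout shown on the page.

```python
import re

# Copied from the page's "vpn ipsec show sa" example (indentation restored).
SA_OUTPUT = """\
vpn-peer-SITE1: #1, ESTABLISHED, IKEv2, 0fd20672a782d852_i* 0aab0776adbd3fc1_r
  local '10.0.0.1' @ 10.0.0.1[500]
  remote '10.0.0.2' @ 10.0.0.2[500]
  NULL/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_3072
  established 1479s ago, rekeying in 25550s
  peer-SITE1-tunnel-1: #1, reqid 1, INSTALLED, TUNNEL, ESP:NULL/HMAC_SHA1_96
    installed 1479s ago, rekeying in 1942s, expires in 2481s
    in c7130959, 168 bytes, 2 packets, 1479s ago
    out cde9784b, 168 bytes, 2 packets, 1479s ago
    local 10.0.0.1/32
    remote 10.0.0.2/32
"""

# Copied from the page's "vpn ipsec show state" example; the integrity keys are
# replaced by the placeholder 0xREDACTED and the anti-replay context lines omitted.
STATE_OUTPUT = """\
src 10.0.0.1 dst 10.0.0.2
    proto esp spi 0xcde9784b reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0xREDACTED 96
    enc ecb(cipher_null)
src 10.0.0.2 dst 10.0.0.1
    proto esp spi 0xc7130959 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0xREDACTED 96
    enc ecb(cipher_null)
"""


def parse_sa(text):
    """Extract the IKE SA and its CHILD SA fields from 'vpn ipsec show sa' output."""
    sa = {"ike": {}, "child": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^(\S+): #\d+, reqid (\d+), (\w+), (\w+), ESP:(\S+)$", line):
            sa["child"].update(name=m[1], reqid=int(m[2]), state=m[3], mode=m[4], esp=m[5])
        elif m := re.match(r"^(\S+): #\d+, (\w+), (IKEv\d),", line):
            sa["ike"].update(name=m[1], state=m[2], version=m[3])
        elif m := re.match(r"^(local|remote) '([^']+)' @ \S+\[\d+\]$", line):
            sa["ike"][m[1]] = m[2]
        elif re.fullmatch(r"[A-Z0-9_]+(?:/[A-Z0-9_]+){3}", line):
            sa["ike"]["proposal"] = line  # ENCR/INTEG/PRF/DH of the IKE SA
        elif m := re.match(r"^installed \d+s ago, rekeying in (\d+)s, expires in (\d+)s$", line):
            sa["child"].update(rekey=int(m[1]), expire=int(m[2]))
        elif m := re.match(r"^(in|out) ([0-9a-f]+),", line):
            sa["child"]["spi_" + m[1]] = m[2]  # SPI of the inbound / outbound ESP SA
    return sa


def parse_state(text):
    """One dict per kernel SA from 'vpn ipsec show state' output."""
    states = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"^src (\S+) dst (\S+)$", line):
            states.append({"src": m[1], "dst": m[2]})
        elif m := re.match(r"^proto (\w+) spi 0x([0-9a-f]+) reqid (\d+) mode (\w+)$", line):
            states[-1].update(proto=m[1], spi=m[2], reqid=int(m[3]), mode=m[4])
        elif m := re.match(r"^replay-window (\d+)", line):
            states[-1]["replay_window"] = int(m[1])
        elif m := re.match(r"^enc (\S+)$", line):
            states[-1]["enc"] = m[1]
    return states


def audit(sa_text, state_text):
    """Cross-check the IKE view against the kernel view; returns a list of findings."""
    sa, states = parse_sa(sa_text), parse_state(state_text)
    ike, child = sa["ike"], sa["child"]
    name = child.get("name", "?")
    findings = []
    if child.get("esp", "").split("/")[0] == "NULL":
        findings.append(f"{name}: ESP NULL encryption, integrity only, payload is not confidential")
    if child.get("rekey", 0) >= child.get("expire", 0):
        findings.append(f"{name}: rekey time is not before hard expiry")
    kernel_spis = {s.get("spi") for s in states}
    for d in ("in", "out"):
        if child.get("spi_" + d) not in kernel_spis:
            findings.append(f"{name}: {d} SPI {child.get('spi_' + d)} missing from kernel state")
    for s in states:
        if s.get("enc") == "ecb(cipher_null)":
            findings.append(f"SPI {s['spi']}: kernel SA uses cipher_null")
        # The inbound SA is the one whose destination is our own IKE address; only
        # there does a zero window mean anti-replay protection is switched off.
        if s["dst"] == ike.get("local") and s.get("replay_window", 0) == 0:
            findings.append(f"SPI {s['spi']}: inbound SA has anti-replay window 0")
    return findings


if __name__ == "__main__":
    for finding in audit(SA_OUTPUT, STATE_OUTPUT):
        print(finding)
```

On the page's own output the audit yields three findings, all about NULL encryption (one from the negotiated ESP proposal, two from the kernel SAs); SPIs, timers and the inbound replay window check out. The same functions can be pointed at the output of `vpn ipsec show sa local <value>` or `vpn ipsec show sa remote <value>`, since those commands print the same format filtered by peer address.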
vpn ipsec show ike status: checks the IKE process status (whether it is running, and its PID).
Example:
admin@osdx$ vpn ipsec show ike status
IKE Process Running
PID: 4140