Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Verify the configuration

An example of how to verify the site-to-site VPN with VFP configuration.

Complete these steps to confirm that the configuration is working properly.
  1. Show IKE sessions. Confirm the state is up and that the negotiated proposal (encryption, hash, D-H group, IKE version) is the one you configured. The example below negotiated IKEv1 with AES-256, SHA-1 and D-H group 5; SHA-1 and group 5 are legacy choices, so prefer IKEv2 with a SHA-2 hash and D-H group 14 or higher where the peer supports it.
    vyatta@CORPA:~$ show vpn ike sa
    Peer ID / IP				Local ID / IP
    ------------					-------------
    128.0.0.13					128.0.0.11
    
    	State	Encrypt		Hash	D-H Grp	A-Time	L-Time	IKEv
    	-----	------------	-----	-------	------	------	----
    	up	aes256		sha1	5	0	3000	1
  2. Show the established IPsec (ESP) SAs. A tunnel can show as up with 0.0/0.0 bytes, as here: that proves the SA negotiated, not that traffic is being matched and encrypted, so check the counters again after sending traffic across the tunnel.
    vyatta@CORPA:~$ show vpn ipsec sa
    Peer ID / IP				Local ID / IP
    ------------					-------------
    128.0.0.13					128.0.0.11
    Tunnel	Id	State	Bytes Out/In	Encrypt	Hash	DH	A-Time	L-Time
    ------ 	--	-----	------------	-------	----	--	------	------
    1	3	up	0.0/0.0		aes256	sha1	5	451	1500
  3. Show the detailed SA for the peer. Check that Local Net and Remote Net are the selectors you intended, that the Inbound and Outbound SPIs differ, that the byte counters grow in both directions, and that neither direction is Blocked.
    vyatta@CORPA:~$ show vpn ipsec sa detail peer 128.0.0.13
    ------------------------------------------------------------------
    Peer IP:		128.0.0.13
    Peer ID:		128.0.0.13
    Local IP:		128.0.0.11
    Local ID:		128.0.0.11
    NAT Traversal:		no
    NAT Source Port:	n/a
    NAT Dest Port:		n/a
    
    	Tunnel 1:
    		State:			up
    		Id:			5
    		Inbound SPI:		cee5e0bb
    		Outbound SPI:		ca01d0b1
    		Encryption:		aes256
    		Hash:			sha1
    		DH Group:		5
    
    		Local Net:		10.0.3.0/24
    		Local Protocol:		all
    		Local Port:		all
    
    		Remote Net:		10.0.1.0/24
    		Remote Protocol:	all
    		Remote Port:		all
    
    		Inbound Bytes:		252.0
    		Outbound Bytes:		252.0
    
    		Inbound Blocked:	no
    		Outbound Blocked:	no
    
    		Active Time (s):	318
    		Lifetime (s):		1500
  4. Show SNAT rules.
    vyatta@CORPA:~$ show nat source
    ------------------------
    NAT Rulesets Information
    --------------------------
    SOURCE
    rule	intf	match			translation
    ----	----	-----			-----------
    10	vfp1	from 10.0.2.0/24	dynamic any -> 10.0.3.1-10.0.3.254
  5. Show the SNAT translations that have been seen. The post-NAT source (10.0.3.1 here) is inside the tunnel's Local Net (10.0.3.0/24), so traffic from 10.0.2.0/24 matches the IPsec policy only after translation.
    vyatta@CORPA:~$ show nat source translations
    Pre-NAT		Post-NAT	Prot	Timeout
    10.0.2.1:4323	10.0.3.1:4323	icmp	57
  6. Show NAT sessions.
    vyatta@CORPA:~$ show session table
    TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
    
    CONN ID	Source		Destination	Protocol	TIMEOUT	Intf	Parent
    1	10.0.2.1:4323	10.0.1.1:4323	icmp [1] ES	15	vfp1	0
  7. Optional: View IPsec logs.
    • Display the entire IPsec log.
      show log vpn ipsec
    • Display the tail end of the log.
      monitor vpn ipsec
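A scripted version of the checks in steps 3 and 5, added here as an example and not part of the Vyatta documentation or product: it parses the show vpn ipsec sa detail and show nat source translations output captured above (embedded as constructed samples), checks that the SA is up with the intended selectors, distinct SPIs, traffic in both directions and nothing blocked, flags legacy algorithms, and confirms the post-NAT source address falls inside the tunnel's Local Net. The policy thresholds LEGACY_HASHES and MIN_DH_GROUP, the expected selectors and the function names are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample: the "show vpn ipsec sa detail peer 128.0.0.13" output from
# the verification steps above, trimmed to the fields the checks use.
SAMPLE_DETAIL = """\
Peer IP:        128.0.0.13
Local IP:       128.0.0.11
NAT Traversal:  no

    Tunnel 1:
        State:            up
        Id:               5
        Inbound SPI:      cee5e0bb
        Outbound SPI:     ca01d0b1
        Encryption:       aes256
        Hash:             sha1
        DH Group:         5
        Local Net:        10.0.3.0/24
        Remote Net:       10.0.1.0/24
        Inbound Bytes:    252.0
        Outbound Bytes:   252.0
        Inbound Blocked:  no
        Outbound Blocked: no
"""

# Constructed sample: one row of "show nat source translations".
SAMPLE_TRANSLATION = "10.0.2.1:4323   10.0.3.1:4323   icmp   57"

# Assumed local policy: SHA-1/MD5 and DH groups below 14 are reported as legacy.
LEGACY_HASHES = {"md5", "sha1"}
MIN_DH_GROUP = 14


def parse_detail(text):
    """Return {tunnel_number: {field: value}} from the detail output."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Tunnel (\d+):", line)
        if m:
            current = tunnels.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s*([^:]+):\s*(.*)$", line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return tunnels


def check_tunnel(t, expected_local, expected_remote):
    """Return a list of findings for one tunnel; an empty list means healthy."""
    findings = []
    if t.get("State") != "up":
        findings.append(f"state is {t.get('State')!r}, not up")
    if (t.get("Local Net"), t.get("Remote Net")) != (expected_local, expected_remote):
        findings.append(f"selectors {t.get('Local Net')} -> {t.get('Remote Net')} "
                        f"do not match {expected_local} -> {expected_remote}")
    spi_in, spi_out = t.get("Inbound SPI", "0"), t.get("Outbound SPI", "0")
    if spi_in == spi_out or int(spi_in, 16) == 0 or int(spi_out, 16) == 0:
        findings.append("inbound/outbound SPIs are missing or identical")
    # An "up" SA with traffic in one direction only usually means asymmetric
    # routing or a selector mismatch on the far side; none at all means the
    # policy is not matching the traffic you think it is.
    if float(t.get("Inbound Bytes", 0)) == 0 or float(t.get("Outbound Bytes", 0)) == 0:
        findings.append("no traffic in at least one direction")
    if "yes" in (t.get("Inbound Blocked"), t.get("Outbound Blocked")):
        findings.append("tunnel is blocked")
    if t.get("Hash", "").lower() in LEGACY_HASHES:
        findings.append(f"legacy integrity algorithm {t.get('Hash')}")
    if int(t.get("DH Group", 0)) < MIN_DH_GROUP:
        findings.append(f"DH group {t.get('DH Group')} is below group {MIN_DH_GROUP}")
    return findings


def post_nat_in_local_net(translation_row, local_net):
    """True if the post-NAT source address lies inside the tunnel's Local Net,
    which is what lets SNATed 10.0.2.0/24 traffic match the IPsec policy."""
    post_nat = translation_row.split()[1].rsplit(":", 1)[0]
    return ipaddress.ip_address(post_nat) in ipaddress.ip_network(local_net)


if __name__ == "__main__":
    tunnel = parse_detail(SAMPLE_DETAIL)[1]
    for finding in check_tunnel(tunnel, "10.0.3.0/24", "10.0.1.0/24") or ["healthy"]:
        print(f"tunnel 1: {finding}")
    print("post-NAT source inside Local Net:",
          post_nat_in_local_net(SAMPLE_TRANSLATION, tunnel["Local Net"]))
```

Run against the captured output, the only findings are the two legacy-algorithm warnings; paste in a detail dump from a tunnel whose selectors or counters are wrong and the corresponding check fires instead.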