Verify the configuration
An example of how to verify the site-to-site VPN with VFP configuration.
- Show IKE sessions.
vyatta@CORPA:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.0.0.13                              128.0.0.11

    State  Encrypt       Hash   D-H Grp  A-Time  L-Time  IKEv
    -----  ------------  -----  -------  ------  ------  ----
    up     aes256        sha1   5        0       3000    1
- Show established ESP connections (1).
vyatta@CORPA:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
128.0.0.13                              128.0.0.11

    Tunnel  Id  State  Bytes Out/In  Encrypt  Hash  DH  A-Time  L-Time
    ------  --  -----  ------------  -------  ----  --  ------  ------
    1       3   up     0.0/0.0       aes256   sha1  5   451     1500
- Show established ESP connections (2).
vyatta@CORPA:~$ show vpn ipsec sa detail peer 128.0.0.13
------------------------------------------------------------------
Peer IP:                128.0.0.13
Peer ID:                128.0.0.13
Local IP:               128.0.0.11
Local ID:               128.0.0.11
NAT Traversal:          no
NAT Source Port:        n/a
NAT Dest Port:          n/a

    Tunnel 1:
        State:                  up
        Id:                     5
        Inbound SPI:            cee5e0bb
        Outbound SPI:           ca01d0b1
        Encryption:             aes256
        Hash:                   sha1
        DH Group:               5

        Local Net:              10.0.3.0/24
        Local Protocol:         all
        Local Port:             all

        Remote Net:             10.0.1.0/24
        Remote Protocol:        all
        Remote Port:            all

        Inbound Bytes:          252.0
        Outbound Bytes:         252.0
        Inbound Blocked:        no
        Outbound Blocked:       no
        Active Time (s):        318
        Lifetime (s):           1500
- Show SNAT rules.
vyatta@CORPA:~$ show nat source
------------------------
NAT Rulesets Information
--------------------------
SOURCE
rule  intf  match             translation
----  ----  -----             -----------
10    vfp1  from 10.0.2.0/24  dynamic any -> 10.0.3.1-10.0.3.254
- Show seen SNAT translations.
vyatta@CORPA:~$ show nat source translations
Pre-NAT              Post-NAT             Prot  Timeout
10.0.2.1:4323        10.0.3.1:4323        icmp  57
- Show NAT sessions.
vyatta@CORPA:~$ show session table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT,
                 CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED

CONN ID  Source         Destination    Protocol     TIMEOUT  Intf  Parent
1        10.0.2.1:4323  10.0.1.1:4323  icmp [1] ES  15       vfp1  0
- Optional: View IPsec logs.
- Display the entire IPsec log.
show log vpn ipsec
- Display the tail end of the log.
monitor vpn ipsec
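The checks in the steps above can be scripted against captured command output. The following is an added example, not part of the original documentation: it parses the output of show vpn ipsec sa detail and show nat source translations and confirms that the tunnel is up, that neither direction is blocked, and that every SNAT translation lands inside the tunnel's Local Net. The function names are hypothetical and the sample input is constructed from the values shown on this page.

```python
import ipaddress

# Constructed sample input, trimmed from the command output shown on this page.
SA_DETAIL = """\
    Tunnel 1:
        State:                  up
        Local Net:              10.0.3.0/24
        Inbound Blocked:        no
        Outbound Blocked:       no
"""
NAT_TRANSLATIONS = """\
Pre-NAT              Post-NAT             Prot  Timeout
10.0.2.1:4323        10.0.3.1:4323        icmp  57
"""

def parse_sa_detail(text):
    """Return the 'Key: value' pairs of a single-tunnel 'sa detail' listing."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():          # skips headings such as 'Tunnel 1:'
            fields[key.strip()] = value.strip()
    return fields

def parse_translations(text):
    """Return (pre_nat_ip, post_nat_ip) pairs, dropping the port/ICMP id."""
    rows = (line.split() for line in text.splitlines()[1:])  # skip header row
    return [tuple(c.rsplit(":", 1)[0] for c in r[:2]) for r in rows if len(r) >= 2]

def verify(sa_text, nat_text):
    """Return a list of problems; an empty list means every check passed."""
    sa, problems = parse_sa_detail(sa_text), []
    if sa.get("State") != "up":
        problems.append(f"tunnel state is {sa.get('State')}")
    for key in ("Inbound Blocked", "Outbound Blocked"):
        if sa.get(key) != "no":
            problems.append(f"{key} is {sa.get(key)}")
    local_net = ipaddress.ip_network(sa["Local Net"])
    pairs = parse_translations(nat_text)
    if not pairs:
        problems.append("no SNAT translations seen")
    for pre, post in pairs:
        # Translated source must fall inside the tunnel's local selector.
        if ipaddress.ip_address(post) not in local_net:
            problems.append(f"{pre} -> {post} is outside Local Net {local_net}")
    return problems

print(verify(SA_DETAIL, NAT_TRANSLATIONS) or "all checks passed")
```

A translation whose post-NAT address falls outside Local Net points to a mismatch between the SNAT rule and the tunnel's local prefix.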