Vyatta Network OS Documentation


Verify the configuration

An example of how to verify the site-to-site VPN with VFP configuration.

Complete these steps to confirm that the configuration is working properly.
  1. Show IKE sessions.
    vyatta@CORPA:~$ show vpn ike sa
    Peer ID / IP				Local ID / IP
    ------------					-------------
    128.0.0.13					128.0.0.11
    
    	State	Encrypt		Hash	D-H Grp	A-Time	L-Time	IKEv
    	-----	------------	-----	-------	------	------	----
    	up	aes256		sha1	5	0	3000	1
  2. Show established ESP connections (1).
    vyatta@CORPA:~$ show vpn ipsec sa
    Peer ID / IP				Local ID / IP
    ------------					-------------
    128.0.0.13					128.0.0.11
    Tunnel	Id	State	Bytes Out/In	Encrypt	Hash	DH	A-Time	L-Time
    ------ 	--	-----	------------	-------	----	--	------	------
    1	3	up	0.0/0.0		aes256	sha1	5	451	1500
  3. Show established ESP connections (2).
    vyatta@CORPA:~$ show vpn ipsec sa detail peer 128.0.0.13
    ------------------------------------------------------------------
    Peer IP:		128.0.0.13
    Peer ID:		128.0.0.13
    Local IP:		128.0.0.11
    Local ID:		128.0.0.11
    NAT Traversal:		no
    NAT Source Port:	n/a
    NAT Dest Port:		n/a
    
    	Tunnel 1:
    		State:			up
    		Id:			5
    		Inbound SPI:		cee5e0bb
    		Outbound SPI:		ca01d0b1
    		Encryption:		aes256
    		Hash:			sha1
    		DH Group:		5
    
    		Local Net:		10.0.3.0/24
    		Local Protocol:		all
    		Local Port:		all
    
    		Remote Net:		10.0.1.0/24
    		Remote Protocol:	all
    		Remote Port:		all
    
    		Inbound Bytes:		252.0
    		Outbound Bytes:		252.0
    
    		Inbound Blocked:	no
    		Outbound Blocked:	no
    
    		Active Time (s):	318
    		Lifetime (s):		1500
  4. Show SNAT rules.
    vyatta@CORPA:~$ show nat source
    ------------------------
    NAT Rulesets Information
    --------------------------
    SOURCE
    rule	intf	match			translation
    ----	----	-----			-----------
    10	vfp1	from 10.0.2.0/24	dynamic any -> 10.0.3.1-10.0.3.254
  5. Show seen SNAT translations.
    vyatta@CORPA:~$ show nat source translations
    Pre-NAT		Post-NAT	Prot	Timeout
    10.0.2.1:4323	10.0.3.1:4323	icmp	57
  6. Show NAT sessions.
    vyatta@CORPA:~$ show session table
    TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED, FW - FIN WAIT, CW - CLOSE WAIT, CG - CLOSING, LA - LAST ACK, TW - TIME WAIT, CL - CLOSED
    
    CONN ID	Source		Destination	Protocol	TIMEOUT	Intf	Parent
    1	10.0.2.1:4323	10.0.1.1:4323	icmp [1] ES	15	vfp1	0
  7. Optional: View IPsec logs.
    • Display the entire IPsec log.
      show log vpn ipsec
    • Display the tail end of the log and follow new entries.
      monitor vpn ipsec
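The manual checks in steps 1 to 3 (IKE SA up, IPsec tunnel up and carrying traffic, traffic selectors covering the intended subnets) can be scripted against the same command output. The Python below is an added example, not Vyatta NOS code or part of this documentation: it parses the table and "Key: value" output formats shown above and returns a list of findings. The sample output is constructed from the page's tables (tabs replaced by spaces; the parser accepts either), and the peer address, the expected subnets and the DH group floor of 14 are assumptions chosen for the example, not values the page prescribes.

```python
"""Parse Vyatta 'show vpn ike sa', 'show vpn ipsec sa' and 'show vpn ipsec sa
detail' output and apply the verification checks of steps 1-3 automatically.
Added example; the sample output below is constructed from the page's tables."""
import re

IKE_SA_OUTPUT = """\
Peer ID / IP                Local ID / IP
------------                -------------
128.0.0.13                  128.0.0.11

    State   Encrypt     Hash    D-H Grp A-Time  L-Time  IKEv
    -----   ----------- -----   ------- ------  ------  ----
    up      aes256      sha1    5       0       3000    1
"""

IPSEC_SA_OUTPUT = """\
Peer ID / IP                Local ID / IP
------------                -------------
128.0.0.13                  128.0.0.11
Tunnel  Id  State   Bytes Out/In    Encrypt Hash    DH  A-Time  L-Time
------  --  -----   ------------    ------- ----    --  ------  ------
1       3   up      0.0/0.0         aes256  sha1    5   451     1500
"""

IPSEC_DETAIL_OUTPUT = """\
Peer IP:        128.0.0.13
Local IP:       128.0.0.11
    Tunnel 1:
        State:          up
        Local Net:      10.0.3.0/24
        Remote Net:     10.0.1.0/24
        Inbound Bytes:  252.0
        Outbound Bytes: 252.0
"""


def _rows(text):
    """Non-empty output lines as whitespace-separated field lists."""
    return [line.split() for line in text.splitlines() if line.strip()]


def parse_ike_sa(text):
    """One dict per IKE SA row of 'show vpn ike sa'."""
    sas, peer, local = [], None, None
    for f in _rows(text):
        if f[0].startswith("-") or f[0] in ("Peer", "State"):
            continue                        # dashed rule or column header
        if len(f) == 2:                     # "<peer id/ip> <local id/ip>" line
            peer, local = f
        elif len(f) == 7 and peer:          # state encrypt hash dh a-time l-time ikev
            sas.append({"peer": peer, "local": local, "state": f[0].lower(),
                        "encrypt": f[1].lower(), "hash": f[2].lower(),
                        "dh_group": int(f[3]), "ikev": int(f[6])})
    return sas


def parse_ipsec_sa(text):
    """One dict per tunnel row of 'show vpn ipsec sa'."""
    sas, peer = [], None
    for f in _rows(text):
        if f[0].startswith("-") or f[0] in ("Peer", "Tunnel"):
            continue
        if len(f) == 2:
            peer = f[0]
        elif len(f) == 9 and peer:          # tunnel id state out/in encrypt hash dh a-time l-time
            out, inbound = (float(x) for x in f[3].split("/"))
            sas.append({"peer": peer, "tunnel": int(f[0]), "state": f[2].lower(),
                        "bytes_out": out, "bytes_in": inbound, "dh_group": int(f[6])})
    return sas


def parse_ipsec_detail(text):
    """'Key: value' lines of 'show vpn ipsec sa detail', grouped by tunnel number."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Tunnel (\d+):", line)
        if m:
            current = tunnels.setdefault(int(m.group(1)), {})
            continue
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if m and current is not None:       # lines before the first tunnel are ignored
            current[m.group(1)] = m.group(2).strip()
    return tunnels


def check_tunnel(ike_text, ipsec_text, detail_text, peer,
                 local_net, remote_net, min_dh_group=14):
    """Return a list of findings; an empty list means every check passed.
    min_dh_group is a local policy assumption (RFC 8247 makes group 14
    mandatory and rates group 5 SHOULD NOT)."""
    findings = []
    ike = [s for s in parse_ike_sa(ike_text) if s["peer"] == peer]
    if not ike:
        findings.append(f"no IKE SA with peer {peer}")
    for s in ike:
        if s["state"] != "up":
            findings.append(f"IKE SA with {peer} is {s['state']}, not up")
        if s["dh_group"] < min_dh_group:
            findings.append(f"IKE SA with {peer} uses DH group {s['dh_group']} "
                            f"(policy minimum {min_dh_group})")
    tunnels = [s for s in parse_ipsec_sa(ipsec_text) if s["peer"] == peer]
    if not tunnels:
        findings.append(f"no IPsec SA with peer {peer}")
    details = parse_ipsec_detail(detail_text)
    for t in tunnels:
        if t["state"] != "up":
            findings.append(f"IPsec tunnel {t['tunnel']} to {peer} is {t['state']}, not up")
        if t["bytes_out"] == 0 and t["bytes_in"] == 0:
            findings.append(f"IPsec tunnel {t['tunnel']} to {peer} has carried no traffic yet")
        d = details.get(t["tunnel"], {})
        if d.get("Local Net") != local_net or d.get("Remote Net") != remote_net:
            findings.append(f"tunnel {t['tunnel']} selectors {d.get('Local Net')} -> "
                            f"{d.get('Remote Net')} differ from expected {local_net} -> {remote_net}")
    return findings
```

Run against the sample output it reports two findings: the IKE SA negotiated DH group 5, below the assumed floor, and the tunnel in step 2 has not carried any bytes yet (step 3, taken later, shows 252 bytes in each direction, so that finding clears once the first packets flow). Selector mismatches are worth checking explicitly because a tunnel can be up with the wrong subnets and silently leave traffic unencrypted or dropped.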