Vyatta documentation


show vpn ipsec sa

Outputs information about the state of IPsec Phase2.

Command and output example

user@system:~$ show vpn ipsec sa
Peer ID / IP                     Local ID / IP
------------                     -------------
10.20.2.2                        10.10.2.3

  Description: Customer_VPN

  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  1       2348        up     0.0/0.0        aes128gcm128  null      19  178     3600

What to look for

The Phase1 connection must be in the up state for Phase2 to work. Once the Phase2 connection is also in the up state then traffic can flow across the VPN.

Each tunnel configured in the Vyatta NOS CLI appears as one row, numbered in the Tunnel column. The Id column may show a large number, as in this example.

If a client reports a problem, use this output to find a tunnel that is in the down state or that shows a zero value for Bytes Out/In, and then match it to the source/destination IP address of the affected client.

The A-Time column shows how long the current Phase2 negotiation has been active. Phase2 renegotiates more often than Phase1, and it does so periodically, so this value varies widely; very low or very high values are normal.

The L-Time column shows the maximum time the tunnel can stay active before Vyatta NOS must renegotiate it. The A-Time value should always be less than the L-Time value; if it is not, there is a problem.
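The checks described above (state not up, zero Bytes Out/In, A-Time not below L-Time) are easy to apply by eye on one peer, but tedious across many. The following is an added example, not Vyatta's own code or tooling: a small Python parser for the column layout shown in the output above, followed by a function that applies those three checks to every tunnel row. It assumes only that layout; the sample text embedded in it is constructed for illustration (two peers, four tunnels) and is not a real capture, and the K/M/G suffix handling for byte counters is an assumption, since the page only shows 0.0/0.0.

```python
"""Parse the text of `show vpn ipsec sa` and flag tunnels worth a closer look.

Added example; it assumes the column layout shown on the page and nothing
else about Vyatta NOS.  The sample text below is constructed, not a capture.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the page's layout: two peers, four Phase2 tunnels.
SAMPLE_OUTPUT = """\
Peer ID / IP                     Local ID / IP
------------                     -------------
10.20.2.2                        10.10.2.3

  Description: Customer_VPN

  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  1       2348        up     0.0/0.0        aes128gcm128  null      19  178     3600
  2       2349        up     15.2M/14.8M    aes128gcm128  null      19  1800    3600

10.20.3.2                        10.10.2.3

  Description: Branch_VPN

  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  1       2350        down   0.0/0.0        aes128gcm128  null      19  0       3600
  2       2351        up     1.1G/980.4M    aes128gcm128  null      19  3700    3600
"""


@dataclass
class Tunnel:
    peer: str
    local: str
    description: Optional[str]
    tunnel: int
    sa_id: int
    state: str
    bytes_out: float
    bytes_in: float
    encrypt: str
    hash_alg: str
    dh: int
    a_time: int
    l_time: int


PEER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")  # unindented "peer  local" row
DESC_RE = re.compile(r"^\s+Description:\s*(.*)$")
TUNNEL_RE = re.compile(
    r"^\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)/(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
_SUFFIX = {"": 1.0, "K": 1e3, "M": 1e6, "G": 1e9}


def parse_counter(text: str) -> float:
    """Turn a byte counter such as '0.0' or '15.2M' into a float.
    The K/M/G suffixes are an assumption; the page only shows '0.0/0.0'."""
    m = re.fullmatch(r"([0-9.]+)([KMG]?)", text)
    if not m:
        raise ValueError(f"unrecognised byte counter: {text!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2)]


def parse_ipsec_sa(text: str) -> List[Tunnel]:
    """Walk the output line by line, remembering the current peer block."""
    tunnels: List[Tunnel] = []
    peer = local = description = None
    for line in text.splitlines():
        stripped = line.strip()
        # Blank lines, dashed rules and the two column headers carry no data.
        if not stripped or stripped.startswith(("-", "Peer ID", "Tunnel")):
            continue
        m = PEER_RE.match(line)
        if m:
            peer, local = m.group(1), m.group(2)
            description = None  # a new peer block resets the description
            continue
        m = DESC_RE.match(line)
        if m:
            description = m.group(1).strip() or None
            continue
        m = TUNNEL_RE.match(line)
        if m:
            if peer is None or local is None:
                raise ValueError(f"tunnel row before any peer row: {line!r}")
            tunnels.append(Tunnel(
                peer, local, description,
                int(m[1]), int(m[2]), m[3],
                parse_counter(m[4]), parse_counter(m[5]),
                m[6], m[7], int(m[8]), int(m[9]), int(m[10]),
            ))
            continue
        raise ValueError(f"unexpected line in output: {line!r}")
    return tunnels


def find_problem_tunnels(tunnels: List[Tunnel]) -> Dict[Tuple[str, int], List[str]]:
    """Apply the page's three checks; returns {(peer, tunnel number): reasons}."""
    findings: Dict[Tuple[str, int], List[str]] = {}
    for t in tunnels:
        reasons = []
        if t.state != "up":
            reasons.append(f"state is {t.state}, not up")
        if t.bytes_out == 0 or t.bytes_in == 0:
            reasons.append("zero bytes in at least one direction")
        if t.a_time >= t.l_time:
            reasons.append(f"A-Time {t.a_time} is not below L-Time {t.l_time}")
        if reasons:
            findings[(t.peer, t.tunnel)] = reasons
    return findings


if __name__ == "__main__":
    for (peer, number), reasons in find_problem_tunnels(parse_ipsec_sa(SAMPLE_OUTPUT)).items():
        print(f"{peer} tunnel {number}: " + "; ".join(reasons))
```

Run as a script it reports three of the four constructed tunnels: the Customer_VPN tunnel with zero bytes in both directions, the Branch_VPN tunnel that is down, and the Branch_VPN tunnel whose A-Time has passed its L-Time. To use it on a live system, capture the command output to a file and pass its contents to parse_ipsec_sa instead of SAMPLE_OUTPUT; the parser raises on any line it does not recognise, so a change in the output layout fails loudly rather than silently dropping rows.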