Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

show vpn ipsec sa

Outputs information about the state of IPsec Phase2.

Command and output example

user@system:~$ show vpn ipsec sa
Peer ID / IP                     Local ID / IP
------------                     -------------
10.20.2.2                        10.10.2.3

  Description: Customer_VPN

  Tunnel  Id          State  Bytes Out/In   Encrypt       Hash      DH  A-Time  L-Time
  ------  ----------  -----  -------------  ------------  --------  --  ------  ------
  1       2348        up     0.0/0.0        aes128gcm128  null      19  178     3600

What to look for

The Phase1 connection must be in the up state for Phase2 to work. Once the Phase2 connection is also in the up state then traffic can flow across the VPN.

For each configured tunnel in the Vyatta NOS CLI you will see an entry in the Tunnel column. The Id column of the output may show a large number, as you see in this example.

If any clients report a problem, then you could use this output to help locate a tunnel in the down state or one with a zero value for Bytes Out/In, and then associate it with the source/destination IP address of the problem client.

The A-Time column indicates how long the Phase2 negotiation has been active. Phase2 negotiates more often than Phase1. Phase2 will renegotiate periodically, so the number tends to vary a lot — don't be surprised if you see very low or very high values.

The L-Time column indicates the maximum amount of time that the tunnel can be active before Vyatta NOS must renegotiate it. The A-Time value should always be less than the L-Time value, otherwise there is a problem.