Check the IPsec site-to-site VPN tunnel status (Fedora/RHEL/CentOS)
An example of how to check that an IPsec VPN tunnel is up and actually carrying traffic, from the perspective of one peer device.
- List the currently active IKE_SAs and their CHILD_SAs (swanctl needs root, or at least access to charon's vici socket) and confirm that they are as you expect: the IKE_SA should be ESTABLISHED, the CHILD_SA INSTALLED, and the proposals and traffic selectors should match the configuration. The byte and packet counters are still zero here because nothing has crossed the tunnel yet.
$ swanctl -l
devcloud1: #1, ESTABLISHED, IKEv2, 802f9c888e23e342_i* e2c75818cd0ffd4e_r
  local  'devcloud1.vpn.am' @ 172.16.0.4[4500]
  remote 'server.vpn.am' @ 169.61.111.164[4500]
  AES_GCM_16-128/PRF_HMAC_SHA2_256/ECP_256
  established 564s ago, rekeying in 12749s, reauth in 11577s
  tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 564s ago, rekeying in 2920s, expires in 3396s
    in  c75e729c (0x0000002a),      0 bytes,     0 packets
    out c2f7bd8a (0x0000002a),      0 bytes,     0 packets
    local  10.200.0.0/24
    remote 0.0.0.0/0
- Check the connectivity across the tunnel to the other peer. The source address given with -I must lie inside the CHILD_SA's local traffic selector; packets from any other address do not match the IPsec policy and leave the host in clear text over the normal route. After the ping, run swanctl -l again and confirm that the in and out byte/packet counters of the CHILD_SA have increased: that, not a successful ping on its own, shows the traffic went through the tunnel.
$ ping 10.90.9.2 -I 10.200.1.1 -c3
PING 10.90.9.2 (10.191.29.202) from 10.200.1.1 : 56(84) bytes of data.
64 bytes from 10.90.9.2: icmp_seq=1 ttl=63 time=2.07 ms
64 bytes from 10.90.9.2: icmp_seq=2 ttl=63 time=1.23 ms
64 bytes from 10.90.9.2: icmp_seq=3 ttl=63 time=1.17 ms

--- 10.90.9.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 1.168/1.492/2.074/0.412 ms
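The two checks above, combined into one script, as an added example that is not part of the original page or of strongSwan: it parses swanctl --list-sas output to decide whether the IKE_SA is ESTABLISHED and the CHILD_SA INSTALLED, and then proves that a probe actually traversed the tunnel by comparing the ESP byte counters before and after the ping. The connection and CHILD_SA names devcloud1 and tunnel-1 are taken from the listing above; the probe source 10.200.0.1 (chosen to sit inside the 10.200.0.0/24 selector), the destination 10.90.9.2 in live mode, and both embedded sample listings are constructed for illustration. Without the --live flag the script only exercises the parser on the samples, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `swanctl --list-sas`
# output whether a tunnel is up, then prove traffic crosses it by comparing the
# CHILD_SA byte counters before and after a probe ping. Connection and CHILD_SA
# names (devcloud1, tunnel-1) are taken from the listing on the page; every
# other address and both sample listings are assumed for illustration.
set -eu

# Constructed sample: the listing before any traffic (counters at zero).
SAMPLE_BEFORE=$(cat <<'EOF'
devcloud1: #1, ESTABLISHED, IKEv2, 802f9c888e23e342_i* e2c75818cd0ffd4e_r
  local  'devcloud1.vpn.am' @ 172.16.0.4[4500]
  remote 'server.vpn.am' @ 169.61.111.164[4500]
  AES_GCM_16-128/PRF_HMAC_SHA2_256/ECP_256
  established 564s ago, rekeying in 12749s, reauth in 11577s
  tunnel-1: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 564s ago, rekeying in 2920s, expires in 3396s
    in  c75e729c (0x0000002a),      0 bytes,     0 packets
    out c2f7bd8a (0x0000002a),      0 bytes,     0 packets
    local  10.200.0.0/24
    remote 0.0.0.0/0
EOF
)

# Constructed sample: the same tunnel after three echo requests and replies.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" |
  sed 's/ 0 bytes,     0 packets$/ 252 bytes,     3 packets,     1s ago/')

# Print the IKE_SA state of connection $1 (e.g. ESTABLISHED) from listing $2,
# or ABSENT if no IKE_SA for that connection is listed.
ike_state() {
  printf '%s\n' "$2" | awk -F', ' -v c="$1" '
    $1 ~ ("^" c ": #[0-9]+$") { print $2; found = 1; exit }
    END { if (!found) print "ABSENT" }'
}

# Print the state of CHILD_SA $1 (e.g. INSTALLED) from listing $2, or ABSENT.
# CHILD_SA header lines are the indented ones carrying a "reqid N" field.
child_state() {
  printf '%s\n' "$2" | awk -F', ' -v c="$1" '
    $1 ~ ("^ *" c ": #[0-9]+$") && $2 ~ /^reqid [0-9]+$/ { print $3; found = 1; exit }
    END { if (!found) print "ABSENT" }'
}

# Print the byte counter of CHILD_SA $1 in direction $2 (in|out) from listing
# $3; prints nothing if the CHILD_SA or its counter line is missing.
child_bytes() {
  printf '%s\n' "$3" | awk -F', ' -v c="$1" -v d="$2" '
    $1 ~ ("^ *" c ": #[0-9]+$") && $2 ~ /^reqid [0-9]+$/ { inchild = 1; next }
    inchild && $2 ~ /^reqid [0-9]+$/ { exit }   # next CHILD_SA: stop looking
    inchild && $1 ~ ("^ *" d " +[0-9a-f]+ ") { print $2 + 0; exit }'
}

# True when the IKE_SA $1 is ESTABLISHED and the CHILD_SA $2 is INSTALLED.
tunnel_up() {
  [ "$(ike_state "$1" "$3")" = ESTABLISHED ] &&
  [ "$(child_state "$2" "$3")" = INSTALLED ]
}

# True when both ESP counters of CHILD_SA $1 grew between listing $2 and $3.
# Growth in "out" alone means the probe was encrypted; growth in "in" as well
# means the replies came back through the tunnel rather than in clear text.
traffic_flowed() {
  b_out=$(child_bytes "$1" out "$2"); a_out=$(child_bytes "$1" out "$3")
  b_in=$(child_bytes "$1" in "$2");   a_in=$(child_bytes "$1" in "$3")
  [ -n "$a_out" ] && [ -n "$a_in" ] &&
  [ "$a_out" -gt "${b_out:-0}" ] && [ "$a_in" -gt "${b_in:-0}" ]
}

# Live mode (run as root; names and addresses assumed): compare the counters
# around a probe ping. The -I source must sit inside the CHILD_SA's local
# traffic selector (10.200.0.0/24 above); packets from any other address do
# not match the IPsec policy and leave the host in clear text.
if [ "${1:-}" = "--live" ]; then
  CONN=devcloud1; CHILD=tunnel-1; SRC=10.200.0.1; DST=10.90.9.2
  before=$(swanctl --list-sas)
  tunnel_up "$CONN" "$CHILD" "$before" || { echo "tunnel $CONN/$CHILD is not up"; exit 2; }
  ping -I "$SRC" -c 3 "$DST" >/dev/null 2>&1 || echo "ping to $DST failed"
  after=$(swanctl --list-sas)
  if traffic_flowed "$CHILD" "$before" "$after"; then
    echo "OK: ESP counters for $CHILD increased in both directions"
  else
    echo "WARNING: counters did not move; the probe did not traverse the tunnel"
    exit 3
  fi
fi
```

Run it as `sh check-tunnel.sh --live` on the peer; without the flag it only parses the embedded samples. The counter comparison is the part worth keeping in a monitoring check: a reply to the ping proves reachability, but only a growing "in" counter on the CHILD_SA proves the reply came back inside ESP.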