show vpn ike sa
Outputs information about the state of IPsec Phase1 negotiation.
Command and output example
user@system:~$ show vpn ike sa
Peer ID / IP    Local ID / IP
------------    -------------
10.20.2.2       10.10.2.3

Description: Customer_VPN

State  Encrypt       Hash      D-H Grp  A-Time  L-Time  IKEv
-----  ------------  --------  -------  ------  ------  ----
up     aes256        sha2_256  14       240     3600    2
In this example output:
- The Phase1 connection state is up
- The IP address that is in use within Vyatta NOS for the VPN connection is 10.20.2.2
- The remote VPN IP address is 10.10.2.3
What to look for
In order for IPsec Phase2 negotiations to work, the Phase1 state must be up.
The A-Time column indicates for how long the Phase1 connection state has been up (in seconds). IPsec will renegotiate the connection periodically, so the number tends to vary a lot — don't be surprised if you see very low or very high values.
The L-Time column indicates the maximum amount of time that the Phase1 connection can be alive before Vyatta NOS must renegotiate it. The A-Time value should always be less than the L-Time value, otherwise there is a problem.
The IKEv column shows what version of IKE is in use — IKEv2 in this example.
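The checks under "What to look for" can be run over saved command output. The following is an added example, not part of the Vyatta NOS documentation: the function names parse_ike_sa and check are hypothetical, the parser assumes the column layout shown above, and the second SA in the sample is constructed to show both checks failing.

```python
import re

# Constructed input: the first SA is the page's example; the second is made up.
SAMPLE = """\
Peer ID / IP    Local ID / IP
------------    -------------
10.20.2.2       10.10.2.3
Description: Customer_VPN
State  Encrypt       Hash      D-H Grp  A-Time  L-Time  IKEv
-----  ------------  --------  -------  ------  ------  ----
up     aes256        sha2_256  14       240     3600    2
10.20.9.9       10.10.2.3
Description: Lab_VPN
State  Encrypt       Hash      D-H Grp  A-Time  L-Time  IKEv
-----  ------------  --------  -------  ------  ------  ----
down   aes256        sha2_256  14       3700    3600    2
"""

# State, Encrypt, Hash, then four numeric columns: D-H Grp, A-Time, L-Time, IKEv
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_ike_sa(text):
    """Return one dict per Phase1 SA found in `show vpn ike sa` output."""
    sas, cur = [], {}
    for line in text.splitlines():
        tok, row = line.split(), ROW.match(line)
        if line.strip().startswith("Description:"):
            cur["description"] = line.split(":", 1)[1].strip()
        elif row:
            state, enc, hsh, dh, at, lt, ikev = row.groups()
            sas.append({**cur, "state": state, "encrypt": enc, "hash": hsh,
                        "dh_group": int(dh), "a_time": int(at),
                        "l_time": int(lt), "ikev": int(ikev)})
        elif len(tok) == 2 and not tok[0].startswith("-"):
            cur = {"ids": (tok[0], tok[1])}  # the two ID / IP columns, as printed
    return sas

def check(sa):
    """The page's checks: state must be up; A-Time must be less than L-Time."""
    problems = []
    if sa["state"] != "up":
        problems.append(f"Phase1 state is {sa['state']}, so Phase2 cannot negotiate")
    if sa["a_time"] >= sa["l_time"]:
        problems.append(f"A-Time {sa['a_time']} is not less than L-Time {sa['l_time']}")
    return problems

if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE):
        print(sa.get("description"), sa["ids"], f"IKEv{sa['ikev']}", check(sa) or "OK")
```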