Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

show vpn ike sa

Outputs information about the state of IPsec Phase1 negotiation.

Command and output example

user@system:~$ show vpn ike sa
Peer ID / IP                      Local ID / IP
------------                      -------------
10.20.2.2                         10.10.2.3

  Description: Customer_VPN

  State   Encrypt       Hash     D-H Grp   A-Time   L-Time  IKEv
  -----  ------------  --------  -------   ------   ------  ----
  up     aes256        sha2_256  14        240      3600    2

In this example output:

  • The Phase1 connection state is up
  • The IP address that is in use within Vyatta NOS for the VPN connection is 10.20.2.2
  • The remote VPN IP address is 10.10.2.3

What to look for

In order for IPsec Phase2 negotiations to work, the Phase1 state must be up.

The A-Time column indicates for how long the Phase1 connection state has been up (in seconds). IPsec will renegotiate the connection periodically, so the number tends to vary a lot — don't be surprised if you see very low or very high values.

The L-Time column indicates the maximum amount of time that the Phase1 connection can be alive before Vyatta NOS must renegotiate it. The A-Time value should always be less than the L-Time value; if it is not, there is a problem.

The IKEv column shows what version of IKE is in use — IKEv2 in this example.
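
The checks described under "What to look for" can be scripted against captured command output. The following is an added example, not part of the Vyatta documentation or tooling: the function names, the two failing peers (192.0.2.7 and 192.0.2.9) and the assumption that the header block repeats for each peer are all constructed for illustration.

```python
# Constructed sample: the page's example SA followed by two invented failing
# ones. Repeating the header block per peer is an assumption of this sketch.
BLOCK = """\
Peer ID / IP                      Local ID / IP
------------                      -------------
{peer:<34}{local}

  Description: {desc}

  State   Encrypt       Hash     D-H Grp   A-Time   L-Time  IKEv
  -----  ------------  --------  -------   ------   ------  ----
  {row}
"""
SAMPLE = "\n".join(BLOCK.format(peer=p, local="10.10.2.3", desc=d, row=r) for p, d, r in [
    ("10.20.2.2", "Customer_VPN", "up     aes256        sha2_256  14        240      3600    2"),
    ("192.0.2.7", "Constructed_down", "down   aes256        sha2_256  14        0        3600    2"),
    ("192.0.2.9", "Constructed_stale", "up     aes256        sha2_256  14        4000     3600    2"),
])

KEYS = ("state", "encrypt", "hash", "dh_group", "a_time", "l_time", "ikev")

def parse_ike_sa(text):
    """Return one dict per SA row, tagged with the ID pair printed above it."""
    sas, peer, local = [], None, None
    for line in text.splitlines():
        f = line.split()
        if not f or set(line.strip()) <= {"-", " "} or f[0].endswith(":"):
            continue  # blank line, dashed ruler, or "Description:" line
        if not line[0].isspace() and len(f) == 2:
            peer, local = f  # values under "Peer ID / IP" and "Local ID / IP"
        elif line[0].isspace() and len(f) == len(KEYS):
            sas.append(dict(zip(KEYS, f), peer=peer, local=local))
    return sas

def check_sa(sa):
    """The page's checks: state must be up, and A-Time must be below L-Time."""
    problems = []
    if sa["state"] != "up":
        problems.append("Phase1 state is '%s', so Phase2 cannot negotiate" % sa["state"])
    a_time, l_time = sa["a_time"], sa["l_time"]
    if a_time.isdigit() and l_time.isdigit() and int(a_time) >= int(l_time):
        problems.append("A-Time %s is not below L-Time %s" % (a_time, l_time))
    return problems

if __name__ == "__main__":
    for sa in parse_ike_sa(SAMPLE):
        print(sa["peer"], "IKEv" + sa["ikev"], check_sa(sa) or "ok")
```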