[Openswan Users] IKE status

Paul Wouters paul at xelerance.com
Tue Dec 5 16:34:44 EST 2006


On Tue, 5 Dec 2006, Mike Horn wrote:

> Is there an easy way to get the list of IPsec peers and their IKE status?
> Right now I'm using the "ipsec auto --status" command and grep'ing for
> ISAKMP, but that gets painful with a large number of peers and rekeys.
>
> I was hoping for something along the lines of Cisco's "show crypto isakmp
> sa" command (output below).  Which shows all peers and their current ISAKMP
> state.  Is there a command in Openswan that provides similar output?

If you are using klips, there is "ipsec eroute":

[root@tla root]# ipsec eroute
2          0.0.0.0/0          -> 0.0.0.0/0          => %trap
48278      193.110.157.130/32 -> 0.0.0.0/0          => %trap
6460       193.110.157.130/32 -> 24.36.180.146/32   => %pass
110        193.110.157.130/32 -> 205.150.200.165/32 => tun0x1256@205.150.200.134
0          193.110.157.130/32 -> 205.150.200.254/32 => tun0x123e@205.150.200.254
18015      193.110.157.130/32 -> 209.112.44.0/24    => %hold

This, however, does not know about the connection names. We are planning to add
that in the future, but it requires pushing the name from userland to kernel.

Paul
-- 
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
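
An added example, not part of the message above and not Openswan code: a small Python parser for "ipsec eroute" output in the format shown in the reply, grouping tunnel entries by peer and listing the "%" entries separately. The function names are hypothetical and the sample input is the listing from the post.

```python
import re
from collections import defaultdict

# Sample input: the eroute listing from the post, embedded so this runs offline.
SAMPLE = """\
2          0.0.0.0/0          -> 0.0.0.0/0          => %trap
48278      193.110.157.130/32 -> 0.0.0.0/0          => %trap
6460       193.110.157.130/32 -> 24.36.180.146/32   => %pass
110        193.110.157.130/32 -> 205.150.200.165/32 => tun0x1256@205.150.200.134
0          193.110.157.130/32 -> 205.150.200.254/32 => tun0x123e@205.150.200.254
18015      193.110.157.130/32 -> 209.112.44.0/24    => %hold
"""

# <packets> <src> -> <dst> => <target>
LINE = re.compile(
    r"^\s*(?P<pkts>\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+=>\s+(?P<target>.+?)\s*$")
# Tunnel targets look like tun0x1256@peer; list archives may render "@" as " at ".
SAID = re.compile(r"^(?P<said>[a-z]+0x[0-9a-fA-F]+)(?:@| at )(?P<peer>\S+)$")


def parse_eroutes(text):
    """Return one dict per eroute line; non-matching lines (prompts) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        e = m.groupdict()
        e["pkts"] = int(e["pkts"])
        said = SAID.match(e["target"])
        e["peer"] = said.group("peer") if said else None
        e["said"] = said.group("said") if said else None
        entries.append(e)
    return entries


def summarize(entries):
    """Group tunnel eroutes by peer; collect %trap/%pass/%hold entries by target."""
    peers = defaultdict(lambda: {"pkts": 0, "routes": []})
    special = defaultdict(list)
    for e in entries:
        if e["peer"]:
            peers[e["peer"]]["pkts"] += e["pkts"]
            peers[e["peer"]]["routes"].append((e["src"], e["dst"], e["said"]))
        else:
            special[e["target"]].append((e["src"], e["dst"], e["pkts"]))
    return dict(peers), dict(special)
```

Feed it the text of "ipsec eroute" and print the two dictionaries returned by summarize(). It reports only what the eroute table holds, so connection names are not available, as the reply notes.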

