[Openswan Users] IKE status
Mike Horn
lists at caddisconsulting.com
Tue Dec 5 16:54:47 EST 2006
Thanks Paul,
I believe this command gives you the IPsec status (via the tun0x reference),
but what I really wanted was a separate listing for ISAKMP SA status for
each configured peer. For example, during the troubleshooting process this
would enable me to determine if IKE (phase 1) was up, but ESP (phase 2)
wasn't. Then I would know where to go and troubleshoot, phase 2 parameters
in this case.
-mike
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Tuesday, December 05, 2006 2:35 PM
To: Mike Horn
Cc: users at openswan.org
Subject: Re: [Openswan Users] IKE status
On Tue, 5 Dec 2006, Mike Horn wrote:
> Is there an easy way to get the list of IPsec peers and their IKE status?
> Right now I'm using the "ipsec auto --status" command and grep'ing for
> ISAKMP, but that gets painful with large number of peers and rekeys.
>
> I was hoping for something along the lines of Cisco's "show crypto
> isakmp sa" command (output below). Which shows all peers and their
> current ISAKMP state. Is there a command in Openswan that provides
> similar output?
If you are using klips, there is "ipsec eroute"
[root at tla root]# ipsec eroute
2 0.0.0.0/0 -> 0.0.0.0/0 => %trap
48278 193.110.157.130/32 -> 0.0.0.0/0 => %trap
6460 193.110.157.130/32 -> 24.36.180.146/32 => %pass
110 193.110.157.130/32 -> 205.150.200.165/32 => tun0x1256 at 205.150.200.134
0 193.110.157.130/32 -> 205.150.200.254/32 => tun0x123e at 205.150.200.254
18015 193.110.157.130/32 -> 209.112.44.0/24 => %hold
This however, does not know about the connection names. We are planning to
add that in the future, but it requires pushing the name from userland to
kernel.
Paul
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
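
Added example, not part of the original thread and not Openswan code: a small parser for the `ipsec eroute` listing quoted above that groups tunnel eroutes by peer and lists flows in `%hold`. As noted in the thread it reports IPsec (phase 2) state only. The function names are hypothetical, the sample is the listing from this message with tunnel targets wrapped onto their own line, and reading `%hold` as "packets held while an SA is negotiated" is an assumption about KLIPS behaviour.

```python
import re
from collections import defaultdict

# Constructed sample: the listing from this message. The archive prints "@"
# as " at ", so the tunnel pattern below accepts either form.
SAMPLE = """\
2 0.0.0.0/0 -> 0.0.0.0/0 => %trap
48278 193.110.157.130/32 -> 0.0.0.0/0 => %trap
6460 193.110.157.130/32 -> 24.36.180.146/32 => %pass
110 193.110.157.130/32 -> 205.150.200.165/32 =>
tun0x1256 at 205.150.200.134
0 193.110.157.130/32 -> 205.150.200.254/32 =>
tun0x123e at 205.150.200.254
18015 193.110.157.130/32 -> 209.112.44.0/24 => %hold
"""

ROW = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)\s+=>\s*(.*)$")
TUNNEL = re.compile(r"^(tun0x[0-9a-fA-F]+)\s*(?:@|\bat\b)\s*(\S+)$")

def parse_eroutes(text):
    """Return one dict per eroute, re-joining targets wrapped onto the next line."""
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        m = ROW.match(line)
        if m:
            rows.append({"packets": int(m[1]), "src": m[2],
                         "dst": m[3], "target": m[4]})
        elif line and rows and not rows[-1]["target"]:
            rows[-1]["target"] = line  # continuation of a wrapped row
    return rows

def by_peer(rows):
    """Map tunnel peer -> [(SA id, src, dst, packets)] for tunnel eroutes."""
    peers = defaultdict(list)
    for r in rows:
        m = TUNNEL.match(r["target"])
        if m:
            peers[m[2]].append((m[1], r["src"], r["dst"], r["packets"]))
    return dict(peers)

def held(rows):
    """Flows in %hold (assumed: packets held while an SA is negotiated)."""
    return [(r["src"], r["dst"], r["packets"])
            for r in rows if r["target"] == "%hold"]

if __name__ == "__main__":
    rows = parse_eroutes(SAMPLE)
    for peer, flows in sorted(by_peer(rows).items()):
        print(peer, flows)
    print("held:", held(rows))
```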