[Openswan Users] IKE status

Mike Horn lists at caddisconsulting.com
Tue Dec 5 16:54:47 EST 2006

Thanks Paul,

I believe this command gives you the IPsec status (via the tun0x reference),
but what I really wanted was a separate listing for ISAKMP SA status for
each configured peer.  For example, during the troubleshooting process this
would enable me to determine if IKE (phase 1) was up, but ESP (phase 2)
wasn't.  Then I would know where to go and troubleshoot, phase 2 parameters
in this case.


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Tuesday, December 05, 2006 2:35 PM
To: Mike Horn
Cc: users at openswan.org
Subject: Re: [Openswan Users] IKE status

On Tue, 5 Dec 2006, Mike Horn wrote:

> Is there an easy way to get the list of IPsec peers and their IKE status?
> Right now I'm using the "ipsec auto --status" command and grep'ing for 
> ISAKMP, but that gets painful with a large number of peers and rekeys.
> I was hoping for something along the lines of Cisco's "show crypto 
> isakmp sa" command (output below), which shows all peers and their 
> current ISAKMP state.  Is there a command in Openswan that provides
> similar output?

If you are using klips, there is "ipsec eroute"

[root at tla root]# ipsec eroute
2          ->          => %trap
48278 ->          => %trap
6460 ->   => %pass
110 -> =>
tun0x1256 at
0 -> =>
tun0x123e at
18015 ->    => %hold

This, however, does not know about the connection names. We are planning to
add that in the future, but it requires pushing the name from userland to

Building and integrating Virtual Private Networks with Openswan:
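
The per-peer phase 1 / phase 2 view asked for in this thread can be derived from the "ipsec auto --status" text itself. The Python below is an added example, not part of the original messages and not Openswan code; the state-line layout in the regex, the rule that "established" in the description means the SA is up, and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Assumed layout of a pluto state line in "ipsec auto --status" output.
STATE_LINE = re.compile(
    r'^\d{3} #\d+: "(?P<conn>[^"]+)"(?P<inst>.*?):\d+ '
    r'(?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')

# Constructed sample lines, not captured from a real gateway.
SAMPLE = """\
000 #2: "branch-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC
000 #1: "branch-a":500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP
000 #7: "branch-b":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); newest ISAKMP
000 #9: "branch-b":500 STATE_QUICK_R1 (sent QR1, inbound IPsec SA installed, expecting QI2)
000 #12: "branch-c":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s
"""

def summarize(status_text):
    """Map each connection (plus instance suffix) to its phase 1/2 status."""
    peers = {}
    for line in status_text.splitlines():
        m = STATE_LINE.match(line)
        if not m:
            continue  # connection definitions, interface lines, etc.
        entry = peers.setdefault(m["conn"] + m["inst"],
                                 {"phase1": False, "phase2": False, "states": []})
        entry["states"].append(m["state"])
        up = "established" in m["desc"]  # assumption: text marks a usable SA
        if m["state"].startswith("STATE_QUICK"):
            entry["phase2"] |= up
        elif m["state"].startswith(("STATE_MAIN", "STATE_AGGR")):
            entry["phase1"] |= up
    return peers

def phase2_stuck(peers):
    """Connections where IKE (phase 1) is up but no IPsec SA (phase 2) is."""
    return sorted(n for n, e in peers.items() if e["phase1"] and not e["phase2"])

def render(peers):
    fmt = "%-24s %-8s %-8s %s"
    rows = [fmt % ("CONNECTION", "PHASE1", "PHASE2", "STATES")]
    for name, e in sorted(peers.items()):
        rows.append(fmt % (name, "up" if e["phase1"] else "down",
                           "up" if e["phase2"] else "down", ",".join(e["states"])))
    return "\n".join(rows)

if __name__ == "__main__":
    table = summarize(SAMPLE if sys.stdin.isatty() else sys.stdin.read())
    print(render(table))
    print("phase 1 up, phase 2 down:", ", ".join(phase2_stuck(table)) or "none")
```

Run with no input it summarizes the constructed sample; on a gateway, pipe the real output in, for example "ipsec auto --status | python3 ike_summary.py" (the script name is hypothetical).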
