Phase 1 / IKE
IKE – Show all sessions
show vpn ike-sa
XXX@PAC1(active)> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
8 90.186.0.48:51489 P1_244_TEMP1_LTE Resp Aggr PSK/ DH5/A256/SHA256 v1 3 0 0
8 90.186.0.48:51489 P1_244_TEMP1_LTE Resp Aggr PSK/ DH5/A256/SHA256 v1 3 -1 0
8 90.186.2.30:32730 P1_244_TEMP1_LTE Resp Aggr PSK/ DH5/A256/SHA256 Nov.20 10:07:11 Nov.20 18:07:11 v1 12 4 1
10 90.186.44.133 P1_029_Alach Resp Aggr PSK/ DH5/A256/SHA256 Nov.20 09:11:00 Nov.20 17:11:00 v1 12 4 0
11 185.9.110.62 T004_PH_Arnstadt Resp Main PSK/ DH5/A256/SHA256 Nov.20 08:02:45 Nov.20 16:02:45 v1 12 4 7
Show IKEv1 IKE SA: Total 3 gateways found. 5 ike sa found.
IKE – Show a specific session
show vpn ike-sa gateway
XXX@PAC1(active)> show vpn ike-sa gateway P1_244_TEMP1_LTE
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
8 90.186.0.48:51489 P1_244_TEMP1_LTE Resp Aggr PSK/ DH5/A256/SHA256 v1 3 0 0
Show IKEv1 IKE SA: Total 3 gateways found. 1 ike sa found.
There is no IKEv1 phase-2 SA found.
There is no IKEv2 SA found.
IKE – Show details of a specific session
show vpn ike-sa detail gateway
XXX@PAC1(active)> show vpn ike-sa detail gateway P1_244_TEMP1_LTE
IKE Gateway P1_244_TEMP1_LTE, ID 8 185.9.110.39 => 90.186.2.140:38820
Current time: Nov.20 13:20:12
IKE Phase1 SA:
Cookie: 5F792E82B5F90620:A0A1B8A83211BACB Resp
State: Established
Mode: Aggr
Authentication: PSK
Proposal: AES256-CBC/SHA256/DH5
NAT: Not detected
Message ID: 0, phase 2: 0
Phase 2 SA created : 1
Created: Nov.20 13:17:58, 2 minutes 14 seconds ago
Expires: Nov.20 21:17:58
IKE – Terminate / tear down a session
clear vpn ike-sa gateway <gateway-name>
XXX@PAC1(active)> clear vpn ike-sa gateway P1_244_TEMP1_LTE
Clear IKE SA for gateway P1_244_TEMP1_LTE: 1 IKEv1 SA, 0 IKEv2 SA.
IKE – Establish a session
test vpn ike-sa gateway <gateway-name>
XXX@PAC1(active)> test vpn ike-sa gateway P1_244_TEMP1_LTE
Initiate IKE SA: Total 1 gateways found. 1 ike sa found.
Phase 2 / IP-Sec
IKE – Show all tunnels
show vpn ipsec-sa
XXX@PAC1(active)> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
8 17 90.186.8.0 P2_244_TEMP1_LTE:PXY1(P1_244_TEMP1_LTE) ESP/A256/SHA256 E0A51549 74092DE7 1541/0
11 13 185.9.110.62 P2_T004-PH-Arnstadt:T004-PH-Arnstadt-1(T004_PH ESP/A256/SHA256 E2F4142C 3E8D6A0D 1717/0
Show IPSec SA: Total 3 tunnels found. 2 ipsec sa found.
IKE – Show a single tunnel
show vpn ipsec-sa tunnel
rkrakovic@PAC1(active)> show vpn ipsec-sa tunnel P2_244_TEMP1_LTE:PXY1
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
8 17 90.186.8.0 P2_244_TEMP1_LTE:PXY1(P1_244_TEMP1_LTE) ESP/A256/SHA256 E0A51549 74092DE7 1458/0
Show IPSec SA: Total 3 tunnels found. 1 ipsec sa found.
IKE – Tear down / terminate a tunnel
clear vpn ipsec-sa tunnel
XXX@PAC1(active)> clear vpn ipsec-sa tunnel P2_244_TEMP1_LTE:PXY1
Clear IPSec SA for tunnel P2_244_TEMP1_LTE:PXY1: 1 IKEv1 SA, 0 IKEv2 SA.
The system log then shows this:
IPSec key deleted. Deleted SA: 185.9.110.39[500]-90.186.8.0[500] SPI:0xE0A51549/0x74092DE7
IKE protocol IPSec SA delete message sent to peer. SPI:0xE0A51549
Establishing the tunnel:
test vpn ipsec-sa tunnel
XXX@PAC1(active)> test vpn ipsec-sa tunnel P2_244_TEMP1_LTE:PXY1
Initiate 1 IPSec SA for tunnel P2_244_TEMP1_LTE:PXY1.
clear vpn ipsec-sa tunnel
IKEv1 phase-2 SAs
GwID/client IP Peer-Address Gateway Name Role Algorithm SPI(in) SPI(out) MsgID ST Xt
-------------- ------------ ------------ ---- --------- ------- -------- ----- -- --
11 185.9.110.62 T004_PH_Arnstadt Init ESP/ DH5/tunl/SHA2 F9C15947 3E8D6A09 3DD6D721 9 1
Show IKEv1 phase2 SA: Total 3 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
Show established tunnels
rkrakovic@PAC1(active)> show vpn flow
total tunnels configured: 3
filter - type IPSec, state any
total IPSec tunnel configured: 3
total IPSec tunnel shown: 3
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
7 P2_029_AST1:AST_029 inactiv off 185.9.110.39 0.0.0.0 tunnel.29
17 P2_244_TEMP1_LTE:PXY1 inactiv off 185.9.110.39 0.0.0.0 tunnel.244
13 P2_T004-PH-Arnstadt:T004-PH-A active off 185.9.110.39 185.9.110.62 tunnel.4