JCPL
Staff & Editor
January 7, 2025

Technical Tip: Verifying IPsec VPN references via the CLI

Description

This article describes how to find the references to an IPsec tunnel using the CLI.

Scope

FortiGate.

Solution

In this example, the IPsec tunnel is named 'IPSECtunnel' and has five references, as displayed in the next image.

Picture1.png (GUI view of the tunnel showing its reference count of five)

Expanding the references reveals two firewall policies, one static route, and two Phase 2 selectors.

Picture2.png (expanded reference list: two firewall policies, one static route, two Phase 2 selectors)

However, the FortiGate GUI is not always accessible, so the following commands are used to find the references to the IPsec tunnel through the CLI.

 

diagnose sys cmdb refcnt show system.interface.name <IPsec Tunnel Name>

Picture3.png (CLI output listing three references: the two firewall policies and the static route)

The GUI shows five references, but the previous image displays only three. The two missing references are the Phase 2 selectors: they reference the Phase 1 name rather than the interface object, so they are not counted against system.interface. To view them, the following command can be used:

 

Use the grep command to filter the phase2-interface entries that contain the IPsec tunnel name; the -f option prints the full configuration block of each matching entry.

 

show vpn ipsec phase2-interface | grep IPSECtunnel -f

Picture4.png (output of the grep command showing the two phase2-interface entries that reference IPSECtunnel)

Alternatively, use the command below to list the IPsec Phase 2 references directly. The command diagnose sys cmdb refcnt show vpn.ipsec.phase1-interface.name <name> displays every entry in the IPsec Phase 2 table (vpn.ipsec.phase2-interface) that references the given Phase 1 name.

 

diagnose sys cmdb refcnt show vpn.ipsec.phase1-interface.name IPSECtunnel
entry used in table vpn.ipsec.phase2-interface:name 'IPSECtunnel' entry phase1name 'IPSECtunnel ' (From VDOM: 'root')
entry used in table vpn.ipsec.phase2-interface:name 'Selector2' entry phase1name 'IPSECtunnel ' (From VDOM: 'root')
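As an added example (not part of the article and not a Fortinet tool), the following Python script parses refcnt output lines in the format shown above and totals the references per CMDB table, so that the interface lookup and the Phase 1 lookup can be combined and checked against the count the GUI displays. The vpn.ipsec.phase2-interface lines follow the article's output; the firewall.policy and router.static lines are constructed to represent the interface lookup and their field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample output for
# 'diagnose sys cmdb refcnt show system.interface.name IPSECtunnel'.
# The table/field names below are assumed for illustration.
INTERFACE_REFS = """\
entry used in table firewall.policy:policyid '1' entry srcintf 'IPSECtunnel' (From VDOM: 'root')
entry used in table firewall.policy:policyid '2' entry dstintf 'IPSECtunnel' (From VDOM: 'root')
entry used in table router.static:seq-num '1' entry device 'IPSECtunnel' (From VDOM: 'root')
"""

# Output for 'diagnose sys cmdb refcnt show vpn.ipsec.phase1-interface.name IPSECtunnel',
# as shown in the article (note the trailing space inside 'IPSECtunnel ').
PHASE1_REFS = """\
entry used in table vpn.ipsec.phase2-interface:name 'IPSECtunnel' entry phase1name 'IPSECtunnel ' (From VDOM: 'root')
entry used in table vpn.ipsec.phase2-interface:name 'Selector2' entry phase1name 'IPSECtunnel ' (From VDOM: 'root')
"""

# One refcnt line: table:key 'id' entry attribute 'value' (From VDOM: 'vdom')
REF_RE = re.compile(
    r"entry used in table (?P<table>[\w.-]+):(?P<key>[\w-]+) '(?P<id>[^']*)' "
    r"entry (?P<attr>[\w-]+) '(?P<value>[^']*)' \(From VDOM: '(?P<vdom>[^']*)'\)"
)


def parse_refs(output):
    """Parse refcnt lines into dicts; lines that do not match are ignored."""
    refs = []
    for line in output.splitlines():
        m = REF_RE.search(line)
        if m:
            ref = m.groupdict()
            ref["value"] = ref["value"].strip()  # tolerate the trailing space FortiOS prints
            refs.append(ref)
    return refs


def references_by_table(tunnel, *outputs):
    """Count references to `tunnel` per CMDB table across several refcnt outputs."""
    counts = Counter()
    for out in outputs:
        for ref in parse_refs(out):
            if ref["value"] == tunnel:
                counts[ref["table"]] += 1
    return counts


def matches_gui(gui_count, tunnel, *outputs):
    """True when the CLI references add up to the count the GUI displays."""
    return sum(references_by_table(tunnel, *outputs).values()) == gui_count


if __name__ == "__main__":
    for table, n in sorted(references_by_table("IPSECtunnel", INTERFACE_REFS, PHASE1_REFS).items()):
        print(f"{table}: {n}")
```

Running only the interface lookup through matches_gui reproduces the mismatch described in the article (three references instead of five); adding the Phase 1 lookup reconciles it.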

 

Related article:

Troubleshooting Tip: Verifying FortiGate configuration object references and dependencies