HyperGhost
New Member
July 25, 2016
Question

FortiOS CLI Command equal "show crypto ipsec sa"

  • July 25, 2016
  • 2 replies
  • 37474 views

Hi all,


How can I verify packet counters (encaps & decaps / encrypt & decrypt) for a specific IPsec VPN on a FortiGate?


CLI command on Cisco IOS: "show crypto ipsec sa"


For example:

interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382

Thank you.

    2 replies

    Toshi_Esumi
    SuperUser
    July 25, 2016

    This is all I know that I can get. Maybe there are some arguments I don't know about with "diag vpn ipsec tun".


    [host-name] (vdom-name) # get vpn ipsec tun name [phase1-name]
    gateway
      name: '[phase1-name]'
      type: route-based
      local-gateway: x.x.x.x:0 (static)
      remote-gateway: y.y.y.y:0 (static)
      mode: ike-v1
      interface: '[interface-name]' (249)
      rx  packets: 116  bytes: 1898238  errors: 0
      tx  packets: 116  bytes: 1886579  errors: 10
      dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
      selectors
        name: '[phase1-name]'
        auto-negotiate: disable
        mode: tunnel
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
        SA
          lifetime/rekey: 1800/1425
          mtu: 15262
          tx-esp-seq: 16
          replay: enabled
          inbound
            spi: 7547379f
            enc:     aes  d1490c5746671460ccfed035f1c03858
            auth:   sha1  3279a2ed970dd9f495e6a310c86095e739cc8840
          outbound
            spi: 9055a777
            enc:     aes  6a6b3b20a5906356099343ace4c1fbbf
            auth:   sha1  adf8d1bfa67a4c68009aca925793030dde35052d
          NPU acceleration: encryption(outbound) decryption(inbound)
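The `rx`/`tx` counter lines in that output are the FortiOS counterpart of the Cisco encaps/decaps counters the question asks about. The following is an added Python example (not FortiOS code and not from any poster in this thread) that parses two snapshots of `get vpn ipsec tunnel name <phase1-name>` output, assuming the layout shown above, and reports whether packets were encrypted and decrypted between the snapshots, whether the error counters grew, and whether the SPIs changed (a phase2 rekey). The snapshots are constructed samples modelled on the output above, with placeholder tunnel names and TEST-NET addresses; the dictionary keys returned are this example's own naming, not FortiOS field names.

```python
"""Check IPsec tunnel counters from FortiOS `get vpn ipsec tunnel name` output.

Added example for this thread, not FortiOS code. It assumes the text layout
shown in the reply above: indented `key: value` lines, `rx`/`tx` counter
lines, and `inbound`/`outbound` SPI blocks. Feed it the command output
captured from the FortiGate (e.g. over SSH) at two points in time.
"""
import re
from typing import Any, Dict, List

# Constructed sample, modelled on the thread's output (placeholder names,
# TEST-NET addresses). Counter values are the ones from the thread.
SNAPSHOT_1 = """\
gateway
  name: 'to-branch'
  type: route-based
  local-gateway: 192.0.2.1:0 (static)
  remote-gateway: 198.51.100.2:0 (static)
  mode: ike-v1
  interface: 'to-branch' (249)
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'to-branch'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 1800/1425
      mtu: 15262
      tx-esp-seq: 16
      replay: enabled
      inbound
        spi: 7547379f
      outbound
        spi: 9055a777
"""

# Second constructed snapshot: traffic flowing, no new tx errors.
SNAPSHOT_2 = (SNAPSHOT_1
              .replace("rx  packets: 116  bytes: 1898238", "rx  packets: 240  bytes: 3901122")
              .replace("tx  packets: 116  bytes: 1886579", "tx  packets: 238  bytes: 3870011"))
# Third constructed snapshot: nothing new sent or received, tx errors climbed.
SNAPSHOT_3 = SNAPSHOT_2.replace("errors: 10", "errors: 12")

COUNTER_RE = re.compile(
    r"^\s*(rx|tx)\s+packets:\s*(\d+)\s+bytes:\s*(\d+)\s+errors:\s*(\d+)", re.M)
SPI_RE = re.compile(r"(inbound|outbound)\s+spi:\s*([0-9a-fA-F]+)")


def parse_tunnel(text: str) -> Dict[str, Any]:
    """Extract gateway identity, rx/tx counters, SPIs and SA lifetime."""
    info: Dict[str, Any] = {}
    # The first `name:` line belongs to the gateway; the selector name comes later.
    m = re.search(r"^\s*name:\s*'([^']*)'", text, re.M)
    info["name"] = m.group(1) if m else None
    for key in ("local-gateway", "remote-gateway", "mode", "type"):
        m = re.search(rf"^\s*{key}:\s*(\S+)", text, re.M)
        info[key] = m.group(1) if m else None
    for m in COUNTER_RE.finditer(text):
        info[m.group(1)] = {"packets": int(m.group(2)),
                            "bytes": int(m.group(3)),
                            "errors": int(m.group(4))}
    for m in SPI_RE.finditer(text):
        info[f"{m.group(1)}_spi"] = m.group(2).lower()
    m = re.search(r"lifetime/rekey:\s*(\d+)/(\d+)", text)
    if m:
        info["lifetime"], info["rekey"] = int(m.group(1)), int(m.group(2))
    return info


def compare(before: Dict[str, Any], after: Dict[str, Any]) -> Dict[str, Any]:
    """Counter deltas between two parsed snapshots, plus whether the SPIs changed."""
    deltas: Dict[str, Any] = {}
    for direction in ("rx", "tx"):
        for counter in ("packets", "errors"):
            deltas[f"{direction}_{counter}"] = after[direction][counter] - before[direction][counter]
    deltas["rekeyed"] = ((before.get("inbound_spi"), before.get("outbound_spi"))
                         != (after.get("inbound_spi"), after.get("outbound_spi")))
    return deltas


def findings(deltas: Dict[str, Any]) -> List[str]:
    """Human-readable observations; an empty list means the tunnel is passing traffic cleanly."""
    out: List[str] = []
    if deltas["rx_packets"] == 0:
        out.append("no packets decrypted (rx) between snapshots")
    if deltas["tx_packets"] == 0:
        out.append("no packets encrypted (tx) between snapshots")
    if deltas["rx_errors"] > 0:
        out.append(f"rx errors increased by {deltas['rx_errors']}")
    if deltas["tx_errors"] > 0:
        out.append(f"tx errors increased by {deltas['tx_errors']}")
    if deltas["rekeyed"]:
        out.append("SPIs changed: phase2 rekeyed between snapshots")
    return out


if __name__ == "__main__":
    t1, t2, t3 = (parse_tunnel(s) for s in (SNAPSHOT_1, SNAPSHOT_2, SNAPSHOT_3))
    print(f"{t1['name']}: {t1['local-gateway']} -> {t1['remote-gateway']}")
    print("healthy interval:", findings(compare(t1, t2)) or "ok")
    print("stalled interval:", findings(compare(t2, t3)))
```

Take the two snapshots a few seconds apart while the traffic you expect to traverse the tunnel is running; a zero delta in only one direction narrows the problem to routing or policy on one side, while a rising error counter points at the SA itself.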

    emnoc
    New Member
    July 25, 2016

    For troubleshooting and diagnostics:


    phase1 diagnostics


    diag vpn ike gateway


    phase2 diagnostics

    diag vpn tunnel list


    The get commands are not very helpful for phase2 imho. The following command is good for a summary status of how many tunnels are up:


    get vpn ipsec stats tunnel


    Ale
    New Member
    July 29, 2016

    I usually use

    'diagnose vpn tunnel list name $VPN_NAME'

    and

    'diagnose sniffer packet $VPN_IF '' 4'

    (all my VPNs are configured in interface mode)