Fortinet Forum
HyperGhost
New Contributor II

FortiOS CLI Command equal "show crypto ipsec sa"

Hi all,

How can I verify packets (encaps & decaps / encrypt & decrypt) for a specific IPSec VPN on FortiGate?

CLI command on Cisco IOS: "show crypto ipsec sa"

For example:

  interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382

Thank you.
Toshi_Esumi
Esteemed Contributor II

This is all I know I can get. Maybe some arguments I don't know about with "diag vpn ipsec tun".

[host-name] (vdom-name) # get vpn ipsec tun name [phase1-name]
gateway
  name: '[phase1-name]'
  type: route-based
  local-gateway: x.x.x.x:0 (static)
  remote-gateway: y.y.y.y:0 (static)
  mode: ike-v1
  interface: '[interface-name]' (249)
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: '[phase1-name]'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 1800/1425
      mtu: 15262
      tx-esp-seq: 16
      replay: enabled
      inbound
        spi: 7547379f
        enc:     aes  d1490c5746671460ccfed035f1c03858
        auth:   sha1  3279a2ed970dd9f495e6a310c86095e739cc8840
      outbound
        spi: 9055a777
        enc:     aes  6a6b3b20a5906356099343ace4c1fbbf
        auth:   sha1  adf8d1bfa67a4c68009aca925793030dde35052d
      NPU acceleration: encryption(outbound) decryption(inbound)
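An added example (not from any poster in this thread): a small Python parser for the `get vpn ipsec tunnel name` layout shown in the reply above. It pulls out the rx/tx packet, byte and error counters (FortiGate's equivalent of the Cisco encaps/decaps figures) and the inbound/outbound SPIs, then flags a tunnel whose SA is missing, whose counters are zero in one direction, or whose errors are non-zero. The tunnel name, addresses and sample text are constructed for the example.

```python
import re

# Constructed sample in the layout of `get vpn ipsec tunnel name <phase1>`;
# addresses and name are placeholders, not taken from a live device.
SAMPLE = """\
gateway
  name: 'to-branch'
  type: route-based
  local-gateway: 192.0.2.1:0 (static)
  remote-gateway: 198.51.100.1:0 (static)
  mode: ike-v1
  interface: 'to-branch' (249)
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'to-branch'
    SA
      lifetime/rekey: 1800/1425
      replay: enabled
      inbound
        spi: 7547379f
      outbound
        spi: 9055a777
"""

COUNTER_RE = re.compile(r"^\s*(rx|tx)\s+packets:\s*(\d+)\s+bytes:\s*(\d+)\s+errors:\s*(\d+)")
SPI_RE = re.compile(r"^\s*spi:\s*([0-9a-fA-F]+)")

def parse_tunnel(text):
    """Extract name, rx/tx counters and SPIs from one tunnel's CLI output."""
    info = {"name": None, "rx": None, "tx": None, "inbound_spi": None, "outbound_spi": None}
    direction = None
    for line in text.splitlines():
        stripped = line.strip()
        if info["name"] is None and stripped.startswith("name:"):
            info["name"] = stripped.split("'")[1]      # first name: line is the gateway name
        m = COUNTER_RE.match(line)
        if m:
            info[m.group(1)] = {"packets": int(m.group(2)), "bytes": int(m.group(3)),
                                "errors": int(m.group(4))}
            continue
        if stripped in ("inbound", "outbound"):       # SPI lines follow these headers
            direction = stripped
            continue
        m = SPI_RE.match(line)
        if m and direction:
            info[direction + "_spi"] = m.group(1)
    return info

def check_tunnel(info):
    """Return findings; an empty list means an SA is up and traffic flows both ways cleanly."""
    findings = []
    if not (info["inbound_spi"] and info["outbound_spi"]):
        findings.append("no SA installed (no inbound/outbound SPI)")
    for d in ("rx", "tx"):                             # rx = decrypted, tx = encrypted
        c = info[d]
        if c is None:
            findings.append(f"{d} counters missing")
            continue
        if c["packets"] == 0:
            findings.append(f"{d} packets: 0")
        if c["errors"]:
            findings.append(f"{d} errors: {c['errors']}")
    return findings
```

Run it twice a few seconds apart and compare the packet counters to confirm traffic is actually being encrypted and decrypted, not just that an SA exists.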

emnoc
Esteemed Contributor III

for t-shooting and diagnostic

phase1 diagnostics

diag vpn ike gateway

phase2 diagnostics

diag vpn tunnel list

The get commands are not very helpful for phase2 imho. The following command is good for a summarized status of how many tunnels are up

get vpn ipsec stats tunnel

PCNSE 

NSE 

StrongSwan  

Ale
New Contributor

I usually use

'diagnose vpn tunnel list name $VPN_NAME'

and

'diagnose sniffer packet $VPN_IF '' 4'

(all my VPNs are configured in interface mode)

Certs : Fortinet : NSE 3 | Checkpoint : CCSA | Cisco : CCIE, CCNA Wireless, CCNA Security, CCDP

Knowledge : F5 , IronPort , Fortimail , Bluecoat