FortiOS CLI command equivalent to "show crypto ipsec sa"
Hi all,
How can I verify packets (encaps & decaps / encrypt & decrypt) for a specific IPSec VPN on FortiGate?
CLI command on Cisco IOS: "show crypto ipsec sa"
For example:
interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382
Thank you.
This is all I know I can get. Maybe there are some arguments I don't know about with "diag vpn ipsec tun".
[host-name] (vdom-name) # get vpn ipsec tun name [phase1-name]
gateway
  name: '[phase1-name]'
  type: route-based
  local-gateway: x.x.x.x:0 (static)
  remote-gateway: y.y.y.y:0 (static)
  mode: ike-v1
  interface: '[interface-name]' (249)
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: '[phase1-name]'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 1800/1425
      mtu: 15262
      tx-esp-seq: 16
      replay: enabled
      inbound
        spi: 7547379f
        enc: aes  d1490c5746671460ccfed035f1c03858
        auth: sha1  3279a2ed970dd9f495e6a310c86095e739cc8840
      outbound
        spi: 9055a777
        enc: aes  6a6b3b20a5906356099343ace4c1fbbf
        auth: sha1  adf8d1bfa67a4c68009aca925793030dde35052d
      NPU acceleration: encryption(outbound) decryption(inbound)
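To get the encaps/decaps style check the original post asks for, here is an added example (not from this thread or from Fortinet) that pulls the rx/tx packet and error counters and the SPIs out of two "get vpn ipsec tunnel name" dumps taken a few seconds apart and reports the deltas; the tunnel name and counter values are constructed, and the regexes also work on output that was pasted as one long line.

```python
import re

# Constructed sample in the layout of "get vpn ipsec tunnel name <phase1-name>"
# shown above (tunnel name and values are made up for this example).
SNAPSHOT_1 = """\
gateway
  name: 'to-branch'
  type: route-based
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  selectors
    name: 'to-branch'
    SA
      lifetime/rekey: 1800/1425
      replay: enabled
      inbound
        spi: 7547379f
      outbound
        spi: 9055a777
"""

# Second sample a few seconds later (constructed): counters moved on, SPIs unchanged.
SNAPSHOT_2 = SNAPSHOT_1.replace("rx  packets: 116  bytes: 1898238", "rx  packets: 140  bytes: 1900102") \
    .replace("tx  packets: 116  bytes: 1886579  errors: 10", "tx  packets: 142  bytes: 1890000  errors: 12")

COUNTER_RE = re.compile(r"\b(rx|tx)\s+packets:\s*(\d+)\s+bytes:\s*(\d+)\s+errors:\s*(\d+)")
SPI_RE = re.compile(r"\b(inbound|outbound)\s+spi:\s*([0-9a-fA-F]+)")

def parse_tunnel(text):
    """Return {'rx': {...}, 'tx': {...}, 'inbound_spi': ..., 'outbound_spi': ...} from one dump."""
    info = {}
    for direction, pkts, nbytes, errs in COUNTER_RE.findall(text):
        info[direction] = {"packets": int(pkts), "bytes": int(nbytes), "errors": int(errs)}
    for direction, spi in SPI_RE.findall(text):
        info[direction + "_spi"] = spi.lower()
    return info

def check_traffic(before, after):
    """Compare two dumps: rx/tx growth is the FortiGate analogue of Cisco's decaps/encaps counters."""
    b, a = parse_tunnel(before), parse_tunnel(after)
    result = {}
    for d in ("rx", "tx"):
        result[d + "_delta"] = a[d]["packets"] - b[d]["packets"]
        result[d + "_errors_delta"] = a[d]["errors"] - b[d]["errors"]
    # A changed SPI between samples means the SA was rekeyed, so the deltas are not comparable.
    result["rekeyed"] = (a["inbound_spi"], a["outbound_spi"]) != (b["inbound_spi"], b["outbound_spi"])
    return result
```

A rising errors counter or a changed SPI between the two samples is the thing to look at before trusting the packet deltas.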
For troubleshooting and diagnostics:
Phase1 diagnostics:
diag vpn ike gateway
Phase2 diagnostics:
diag vpn tunnel list
The get commands are not very helpful for phase2 imho. The following command is good for a summarized status of how many tunnels are up:
get vpn ipsec stats tunnel
PCNSE
NSE
StrongSwan
I usually use
'diagnose vpn tunnel list name $VPN_NAME'
and
'diagnose sniffer packet $VPN_IF '' 4'
(all my VPNs are configured in interface mode)
Certs : Fortinet : NSE 3 | Checkpoint : CCSA | Cisco :CCIE ,CCNA Wireless ,CCNA Security , CCDP
Knowledge : F5 , IronPort , Fortimail , Bluecoat
