FortiOS CLI Command equal "show crypto ipsec sa"

HyperGhost
2016/07/25 04:05:05 (permalink)

Hi all,
 
How can I verify packets (encaps & decaps / encrypt & decrypt) for a specific IPsec VPN on FortiGate?
 
CLI command on Cisco IOS: "show crypto ipsec sa"
 
For example: 
  interface: FastEthernet0
Crypto map tag: test, local addr. 12.1.1.1
local ident (addr/mask/prot/port): (20.1.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
current_peer: 12.1.1.2
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7767918, #pkts encrypt: 7767918, #pkts digest 7767918
#pkts decaps: 7760382, #pkts decrypt: 7760382, #pkts verify 7760382

Thank you.
#1


    Toshi Esumi
    Re: FortiOS CLI Command equal "show crypto ipsec sa" 2016/07/25 08:40:57 (permalink)
    This is all I know that I can get. Maybe there are some arguments I don't know about with "diag vpn ipsec tun".
     
    [host-name] (vdom-name) # get vpn ipsec tun name [phase1-name]

    gateway
      name: '[phase1-name]'
      type: route-based
      local-gateway: x.x.x.x:0 (static)
      remote-gateway: y.y.y.y:0 (static)
      mode: ike-v1
      interface: '[interface-name]' (249)
      rx  packets: 116  bytes: 1898238  errors: 0
      tx  packets: 116  bytes: 1886579  errors: 10
      dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
      selectors
        name: '[phase1-name]'
        auto-negotiate: disable
        mode: tunnel
        src: 0:0.0.0.0/0.0.0.0:0
        dst: 0:0.0.0.0/0.0.0.0:0
        SA
          lifetime/rekey: 1800/1425
          mtu: 15262
          tx-esp-seq: 16
          replay: enabled
          inbound
            spi: 7547379f
            enc:     aes  d1490c5746671460ccfed035f1c03858
            auth:   sha1  3279a2ed970dd9f495e6a310c86095e739cc8840
          outbound
            spi: 9055a777
            enc:     aes  6a6b3b20a5906356099343ace4c1fbbf
            auth:   sha1  adf8d1bfa67a4c68009aca925793030dde35052d
          NPU acceleration: encryption(outbound) decryption(inbound)


    #2
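Added example, not part of the original thread or of any poster's reply: a Python sketch that parses output in the layout posted above, pulls out the rx/tx counters and SPIs that answer the encaps/decaps question, and masks the hex on the enc:/auth: lines (treated here as SA key material) before the output is shared. The sample text, the tunnel name and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the `get vpn ipsec tun name` output
# quoted above; the name, SPIs and key bytes are made up.
SAMPLE = """\
gateway
  name: 'to-branch'
  rx  packets: 116  bytes: 1898238  errors: 0
  tx  packets: 116  bytes: 1886579  errors: 10
  selectors
    SA
      inbound
        spi: 0a0b0c0d
        enc:     aes  00112233445566778899aabbccddeeff
        auth:   sha1  000102030405060708090a0b0c0d0e0f10111213
      outbound
        spi: 1a1b1c1d
        enc:     aes  ffeeddccbbaa99887766554433221100
        auth:   sha1  131211100f0e0d0c0b0a09080706050403020100
"""

COUNTERS = re.compile(r"^\s*(rx|tx)\s+packets:\s*(\d+)\s+bytes:\s*(\d+)\s+errors:\s*(\d+)", re.M)
SPI = re.compile(r"^\s*(inbound|outbound)\s*\n\s*spi:\s*([0-9a-f]+)", re.M)
KEYLINE = re.compile(r"^(\s*(?:enc|auth):\s+\S+\s+)[0-9a-fA-F]+[ \t]*$", re.M)

def parse_tunnel(text):
    """Return rx/tx counters and per-direction SPIs for one tunnel."""
    result = {"spi": dict(SPI.findall(text))}
    for direction, pkts, nbytes, errs in COUNTERS.findall(text):
        result[direction] = {"packets": int(pkts), "bytes": int(nbytes), "errors": int(errs)}
    return result

def health_notes(stats):
    """Flag counters worth a closer look (these rules are assumptions)."""
    notes = []
    for direction in ("rx", "tx"):
        c = stats.get(direction)
        if c is None:
            notes.append(f"{direction}: counters missing")
        elif c["errors"]:
            notes.append(f"{direction}: {c['errors']} errors")
        elif c["packets"] == 0:
            notes.append(f"{direction}: no packets (one-way traffic?)")
    return notes

def redact(text):
    """Mask the hex on enc:/auth: lines so the output can be shared."""
    return KEYLINE.sub(lambda m: m.group(1) + "<redacted>", text)
```

Running `parse_tunnel` twice a few seconds apart and comparing the packet counts shows whether traffic is actually moving in each direction.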
    emnoc
    Re: FortiOS CLI Command equal "show crypto ipsec sa" 2016/07/25 09:33:42 (permalink)
    For t-shooting and diagnostics:

    phase1 diagnostics
    diag vpn ike gateway

    phase2 diagnostics
    diag vpn tunnel list

    The get commands are not very helpful for phase2 imho. The following command is good for a summarized status of how many tunnels are up:

    get vpn ipsec stats tunnel

    PCNSE 
    NSE 
    StrongSwan  
    #3
    Ale
    Re: FortiOS CLI Command equal "show crypto ipsec sa" 2016/07/29 15:03:46 (permalink)
    I usually use
    'diagnose vpn tunnel list name $VPN_NAME'
    and
    'diagnose sniffer packet $VPN_IF '' 4'
    (all my VPNs are configured in interface mode)
    #4