[Swan-dev] IPSEC Active Tunnels Status using 'ipsec whack --status'

Paul Wouters paul at nohats.ca
Mon Jan 9 19:12:30 EET 2023


On Mon, 9 Jan 2023, Praveen Chavan wrote:

> With libreswan upgrade to 4.5.x, I've noticed changes in the output of 'ipsec whack --status' command. I relied on 'IPsec SA
> established' to verify the active tunnels. With the upgraded version this string is not present in the output. I rather notice
> 'STATE_V2_ESTABLISHED_CHILD_SA (established Child SA)' and 'STATE_V2_ESTABLISHED_IKE_SA (established IKE SA)'. 

"ipsec trafficstatus" would be easier and better for you to use.

> Also, please share details on different states for the tunnels (STATE_V2_ESTABLISHED_CHILD_SA, STATE_V2_ESTABLISHED_IKE_SA,
> etc.).

Child SAs are IPsec SAs, aka "phase 2" aka kernel state. The IKE SA is
the Parent SA, aka "phase 1" aka userland/ike state.

ipsec whack --status will be due to change once every couple of
releases. We are looking at outputting this using a JSON or YANG
format in the future that would be easier to parse and use.

Paul
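
An added example, not part of the original message and not libreswan project code: a monitoring check that classifies `ipsec whack --status` state lines using both the state names quoted in this thread and the older "IPsec SA established" wording. The line shape `000 #<serial>: "<connection>"...`, the connection names and the sample text are assumptions constructed for illustration; as the reply notes, this output changes between releases.

```python
import re

# Markers for an established Child (IPsec) SA: the state name quoted in the
# thread for 4.5.x, plus the older wording the original poster matched on.
CHILD_MARKERS = ("STATE_V2_ESTABLISHED_CHILD_SA", "IPsec SA established")
# Marker for an established IKE (parent) SA, as quoted in the thread.
IKE_MARKERS = ("STATE_V2_ESTABLISHED_IKE_SA",)

# Assumed line shape: '000 #<serial>: "<connection>"<suffix> <state text>'
STATE_LINE = re.compile(r'^\d{3} #(\d+): "([^"]+)"\S* (.*)$')


def tunnel_states(status_text):
    """Map connection name -> {'ike': [serials], 'child': [serials]}."""
    conns = {}
    for line in status_text.splitlines():
        m = STATE_LINE.match(line.strip())
        if not m:
            continue  # banner, config and interface lines carry no SA state
        serial, name, rest = int(m.group(1)), m.group(2), m.group(3)
        entry = conns.setdefault(name, {"ike": [], "child": []})
        if any(marker in rest for marker in CHILD_MARKERS):
            entry["child"].append(serial)
        elif any(marker in rest for marker in IKE_MARKERS):
            entry["ike"].append(serial)
    return conns


def active_tunnels(status_text):
    """Connections with at least one established Child SA.

    An IKE SA alone (phase 1) does not mean traffic is protected, so a
    connection with only an IKE SA is not reported as an active tunnel.
    """
    states = tunnel_states(status_text)
    return sorted(name for name, s in states.items() if s["child"])


# Constructed sample, not captured from a real host. STATE_PLACEHOLDER stands
# in for whatever state name an older release printed before the old wording.
SAMPLE = '''\
000 "site-a": 192.0.2.1...198.51.100.1; erouted
000 #1: "site-a":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); idle;
000 #2: "site-a":500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); idle;
000 #3: "site-b":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); idle;
000 #4: "site-c":500 STATE_PLACEHOLDER (IPsec SA established); idle;
'''

if __name__ == "__main__":
    print(active_tunnels(SAMPLE))
```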

