[Swan-dev] IPSEC Active Tunnels Status using 'ipsec whack --status'

Praveen Chavan prawin219 at gmail.com
Mon Jan 9 19:49:10 EET 2023

Thanks for the clarification.

Follow up:
1. Could you share some examples for "ipsec trafficstatus" output?
2. Can I assume 'established Child SA' remains the same, in the output for
whack --status even if other things could change every couple releases?

Appreciate your help.


On Mon, Jan 9, 2023 at 11:12 AM Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 9 Jan 2023, Praveen Chavan wrote:
> > With libreswan upgrade to 4.5.x, I've noticed changes in the output of
> 'ipsec whack --status' command. I relied on 'IPsec SA
> > established' to verify the active tunnels. With the upgraded version
> this string is not present in the output. I rather notice
> > 'STATE_V2_ESTABLISHED_CHILD_SA (established Child SA)' and
> "ipsec trafficstatus" would be easier and better for you to use.
> > Also, please share details on different states for the tunnels (
> > ).
> Child SA's are IPsec SA's, aka "phase 2" aka kernel state. The IKE SA is
> the Parent SA, aka "phase 1" aka userland/ike state.
> ipsec whack --status will be due to change once every couple of
> releases. We are looking at outputting this using a json or yang
> format in the future that would be easier to parse and use.
> Paul
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan-dev/attachments/20230109/8798c9b4/attachment.htm>

More information about the Swan-dev mailing list