[Swan-dev] IPSEC Active Tunnels Status using 'ipsec whack --status'

Praveen Chavan prawin219 at gmail.com
Mon Jan 9 19:49:10 EET 2023


Thanks for the clarification.

Follow up:
1. Could you share some examples for "ipsec trafficstatus" output?
2. Can I assume 'established Child SA' remains the same in the output for
whack --status, even if other things could change every couple of releases?

Appreciate your help.

Thanks,
Praveen

On Mon, Jan 9, 2023 at 11:12 AM Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 9 Jan 2023, Praveen Chavan wrote:
>
> > With libreswan upgrade to 4.5.x, I've noticed changes in the output of
> > 'ipsec whack --status' command. I relied on 'IPsec SA established' to
> > verify the active tunnels. With the upgraded version this string is not
> > present in the output. I rather notice
> > 'STATE_V2_ESTABLISHED_CHILD_SA (established Child SA)' and
> > 'STATE_V2_ESTABLISHED_IKE_SA (established IKE SA)'.
>
> "ipsec trafficstatus" would be easier and better for you to use.
>
> > Also, please share details on different states for the tunnels
> > (STATE_V2_ESTABLISHED_CHILD_SA, STATE_V2_ESTABLISHED_IKE_SA etc etc).
>
> Child SAs are IPsec SAs, aka "phase 2" aka kernel state. The IKE SA is
> the Parent SA, aka "phase 1" aka userland/ike state.
>
> ipsec whack --status will be due to change once every couple of
> releases. We are looking at outputting this using a json or yang
> format in the future that would be easier to parse and use.
>
> Paul
>