
How to view "phase 2" SPI details

Is it possible to find out the local and remote identities associated with a specific phase 2 SPI for an IPsec encrypted VPN?

The output from 'vpn tu' is rather limited:

4

Enter IP of peer (format: xxx.xxx.xxx.xxx): 192.0.2.1

Peer 192.0.2.1 SAs:

1. SPI's related to IKE SA <7dc3f321cf09371c,bc0373ef85ca407e>:
INBOUND:
1. 0xe75e94b5
OUTBOUND:
1. 0x2d692cda


Accepted Solutions

Re: How to view "phase 2" SPI details

Hi Phil,

You can verify the following:  

Regards.


Re: How to view "phase 2" SPI details

Hi Kenny,

That looks like it should be helpful, but the command on this page doesn't print anything on my firewall instance. However, I can go through the "fw tab -f -t vpn_routing -u" table manually to find my answer, so thank you!

I would need to go through this command in detail to find out what the problem is, but at first look the first grep statement is removing all the lines in my output as they all include the '+' sign. There's a deeper problem than that, though...

Re: How to view "phase 2" SPI details

I tested the main command of the suggested post on R77.30 and R80.10 and both work as expected (expert mode); however, you can give Alexey Bilay's modification a try:

fw tab -t vpn_routing -u | awk 'NR>3 {$0=substr($0,2,28); gsub(", ", ""); gsub("; ", ""); gsub("..", "0x& "); print}' | xargs printf "%d.%d.%d.%d\t-\t%d.%d.%d.%d\tPeer: %d.%d.%d.%d\r\n"

Regards.


Re: How to view "phase 2" SPI details

I am running R77.10 on the firewall I was testing against, which I know is out of support. Neither the original command nor my modified command worked on R77.30. I had to use separate versions for each as the output format has changed across versions. The original command may not work in future releases as the output format of the vpn_routing table does not seem to be stable:

R77.10
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a," "); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '


R77.30
echo -e "\033[0m####################\n# VPN Routing #\n####################";fw tab -f -t vpn_routing -u 2>&1 |awk '{split($0,a,";"); print a[6]}' |sort -ng |uniq | awk '{split($0,a,":"); print a[2]}' | xargs -I % sh -c 'echo -n "External Gateway: ";echo -e "\033[0;31m % \\033[37m";echo -e " Routing: \033[32m";fw tab -f -t vpn_routing -u 2>&1 |grep % |awk '\''{split($0,b,";"); print b[2] b[3]}'\''| sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m" '

Re: How to view "phase 2" SPI details

For anyone interested I created this script based on the original so I can easily check idents for single VPN peers (tested on R77.10 & R77.30; mileage may vary on different versions):

#!/bin/bash
echo -e "\033[0m####################\n# VPN Routing #\n####################"
# Take the peer gateway address from the first argument, or prompt for it
if [ $# -eq 0 ]
then
read -p 'Gateway: ' ipaddr
else
ipaddr=$1
fi
echo -n "For Single Gateway: "
echo -e "\033[0;31m $ipaddr \\033[37m"
echo -e " Routing: \033[32m"
# Dump the formatted vpn_routing table and keep only the lines for this peer
# (-F: treat the dots literally; -w: do not match 10.0.0.10 when asked for 10.0.0.1),
# then reduce each line to its From/To pair and drop duplicates
fw tab -f -t vpn_routing -u 2>&1 |grep -F -w -- "$ipaddr" |awk '{split($0,b,";"); print b[2] b[3]}' | sed 's/,//'| sed 's/From\://'| sed 's/To\:/-/'|sort -u ;echo -e "\033[0m"

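An added example, not from this thread and not Check Point's own code: a small POSIX shell script that does the two things the posts above do, decoding the raw (unformatted) `fw tab -t vpn_routing -u` entries the way Alexey Bilay's awk one-liner does, and listing the routes for a single peer the way the per-gateway script does, but without `xargs printf` and without `grep` on the peer address. It assumes only what that awk command assumes about the raw table layout, namely that each entry starts with `<` followed by three 8-hex-digit IPv4 fields (from, to, peer) separated by `, `; whatever follows the third field is ignored. The table lines in the script are constructed sample data, not real gateway output, and the function names `hex2ip`, `decode_entry` and `routes_for_peer` are assumptions of this example. The filter compares the decoded peer address exactly, so asking for 203.0.113.1 does not also return entries for 203.0.113.10, which an unquoted `grep $ipaddr` would.

```shell
#!/bin/sh
# Added example (not from the thread). Decodes raw vpn_routing entries and
# filters them by peer. Assumes the layout the awk one-liner in the thread
# assumes: '<' then three 8-hex-digit IPv4 fields (from, to, peer) separated
# by ", "; whatever follows the peer field is ignored.

# Constructed sample of a raw table dump (not real 'fw tab' output).
# 203.0.113.1 owns two encryption domains, 203.0.113.10 owns one.
SAMPLE_TABLE='vpn_routing (constructed sample; header lines are skipped)
<c0a80a00, c0a80aff, cb007101, 00000000; 00000000>
<c0a81400, c0a814ff, cb007101, 00000000; 00000000>
<0a000000, 0a0000ff, cb00710a, 00000000; 00000000>'

# hex2ip c0a80a00  ->  192.168.10.0
hex2ip() {
    h=$1
    b1=${h%??????}; rest=${h#??}          # first byte, remaining 6 digits
    b2=${rest%????}; rest=${rest#??}      # second byte, remaining 4 digits
    b3=${rest%??};   b4=${rest#??}        # third and fourth bytes
    printf '%d.%d.%d.%d' $((0x$b1)) $((0x$b2)) $((0x$b3)) $((0x$b4))
}

# decode_entry '<c0a80a00, c0a80aff, cb007101, ...>'
#   -> 192.168.10.0 - 192.168.10.255 Peer: 203.0.113.1
decode_entry() {
    line=${1#<}                 # drop the leading '<'
    from=${line%%,*}; line=${line#*, }
    to=${line%%,*};   line=${line#*, }
    peer=${line%%[,;]*}         # third field ends at the next ',' or ';'
    printf '%s - %s Peer: %s\n' "$(hex2ip "$from")" "$(hex2ip "$to")" "$(hex2ip "$peer")"
}

# routes_for_peer <peer-ip>: reads a raw table dump on stdin and prints the
# decoded entries whose peer is exactly <peer-ip>. Lines not starting with
# '<' (table headers) are skipped. Comparing the decoded address as a whole
# means 203.0.113.1 does not also match 203.0.113.10.
routes_for_peer() {
    want=$1
    while IFS= read -r raw; do
        case $raw in '<'*) ;; *) continue ;; esac
        decoded=$(decode_entry "$raw")
        case $decoded in *"Peer: $want") printf '%s\n' "$decoded" ;; esac
    done
}

# Demo on the constructed sample. On a gateway, in expert mode, the same
# function would be fed the live table instead:
#   fw tab -t vpn_routing -u | routes_for_peer 203.0.113.1
printf '%s\n' "$SAMPLE_TABLE" | routes_for_peer 203.0.113.1
```

The byte extraction uses only parameter expansion and arithmetic expansion, so it runs under Gaia's /bin/sh as well as bash; if a future release changes the raw layout (as the thread notes happened with the formatted output between R77.10 and R77.30), only `decode_entry` needs to change.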