Netgate Discussion Forum

    [SOLVED] IPSec status vs GUI

    • alanwds

      I can see some tunnels with UP status in the GUI, but when I run ipsec status, the conXXXX entries do not show ESTABLISHED status. For example:

      ipsec statusall | grep con31006
          con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
          con31006{23186}:  ROUTED, TUNNEL, reqid 684
          con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
          con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
          con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
          con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
      


      I know that the interface uses vici to get the IPsec status, but can this be different from the ipsec status command?

      • jimp (Rebel Alliance, Developer, Netgate)

        Doing that grep, you could be missing some related info.

        If this is IKEv2 and one of several P2 entries for example it may not show how you expect. The fact that it has a rekey time on the second to last line implies that it's up, though.

        • alanwds

          Thank you for your insight @jimp. I just changed the keyword in my script (to monitor VPN tunnels on Zabbix) for knowing if the tunnel is up to "rekeying" instead of "ESTABLISHED".

          If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

          Thank you so much.

          1 Reply Last reply Reply Quote 0
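Added example, not part of the thread or of the linked script: a monitoring check that reads the child SA state field from `ipsec statusall` output instead of grepping for a keyword, and matches the connection name exactly so that `con3100` does not also match `con31006`. The function names and the `con31007` sample lines are constructed; it assumes the state is the second field on `name{id}:` lines, as in the output quoted above.

```shell
#!/bin/sh
# Constructed sample: the con31006 lines follow the output quoted in the
# thread (addresses masked); con31007 is an invented routed-only connection.
sample_statusall() {
cat <<'EOF'
    con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
    con31006{23186}:  ROUTED, TUNNEL, reqid 684
    con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
    con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
    con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
    con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
    con31007{23190}:  ROUTED, TUNNEL, reqid 685
    con31007{23190}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
EOF
}

# child_sa_state CONN
# Reads `ipsec statusall` text on stdin and prints one of:
#   up      at least one child SA of CONN is INSTALLED
#   routed  only a trap policy exists (ROUTED), no SA negotiated yet
#   down    no child SA line for CONN at all
child_sa_state() {
    awk -v conn="$1" '
        # Child SA lines start with "<conn>{<id>}:"; requiring the "{" right
        # after the name makes this an exact match on the connection name.
        index($1, conn "{") == 1 {
            state = $2
            sub(/,$/, "", state)          # "INSTALLED," -> "INSTALLED"
            if (state == "INSTALLED") installed++
            else if (state == "ROUTED") routed++
        }
        END {
            if (installed)   print "up"
            else if (routed) print "routed"
            else             print "down"
        }'
}

# Demonstration on the constructed sample; on a firewall, pipe the real
# command instead: ipsec statusall | child_sa_state con31006
for c in con31006 con31007 con3100; do
    printf '%s %s\n' "$c" "$(sample_statusall | child_sa_state "$c")"
done
```
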