[SOLVED] IPSec status vs GUI

  • I can see some tunnels with UP status in the GUI, but when I run ipsec status, the conXXXX entries do not show ESTABLISHED status. For example:

    ipsec statusall | grep con31006
        con31006:   child:  x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0 TUNNEL, dpdaction=restart
        con31006{23186}:  ROUTED, TUNNEL, reqid 684
        con31006{23186}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0
        con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
        con31006{25820}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
        con31006{25820}:   x.x.x.x/32|x.x.x.x/27 === x.x.x.x/32|/0


    I know that the interface uses vici to get the IPsec status, but can this be different from the ipsec status command?

  • Rebel Alliance Developer Netgate

    Doing that grep, you could be missing some related info.

    If this is IKEv2 and one of several P2 entries for example it may not show how you expect. The fact that it has a rekey time on the second to last line implies that it's up, though.

  • Thank you for your insight @jimp. I just changed the keyword in my script (to monitor VPN tunnels on Zabbix) that checks whether the tunnel is up to "rekeying" instead of "ESTABLISHED".

    If you wanna take a look: https://github.com/alanwds/zabbix_ipsec_pfsense

    Thank you so much.
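As an added example (not the poster's Zabbix script and not pfSense or strongSwan code), here is a Python parser over constructed `ipsec statusall` output that decides tunnel state the way the reply above describes: ESTABLISHED is a state of the IKE_SA, and that line carries whatever connection name the IKE_SA was negotiated under (assumed here to be con31000), while the CHILD_SA for con31006 only ever shows INSTALLED with a rekey timer, so grepping for con31006 and ESTABLISHED finds nothing. The parser also keeps the bytes_i/bytes_o counters, since an INSTALLED SA with no traffic in either direction is worth a separate alert. All addresses, SPIs, connection names and the output text are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed `ipsec statusall` output (not captured from the poster's box).
# con31000 is an assumed name for the IKE_SA that carries the con31006 CHILD_SA.
SAMPLE_STATUSALL = """\
Status of IKE charon daemon (strongSwan 5.9.1, Linux 5.15.0, x86_64):
  uptime: 3 days, since Jan 01 00:00:00 2024
Listening IP addresses:
  203.0.113.1
Connections:
     con31000:  203.0.113.1...198.51.100.2  IKEv2, dpddelay=10s
     con31000:   child:  10.0.0.1/32 === 10.1.0.0/24 TUNNEL, dpdaction=restart
     con31006:   child:  10.0.0.1/32|10.0.1.0/27 === 10.2.0.0/24 TUNNEL, dpdaction=restart
     con31007:   child:  10.0.0.1/32 === 10.3.0.0/24 TUNNEL, dpdaction=restart
Routed Connections:
     con31006{23186}:  ROUTED, TUNNEL, reqid 684
     con31006{23186}:   10.0.0.1/32|10.0.1.0/27 === 10.2.0.0/24
     con31007{23187}:  ROUTED, TUNNEL, reqid 685
     con31007{23187}:   10.0.0.1/32 === 10.3.0.0/24
Security Associations (1 up, 0 connecting):
     con31000[12]: ESTABLISHED 21 minutes ago, 203.0.113.1[203.0.113.1]...198.51.100.2[198.51.100.2]
     con31000[12]: IKEv2 SPIs: 0123456789abcdef_i* fedcba9876543210_r, pre-shared key reauthentication in 2 hours
     con31006{25820}:  INSTALLED, TUNNEL, reqid 684, ESP SPIs: cec9b817_i 90ef7890_o
     con31006{25820}:   AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
     con31006{25820}:   10.0.0.1/32|10.0.1.0/27 === 10.2.0.0/24
"""

IKE_RE = re.compile(r"^\s*(?P<name>[^\s\[]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)")
CHILD_RE = re.compile(r"^\s*(?P<name>[^\s{]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")
REKEY_RE = re.compile(r"rekeying in ([^,]+)")
IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "REKEYED", "DELETING"}
CHILD_STATES = {"CREATED", "ROUTED", "INSTALLING", "INSTALLED", "UPDATING", "REKEYING",
                "REKEYED", "RETRYING", "DELETING", "DELETED"}


@dataclass
class ChildSA:
    name: str
    uid: int
    state: str
    ike_state: Optional[str]  # state of the enclosing IKE_SA; None for trap policies (Routed Connections)
    bytes_in: int = 0
    bytes_out: int = 0
    rekey_in: Optional[str] = None


def parse_statusall(text: str) -> Dict[Tuple[str, int], ChildSA]:
    """Collect every CHILD_SA keyed by (connection name, unique id), remembering the IKE_SA above it."""
    children: Dict[Tuple[str, int], ChildSA] = {}
    section, ike_state = "", None
    for line in text.splitlines():
        if line and not line[0].isspace():      # unindented line = section header
            section, ike_state = line, None
            continue
        m = IKE_RE.match(line)
        if m:                                   # IKE_SA line; continuation lines (e.g. "IKEv2 SPIs") are skipped
            if m.group("state") in IKE_STATES and section.startswith("Security Associations"):
                ike_state = m.group("state")
            continue
        m = CHILD_RE.match(line)
        if not m:
            continue
        key = (m.group("name"), int(m.group("id")))
        rest = m.group("rest")
        first = rest.split(",", 1)[0]
        if first in CHILD_STATES:               # first line of a CHILD_SA block
            parent = ike_state if section.startswith("Security Associations") else None
            children[key] = ChildSA(key[0], key[1], first, parent)
            continue
        sa = children.get(key)                  # cipher/counter and traffic-selector continuation lines
        if sa is None:
            continue
        b = BYTES_RE.search(rest)
        if b:
            sa.bytes_in, sa.bytes_out = int(b.group(1)), int(b.group(2))
        r = REKEY_RE.search(rest)
        if r:
            sa.rekey_in = r.group(1).strip()
    return children


def tunnel_status(children: Dict[Tuple[str, int], ChildSA], name: str) -> dict:
    """A P2 is up when it has an INSTALLED CHILD_SA under an ESTABLISHED IKE_SA; ROUTED alone is only a trap."""
    mine = [c for c in children.values() if c.name == name]
    installed = [c for c in mine if c.state == "INSTALLED" and c.ike_state == "ESTABLISHED"]
    return {
        "up": bool(installed),
        "installed": len(installed),
        "routed": sum(1 for c in mine if c.state == "ROUTED"),
        "bytes_in": sum(c.bytes_in for c in installed),
        "bytes_out": sum(c.bytes_out for c in installed),
        "rekey_in": next((c.rekey_in for c in installed if c.rekey_in), None),
        "idle": bool(installed) and all(c.bytes_in == 0 and c.bytes_out == 0 for c in installed),
    }


def grep_established(text: str, name: str) -> bool:
    """Reproduce `ipsec statusall | grep NAME | grep ESTABLISHED`, the check that misses child SAs."""
    return any(name in line and "ESTABLISHED" in line for line in text.splitlines())


if __name__ == "__main__":
    sas = parse_statusall(SAMPLE_STATUSALL)
    for con in ("con31006", "con31007"):
        print(con, "grep ESTABLISHED:", grep_established(SAMPLE_STATUSALL, con), tunnel_status(sas, con))
```

For a monitoring check, `up` is the value to alert on; `idle` (INSTALLED but zero bytes both ways) catches the case the ESTABLISHED grep and the GUI both report as healthy while nothing is actually crossing the tunnel.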
