A basic overview of IPsec functionality can be displayed in the web interface in the VPN / IPsec menu. Click “Refresh status” to see the current state of each IPsec tunnel.
Possible states:
Green (“Up”): The corresponding IKE SA and all corresponding CHILD SAs are created.
Red (“Down”): The IKE SA is not created and the tunnel is not established.
Yellow (“Unknown”): The IKE SA status is not available.
Gray: The individual CHILD SA line can be gray if:
it is not marked as Active, or
its configuration was not accepted.
A quick overview can also be checked with the CLI command “cli_status_ipsec_show”. This command prints the IKE SA states, identified by their Peer IDs.
CLI(admin):~$ cli_status_ipsec_show
Status of active IPsec associations:
Peer ID: RipEX1-remote Status: up
Peer ID: RipEX8-remote Status: up
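For unattended monitoring, the output above can be parsed and compared against the peers that are supposed to be connected. The following is an added example, not part of the original documentation or the vendor's tooling. It assumes that Peer IDs contain no whitespace and that any status other than "up" needs attention; the function names and the "down" line in the sample are constructed for illustration.

```python
import re
import sys

# Constructed sample in the format printed by cli_status_ipsec_show,
# with the second peer changed to "down" (assumed status string).
SAMPLE = """\
Status of active IPsec associations:
Peer ID: RipEX1-remote Status: up
Peer ID: RipEX8-remote Status: down
"""

# Assumption: a Peer ID is a single token without whitespace.
LINE_RE = re.compile(r"^\s*Peer ID:\s*(?P<peer>\S+)\s+Status:\s*(?P<status>\S+)\s*$")


def parse_ipsec_status(text):
    """Return {peer_id: status} for every 'Peer ID: ... Status: ...' line."""
    peers = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            peers[match.group("peer")] = match.group("status").lower()
    return peers


def check_tunnels(text, expected_peers):
    """Return a list of (peer_id, problem) for tunnels that need attention.

    problem is the reported status when it is not "up", "missing" when an
    expected peer is absent from the output, or "unexpected" when the output
    lists a peer that is not in expected_peers.
    """
    seen = parse_ipsec_status(text)
    problems = []
    for peer in expected_peers:
        if peer not in seen:
            problems.append((peer, "missing"))
        elif seen[peer] != "up":
            problems.append((peer, seen[peer]))
    for peer in sorted(set(seen) - set(expected_peers)):
        problems.append((peer, "unexpected"))
    return problems


if __name__ == "__main__":
    # Usage: pipe the command output in and list expected Peer IDs as arguments.
    found = check_tunnels(sys.stdin.read(), sys.argv[1:])
    for peer, problem in found:
        print(f"{peer}: {problem}")
    sys.exit(1 if found else 0)
```

The script exits with a non-zero status when any tunnel is not up, is missing, or is not in the expected list, so it can be used directly as a monitoring check.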
Another option is to check the packets in the Monitoring menu. IKE uses UDP packets on ports 500 or 4500. ESP is IP protocol 50. A filter can be specified as UDP and “Other”. An example of a received ESP packet: