
Step by Step Configure Router Vyata 6.5.42


Chapter 2: IPsec Site‐to‐Site VPN IPsec Site‐to‐Site VPN Commands 132

show vpn ipsec status


Displays information about the status of IPsec processes.

Syntax
show vpn ipsec status

Command Mode
Operational mode.

Parameters
None

Usage Guidelines
Use this command to display information about the status of running IPsec
processes.
The information shown includes:
• The process ID
• The number of active tunnels
• The interfaces configured for IPsec
• The IP addresses of interfaces configured for IPsec

Examples
Example 2-68 shows the output of the show vpn ipsec status command.
Example 2‐68 “show vpn ipsec status” sample output

vyatta@WEST> show vpn ipsec status


IPSec Process Running PID: 5832

4 Active IPsec Tunnels

IPsec Interfaces:
eth1 (10.6.0.55)

vyatta@WEST>
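
The following is an added example, not part of the Vyatta documentation: a Python parser for the output layout shown in Example 2-68, with a health check a monitoring job could run against collected output. The names parse_status and check, the expected tunnel count, and the allowed-interface set are assumptions, as is treating a missing "Process Running" line as "not running", since the page shows only the running case.

```python
import re

# Output of Example 2-68, embedded so the example runs offline.
SAMPLE = """vyatta@WEST> show vpn ipsec status

IPSec Process Running PID: 5832

4 Active IPsec Tunnels

IPsec Interfaces:
eth1 (10.6.0.55)

vyatta@WEST>
"""

PID_RE = re.compile(r"IPSec Process Running PID:\s*(\d+)$", re.I)
TUNNELS_RE = re.compile(r"(\d+) Active IPsec Tunnels?$", re.I)
IFACE_RE = re.compile(r"(\S+)\s+\(([0-9A-Fa-f.:]+)\)$")

def parse_status(text):
    """Parse 'show vpn ipsec status' output in the layout of Example 2-68."""
    st = {"pid": None, "active_tunnels": None, "interfaces": {}}
    in_ifaces = False  # interface lines only count after "IPsec Interfaces:"
    for raw in text.splitlines():
        line = raw.strip()
        pid, tun = PID_RE.match(line), TUNNELS_RE.match(line)
        iface = IFACE_RE.match(line) if in_ifaces else None
        if pid:
            st["pid"] = int(pid.group(1))
        elif tun:
            st["active_tunnels"] = int(tun.group(1))
        elif line.lower() == "ipsec interfaces:":
            in_ifaces = True
        elif iface:
            st["interfaces"][iface.group(1)] = iface.group(2)
    return st

def check(st, expected_tunnels, allowed_ifaces):
    """Return a list of findings; an empty list means the status looks healthy."""
    findings = []
    if st["pid"] is None:  # assumption: no PID line means the process is down
        findings.append("IPsec process not reported as running")
    if st["active_tunnels"] is None or st["active_tunnels"] < expected_tunnels:
        findings.append("active tunnels: %s, expected at least %d"
                        % (st["active_tunnels"], expected_tunnels))
    for name in sorted(set(st["interfaces"]) - set(allowed_ifaces)):
        findings.append("IPsec enabled on unexpected interface " + name)
    return findings
```
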

VPN 6.5R1 v01 Vyatta



vpn ipsec
Enables IPsec VPN functionality on the system.

Syntax
set vpn ipsec
delete vpn ipsec
show vpn ipsec

Command Mode
Configuration mode.

Configuration Statement
vpn {
    ipsec {
    }
}

Parameters
None.

Default
None.

Usage Guidelines
Use this command to enable IPsec VPN functionality on the Vyatta System.
To configure VPN connections, you must also enable IPsec VPN on each interface to be
used for sending and receiving VPN traffic. To do this, use the vpn ipsec ipsec-interfaces
interface <if-name> command.
NOTE The sending and receiving of ICMP redirects is disabled when IPsec VPN is configured.
Use the set form of this command to enable IPsec VPN.
Use the delete form of this command to remove all IPsec VPN configuration and
disable IPsec VPN functionality.
Use the show form of this command to view the IPsec VPN configuration.


vpn ipsec auto-update <interval>


Specifies the interval to automatically refresh IPsec connections.

Syntax
set vpn ipsec auto-update interval
delete vpn ipsec auto-update
show vpn ipsec auto-update

Command Mode
Configuration mode.

Configuration Statement
vpn {
    ipsec {
        auto-update interval
    }
}

Parameters

interval    The interval (seconds) in which to review IPsec connections for
            changes (for example, the IP address of a dynamic DNS peer
            changes) and restart them if changes are found. The range is 30 to
            65535.

Default
IPsec connections are not refreshed periodically.

Usage Guidelines
Use this command to specify the interval to automatically refresh IPsec connections.
This is most useful for connections where the remote peer uses dynamic DNS to keep
track of its address. Auto-update will review information pertaining to the connection at
the specified interval and, if it is changed (for example, if the dynamic DNS peer’s IP
address has changed), will restart the connection.
Use the set form of this command to specify the interval at which to automatically
refresh IPsec connections.
Use the delete form of this command to remove the configuration.
Use the show form of this command to view the configuration.


vpn ipsec esp-group <name>


Defines a named ESP configuration for IKE Phase 2 negotiations.

Syntax
set vpn ipsec esp-group name
delete vpn ipsec esp-group
show vpn ipsec esp-group

Command Mode
Configuration mode.

Configuration Statement
vpn {
    ipsec {
        esp-group name {
        }
    }
}

Parameters

name    Multi-node. The name to be used to refer to the ESP configuration.
        You can create multiple ESP configurations by creating multiple
        esp-group configuration nodes. At least one ESP configuration
        must be defined, for use in tunnel configuration.

Default
None.

Usage Guidelines
Use this command to define an ESP group.
An ESP group lets you set the Encapsulating Security Payload (ESP) parameters
required for IKE Phase 2 and the lifetime of the resulting IPsec security
association.
Use the set form of this command to create and modify an ESP group.
Use the delete form of this command to remove ESP group configuration.
Use the show form of this command to view ESP group configuration.


vpn ipsec esp-group <name> compression <state>


Specifies whether this VPN gateway should propose the use of compression.

Syntax
set vpn ipsec esp-group name compression state
delete vpn ipsec esp-group name compression
show vpn ipsec esp-group name compression

Command Mode
Configuration mode.

Configuration Statement
vpn {
    ipsec {
        esp-group name {
            compression state
        }
    }
}

Parameters

name     The name to be used to refer to the ESP configuration.

state    Enables or disables proposal of ESP compression. Supported
         values are as follows:
         enable: Enables proposal of ESP compression.
         disable: Disables proposal of ESP compression.

Default
ESP compression is disabled.

Usage Guidelines
Use this command to specify whether or not to propose ESP compression during IKE
Phase 2 negotiation.
NOTE Regardless of this setting, if the other gateway proposes compression, this gateway will
comply.
Use the set form of this command to specify whether or not to enable ESP
compression.
Use the delete form of this command to restore the default behavior.
Use the show form of this command to view ESP compression configuration.
