Step by Step Configure Router Vyata 6.5.40

Uploaded by

gepenks83
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
27 views12 pages

Step by Step Configure Router Vyata 6.5.40

Uploaded by

gepenks83
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
You are on page 1/ 12

Chapter 2: IPsec Site-to-Site VPN IPsec Site-to-Site VPN Commands 111

generate vpn x509 key-pair <name>

Generates an X.509 private key file and a certificate signing request file.

Syntax
generate vpn x509 key-pair name

Command Mode
Operational mode.

Parameters

name The name to be used for the X.509 private key file and
certificate signing request file. The private key file will be called
/config/auth/name.key and the certificate signing request file
will be called /config/auth/name.csr.

Usage Guidelines
Use this command to generate an X.509 private key file and a certificate signing request
file. The private key file is required for configuring a VPN for X.509 authentication (see
vpn ipsec site-to-site peer <peer> authentication x509 key file <file-name>). The
certificate signing request file must be sent to a certificate authority (CA). In return, the
CA will provide a server certificate (e.g. name.crt), a CA certificate (e.g. ca.crt), and
potentially, a certificate revocation list (.crl) file. This procedure varies according to the
CA being used. The files returned are also used to configure a VPN for X.509
authentication (see vpn ipsec site-to-site peer <peer> authentication x509 cert-file <file-
name> for specifying the server certificate, vpn ipsec site-to-site peer <peer>
authentication x509 ca-cert-file <file-name> for specifying the CA certificate, and vpn
ipsec site-to-site peer <peer> authentication x509 crl-file <file-name> for specifying the
certificate revocation list).

VPN 6.5R1 v01 Vyatta


reset vpn ipsec-peer <peer>

Resets tunnels associated with the IPsec peer.

Syntax
reset vpn ipsec-peer peer [tunnel tunnel | vti]

Command Mode
Operational mode.

Parameters

peer The IPv4 or IPv6 address of the VPN peer.

tunnel The tunnel to be reset. The range is 0 to 4294967295.


vti Reset the virtual tunnel interface associated with the peer.

Usage Guidelines
Use this command to reset IPsec tunnels associated with the specified peer. Resetting
IPsec tunnels will cause the tunnels to be torn down and re-established.
If the peer is 0.0.0.0, “any”, or @id, then the tunnel is torn down and re-loaded but a
new connection is not initiated because the remote end could be multiple end-points.

If tunnel or vti is not specified then all IPsec connections associated with the peer will
be restarted.

restart vpn
Restarts the IPsec process.

Syntax
restart vpn

Command Mode
Operational mode.

Parameters
None.

Usage Guidelines
Use this command to restart the IPsec process.
Restarting IPsec will cause all tunnels to be torn down and re-established.

Examples
Example 2-55 shows the output resulting from the restart vpn command.
Example 2-55 “restart vpn” sample output

vyatta@WEST> restart vpn


Stopping Openswan IPsec…
Starting Openswan IPsec 2.4.6…

vyatta@WEST>

show vpn debug

Provides trace-level information about IPsec VPN.

Syntax
show vpn debug [detail | peer peer [tunnel tunnel]]

Command Mode
Operational mode.

Parameters

detail Provides extra verbose output at the trace level.

peer Shows trace-level information for the specified VPN peer. The
format is the IPv4 or IPv6 address of the peer.

tunnel Shows trace-level information for the specified tunnel to the
specified peer. The tunnel argument is an integer that uniquely
identifies the tunnel to the specified peer. The range is 0 to
4294967295.

Usage Guidelines
Use this command to view trace-level messages for IPsec VPN.
This command is useful for troubleshooting and diagnostic situations.

Examples
Example 2-56 shows the output of the show vpn debug command.
Example 2-56 “show vpn debug” sample output

vyatta@WEST> show vpn debug


000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 172.16.117.128:500
000 interface eth2/eth2 172.16.139.128:500
000 %myid = (none)
000 loaded plugins: curl ldap random pubkey openssl hmac gmp
000 debug options: none
000
000 "peer-172.16.139.160-tunnel-1": 172.16.139.128...172.16.139.160; erouted;
eroute owner: #5
000 "peer-172.16.139.160-tunnel-1": ike_life: 28800s; ipsec_life: 3600s;
rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "peer-172.16.139.160-tunnel-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32;
interface: eth2;
000 "peer-172.16.139.160-tunnel-1": newest ISAKMP SA: #4; newest IPsec SA: #5;
000 "peer-172.16.139.160-tunnel-1": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "peer-172.16.139.160-tunnel-1": ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
000
000 #5: "peer-172.16.139.160-tunnel-1" STATE_QUICK_R2 (IPsec SA
established); EVENT_SA_REPLACE in 3292s; newest IPSEC; eroute owner
000 #5: "peer-172.16.139.160-tunnel-1" esp.c75a2bd9@172.16.139.160 (0
bytes) esp.d1c08d06@172.16.139.128 (0 bytes); tunnel
000 #4: "peer-172.16.139.160-tunnel-1" STATE_MAIN_R3 (sent MR3, ISAKMP SA
established); EVENT_SA_REPLACE in 28491s; newest ISAKMP
--More--

Example 2-57 shows the output of the show vpn debug detail command.
Example 2-57 “show vpn debug detail” sample output

vyatta@WEST> show vpn debug detail


Unable to find IKEv2 messages. Strongswan might be running with IKEv2 turned off
or alternatively, your log files have been emptied (ie, logwatch)
vDUT-1
Wed Jan 20 23:22:27 GMT 2010
+ _________________________ version
+ ipsec --version
Linux strongSwan U4.3.2/K2.6.31-1-586-vyatta Institute
for Internet Technologies and Applications University of
Applied Sciences Rapperswil, Switzerland See 'ipsec --copyright'
for copyright information.
+ _________________________ /proc/net/pfkey
+ test -r /proc/net/pfkey
+ cat /proc/net/pfkey
sk RefCnt Rmem Wmem User Inode
+ _________________________ ip-xfrm-state
+ ip -s xfrm state
src 172.16.139.128 dst 172.16.139.160
proto esp spi 0xc75a2bd9(3344575449) reqid 16385(0x00004001) mode
tunnel replay-window 32 seq 0x00000000 flag (0x00000000)
auth hmac(sha1) 0x7cd0c727850b972ef14ad983e4067833ac9e9b74 (160 bits)
enc cbc(aes) 0x492215c8e674a858e887d23b05ec8fb1 (128 bits)
sel src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2010-01-20 22:44:56 use -
stats:
replay-window 0 replay 0 failed 0
--More--

show vpn ike rsa-keys

Displays RSA public keys recorded in the system.

Syntax
show vpn ike rsa-keys

Command Mode
Operational mode.

Parameters
None.

Usage Guidelines
Use this command to display the public portion of all RSA digital signatures recorded on
the system.
This will include the public portion of the RSA digital signature of the local host (the
private portion will not be displayed), plus the public key configured for any VPN peer.

Examples
Example 2-58 shows output of the show vpn ike rsa-keys command, which displays the
RSA digital signatures stored on router WEST. In this example:
• The public portion of the key for the local host is shown, but the private portion of
the local key remains hidden in the RSA keys file.
• The RSA public key recorded for the VPN peer EAST is also shown.
Example 2-58 “show vpn ike rsa-keys” sample output

vyatta@WEST> show vpn ike rsa-keys

Local public key

0sAQNfpZicOXWl1rMvNWLIfFppq1uWtUvj8esyjBl/zBfrK4ecZbt7WzMdMLiLugYtVgo+zJ
QV5dmQnN+n3qkU9ZLM5QWBxG4iLFtYcwC5fCMx0hBJfnIEd68d11h7Ea6J4IAm3ZWXcBeOV4
S8mC4HV+mqZfv3xyh1ELjfmLM3fWkp8g5mX7ymgcTpneHiSYX1T9NU3i2CHjYfeKPFb4zJIo
pu2R654kODGOa+4r241Zx3cDIJgHBYSYOiSFYbcdQhKQS3cclFPGVMHYGXjjoiUSA7d2eMab
DtIU4FwnqH3qVN/kdedK34sEJiMUgieT6pJQ6W8y+5PgESvouykx8cyTiOobnx0G9oqFcxYL
knQ3GbrPej

===============================================================
Peer IP: 10.1.0.55 (EAST)

0sAQOVBIJL+rIkpTuwh8FPeceAF0bhgLr++W51bOAIjFbRDbR8gX3Vlz6wiUbMgGwQxWlYQi
qsCeacicsfZx/amlEn9PkSE4e7tqK/JQo40L5C7gcNM24mup1d+0WmN3zLb9Qhmq5q3pNJxE
wnVbPPQeIdZMJxnb1+lA8DPC3SIxJM/3at1/KrwqCAhX3QNFY/zNmOtFogELCeyl4+d54wQl
jA+3dwFAQ4bboJ7YIDs+rqORxWd3l3I7IajT/pLrwr5eZ8OA9NtAedbMiCwxyuyUbznxXZ8Z
/MAi3xjL1pjYyWjNNiOij82QJfMOrjoXVCfcPn96ZN+Jqk+KknoVeNDwzpoahFOseJREeXzk
w3/lkMN9N1
vyatta@WEST>
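The two keys printed above are in the raw RSA public-key text format used by FreeS/WAN-derived IKEv1 daemons such as the pluto shown here: a "0s" prefix meaning base64, followed by the RFC 3110 encoding (one exponent-length octet, the exponent, then the modulus). The following Python script is an added example, not Vyatta's or strongSwan's code: it decodes a key in that format and reports its modulus size and public exponent, so an operator can check that the key recorded for a peer meets a local size baseline before trusting it. The two sample keys are constructed for the example (arbitrary integers, not real key material), and the 2048-bit minimum is an assumed local policy rather than a Vyatta default.

```python
import base64
from dataclasses import dataclass

# Assumed local policy for this example: refuse RSA keys below 2048 bits and
# flag public exponents smaller than 65537 (e=3 is common in older FreeS/WAN-era keys).
MIN_MODULUS_BITS = 2048


@dataclass
class RsaPublicKey:
    exponent: int
    modulus: int

    @property
    def modulus_bits(self) -> int:
        return self.modulus.bit_length()


def parse_raw_rsa_key(text: str) -> RsaPublicKey:
    """Parse a pluto-style '0s<base64>' RSA public key.

    After base64 decoding, the bytes follow RFC 3110 section 2: one length
    octet for the exponent (or 0x00 followed by a two-octet length), the
    exponent, then the modulus occupying the remainder. Whitespace and line
    breaks inside the base64 text (the show output wraps it) are ignored.
    """
    compact = "".join(text.split())
    if not compact.startswith("0s"):
        raise ValueError("expected a '0s' (base64) prefixed key")
    b64 = compact[2:]
    b64 += "=" * (-len(b64) % 4)  # restore any padding the display dropped
    raw = base64.b64decode(b64, validate=True)
    if not raw:
        raise ValueError("empty key")
    if raw[0] != 0:
        exp_len, offset = raw[0], 1
    else:
        if len(raw) < 3:
            raise ValueError("truncated exponent length")
        exp_len, offset = int.from_bytes(raw[1:3], "big"), 3
    exponent = raw[offset:offset + exp_len]
    modulus = raw[offset + exp_len:]
    if len(exponent) != exp_len or not modulus:
        raise ValueError("truncated key material")
    return RsaPublicKey(int.from_bytes(exponent, "big"), int.from_bytes(modulus, "big"))


def encode_raw_rsa_key(exponent: int, modulus: int) -> str:
    """Inverse of parse_raw_rsa_key; used here only to build constructed samples."""
    e = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    n = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    header = bytes([len(e)]) if len(e) < 256 else b"\x00" + len(e).to_bytes(2, "big")
    return "0s" + base64.b64encode(header + e + n).decode().rstrip("=")


def audit_key(text: str) -> list:
    """Return policy findings for one recorded key (an empty list means it passes)."""
    key = parse_raw_rsa_key(text)
    findings = []
    if key.modulus_bits < MIN_MODULUS_BITS:
        findings.append(f"modulus is {key.modulus_bits} bits, below {MIN_MODULUS_BITS}")
    if key.exponent < 65537:
        findings.append(f"public exponent {key.exponent} is smaller than 65537")
    return findings


# Constructed sample keys (not real key material): the moduli are arbitrary odd
# integers of the chosen size, which is all the parser and audit inspect.
SAMPLE_2048 = encode_raw_rsa_key(65537, (1 << 2047) | 0x1234567 | 1)
SAMPLE_1024_E3 = encode_raw_rsa_key(3, (1 << 1023) | 0x7654321 | 1)

if __name__ == "__main__":
    for label, key_text in (("2048-bit, e=65537", SAMPLE_2048), ("1024-bit, e=3", SAMPLE_1024_E3)):
        print(label, "->", audit_key(key_text) or "OK")
```

To check a live system, paste the key block from show vpn ike rsa-keys (including the line breaks) into audit_key; the parser strips the wrapping before decoding.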

show vpn ike sa

Provides information about all currently active IKE (ISAKMP) security associations.

Syntax
show vpn ike sa [nat-traversal | peer peer]

Command Mode
Operational mode.

Parameters

nat-traversal Displays all the IKE SAs that are using RFC 3947 NAT
Traversal.
peer Shows IKE SA information for the specified VPN peer. The
format is the IPv4 or IPv6 address of the peer.
There will be at most one IKE SA per peer (except possibly
during re-key negotiation).

Usage Guidelines
Use this command to display information about IKE security associations (SAs).

Examples
Example 2-59 shows the output of the show vpn ike sa command.
Example 2-59 “show vpn ike sa” sample output

vyatta@WEST> show vpn ike sa

Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.1.1                             192.168.1.2

    Description: site-to-site x509 tunnel

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    5        no     2162    28800

vyatta@WEST>
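The status rows of show vpn ike sa and the "IKE proposal" / "ESP proposal" lines of show vpn debug are what an operator reads after bringing a tunnel up. The following Python script is an added example, not Vyatta or strongSwan code: it parses both outputs (the sample text is constructed from the manual's Examples 2-56 and 2-59, with ASCII hyphens) and reports any SA or proposal that falls below an assumed local baseline of no SHA-1/MD5 integrity and a Diffie-Hellman group of at least 2048-bit MODP. The MODP-name-to-group mapping follows RFC 2409 and RFC 3526; the baseline itself is this example's assumption, not a Vyatta default.

```python
import ipaddress
import re

# Assumed local baseline for this example (a policy choice, not a Vyatta default):
# flag SHA-1/MD5 integrity and Diffie-Hellman groups below 2048-bit MODP (group 14).
WEAK_INTEGRITY = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}  # 768-, 1024- and 1536-bit MODP per RFC 2409 / RFC 3526
MODP_NAME_TO_GROUP = {"MODP_768": 1, "MODP_1024": 2, "MODP_1536": 5, "MODP_2048": 14}

# Constructed sample of 'show vpn ike sa' output, reproducing the manual's Example 2-59.
IKE_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
192.168.1.1                             192.168.1.2

    Description: site-to-site x509 tunnel

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    5        no     2162    28800
"""

# Constructed sample of the proposal lines printed by 'show vpn debug' (Example 2-56).
DEBUG_OUTPUT = """\
000 "peer-172.16.139.160-tunnel-1": IKE proposal: AES_CBC_128/HMAC_SHA1/MODP_1536
000 "peer-172.16.139.160-tunnel-1": ESP proposal: AES_CBC_128/HMAC_SHA1/<Phase1>
"""

# One SA data row: state, cipher, hash, numeric DH group, NAT-T yes/no, active and lifetime seconds.
SA_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(yes|no)\s+(\d+)\s+(\d+)\s*$")
PROPOSAL = re.compile(r'"([^"]+)":\s+(IKE|ESP) proposal:\s+(\S+)')


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ike_sa(text):
    """Return one dict per IKE SA row; each row carries the peer/local pair printed above it."""
    sas, peer, local = [], None, None
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if m:
            sas.append({"peer": peer, "local": local, "state": m.group(1),
                        "encrypt": m.group(2), "hash": m.group(3), "dh_group": int(m.group(4)),
                        "nat_t": m.group(5) == "yes",
                        "active_s": int(m.group(6)), "lifetime_s": int(m.group(7))})
            continue
        tokens = line.split()
        if len(tokens) == 2 and _is_ip(tokens[0]) and _is_ip(tokens[1]):
            peer, local = tokens  # the "Peer ID / IP   Local ID / IP" data line
    return sas


def parse_proposals(text):
    """Extract 'IKE proposal:' / 'ESP proposal:' lines into cipher/integrity/DH parts."""
    out = []
    for line in text.splitlines():
        m = PROPOSAL.search(line)
        if not m:
            continue
        conn, kind, prop = m.groups()
        parts = prop.split("/")
        out.append({"conn": conn, "kind": kind, "encrypt": parts[0],
                    "integrity": parts[1] if len(parts) > 1 else None,
                    "dh": parts[2] if len(parts) > 2 else None})
    return out


def audit_ike_sa(sa):
    """Policy findings for one IKE SA row (an empty list means it meets the baseline)."""
    findings = []
    if sa["hash"].lower() in WEAK_INTEGRITY:
        findings.append(f"{sa['peer']}: IKE integrity {sa['hash']} is below baseline")
    if sa["dh_group"] in WEAK_DH_GROUPS:
        findings.append(f"{sa['peer']}: DH group {sa['dh_group']} is below 2048-bit MODP")
    if sa["state"] != "up":
        findings.append(f"{sa['peer']}: IKE SA state is {sa['state']}")
    return findings


def audit_proposal(p):
    """Policy findings for one IKE/ESP proposal line."""
    findings = []
    integ = (p["integrity"] or "").upper()
    if any(weak.upper() in integ for weak in WEAK_INTEGRITY):
        findings.append(f"{p['conn']}: {p['kind']} integrity {p['integrity']} is below baseline")
    # pluto prints <Phase1> when the ESP PFS group is inherited from the IKE SA, so the
    # phase-1 finding (if any) already covers it and no group is checked here.
    group = None if p["dh"] in (None, "<Phase1>") else MODP_NAME_TO_GROUP.get(p["dh"])
    if group in WEAK_DH_GROUPS:
        findings.append(f"{p['conn']}: {p['kind']} DH {p['dh']} is below 2048-bit MODP")
    return findings


def audit_all(ike_sa_text, debug_text):
    findings = []
    for sa in parse_ike_sa(ike_sa_text):
        findings.extend(audit_ike_sa(sa))
    for p in parse_proposals(debug_text):
        findings.extend(audit_proposal(p))
    return findings


if __name__ == "__main__":
    for f in audit_all(IKE_SA_OUTPUT, DEBUG_OUTPUT):
        print("FINDING:", f)
```

Run against the manual's own sample output, the script flags the SHA-1 integrity and the 1536-bit group (group 5) on both the IKE SA row and the proposal lines; on a live router, feed it the captured output of the two commands.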