Command of the Day


COTD: show crypto ipsec sa

It is well known that the Aruba controller can support wireless access points. It is less well known that it can also terminate Cisco, L2TP and PPTP VPN client sessions, Remote APs and site-to-site VPN connections (at this time, these connections require a VPN license or the Remote AP license). If you have provisioned a device to terminate on the Aruba controller, you want to know whether the tunnel came up successfully. "show crypto ipsec sa" will show you all of these "Security Associations" on your controller:

(M3.arubanetworks.com) # show crypto ipsec sa

Initiator IP: 97.234.54.215
Responder IP: 67.165.169.208
Initiator: No
Initiator cookie:7c017c0989cfbf2c Responder cookie:3ce42b765cca4986
SA Creation Date: Sat Jan 9 17:26:32 2010
Life secs: 7200
Initiator Phase2 ID: 10.4.1.178/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:UDP-encapsulated Tunnel
PFS: No
OUT SPI 369b9092, IN SPI b2f69f00
Inner IP 10.4.1.178, internal type C
Aruba AP
Reference count: 3

In this example, the "Initiator IP" is the public IP address of the device that initiated the VPN connection, and the "Responder IP" is the device that responded to it. The "Initiator" parameter says whether the device we ran the command on initiated the connection; in this case, no. The "SA Creation Date" says when the security association, or VPN tunnel, was created. The "Inner IP" is the IP address assigned to the foreign device from the VPN pool. In this case the "Aruba AP" parameter means that the incoming device is an Aruba access point operating as a Remote AP. Other types of VPN connections will have a different

By default the command shows ALL security associations. You can also narrow it down to a single public IP address. For example, if you know a user has a Remote AP and want to know whether it is up, you can run "show crypto ipsec sa peer " and it will narrow the output down to only that device.
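As an added example (not from the post and not Aruba's code), a small Python helper that parses this output into one record per SA and flags what a defender would check on each one: a weak Phase2 cipher, PFS off, and an SA that has outlived its configured lifetime. The field names are assumptions of mine and the sample block is constructed from the single SA shown above.

```python
"""Parse 'show crypto ipsec sa' output and audit each SA. Added example, not Aruba's code;
assumes the field layout shown in the post; SAMPLE is constructed from its single SA."""
import re
from datetime import datetime

SAMPLE = """\
Initiator IP: 97.234.54.215
Responder IP: 67.165.169.208
Initiator: No
SA Creation Date: Sat Jan 9 17:26:32 2010
Life secs: 7200
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
PFS: No
OUT SPI 369b9092, IN SPI b2f69f00
Inner IP 10.4.1.178, internal type C
Aruba AP
"""

FIELDS = {  # one regex per field, since key/value spacing differs from line to line
    "initiator_ip": r"^Initiator IP:\s*(\S+)", "responder_ip": r"^Responder IP:\s*(\S+)",
    "we_initiated": r"^Initiator:\s*(\S+)", "created": r"^SA Creation Date:\s*(.+)$",
    "life_secs": r"^Life secs:\s*(\d+)", "enc": r"EncAlg:(\S+)", "pfs": r"^PFS:\s*(\S+)",
    "out_spi": r"^OUT SPI (\w+)", "in_spi": r"IN SPI (\w+)", "inner_ip": r"^Inner IP ([\d.]+)",
}
WEAK_ENC = {"esp-null", "esp-des", "esp-3des"}  # no confidentiality / deprecated ciphers

def _ts(s):  # controller clock format, e.g. 'Sat Jan 9 17:26:32 2010'; extra spaces tolerated
    return datetime.strptime(" ".join(s.split()), "%a %b %d %H:%M:%S %Y")

def parse_sas(text):
    """Split the output into SA blocks (each starts at 'Initiator IP:') and extract fields."""
    sas = []
    for block in filter(str.strip, re.split(r"(?m)^(?=Initiator IP:)", text.strip())):
        sa = {k: (m.group(1).strip() if (m := re.search(p, block, re.M)) else None)
              for k, p in FIELDS.items()}
        # The peer type is the bare line with no ':' and no SPI/Inner IP prefix, e.g. 'Aruba AP'.
        sa["peer_type"] = next((l.strip() for l in block.splitlines() if l.strip()
                                and ":" not in l and not l.startswith(("OUT SPI", "Inner IP"))), None)
        sas.append(sa)
    return sas

def audit_sa(sa, now):
    """Findings a defender acts on; 'now' is the controller clock (datetime or SA-date string)."""
    now = _ts(now) if isinstance(now, str) else now
    checks = [(sa["enc"] in WEAK_ENC, f"weak encryption {sa['enc']}"),
              (sa["pfs"] == "No", "PFS disabled"),
              ((now - _ts(sa["created"])).total_seconds() >= int(sa["life_secs"]),
               "SA older than its lifetime; rekey has not happened")]
    return [msg for hit, msg in checks if hit]
```

Feed it the full output of the command and compare "now" against the controller's own clock, since the SA creation date is stamped by the controller.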


Colin Joseph
Aruba Customer Engineering
