How do I check the various IPsec tunnels on the Aruba controller?

Aruba Employee

Question:  How do I check the various IPsec tunnels on the Aruba controller?

 

Product and Software: This article applies to ArubaOS 5.0.1.0 and later.

 

When you provision a device (a remote AP, a CPsec AP or a VIA client) to terminate an IPsec tunnel on the Aruba controller, the first thing to verify is whether the tunnel actually came up.

The 'show crypto ipsec sa' command lists every IPsec Security Association (SA) currently active on the controller.

Example

(Aruba) # show crypto ipsec sa

Initiator IP: 97.234.54.215
Responder IP: 67.165.169.208
Initiator: No
Initiator cookie:7c017c0989cfbf2c Responder cookie:3ce42b765cca4986
SA Creation Date: Sat Jan 9 17:26:32 2010
Life secs: 7200
Initiator Phase2 ID: 10.4.1.178/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:UDP-encapsulated Tunnel
PFS: No
OUT SPI 369b9092, IN SPI b2f69f00
Inner IP 10.4.1.178, internal type C
Aruba AP
Reference count: 3

In this example, the Initiator IP is the public IP address of the device that initiated the VPN connection, and the Responder IP is the address of the device that answered it. The Initiator field says whether the device you ran the command on initiated the connection; here it is No, so the controller was the responder. SA Creation Date is when this security association (the VPN tunnel) was established, and Life secs is its lifetime in seconds, after which it must be rekeyed. The Initiator and Responder Phase2 IDs are the negotiated traffic selectors: 10.4.1.178/32 on the remote side and 0.0.0.0/0 on the controller side, so all traffic from the inner address is carried in the tunnel. Phase2 Transform shows the ESP cipher and integrity algorithm that were actually negotiated; esp-3des is a legacy cipher, so if your policy calls for AES, this is the line that tells you the peer settled for something weaker. PFS: No means no separate Diffie-Hellman exchange protected the Phase 2 keys. The OUT and IN SPIs identify the outbound and inbound ESP SAs, which is what you match on when looking at a packet capture. The Inner IP is the address assigned to the remote device from the VPN pool. Finally, the Aruba AP line means the peer is an Aruba access point operating as a remote AP (RAP).

By default, the command shows all security associations. You can narrow it to a single public IP address: if a user has a RAP and you want to know whether its tunnel is up, run 'show crypto ipsec sa peer <public IP address of the user>' and the output shows only that device's SA.
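The fields above are easier to audit by script than by eye once more than a handful of tunnels terminate on the controller. The following Python is an added example for this article (it is not Aruba code): it parses the detailed record format shown above, as printed by 'show crypto ipsec sa' or 'show crypto ipsec sa peer <ip>', looks up a peer the way the 'peer' option does, and flags two things a reviewer would want to see: a legacy ESP cipher and PFS turned off. SAMPLE is the record shown above, copied as-is; the field names follow that output. The set of ciphers treated as legacy (LEGACY_ENC) is this example's own assumption, not an Aruba list.

```python
"""Parse the detailed 'show crypto ipsec sa' record format and flag settings
that deserve a second look.

Added example for this article, not Aruba code. SAMPLE is the record printed
in the article; field names follow that output. LEGACY_ENC is an assumption
of this example (ESP ciphers a reviewer would want retired), not an Aruba list.
"""
import re

SAMPLE = """\
Initiator IP: 97.234.54.215
Responder IP: 67.165.169.208
Initiator: No
Initiator cookie:7c017c0989cfbf2c Responder cookie:3ce42b765cca4986
SA Creation Date: Sat Jan 9 17:26:32 2010
Life secs: 7200
Initiator Phase2 ID: 10.4.1.178/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:UDP-encapsulated Tunnel
PFS: No
OUT SPI 369b9092, IN SPI b2f69f00
Inner IP 10.4.1.178, internal type C
Aruba AP
Reference count: 3
"""

LEGACY_ENC = {"esp-des", "esp-3des", "esp-null"}   # assumption, see docstring

# Lines that do not follow the plain "Key: value" shape get their own pattern.
SPECIAL = [
    (re.compile(r"Initiator cookie:(\S+)\s+Responder cookie:(\S+)"),
     ("initiator_cookie", "responder_cookie")),
    (re.compile(r"Phase2 Transform: EncAlg:(\S+)\s+HMAC:(\S+)"),
     ("enc_alg", "hmac_alg")),
    (re.compile(r"OUT SPI (\w+), IN SPI (\w+)"), ("out_spi", "in_spi")),
    (re.compile(r"Inner IP (\S+), internal type (\S+)"),
     ("inner_ip", "internal_type")),
]


def parse_sa_records(text):
    """Return one dict per SA record; a record starts at each 'Initiator IP:' line."""
    records, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Initiator IP:") and cur:
            records.append(cur)
            cur = {}
        for pattern, keys in SPECIAL:
            m = pattern.match(line)
            if m:
                cur.update(zip(keys, m.groups()))
                break
        else:
            if line.startswith("Aruba "):
                cur["device_type"] = line       # "Aruba AP", "Aruba VIA", ...
            elif ":" in line:
                key, _, val = line.partition(":")
                cur[key.strip().lower().replace(" ", "_")] = val.strip()
    if cur:
        records.append(cur)
    return records


def find_peer(records, public_ip):
    """Same selection 'show crypto ipsec sa peer <ip>' makes: match either end."""
    for rec in records:
        if public_ip in (rec.get("initiator_ip"), rec.get("responder_ip")):
            return rec
    return None


def review(rec):
    """Return review findings for one record (empty list means nothing flagged)."""
    findings = []
    if rec.get("enc_alg") in LEGACY_ENC:
        findings.append("legacy ESP cipher negotiated: " + rec["enc_alg"])
    if rec.get("pfs", "").lower() == "no":
        findings.append("PFS disabled: no fresh DH exchange for the Phase 2 keys")
    return findings


if __name__ == "__main__":
    for rec in parse_sa_records(SAMPLE):
        print("%s -> %s (%s, inner %s)" % (rec["initiator_ip"], rec["responder_ip"],
                                             rec.get("device_type"), rec.get("inner_ip")))
        for finding in review(rec):
            print("  review:", finding)
```

Feed it the full output of 'show crypto ipsec sa' (with paging disabled or the capture complete) and every record is parsed, since each one begins with an 'Initiator IP:' line; the 'Aruba AP' or 'Aruba VIA' line is kept as device_type so RAPs and VIA clients can be told apart in the result.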

Starting with ArubaOS 5.0.1.0, the output of this command changed slightly.

As more endpoints came to depend on IPsec connectivity (APs with Control Plane Security (CPsec) enabled and VIA clients, in addition to RAPs), the list of SAs grew long enough that reading the detailed output meant paging through many screens. ArubaOS 5.0.1.0 therefore gives 'show crypto ipsec sa' a one-line-per-SA list view:

(Aruba) #show crypto ipsec sa
IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP  InitiatorID      ResponderID  Flags  Start Time       Inner IP
------------     ------------  -----------      -----------  -----  ----------       --------
61.48.59.9       10.69.69.16   10.69.16.73/32   0.0.0.0/0    UT     Jun 25 13:28:48  10.69.16.73
59.180.116.181   10.69.69.16   10.69.16.217/32  0.0.0.0/0    UT     Jun 25 11:43:12  10.69.16.217
68.56.31.179     10.69.69.16   10.69.16.128/32  0.0.0.0/0    UT     Jun 25 13:23:50  10.69.16.128
173.66.245.181   10.69.69.16   10.69.16.34/32   0.0.0.0/0    UT     Jun 25 12:20:18  10.69.16.34
96.241.225.97    10.69.69.16   10.69.16.181/32  0.0.0.0/0    UT     Jun 25 13:02:12  10.69.16.181
75.73.89.18      10.69.69.16   10.69.16.2/32    0.0.0.0/0    UT     Jun 25 13:09:28  10.69.16.2
138.130.107.167  10.69.69.16   10.69.16.31/32   0.0.0.0/0    UT     Jun 25 12:27:40  10.69.16.31
173.70.51.33     10.69.69.16   10.69.16.236/32  0.0.0.0/0    UT     Jun 25 13:18:05  10.69.16.236
122.161.102.25   10.69.69.16   10.69.16.216/32  0.0.0.0/0    UT     Jun 25 13:16:30  10.69.16.216
75.41.125.174    10.69.69.16   10.69.16.86/32   0.0.0.0/0    UT     Jun 25 12:59:11  10.69.16.86
221.148.62.48    10.69.69.16   10.69.16.87/32   0.0.0.0/0    UT     Jun 25 13:28:11  10.69.16.87
64.169.70.34     10.69.69.16   10.69.16.194/32  0.0.0.0/0    UT     Jun 25 12:00:24  10.69.16.194
206.248.44.72    10.69.69.16   10.69.16.102/32  0.0.0.0/0    UT     Jun 25 13:14:21  10.69.16.102
119.80.75.25     10.69.69.16   10.69.16.88/32   0.0.0.0/0    UT     Jun 25 13:23:14  10.69.16.88
71.80.54.29      10.69.69.16   10.69.16.153/32  0.0.0.0/0    UT     Jun 25 11:55:22  10.69.16.153
66.168.57.194    10.69.69.16   10.69.16.154/32  0.0.0.0/0    UT     Jun 25 11:52:05  10.69.16.154
76.247.107.149   10.69.69.16   10.69.16.187/32  0.0.0.0/0    UT     Jun 25 12:52:56  10.69.16.187
216.160.3.158    10.69.69.16   10.69.16.218/32  0.0.0.0/0    UT     Jun 25 11:54:40  10.69.16.218
72.81.29.75      10.69.69.16   10.69.16.8/32    0.0.0.0/0    UT     Jun 25 13:28:41  10.69.16.8
98.232.107.61    10.69.69.16   10.69.16.170/32  0.0.0.0/0    UT     Jun 25 12:24:45  10.69.16.170
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client
Total IPSEC SAs: 20
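The list view is what you will usually be handed when someone asks "is this user's RAP up?", and it is also the output most likely to be cut off by the CLI pager. The following Python is an added example for this article (not Aruba code): it parses the list view, decodes the Flags column from the legend the controller itself prints, answers the peer lookup against the parsed table, and checks the number of rows against the 'Total IPSEC SAs' line so a truncated capture is noticed. LIST_VIEW is a constructed sample, the first six rows of the table above with the total line set to 6 so that it is self-consistent; the column names follow the controller's header.

```python
"""Parse the list view of 'show crypto ipsec sa' (ArubaOS 5.0.1.0 and later).

Added example for this article, not Aruba code. LIST_VIEW is constructed from
the first six rows of the table in the article, with the Total line set to 6
so the sample is self-consistent. Column names follow the controller's header.
"""
import re
from collections import Counter

LIST_VIEW = """\
IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP  InitiatorID      ResponderID  Flags  Start Time       Inner IP
------------     ------------  -----------      -----------  -----  ----------       --------
61.48.59.9       10.69.69.16   10.69.16.73/32   0.0.0.0/0    UT     Jun 25 13:28:48  10.69.16.73
59.180.116.181   10.69.69.16   10.69.16.217/32  0.0.0.0/0    UT     Jun 25 11:43:12  10.69.16.217
68.56.31.179     10.69.69.16   10.69.16.128/32  0.0.0.0/0    UT     Jun 25 13:23:50  10.69.16.128
173.66.245.181   10.69.69.16   10.69.16.34/32   0.0.0.0/0    UT     Jun 25 12:20:18  10.69.16.34
96.241.225.97    10.69.69.16   10.69.16.181/32  0.0.0.0/0    UT     Jun 25 13:02:12  10.69.16.181
75.73.89.18      10.69.69.16   10.69.16.2/32    0.0.0.0/0    UT     Jun 25 13:09:28  10.69.16.2
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client
Total IPSEC SAs: 6
"""

# One SA per line: four address/selector columns, the flag letters, a
# "Mon DD HH:MM:SS" start time and the inner IP.
ROW_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s+"
    r"([A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2})\s+(\S+)$")
LEGEND_RE = re.compile(r"([A-Z]) = ([^;]+)")
COLUMNS = ("initiator_ip", "responder_ip", "initiator_id", "responder_id",
           "flags", "start_time", "inner_ip")


def parse_list_view(text):
    """Return (rows, legend, total). rows: list of dicts keyed by COLUMNS;
    legend: {flag letter: meaning} from the footer; total: the controller's
    own count, or None if the 'Total IPSEC SAs' line is missing."""
    rows, legend, total = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            rows.append(dict(zip(COLUMNS, m.groups())))
        elif line.startswith("Total IPSEC SAs:"):
            total = int(line.split(":", 1)[1])
        elif " = " in line:
            legend.update(LEGEND_RE.findall(line))
    return rows, legend, total


def decode_flags(flags, legend):
    """Expand a Flags value such as 'UT' using the legend the controller printed."""
    return [legend.get(f, "unknown flag " + f) for f in flags]


def find_peer(rows, public_ip):
    """Same selection as 'show crypto ipsec sa peer <ip>': match either endpoint."""
    for row in rows:
        if public_ip in (row["initiator_ip"], row["responder_ip"]):
            return row
    return None


def capture_complete(rows, total):
    """True when the parsed row count equals the controller's total. A
    mismatch usually means the capture was cut off by the CLI pager."""
    return total is not None and len(rows) == total


def count_by_flags(rows):
    """How many SAs share each Flags value, e.g. {'UT': 6}."""
    return dict(Counter(row["flags"] for row in rows))


if __name__ == "__main__":
    rows, legend, total = parse_list_view(LIST_VIEW)
    print("parsed %d SAs, controller reports %s, complete=%s"
          % (len(rows), total, capture_complete(rows, total)))
    for flags, n in count_by_flags(rows).items():
        print("  %s x %d: %s" % (flags, n, ", ".join(decode_flags(flags, legend))))
    hit = find_peer(rows, "173.66.245.181")
    print("peer 173.66.245.181:", "up, inner IP " + hit["inner_ip"] if hit else "no SA")
```

Decoding the flags from the printed legend rather than a hard-coded table means the script keeps working if a release adds a flag letter; an unknown letter is reported as such instead of being silently dropped.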

To see the full detail for one SA, use the 'peer' option with the device's public IP address, as before.

Here is an example for a VIA client that has established an IPsec tunnel to the controller:

(Aruba) #show crypto ipsec sa peer 80.254.65.210
Initiator IP: 80.254.65.210
Responder IP: 10.69.69.16
Initiator: No
Initiator cookie:018006409496dde5 Responder cookie:659f346abddccaf7
SA Creation Date: Fri Jun 25 13:21:23 2010
Life secs: 7200
Initiator Phase2 ID: 10.69.16.7/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:UDP-encapsulated Tunnel
PFS: No
OUT SPI 1b0aa012, IN SPI 1b5c5300
Inner IP 10.69.16.7, internal type C
Aruba VIA
Reference count: 3

Version history: Revision 1 of 1. Last update: 07-07-2014 02:33 PM