Use the following command to verify the outbound connections for pairwise keys:
Device# show sdwan ipsec pwk outbound-connections
SOURCE IP  SOURCE PORT  DEST IP  DEST PORT  LOCAL TLOC ADDRESS  LOCAL TLOC COLOR  REMOTE TLOC ADDRESS  REMOTE TLOC COLOR  PWK-SPI  SA INDEX  PKEY ID  NONCE HASH  PKEY HASH  SS HASH  E-KEY HASH  AH AUTH
----------------------------------------+--------+----------------------------------------+--------+----------------+----------------+----------------+----------------+---------+------+------+------+------+------+------+----
10.168.11.3 12346 192.168.90.3 12346 10.1.0.2 lte 10.1.0.1 private1 000000 202 0 6668 17B0 F5A5 true
10.168.11.3 12346 192.168.92.6 12346 10.1.0.2 lte 10.1.0.6 default 00A001 52 10 0ED6 AF12 0A09 8030 true
10.168.12.3 12346 192.168.90.3 12346 10.1.0.2 blue 10.1.0.1 private1 000000 205 0 6668 17B0 F5A5 true
10.168.12.3 12346 192.168.92.6 12346 10.1.0.2 blue 10.1.0.6 default 00A001 55 10 0ED6 AF12 B9B7 BE29 true
Use the following command to verify the inbound connections on IPsec pairwise keys:
Device# show sdwan ipsec pwk inbound-connections
SOURCE IP  SOURCE PORT  DEST IP  DEST PORT  LOCAL TLOC ADDRESS  LOCAL TLOC COLOR  REMOTE TLOC ADDRESS  REMOTE TLOC COLOR  PWK-SPI  SA INDEX  PKEY ID  NONCE HASH  PKEY HASH  SS HASH  D-KEY HASH  AH AUTH
----------------------------------------+--------+----------------------------------------+--------+----------------+----------------+----------------+----------------+---------+------+------+------+------+------+------+----
192.168.90.3 12346 10.168.11.3 12346 10.1.0.2 lte 10.1.0.1 private1 000000 2 1 5605 70C7 17B0 F5A5 true
192.168.92.6 12346 10.168.11.3 12346 10.1.0.2 lte 10.1.0.6 default 00100B 52 1 5605 70C7 CCC2 C9E1 true
192.168.90.3 12346 10.168.12.3 12346 10.1.0.2 blue 10.1.0.1 private1 000000 5 1 B9F9 5C75 17B0 F5A5 true
192.168.92.6 12346 10.168.12.3 12346 10.1.0.2 blue 10.1.0.6 default 00100B 55 1 B9F9 5C75 A0F8 7B6B true
Use the following command to verify the local security associations (SAs) used for pairwise keys:
Device# show sdwan ipsec pwk local-sa
TLOC-ADDRESS  TLOC-COLOR  SOURCE-IP  SOURCE PORT  SPI  SA INDEX  PKEY ID  NONCE HASH  PKEY HASH
---------------+---------------+---------------------------------------+-------+-------+-----+-----+-----+-----
10.1.0.2 lte 10.168.11.3 12346 257 6 1 5605 70C7
10.1.0.2 blue 10.168.12.3 12346 257 3 1 B9F9 5C75
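As an added example that is not part of this Cisco documentation, the following Python parses the inbound-connections and local-sa output shown above and cross-checks them: the NONCE HASH and PKEY HASH of each inbound connection should equal the local-sa entry for the same local TLOC, and any connection with an all-zero PWK-SPI is reported for review. Treating an all-zero PWK-SPI as the absence of a pairwise SPI with that peer is an assumption of this example, not something the output itself states.

```python
import re

# Sample rows copied from the inbound-connections and local-sa output shown above
# (embedded as a constructed test fixture; header and separator lines omitted).
INBOUND = """\
192.168.90.3 12346 10.168.11.3 12346 10.1.0.2 lte 10.1.0.1 private1 000000 2 1 5605 70C7 17B0 F5A5 true
192.168.92.6 12346 10.168.11.3 12346 10.1.0.2 lte 10.1.0.6 default 00100B 52 1 5605 70C7 CCC2 C9E1 true
192.168.90.3 12346 10.168.12.3 12346 10.1.0.2 blue 10.1.0.1 private1 000000 5 1 B9F9 5C75 17B0 F5A5 true
192.168.92.6 12346 10.168.12.3 12346 10.1.0.2 blue 10.1.0.6 default 00100B 55 1 B9F9 5C75 A0F8 7B6B true
"""
LOCAL_SA = """\
10.1.0.2 lte 10.168.11.3 12346 257 6 1 5605 70C7
10.1.0.2 blue 10.168.12.3 12346 257 3 1 B9F9 5C75
"""

# Column order of the two tables, taken from their headers.
INBOUND_COLS = ("src_ip", "src_port", "dst_ip", "dst_port", "local_tloc", "local_color",
                "remote_tloc", "remote_color", "pwk_spi", "sa_index", "pkey_id",
                "nonce_hash", "pkey_hash", "ss_hash", "dkey_hash", "ah_auth")
LOCAL_SA_COLS = ("tloc", "color", "src_ip", "src_port", "spi", "sa_index", "pkey_id",
                 "nonce_hash", "pkey_hash")

def parse_rows(text, cols):
    """Return one dict per data row; header, separator and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(cols) or not re.fullmatch(r"\d+(\.\d+){3}", fields[0]):
            continue
        rows.append(dict(zip(cols, fields)))
    return rows

def check_inbound(inbound_text, local_sa_text):
    """Cross-check inbound connections against the local SAs; return a list of findings."""
    local = {(r["tloc"], r["color"]): r for r in parse_rows(local_sa_text, LOCAL_SA_COLS)}
    findings = []
    for r in parse_rows(inbound_text, INBOUND_COLS):
        peer = f"{r['remote_tloc']}/{r['remote_color']} via local {r['local_color']}"
        sa = local.get((r["local_tloc"], r["local_color"]))
        if sa is None:
            findings.append(f"{peer}: no local-sa entry for this TLOC")
        elif (r["nonce_hash"], r["pkey_hash"]) != (sa["nonce_hash"], sa["pkey_hash"]):
            findings.append(f"{peer}: NONCE/PKEY hash differs from local-sa")
        # Assumption of this example: an all-zero PWK-SPI means no pairwise SPI with this peer.
        if set(r["pwk_spi"]) == {"0"}:
            findings.append(f"{peer}: PWK-SPI is all zeros")
        if r["ah_auth"] != "true":
            findings.append(f"{peer}: AH AUTH is not true")
    return findings
```

Run against the sample above, the check reports only the two connections to the private1 peer, whose PWK-SPI is 000000; paste the full command output (headers included) into the two strings to run it against a live device.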
Use the following command to display the IPsec SA and SPI entries programmed in the QFP datapath:
Device# show platform hardware qfp active feature ipsec da spi
g_hash_idx Flow id QFP SA hdl source IP sport dest IP dport SA ptr spi/old crypto_hdl/old
-----------+--------+-----------+----------------------------------------+------+----------------------------------------+------+-----------+----------------------+-------------------------------------
1541 3 11 192.168.90.3 12346 192.168.92.6 12346 0x312b84f0 0x00000115/0x00000114 0x0000000031fbfa80/0x0000000031fbd520
6661 131 36 10.168.12.3 12346 192.168.92.6 12346 0x312b9990 0x0000b001/0x0000a001 0x0000000031fbe380/0x0000000031fbc9a0
7429 117 6 10.168.11.3 12346 192.168.92.6 12346 0x312b9300 0x0000b001/0x0000a001 0x0000000031fbd970/0x0000000031fbb580
Device        System id   Wan int       Wan ip
Yubei-cedge   5102        Gi2.xxx Sub   10.168.xxx
Yubei-tsn     5108        Gi0/0/1       192.168.92.8
Yubei-ovld    5106        Gi0/0/0       192.168.92.6
Yubei-1ng     5107        Gi0/0/0       192.168.92.7
Yubei-utah    5104        Gi0/0/0       192.168.92.4
Yubei-vedge   5101        ge0/0         192.168.90.3
Use the following command to display IPsec pairwise keys information on a Cisco IOS XE Catalyst SD-WAN device:
Device# show sdwan security-info
security-info authentication-type "AH_SHA1_HMAC SHA1_HMAC"
security-info rekey 86400
security-info replay-window 512
security-info encryption-supported "AES_GCM_256 (and AES_256_CBC for multicast)"
security-info fips-mode Enabled
security-info pairwise-keying Enabled
Debug Commands on Cisco IOS XE Catalyst SD-WAN Devices
Use the following debug commands for debugging issues related to IPsec pairwise keys:
debug plat soft sdwan ftm pwk [dump | log]
debug plat soft sdwan ttm pwk [dump | log]
debug plat soft sdwan vdaemon pwk [dump | log]