ipsec statusall | awk {'print $3,$4,$5,$6'} | grep up

   ipsec statusall

   ip -s xfrm policy


====== forums blogs ======

https://sysadmins.co.za/setup-a-site-to-site-ipsec-vpn-with-strongswan-on-ubuntu/

https://serverfault.com/questions/1002024/strongswan-ipsec-tunnel-block-traffic-one-way


====== child_sa issue with Palo Alto ======

  1) /etc/strongswan.d/charon.conf # Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
  reuse_ikesa = yes

  2) cron disabled
  #*/1 * * * * /usr/sbin/ipsec up evoke1
  #*/1 * * * * /usr/sbin/ipsec up evoke2
  #*/1 * * * * /usr/sbin/ipsec up evoke3
  #*/1 * * * * /usr/sbin/ipsec up evoke4

  3) change tunnel from start to route
  old; auto=start
  new; auto=route