The ipsec show show if the target IP address would get encrypted. Currently requires the XFRM/NETKEY stack root access. If no target IP is given, show all active source - dest tunnels.
It's pretty simplistic, so there might be cases where it is wrong. There is also obviously a race condition if you run this show and right afterwards the tunnel goes down.