Monitoring IPSec

This section contains information about troubleshooting and monitoring IPSec.

System Event Logs

To troubleshoot and monitor IPSec, use the following system event logs:

• auditIpsec—Lower layers of IKE SA negotiations
• ikepki—Upper layers of IKE SA negotiations
• stTunnel—Secure tunnel interface

For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.

show Commands

To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.

show ipsec ike-policy-rule

show ike policy-rule

Note: The show ipsec ike-policy-rule command replaces the show ipsec isakmp-policy-rule command, which may be removed completely in a future release.

• Use to display the configuration of IKE phase 1 policy rules.
• Field descriptions
  • Protection suite priority—Priority number assigned to the policy rule
  • encryption algorithm—Encryption algorithm used in the IKE policy: des, 3des
  • hash algorithm—Hash algorithm used in the IKE policy: SHA, MD5
  • authentication method—Authentication method used in the IKE policy: RSA signature, preshared keys
  • Diffie-Hellman group—Size of the Diffie-Hellman group: 768-bit, 1024-bit, 1536-bit
  • lifetime—Lifetime of SAs created with this policy: 60 to 86400 seconds
  • aggressive mode—Allowed or not allowed
• Example

  host1#show ipsec ike-policy-rule
  

  IKE Policy Rules:

  Protection suite priority: 5
      encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys)
      hash algorithm       :SHA Secure Hash Standard
      authentication method:RSA Signatures
      Diffie-Hellman group :5 (1536 bit)
      lifetime             :7200 seconds
      aggressive mode      :Not Allowed

  Protection suite priority: 6
      encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys)
      hash algorithm       :SHA Secure Hash Standard
      authentication method:Pre Shared Keys
      Diffie-Hellman group :2 (1024 bit)
      lifetime             :28800 seconds
      aggressive mode      :Not Allowed 

• See show ipsec ike-policy-rule.
• See show ike policy-rule.

show ipsec ike-sa

show ike sa

Note: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.

• Use to display IKE phase 1 SAs running on the router.
• Field descriptions
  • Local:Port—Local IP address and UDP port number of phase 1 negotiation
  • Remote:Port—Remote IP address and UDP port number of phase 1 negotiation
  • Time(Sec)—Time remaining in phase 1 lifetime, in seconds
  • State—Current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. Possible states are:
    • AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder
    • AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator
    • AM_FINAL_I—Initiator has finished aggressive mode negotiation
    • AM_DONE_R—Responder has finished aggressive mode negotiation
    • MM_SA_I—Initiator has sent initial main mode SA payload to the responder
    • MM_SA_R—Responder has sent a response to the initial main mode SA
    • MM_KE_I—Initiator has sent initial main mode key exchange to the responder
    • MM_KE_R—Responder has sent a response to the key exchange
    • MM_FINAL_I—Initiator has sent the final packet in the main mode negotiation
    • MM_FINAL_R—Responder has finished main mode negotiation
    • MM_DONE_I—Initiator has finished main mode negotiation
    • DONE—Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages
  • Local Cookie—Unique identifier (SPI) for the local phase 1 IKE SA
  • Remote Cookie—Unique identifier (SPI) for the remote phase 1 IKE SA
• Example

  host1# show ipsec ike-sa
  IKE Phase 1 SA's:
  Local:Port             Remote:Port            Time(Sec) State        Local Cookie       Remote Cookie
  195.0.0.100:500        195.0.0.200:500        1551      DONE         0x90ee723e6cb0c016 0xf7d3651e93d56431
  195.0.0.100:500        195.0.0.200:500        1552      DONE         0x821bccf81dcedbb0 0x35152bdb7a9c734e
  195.0.1.100:500        195.0.1.200:500        1687      DONE         0x1b4fbcebe36d1b16 0xed742166a305a6a0
  195.0.1.100:500        195.0.1.200:500        1687      DONE         0xacf3acd1b3555b6a 0x0af9edbc95622869
  195.0.2.100:500        195.0.2.200:500        1688      DONE         0x3153379b32d8c936 0x17f5d77f9badc3cf
  195.0.2.100:500        195.0.2.200:500        1688      DONE         0x6573dcbc9bf31fae 0x7af8b4d13078b463
  195.0.3.100:500        195.0.3.200:500        1685      DONE         0xdc7df648fcac375a 0x0346752d2881d5c5
  195.0.3.100:500        195.0.3.200:500        1685      DONE         0xe776e9ffb6678635 0x8de857af1c681874
  195.0.4.100:500        195.0.4.200:500        1690      DONE         0x16410d890500e94e 0xbd47831b55e81c27
  

• See show ipsec ike-sa.
• See show ike sa.

show ipsec lifetime

• Use to display the configured IPSec default lifetime.
• Example

  host1#show ipsec lifetime
  Default lifetime in seconds is '7200'.
  Default lifetime in kilobytes is '4294967295'.

• See show ipsec lifetime.

show ipsec local-endpoint

• Use to display the address and transport virtual router of local endpoints.
• To display the local endpoint of a specific transport virtual router, include the virtual router name.
• Example

  host1#show ipsec local-endpoint transport-virtual-router default
  Local endpoint for transport-virtual-router default is '0.0.0.0'. 

• See show ipsec local-endpoint.

show ipsec option

• Use to display the status, enabled or disabled, of IPSec options configured on the current virtual router. Information is displayed for the following options:
  • Dead peer detection (DPD)
  • Network Address Translation Traversal (NAT-T). For information about configuring and monitoring NAT-T on L2TP/IPSec tunnels, see Securing L2TP and IP Tunnels with IPSec .
  • Transmission of invalid cookie notification in ISAKMP messages to peers
• Example

  host1:vrA#show ipsec option
  

  IPsec options:
  Dead Peer Detection: disabled
  NAT Traversal      : enabled
  TX Invalid Cookie  : disabled

• See show ipsec option.

show ipsec transform-set

• Use to display transform sets configured on the router.
• To display a specific transform set, include the transform set name.
• Field descriptions
  • Transform-set—Displays the transforms in the transform set
• Example 1

  host1#show ipsec transform-set
  Transform-set: Highest security = {esp-3des-hmac-sha }.
  Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha }.

• Example 2

  host1#show ipsec transform-set transform-esp-3des-hmac-sha
  Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha}.

• See show ipsec transform-set.

show ipsec tunnel detail

• Use to display the running configuration and statistics for each tunnel.
• Field descriptions
  • IPSEC tunnel—Name and state of tunnel for which information is displayed
  • Tunnel operational configuration—Configuration running on the tunnel
    • Tunnel type—Manual, signaled
    • Tunnel mtu—MTU size of the tunnel
    • Tunnel localEndpoint—IP address of local tunnel endpoint
    • Tunnel remoteEndpoint—IP address of remote tunnel endpoint
    • Tunnel source—IP address or FQDN of tunnel source
    • Tunnel destination—IP address or FQDN of tunnel destination
    • Tunnel backup destination—Alternate tunnel destination
    • Tunnel transport virtual router—Name of transport virtual router over which tunnel runs
    • Tunnel transform set—Tunnel transform set in use on this tunnel
    • Tunnel local identity—IP address of local endpoint identity that ISAKMP uses
    • Tunnel peer identity—IP address of peer endpoint identity that ISAKMP uses
    • Tunnel outbound spi/SA—SPI and SA in use on traffic sent to the tunnel (manual tunnels only)
    • Tunnel inbound spi/SA—SPI and SA in use on traffic received from the tunnel (manual tunnels only)
    • Tunnel lifetime seconds—Configured time-based lifetime in seconds
    • Tunnel lifetime kilobytes—Configured traffic-based lifetime in kilobytes
    • Tunnel pfs—PFS group in use on the tunnel: 0 (PFS is not in use), 1 (768-bit group), 2 (1024-bit group), 5 (1536-bit group)
    • Tunnel administrative state—Up, Down
  • Tunnel Operational Attributes—Displays statistics related to the tunnel lifetime
    • inbound/outboundSpi/SA—SPI in use on traffic received from or sent to the tunnel
    • inbound/outboundSa—SA in use on traffic received from or sent to the tunnel
    • inbound/outbound lifetime allowed—Negotiated time-based lifetime in seconds
    • inbound/outbound lifetime remaining—Number of seconds remaining before time-based lifetime expires
    • inbound/outbound traffic allowed—Negotiated traffic-based lifetime in kilobytes
    • inbound/outbound traffic remaining—Number of additional kilobytes that tunnel can send or receive before traffic-based lifetime expires
  • Tunnel Statistics—Displays statistics on traffic received on and sent from this tunnel
    • InUserPackets—Number of user packets received
    • InUserOctets—Number of octets received from user packets
    • InAccPackets—Number of encapsulated packets received
    • InAccOctets—Number of octets received in encapsulated packets
    • InAuthErrors—Number of authentication errors received
    • InReplayErrors—Number of replay errors in received traffic
    • InPolicyErrors—Number of policy errors in received traffic
    • InOtherRxErrors—Number of packets received that have errors other than those listed above
    • InDecryptErrors—Number of decryption errors in received traffic
    • InPadErrors—Number of packets received that had invalid values after the packet was decrypted
    • OutUserPackets—Number of user packets sent
    • OutUserOctets—Number of octets sent in user packets
    • OutAccPackets—Number of encapsulated packets sent
    • OutAccOctets—Number of octets sent in encapsulated packets
    • OutPolicyErrors—Number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier (selector)
    • OutOtherTxErrors—Number of outbound packets that have errors other than those listed above
• Example

  hostl#show ipsec tunnel detail
  IPSEC tunnel r200000 is Up
  Tunnel configuration:
    Tunnel type is signaled
    Tunnel mtu is 1440
    Tunnel local endpoint is 195.0.0.200
    Tunnel remote endpoint is 195.0.0.100
    Tunnel source is 195.0.0.200
    Tunnel destination is 195.0.0.100
    Tunnel backup destination is 0.0.0.0
    Tunnel transport virtual router is r
    Tunnel transform set is perf
    Tunnel local identity is ipAddress: 4.0.0.100
    Tunnel peer identity is ipAddress: 3.0.0.100
    Tunnel lifetime seconds is 7200
    Tunnel lifetime kilobytes is 1024000
    Tunnel pfs is group 5
    Tunnel administrative state is Up

  Tunnel Operational Attributes:
    inboundSpi  = 0x17270202, inboundSa = esp-3des-hmac-sha
    inbound lifetime: allowed 7200s, remaining 7100s
    inbound traffic: allowed 1024000KB, remaining 1023997KB

    outboundSpi = 0x283b0201,  outboundSa = esp-3des-hmac-sha
    outbound lifetime: allowed 7200s, remaining 7100s
    outbound traffic: allowed 1024000KB, remaining 1023997KB

  Tunnel Statistics:
    InUserPackets           15
    InUserOctets            1920
    InAccPackets            15
    InAccOctets             2760
    InAuthErrors            0
    InReplayErrors          0
    InPolicyErrors          0
    InOtherRxErrors         0
    InDecryptErrors         0
    InPadErrors             0

    OutUserPackets          15
    OutUserOctets           1920
    OutAccPackets           15
    OutAccOctets            2760
    OutPolicyErrors         0
    OutOtherTxErrors        0

• See show ipsec tunnel.

show ipsec tunnel summary

• Use to display a summary of all tunnels configured on the router.
• Field descriptions
  • Total number of ipsec interface—Number of tunnels configured on the router
  • Administrative status—Number of tunnels with an administrative status of enabled and disabled
  • Operational status—Number of tunnels with an operational status of up, down, lower layer down, not present
• Example

  host1#show ipsec tunnel summary
  Total number of ipsec interface is 40
  Administrative status    enabled    disabled
                           40         0
  Operational status  up         down       lower-down  not-present
                       40         0          0           0         

• See show ipsec tunnel.

show ipsec tunnel virtual-router

• Use to display the status of tunnels configured on a virtual router.
• To display only tunnels that are in a specific state, use the state keyword.
• To display tunnels that are using a particular IP address, use the ip keyword.
• Field descriptions
  • For a description of fields, see the show ipsec tunnel detail command.
• Example

  host1#show ipsec tunnel virtual-router default ip 10.255.1.13
  IPSEC tunnel s0l1e3d0 is up
  IPSEC tunnel s0l1e3d1 is up
  IPSEC tunnel s0l2e3d0 is up
  IPSEC tunnel s0l2e3d1 is up
  IPSEC tunnel s0l3e3d0 is up
  IPSEC tunnel s0l4e3d0 is up
  IPSEC tunnel s0l4e3d1 is up
  IPSEC tunnel s0l5e3d0 is up

• See show ipsec tunnel.

show license ipsec-tunnels

• Use to display the IPSec license key configured on the router and the number of tunnels allowed on the router.
• Example

  host1#show license ipsec-tunnels
  ipsec-tunnels license is 'g1k23b23eb2j' which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards.

• See show license.