Router 3

To verify that the IPSec security association is active, issue the show services ipsec-vpn ipsec security-associations detail command. To be successful, the SA on Router 3 must contain the same settings you specified on Router 2.

user@R3> show services ipsec-vpn ipsec security-associations detail

Service set: service-set-manual-BiEspshades

  Rule: rule-manual-SA-BiEspshades, Term: term-manual-SA-BiEspshades,

  Tunnel index: 1

  Local gateway: 10.1.15.2, Remote gateway: 10.1.15.1

  Local identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/8)

  Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)

    Direction: inbound, SPI: 261, AUX-SPI: 0

    Mode: tunnel, Type: manual, State: Installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc

    Anti-replay service: Disabled

    Direction: outbound, SPI: 261, AUX-SPI: 0

    Mode: tunnel, Type: manual, State: Installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc

    Anti-replay service: Disabled

To verify that traffic is traveling over the bidirectional IPSec tunnel, issue the show services ipsec-vpn statistics command:

user@R3> show services ipsec-vpn ipsec statistics

PIC: sp-1/2/0, Service set: service-set-manual-BiEspshades

ESP Statistics:

  Encrypted bytes:             1560

  Decrypted bytes:             1616

  Encrypted packets:             19

  Decrypted packets:             20

AH Statistics:

  Input bytes:                    0

  Output bytes:                   0

  Input packets:                  0

  Output packets:                 0

Errors:

  AH authentication failures: 0, Replay errors: 0

  ESP authentication failures: 0, ESP decryption failures: 0

  Bad headers: 0, Bad trailers: 0