[Contents] [Prev] [Next] [Index] [Report an Error]

Router 2

Another way to verify that matched traffic is being diverted to the bidirectional IPSec tunnel is to view the firewall filter counter. After you issue the ping command from Router 1 (seven packets), the es-traffic firewall filter counter looks like this:

user@R2> show firewall filter es-traffic

Filter: es-traffic

Counters:

Name                                                Bytes              Packets

ipsec-tunnel                                          588                    7

After you issue the ping command from both Router 1 (seven packets) and Router 4 (five packets), the es-traffic firewall filter counter looks like this:

user@R2> show firewall filter es-traffic

Filter: es-traffic

Counters:

Name                                                Bytes              Packets

ipsec-tunnel                                         1008                   12

To verify that the IKE SA negotiation between Routers 2 and 3 is successful, issue the show ike security-associations detail command. Notice that the SA contains the settings you specified, such as SHA-1 for the authentication algorithm and 3DES-CBC for the encryption algorithm.

user@R2> show ike security-associations detail

IKE peer 10.1.15.2

  Role: Initiator, State: Matured

  Initiator cookie: b5dbdfe2f9000000, Responder cookie: a24c868410000041

  Exchange type: Main, Authentication method: Pre-shared-keys

  Local: 10.1.15.1:500, Remote: 10.1.15.2:500

  Lifetime: Expires in 401 seconds

  Algorithms:

   Authentication        : sha1 

   Encryption            : 3des-cbc

   Pseudo random function: hmac-sha1

  Traffic statistics:

   Input  bytes  :                 1736

   Output bytes  :                 2652

   Input  packets:                    9

   Output packets:                   15

  Flags: Caller notification sent 

  IPSec security associations: 3 created, 0 deleted

  Phase 2 negotiations in progress: 0

To verify that the IPSec security association is active, issue the show ipsec security-associations detail command. Notice that the SA contains the settings you specified, such as ESP for the protocol, HMAC-SHA1-96 for the authentication algorithm, and 3DES-CBC for the encryption algorithm.

user@R2> show ipsec security-associations detail

Security association: sa-dynamic, Interface family: Up



  Local gateway: 10.1.15.1, Remote gateway: 10.1.15.2

  Local identity: ipv4_subnet(any:0,[0..7]=10.1.12.0/24)

  Remote identity: ipv4_subnet(any:0,[0..7]=10.1.56.0/24)



    Direction: inbound, SPI: 2133029543, AUX-SPI: 0

    Mode: tunnel, Type: dynamic, State: Installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc

    Soft lifetime: Expires in 26212 seconds

    Hard lifetime: Expires in 26347 seconds

    Anti-replay service: Disabled



    Direction: outbound, SPI: 1759450863, AUX-SPI: 0

    Mode: tunnel, Type: dynamic, State: Installed

    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc

    Soft lifetime: Expires in 26212 seconds

    Hard lifetime: Expires in 26347 seconds

    Anti-replay service: Disabled
[Contents] [Prev] [Next] [Index] [Report an Error]