Example: Configuring OCSP for Certificate Revocation Status

This example shows how to configure two peers using the Online Certificate Status Protocol (OCSP) to check the revocation status of the certificates used in Phase 1 negotiations for the IPsec VPN tunnel.

Requirements

On each device:

Overview

On both peers, a certificate authority (CA) profile OCSP-ROOT is configured with the following options:

Table 8 shows the Phase 1 options used in this example.

Table 8: Phase 1 Options for OCSP Configuration Example

Option                      Peer A                         Peer B
IKE proposal                ike_prop                       ike_prop
  Authentication method     RSA signatures                 RSA signatures
  DH group                  group2                         group2
  Authentication algorithm  SHA 1                          SHA 1
  Encryption algorithm      3DES CBC                       3DES CBC
IKE policy                  ike_policy                     ike_policy
  Mode                      aggressive                     aggressive
  Proposal                  ike_prop                       ike_prop
  Certificate               local-certificate localcert1   local-certificate localcert1
IKE gateway                 jsr_gateway                    jsr_gateway
  Policy                    ike_policy                     ike_policy
  Gateway address           101.10.2.50                    100.10.1.50
  Remote identity           localcert11.juniper.net        -
  Local identity            -                              localcert11.juniper.net
  External interface        reth1                          ge-0/0/2.0
  Version                   v2                             v2

Table 9 shows the Phase 2 options used in this example.

Table 9: Phase 2 Options for OCSP Configuration Example

Option                      Peer A          Peer B
IPsec proposal              ipsec_prop      ipsec_prop
  Protocol                  ESP             ESP
  Authentication algorithm  HMAC SHA1-96    HMAC SHA1-96
  Encryption algorithm      3DES CBC        3DES CBC
  Lifetime seconds          1200            1200
  Lifetime kilobytes        150,000         150,000
IPsec policy                ipsec_policy    ipsec_policy
  PFS keys                  group2          group2
  Proposal                  ipsec_prop      ipsec_prop
VPN                         test_vpn        test_vpn
  Bind interface            st0.1           st0.1
  IKE gateway               jsr_gateway     jsr_gateway
  Policy                    ipsec_policy    ipsec_policy
  Establish tunnels         -               immediately

Figure 1 shows the peer devices that are configured in this example.

Figure 1: OCSP Configuration Example


Configuration

Configuring Peer A

CLI Quick Configuration

To quickly configure VPN peer A to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/3 gigether-options redundant-parent reth1
set interfaces ge-9/0/3 gigether-options redundant-parent reth1
set interfaces lo0 unit 0 family inet address 100.100.1.100/24
set interfaces lo0 redundant-pseudo-interface-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 100.10.1.50/24
set interfaces st0 unit 1 family inet address 202.2.1.100/24
set security pki ca-profile OCSP-ROOT ca-identity OCSP-ROOT
set security pki ca-profile OCSP-ROOT enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
set security pki ca-profile OCSP-ROOT revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
set security pki ca-profile OCSP-ROOT revocation-check use-ocsp
set security pki ca-profile OCSP-ROOT revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl
set security pki ca-profile OCSP-ROOT revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
set security ike proposal ike_prop authentication-method rsa-signatures
set security ike proposal ike_prop dh-group group2
set security ike proposal ike_prop authentication-algorithm sha1
set security ike proposal ike_prop encryption-algorithm 3des-cbc
set security ike policy ike_policy mode aggressive
set security ike policy ike_policy proposals ike_prop
set security ike policy ike_policy certificate local-certificate localcert1
set security ike gateway jsr_gateway ike-policy ike_policy
set security ike gateway jsr_gateway address 101.10.2.50
set security ike gateway jsr_gateway remote-identity hostname localcert11.juniper.net
set security ike gateway jsr_gateway external-interface reth1
set security ike gateway jsr_gateway version v2-only
set security ipsec proposal ipsec_prop protocol esp
set security ipsec proposal ipsec_prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_prop lifetime-seconds 1200
set security ipsec proposal ipsec_prop lifetime-kilobytes 150000
set security ipsec policy ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec_policy proposals ipsec_prop
set security ipsec vpn test_vpn bind-interface st0.1
set security ipsec vpn test_vpn ike gateway jsr_gateway
set security ipsec vpn test_vpn ike ipsec-policy ipsec_policy

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer A to use OCSP:

  1. Configure interfaces.
     [edit interfaces]
     set ge-0/0/3 gigether-options redundant-parent reth1
     set ge-9/0/3 gigether-options redundant-parent reth1
     set lo0 unit 0 family inet address 100.100.1.100/24
     set lo0 redundant-pseudo-interface-options redundancy-group 1
     set reth1 redundant-ether-options redundancy-group 1
     set reth1 unit 0 family inet address 100.10.1.50/24
     set st0 unit 1 family inet address 202.2.1.100/24
  2. Configure the CA profile.
     [edit security pki ca-profile OCSP-ROOT]
     set ca-identity OCSP-ROOT
     set enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
     set revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
     set revocation-check use-ocsp
     set revocation-check ocsp disable-responder-revocation-check
     set revocation-check ocsp connection-failure fallback-crl
     set revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
  3. Configure Phase 1 options.
     [edit security ike proposal ike_prop]
     set authentication-method rsa-signatures
     set dh-group group2
     set authentication-algorithm sha1
     set encryption-algorithm 3des-cbc
     [edit security ike policy ike_policy]
     set mode aggressive
     set proposals ike_prop
     set certificate local-certificate localcert1
     [edit security ike gateway jsr_gateway]
     set ike-policy ike_policy
     set address 101.10.2.50
     set remote-identity hostname localcert11.juniper.net
     set external-interface reth1
     set version v2-only
  4. Configure Phase 2 options.
     [edit security ipsec proposal ipsec_prop]
     set protocol esp
     set authentication-algorithm hmac-sha1-96
     set encryption-algorithm 3des-cbc
     set lifetime-seconds 1200
     set lifetime-kilobytes 150000
     [edit security ipsec policy ipsec_policy]
     set perfect-forward-secrecy keys group2
     set proposals ipsec_prop
     [edit security ipsec vpn test_vpn]
     set bind-interface st0.1
     set ike gateway jsr_gateway
     set ike ipsec-policy ipsec_policy

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile OCSP-ROOT, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces
ge-0/0/3 {
    gigether-options {
        redundant-parent reth1;
    }
}
ge-9/0/3 {
    gigether-options {
        redundant-parent reth1;
    }
}
lo0 {
    unit 0 {
        family inet {
            address 100.100.1.100/24;
        }
    }
    redundant-pseudo-interface-options {
        redundancy-group 1;
    }
}
reth1 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 100.10.1.50/24;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 202.2.1.100/24;
        }
    }
}
[edit]
user@host# show security pki ca-profile OCSP-ROOT
ca-identity OCSP-ROOT;
enrollment {
    url http://1.1.1.1:8080/scep/OCSP-ROOT/;
}
revocation-check {
    crl {
        url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45;
    }
    ocsp {
        disable-responder-revocation-check;
        url http://10.157.88.56:8210/OCSP-ROOT/;
    }
    use-ocsp;
}
[edit]
user@host# show security ike
proposal ike_prop {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike_policy {
    mode aggressive;
    proposals ike_prop;
    certificate {
        local-certificate localcert1;
    }
}
gateway jsr_gateway {
    ike-policy ike_policy;
    address 101.10.2.50;
    remote-identity hostname localcert11.juniper.net;
    external-interface reth1;
    version v2-only;
}
[edit]
user@host# show security ipsec
proposal ipsec_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 1200;
    lifetime-kilobytes 150000;
}
policy ipsec_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec_prop;
}
vpn test_vpn {
    bind-interface st0.1;
    ike {
        gateway jsr_gateway;
        ipsec-policy ipsec_policy;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Configuring Peer B

CLI Quick Configuration

To quickly configure VPN peer B to use OCSP, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/2 unit 0 family inet address 101.10.2.50/24
set interfaces lo0 unit 0 family inet address 102.100.1.100/24
set interfaces st0 unit 1 family inet address 202.2.1.1/24
set security pki ca-profile OCSP-ROOT ca-identity OCSP-ROOT
set security pki ca-profile OCSP-ROOT enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
set security pki ca-profile OCSP-ROOT revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
set security pki ca-profile OCSP-ROOT revocation-check use-ocsp
set security pki ca-profile OCSP-ROOT revocation-check ocsp disable-responder-revocation-check
set security pki ca-profile OCSP-ROOT revocation-check ocsp connection-failure fallback-crl
set security pki ca-profile OCSP-ROOT revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
set security ike proposal ike_prop authentication-method rsa-signatures
set security ike proposal ike_prop dh-group group2
set security ike proposal ike_prop authentication-algorithm sha1
set security ike proposal ike_prop encryption-algorithm 3des-cbc
set security ike policy ike_policy mode aggressive
set security ike policy ike_policy proposals ike_prop
set security ike policy ike_policy certificate local-certificate localcert11
set security ike gateway jsr_gateway ike-policy ike_policy
set security ike gateway jsr_gateway address 100.10.1.50
set security ike gateway jsr_gateway local-identity hostname localcert11.juniper.net
set security ike gateway jsr_gateway external-interface ge-0/0/2.0
set security ike gateway jsr_gateway version v2-only
set security ipsec proposal ipsec_prop protocol esp
set security ipsec proposal ipsec_prop authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec_prop encryption-algorithm 3des-cbc
set security ipsec proposal ipsec_prop lifetime-seconds 1200
set security ipsec proposal ipsec_prop lifetime-kilobytes 150000
set security ipsec policy ipsec_policy perfect-forward-secrecy keys group2
set security ipsec policy ipsec_policy proposals ipsec_prop
set security ipsec vpn test_vpn bind-interface st0.1
set security ipsec vpn test_vpn ike gateway jsr_gateway
set security ipsec vpn test_vpn ike ipsec-policy ipsec_policy
set security ipsec vpn test_vpn establish-tunnels immediately

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure VPN peer B to use OCSP:

  1. Configure interfaces.
     [edit interfaces]
     set ge-0/0/2 unit 0 family inet address 101.10.2.50/24
     set lo0 unit 0 family inet address 102.100.1.100/24
     set st0 unit 1 family inet address 202.2.1.1/24
  2. Configure the CA profile.
     [edit security pki ca-profile OCSP-ROOT]
     set ca-identity OCSP-ROOT
     set enrollment url http://1.1.1.1:8080/scep/OCSP-ROOT/
     set revocation-check ocsp url http://10.157.88.56:8210/OCSP-ROOT/
     set revocation-check use-ocsp
     set revocation-check ocsp disable-responder-revocation-check
     set revocation-check ocsp connection-failure fallback-crl
     set revocation-check crl url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45
  3. Configure Phase 1 options.
     [edit security ike proposal ike_prop]
     set authentication-method rsa-signatures
     set dh-group group2
     set authentication-algorithm sha1
     set encryption-algorithm 3des-cbc
     [edit security ike policy ike_policy]
     set mode aggressive
     set proposals ike_prop
     set certificate local-certificate localcert1
     [edit security ike gateway jsr_gateway]
     set ike-policy ike_policy
     set address 100.10.1.50
     set local-identity hostname localcert11.juniper.net
     set external-interface ge-0/0/2.0
     set version v2-only
  4. Configure Phase 2 options.
     [edit security ipsec proposal ipsec_prop]
     set protocol esp
     set authentication-algorithm hmac-sha1-96
     set encryption-algorithm 3des-cbc
     set lifetime-seconds 1200
     set lifetime-kilobytes 150000
     [edit security ipsec policy ipsec_policy]
     set perfect-forward-secrecy keys group2
     set proposals ipsec_prop
     [edit security ipsec vpn test_vpn]
     set bind-interface st0.1
     set ike gateway jsr_gateway
     set ike ipsec-policy ipsec_policy
     set establish-tunnels immediately

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security pki ca-profile OCSP-ROOT, show security ike, and show security ipsec commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces
ge-0/0/2 {
    unit 0 {
        family inet {
            address 101.10.2.50/24;
        }
    }
}
lo0 {
    unit 0 {
        family inet {
            address 102.100.1.100/24;
        }
    }
}
st0 {
    unit 1 {
        family inet {
            address 202.2.1.1/24;
        }
    }
}
[edit]
user@host# show security pki ca-profile OCSP-ROOT
ca-identity OCSP-ROOT;
enrollment {
    url http://1.1.1.1:8080/scep/OCSP-ROOT/;
}
revocation-check {
    crl {
        url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45;
    }
    ocsp {
        disable-responder-revocation-check;
        url http://10.157.88.56:8210/OCSP-ROOT/;
    }
    use-ocsp;
}
[edit]
user@host# show security ike
proposal ike_prop {
    authentication-method rsa-signatures;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm 3des-cbc;
}
policy ike_policy {
    mode aggressive;
    proposals ike_prop;
    certificate {
        local-certificate localcert11;
    }
}
gateway jsr_gateway {
    ike-policy ike_policy;
    address 100.10.1.50;
    local-identity hostname localcert11.juniper.net;
    external-interface ge-0/0/2.0;
    version v2-only;
}
[edit]
user@host# show security ipsec
proposal ipsec_prop {
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 1200;
    lifetime-kilobytes 150000;
}
policy ipsec_policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals ipsec_prop;
}
vpn test_vpn {
    bind-interface st0.1;
    ike {
        gateway jsr_gateway;
        ipsec-policy ipsec_policy;
    }
    establish-tunnels immediately;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying CA Certificates

Purpose

Verify the validity of a CA certificate on each peer device.

Action

From operational mode, enter the show security pki ca-certificate ca-profile OCSP-ROOT or show security pki ca-certificate ca-profile OCSP-ROOT detail command.

user@host> show security pki ca-certificate ca-profile OCSP-ROOT
Certificate identifier: OCSP-ROOT
  Issued to: OCSP-ROOT, Issued by: C = US, O = Juniper, CN = OCSP-ROOT
  Validity:
    Not before: 11-15-2013 22:26 UTC
    Not after: 11-14-2016 22:26 UTC
  Public key algorithm: rsaEncryption(2048 bits)
user@host> show security pki ca-certificate ca-profile OCSP-ROOT detail
Certificate identifier: OCSP-ROOT
  Certificate version: 3
  Serial number: 0000a17f
  Issuer:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject string: 
    C=US, O=Juniper, CN=OCSP-ROOT
  Validity:
    Not before: 11-15-2013 22:26 UTC
    Not after: 11-14-2016 22:26 UTC
  Public key algorithm: rsaEncryption(2048 bits)
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL: 
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP: 
    http://1.1.1.1:8090/OCSP-ROOT/
  Use for key: CRL signing, Certificate signing, Key encipherment, Digital signature
  Fingerprint:
    ed:ce:ec:13:1a:d2:ab:0a:76:e5:26:6d:2c:29:5d:49:90:57:f9:41 (sha1)
    af:87:07:69:f0:3e:f7:c6:b8:2c:f8:df:0b:ae:b0:28 (md5)

In this example, IP addresses are used in the URLs in the CA profile configuration. If IP addresses are not used with CA-issued certificates or CA certificates, DNS must be configured in the device’s configuration. DNS must be able to resolve the host in the distribution CRL and in the CA URL in the CA profile configuration. Additionally, you must have network reachability to the same host to receive revocation checks.
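As an added example that is not part of this Juniper documentation, the following Python script parses the revocation-check stanza and the certificate detail output shown above, summarises the revocation policy the device will apply (OCSP first, CRL on responder connection failure, responder certificate not revocation-checked), and lists the endpoint hosts that must be resolvable and reachable. The sample outputs are constructed from this example, and the script assumes that a URL configured in the CA profile takes precedence over the URL embedded in the certificate.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: this example's revocation-check stanza, with the connection-failure statement included.
CA_PROFILE_OUTPUT = """\
revocation-check {
    crl {
        url http://1.1.1.1:8080/crl-as-der/currentcrl-45.crlid=45;
    }
    ocsp {
        disable-responder-revocation-check;
        url http://10.157.88.56:8210/OCSP-ROOT/;
        connection-failure fallback-crl;
    }
    use-ocsp;
}
"""
# Constructed sample: the extension lines from "show security pki ca-certificate ... detail".
CERT_DETAIL_OUTPUT = """\
  Distribution CRL:
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP:
    http://1.1.1.1:8090/OCSP-ROOT/
"""

def parse_junos(text):
    """Turn Junos curly-brace display output into nested dicts; bare flags map to True."""
    root = cur = {}
    stack = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("{"):
            stack.append(cur)
            cur[line[:-1].strip()] = cur = {}  # open a child block and descend into it
        elif line == "}":
            cur = stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].partition(" ")
            cur[key] = value or True
    return root

def revocation_policy(profile):
    """What the revocation-check stanza makes the device do when validating a peer certificate."""
    rc = profile.get("revocation-check", {})
    ocsp, crl = rc.get("ocsp", {}), rc.get("crl", {})
    return {"primary": "ocsp" if rc.get("use-ocsp") is True else "crl",
            "ocsp_url": ocsp.get("url"), "crl_url": crl.get("url"),
            "on_ocsp_connection_failure": ocsp.get("connection-failure"),
            "responder_cert_revocation_checked": "disable-responder-revocation-check" not in ocsp}

def cert_endpoints(detail):
    """CRL distribution point and AIA OCSP URL embedded in the certificate."""
    labels = {"crl": "Distribution CRL", "ocsp": "Authority Information Access OCSP"}
    hits = {k: re.search(re.escape(v) + r":\s*\n\s*(\S+)", detail) for k, v in labels.items()}
    return {k: m.group(1) for k, m in hits.items() if m}

def needs_dns(url):
    """True when the URL host is a name the device must resolve, False for an IP literal."""
    try:
        ip_address(urlparse(url).hostname or "")
        return False
    except ValueError:
        return True

def revocation_endpoints(profile_text, cert_text):
    """Hosts the device will contact for revocation data and whether each needs DNS.
    Assumption: a URL configured in the CA profile takes precedence over the certificate's."""
    policy, cert = revocation_policy(parse_junos(profile_text)), cert_endpoints(cert_text)
    chosen = {"ocsp": policy["ocsp_url"] or cert.get("ocsp"),
              "crl": policy["crl_url"] or cert.get("crl")}
    return {k: {"url": u, "needs_dns": needs_dns(u)} for k, u in chosen.items() if u}
```

Run `revocation_endpoints(CA_PROFILE_OUTPUT, CERT_DETAIL_OUTPUT)` to see that both endpoints in this example are IP literals, so no DNS is required, and that the configured OCSP URL (not the AIA URL) is the one contacted.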

Verifying Local Certificates

Purpose

Verify the validity of a local certificate on each peer device.

Action

From operational mode, enter the show security pki local-certificate certificate-id localcert1 detail command.

user@host> show security pki local-certificate certificate-id localcert1 detail
Certificate identifier: localcert1
  Certificate version: 3
  Serial number: 013e3f1d
  Issuer:
    Organization: Juniper, Country: US, Common name: OCSP-ROOT
  Subject:
    Organization: juniper1, Organizational unit: sltqa1, State: california1, Locality: sunnyvale1, Common name: localcert1, Domain component: domain_component1
  Subject string: 
    DC=domain_component1, CN=localcert1, OU=sltqa1, O=juniper1, L=sunnyvale1, ST=california1, C=us1
  Alternate subject: "localcert1@juniper.net", localcert1.juniper.net, 100.10.1.50
  Validity:
    Not before: 01-28-2014 22:23 UTC
    Not after: 03-29-2014 22:53 UTC
  Public key algorithm: rsaEncryption(1024 bits)
  Signature algorithm: sha1WithRSAEncryption
  Distribution CRL: 
    http://1.1.1.1:8080/crl-as-der/currentcrl-45.crl?id=45
  Authority Information Access OCSP: 
    http://1.1.1.1/:8090/OCSP-ROOT/
  Fingerprint:
    00:c6:56:64:ad:e3:ce:8e:26:6b:df:17:1e:de:fc:14:a4:bb:8c:e4 (sha1)
    7f:43:c6:ed:e4:b3:7a:4f:9a:8c:0b:61:95:01:c9:52 (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started

Verifying IKE Phase 1 Status

Purpose

Verify the IKE Phase 1 status on each peer device.

Action

From operational mode, enter the show security ike security-associations command.

user@host> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
6534660 UP     3e62e05abd6a703f  c552b238e8a26668  IKEv2          101.10.2.50     

From operational mode, enter the show security ike security-associations detail command.

user@host> show security ike security-associations detail
IKE peer 101.10.2.50, Index 6534660, Gateway Name: jsr_gateway
  Role: Responder, State: UP
  Initiator cookie: 3e62e05abd6a703f, Responder cookie: c552b238e8a26668
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 100.10.1.50:500, Remote: 101.10.2.50:500
  Lifetime: Expires in 26906 seconds
  Peer ike-id: localcert11.juniper.net
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 2152
   Output bytes  :                 2097
   Input  packets:                    4
   Output packets:                    4
  Flags: IKE SA is created 
  IPSec security associations: 4 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 100.10.1.50:500, Remote: 101.10.2.50:500
    Local identity: 100.10.1.50
    Remote identity: localcert11.juniper.net
    Flags: IKE SA is created

Verifying IPsec Phase 2 Status

Purpose

Verify the IPsec Phase 2 status on each peer device.

Action

From operational mode, enter the show security ipsec security-associations command.

user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:3des/sha1 9d1066e2 252/   150000 -   root 500   101.10.2.50     
  >131073 ESP:3des/sha1 82079c2c 252/   150000 -   root 500   101.10.2.50     

From operational mode, enter the show security ipsec security-associations detail command.

user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: test_vpn
  Local Gateway: 100.10.1.50, Remote Gateway: 101.10.2.50
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.1

  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 
  Last Tunnel Down Reason: Delete payload received
    Direction: inbound, SPI: 9d1066e2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 249 seconds
    Lifesize Remaining:  150000 kilobytes
    Soft lifetime: Expires in 10 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 82079c2c, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 249 seconds
    Lifesize Remaining:  150000 kilobytes
    Soft lifetime: Expires in 10 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
