IKE peer
|
Remote end of the IKE negotiation.
|
detail
|
Role
|
Part played in the IKE session.
The router triggering the IKE negotiation is the initiator, and the
router accepting the first IKE exchange packets is the responder.
|
detail
|
Remote Address
|
Address of the remote IKE peer (the responder's address when the local
router initiated the negotiation).
|
none specified
|
State
|
State of the IKE security association:
- Matured—IKE security association is established.
- Not matured—The IKE security association
is in the process of negotiation.
|
none specified
|
Initiator cookie
|
8-octet value that the initiator generates when the IKE negotiation is
triggered and sends to the remote node in the ISAKMP header. Both cookies
are carried in the header of every subsequent message of the negotiation.
|
All levels
|
Responder cookie
|
The remote node generates its own 8-octet random value and returns it to
the initiator as confirmation that the first message was received.
Of the numerous security services available, protection against
denial of service (DoS) is one of the most difficult to address. A
“cookie” or anticlogging token (ACT) is aimed at protecting
the responder's computing resources from attack without spending
excessive CPU resources to determine the cookie's authenticity: an echoed
cookie can be checked cheaply, and the exchange takes place before the
CPU-intensive public key (Diffie-Hellman) operations. This thwarts some
DoS attempts, such as simple flooding from spoofed IP source addresses,
because a spoofed initiator never receives the responder cookie it must
echo in its next message. It does not stop an attacker who sends from
real, reachable addresses, so the cookie is a first line of defense rather
than a complete one.
|
All levels
|
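The following is an added model of the anticlogging mechanism described above; it is example code, not Junos software. It assumes that the responder derives its cookie with a keyed hash over the initiator's claimed address, port and initiator cookie (the `Responder`, `make_cookie`, `on_message1` and `on_message3` names are this example's own), so it keeps no per-peer state and does no Diffie-Hellman work until the cookie comes back in message 3. The flood, the honest peer and the two bogus cookies are constructed inputs.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative model of the IKE anticlogging cookie (example code, not Junos).
# Assumption: the responder's cookie is a keyed hash over the initiator's
# address, port and cookie, so verifying it costs one HMAC and no stored state.

COOKIE_LEN = 8  # ISAKMP cookies are 8 octets


class Responder:
    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)  # rotate periodically in practice
        self.dh_operations = 0  # expensive public-key operations performed

    def make_cookie(self, src_ip: str, src_port: int, cky_i: bytes) -> bytes:
        """Stateless cookie bound to the claimed source and the initiator cookie."""
        msg = src_ip.encode() + src_port.to_bytes(2, "big") + cky_i
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def on_message1(self, src_ip: str, src_port: int, cky_i: bytes) -> bytes:
        """Message 1 (SA proposal) arrived: answer with message 2 carrying our cookie.
        Nothing is stored and no DH is done; a spoofed source never receives this."""
        return self.make_cookie(src_ip, src_port, cky_i)

    def on_message3(self, src_ip: str, src_port: int, cky_i: bytes, cky_r: bytes) -> bool:
        """Message 3 (KE, nonce) arrived: verify the echoed cookie before any DH."""
        expected = self.make_cookie(src_ip, src_port, cky_i)
        if not hmac.compare_digest(expected, cky_r):
            return False  # guessed, replayed from another address, or stale: drop
        self.dh_operations += 1  # only a reachable initiator makes us pay for DH
        return True


def simulate() -> dict:
    """Constructed scenario: a spoofed flood, one honest peer, two bogus cookies."""
    r = Responder()
    for i in range(1000):  # flood from spoofed, unreachable sources that never echo
        r.on_message1(f"203.0.113.{i % 250 + 1}", 500, os.urandom(COOKIE_LEN))
    flood_dh = r.dh_operations

    cky_i = os.urandom(COOKIE_LEN)
    cky_r = r.on_message1("198.51.100.7", 500, cky_i)
    honest = r.on_message3("198.51.100.7", 500, cky_i, cky_r)
    guessed = r.on_message3("198.51.100.9", 500, cky_i, os.urandom(COOKIE_LEN))
    replayed = r.on_message3("198.51.100.8", 500, cky_i, cky_r)  # valid cookie, wrong source
    return {
        "flood_dh": flood_dh,
        "honest_ok": honest,
        "guessed_ok": guessed,
        "replayed_ok": replayed,
        "total_dh": r.dh_operations,
    }


if __name__ == "__main__":
    print(simulate())
```

The flood of a thousand spoofed initiations costs the responder a thousand HMACs and zero Diffie-Hellman operations; only the peer that can actually receive message 2 and echo the cookie reaches the expensive step, and a cookie issued to one address is useless from another.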
Exchange type
|
Specifies the number of messages
in an IKE exchange and the payload types that are contained in each
message. Each exchange type provides a particular set of security
services, such as anonymity of the participants, perfect forward secrecy
of the keying material, and authentication of the participants. JUNOS
Software supports two types of exchanges:
- Main—The exchange is done with six messages. The identity payloads (messages 5 and 6) are sent only after the Diffie-Hellman exchange and are encrypted, protecting the identity of the neighbor from an observer.
- Aggressive—The exchange is done with three
messages. The identities are sent in the clear in the first two messages, leaving
the identity of the neighbor unprotected. With pre-shared-key authentication the
responder's authentication hash is also sent unencrypted, so anyone who can observe
the exchange can attempt an offline dictionary attack on the pre-shared key.
|
All levels
|
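To see where the cookies, the exchange type and the phase 2 message ID actually live on the wire, the following is an added parser for the fixed ISAKMP header (RFC 2408 section 3.1); it is example code, not Junos software. The sample packets are constructed, carry only the 28-byte header in place of a real UDP/500 capture, and the `parse_isakmp_header` and `identity_in_clear` names are this example's own.

```python
import struct

# Fixed ISAKMP (IKEv1) header, RFC 2408 section 3.1, 28 octets (example code, not Junos):
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4)
HEADER = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    1: "base",
    2: "main",  # identity protection
    3: "authentication only",
    4: "aggressive",
    5: "informational",
    32: "quick mode",  # phase 2
    33: "new group mode",
}
FLAG_ENCRYPTION = 0x01  # payloads after the header are encrypted
FLAG_COMMIT = 0x02
FLAG_AUTH_ONLY = 0x04


def parse_isakmp_header(pkt: bytes) -> dict:
    if len(pkt) < HEADER.size:
        raise ValueError("truncated ISAKMP header")
    cky_i, cky_r, next_payload, version, xchg, flags, msg_id, length = HEADER.unpack_from(pkt)
    if length > len(pkt):
        raise ValueError("length field exceeds packet")
    return {
        "initiator_cookie": cky_i.hex(),
        "responder_cookie": cky_r.hex(),
        "version": f"{version >> 4}.{version & 0xF}",
        "next_payload": next_payload,
        "exchange": EXCHANGE_TYPES.get(xchg, f"unknown ({xchg})"),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msg_id,
        # message 1 of a negotiation: the responder cookie is still all zeros
        "first_message": cky_r == bytes(8),
        # phase 1 exchanges use message ID 0; quick mode carries a fresh nonzero ID
        "phase": 1 if msg_id == 0 else 2,
        "length": length,
    }


def identity_in_clear(hdr: dict) -> bool:
    """True for aggressive mode messages sent before encryption is enabled."""
    return hdr["exchange"] == "aggressive" and not hdr["encrypted"]


def _pkt(cky_i: bytes, cky_r: bytes, xchg: int, flags: int, msg_id: int, next_payload: int) -> bytes:
    """Constructed header-only packet; version 0x10 is IKEv1 (major 1, minor 0)."""
    return HEADER.pack(cky_i, cky_r, next_payload, 0x10, xchg, flags, msg_id, HEADER.size)


CKY_I = bytes.fromhex("1a2b3c4d5e6f7081")  # constructed
CKY_R = bytes.fromhex("91a2b3c4d5e6f708")  # constructed
SAMPLES = {
    "main_msg1": _pkt(CKY_I, bytes(8), 2, 0, 0, 1),              # SA payload, responder cookie unset
    "main_msg5": _pkt(CKY_I, CKY_R, 2, FLAG_ENCRYPTION, 0, 5),   # ID payload, encrypted
    "aggr_msg1": _pkt(CKY_I, bytes(8), 4, 0, 0, 1),              # SA/KE/nonce/ID in the clear
    "quick_msg1": _pkt(CKY_I, CKY_R, 32, FLAG_ENCRYPTION, 0x8F1E2D3C, 8),  # HASH payload first
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        h = parse_isakmp_header(pkt)
        print(f"{name:10} phase {h['phase']} {h['exchange']:10} "
              f"encrypted={h['encrypted']} identity_in_clear={identity_in_clear(h)}")
```

Run over a capture, the same checks separate phase 1 from phase 2 traffic by message ID, spot negotiations whose responder cookie never becomes nonzero (the peer never answered), and flag aggressive mode exchanges whose identity payload travelled unencrypted.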
Authentication method
|
Type of authentication determines
which payloads are exchanged and when they are exchanged. The JUNOS
Software supports only pre-shared keys.
|
detail
|
Local
|
Prefix and port number of the local
end.
|
detail
|
Remote
|
Prefix and port number of the remote
end.
|
detail
|
Lifetime
|
Number of seconds remaining until
the IKE security association expires.
|
detail
|
Algorithms
|
Header for the IKE algorithms output.
- Authentication—(detail output
only) Hash algorithm used for the IKE integrity check and hash payloads: md5 or sha1.
- Encryption—(detail output only)
Cipher used to protect the IKE messages: des-cbc, 3des-cbc, or None.
des-cbc (56-bit key) and md5 are obsolete and should not be used where the
peer permits 3des-cbc and sha1.
- Pseudo random function—Keyed function from which the IKE keying
material (SKEYID and the keys derived from it) is computed over the
pre-shared key, the nonces, the Diffie-Hellman secret, and the cookies:
hmac-md5 or hmac-sha1. Its output is deterministic for a given key and
input; the unpredictability comes from the secret key and the nonces, not
from the function itself.
|
detail
|
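The following added example carries the pseudo random function through the IKEv1 phase 1 key derivation for pre-shared-key authentication, following RFC 2409 sections 5 and 5.4 and appendix B; it is illustrative code, not Junos software. The pre-shared key, nonces, cookies and the Diffie-Hellman shared secret `GXY` are constructed placeholders, and `phase1_keys` and `expand_key` are this example's own names.

```python
import hashlib
import hmac

# IKEv1 phase 1 key derivation with pre-shared-key authentication, after
# RFC 2409 sections 5 and 5.4 and appendix B (example code, not Junos).

PRFS = {"hmac-md5": hashlib.md5, "hmac-sha1": hashlib.sha1}


def prf(name: str, key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, PRFS[name]).digest()


def phase1_keys(name: str, psk: bytes, ni: bytes, nr: bytes,
                gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """SKEYID and the three keys derived from it.

    SKEYID   = prf(pre-shared-key, Ni_b | Nr_b)                  (PSK authentication)
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)             (phase 2 key material)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)  (authentication)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)  (encryption)
    """
    skeyid = prf(name, psk, ni + nr)
    skeyid_d = prf(name, skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(name, skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(name, skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def expand_key(name: str, skeyid_e: bytes, needed: int) -> bytes:
    """Appendix B: when SKEYID_e is shorter than the cipher key (3des-cbc needs
    24 octets, hmac-md5 yields 16), K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), ..."""
    if len(skeyid_e) >= needed:
        return skeyid_e[:needed]
    block = PRFS[name]().digest_size
    out = prf(name, skeyid_e, b"\x00")  # the 0 is a single octet
    while len(out) < needed:
        out += prf(name, skeyid_e, out[-block:])
    return out[:needed]


# Constructed placeholders; none of these come from a real exchange.
PSK = b"constructed-example-psk"
NI = bytes.fromhex("0011223344556677" * 2)  # initiator nonce
NR = bytes.fromhex("8899aabbccddeeff" * 2)  # responder nonce
GXY = bytes(range(32))                       # stands in for the DH shared secret
CKY_I = bytes.fromhex("1a2b3c4d5e6f7081")
CKY_R = bytes.fromhex("91a2b3c4d5e6f708")

if __name__ == "__main__":
    for name in ("hmac-sha1", "hmac-md5"):
        keys = phase1_keys(name, PSK, NI, NR, GXY, CKY_I, CKY_R)
        for k, v in keys.items():
            print(f"{name} {k:9} {v.hex()}")
        print(f"{name} 3des key  {expand_key(name, keys['SKEYID_e'], 24).hex()}")
```

Two points worth seeing in the output: the same inputs always give the same keys, so the PRF is not a random number generator, and the cookies from the ISAKMP header enter every derived key after SKEYID, which is what ties the key material to this particular negotiation.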
Traffic statistics
|
Number of bytes and packets received
and transmitted on the IKE security association.
- Input bytes, Output bytes—Number of bytes
received and transmitted on the IKE security association.
- Input packets, Output packets—Number of
packets received and transmitted on the IKE security association.
|
detail
|
Flags
|
Notification to the key management
process of the status of the IKE negotiation:
- caller notification sent—Caller program
notified about the completion of the IKE negotiation.
- waiting for done—Negotiation is done. The
library is waiting for the remote end retransmission timers to expire.
- waiting for remove—Negotiation has failed.
The library is waiting for the remote end retransmission timers to
expire before removing this negotiation.
- waiting for policy manager—Negotiation
is waiting for a response from the policy manager.
|
detail
|
IPSec security associations
|
Number of IPSec security associations
created and deleted with this IKE security association.
|
detail
|
Phase 2 negotiations in progress
|
Number of phase 2 IKE negotiations
in progress and status information:
- Negotiation type—Type of phase 2 negotiation. The
JUNOS Software currently supports quick mode.
- Message ID—Unique identifier for a phase 2 negotiation.
- Local identity—Identity of the local phase 2 negotiation.
The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
- Remote identity—Identity of the remote phase 2
negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
- Flags—Notification to the key management process
of the status of the IKE negotiation:
  - caller notification sent—Caller program
  notified about the completion of the IKE negotiation.
  - waiting for done—Negotiation is done. The
  library is waiting for the remote end retransmission timers to expire.
  - waiting for remove—Negotiation has failed.
  The library is waiting for the remote end retransmission timers to
  expire before removing this negotiation.
  - waiting for policy manager—Negotiation
  is waiting for a response from the policy manager.
|
detail
|