Monitoring IPsec Tunnel Profiles

Purpose

Display information about all existing IPsec tunnel profiles or a specified tunnel profile.

Use the detail keyword to display detailed information about the tunnel profile.

Action

To display information about all existing IPsec tunnel profiles:

host1#show ipsec tunnel profile
IPsec tunnel profile ipsec-spg is active with no subscriber
1 IPsec tunnel profile found

To display more detailed information about the specified IPsec tunnel profile:

host1#show ipsec tunnel profile detail ipsec-spg
IPsec tunnel profile ipsec-spg is active with no subscriber
  Extended-authentication: pap, no re-authentication
  Peer IP characteristics configuration: enabled
  Virtual router: default
  Local IP address: 10.227.5.31
  Local IKE identity: 10.227.5.31
  Peer  IKE identity: IP network: not allowed
                      username: *
                      domain-name: spg.juniper.net
                      DN: not allowed
  Maximum subscribers: no limit
  Domain suffix: @spg
  IP profile: ip-spg
  Local IPsec identity: subnet 0.0.0.0 0.0.0.0, proto 0, port 0
  Peer IPsec identity: invalid identity
  Lifetime: between 1800 and 7200 seconds, and between 100000 and 500000 KB
  Reachable networks: none
  PFS not configured
  Transforms:, tunnel-esp-3des-sha1
  Subscribers rejected due to maximum subscribers limit: 0
  Completed sessions: 43, totaling 4873 seconds, statistics:
  ipsec stats:
    outbound:
      outboundUserPacketsReceived = 88
      outboundUserOctetsReceived  = 74544
      outboundAccPacketsReceived = 88
      outboundAccOctetsReceived = 79168
      outboundOtherTxErrors = 0
      outboundPolicyErrors = 0
    inbound:
      inboundUserPacketsReceived = 88
      inboundUserOctetsReceived  = 74880
      inboundAccPacketsReceived  = 88
      inboundAccOctetsReceived   = 79488
      inboundAuthenticationErrors= 0
      inboundReplayErrors = 0
      inboundPolicyErrors = 0
      inboundOtherRxErrors = 0
      inboundDecryptErrors = 0
      inboundPadErrors = 0

Meaning

Table 22 lists the show ipsec tunnel profile command output fields.

Table 22: show ipsec tunnel profile Output Fields

Field Name

Field Description

Extended-authentication

Configured extended user authentication protocol

Peer IP characteristics configuration

Peer IP characteristics configuration status

Virtual router

Name of the virtual router context

Local IP address

Local IP address on the specified virtual router

Local IKE identity

Configured local IKE identity

Peer IKE identity

Configured peer IKE identity

Maximum subscribers

Maximum number of subscribers allowed on the profile

Domain suffix

Domain suffix appended to any usernames on the profile

IP Profile

IP profile that is passed from the IPsec layer to the IP layer

Local IPsec identity

Local identity used for IPsec security association negotiations

Peer IPsec identity

Peer identity used for IPsec security association negotiations

Lifetime

Configured lifetime parameters

Reachable networks

Reachable networks on the VPN

PFS not configured

Perfect forward secrecy configuration status

Transforms

IPsec transforms that IPsec SA negotiations use

Subscribers rejected due to maximum subscribers limit

Subscribers rejected because of the configured limit of maximum number of subscribers on profile

Completed sessions

Number of successful subscriber sessions

ipsec stats

Inbound and Outbound IPsec statistics

Related Documentation