Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
This section contains information about troubleshooting
and monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels.
System Event Logs
To troubleshoot and monitor DVMRP/IPSec, GRE/IPSec,
and L2TP/IPSec tunnels, use the following system event log:
For more information about using event logs, see
the JUNOSe System Event Logging Reference Guide.
show Commands
To display profile and connection information for
DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following show commands.
show dvmrp tunnel
show gre tunnel
- Use to display information about DVMRP or GRE tunnels.
- If the tunnel is protected by IPSec, the show dvmrp tunnel detail and show gre tunnel detail commands include a
line indicating the IPSec transport interface. The line is not shown
for unsecured tunnels. The following is a partial display. See Monitoring IP Tunnels in Configuring IP Tunnels for full
descriptions of the commands.
- Example
host1#show gre tunnel detail
Tunnel operational configuration
Tunnel name is 'vr1'
Tunnel mtu is '10240'
Tunnel source address is '10.0.0.2'
Tunnel destination address is '10.0.0.1'
Tunnel transport virtual router is vr1
Tunnel checksum option is disabled
Tunnel up/down trap is enabled
Tunnel server location is 4/0
Tunnel secured by ipsec transport interface 1
Tunnel administrative state is up
. . .
- See show dvmrp tunnel.
- See show gre tunnel.
show ipsec ike-sa
show ike sa
Note: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.
- Use to display IKE phase 1 SAs running on the router.
- When NAT-T is enabled on both the client PC and the E-series
router, and the router has negotiated NAT-T as part of the IKE SA,
the local UDP port number displayed in the Local:Port column is typically
4500. When NAT-T is disabled or not supported on one or both sides
of the IKE SA negotiation, the local UDP port number is 500. (See
the example under Field Descriptions for more information.)
- Field descriptions
- Local:Port—Local IP address and UDP port number
of phase 1 negotiation
- Remote:Port—Remote IP address and UDP port number
of phase 1 negotiation
- Time(Sec)—Time remaining in phase 1 lifetime, in
seconds
- State—Current state of the phase 1 negotiation.
Corresponds to the messaging state in the main mode and aggressive
mode negotiations. Possible states are:
- AM_SA_I—Initiator has sent initial aggressive mode
SA payload and key exchange to the responder
- AM_SA_R—Responder has sent aggressive mode SA payload
and key exchange to the initiator
- AM_FINAL_I—Initiator has finished aggressive mode
negotiation
- AM_DONE_R—Responder has finished aggressive mode
negotiation
- MM_SA_I—Initiator has sent initial main mode SA
payload to the responder
- MM_SA_R—Responder has sent a response to the initial
main mode SA
- MM_KE_I—Initiator has sent initial main mode key
exchange to the responder
- MM_KE_R—Responder has sent a response to the key
exchange
- MM_FINAL_I—Initiator has sent the final packet in
the main mode negotiation
- MM_FINAL_R—Responder has finished main mode negotiation
- MM_DONE_I—Initiator has finished main mode negotiation
- DONE—Phase 1 SA negotiation is complete, as evidenced
by receipt of some phase 2 messages
- Local Cookie—Unique identifier (SPI) for the local
phase 1 IKE SA
- Remote Cookie—Unique identifier (SPI) for the remote
phase 1 IKE SA
- Example
The following example displays the IKE phase 1
SAs for three remote client PCs that are accessing an E-series router
(IP address 21.227.9.8).
The first client PC listed (IP address 21.227.9.10)
is not located behind a NAT device, and is therefore
not using NAT-T to access the router. This PC appears in the Remote:Port
column with its own IP address (21.227.9.10) and UDP port number 500.
The remaining two client PCs are located behind
a NAT device that has IP address 21.227.9.11, and are using NAT-T
to access the router. These PCs appear in the Remote:Port column with
the same IP address (21.227.9.11) but with two different UDP port
numbers, 4500 and 14500.
host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port Remote:Port Time(Sec) State Local Cookie Remote Cookie
21.227.9.8:500 21.227.9.10:500 26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500 21.227.9.11:4500 28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
- See show ipsec ike-sa.
- See show ike sa.
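The NAT-T port rule and the phase 1 state list above are easy to check mechanically. The following script, added here as an illustration and not part of JUNOSe or the documentation, parses show ipsec ike-sa output, tells NAT-T peers apart by the local UDP port (4500 versus 500), groups NAT-T peers that share one NAT device's address, and flags SAs that are not yet DONE or are close to the end of their phase 1 lifetime. The first sample is the page's own output; the second sample and the 600-second expiry threshold are constructed assumptions.

```python
"""Triage `show ipsec ike-sa` output: which IKE phase 1 SAs are complete,
which are still negotiating, which use NAT-T, and which are near expiry.

Added example, not JUNOSe code. DOC_OUTPUT is the output shown in the
documentation; CONSTRUCTED_OUTPUT and the expiry threshold are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Output as printed on the documentation page.
DOC_OUTPUT = """\
host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port Remote:Port Time(Sec) State Local Cookie Remote Cookie
21.227.9.8:500 21.227.9.10:500 26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500 21.227.9.11:4500 28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
"""

# Constructed sample: one SA about to expire, one stuck mid main-mode exchange.
CONSTRUCTED_OUTPUT = """\
IKE Phase 1 SA's:
Local:Port Remote:Port Time(Sec) State Local Cookie Remote Cookie
21.227.9.8:500 21.227.9.12:500 120 DONE 0x1111111111111111 0x2222222222222222
21.227.9.8:500 21.227.9.13:500 28800 MM_KE_I 0x3333333333333333 0x0000000000000000
"""

IKE_PORT = 500      # IKE without NAT-T (from the page)
NAT_T_PORT = 4500   # IKE after NAT-T has been negotiated (from the page)

# One SA row: addr:port addr:port seconds state local-cookie remote-cookie.
# The prompt and the column header do not match this pattern.
SA_LINE = re.compile(
    r"^(\S+?):(\d+)\s+(\S+?):(\d+)\s+(\d+)\s+(\S+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)$"
)


@dataclass
class IkeSa:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    time_sec: int
    state: str
    local_cookie: str
    remote_cookie: str

    @property
    def nat_t(self) -> bool:
        # The router moved this SA to UDP 4500, so NAT-T was negotiated.
        return self.local_port == NAT_T_PORT

    @property
    def done(self) -> bool:
        # DONE is the only completed state; AM_* and MM_* states are in progress.
        return self.state == "DONE"


def parse_ike_sa(text: str) -> list[IkeSa]:
    """Return one IkeSa per data row of the command output."""
    sas = []
    for raw in text.splitlines():
        m = SA_LINE.match(raw.strip())
        if not m:
            continue
        la, lp, ra, rp, t, st, lc, rc = m.groups()
        sas.append(IkeSa(la, int(lp), ra, int(rp), int(t), st, lc, rc))
    return sas


def peers_behind_nat(sas: list[IkeSa]) -> dict[str, int]:
    """Remote addresses carrying more than one NAT-T SA: several clients share
    one NAT device's public address and differ only by UDP port."""
    counts = Counter(sa.remote_addr for sa in sas if sa.nat_t)
    return {addr: n for addr, n in counts.items() if n > 1}


def triage(sas: list[IkeSa], min_remaining_sec: int = 600) -> list[str]:
    """Findings an operator would act on. The 600 s threshold is an assumption."""
    findings = []
    for sa in sas:
        peer = f"{sa.remote_addr}:{sa.remote_port}"
        if not sa.done:
            findings.append(f"{peer} phase 1 not complete (state {sa.state})")
        elif sa.time_sec < min_remaining_sec:
            findings.append(f"{peer} phase 1 lifetime expires in {sa.time_sec}s")
    for addr, n in peers_behind_nat(sas).items():
        findings.append(f"{addr} fronts {n} NAT-T peers (distinct UDP ports)")
    return findings


if __name__ == "__main__":
    for label, text in (("doc", DOC_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        sas = parse_ike_sa(text)
        print(f"[{label}] {len(sas)} SA(s)")
        for line in triage(sas):
            print("  -", line)
```

Feeding the script the page's output yields the single finding that 21.227.9.11 fronts two NAT-T peers, which matches the prose explanation of the example; a long-lived SA that never leaves an MM_* or AM_* state is worth correlating with the system event log.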
show ipsec option
- Use to display whether NAT-T is enabled or disabled on
the current virtual router.
- The show ipsec option command
also displays the status of dead peer detection (DPD) on the virtual
router. For information about configuring and monitoring DPD, see Configuring IPSec.
- Example
host1:westford#show ipsec option
IPsec options:
Dead Peer Detection: disabled
NAT Traversal : enabled
- See show ipsec option.
show ipsec transport interface
- Use to display information about transport connections.
- Field descriptions
- IPSec transport interface—Number and status of the
IPSec transport connection
- Configuration
- Virtual router—Virtual router on which this profile
is configured
- Application—Type of application the connection can
protect
- pfs group—PFS group being used for the connection
- Mtu—Tunnel's MTU size
- Local address—Local endpoint address
- Remote address—Remote endpoint address
- Local identity—Shows the subnet, protocol, and port
- Remote identity—Shows the subnet, protocol, and
port
- Inbound spi—Inbound security parameter index
- Inbound transform—Inbound algorithm
- Inbound lifetime—Inbound configured lifetime in
seconds and kilobytes
- Outbound spi—Outbound security parameter index
- Outbound transform—Outbound algorithm
- Outbound lifetime—Outbound configured lifetime in
seconds and kilobytes
- Statistics
- InUserPackets—Number of user packets received
- InUserOctets—Number of octets received from user
packets
- InAccPackets—Number of encapsulated packets received
- InAccOctets—Number of octets received in encapsulated
packets
- InAuthErrors—Number of authentication errors received
- InReplayErrors—Number of replay errors in received
traffic
- InPolicyErrors—Number of policy errors in received
traffic
- InOtherRxErrors—Number of packets received that
have errors other than those listed above
- InDecryptErrors—Number of decryption errors in received
traffic
- InPadErrors—Number of packets received that had
invalid values after the packet was decrypted
- OutUserPackets—Number of user packets sent
- OutUserOctets—Number of octets sent in user packets
- OutAccPackets—Number of encapsulated packets sent
- OutAccOctets—Number of octets sent in encapsulated
packets
- OutPolicyErrors—Number of packets arriving at the
transport connection for encapsulation that do not meet the specified
identifier (selector)
- OutOtherTxErrors—Number of outbound packets that
have errors other than those listed above
- Example 1
host1:vr11#show ipsec transport interface
IPSEC transport interface 5 is Up
IPSEC transport interface 6 is Up
2 Ipsec transport interfaces found
- Example 2
host1:vr11#show ipsec transport interface 5
IPSEC transport interface 5 is Up
- Example 3
host1:vr11#show ipsec transport interface detail 5
IPSEC transport interface 5 is Up
Configuration
Virtual router vr00
Application gre
No pfs group
Mtu is 1440
Local address is 10.255.0.61
Remote address is 10.255.0.62
Local identity is subnet 10.255.0.61 255.255.255.255, proto 47, port 0
Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port 0
Inbound spi 0x15c30204
Inbound transform transport-esp-3des-sha1
Inbound lifetime 900 seconds 102400 kilobytes
Outbound spi is 0x16a10205
Outbound transform transport-esp-3des-sha1
Outbound lifetime 900 seconds 102400 kilobytes
Statistics
InUserPackets 5
InUserOctets 270
InAccPackets 5
InAccOctets 440
InAuthErrors 0
InReplayErrors 0
InPolicyErrors 0
InOtherRxErrors 0
InDecryptErrors 0
InPadErrors 0
OutUserPackets 5
OutUserOctets 270
OutAccPackets 5
OutAccOctets 440
OutPolicyErrors 0
OutOtherTxErrors 0
- See show ipsec transport interface.
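The counters in the Statistics block are the per-connection signal that an IPSec transport is silently failing. The following script, an added illustration rather than JUNOSe or documentation code, parses show ipsec transport interface detail output into one record per interface (handling the optional "is" that the page's output uses inconsistently) and reports any interface that is not Up, any non-zero error counter from the field list above, and, as a heuristic of my own, any interface that has received encapsulated packets but delivered no user packets. Example 3 from the page is the first sample; the second sample is constructed.

```python
"""Parse `show ipsec transport interface detail` output and flag transport
connections whose state is not Up or whose error counters are non-zero.

Added example, not JUNOSe code. DOC_DETAIL is Example 3 from the
documentation; CONSTRUCTED_DETAIL is invented to exercise the checks.
"""
import re

DOC_DETAIL = """\
host1:vr11#show ipsec transport interface detail 5
IPSEC transport interface 5 is Up
Configuration
Virtual router vr00
Application gre
No pfs group
Mtu is 1440
Local address is 10.255.0.61
Remote address is 10.255.0.62
Local identity is subnet 10.255.0.61 255.255.255.255, proto 47, port 0
Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port 0
Inbound spi 0x15c30204
Inbound transform transport-esp-3des-sha1
Inbound lifetime 900 seconds 102400 kilobytes
Outbound spi is 0x16a10205
Outbound transform transport-esp-3des-sha1
Outbound lifetime 900 seconds 102400 kilobytes
Statistics
InUserPackets 5
InUserOctets 270
InAccPackets 5
InAccOctets 440
InAuthErrors 0
InReplayErrors 0
InPolicyErrors 0
InOtherRxErrors 0
InDecryptErrors 0
InPadErrors 0
OutUserPackets 5
OutUserOctets 270
OutAccPackets 5
OutAccOctets 440
OutPolicyErrors 0
OutOtherTxErrors 0
"""

# Constructed: a second interface whose inbound traffic fails authentication.
CONSTRUCTED_DETAIL = """\
IPSEC transport interface 6 is Down
Configuration
Virtual router vr00
Application l2tp
Mtu is 1440
Local address is 10.255.0.61
Remote address is 10.255.0.63
Inbound spi 0x00000001
Inbound transform transport-esp-3des-sha1
Outbound spi is 0x00000002
Outbound transform transport-esp-3des-sha1
Statistics
InUserPackets 0
InAccPackets 40
InAuthErrors 37
InReplayErrors 3
InDecryptErrors 0
OutUserPackets 12
OutPolicyErrors 2
"""

# Counters from the page's field descriptions that should stay at zero.
ERROR_COUNTERS = (
    "InAuthErrors", "InReplayErrors", "InPolicyErrors", "InOtherRxErrors",
    "InDecryptErrors", "InPadErrors", "OutPolicyErrors", "OutOtherTxErrors",
)

HEADER = re.compile(r"^IPSEC transport interface (\d+) is (\S+)$", re.I)
STAT = re.compile(r"^(\w+)\s+(\d+)$")
LIFETIME = re.compile(r"^(Inbound|Outbound) lifetime (\d+) seconds (\d+) kilobytes$")
# Configuration lines; "(?:is )?" absorbs the optional "is" seen in the output.
CONFIG_PATTERNS = {
    "virtual_router": re.compile(r"^Virtual router (\S+)$"),
    "application": re.compile(r"^Application (\S+)$"),
    "mtu": re.compile(r"^Mtu (?:is )?(\d+)$"),
    "local_address": re.compile(r"^Local address (?:is )?(\S+)$"),
    "remote_address": re.compile(r"^Remote address (?:is )?(\S+)$"),
    "inbound_spi": re.compile(r"^Inbound spi (?:is )?(0x[0-9a-fA-F]+)$"),
    "outbound_spi": re.compile(r"^Outbound spi (?:is )?(0x[0-9a-fA-F]+)$"),
    "inbound_transform": re.compile(r"^Inbound transform (\S+)$"),
    "outbound_transform": re.compile(r"^Outbound transform (\S+)$"),
}


def parse_transport_detail(text: str) -> list[dict]:
    """One record per interface: {'interface', 'status', 'config', 'stats'}."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            cur = {"interface": int(m.group(1)), "status": m.group(2),
                   "config": {}, "stats": {}}
            records.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line in ("Configuration", "Statistics"):
            section = line
            continue
        if section == "Configuration":
            lm = LIFETIME.match(line)
            if lm:
                key = f"{lm.group(1).lower()}_lifetime"
                cur["config"][key] = (int(lm.group(2)), int(lm.group(3)))
                continue
            for key, pat in CONFIG_PATTERNS.items():
                cm = pat.match(line)
                if cm:
                    cur["config"][key] = int(cm.group(1)) if key == "mtu" else cm.group(1)
                    break
        elif section == "Statistics":
            sm = STAT.match(line)
            if sm:
                cur["stats"][sm.group(1)] = int(sm.group(2))
    return records


def find_issues(records: list[dict]) -> list[str]:
    """State not Up, any non-zero error counter, and (heuristic, my own)
    encapsulated packets received with no user packets delivered."""
    issues = []
    for r in records:
        tag = f"interface {r['interface']}"
        if r["status"].lower() != "up":
            issues.append(f"{tag} is {r['status']}")
        for name in ERROR_COUNTERS:
            n = r["stats"].get(name, 0)
            if n:
                issues.append(f"{tag} {name}={n}")
        acc, user = r["stats"].get("InAccPackets", 0), r["stats"].get("InUserPackets", 0)
        if acc and not user:
            issues.append(f"{tag} received {acc} encapsulated packets but delivered 0 user packets")
    return issues


if __name__ == "__main__":
    for rec in parse_transport_detail(DOC_DETAIL + CONSTRUCTED_DETAIL):
        print(rec["interface"], rec["status"], rec["config"].get("application"))
    for issue in find_issues(parse_transport_detail(DOC_DETAIL + CONSTRUCTED_DETAIL)):
        print("  -", issue)
```

Because the parser splits on the "IPSEC transport interface N is ..." header, the output of the whole-table form of the command with detail can be fed in as one stream and every interface is checked in a single pass; rising InAuthErrors or InReplayErrors on an interface that is otherwise Up is the pattern to watch for.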
show ipsec transport interface summary
- Use to display a summary of existing IPSec transport connections
by application and state.
- Field descriptions
- up—Number of IPSec transport interfaces that are
currently up
- down—Number of IPSec transport interfaces that are
currently down
- upper-bound—Number of IPSec transport interfaces
that are currently bound to the upper layer
- Example
host1:vr11#show ipsec transport interface summary
Operational status up down upper-bound
2 0 2
- See show ipsec transport interface.
show ipsec transport profile
- Use to display the configuration of an IPSec transport
profile.
- Field descriptions
- IPSec transport profile—Name of the profile
- Virtual router—Virtual router on which this profile
is configured
- Peer address—Remote endpoint address
- Application—Type(s) of application that this profile
is protecting
- Lifetime range in seconds—Lifetime range in seconds
configured for the profile
- Lifetime range in kilobytes—Lifetime range in kilobytes
configured for the profile
- TransformSet—Transform set(s) configured for the
profile
- Pfs group—PFS group configured for the profile;
0 (zero) means that PFS is not configured for the profile
- Local ip address—Local endpoint address
- Example 1
host1:vr11#show ipsec transport profile
IPSEC transport profile goi1
IPSEC transport profile goi2
2 Ipsec transport profiles found
- Example 2
host1:vr11#show ipsec transport profile goi1
IPSEC transport profile goi1
Virtual router vr00
Peer address 10.255.0.62
Application gre,dvmrp
Lifetime range in seconds 900 900
Lifetime range in kilobytes 102400 4294967294
TransformSet transport-esp-3des-sha1
Pfs group 0
Local ip address : 10.255.0.61
- See show ipsec transport profile.
show l2tp destination profile
- Use to display configuration information for an L2TP destination
profile and its associated L2TP host profiles.
- If single-shot tunnels are configured for a particular
host profile, the command displays this information as an attribute
of the profile for that remote host.
- Field descriptions
- Destination profile attributes:
- Transport—Method used to transfer traffic
- Virtual router—Name of the virtual router
- Peer address—IP address of the LAC
- Destination profile maximum sessions—Maximum number
of sessions allowed for the destination profile
- Destination profile current session count—Number
of current sessions for the destination profile
- Host profile attributes:
- Remote host is—Name of the remote host
- Tunnel password is—Password for the tunnel
- Interface profile is—Name of the host profile
- Local host name is—Name of the local host
- Ipsec transport is—Status of the IPSec transport
connection: enabled or disabled
- Disconnect-cause avp is—Status of the disconnect
cause AVP generation: enabled or disabled
- Tunnels are single-shot—Indicates that single-shot
tunnels are configured for this host profile
- Current session count is—Number of current sessions
for the host profile
- Example
host1#show l2tp destination profile westford
L2TP destination profile westford
Configuration
Destination address
Transport ipUdp
Virtual router default
Peer address 172.31.1.99
Statistics
Destination profile current session count is 1
Host profile attributes
Remote host is lac-1
Configuration
Tunnel password is password
Interface profile is tunneled-user
Local host name is lns-1
Ipsec transport is enabled
Disconnect-cause avp is enabled
Tunnels are single-shot
Statistics
Current session count is 1
1 L2TP host profile found
- See show l2tp destination profile.