Monitoring IPSec
This section contains information about troubleshooting and monitoring IPSec.
System Event Logs
To troubleshoot and monitor IPSec, use the following system event logs:
- auditIpsec—Lower layers of IKE SA negotiations
- ikepki—Upper layers of IKE SA negotiations
- stTunnel—Secure tunnel interface
For more information about using event logs, see the JUNOSe System Event Logging Reference Guide, Chapter 1, .
show Commands
To view your IPSec configuration and to monitor IPSec tunnels and statistics, use the following show commands.
show ipsec ike-policy-rule
 |
NOTE: The show ipsec ike-policy-rule command replaces the show ipsec isakmp-policy-rule command, which may be removed completely in a future release. |
- Protection suite priority—Priority number assigned to the policy rule
- encryption algorithm—Encryption algorithm used in the IKE policy: des, 3des
- hash algorithm—Hash algorithm used in the IKE policy: SHA, MD5
- authentication method—Authentication method used in the IKE policy: RSA signature, preshared keys
- Diffie-Hellman group—Size of the Diffie-Hellman group: 768-bit, 1024-bit, 1536-bit
- lifetime—Lifetime of SAs created with this policy: 60 to 86400 seconds
- aggressive mode—Allowed or not allowed
host1#show ipsec ike-policy-rule
IKE Policy Rules:
Protection suite priority: 5
encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys)
hash algorithm :SHA Secure Hash Standard
authentication method:RSA Signatures
Diffie-Hellman group :5 (1536 bit)
lifetime :7200 seconds
aggressive mode :Not Allowed
Protection suite priority: 6
encryption algorithm :3DES Triple Data Encryption Standard(168 bit keys)
hash algorithm :SHA Secure Hash Standard
authentication method:Pre Shared Keys
Diffie-Hellman group :2 (1024 bit)
lifetime :28800 seconds
aggressive mode :Not Allowed
show ipsec ike-sa
|
NOTE: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release. |
- Local:Port—Local IP address and UDP port number of phase 1 negotiation
- Remote:Port—Remote IP address and UDP port number of phase 1 negotiation
- Time(Sec)—Time remaining in phase 1 lifetime, in seconds
- State—Current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. Possible states are:
- AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder
- AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator
- AM_FINAL_I—Initiator has finished aggressive mode negotiation
- AM_DONE_R—Responder has finished aggressive mode negotiation
- MM_SA_I—Initiator has sent initial main mode SA payload to the responder
- MM_SA_R—Responder has sent a response to the initial main mode SA
- MM_KE_I—Initiator has sent initial main mode key exchange to the responder
- MM_KE_R—Responder has sent a response to the key exchange
- MM_FINAL_I—Initiator has sent the final packet in the main mode negotiation
- MM_FINAL_R—Responder has finished main mode negotiation
- MM_DONE_I—Initiator has finished main mode negotiation
- DONE—Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages
- Local Cookie—Unique identifier (SPI) for the local phase 1 IKE SA
- Remote Cookie—Unique identifier (SPI) for the remote phase 1 IKE SA
host1#show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port Remote:Port Time(Sec) State Local Cookie Remote Cookie
195.0.0.100:500 195.0.0.200:500 1551 DONE 0x90ee723e6cb0c016 0xf7d3651e93d56431
195.0.0.100:500 195.0.0.200:500 1552 DONE 0x821bccf81dcedbb0 0x35152bdb7a9c734e
195.0.1.100:500 195.0.1.200:500 1687 DONE 0x1b4fbcebe36d1b16 0xed742166a305a6a0
195.0.1.100:500 195.0.1.200:500 1687 DONE 0xacf3acd1b3555b6a 0x0af9edbc95622869
195.0.2.100:500 195.0.2.200:500 1688 DONE 0x3153379b32d8c936 0x17f5d77f9badc3cf
195.0.2.100:500 195.0.2.200:500 1688 DONE 0x6573dcbc9bf31fae 0x7af8b4d13078b463
195.0.3.100:500 195.0.3.200:500 1685 DONE 0xdc7df648fcac375a 0x0346752d2881d5c5
195.0.3.100:500 195.0.3.200:500 1685 DONE 0xe776e9ffb6678635 0x8de857af1c681874
195.0.4.100:500 195.0.4.200:500 1690 DONE 0x16410d890500e94e 0xbd47831b55e81c27
show ipsec lifetime
host1#show ipsec lifetime
Default lifetime in seconds is '7200'.
Default lifetime in kilobytes is '4294967295'.
show ipsec local-endpoint
- Use to display the address and transport virtual router of local endpoints.
- To display the local endpoint of a specific transport virtual router, include the virtual router name.
- Example
host1#show ipsec local-endpoint transport-virtual-router default
Local endpoint for transport-virtual-router default is '0.0.0.0'.
show ipsec option
- Use to display the status, enabled or disabled, of IPSec options configured on the current virtual router. Information is displayed for the following options:
- Dead peer detection (DPD)
- Network Address Translation Traversal (NAT-T). For information about configuring and monitoring NAT-T on L2TP/IPSec tunnels, see Chapter 13, Securing L2TP and IP Tunnels with IPSec.
- Transmission of invalid cookie notification in ISAKMP messages to peers
host1:vrA#show ipsec option
IPsec options:
Dead Peer Detection: disabled
NAT Traversal : enabled
TX Invalid Cookie : disabled
show ipsec transform-set
- Use to display transform sets configured on the router.
- To display a specific transform set, include the transform set name.
- Field descriptions
host1#show ipsec transform-set
Transform-set: Highest security = {esp-3des-hmac-sha }.
Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha }.
host1#show ipsec transform-set transform-esp-3des-hmac-sha
Transform-set: transform-esp-3des-hmac-sha = {esp-3des-hmac-sha}.
show ipsec tunnel detail
- IPSEC tunnel—Name and state of tunnel for which information is displayed
- Tunnel operational configuration—Configuration running on the tunnel
- Tunnel type—Manual, signaled
- Tunnel mtu—MTU size of the tunnel
- Tunnel localEndpoint—IP address of local tunnel endpoint
- Tunnel remoteEndpoint—IP address of remote tunnel endpoint
- Tunnel source—IP address or FQDN of tunnel source
- Tunnel destination—IP address or FQDN of tunnel destination
- Tunnel backup destination—Alternate tunnel destination
- Tunnel transport virtual router—Name of transport virtual router over which tunnel runs
- Tunnel transform set—Tunnel transform set in use on this tunnel
- Tunnel local identity—IP address of local endpoint identity that ISAKMP uses
- Tunnel peer identity—IP address of peer endpoint identity that ISAKMP uses
- Tunnel outbound spi/SA—SPI and SA in use on traffic sent to the tunnel (manual tunnels only)
- Tunnel inbound spi/SA—SPI and SA in use on traffic received from the tunnel (manual tunnels only)
- Tunnel lifetime seconds—Configured time-based lifetime in seconds
- Tunnel lifetime kilobytes—Configured traffic-based lifetime in kilobytes
- Tunnel pfs—PFS group in use on the tunnel: 0 (PFS is not in use), 1 (768-bit group), 2 (1024-bit group), 5 (1536-bit group)
- Tunnel administrative state—Up, Down
- inbound/outboundSpi/SA—SPI in use on traffic received from or sent to the tunnel
- inbound/outboundSa—SA in use on traffic received from or sent to the tunnel
- inbound/outbound lifetime allowed—Negotiated time-based lifetime in seconds
- inbound/outbound lifetime remaining—Number of seconds remaining before time-based lifetime expires
- inbound/outbound traffic allowed—Negotiated traffic-based lifetime in kilobytes
- inbound/outbound traffic remaining—Number of additional kilobytes that tunnel can send or receive before traffic-based lifetime expires
- InUserPackets—Number of user packets received
- InUserOctets—Number of octets received from user packets
- InAccPackets—Number of encapsulated packets received
- InAccOctets—Number of octets received in encapsulated packets
- InAuthErrors—Number of authentication errors received
- InReplayErrors—Number of replay errors in received traffic
- InPolicyErrors—Number of policy errors in received traffic
- InOtherRxErrors—Number of packets received that have errors other than those listed above
- InDecryptErrors—Number of decryption errors in received traffic
- InPadErrors—Number of packets received that had invalid values after the packet was decrypted
- OutUserPackets—Number of user packets sent
- OutUserOctets—Number of octets sent in user packets
- OutAccPackets—Number of encapsulated packets sent
- OutAccOctets—Number of octets sent in encapsulated packets
- OutPolicyErrors—Number of packets arriving at tunnel for encapsulation that do not meet specified tunnel identifier (selector)
- OutOtherTxErrors—Number of outbound packets that have errors other than those listed above
hostl#show ipsec tunnel detail
IPSEC tunnel r200000 is Up
Tunnel configuration:
Tunnel type is signaled
Tunnel mtu is 1440
Tunnel local endpoint is 195.0.0.200
Tunnel remote endpoint is 195.0.0.100
Tunnel source is 195.0.0.200
Tunnel destination is 195.0.0.100
Tunnel backup destination is 0.0.0.0
Tunnel transport virtual router is r
Tunnel transform set is perf
Tunnel local identity is ipAddress: 4.0.0.100
Tunnel peer identity is ipAddress: 3.0.0.100
Tunnel lifetime seconds is 7200
Tunnel lifetime kilobytes is 1024000
Tunnel pfs is group 5
Tunnel administrative state is Up
Tunnel Operational Attributes:
inboundSpi = 0x17270202, inboundSa = esp-3des-hmac-sha
inbound lifetime: allowed 7200s, remaining 7100s
inbound traffic: allowed 1024000KB, remaining 1023997KB
outboundSpi = 0x283b0201, outboundSa = esp-3des-hmac-sha
outbound lifetime: allowed 7200s, remaining 7100s
outbound traffic: allowed 1024000KB, remaining 1023997KB
Tunnel Statistics:
InUserPackets 15
InUserOctets 1920
InAccPackets 15
InAccOctets 2760
InAuthErrors 0
InReplayErrors 0
InPolicyErrors 0
InOtherRxErrors 0
InDecryptErrors 0
InPadErrors 0
OutUserPackets 15
OutUserOctets 1920
OutAccPackets 15
OutAccOctets 2760
OutPolicyErrors 0
OutOtherTxErrors 0
show ipsec tunnel summary
- Total number of ipsec interface—Number of tunnels configured on the router
- Administrative status—Number of tunnels with an administrative status of enabled and disabled
- Operational status—Number of tunnels with an operational status of up, down, lower layer down, not present
host1#show ipsec tunnel summary
Total number of ipsec interface is 40
Administrative status enabled disabled
40 0
Operational status up down lower-down not-present
40 0 0 0
show ipsec tunnel virtual-router
- Use to display the status of tunnels configured on a virtual router.
- To display only tunnels that are in a specific state, use the state keyword.
- To display tunnels that are using a particular IP address, use the ip keyword.
- Field descriptions
host1#show ipsec tunnel virtual-router default ip 10.255.1.13
IPSEC tunnel s0l1e3d0 is up
IPSEC tunnel s0l1e3d1 is up
IPSEC tunnel s0l2e3d0 is up
IPSEC tunnel s0l2e3d1 is up
IPSEC tunnel s0l3e3d0 is up
IPSEC tunnel s0l4e3d0 is up
IPSEC tunnel s0l4e3d1 is up
IPSEC tunnel s0l5e3d0 is up
show license ipsec-tunnels
- Use to display the IPSec license key configured on the router and the number of tunnels allowed on the router.
- Example
host1#show license ipsec-tunnels
ipsec-tunnels license is 'g1k23b23eb2j' which allows 5000 tunnels with 1 IPsec card and 7500 tunnels with 2 or more IPsec cards.