Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]

JUNOSe 9.1.x IP Services Configuration Guide > Securing L2TP and IP Tunnels with IPSec > Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels

This section contains information about troubleshooting and monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels.

System Event Logs

To troubleshoot and monitor DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following system event log:

itm—IPSec transport mode

For more information about using event logs, see the JUNOSe System Event Logging Reference Guide.

show Commands

To display profile and connection information for DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following show commands.

show dvmrp tunnel

show gre tunnel
Use to display information about DVMRP or GRE tunnels.

If the tunnel is protected by IPSec, the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface. The line is not shown for unsecured tunnels. The following is a partial display. See Monitoring IP Tunnels in Chapter 10, Configuring IP Tunnels for full descriptions of the commands.

Example
host1#show gre tunnel detail
Tunnel operational configuration
  Tunnel name is 'vr1'
  Tunnel mtu is '10240'
  Tunnel source address is '10.0.0.2'
  Tunnel destination address is '10.0.0.1'
  Tunnel transport virtual router is vr1
  Tunnel checksum option is disabled
  Tunnel up/down trap is enabled
  Tunnel server location is 4/0
  Tunnel secured by ipsec transport interface 1
  Tunnel administrative state is up
. . . 
show ipsec ike-sa

show ike sa
 NOTE: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.



 
Use to display IKE phase 1 SAs running on the router.

When NAT-T is enabled on both the client PC and the E-series router, and the router has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in the Local:Port column is typically 4500. When NAT-T is disabled or not supported on one or both sides of the IKE SA negotiation, the local UDP port number is 500. (See the Example for more information.)

Field descriptions

Local:Port—Local IP address and UDP port number of phase 1 negotiation

Remote:Port—Remote IP address and UDP port number of phase 1 negotiation

Time(Sec)—Time remaining in phase 1 lifetime, in seconds

State—Current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. Possible states are:

AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder

AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator

AM_FINAL_I—Initiator has finished aggressive mode negotiation

AM_DONE_R—Responder has finished aggressive mode negotiation

MM_SA_I—Initiator has sent initial main mode SA payload to the responder

MM_SA_R—Responder has sent a response to the initial main mode SA

MM_KE_I—Initiator has sent initial main mode key exchange to the responder

MM_KE_R—Responder has sent a response to the key exchange

MM_FINAL_I—Initiator has sent the final packet in the main mode negotiation

MM_FINAL_R—Responder has finished main mode negotiation

MM_DONE_I—Initiator has finished main mode negotiation

DONE—Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages

Local Cookie—Unique identifier (SPI) for the local phase 1 IKE SA

Remote Cookie—Unique identifier (SPI) for the remote phase 1 IKE SA

Example

The following example displays the IKE phase 1 SAs for three remote client PCs that are accessing an E-series router (IP address 21.227.9.8).

The first client PC listed (IP address 21.227.9.10) is not located behind a NAT device, and is therefore not using NAT-T to access the router. This PC appears in the Remote:Port column with its own IP address (21.227.9.10) and UDP port number 500.

The remaining two client PCs are located behind a NAT device that has IP address 21.227.9.11, and are using NAT-T to access the router. These PCs appear in the Remote:Port column with the same IP address (21.227.9.11) but with two different UDP port numbers, 4500 and 14500.
host1#show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port             Remote:Port            Time(Sec) State        Local Cookie       Remote Cookie
21.227.9.8:500         21.227.9.10:500        26133     DONE         0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500        21.227.9.11:4500       28774     DONE         0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500        21.227.9.11:14500      28729     DONE         0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
show ipsec option
Use to display whether NAT-T is enabled or disabled on the current virtual router.

The show ipsec option command also displays the status of dead peer detection (DPD) on the virtual router. For information about configuring and monitoring DPD, see Chapter 6, Configuring IPSec.

Example
host1:westford#show ipsec option
IPsec options:
Dead Peer Detection: disabled
NAT Traversal      : enabled
show ipsec transport interface

Use to display information about transport connections.

Field descriptions

IPSec transport interface—Number and status of the IPSec transport connection

Configuration

Virtual router—Virtual router on which this profile is configured

Application—Type of application the connection can protect

pfs group—PFS group being used for the connection

Mtu—Tunnel's MTU size

Local address—Local endpoint address

Remote address—Remote endpoint address

Local identity—Shows the subnet, protocol, and port

Remote identity—Shows the subnet, protocol, and port

Inbound spi—Inbound security parameter index

Inbound transform—Inbound algorithm

Inbound lifetime—Inbound configured lifetime in seconds and kilobytes

Outbound spi—Outbound security parameter index

Outbound transform—Outbound algorithm

Outbound lifetime—Outbound configured lifetime in seconds and kilobytes

Statistics

InUserPackets—Number of user packets received

InUserOctets—Number of octets received from user packets

InAccPackets—Number of encapsulated packets received

InAccOctets—Number of octets received in encapsulated packets

InAuthErrors—Number of authentication errors received

InReplyErrors—Number of reply errors in received traffic

InPolicyErrors—Number of policy errors in received traffic

InOtherRxErrors—Number of packets received that have errors other than those listed above

InDecryptErrors—Number of decryption errors in received traffic

InPadErrors—Number of packets received that had invalid values after the packet was decrypted

OutUserPackets—Number of user packets sent

OutUserOctets—Number of octets sent in user packets

OutAccPackets—Number of encapsulated packets sent

OutAccOctets—Number of octets sent in encapsulated packets

OutPolicyErrors—Number of packets arriving at the transport connection for encapsulation that do not meet the specified identifier (selector)

OutOtherTxErrors—Number of outbound packets that have errors other than those listed above
Example 1
host1:vr11#show ipsec transport interface
IPSEC transport interface 5 is Up
IPSEC transport interface 6 is Up
2 Ipsec transport interfaces found
Example 2
host1:vr11#show ipsec transport interface 5
IPSEC transport interface 5 is Up
Example 3
host1:vr11#show ipsec transport interface detail 5
IPSEC transport interface 5 is Up
  Configuration
    Virtual router vr00
    Application gre
    No pfs group
    Mtu is 1440
    Local address is 10.255.0.61
    Remote address is 10.255.0.62
    Local identity is subnet 10.255.0.61 255.255.255.255, proto 47, port 0
    Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port 0
    Inbound spi 0x15c30204
    Inbound transform transport-esp-3des-sha1
    Inbound lifetime 900 seconds 102400 kilobytes
    Outbound spi is 0x16a10205
    Outbound transform transport-esp-3des-sha1
    Outbound lifetime 900 seconds 102400 kilobytes
  Statistics
    InUserPackets           5
    InUserOctets            270
    InAccPackets            5
    InAccOctets             440
    InAuthErrors            0
    InReplayErrors          0
    InPolicyErrors          0
    InOtherRxErrors         0
    InDecryptErrors         0
    InPadErrors             0
    OutUserPackets          5
    OutUserOctets           270
    OutAccPackets           5
    OutAccOctets            440
    OutPolicyErrors         0
    OutOtherTxErrors        0
show ipsec transport interface summary

Use to display a summary of existing IPSec transport connections by application and state.

Field descriptions

up—Number of IPSec transport interfaces that are currently up

down—Number of IPSec transport interfaces that are currently down

upper-bound—Number of IPSec transport interfaces that are currently bound to the upper layer
Example
host1:vr11#show ipsec transport interface summary
Operational status       up         down       upper-bound
                         2          0          2
show ipsec transport profile

Use to display the configuration of an IPSec transport profile.

Field descriptions

IPSec transport profile—Name of the profile

Virtual router—Virtual router on which this profile is configured

Peer address—Remote endpoint address

Application—Type(s) of application that this profile is protecting

Lifetime range in seconds—Lifetime range in seconds configured for the profile

Lifetime range in kilobytes—Lifetime range in kilobytes configured for the profile

TransformSet—Transform set(s) configured for the profile

Pfs group—PFS group configured for the profile; 0 (zero) means that PFS is not configured for the profile

Local ip address—Local endpoint address
Example 1
host1:vr11#show ipsec transport profile
IPSEC transport profile goi1
IPSEC transport profile goi2
2 Ipsec transport profiles found
Example 2
host1:vr11#show ipsec transport profile goi1
IPSEC transport profile goi1
  Virtual router vr00
  Peer address 10.255.0.62
  Application gre,dvmrp
  Lifetime range in seconds 900 900
  Lifetime range in kilobytes 102400 4294967294
  TransformSet transport-esp-3des-sha1
  Pfs group 0
  Local ip address : 10.255.0.61
show l2tp destination profile

Use to display configuration information for an L2TP destination profile and its associated L2TP host profiles.

If single-shot tunnels are configured for a particular host profile, the command displays this information as an attribute of the profile for that remote host.

Field descriptions

Destination profile attributes:

Transport—Method used to transfer traffic

Virtual router—Name of the virtual router

Peer address—IP address of the LAC

Destination profile maximum sessions—Maximum number of sessions allowed for the destination profile

Destination profile current session count—Number of current sessions for the destination profile

Host profile attributes:

Remote host is—Name of the remote host

Tunnel password is—Password for the tunnel

Interface profile is—Name of the host profile

Local host name is—Name of the local host

Ipsec transport is—Status of the IPSec transport connection: enabled or disabled

Disconnect-cause avp is—Status of the disconnect cause AVP generation: enabled or disabled

Tunnels are single-shot—Indicates that single-shot tunnels are configured for this host profile

Current session count is—Number of current sessions for the host profile
Example
host1#show l2tp destination profile westford
L2TP destination profile westford
Configuration
  Destination address
    Transport ipUdp
    Virtual router default
    Peer address 172.31.1.99
Statistics
  Destination profile current session count is 1
Host profile attributes
  Remote host is lac-1
    Configuration
      Tunnel password is password
      Interface profile is tunneled-user
      Local host name is lns-1
      Ipsec transport is enabled
      Disconnect-cause avp is enabled
      Tunnels are single-shot
    Statistics
      Current session count is 1
1 L2TP host profile found

[Contents] [Prev] [Next] [Index] [Report an Error] [No Frames]