Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
This section contains information about troubleshooting and monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels.
System Event Logs
To troubleshoot and monitor DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following system event log:
- itm—IPSec transport mode
For more information about using event logs, see the JunosE System Event Logging Reference Guide.
show Commands
To display profile and connection information for DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec tunnels, use the following show commands.
show dvmrp tunnel
show gre tunnel
- Use to display information about DVMRP or GRE tunnels.
- If the tunnel is protected by IPSec, the show dvmrp tunnel detail and show gre tunnel detail commands include a line indicating the IPSec transport interface. The line is not shown for unsecured tunnels. The following is a partial display. See Monitoring IP Tunnels in Configuring IP Tunnels for full descriptions of the commands.
- Example
host1#show gre tunnel detail
Tunnel operational configuration
  Tunnel name is 'vr1'
  Tunnel mtu is '10240'
  Tunnel source address is '10.0.0.2'
  Tunnel destination address is '10.0.0.1'
  Tunnel transport virtual router is vr1
  Tunnel checksum option is disabled
  Tunnel up/down trap is enabled
  Tunnel server location is 4/0
  Tunnel secured by ipsec transport interface 1
  Tunnel administrative state is up
  . . .
- See show dvmrp tunnel.
- See show gre tunnel.
show ipsec ike-sa
show ike sa
Note: The show ipsec ike-sa command replaces the show ike sa command, which may be removed completely in a future release.
- Use to display IKE phase 1 SAs running on the router.
- When NAT-T is enabled on both the client PC and the E Series router, and the router has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in the Local:Port column is typically 4500. When NAT-T is disabled or not supported on one or both sides of the IKE SA negotiation, the local UDP port number is 500. (See the example that follows the field descriptions.)
- Field descriptions
- Local:Port—Local IP address and UDP port number of phase 1 negotiation
- Remote:Port—Remote IP address and UDP port number of phase 1 negotiation
- Time(Sec)—Time remaining in phase 1 lifetime, in seconds
- State—Current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. Possible states are:
- AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder
- AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator
- AM_FINAL_I—Initiator has finished aggressive mode negotiation
- AM_DONE_R—Responder has finished aggressive mode negotiation
- MM_SA_I—Initiator has sent initial main mode SA payload to the responder
- MM_SA_R—Responder has sent a response to the initial main mode SA
- MM_KE_I—Initiator has sent initial main mode key exchange to the responder
- MM_KE_R—Responder has sent a response to the key exchange
- MM_FINAL_I—Initiator has sent the final packet in the main mode negotiation
- MM_FINAL_R—Responder has finished main mode negotiation
- MM_DONE_I—Initiator has finished main mode negotiation
- DONE—Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages
- Local Cookie—Unique identifier (SPI) for the local phase 1 IKE SA
- Remote Cookie—Unique identifier (SPI) for the remote phase 1 IKE SA
- Example
The following example displays the IKE phase 1 SAs for three remote client PCs that are accessing an E Series router (IP address 21.227.9.8).
The first client PC listed (IP address 21.227.9.10) is not located behind a NAT device, and is therefore not using NAT-T to access the router. This PC appears in the Remote:Port column with its own IP address (21.227.9.10) and UDP port number 500.
The remaining two client PCs are located behind a NAT device that has IP address 21.227.9.11, and are using NAT-T to access the router. These PCs appear in the Remote:Port column with the same IP address (21.227.9.11) but with two different UDP port numbers, 4500 and 14500.
host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port         Remote:Port          Time(Sec)  State  Local Cookie        Remote Cookie
21.227.9.8:500     21.227.9.10:500      26133      DONE   0x87a943562124c711  0xafa2cf4a260399a4
21.227.9.8:4500    21.227.9.11:4500     28774      DONE   0x01f9efa234d45ad8  0xada4cb7cafee9243
21.227.9.8:4500    21.227.9.11:14500    28729      DONE   0x0c5ccb6b94b00051  0xe975c0ae3b9ca8bf
- See show ipsec ike-sa.
- See show ike sa.
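The NAT-T and state checks described above can be automated against captured show output. The following parser is an added example, not part of the JunosE documentation: it reads the `show ipsec ike-sa` table, derives whether NAT-T was negotiated from the local port, flags a remote port that a NAT device rewrote, and reports any SA whose phase 1 negotiation has not reached DONE. The sample input is the example from this page plus one constructed row (state MM_KE_I, cookies 0x...01/0x...00) added so the check has something to report; the function and class names are assumptions.

```python
"""Parse `show ipsec ike-sa` output and report IKE phase 1 SAs that are not
complete or whose UDP ports do not match the NAT-T behaviour described on
this page. Added example, not JunosE code."""
import re
from dataclasses import dataclass

# Copied from the documentation example; the last row is constructed to
# exercise the incomplete-negotiation check.
SAMPLE = """\
IKE Phase 1 SA's:
Local:Port         Remote:Port          Time(Sec)  State    Local Cookie        Remote Cookie
21.227.9.8:500     21.227.9.10:500      26133      DONE     0x87a943562124c711  0xafa2cf4a260399a4
21.227.9.8:4500    21.227.9.11:4500     28774      DONE     0x01f9efa234d45ad8  0xada4cb7cafee9243
21.227.9.8:4500    21.227.9.11:14500    28729      DONE     0x0c5ccb6b94b00051  0xe975c0ae3b9ca8bf
21.227.9.8:500     21.227.9.12:500      120        MM_KE_I  0x0000000000000001  0x0000000000000000
"""

# One data row: ip:port ip:port seconds state cookie cookie (whitespace separated)
ROW = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<secs>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<lcookie>0x[0-9a-fA-F]+)\s+(?P<rcookie>0x[0-9a-fA-F]+)\s*$"
)


@dataclass
class IkeSa:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    seconds_left: int
    state: str
    local_cookie: str
    remote_cookie: str

    @property
    def nat_t(self) -> bool:
        # NAT-T negotiated: the router moved its IKE endpoint to UDP/4500.
        return self.local_port == 4500

    @property
    def port_translated(self) -> bool:
        # A remote port other than 500/4500 means a NAT device rewrote it
        # (14500 in the page's example). A peer behind NAT may still show
        # 4500 if the NAT preserved the port, so this is a hint, not proof.
        return self.nat_t and self.remote_port not in (500, 4500)


def parse_ike_sa(text: str) -> list[IkeSa]:
    """Return one IkeSa per data row; banner and header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        sas.append(IkeSa(m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
                         int(m["secs"]), m["state"], m["lcookie"], m["rcookie"]))
    return sas


def describe_state(state: str) -> str:
    """Map the AM_*/MM_* state names from the field descriptions to
    exchange mode and role so a stuck SA is easier to attribute."""
    mode = ("aggressive mode" if state.startswith("AM_")
            else "main mode" if state.startswith("MM_") else "unknown mode")
    role = ("initiator" if state.endswith("_I")
            else "responder" if state.endswith("_R") else "unknown role")
    return f"{mode}, {role}"


def findings(sas: list[IkeSa]) -> list[str]:
    """Conditions worth a second look: incomplete phase 1, or ports that
    contradict the NAT-T rule (local 500 with a rewritten remote port)."""
    out = []
    for sa in sas:
        peer = f"{sa.remote_ip}:{sa.remote_port}"
        if sa.state != "DONE":
            out.append(f"{peer}: phase 1 not complete (state {sa.state}, {describe_state(sa.state)})")
        if sa.local_port not in (500, 4500):
            out.append(f"{peer}: unexpected local IKE port {sa.local_port}")
        if sa.local_port == 500 and sa.remote_port != 500:
            out.append(f"{peer}: remote port rewritten but NAT-T was not negotiated")
    return out


if __name__ == "__main__":
    sas = parse_ike_sa(SAMPLE)
    for sa in sas:
        print(f"{sa.remote_ip}:{sa.remote_port} nat_t={sa.nat_t} "
              f"port_translated={sa.port_translated} state={sa.state}")
    for f in findings(sas):
        print("WARNING:", f)
```

Run it against a saved copy of the command output; in the page's example the first SA shows nat_t False, the second nat_t True with the port intact, and the third nat_t True with the remote port translated to 14500.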
show ipsec option
- Use to display whether NAT-T is enabled or disabled on the current virtual router.
- The show ipsec option command also displays the status of dead peer detection (DPD) on the virtual router. For information about configuring and monitoring DPD, see Configuring IPSec.
- Example
host1:westford#show ipsec option
IPsec options:
  Dead Peer Detection: disabled
  NAT Traversal      : enabled
- See show ipsec option.
show ipsec transport interface
- Use to display information about transport connections.
- Field descriptions
- IPSec transport interface—Number and status of the IPSec transport connection
- Configuration
- Virtual router—Virtual router on which this profile is configured
- Application—Type of application the connection can protect
- pfs group—PFS group being used for the connection
- Mtu—Tunnel's MTU size
- Local address—Local endpoint address
- Remote address—Remote endpoint address
- Local identity—Shows the subnet, protocol, and port
- Remote identity—Shows the subnet, protocol, and port
- Inbound spi—Inbound security parameter index
- Inbound transform—Inbound algorithm
- Inbound lifetime—Inbound configured lifetime in seconds and kilobytes
- Outbound spi—Outbound security parameter index
- Outbound transform—Outbound algorithm
- Outbound lifetime—Outbound configured lifetime in seconds and kilobytes
- Statistics
- InUserPackets—Number of user packets received
- InUserOctets—Number of octets received from user packets
- InAccPackets—Number of encapsulated packets received
- InAccOctets—Number of octets received in encapsulated packets
- InAuthErrors—Number of authentication errors received
- InReplayErrors—Number of received packets rejected by the anti-replay check
- InPolicyErrors—Number of policy errors in received traffic
- InOtherRxErrors—Number of packets received that have errors other than those listed above
- InDecryptErrors—Number of decryption errors in received traffic
- InPadErrors—Number of received packets whose ESP padding was invalid after decryption
- OutUserPackets—Number of user packets sent
- OutUserOctets—Number of octets sent in user packets
- OutAccPackets—Number of encapsulated packets sent
- OutAccOctets—Number of octets sent in encapsulated packets
- OutPolicyErrors—Number of packets arriving at the transport connection for encapsulation that do not meet the specified identifier (selector)
- OutOtherTxErrors—Number of outbound packets that have errors other than those listed above
- Example 1
host1:vr11#show ipsec transport interface
IPSEC transport interface 5 is Up
IPSEC transport interface 6 is Up
2 Ipsec transport interfaces found
- Example 2
host1:vr11#show ipsec transport interface 5
IPSEC transport interface 5 is Up
- Example 3
host1:vr11#show ipsec transport interface detail 5
IPSEC transport interface 5 is Up
Configuration
  Virtual router vr00
  Application gre
  No pfs group
  Mtu is 1440
  Local address is 10.255.0.61
  Remote address is 10.255.0.62
  Local identity is subnet 10.255.0.61 255.255.255.255, proto 47, port 0
  Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port 0
  Inbound spi 0x15c30204
  Inbound transform transport-esp-3des-sha1
  Inbound lifetime 900 seconds 102400 kilobytes
  Outbound spi is 0x16a10205
  Outbound transform transport-esp-3des-sha1
  Outbound lifetime 900 seconds 102400 kilobytes
Statistics
  InUserPackets 5
  InUserOctets 270
  InAccPackets 5
  InAccOctets 440
  InAuthErrors 0
  InReplayErrors 0
  InPolicyErrors 0
  InOtherRxErrors 0
  InDecryptErrors 0
  InPadErrors 0
  OutUserPackets 5
  OutUserOctets 270
  OutAccPackets 5
  OutAccOctets 440
  OutPolicyErrors 0
  OutOtherTxErrors 0
- See show ipsec transport interface.
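The statistics above are the first place to look when a secured tunnel passes some traffic but drops the rest. The following parser is an added example, not part of the JunosE documentation: it reads the `show ipsec transport interface detail` output, extracts the configuration and counter fields, and reports the counters that should never increase on a healthy connection (authentication, replay, decryption, padding and policy errors), along with a legacy transform or missing PFS. SAMPLE is the Example 3 output reflowed one field per line, with InReplayErrors changed from 0 to 3 (constructed) so the check has something to report; the function names and the set of counters treated as errors are assumptions.

```python
"""Parse `show ipsec transport interface detail` output and report the
counters and settings a reviewer would act on. Added example, not JunosE code."""
import re

# Example 3 from this page, with InReplayErrors set to 3 (constructed).
SAMPLE = """\
IPSEC transport interface 5 is Up
Configuration
  Virtual router vr00
  Application gre
  No pfs group
  Mtu is 1440
  Local address is 10.255.0.61
  Remote address is 10.255.0.62
  Local identity is subnet 10.255.0.61 255.255.255.255, proto 47, port 0
  Remote identity is subnet 10.255.0.62 255.255.255.255, proto 47, port 0
  Inbound spi 0x15c30204
  Inbound transform transport-esp-3des-sha1
  Inbound lifetime 900 seconds 102400 kilobytes
  Outbound spi is 0x16a10205
  Outbound transform transport-esp-3des-sha1
  Outbound lifetime 900 seconds 102400 kilobytes
Statistics
  InUserPackets 5
  InUserOctets 270
  InAccPackets 5
  InAccOctets 440
  InAuthErrors 0
  InReplayErrors 3
  InPolicyErrors 0
  InOtherRxErrors 0
  InDecryptErrors 0
  InPadErrors 0
  OutUserPackets 5
  OutUserOctets 270
  OutAccPackets 5
  OutAccOctets 440
  OutPolicyErrors 0
  OutOtherTxErrors 0
"""

# Counters that indicate tampering, key/transform mismatch or selector
# problems rather than ordinary load; what a nonzero value usually means.
ERROR_COUNTERS = {
    "InAuthErrors": "ESP integrity check failed (forged or corrupted packets)",
    "InReplayErrors": "anti-replay window rejected packets (replay or heavy reordering)",
    "InDecryptErrors": "decryption failed (key or transform mismatch)",
    "InPadErrors": "ESP padding invalid after decryption",
    "InPolicyErrors": "inbound packets did not match the negotiated selector",
    "OutPolicyErrors": "outbound packets did not match the configured selector",
}

HEADER = re.compile(r"^IPSEC transport interface (\d+) is (\w+)$")
SPI = re.compile(r"^(Inbound|Outbound) spi (?:is )?(0x[0-9a-fA-F]+)$")
TRANSFORM = re.compile(r"^(Inbound|Outbound) transform (\S+)$")
LIFETIME = re.compile(r"^(Inbound|Outbound) lifetime (\d+) seconds (\d+) kilobytes$")
IDENTITY = re.compile(r"^(Local|Remote) identity is subnet (\S+) (\S+), proto (\d+), port (\d+)$")
ADDRESS = re.compile(r"^(Local|Remote) address is (\S+)$")
COUNTER = re.compile(r"^([A-Za-z]+) (\d+)$")


def parse_transport_detail(text: str) -> dict:
    """Return {"interface", "status", "config": {...}, "stats": {...}}."""
    info = {"config": {}, "stats": {}}
    cfg, stats = info["config"], info["stats"]
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := HEADER.match(line):
            info["interface"], info["status"] = int(m[1]), m[2]
        elif line in ("Configuration", "Statistics"):
            section = line
        elif section == "Statistics":
            if m := COUNTER.match(line):
                stats[m[1]] = int(m[2])
        elif m := SPI.match(line):
            cfg[m[1].lower() + "_spi"] = int(m[2], 16)
        elif m := TRANSFORM.match(line):
            cfg[m[1].lower() + "_transform"] = m[2]
        elif m := LIFETIME.match(line):
            cfg[m[1].lower() + "_lifetime"] = (int(m[2]), int(m[3]))  # (seconds, kilobytes)
        elif m := IDENTITY.match(line):
            cfg[m[1].lower() + "_identity"] = {"subnet": m[2], "mask": m[3],
                                               "proto": int(m[4]), "port": int(m[5])}
        elif m := ADDRESS.match(line):
            cfg[m[1].lower() + "_address"] = m[2]
        elif line == "No pfs group":
            cfg["pfs_group"] = None
        elif m := re.match(r"^Mtu is (\d+)$", line):
            cfg["mtu"] = int(m[1])
        elif m := re.match(r"^(Virtual router|Application) (\S+)$", line):
            cfg[m[1].lower().replace(" ", "_")] = m[2]
    return info


def review(info: dict) -> list[str]:
    """Findings in the order a practitioner would triage them."""
    out = []
    if info.get("status") != "Up":
        out.append(f"interface {info.get('interface')} is {info.get('status')}")
    for name, meaning in ERROR_COUNTERS.items():
        if n := info["stats"].get(name, 0):
            out.append(f"{name}={n}: {meaning}")
    cfg = info["config"]
    for direction in ("inbound", "outbound"):
        xf = cfg.get(f"{direction}_transform", "")
        if "3des" in xf or xf.endswith("-md5"):  # 3DES and MD5 are deprecated
            out.append(f"{direction} transform {xf} uses a legacy algorithm")
    if "pfs_group" in cfg and cfg["pfs_group"] is None:
        out.append("PFS is not configured for this connection")
    # The selectors should match the protected application: GRE is IP protocol 47.
    if cfg.get("application") == "gre":
        for side in ("local", "remote"):
            ident = cfg.get(f"{side}_identity")
            if ident and ident["proto"] != 47:
                out.append(f"{side} identity proto {ident['proto']} does not match application gre")
    return out


if __name__ == "__main__":
    for finding in review(parse_transport_detail(SAMPLE)):
        print("WARNING:", finding)
```

A rising InReplayErrors count with the user counters otherwise healthy usually means reordering across parallel paths or a replayed capture; InAuthErrors or InDecryptErrors climbing together with InAccPackets points at a key or transform mismatch after a rekey, which the lifetime fields (900 seconds here) help correlate.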
show ipsec transport interface summary
- Use to display a summary of existing IPSec transport connections by application and state.
- Field descriptions
- up—Number of IPSec transport interfaces that are currently up
- down—Number of IPSec transport interfaces that are currently down
- upper-bound—Number of IPSec transport interfaces that are currently bound to the upper layer
- Example
host1:vr11#show ipsec transport interface summary
Operational status
  up  down  upper-bound
  2   0     2
- See show ipsec transport interface.
show ipsec transport profile
- Use to display the configuration of an IPSec transport profile.
- Field descriptions
- IPSec transport profile—Name of the profile
- Virtual router—Virtual router on which this profile is configured
- Peer address—Remote endpoint address
- Application—Type(s) of application that this profile is protecting
- Lifetime range in seconds—Lifetime range in seconds configured for the profile
- Lifetime range in kilobytes—Lifetime range in kilobytes configured for the profile
- TransformSet—Transform set(s) configured for the profile
- Pfs group—PFS group configured for the profile; 0 (zero) means that PFS is not configured for the profile
- Local ip address—Local endpoint address
- Example 1
host1:vr11#show ipsec transport profile
IPSEC transport profile goi1
IPSEC transport profile goi2
2 Ipsec transport profiles found
- Example 2
host1:vr11#show ipsec transport profile goi1
IPSEC transport profile goi1
  Virtual router vr00
  Peer address 10.255.0.62
  Application gre,dvmrp
  Lifetime range in seconds 900 900
  Lifetime range in kilobytes 102400 4294967294
  TransformSet transport-esp-3des-sha1
  Pfs group 0
  Local ip address : 10.255.0.61
- See show ipsec transport profile.
show l2tp destination profile
- Use to display configuration information for an L2TP destination profile and its associated L2TP host profiles.
- If single-shot tunnels are configured for a particular host profile, the command displays this information as an attribute of the profile for that remote host.
- Field descriptions
- Destination profile attributes:
- Transport—Method used to transfer traffic
- Virtual router—Name of the virtual router
- Peer address—IP address of the LAC
- Destination profile maximum sessions—Maximum number of sessions allowed for the destination profile
- Destination profile current session count—Number of current sessions for the destination profile
- Host profile attributes:
- Remote host is—Name of the remote host
- Tunnel password is—Password for the tunnel; it is displayed in clear text, so treat the command output as sensitive
- Interface profile is—Name of the host profile
- Local host name is—Name of the local host
- Ipsec transport is—Status of the IPSec transport connection: enabled or disabled
- Disconnect-cause avp is—Status of the disconnect cause AVP generation: enabled or disabled
- Tunnels are single-shot—Indicates that single-shot tunnels are configured for this host profile
- Current session count is—Number of current sessions for the host profile
- Example
host1#show l2tp destination profile westford
L2TP destination profile westford
  Configuration
    Destination address
      Transport ipUdp
      Virtual router default
      Peer address 172.31.1.99
  Statistics
    Destination profile current session count is 1
  Host profile attributes
    Remote host is lac-1
      Configuration
        Tunnel password is password
        Interface profile is tunneled-user
        Local host name is lns-1
        Ipsec transport is enabled
        Disconnect-cause avp is enabled
        Tunnels are single-shot
      Statistics
        Current session count is 1
1 L2TP host profile found
- See show l2tp destination profile.