[Prev][Next][Report an Error]

Monitoring IKE Gateway Information

To view information about IKE security associations (SAs), select Monitor>IPSec VPN>IKE Gateway in the J-Web interface. To view detailed information for a particular SA, select the IKE SA index on the IKE gateway page.

Alternatively, enter the following CLI commands:

Table 40 summarizes key output fields in the IKE gateway display.

Table 40: Summary of Key IKE SA Information Output Fields

Field

Values

Additional Information
IKE Security Associations

IKE SA Index

Index number of an SA.

This number is an internally generated number you can use to display information about a single SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

 

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.
 

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

 

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie’s authenticity.

Mode

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.
 
IKE Security Association (SA) Index

IKE Peer

IP address of the destination peer with which the local peer communicates.

 

IKE SA Index

Index number of an SA.

This number is an internally generated number you can use to display information about a single SA.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

 

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.
 

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

 

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie’s authenticity.

Exchange Type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.
 

Authentication Method

Path chosen for authentication.

  

Local

Address of the local peer.

  

Remote

Address of the remote peer.

  

Lifetime

Number of seconds remaining until the IKE SA expires.

 

Algorithm

IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption.
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption.
    • 3des-cbc—3 Data Encryption Standard (DES) encryption.
    • des-cbc—Data Encryption Standard (DES) encryption.
    • Pseudo random function—Cryptographically secure pseudorandom function family.
 

Traffic Statistics

Traffic statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

IPsec security associations

  • number created—The number of SAs created.
  • number deleted—The number of SAs deleted.
 

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

 

Message ID

Message identifier.

  

Local identity

Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name.

 

Remote identity

IPv4 address of the destination peer gateway.

  
[Prev][Next][Report an Error]

Copyright © 2010, Juniper Networks, Inc. All rights reserved. Trademark Notice.