[Prev][Report an Error]

Monitoring IPsec VPN Information

To view information about IPsec security (SAs), select Monitor>IPSec VPN>IPsec VPN in the J-Web interface. To view the IPsec statistics information for a particular SA, select the IPsec SA ID value on the IPsec VPN page.

Alternatively, enter the following CLI commands:

Table 44 summarizes key output fields in the IPsec VPN display.

Table 44: Summary of Key IPsec VPN Information Output Fields

Field

Values

Additional Information
IPsec Security Associations

Total configured SA

Total number of IPsec security associations (SAs) configured on the device.

 

ID

Index number of the SA.

  

Gateway

IP address of the remote gateway.

 

Port

If Network Address Translation (NAT-T) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

 

Algorithm

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-95 or hmac-sha1-96.
  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.
 

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

 

Life: sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

 

State

State has two options, Installed and Not Installed.

  • Installed—The security association is installed in the security association database.
  • Not Installed—The security association is not installed in the security association database.

For transport mode, the value of State is always Installed.

Vsys

The root system.

  
IPsec Statistics Information

ESP Statistics

Encapsulation Security Protocol (ESP) statistics include the following:

  • Encrypted bytes—Total number of bytes encrypted by the local system across the IPsec tunnel.
  • Decrypted bytes—Total number of bytes decrypted by the local system across the IPsec tunnel.
  • Encrypted packets—Total number of packets encrypted by the local system across the IPsec tunnel.
  • Decrypted packets—Total number of packets decrypted by the local system across the IPsec tunnel.
 

AH Statistics

Authentication Header (AH) statistics include the following:

  • Input bytes—The number of bytes presented for processing by the device.
  • Output bytes—The number of bytes actually processed by the device.
  • Input packets—The number of packets presented for processing by the device.
  • Output packets—The number of packets actually processed by the device.
 

Errors

Errors include the following

  • AH authentication failures—Total number of authentication header (AH) failures. An AH failure occurs when there is a mismatch of the authentication header in a packet transmitted across an IPsec tunnel.
  • Replay errors—Total number of replay errors. A replay error is generated when a duplicate packet is received within the replay window.
  • ESP authentication failures—Total number of Encapsulation Security Payload (ESP) failures. An ESP failure occurs when there is an authentication mismatch in ESP packets.
  • ESP decryption failures—Total number of ESP decryption errors.
  • Bad headers—Total number of invalid headers detected.
  • Bad trailers—Total number of invalid trailers detected.
 
Details for IPsec SA Index: ID

Virtual System

The root system.

  

Local Gateway

Gateway address of the local system.

  

Remote Gateway

Gateway address of the remote system.

  

Local identity

Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name.

 

Remote identity

IPv4 address of the destination peer gateway.

 

Df bit

State of the don’t fragment bit—set or cleared.

 

Policy name

Name of the applicable policy.

  

Direction

Direction of the security association—inbound, or outbound.

 

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

 

Mode

Mode of the security association. Mode can be transport or tunnel.

  • transport—Protects host-to-host connections.
  • tunnel—Protects connections between security gateways.
 

Type

Type of the security association, either manual or dynamic.

  • manual—Security parameters require no negotiation. They are static and are configured by the user.
  • dynamic—Security parameters are negotiated by the IKE protocol. Dynamic security associations are not supported in transport mode.
 

State

State has two options, Installed, and Not Installed.

  • Installed—The security association is installed in the security association database.
  • Not Installed—The security association is not installed in the security association database.

For transport mode, the value of State is always Installed.

Protocol

Protocol supported:

  • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).
  • Tunnel mode supports ESP and AH.
    • Authentication—Type of authentication used.
    • Encryption—Type of encryption used.
 

Authentication/ Encryption
  • Authentication—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—Advanced Encryption Standard (AES) 192-bit encryption.
    • aes-128-cbc—Advanced Encryption Standard (AES) 128-bit encryption.
    • 3des-cbc—3 Data Encryption Standard (DES) encryption.
    • des-cbc—Data Encryption Standard (DES) encryption.
 

Soft Lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire.

  • Expires in seconds—Number of seconds left until the SA expires.
  • Expires in kilobytes—Number of kilobytes left until the SA expires.

Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires.

Hard Lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds—Number of seconds left until the SA expires.
  • Expires in kilobytes—Number of kilobytes left until the SA expires.
 

Anti Replay Service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

 

Replay Window Size

Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.

[Prev][Report an Error]

Copyright © 2010, Juniper Networks, Inc. All rights reserved. Trademark Notice.