IPSec VPN

Monitoring IPsec VPN—Phase I

To view IPsec VPN Phase I information, select Monitor>IPSec VPN>Phase I in the J-Web interface.

Table 169 describes the available options for monitoring IPsec VPN—Phase I.

Table 169: IPsec VPN—Phase I Monitoring Page

Columns: Field, Values, Additional Information
IKE SA Tab Options
IKE Security Associations

SA Index

Index number of an SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.

Initiator Cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.


Responder Cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

Additional information: the cookie exchange protects a peer's computing resources from attack, because a peer can check a cookie's authenticity without spending excessive CPU resources on it.

Mode

Negotiation method agreed upon by the two IPsec endpoints, or peers, used to exchange information. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.

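The Phase I fields above (state, initiator and responder cookies, and mode) are what an operator checks when auditing IKE tunnels. The following script is an added example, not Juniper code: it parses a constructed, whitespace-separated export of those fields (the column layout and every value in it are assumptions of this example) and reports SAs that are DOWN, SAs negotiated in Aggressive mode (where the neighbor's identity travels unencrypted), malformed cookies, and UP SAs whose responder cookie was never set.

```python
"""Audit an IKE (Phase I) SA listing for down tunnels and aggressive-mode peers.

Added example; this is not Juniper's code. The input format below is an
assumption: one IKE SA per row, columns named after the Phase I table fields.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample listing (not captured from a device).
SAMPLE_IKE_SA = """\
index remote_address state initiator_cookie responder_cookie mode
1 203.0.113.10 UP 7f3a9c1d2b4e6f80 1a2b3c4d5e6f7081 Main
2 198.51.100.7 DOWN 5c6d7e8f90a1b2c3 0000000000000000 Aggressive
3 192.0.2.44 UP 9e8d7c6b5a493827 8899aabbccddeeff Aggressive
4 192.0.2.45 UP 1111222233334444 0000000000000000 Main
"""

# An IKEv1 cookie is 8 bytes, displayed as 16 hex digits; all zeros means "not set".
COOKIE_RE = re.compile(r"^[0-9a-f]{16}$")
ZERO_COOKIE = "0" * 16


@dataclass
class IkeSa:
    index: int
    remote_address: str
    state: str
    initiator_cookie: str
    responder_cookie: str
    mode: str


def parse_ike_sas(text: str) -> List[IkeSa]:
    """Parse the header-plus-rows export into IkeSa records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cols))
        records.append(IkeSa(
            index=int(row["index"]),
            remote_address=row["remote_address"],
            state=row["state"].upper(),
            initiator_cookie=row["initiator_cookie"].lower(),
            responder_cookie=row["responder_cookie"].lower(),
            mode=row["mode"].lower(),
        ))
    return records


def audit_ike_sas(sas: List[IkeSa]) -> List[Tuple[int, str, str]]:
    """Return (sa_index, finding_code, detail) for each condition worth an alert."""
    findings = []
    for sa in sas:
        if sa.state != "UP":
            findings.append((sa.index, "SA_DOWN",
                             f"no IKE SA negotiated with {sa.remote_address}"))
        if sa.mode == "aggressive":
            findings.append((sa.index, "AGGRESSIVE_MODE",
                             f"{sa.remote_address}: neighbor identity is not encrypted"))
        for name, cookie in (("initiator", sa.initiator_cookie),
                             ("responder", sa.responder_cookie)):
            if not COOKIE_RE.match(cookie):
                findings.append((sa.index, "BAD_COOKIE",
                                 f"{name} cookie {cookie!r} is not 8 bytes of hex"))
        # The responder sets its cookie in its first reply, so an UP SA must have one.
        if sa.state == "UP" and sa.responder_cookie == ZERO_COOKIE:
            findings.append((sa.index, "INCONSISTENT",
                             f"{sa.remote_address}: state UP but responder cookie unset"))
    return findings


def count_by_code(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Tally findings per code, e.g. for a dashboard or alert threshold."""
    counts: Dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, code, detail in audit_ike_sas(parse_ike_sas(SAMPLE_IKE_SA)):
        print(f"SA {idx}: {code}: {detail}")
```

On the constructed sample the script reports SA 2 as down and aggressive, SA 3 as aggressive, and SA 4 as inconsistent (UP with no responder cookie); the aggressive-mode finding is the one to chase first, since it means a peer is configured to exchange identities in the clear.
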
Monitoring IPsec VPN—Phase II

To view IPsec VPN Phase II information, select Monitor>IPSec VPN>Phase II in the J-Web interface.

Table 170 describes the available options for monitoring IPsec VPN—Phase II.

Table 170: IPsec VPN—Phase II Monitoring Page

Columns: Field, Values, Additional Information
Statistics Tab Details

By bytes

Provides the total number of bytes encrypted and decrypted by the local system across the IPsec tunnel.

By packets

Provides the total number of packets encrypted and decrypted by the local system across the IPsec tunnel.

IPsec Statistics

Provides details of the IPsec statistics.

IPsec SA Tab Details
IPsec Security Associations

ID

Index number of the SA.

Gateway/Port

IP address and port of the remote gateway.

Algorithm

Cryptography scheme used to secure exchanges between peers during the IKE Phase II negotiations:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96 or hmac-sha1-96.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase I and Phase II.

Life

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Monitoring

Indicates whether VPN liveness monitoring is enabled for the SA: 'U' means enabled, '—' means disabled.

Vsys

Specifies the root system.
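The Phase II table gives the per-SA facts (gateway/port, algorithms, SPI per direction, remaining lifetime, monitoring flag) that a routine health check should look at together. The following script is an added example, not Juniper code: it parses a constructed, whitespace-separated export with one row per SA direction, where the Life column is split into remaining seconds and remaining kilobytes ("unlim" meaning no byte limit); that layout, the sample values and the alert thresholds are all assumptions of this example. It reports tunnels missing an inbound or outbound SA, SAs close to expiry, SAs using an MD5-based integrity algorithm (which RFC 8221 lists as MUST NOT for ESP/AH), and tunnels with VPN monitoring disabled.

```python
"""Audit an IPsec (Phase II) SA listing.

Added example; this is not Juniper's code. Input layout is an assumption:
one row per SA direction, Life split into remaining seconds / kilobytes.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample listing (not captured from a device).
SAMPLE_IPSEC_SA = """\
id dir gateway port algorithm spi life_sec life_kb mon vsys
131073 in 203.0.113.10 500 aes-cbc-128/hmac-sha1-96 c4f1a2b3 3590 unlim U root
131073 out 203.0.113.10 500 aes-cbc-128/hmac-sha1-96 9d8e7f60 3590 unlim U root
131074 in 198.51.100.7 4500 3des-cbc/hmac-md5-96 01ab23cd 45 unlim - root
131074 out 198.51.100.7 4500 3des-cbc/hmac-md5-96 ef45ab67 45 unlim - root
131075 out 192.0.2.44 500 aes-cbc-256/hmac-sha1-96 77665544 2800 1024 U root
"""

# Alert thresholds: assumptions for this example, tune to the rekey interval in use.
LIFETIME_WARN_SECONDS = 300
LIFETIME_WARN_KB = 2048


@dataclass
class IpsecSa:
    sa_id: int
    direction: str        # "in" or "out"; each tunnel has one SPI per direction
    gateway: str
    port: int
    encryption: str
    integrity: str
    spi: str
    life_sec: int         # remaining lifetime in seconds
    life_kb: Optional[int]  # remaining lifetime in kilobytes, None if unlimited
    monitoring: bool      # 'U' in the Monitoring column means enabled
    vsys: str


def parse_ipsec_sas(text: str) -> List[IpsecSa]:
    """Parse the header-plus-rows export into IpsecSa records."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) != len(header):
            raise ValueError(f"malformed row: {line!r}")
        row = dict(zip(header, cols))
        encryption, _, integrity = row["algorithm"].lower().partition("/")
        kb = None if row["life_kb"].lower() == "unlim" else int(row["life_kb"])
        records.append(IpsecSa(
            sa_id=int(row["id"]), direction=row["dir"].lower(),
            gateway=row["gateway"], port=int(row["port"]),
            encryption=encryption, integrity=integrity, spi=row["spi"].lower(),
            life_sec=int(row["life_sec"]), life_kb=kb,
            monitoring=(row["mon"] == "U"), vsys=row["vsys"],
        ))
    return records


def audit_ipsec_sas(sas: List[IpsecSa]) -> List[Tuple[int, str, str]]:
    """Return (sa_id, finding_code, detail) for per-SA and per-tunnel checks."""
    findings = []
    by_id: Dict[int, Dict[str, IpsecSa]] = defaultdict(dict)
    for sa in sas:
        by_id[sa.sa_id][sa.direction] = sa
        # Per-SA checks: each direction has its own algorithms and lifetime.
        if sa.integrity.startswith("hmac-md5"):
            findings.append((sa.sa_id, "WEAK_INTEGRITY",
                             f"{sa.direction} SA to {sa.gateway} uses {sa.integrity}"))
        if sa.life_sec < LIFETIME_WARN_SECONDS:
            findings.append((sa.sa_id, "LIFETIME_SECONDS_LOW",
                             f"{sa.direction} SA expires in {sa.life_sec}s"))
        if sa.life_kb is not None and sa.life_kb < LIFETIME_WARN_KB:
            findings.append((sa.sa_id, "LIFETIME_KB_LOW",
                             f"{sa.direction} SA has {sa.life_kb} KB left"))
    # Per-tunnel checks: monitoring is a tunnel property, and both directions must exist.
    for sa_id, dirs in sorted(by_id.items()):
        for d in ("in", "out"):
            if d not in dirs:
                findings.append((sa_id, "MISSING_DIRECTION", f"no {d}bound SA"))
        if not any(sa.monitoring for sa in dirs.values()):
            gw = next(iter(dirs.values())).gateway
            findings.append((sa_id, "MONITORING_OFF",
                             f"VPN monitoring disabled for tunnel to {gw}"))
    return findings


def count_by_code(findings: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """Tally findings per code."""
    counts: Dict[str, int] = {}
    for _, code, _ in findings:
        counts[code] = counts.get(code, 0) + 1
    return counts


if __name__ == "__main__":
    for sa_id, code, detail in audit_ipsec_sas(parse_ipsec_sas(SAMPLE_IPSEC_SA)):
        print(f"SA {sa_id}: {code}: {detail}")
```

The two-phase structure described under SPI is why the script groups rows by SA ID before checking directions: a tunnel that shows only an outbound SA is either mid-rekey or broken, and either way it deserves a look before the seconds-based lifetime runs out.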