Monitoring IPsec VPN—Phase I

Purpose

View IPsec VPN Phase I information.

Action

Select Monitor>IPSec VPN>Phase I in the J-Web user interface.

Table 231 describes the available options for monitoring IPsec VPN-Phase I.

Table 231: IPsec VPN—Phase I Monitoring Page

FieldValuesAdditional Information
IKE SA Tab Options
IKE Security Associations

SA Index

Index number of an SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.

Initiator Cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder Cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie’s authenticity.

Mode

Negotiation method agreed upon by the two IPsec endpoints, or peers, used to exchange information. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.

Related Documentation