Monitoring IPSec Tunnels

IPSec tunnel information includes information about active IPSec tunnels configured on the routing platform, as well as traffic statistics through the tunnels. To view IPSec tunnel information, select Monitor>IPSec in the J-Web interface, or enter the following CLI show commands:

Table 31 summarizes key output fields in IPSec displays.

Table 31: Summary of Key IPSec Output Fields

Each entry below gives the Field name followed by its Values.

IPSec Tunnels

  Service Set: Name of the service set for which the IPSec tunnel is defined.

  Rule: Name of the rule set applied to the IPSec tunnel.

  Term: Name of the IPSec term applied to the IPSec tunnel.

  Local Gateway: Gateway address of the local system.

  Remote Gateway: Gateway address of the remote system.

  Direction: Direction of the IPSec tunnel: Inbound or Outbound.

  Protocol: Protocol supported: either Encapsulation Security Protocol (ESP) or Authentication Header and ESP (AH+ESP).

  Tunnel Index: Numeric identifier of the IPSec tunnel.

  Tunnel Local Identity: Prefix and port number of the local endpoint of the IPSec tunnel.

  Tunnel Remote Identity: Prefix and port number of the remote endpoint of the IPSec tunnel.

IPSec Statistics

  Service Set: Name of the service set for which the IPSec tunnel is defined.

  Local Gateway: Gateway address of the local system.

  Remote Gateway: Gateway address of the remote system.

  ESP Encrypted Bytes: Total number of bytes encrypted by the local system across the IPSec tunnel.

  ESP Decrypted Bytes: Total number of bytes decrypted by the local system across the IPSec tunnel.

  AH Input Bytes: Total number of bytes received by the local system across the IPSec tunnel.

  AH Output Bytes: Total number of bytes transmitted by the local system across the IPSec tunnel.

IKE Security

  Remote Address: Responder's address.

  State: State of the IKE security association:

    • Matured—IKE security association is established.
    • Not matured—IKE security association is in the process of negotiation.

  Initiator Cookie: Random number sent to the remote node when the IKE negotiation is triggered. This number is generated by means of an algorithm and information shared during the IKE negotiation. Cookies provide a basic form of authenticity protection to help prevent denial-of-service (DoS) attacks.

  Responder Cookie: Random number generated by the remote node when it receives the initiator cookie. The remote node sends the cookie back to the IKE initiator as verification that the negotiation packets were received.

  Exchange Type: Type of IKE exchange. The IKE exchange type determines the number of messages in the exchange and the payload types contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. J-series Services Routers support the following types of IKE exchanges:

    • Main—IKE exchange is done with six messages. The Main exchange type encrypts the payload, protecting the identity of the neighbor.
    • Aggressive—IKE exchange is done with three messages. The Aggressive exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

  Role: Role of the router in the IKE exchange: Initiator or Responder.

  Authentication Method: Method used for IKE authentication. The type of authentication determines which payloads are exchanged and when they are exchanged. J-series Services Routers support only the pre-shared keys authentication type.

  Local Address: Prefix and port number of the local tunnel endpoint.

  Remote Address: Prefix and port number of the remote tunnel endpoint.

  Lifetime: Number of seconds remaining until the IKE security association expires.

  Algorithm Authentication: Type of authentication algorithm used for the security association: md5 or sha1.

  Algorithm Encryption: Type of encryption algorithm used for the security association: des-cbc, 3des-cbc, or None.

  Algorithm PRF: The pseudorandom function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

  Input Bytes: Number of bytes received on the IKE security association.

  Output Bytes: Number of bytes transmitted on the IKE security association.

  Input Packets: Number of packets received on the IKE security association.

  Output Packets: Number of packets transmitted on the IKE security association.

  IPSec Security Associations: Number of IPSec security associations that have been created and deleted on the router. Only security associations whose negotiations are complete are listed. When a security association is taken down, it is listed as a deleted security association.

  Phase 2 Negotiations in Progress: Number of phase 2 IKE negotiations in progress.
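As an added example (not part of this Juniper documentation), the following Python check shows how the Table 31 fields can drive tunnel monitoring: it flags IKE security associations negotiated in Aggressive mode or with the weaker algorithm choices listed above, and compares two polls of the IPSec statistics to spot tunnels that pass traffic in only one direction. The records are constructed dictionaries keyed by the field names, since the raw CLI output layout is not shown on this page.

```python
# Added example, not Juniper's code: a health check over the Table 31 fields.
# Records are constructed dictionaries keyed by the field names shown above.

# Constructed "IKE Security" records.
IKE_SAS = [
    {"Remote Address": "203.0.113.10", "State": "Matured", "Exchange Type": "Main",
     "Algorithm Authentication": "sha1", "Algorithm Encryption": "3des-cbc", "Lifetime": 2400},
    {"Remote Address": "203.0.113.20", "State": "Matured", "Exchange Type": "Aggressive",
     "Algorithm Authentication": "md5", "Algorithm Encryption": "des-cbc", "Lifetime": 45},
    {"Remote Address": "203.0.113.30", "State": "Not matured", "Exchange Type": "Main",
     "Algorithm Authentication": "sha1", "Algorithm Encryption": "3des-cbc", "Lifetime": 0},
]
# Two constructed polls of "IPSec Statistics", keyed by service set name.
STATS_T0 = {"vpn-a": {"ESP Encrypted Bytes": 1000, "ESP Decrypted Bytes": 800},
            "vpn-b": {"ESP Encrypted Bytes": 5000, "ESP Decrypted Bytes": 7000}}
STATS_T1 = {"vpn-a": {"ESP Encrypted Bytes": 9000, "ESP Decrypted Bytes": 800},
            "vpn-b": {"ESP Encrypted Bytes": 6500, "ESP Decrypted Bytes": 8200}}
WEAK_ENC = ("des-cbc", "None")

def check_ike(sas, min_lifetime=300):
    """Return (peer, finding) pairs that a tunnel monitor should surface."""
    findings = []
    for sa in sas:
        peer = sa["Remote Address"]
        if sa["State"] != "Matured":
            findings.append((peer, "IKE SA still negotiating"))
            continue  # algorithm and lifetime fields only matter once established
        if sa["Exchange Type"] == "Aggressive":
            findings.append((peer, "aggressive mode: peer identity sent in the clear"))
        if sa["Algorithm Encryption"] in WEAK_ENC:
            findings.append((peer, "weak encryption " + sa["Algorithm Encryption"]))
        if sa["Algorithm Authentication"] == "md5":
            findings.append((peer, "weak authentication md5"))
        if sa["Lifetime"] < min_lifetime:
            findings.append((peer, "IKE SA expires in %ds" % sa["Lifetime"]))
    return findings

def check_traffic(before, after):
    """Compare two polls; flag idle tunnels and tunnels passing traffic one way only."""
    findings = []
    for name, now in after.items():
        prev = before.get(name, {"ESP Encrypted Bytes": 0, "ESP Decrypted Bytes": 0})
        # Counters only grow; a drop means the counter was reset, so count from zero.
        out_b, in_b = (now[k] - prev[k] if now[k] >= prev[k] else now[k]
                       for k in ("ESP Encrypted Bytes", "ESP Decrypted Bytes"))
        if out_b == 0 and in_b == 0:
            findings.append((name, "no traffic since last poll"))
        elif out_b == 0 or in_b == 0:
            findings.append((name, "one-way traffic: out=%d in=%d" % (out_b, in_b)))
    return findings
```

Running check_ike(IKE_SAS) and check_traffic(STATS_T0, STATS_T1) on the constructed data flags the Aggressive-mode peer, the still-negotiating peer and the vpn-a tunnel that is encrypting but never decrypting.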

For more information about the J-Web Monitor task, see Monitor Tasks.
