Monitoring IPSec Tunnels

IPSec tunnel information includes information about active IPSec tunnels configured on the routing platform, as well as traffic statistics through the tunnels. To view IPSec tunnel information, select Monitor>IPSec in the J-Web interface, or enter the following CLI show commands:

show services ipsec-vpn ipsec statistics
show services ipsec-vpn ipsec security-associations
show services ipsec-vpn ike security-associations

Table 31 summarizes key output fields in IPSec displays.

Table 31: Summary of Key IPSec Output Fields

Field	Values
IPSec Tunnels
Service Set	Name of the service set for which the IPSec tunnel is defined.
Rule	Name of the rule set applied to the IPSec tunnel.
Term	Name of the IPSec term applied to the IPSec tunnel.
Local Gateway	Gateway address of the local system.
Remote Gateway	Gateway address of the remote system.
Direction	Direction of the IPSec tunnel: Inbound or Outbound.
Protocol	Protocol supported: either Encapsulation Security Protocol (ESP) or Authentication Header and ESP (AH+ESP).
Tunnel Index	Numeric identifier of the IPSec tunnel.
Tunnel Local Identity	Prefix and port number of the local endpoint of the IPSec tunnel.
Tunnel Remote Identity	Prefix and port number of the remote endpoint of the IPSec tunnel.
IPSec Statistics
Service Set	Name of the service set for which the IPSec tunnel is defined.
Local Gateway	Gateway address of the local system.
Remote Gateway	Gateway address of the remote system.
ESP Encrypted Bytes	Total number of bytes encrypted by the local system across the IPSec tunnel.
ESP Decrypted Bytes	Total number of bytes decrypted by the local system across the IPSec tunnel.
AH Input Bytes	Total number of bytes received by the local system across the IPSec tunnel.
AH Output Bytes	Total number of bytes transmitted by the local system across the IPSec tunnel.
IKE Security
Remote Address	Responder's address.
State	State of the IKE security association: Matured—IKE security association is established. Not matured—IKE security association is in the process of negotiation.
Initiator Cookie	Random number sent to the remote node when the IKE negotiation is triggered. This number is generated by means of an algorithm and information shared during the IKE negotiation. Cookies provide a basic form of authenticity protection to help prevent denial-of-service (DoS) attacks.
Responder Cookie	Random number generated by the remote node when it receives the initiator cookie. The remote node sends the cookie back to the IKE initiator as verification that the negotiation packets were received.
Exchange Type	Type of IKE exchange. The IKE exchange type determines the number of messages in the exchange and the payload types contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. J-series Services Routers support the following types of IKE exchanges: Main—IKE exchange is done with six messages. The Main exchange type encrypts the payload, protecting the identity of the neighbor. Aggressive—IKE exchange is done with three messages. The Aggressive exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.
Role	Role of the router in the IKE exchange: Initiator or Responder.
Authentication Method	Method used for IKE authentication. The type of authentication determines which payloads are exchanged and when they are exchanged. J-series Services Routers support only the pre-shared keys authentication type.
Local Address	Prefix and port number of the local tunnel endpoint.
Remote Address	Prefix and port number of the remote tunnel endpoint.
Lifetime	Number of seconds remaining until the IKE security association expires.
Algorithm Authentication	Type of authentication algorithm used for the security association: md5 or sha1.
Algorithm Encryption	Type of encryption algorithm used for the security association: des-cbc, 3des-cbc, or None.
Algorithm PRF	The pseudorandom function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.
Input Bytes	Number of bytes received on the IKE security association.
Output Bytes	Number of bytes transmitted on the IKE security association.
Input Packets	Number of packets received on the IKE security association.
Output Packets	Number of packets transmitted on the IKE security association.
IPSec Security Associations	Number of IPSec security associations that have been created and deleted on the router. Only security associations whose negotiations are complete are listed. When a security association is taken down, it is listed as a deleted security association.
Phase 2 Negotiations in Progress	Number of phase 2 IKE negotiations in progress.

For more information about the J-Web Monitor task, see Monitor Tasks.

[Report an Error]