[Prev][Next][Report an Error]

Monitoring IPSec Tunnels

IPsec tunnel information includes information about active IPsec tunnels configured on the routing platform, as well as traffic statistics through the tunnels. To view IPsec tunnel information, select Monitor > IPSec in the J-Web interface, or enter the following CLI show commands:

Note: After you make changes to the configuration in this window, you must commit the changes immediately for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes (J-Web Procedure) for details about all commit options.

To limit the display of IDS information, type or select information in one or more of the Narrow Search boxes listed in Table 45 click OK.

Alternatively, enter the following CLI show commands:

Table 45 summarizes key output fields for stateful firewall filter intrusion detection.

Table 45: IDS Search-Narrowing Characteristics

Field

Values

IPSec Tunnels

Service Set

Name of the service set for which the IPSec tunnel is defined.

Rule

Name of the rule set applied to the IPSec tunnel.

Term

Name of the IPSec term applied to the IPSec tunnel.

Local Gateway

Gateway address of the local system.

Remote Gateway

Gateway address of the remote system.

Direction

Direction of the IPSec tunnel: Inbound or Outbound.

Protocol

Protocol supported: either Encapsulation Security Protocol (ESP) or Authentication Header and ESP (AH+ESP).

Tunnel Index

Numeric identifier of the IPSec tunnel.

Tunnel Local Identity

Prefix and port number of the local endpoint of the IPSec tunnel.

Tunnel Remote Identity

Prefix and port number of the remote endpoint of the IPSec tunnel.

IPSec Statistics

Service Set

Name of the service set for which the IPSec tunnel is defined.

Local Gateway

Gateway address of the local system.

Remote Gateway

Gateway address of the remote system.

ESP Encrypted Bytes

Total number of bytes encrypted by the local system across the IPSec tunnel.

ESP Decrypted Bytes

Total number of bytes decrypted by the local system across the IPSec tunnel.

AH Input Bytes

Total number of bytes received by the local system across the IPSec tunnel.

AH Output Bytes

Total number of bytes transmitted by the local system across the IPSec tunnel.

IKE Security

Remote Address

Responder's address.

State

State of the IKE security association:

  • Matured—IKE security association is established.
  • Not matured—IKE security association is in the process of negotiation.

Initiator Cookie

Random number sent to the remote node when the IKE negotiation is triggered. This number is generated by means of an algorithm and information shared during the IKE negotiation. Cookies provide a basic form of authenticity protection to help prevent denial-of-service (DoS) attacks.

Responder Cookie

Random number generated by the remote node when it receives the initiator cookie. The remote node sends the cookie back to the IKE initiator as verification that the negotiation packets were received.

Exchange Type

Type of IKE exchange. The IKE exchange type determines the number of messages in the exchange and the payload types contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants.

Role

Role of the router in the IKE exchange: Initiator or Responder.

Authentication Method

Method used for IKE authentication. The type of authentication determines which payloads are exchanged and when they are exchanged.

Local Address

Prefix and port number of the local tunnel endpoint.

Remote Address

Prefix and port number of the remote tunnel endpoint.

Lifetime

Number of seconds remaining until the IKE security association expires.

Algorithm Authentication

Type of authentication algorithm used for the security association: md5 or sha1.

Algorithm Encryption

Type of encryption algorithm used for the security association: des-cbc, 3des-cbc, or None.

Algorithm PRF

The pseudorandom function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

Input Bytes

Number of bytes received on the IKE security association.

Output Bytes

Number of bytes transmitted on the IKE security association.

Input Packets

Number of packets received on the IKE security association.

Output Packets

Number of packets transmitted on the IKE security association.

IPSec Security Associations

Number of IPSec security associations that have been created and deleted on the router. Only security associations whose negotiations are complete are listed. When a security association is taken down, it is listed as a deleted security association.

Phase 2 Negotiations in Progress

Number of phase 2 IKE negotiations in progress.


[Prev][Next][Report an Error]