Monitoring IPSec Tunnels
The IPsec tunnel display lists the active IPsec tunnels configured on the routing platform, along with traffic statistics for each tunnel. To view IPsec tunnel information, select Monitor > IPSec in the J-Web interface, or enter the following CLI show commands:
- show services ipsec-vpn ipsec statistics
- show services ipsec-vpn ipsec security-associations
- show services ipsec-vpn ike security-associations
Note: After you make changes to the configuration in this window, you must commit the changes immediately for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes (J-Web Procedure) for details about all commit options.
To limit the display of IDS information, type or select information in one or more of the Narrow Search boxes listed in Table 46, and then click OK.
Alternatively, enter the following CLI show commands:
- show services ids destination-table
- show services ids source-table
- show services ids pair-table
Table 46 summarizes key output fields for stateful firewall filter intrusion detection.
Table 46: IDS Search-Narrowing Characteristics
Field | Values |
---|---|
IPSec Tunnels | |
Service Set | Name of the service set for which the IPSec tunnel is defined. |
Rule | Name of the rule set applied to the IPSec tunnel. |
Term | Name of the IPSec term applied to the IPSec tunnel. |
Local Gateway | Gateway address of the local system. |
Remote Gateway | Gateway address of the remote system. |
Direction | Direction of the IPSec tunnel: Inbound or Outbound. |
Protocol | Protocol supported: either Encapsulating Security Payload (ESP) or Authentication Header and ESP (AH+ESP). |
Tunnel Index | Numeric identifier of the IPSec tunnel. |
Tunnel Local Identity | Prefix and port number of the local endpoint of the IPSec tunnel. |
Tunnel Remote Identity | Prefix and port number of the remote endpoint of the IPSec tunnel. |
IPSec Statistics | |
Service Set | Name of the service set for which the IPSec tunnel is defined. |
Local Gateway | Gateway address of the local system. |
Remote Gateway | Gateway address of the remote system. |
ESP Encrypted Bytes | Total number of bytes encrypted by the local system across the IPSec tunnel. |
ESP Decrypted Bytes | Total number of bytes decrypted by the local system across the IPSec tunnel. |
AH Input Bytes | Total number of bytes received by the local system across the IPSec tunnel. |
AH Output Bytes | Total number of bytes transmitted by the local system across the IPSec tunnel. |
IKE Security | |
Remote Address | Responder's address. |
State | State of the IKE security association. |
Initiator Cookie | Random number sent to the remote node when the IKE negotiation is triggered. This number is generated by means of an algorithm and information shared during the IKE negotiation. Cookies provide a basic form of authenticity protection to help prevent denial-of-service (DoS) attacks. |
Responder Cookie | Random number generated by the remote node when it receives the initiator cookie. The remote node sends the cookie back to the IKE initiator as verification that the negotiation packets were received. |
Exchange Type | Type of IKE exchange. The IKE exchange type determines the number of messages in the exchange and the payload types contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. |
Role | Role of the router in the IKE exchange: Initiator or Responder. |
Authentication Method | Method used for IKE authentication. The type of authentication determines which payloads are exchanged and when they are exchanged. |
Local Address | Prefix and port number of the local tunnel endpoint. |
Remote Address | Prefix and port number of the remote tunnel endpoint. |
Lifetime | Number of seconds remaining until the IKE security association expires. |
Algorithm Authentication | Type of authentication algorithm used for the security association: md5 or sha1. |
Algorithm Encryption | Type of encryption algorithm used for the security association: des-cbc, 3des-cbc, or None. |
Algorithm PRF | Pseudorandom function used to derive the keying material for the security association: hmac-md5 or hmac-sha1. |
Input Bytes | Number of bytes received on the IKE security association. |
Output Bytes | Number of bytes transmitted on the IKE security association. |
Input Packets | Number of packets received on the IKE security association. |
Output Packets | Number of packets transmitted on the IKE security association. |
IPSec Security Associations | Number of IPSec security associations that have been created and deleted on the router. Only security associations whose negotiations are complete are listed. When a security association is taken down, it is listed as a deleted security association. |
Phase 2 Negotiations in Progress | Number of phase 2 IKE negotiations in progress. |
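The IKE Security and IPSec Statistics fields above are the ones an operator would poll to judge tunnel health: the algorithm columns show whether a security association was negotiated with a legacy cipher or hash, Lifetime shows how close it is to expiry, and the ESP byte counters show whether traffic is actually flowing in both directions. The following Python script is an added example, not part of the Juniper documentation or of any Juniper tool. It assumes those fields have already been extracted from the `show services ipsec-vpn` output into plain records (for example through a scripted CLI or NETCONF session); the sample records embedded in it are constructed values, not real router output. Counter deltas are taken between two successive samples, so a tunnel whose ESP counters do not move between polls is reported as idle, a tunnel whose encrypted counter moves while the decrypted counter does not is reported as one-way, and a counter that goes backwards is reported as a reset (the SA was re-established).

```python
"""Audit IPsec monitoring data for weak algorithms, near-expiry IKE SAs,
and tunnels that carry no (or only one-way) traffic.

Added example; assumes the table fields were already parsed into the
dataclasses below. All sample records are constructed, not real output.
"""
from dataclasses import dataclass

# Algorithm names as they appear in the Algorithm columns of the table.
# These are the values a defender would want flagged on an audit.
WEAK_ENCRYPTION = {"des-cbc", "none"}
WEAK_AUTHENTICATION = {"md5"}
WEAK_PRF = {"hmac-md5"}


@dataclass
class IkeSa:
    remote_address: str
    lifetime: int          # seconds until the IKE SA expires
    encryption: str        # Algorithm Encryption column
    authentication: str    # Algorithm Authentication column
    prf: str               # Algorithm PRF column


@dataclass
class IpsecStats:
    service_set: str
    remote_gateway: str
    esp_encrypted_bytes: int   # bytes this system encrypted (outbound)
    esp_decrypted_bytes: int   # bytes this system decrypted (inbound)


def audit_ike_sa(sa: IkeSa, min_lifetime: int = 300) -> list:
    """Return human-readable findings for one IKE SA (empty list if clean)."""
    findings = []
    if sa.encryption.lower() in WEAK_ENCRYPTION:
        findings.append(f"{sa.remote_address}: weak encryption {sa.encryption}")
    if sa.authentication.lower() in WEAK_AUTHENTICATION:
        findings.append(f"{sa.remote_address}: weak authentication {sa.authentication}")
    if sa.prf.lower() in WEAK_PRF:
        findings.append(f"{sa.remote_address}: weak PRF {sa.prf}")
    if sa.lifetime < min_lifetime:
        findings.append(f"{sa.remote_address}: IKE SA expires in {sa.lifetime}s")
    return findings


def traffic_deltas(previous: list, current: list) -> dict:
    """Map (service set, remote gateway) -> (encrypted delta, decrypted delta).

    Tunnels present only in the current sample are skipped: there is
    nothing to diff against yet.
    """
    prev = {(s.service_set, s.remote_gateway): s for s in previous}
    deltas = {}
    for cur in current:
        key = (cur.service_set, cur.remote_gateway)
        old = prev.get(key)
        if old is None:
            continue
        deltas[key] = (cur.esp_encrypted_bytes - old.esp_encrypted_bytes,
                       cur.esp_decrypted_bytes - old.esp_decrypted_bytes)
    return deltas


def classify_tunnels(previous: list, current: list) -> dict:
    """Sort tunnels into active / idle / one_way / reset buckets."""
    result = {"active": [], "idle": [], "one_way": [], "reset": []}
    for key, (enc, dec) in sorted(traffic_deltas(previous, current).items()):
        if enc < 0 or dec < 0:
            result["reset"].append(key)       # counter went backwards: SA rebuilt
        elif enc == 0 and dec == 0:
            result["idle"].append(key)        # no traffic since last poll
        elif enc == 0 or dec == 0:
            result["one_way"].append(key)     # traffic in one direction only
        else:
            result["active"].append(key)
    return result


# Constructed sample data (documentation ranges, not real gateways).
SAMPLE_IKE_SAS = [
    IkeSa("198.51.100.1", 1800, "3des-cbc", "sha1", "hmac-sha1"),
    IkeSa("198.51.100.2", 30, "des-cbc", "md5", "hmac-md5"),
]
SAMPLE_PREVIOUS = [
    IpsecStats("vpn-set-a", "198.51.100.1", 1000, 2000),
    IpsecStats("vpn-set-b", "198.51.100.2", 700, 800),
    IpsecStats("vpn-set-c", "198.51.100.3", 5000, 5000),
    IpsecStats("vpn-set-d", "198.51.100.4", 100, 100),
]
SAMPLE_CURRENT = [
    IpsecStats("vpn-set-a", "198.51.100.1", 1500, 2600),
    IpsecStats("vpn-set-b", "198.51.100.2", 700, 800),
    IpsecStats("vpn-set-c", "198.51.100.3", 100, 200),
    IpsecStats("vpn-set-d", "198.51.100.4", 900, 100),
    IpsecStats("vpn-set-e", "198.51.100.5", 10, 10),   # new since last poll
]

if __name__ == "__main__":
    for sa in SAMPLE_IKE_SAS:
        for finding in audit_ike_sa(sa):
            print("IKE:", finding)
    for bucket, tunnels in classify_tunnels(SAMPLE_PREVIOUS, SAMPLE_CURRENT).items():
        print(f"{bucket}: {tunnels}")
```

Polling interval matters for the traffic classification: a tunnel that legitimately carries bursty traffic will show as idle on a short interval, so the idle and one-way buckets are prompts to look at the SA state and the far end, not alarms on their own. The reset bucket is worth correlating with the IPSec Security Associations created/deleted count from the table.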