Route-Based IPsec VPNs
A route-based VPN is a configuration in which an IPsec VPN tunnel created between two end points is referenced by a route that determines which traffic is sent through the tunnel based on a destination IP address.
Understanding Route-Based IPsec VPNs
With route-based VPNs, you can configure dozens of security policies to regulate traffic flowing through a single VPN tunnel between two sites, and there is just one set of IKE and IPsec SAs at work. Unlike policy-based VPNs, for route-based VPNs, a policy refers to a destination address, not a VPN tunnel. When Junos OS looks up a route to find the interface to use to send traffic to the packet’s destination address, it finds a route through a secure tunnel interface (st0.x). The tunnel interface is bound to a specific VPN tunnel, and the traffic is routed to the tunnel if the policy action is permit.
A secure tunnel (st0) interface supports only one IPv4 address and one IPv6 address at the same time. This applies to all route-based VPNs. The disable option is not supported on st0 interfaces.
Examples of where route-based VPNs can be used:
- There are overlapping subnets or IP addresses between the two LANs.
- A hub-and-spoke VPN topology is used in the network, and spoke-to-spoke traffic is required.
- Primary and backup VPNs are required.
- A dynamic routing protocol (for example, OSPF, RIP, or BGP) is running across the VPN.
Configuring RIP demand circuits over point-to-multipoint VPN interfaces is not supported.
We recommend that you use a route-based VPN when you want to configure a VPN between multiple remote sites. A route-based VPN allows routing between the spokes at multiple remote sites, and it is easier to configure, monitor, and troubleshoot.
Example: Configuring a Route-Based VPN
This example shows how to configure a route-based IPsec VPN to allow data to be securely transferred between a branch office and the corporate office.
Requirements
This example uses the following hardware:
Any SRX Series device
SSG140 device
Before you begin, read IPsec VPN Overview.
Overview
In this example, you configure a route-based VPN for a branch office in Chicago, because you want to conserve tunnel resources but still get granular restrictions on VPN traffic. Users in the Chicago office will use the VPN to connect to their corporate headquarters in Sunnyvale, California.
Figure 1 shows an example of a route-based VPN topology. In this topology, the SRX Series devices are located in Sunnyvale, and an SSG Series device (or a third-party device) is located in Chicago.

In this example, you configure interfaces, an IPv4 default route, security zones, and address books. Then you configure IKE, IPsec, security policy, and TCP-MSS parameters. See Table 1 through Table 5 for specific configuration parameters used in this example.
Table 1: Interface, Static Route, and Security Zone Information

| Feature | Name | Configuration Parameters |
|---|---|---|
| Interfaces | ge-0/0/0.0 | 192.0.2.1/24 |
| | ge-0/0/1.0 | 10.1.1.2/30 |
| | st0.0 (tunnel interface) | 10.10.11.10/24 |
| Static routes | 0.0.0.0/0 (default route) | The next hop is st0.0. |
| Security zones | trust | The ge-0/0/0.0 interface is bound to this zone. |
| | untrust | IKE is allowed as a host-inbound system service. The ge-0/0/1.0 interface is bound to this zone. |
| | vpn | The st0.0 interface is bound to this zone. |

Table 2: IKE Configuration Parameters

| Feature | Name | Configuration Parameters |
|---|---|---|
| Proposal | ike-proposal | Authentication method: pre-shared-keys; Diffie-Hellman group: group14; Authentication algorithm: sha-256; Encryption algorithm: aes-256-cbc |
| Policy | ike-policy | Mode: main; Proposal reference: ike-proposal; IKE policy authentication method: pre-shared-key ascii-text |
| Gateway | gw-sunnyvale | IKE policy reference: ike-policy; External interface: ge-0/0/1.0; Gateway address: 10.2.2.2; IKE version: v1-only |

Table 3: IPsec Configuration Parameters

| Feature | Name | Configuration Parameters |
|---|---|---|
| Proposal | ipsec_prop | Protocol: esp; Authentication algorithm: hmac-sha-256; Encryption algorithm: aes256-cbc |
| Policy | ipsec_pol | Proposal reference: ipsec_prop |
| VPN | ipsec_vpn1 | IKE gateway reference: gw-sunnyvale; IPsec policy reference: ipsec_pol; Bind to interface: st0.0 |

Table 4: Security Policy Configuration Parameters

| Purpose | Name | Configuration Parameters |
|---|---|---|
| The security policy permits traffic from the trust zone to the vpn zone. | vpn | Match criteria: source-address sunnyvale, destination-address chicago, application any. Action: permit |
| The security policy permits traffic from the vpn zone to the trust zone. | vpn | Match criteria: source-address chicago, destination-address sunnyvale, application any. Action: permit |

Table 5: TCP-MSS Configuration Parameters

| Purpose | Configuration Parameters |
|---|---|
| TCP-MSS is negotiated as part of the TCP three-way handshake and limits the maximum size of a TCP segment to better fit the MTU limits on a network. For VPN traffic, the IPsec encapsulation overhead, along with the IP and frame overhead, can cause the resulting ESP packet to exceed the MTU of the physical interface, which causes fragmentation. Fragmentation increases bandwidth and device resource usage. We recommend a value of 1350 as the starting point for most Ethernet-based networks with an MTU of 1500 or greater. You might need to experiment with different TCP-MSS values to obtain optimal performance. For example, you might need to change the value if any device in the path has a lower MTU, or if there is any additional overhead such as PPP or Frame Relay. | MSS value: 1350 |
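To put numbers on the TCP-MSS reasoning above, here is an added example (not from the Juniper documentation) that computes the size of a tunnel-mode ESP packet for a given MSS and the largest MSS that still avoids fragmentation. It assumes the IPsec proposal used in this example, aes256-cbc (16-byte IV and block size) with hmac-sha-256 (16-byte truncated ICV), and also covers the lower-MTU and NAT-T cases the page mentions.

```python
# Added example (not from the Juniper page): work through the TCP-MSS reasoning.
# Tunnel-mode ESP wraps the whole inner IPv4 packet, so a segment sized for the
# default MSS (1460 on a 1500-byte link) overflows the physical MTU once the
# outer IP header, ESP header, IV, padding, trailer and ICV are added.
# Overheads assume the IPsec proposal on this page: aes256-cbc (16-byte IV and
# block size) with hmac-sha-256 (16-byte truncated ICV, per RFC 4868).

IPV4_HEADER = 20
TCP_HEADER = 20
ESP_HEADER = 8          # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2         # pad length (1 byte) + next header (1 byte)
UDP_HEADER = 8          # added only when NAT-T encapsulates ESP in UDP 4500
ETHERNET_MTU = 1500


def esp_tunnel_size(mss, nat_t=False, iv_len=16, block_len=16, icv_len=16):
    """Outer IPv4 packet length for one full-size TCP segment of `mss` bytes
    after ESP tunnel-mode encapsulation with a CBC cipher and truncated HMAC."""
    inner = IPV4_HEADER + TCP_HEADER + mss          # the whole inner packet is encrypted
    unpadded = inner + ESP_TRAILER
    pad = (-unpadded) % block_len                   # CBC pads payload + trailer to a block boundary
    outer = IPV4_HEADER + ESP_HEADER + iv_len + unpadded + pad + icv_len
    return outer + (UDP_HEADER if nat_t else 0)


def overhead(mss, **kw):
    """Bytes ESP adds on top of the plain IPv4+TCP packet."""
    return esp_tunnel_size(mss, **kw) - (IPV4_HEADER + TCP_HEADER + mss)


def fits(mss, mtu=ETHERNET_MTU, **kw):
    """True when the encapsulated packet needs no fragmentation on `mtu`."""
    return esp_tunnel_size(mss, **kw) <= mtu


def max_mss(mtu=ETHERNET_MTU, **kw):
    """Largest MSS whose encapsulated packet still fits `mtu` without fragmentation."""
    return max(m for m in range(mtu) if esp_tunnel_size(m, **kw) <= mtu)


if __name__ == "__main__":
    for mss in (1460, 1350):
        print(f"MSS {mss}: ESP packet {esp_tunnel_size(mss)} bytes, "
              f"overhead {overhead(mss)} bytes, fits 1500 MTU: {fits(mss)}")
    print("largest MSS for a 1500-byte MTU:", max_mss())
    print("largest MSS behind PPPoE (1492-byte MTU):", max_mss(mtu=1492))
    print("largest MSS with NAT-T on a 1500-byte MTU:", max_mss(nat_t=True))
```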
Configuration
- Configuring Basic Network and Security Zone Information
- Configuring IKE
- Configuring IPsec
- Configuring Security Policies
- Configuring TCP-MSS
- Configuring the SSG Series Device
Configuring Basic Network and Security Zone Information
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/30
set interfaces st0 unit 0 family inet address 10.10.11.10/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone vpn interfaces st0.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure interface, static route, security zone, and address book information:
Configure Ethernet interface information.
[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/30
user@host# set interfaces st0 unit 0 family inet address 10.10.11.10/24
Configure static route information.
[edit]
user@host# set routing-options static route 0.0.0.0/0 next-hop st0.0
Assign an interface to the untrust security zone.
[edit security zones security-zone untrust]
user@host# set interfaces ge-0/0/1.0
Specify allowed system services for the untrust security zone.
[edit security zones security-zone untrust]
user@host# set host-inbound-traffic system-services ike
Configure the trust security zone.
[edit]
user@host# edit security zones security-zone trust
Assign an interface to the trust security zone.
[edit security zones security-zone trust]
user@host# set interfaces ge-0/0/0.0
Configure the vpn security zone.
[edit]
user@host# edit security zones security-zone vpn
Assign an interface to the vpn security zone.
[edit security zones security-zone vpn]
user@host# set interfaces st0.0
Results
From configuration mode, confirm your configuration by entering the show interfaces, show routing-options, show security zones, and show security address-book commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show interfaces
ge-0/0/0 {
    unit 0 {
        family inet {
            address 192.0.2.1/24;
        }
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 10.1.1.2/30;
        }
    }
}
st0 {
    unit 0 {
        family inet {
            address 10.10.11.10/24;
        }
    }
}
[edit]
user@host# show routing-options
static {
    route 0.0.0.0/0 next-hop st0.0;
}
[edit]
user@host# show security zones
security-zone untrust {
    host-inbound-traffic {
        system-services {
            ike;
        }
    }
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone trust {
    host-inbound-traffic {
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone vpn {
    host-inbound-traffic {
    }
    interfaces {
        st0.0;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring IKE
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike proposal ike-proposal dh-group group14
set security ike proposal ike-proposal authentication-algorithm sha-256
set security ike proposal ike-proposal encryption-algorithm aes-256-cbc
set security ike policy ike-policy mode main
set security ike policy ike-policy proposals ike-proposal
set security ike policy ike-policy pre-shared-key ascii-text $ABC123
set security ike gateway gw-sunnyvale external-interface ge-0/0/1.0
set security ike gateway gw-sunnyvale ike-policy ike-policy
set security ike gateway gw-sunnyvale address 10.2.2.2
set security ike gateway gw-sunnyvale version v1-only
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IKE:
Create the IKE proposal.
[edit security ike]
user@host# set proposal ike-proposal
Define the IKE proposal authentication method.
[edit security ike proposal ike-proposal]
user@host# set authentication-method pre-shared-keys
Define the IKE proposal Diffie-Hellman group.
[edit security ike proposal ike-proposal]
user@host# set dh-group group14
Define the IKE proposal authentication algorithm.
[edit security ike proposal ike-proposal]
user@host# set authentication-algorithm sha-256
Define the IKE proposal encryption algorithm.
[edit security ike proposal ike-proposal]
user@host# set encryption-algorithm aes-256-cbc
Create an IKE policy.
[edit security ike]
user@host# set policy ike-policy
Set the IKE policy mode.
[edit security ike policy ike-policy]
user@host# set mode main
Specify a reference to the IKE proposal.
[edit security ike policy ike-policy]
user@host# set proposals ike-proposal
Define the IKE policy authentication method.
[edit security ike policy ike-policy]
user@host# set pre-shared-key ascii-text $ABC123
Create an IKE gateway and define its external interface.
[edit security ike]
user@host# set gateway gw-sunnyvale external-interface ge-0/0/1.0
Define the IKE policy reference.
[edit security ike gateway gw-sunnyvale]
user@host# set ike-policy ike-policy
Define the IKE gateway address.
[edit security ike gateway gw-sunnyvale]
user@host# set address 10.2.2.2
Define the IKE gateway version.
[edit security ike gateway gw-sunnyvale]
user@host# set version v1-only
Results
From configuration mode, confirm your configuration by entering the show security ike command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security ike
proposal ike-proposal {
    authentication-method pre-shared-keys;
    dh-group group14;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
}
policy ike-policy {
    mode main;
    proposals ike-proposal;
    pre-shared-key ascii-text "$ABC123";
}
gateway gw-sunnyvale {
    ike-policy ike-policy;
    address 10.2.2.2;
    external-interface ge-0/0/1.0;
    version v1-only;
}
If you are done configuring the device, enter commit from configuration mode.
Configuring IPsec
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security ipsec traceoptions flag all
set security ipsec proposal ipsec_prop protocol esp
set security ipsec proposal ipsec_prop authentication-algorithm hmac-sha-256
set security ipsec proposal ipsec_prop encryption-algorithm aes256-cbc
set security ipsec policy ipsec_pol proposals ipsec_prop
set security ipsec vpn ipsec_vpn1 ike gateway gw-sunnyvale
set security ipsec vpn ipsec_vpn1 ike ipsec-policy ipsec_pol
set security ipsec vpn ipsec_vpn1 bind-interface st0.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IPsec:
Enable IPsec trace options.
[edit]
user@host# set security ipsec traceoptions flag all
Create an IPsec proposal.
[edit]
user@host# set security ipsec proposal ipsec_prop
Specify the IPsec proposal protocol.
[edit security ipsec proposal ipsec_prop]
user@host# set protocol esp
Specify the IPsec proposal authentication algorithm.
[edit security ipsec proposal ipsec_prop]
user@host# set authentication-algorithm hmac-sha-256
Specify the IPsec proposal encryption algorithm.
[edit security ipsec proposal ipsec_prop]
user@host# set encryption-algorithm aes256-cbc
Create the IPsec policy.
[edit security ipsec]
user@host# set policy ipsec_pol
Specify the IPsec proposal reference.
[edit security ipsec policy ipsec_pol]
user@host# set proposals ipsec_prop
Specify the IKE gateway.
[edit security ipsec]
user@host# set vpn ipsec_vpn1 ike gateway gw-sunnyvale
Specify the IPsec policy.
[edit security ipsec]
user@host# set vpn ipsec_vpn1 ike ipsec-policy ipsec_pol
Specify the interface to bind.
[edit security ipsec]
user@host# set vpn ipsec_vpn1 bind-interface st0.0
Results
From configuration mode, confirm your configuration by entering the show security ipsec command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security ipsec
traceoptions {
    flag all;
}
proposal ipsec_prop {
    protocol esp;
    authentication-algorithm hmac-sha-256;
    encryption-algorithm aes256-cbc;
}
policy ipsec_pol {
    proposals ipsec_prop;
}
vpn ipsec_vpn1 {
    bind-interface st0.0;
    ike {
        gateway gw-sunnyvale;
        ipsec-policy ipsec_pol;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Security Policies
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security policies from-zone trust to-zone vpn policy vpn match source-address sunnyvale
set security policies from-zone trust to-zone vpn policy vpn match destination-address chicago
set security policies from-zone trust to-zone vpn policy vpn match application any
set security policies from-zone trust to-zone vpn policy vpn then permit
set security policies from-zone vpn to-zone trust policy vpn match source-address chicago
set security policies from-zone vpn to-zone trust policy vpn match destination-address sunnyvale
set security policies from-zone vpn to-zone trust policy vpn match application any
set security policies from-zone vpn to-zone trust policy vpn then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure security policies:
Create the security policy to permit traffic from the trust zone to the vpn zone.
[edit security policies from-zone trust to-zone vpn]
user@host# set policy vpn match source-address sunnyvale
user@host# set policy vpn match destination-address chicago
user@host# set policy vpn match application any
user@host# set policy vpn then permit
Create the security policy to permit traffic from the vpn zone to the trust zone.
[edit security policies from-zone vpn to-zone trust]
user@host# set policy vpn match source-address chicago
user@host# set policy vpn match destination-address sunnyvale
user@host# set policy vpn match application any
user@host# set policy vpn then permit
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security policies
from-zone trust to-zone vpn {
    policy vpn {
        match {
            source-address sunnyvale;
            destination-address chicago;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone vpn to-zone trust {
    policy vpn {
        match {
            source-address chicago;
            destination-address sunnyvale;
            application any;
        }
        then {
            permit;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
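The sections above build a chain of named references: the IKE policy points at its proposal, the gateway at its policy and external interface, the IPsec VPN at the gateway, the IPsec policy and the bound st0 unit, and the security policies at zones. One misspelled name anywhere in that chain fails at commit. The following consistency check over set commands is an added example, not Juniper tooling; its sample configuration is constructed to mirror this example and carries two deliberate mismatches (a zone named vpn-chicago where the policies reference vpn, and an IPsec VPN that references gw_sunnyvale while the gateway is gw-sunnyvale).

```python
import re

# Added example, not Juniper tooling: a pre-commit consistency check over the
# "set" commands of a route-based VPN. The configuration is a chain of named
# references (IKE policy -> proposal, gateway -> policy and external interface,
# IPsec VPN -> gateway, IPsec policy and bind-interface, security policies ->
# zones); one misspelled name breaks the chain at commit time. The sample below
# is constructed and carries two deliberate mismatches (zone "vpn-chicago"
# where the policies say "vpn", gateway "gw_sunnyvale" vs. "gw-sunnyvale").

SAMPLE_BROKEN = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.2/30
set interfaces st0 unit 0 family inet address 10.10.11.10/24
set routing-options static route 0.0.0.0/0 next-hop st0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone vpn-chicago interfaces st0.0
set security ike proposal ike-proposal authentication-method pre-shared-keys
set security ike policy ike-policy proposals ike-proposal
set security ike gateway gw-sunnyvale external-interface ge-0/0/1.0
set security ike gateway gw-sunnyvale ike-policy ike-policy
set security ipsec proposal ipsec_prop protocol esp
set security ipsec policy ipsec_pol proposals ipsec_prop
set security ipsec vpn ipsec_vpn1 ike gateway gw_sunnyvale
set security ipsec vpn ipsec_vpn1 ike ipsec-policy ipsec_pol
set security ipsec vpn ipsec_vpn1 bind-interface st0.0
set security policies from-zone trust to-zone vpn policy vpn then permit
set security policies from-zone vpn to-zone trust policy vpn then permit
"""
SAMPLE_FIXED = SAMPLE_BROKEN.replace("vpn-chicago", "vpn").replace("gw_sunnyvale", "gw-sunnyvale")

# Where each kind of object is defined (captured groups joined with "." give its name)
DEFS = {
    "zone": r"^security zones security-zone (\S+)",
    "ifl": r"^interfaces (\S+) unit (\d+)",
    "ike-proposal": r"^security ike proposal (\S+)",
    "ike-policy": r"^security ike policy (\S+)",
    "ike-gateway": r"^security ike gateway (\S+)",
    "ipsec-proposal": r"^security ipsec proposal (\S+)",
    "ipsec-policy": r"^security ipsec policy (\S+)",
}
# Where those objects are referenced by name (group 1 must be in DEFS[kind])
REFS = [
    ("ike-proposal", r"^security ike policy \S+ proposals (\S+)"),
    ("ike-policy", r"^security ike gateway \S+ ike-policy (\S+)"),
    ("ifl", r"^security ike gateway \S+ external-interface (\S+)"),
    ("ipsec-proposal", r"^security ipsec policy \S+ proposals (\S+)"),
    ("ike-gateway", r"^security ipsec vpn \S+ ike gateway (\S+)"),
    ("ipsec-policy", r"^security ipsec vpn \S+ ike ipsec-policy (\S+)"),
    ("ifl", r"^security ipsec vpn \S+ bind-interface (\S+)"),
    ("ifl", r"^security zones security-zone \S+ interfaces (\S+)"),
    ("ifl", r"^routing-options static route \S+ next-hop (st\d+\.\d+)"),
    ("zone", r"^security policies from-zone (\S+) to-zone \S+"),
    ("zone", r"^security policies from-zone \S+ to-zone (\S+)"),
]
ZONE_IFL = r"^security zones security-zone (\S+) interfaces (\S+)"
ZONE_IKE = r"^security zones security-zone (\S+) host-inbound-traffic system-services (ike|all)$"


def lint(config_text):
    """Return human-readable problems; an empty list means every reference resolves."""
    stmts = [ln.strip()[4:] for ln in config_text.splitlines() if ln.strip().startswith("set ")]
    defined = {kind: set() for kind in DEFS}
    for s in stmts:
        for kind, pat in DEFS.items():
            m = re.match(pat, s)
            if m:
                defined[kind].add(".".join(m.groups()))
    problems = []
    for s in stmts:
        for kind, pat in REFS:
            m = re.match(pat, s)
            if m and m.group(1) not in defined[kind]:
                problems.append(f"{kind} '{m.group(1)}' referenced but never defined: set {s}")
    # Route-based specifics: the st0 unit must be in a zone for policy lookup to work,
    # and the zone holding the IKE external interface must accept host-inbound IKE.
    zone_of = {m.group(2): m.group(1) for m in (re.match(ZONE_IFL, s) for s in stmts) if m}
    ike_zones = {m.group(1) for m in (re.match(ZONE_IKE, s) for s in stmts) if m}
    for s in stmts:
        m = re.match(r"^security ipsec vpn (\S+) bind-interface (\S+)", s)
        if m and m.group(2) not in zone_of:
            problems.append(f"tunnel interface {m.group(2)} (vpn {m.group(1)}) is in no security zone")
        m = re.match(r"^security ike gateway (\S+) external-interface (\S+)", s)
        if m and zone_of.get(m.group(2)) not in ike_zones:
            problems.append(f"zone of {m.group(2)} (gateway {m.group(1)}) does not allow host-inbound ike")
    return problems
```

lint(SAMPLE_BROKEN) reports the dangling gateway reference and the two policy references to the undefined vpn zone; lint(SAMPLE_FIXED) returns an empty list.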
Configuring TCP-MSS
CLI Quick Configuration
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security flow tcp-mss ipsec-vpn mss 1350
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure TCP-MSS information:
Configure TCP-MSS information.
[edit] user@host# set security flow tcp-mss ipsec-vpn mss 1350
Results
From configuration mode, confirm your configuration by entering the show security flow command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host# show security flow
tcp-mss {
    ipsec-vpn {
        mss 1350;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring the SSG Series Device
CLI Quick Configuration
For reference, the configuration for the SSG Series device is provided. For information about configuring SSG Series devices, see the Concepts and Examples ScreenOS Reference Guide, which is located at http://www.juniper.net/techpubs.
To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set zone name vpn
set interface ethernet0/6 zone Trust
set interface ethernet0/0 zone Untrust
set interface tunnel.1 zone vpn
set interface ethernet0/6 ip 198.51.100.1/24
set interface ethernet0/6 route
set interface ethernet0/0 ip 10.2.2.2/30
set interface ethernet0/0 route
set interface tunnel.1 ip 10.11.11.11/24
set flow tcp-mss 1350
set address Trust "192.51.100-net" 198.51.100.0 255.255.255.0
set address vpn "10.1.1-net" 10.1.1.0 255.255.255.0
set ike gateway corp-ike address 10.1.1.2 Main outgoing-interface ethernet0/0 preshare $ABC123 sec-level standard
set vpn corp-vpn gateway corp-ike replay tunnel idletime 0 sec-level standard
set vpn corp-vpn monitor optimized rekey
set vpn corp-vpn bind interface tunnel.1
set policy from Trust to Untrust "ANY" "ANY" "ANY" nat src permit
set policy from Trust to vpn "192.51.100-net" "10.1.1-net" "ANY" permit
set policy from vpn to Trust "10.1.1-net" "192.51.100-net" "ANY" permit
set route 0.0.0.0/0 interface ethernet0/0 gateway 10.2.2.2
Verification
To confirm that the configuration is working properly, perform these tasks:
- Verifying the IKE Status
- Verifying the IPsec Status
- Reviewing Statistics and Errors for an IPsec Security Association
- Testing Traffic Flow Across the VPN
Verifying the IKE Status
Purpose
Verify the IKE status.
Action
Before starting the verification process, you need to send traffic from a host in the 192.0.2.10/24 network to a host in the 198.51.100.10/24 network. For route-based VPNs, traffic can be initiated by the SRX Series device through the tunnel. We recommend that when testing IPsec tunnels, test traffic be sent from a separate device on one side of the VPN to a second device on the other side of the VPN. For example, initiate a ping from 192.0.2.10 to 198.51.100.10.
From operational mode, enter the show security ike security-associations command. After obtaining an index number from the command, use the show security ike security-associations index index_number detail command.
user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       10.2.2.2        UP     744a594d957dd513  1e1307db82f58387  Main

user@host> show security ike security-associations index 1 detail
IKE peer 10.2.2.2, Index 1,
  Role: Responder, State: UP
  Initiator cookie: 744a594d957dd513, Responder cookie: 1e1307db82f58387
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 198.51.100.2:500, Remote: 10.2.2.2:500
  Lifetime: Expires in 28570 seconds
  Algorithms:
    Authentication        : sha1
    Encryption            : aes-cbc (128 bits)
    Pseudo random function: hmac-sha1
  Traffic statistics:
    Input  bytes  :                  852
    Output bytes  :                  940
    Input  packets:                    5
    Output packets:                    5
  Flags: Caller notification sent
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0
Meaning
The show security ike security-associations command lists all active IKE SAs. If no SAs are listed, there was a problem with IKE establishment. Check the IKE policy parameters and external interface settings in your configuration.
If SAs are listed, review the following information:
- Index—This value is unique for each IKE SA, which you can use in the show security ike security-associations index detail command to get more information about the SA.
- Remote Address—Verify that the remote IP address is correct.
- State
  - UP—The IKE SA has been established.
  - DOWN—There was a problem establishing the IKE SA.
- Mode—Verify that the correct mode is being used.
Verify that the following are correct in your configuration:
- External interfaces (the interface must be the one that receives IKE packets)
- IKE policy parameters
- Preshared key information
- Proposal parameters (must match on both peers)
The show security ike security-associations index 1 detail command lists additional information about the security association with an index number of 1:
- Authentication and encryption algorithms used
- Lifetime
- Traffic statistics (can be used to verify that traffic is flowing properly in both directions)
- Role information (troubleshooting is best performed on the peer using the responder role)
- Initiator and responder information
- Number of IPsec SAs created
- Number of negotiations in progress
Verifying the IPsec Status
Purpose
Verify the IPsec status.
Action
From operational mode, enter the show security ipsec security-associations command. After obtaining an index number from the command, use the show security ipsec security-associations index index_number detail command.
user@host> show security ipsec security-associations
  total configured sa: 2
  ID      Gateway    Port  Algorithm         SPI       Life:sec/kb   Mon  vsys
  <16384  10.2.2.2   500   ESP:aes-128/sha1  76d64d1d  3363/ unlim   -    0
  >16384  10.2.2.2   500   ESP:aes-128/sha1  a1024ee2  3363/ unlim   -    0

user@host> show security ipsec security-associations index 16384 detail
  Virtual-system: Root
  Local Gateway: 198.51.100.2, Remote Gateway: 10.2.2.2
  Local Identity: ipv4_subnet(any:0,[0..7]=192.0.2.0/24)
  Remote Identity: ipv4_subnet(any:0,[0..7]=192.0.2.168/24)
  DF-bit: clear
    Direction: inbound, SPI: 1993755933, AUX-SPI: 0
    Hard lifetime: Expires in 3352 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2775 seconds
    Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: enabled, Replay window size: 32
    Direction: outbound, SPI: 2701283042, AUX-SPI: 0
    Hard lifetime: Expires in 3352 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2775 seconds
    Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: enabled, Replay window size: 32
Meaning
The output from the show security ipsec security-associations command lists the following information:
- The ID number is 16384. Use this value with the show security ipsec security-associations index command to get more information about this particular SA.
- There is one IPsec SA pair using port 500, which indicates that no NAT-traversal is implemented. (NAT-traversal uses port 4500 or another random high-number port.)
- The SPIs, lifetime (in seconds), and usage limits (or lifesize in KB) are shown for both directions. The 3363/ unlim value indicates that the lifetime expires in 3363 seconds, and that no lifesize has been specified, which indicates that it is unlimited. The IPsec lifetime can differ from the IKE lifetime, as IPsec is not dependent on IKE after the VPN is up.
- VPN monitoring is not enabled for this SA, as indicated by a hyphen in the Mon column. If VPN monitoring is enabled, U indicates that monitoring is up, and D indicates that monitoring is down.
- The virtual system (vsys) is the root system, and it always lists 0.
The output from the show security ipsec security-associations index 16384 detail command lists the following information:
- The local identity and remote identity make up the proxy ID for the SA. A proxy ID mismatch is one of the most common causes for an IPsec failure. If no IPsec SA is listed, confirm that IPsec proposals, including the proxy ID settings, are correct for both peers. For route-based VPNs, the default proxy ID is local=0.0.0.0/0, remote=0.0.0.0/0, and service=any. Issues can occur with multiple route-based VPNs from the same peer IP. In this case, a unique proxy ID for each IPsec SA must be specified. For some third-party vendors, the proxy ID must be manually entered to match.
- Another common reason for IPsec failure is not specifying the st0 interface binding. If IPsec cannot complete, check the kmd log or set trace options.
Reviewing Statistics and Errors for an IPsec Security Association
Purpose
Review ESP and authentication header counters and errors for an IPsec security association.
Action
From operational mode, enter the show security ipsec statistics index index_number command, using the index number of the VPN for which you want to see statistics.
user@host> show security ipsec statistics index 16384
ESP Statistics:
  Encrypted bytes:            920
  Decrypted bytes:           6208
  Encrypted packets:            5
  Decrypted packets:           87
AH Statistics:
  Input bytes:                  0
  Output bytes:                 0
  Input packets:                0
  Output packets:               0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
You can also use the show security ipsec statistics command to review statistics and errors for all SAs. To clear all IPsec statistics, use the clear security ipsec statistics command.
Meaning
If you see packet loss issues across a VPN, you can run the show security ipsec statistics or show security ipsec statistics detail command several times to confirm that the encrypted and decrypted packet counters are incrementing. You should also check whether the other error counters are incrementing.
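The SA and statistics checks above are easy to automate once the two outputs are parsed. The following is an added example, not Juniper tooling: it parses the brief IPsec SA table and the statistics counters in the formats shown in this section, flags NAT-T on port 4500 and a D in the Mon column, and compares two statistics samples to confirm the packet counters rise while the error counters stay flat. The first SA table and the first statistics sample repeat the page's values; the other samples are constructed to exercise the checks.

```python
import re

# Added example, not Juniper tooling: parse the brief IPsec SA table and the
# "show security ipsec statistics" counters in the format shown above, and apply
# the checks the Meaning sections call for: port 4500 means NAT-T is in play,
# a "D" in the Mon column means VPN monitoring is down, encrypted/decrypted
# packet counters must rise between two samples, and error counters must not.
# All sample text below is constructed; the first SA table and the first
# statistics sample copy the page's values, the rest are made up.

SA_ROW = re.compile(
    r"^\s*([<>])(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)/\s*(\S+)\s+(\S+)\s+(\d+)",
    re.MULTILINE)
COUNTER = re.compile(r"([A-Za-z ]+?):\s*(\d+)")

SA_BRIEF_OK = """\
  total configured sa: 2
  ID    Gateway   Port  Algorithm        SPI      Life:sec/kb  Mon vsys
  <16384 10.2.2.2 500   ESP:aes-128/sha1 76d64d1d 3363/ unlim  -   0
  >16384 10.2.2.2 500   ESP:aes-128/sha1 a1024ee2 3363/ unlim  -   0
"""
SA_BRIEF_NATT_DOWN = SA_BRIEF_OK.replace(" 500 ", " 4500").replace("  -   0", "  D   0")
STATS = """\
ESP Statistics:
  Encrypted bytes: {ebytes}
  Decrypted bytes: {dbytes}
  Encrypted packets: {epkts}
  Decrypted packets: {dpkts}
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: {replay}
  ESP authentication failures: {espauth}, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
STATS_T0 = STATS.format(ebytes=920, dbytes=6208, epkts=5, dpkts=87, replay=0, espauth=0)
STATS_T1_OK = STATS.format(ebytes=2208, dbytes=9984, epkts=12, dpkts=140, replay=0, espauth=0)
STATS_T1_BAD = STATS.format(ebytes=2208, dbytes=6208, epkts=12, dpkts=87, replay=2, espauth=3)


def sa_health(brief_text):
    """Per-SA findings from the brief table (empty list when nothing stands out)."""
    findings = []
    for m in SA_ROW.finditer(brief_text):
        direction, sa_id, gateway, port, _alg, spi, life_sec, _kb, mon, _vsys = m.groups()
        tag = f"SA {sa_id}{direction} {gateway}"
        if port == "4500":
            findings.append(f"{tag}: NAT-T in use (UDP {port}); expect UDP-encapsulated ESP")
        if mon == "D":
            findings.append(f"{tag}: VPN monitoring reports DOWN")
        if int(life_sec) < 60:
            findings.append(f"{tag}: SPI {spi} expires in {life_sec}s; watch for a rekey")
    return findings


def counters(stats_text):
    """Map every 'Name: value' counter in the statistics output to an int."""
    return {name.strip(): int(value) for name, value in COUNTER.findall(stats_text)}


def traffic_check(before, after):
    """Compare two statistics samples taken a few seconds apart."""
    b, a = counters(before), counters(after)
    findings = []
    for key in ("Encrypted packets", "Decrypted packets"):
        if a[key] <= b[key]:
            findings.append(f"{key} did not increase ({b[key]} -> {a[key]})")
    for key, value in a.items():
        is_error = "failures" in key or "errors" in key or key.startswith("Bad")
        if is_error and value > b.get(key, 0):
            findings.append(f"{key} increased ({b.get(key, 0)} -> {value})")
    return findings


if __name__ == "__main__":
    print(sa_health(SA_BRIEF_OK) or "brief table: nothing to report")
    print(sa_health(SA_BRIEF_NATT_DOWN))
    print(traffic_check(STATS_T0, STATS_T1_OK) or "counters: traffic flowing, no errors")
    print(traffic_check(STATS_T0, STATS_T1_BAD))
```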
Testing Traffic Flow Across the VPN
Purpose
Verify the traffic flow across the VPN.
Action
You can use the ping command from the SRX Series device to test traffic flow to a remote host PC. Make sure that you specify the source interface so that the route lookup is correct and the appropriate security zones are referenced during policy lookup. From operational mode, enter the ping command.
user@host> ping 10.10.11.10 interface ge-0/0/0 count 5
PING 10.10.11.10 (10.10.11.10): 56 data bytes
64 bytes from 10.10.11.10: icmp_seq=0 ttl=127 time=8.287 ms
64 bytes from 10.10.11.10: icmp_seq=1 ttl=127 time=4.119 ms
64 bytes from 10.10.11.10: icmp_seq=2 ttl=127 time=5.399 ms
64 bytes from 10.10.11.10: icmp_seq=3 ttl=127 time=4.361 ms
64 bytes from 10.10.11.10: icmp_seq=4 ttl=127 time=5.137 ms
--- 10.10.11.10 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.119/5.461/8.287/1.490 ms
You can also use the ping command from the SSG Series device.
ssg-> ping 198.51.100.1 from ethernet0/6
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 198.51.100.1, timeout is 1 seconds from ethernet0/6
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=4/4/5 ms
Meaning
If the ping command fails from the SRX Series or SSG Series device, there might be a problem with the routing, security policies, end host, or encryption and decryption of ESP packets.