Monitor IPsec VPN

You are here: Monitor > Network > IPsec VPN.

Use the monitoring functionality to view information about IKE, IPsec configuration, security associations (SAs), and statistics in a tabular format that includes sortable columns. A VPN provides a means by which remote computers communicate securely across a public WAN such as the Internet. IPsec VPN is a protocol that consists of a set of standards used to establish a VPN connection.

Table 1 describes the fields on the IPsec VPN page.

Table 1: Fields on the IPsec VPN Page

Field

Description

IPsec Statistics list menu

Displays a summary of the global or selected IPsec VPN statistics.

Clear SA list menu

Displays the options Clear All SAs or Clear Selected SA to clear SAs.

If you choose Clear All SAs, then you can select Clear All IKE SAs, Clear All IPsec SAs, or Clear All IKE & IPsec SAs.

If you choose Clear Selected SAs, then you can select Clear Selected IKE SA, Clear Selected IPsec SA, or Clear Selected IKE & IPsec SA.

Refresh icon

Click the refresh icon to get the latest operational data.

Note:

The configuration data is fetched from cache. Any changes made through the CLI are fetched only after you commit them and click Monitor > Network > IPsec VPN to refresh the page and get the latest configuration data.

Search

You can search and filter by either the remote gateway or the VPN name.

Remote Gateway

Displays the gateway name of the remote system.

IKE Status

Displays whether IKE is up or down.

Local IP

Displays the external interface, IP address, and port of the local peer so that its remote peer can communicate with it.

Remote IP

Displays the IP address and port of the remote peer.

Note:

The remote IP is displayed only when IKE is up.

VPN Name

Displays the IPsec VPN name.

TS/Proxy ID Status

Displays information about and the status (up or down) of the traffic selector or the proxy ID that is negotiated between the peers.

Connection Profile

Displays the connection profile in the FQDN or FQDN/realm format if configured. If not configured, the field displays as external-IP/VPN-Name.

IPsec Soft Life

Displays the soft lifetime (in seconds), which informs the IPsec key management system that the SA is about to expire.

IKE Index

Displays the index number for a particular IKE SA.

IPsec Index

Displays the index number for a particular IPsec SA.

Topology

Displays the topology deployment for an IPsec VPN. For example: Site to Site/Hub & Spoke or Remote Access VPN.

IKE Proposal

Lists algorithms negotiated with the remote peer.

IPsec Proposal

Lists protocols and algorithms negotiated with the remote peer.

Authentication Type

Displays whether preshared-key or certificate-based authentication is used by the virtual private network (VPN).

DPD

Displays the dead peer detection (DPD) method used by devices to verify the current existence and availability of IPsec peers.

Role

Displays whether the device is an initiator or a responder.

IKE Initiator Cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

IKE Responder Cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets are received.

IKE Life

Lifetime (in seconds) of an IKE SA.

Range: 180 through 86,400. Default is 3600.

Mode

Negotiation method agreed upon by the two IPsec endpoints, or peers, used to exchange information. Each exchange type determines the number of messages and the payload types that each message contains. The modes or exchange types are:

  • Main—The exchange is done with six messages. This mode, or exchange type, encrypts the payload, protecting the identity of the neighbor. Displays the authentication method used: preshared keys or certificate.

  • Aggressive—The exchange is done with three messages. This mode, or exchange type, does not encrypt the payload, leaving the identity of the neighbor unprotected.

Peer IKE-ID

Displays the IKE IDs for the local or remote devices.

Remote Access

Displays the remote access URL.

Note:

This option is applicable only for the remote access VPN with Juniper Secure Connect (JSC).

Remote User

Displays the remote IKE identity to exchange with the destination peer to establish communication.

DNS

Displays the IP addresses of the primary and secondary DNS servers.

WINS

Displays the IP addresses of the primary and secondary WINS servers.

Inbound SPI

Displays the security parameter index (SPI) value used to authenticate incoming traffic from the peer.

Outbound SPI

Displays the algorithms, keys, or SPI values used to decrypt and to authenticate outbound traffic to the peer.

IPsec Hard Life

Displays the number of seconds until the SA expires.

IPsec Lifesize

Displays the remaining lifesize, which specifies the usage limit in kilobytes. If no lifesize is specified, the field shows unlimited.
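
The IKE Initiator Cookie, IKE Responder Cookie, and Mode fields in Table 1 correspond to fields of the fixed IKEv1 (ISAKMP) message header defined in RFC 2408. The following Python code is an added example, not part of J-Web or the Juniper documentation, and it goes beyond the page by decoding that header from a UDP payload so that a capture can be matched against the values shown on this page. The function names and sample bytes are constructed for illustration.

```python
import struct

# ISAKMP fixed header (RFC 2408, section 3.1), 28 bytes, network byte order:
# initiator cookie (8), responder cookie (8), next payload (1), version (1),
# exchange type (1), flags (1), message ID (4), total length (4).
HEADER = struct.Struct("!8s8sBBBBII")
EXCHANGE_TYPES = {2: "Main", 4: "Aggressive"}  # 2 is "Identity Protection"
FLAG_ENCRYPTED = 0x01


def parse_ike_header(datagram: bytes) -> dict:
    """Decode the fixed header of one IKEv1 message (the UDP payload)."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than the 28-byte ISAKMP header")
    i_cookie, r_cookie, _next, version, xchg, flags, _msg_id, length = \
        HEADER.unpack_from(datagram)
    if version >> 4 != 1:
        raise ValueError("not IKEv1 (major version %d)" % (version >> 4))
    if length < HEADER.size:
        raise ValueError("declared length is smaller than the header")
    mode = EXCHANGE_TYPES.get(xchg, "other(%d)" % xchg)
    # Main mode sends identities only in its encrypted messages; Aggressive
    # mode sends them in the clear. Other exchange types: not applicable.
    protected = {"Main": True, "Aggressive": False}.get(mode)
    return {
        "initiator_cookie": i_cookie.hex(),
        "responder_cookie": r_cookie.hex(),
        # The responder cookie is all zeros until the responder replies.
        "first_message": r_cookie == bytes(8),
        "mode": mode,
        "encrypted": bool(flags & FLAG_ENCRYPTED),
        "identity_protected": protected,
    }


def sample_header(xchg: int, r_cookie: bytes = bytes(8), flags: int = 0) -> bytes:
    """Constructed header-only sample (no payloads), not captured traffic."""
    return HEADER.pack(bytes.fromhex("1122334455667788"), r_cookie,
                       0, 0x10, xchg, flags, 0, HEADER.size)


if __name__ == "__main__":
    for xchg in (2, 4):
        print(parse_ike_header(sample_header(xchg)))
```
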