Supported Platforms
- J, LN, SRX Series
Related Documentation
- Monitoring Overview
- Monitoring Interfaces
Additional Information
- Junos OS Interfaces Library for Security Devices
Monitoring VPNs
This section contains the following topics:
Monitoring IKE Gateway Information
Purpose
View information about IKE security associations (SAs).
Action
Select Monitor>IPSec VPN>IKE Gateway in the J-Web user interface. To view detailed information for a particular SA, select the IKE SA index on the IKE gateway page.
Alternatively, enter the following CLI commands:
- show security ike security-associations
- show security ike security-associations index index-id detail
Table 1 summarizes key output fields in the IKE gateway display.
Table 1: Summary of Key IKE SA Information Output Fields
Field | Values | Additional Information |
---|---|---|
IKE Security Associations | ||
IKE SA Index | Index number of an SA. | This number is an internally generated number you can use to display information about a single SA. |
Remote Address | IP address of the destination peer with which the local peer communicates. | – |
State | State of the IKE security associations: | – |
Initiator cookie | Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered. | – |
Responder cookie | Random number generated by the remote node and sent back to the initiator as verification that the packets were received. | A cookie protects the responder's computing resources from attack without requiring excessive CPU time to determine the cookie's authenticity. |
Mode | Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are: | – |
IKE Security Association (SA) Index | ||
IKE Peer | IP address of the destination peer with which the local peer communicates. | – |
IKE SA Index | Index number of an SA. | This number is an internally generated number you can use to display information about a single SA. |
Role | Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder. | – |
State | State of the IKE security associations: | – |
Initiator cookie | Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered. | – |
Responder cookie | Random number generated by the remote node and sent back to the initiator as verification that the packets were received. | A cookie protects the responder's computing resources from attack without requiring excessive CPU time to determine the cookie's authenticity. |
Exchange Type | Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are: | – |
Authentication Method | Path chosen for authentication. | – |
Local | Address of the local peer. | – |
Remote | Address of the remote peer. | – |
Lifetime | Number of seconds remaining until the IKE SA expires. | – |
Algorithm | IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process: | – |
Traffic Statistics | Traffic statistics include the following: | – |
IPsec security associations | | – |
Role | Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder. | – |
Message ID | Message identifier. | – |
Local identity | Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name. | – |
Remote identity | IPv4 address of the destination peer gateway. | – |
Monitoring IPsec VPN—Phase I
Purpose
View IPsec VPN Phase I information.
Action
Select Monitor>IPSec VPN>Phase I in the J-Web user interface.
Table 2 describes the available options for monitoring IPsec VPN-Phase I.
Table 2: IPsec VPN—Phase I Monitoring Page
Field | Values | Additional Information |
---|---|---|
IKE SA Tab Options | ||
IKE Security Associations | ||
SA Index | Index number of an SA. | – |
Remote Address | IP address of the destination peer with which the local peer communicates. | – |
State | State of the IKE security associations: | – |
Initiator Cookie | Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered. | – |
Responder Cookie | Random number generated by the remote node and sent back to the initiator as verification that the packets were received. | A cookie protects the responder's computing resources from attack without requiring excessive CPU time to determine the cookie's authenticity. |
Mode | Negotiation method agreed upon by the two IPsec endpoints, or peers, used to exchange information. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are: | – |
Monitoring IPsec VPN—Phase II
Purpose
View IPsec VPN Phase II information.
Action
Select Monitor>IPSec VPN>Phase II in the J-Web user interface.
Table 3 describes the available options for monitoring IPsec VPN-Phase II.
Table 3: IPsec VPN—Phase II Monitoring Page
Field | Values | Additional Information |
---|---|---|
Statistics Tab Details | ||
By bytes | Provides total number of bytes encrypted and decrypted by the local system across the IPsec tunnel. | – |
By packets | Provides total number of packets encrypted and decrypted by the local system across the IPsec tunnel. | – |
IPsec Statistics | Provides details of the IPsec statistics. | – |
IPsec SA Tab Details | ||
IPsec Security Associations | ||
ID | Index number of the SA. | – |
Gateway/Port | IP address of the remote gateway/port. | – |
Algorithm | Cryptography scheme used to secure exchanges between peers during the IKE Phase II negotiations: | – |
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase I and Phase II. | – |
Life | The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. | – |
Monitoring | Specifies whether VPN liveliness monitoring is enabled (shown as 'U') or disabled (shown as '—'). | – |
Vsys | Specifies the root system. | – |
Monitoring IPsec VPN Information
Purpose
View information about IPsec security associations (SAs).
Action
Select Monitor>IPSec VPN>IPsec VPN in the J-Web user interface. To view the IPsec statistics information for a particular SA, select the IPsec SA ID value on the IPsec VPN page.
Alternatively, enter the following CLI commands:
- show security ipsec security-associations
- show security ipsec statistics
Table 4 summarizes key output fields in the IPsec VPN display.
Table 4: Summary of Key IPsec VPN Information Output Fields
Field | Values | Additional Information |
---|---|---|
IPsec Security Associations | ||
Total configured SA | Total number of IPsec security associations (SAs) configured on the device. | – |
ID | Index number of the SA. | – |
Gateway | IP address of the remote gateway. | – |
Port | If NAT traversal (NAT-T) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. | – |
Algorithm | Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations: | – |
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2. | – |
Life: sec/kb | The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. | – |
State | State has two options, Installed and Not Installed. | For transport mode, the value of State is always Installed. |
Vsys | The root system. | – |
IPsec Statistics Information | ||
ESP Statistics | Encapsulating Security Payload (ESP) statistics include the following: | – |
AH Statistics | Authentication Header (AH) statistics include the following: | – |
Errors | Errors include the following: | – |
Details for IPsec SA Index: ID | ||
Virtual System | The root system. | – |
Local Gateway | Gateway address of the local system. | – |
Remote Gateway | Gateway address of the remote system. | – |
Local identity | Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name. | – |
Remote identity | IPv4 address of the destination peer gateway. | – |
Df bit | State of the don’t fragment bit—set or cleared. | – |
Policy name | Name of the applicable policy. | – |
Direction | Direction of the security association: inbound or outbound. | – |
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2. | – |
Mode | Mode of the security association. Mode can be transport or tunnel. | – |
Type | Type of the security association, either manual or dynamic. | – |
State | State has two options, Installed and Not Installed. | For transport mode, the value of State is always Installed. |
Protocol | Protocol supported: | – |
Authentication/Encryption | | – |
Soft Lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire. | Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires. |
Hard Lifetime | The hard lifetime specifies the lifetime of the SA. | – |
Anti Replay Service | State of the service that prevents packets from being replayed. It can be Enabled or Disabled. | – |
Replay Window Size | Configured size of the anti-replay service window. It can be 32 or 64 packets. If the replay window size is 0, the anti-replay service is disabled. | The anti-replay window protects the receiver against replay attacks by rejecting old or duplicate packets. |
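The fields in Table 1 and Table 4 are the ones an operator reads when deciding whether a tunnel is healthy: the IKE SA state and remaining lifetime, the port (4500 meaning NAT-T), the per-direction IPsec SA state, the soft and hard lifetimes, and the replay window size (0 meaning anti-replay is off). The script below is an added example, not Juniper code, that turns those readings into automated checks. It runs over constructed sample text whose layout only approximates the `detail` output of the two CLI commands listed above; the field names come from the tables, while the state strings `UP` and `installed`, the `Index:` label, and the 1800-second rekey threshold are assumptions.

```python
"""Health checks over the IKE SA and IPsec SA fields described in Tables 1 and 4.

Added example, not Juniper code. The samples are constructed and only
approximate the text layout of the two 'detail' commands; the checks use the
field names from the tables plus two assumed state strings ('UP' for an IKE
SA, 'installed' for an IPsec SA).
"""
import re

# Constructed sample in the style of
# 'show security ike security-associations index <id> detail' (layout assumed).
IKE_DETAIL = """\
IKE peer 198.51.100.1, Index: 1234567, Gateway Name: gw-branch
  Role: Initiator, State: UP
  Initiator cookie: 0123456789abcdef, Responder cookie: fedcba9876543210
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 192.0.2.1:4500, Remote: 198.51.100.1:4500
  Lifetime: Expires in 900 seconds
"""

# Constructed sample in the style of
# 'show security ipsec security-associations index <id> detail' (layout assumed).
IPSEC_DETAIL = """\
  ID: 131073, Virtual-system: root, VPN Name: vpn-branch
  Local Gateway: 192.0.2.1, Remote Gateway: 198.51.100.1
  DF-bit: clear, Policy-name: vpn-policy
    Direction: inbound, SPI: 1a2b3c4d
    Hard lifetime: Expires in 3412 seconds
    Soft lifetime: Expires in 2843 seconds
    Mode: Tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: enabled, Replay window size: 64
    Direction: outbound, SPI: 5e6f7a8b
    Hard lifetime: Expires in 3412 seconds
    Soft lifetime: Expires in 3500 seconds
    Mode: Tunnel, Type: dynamic, State: not installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: disabled, Replay window size: 0
"""

# 'Key: value' pairs separated by ', '. A value runs until the next 'Key:' or
# the end of the line, so a value such as '192.0.2.1:4500' keeps its colon.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z0-9 -]*?):\s+(.*?)(?=,\s+[A-Za-z][A-Za-z0-9 -]*?:\s|$)")
SECS_RE = re.compile(r"(\d+)\s+seconds")


def parse_fields(text):
    """Collect every 'Key: value' pair in the text into one dict (last one wins)."""
    fields = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def seconds_left(value):
    """Extract the remaining seconds from a lifetime value, or None if absent."""
    match = SECS_RE.search(value or "")
    return int(match.group(1)) if match else None


def parse_ipsec_sa(text):
    """Split an IPsec SA block into SA-wide fields plus one record per direction,
    because Table 4 shows a separate SPI, state and lifetime for each direction."""
    header, directions, current = [], [], None
    for line in text.splitlines():
        if line.strip().startswith("Direction:"):
            current = []
            directions.append(current)
        (header if current is None else current).append(line)
    sa = parse_fields("\n".join(header))
    sa["directions"] = [parse_fields("\n".join(d)) for d in directions]
    return sa


def check_ike_sa(text, min_seconds=1800):
    """Findings for one IKE SA: state, remaining lifetime, and NAT-T port usage."""
    sa = parse_fields(text)
    tag = f"IKE SA {sa.get('Index', '?')}"
    findings = []
    if sa.get("State") != "UP":  # assumed state string
        findings.append(f"{tag}: state is {sa.get('State')!r}, not UP")
    left = seconds_left(sa.get("Lifetime"))
    if left is not None and left < min_seconds:
        findings.append(f"{tag}: only {left}s of lifetime remain, rekey expected")
    if any(sa.get(side, "").endswith(":4500") for side in ("Local", "Remote")):
        findings.append(f"{tag}: port 4500 in use, so NAT-T is active")
    return findings


def check_ipsec_sa(text):
    """Findings per direction: installed state, soft < hard lifetime, replay window."""
    sa = parse_ipsec_sa(text)
    findings = []
    for d in sa["directions"]:
        tag = f"IPsec SA {sa.get('ID', '?')} {d.get('Direction')}"
        if d.get("State", "").lower() != "installed":  # assumed state string
            findings.append(f"{tag}: state is {d.get('State')!r}, not installed")
        soft = seconds_left(d.get("Soft lifetime"))
        hard = seconds_left(d.get("Hard lifetime"))
        if soft is not None and hard is not None and soft >= hard:
            findings.append(f"{tag}: soft lifetime {soft}s is not below hard lifetime {hard}s")
        if d.get("Replay window size") == "0":
            findings.append(f"{tag}: replay window size 0, anti-replay service disabled")
    return findings


if __name__ == "__main__":
    for finding in check_ike_sa(IKE_DETAIL) + check_ipsec_sa(IPSEC_DETAIL):
        print(finding)
```

On the constructed input the IKE SA is up but close to expiry and behind NAT-T, the inbound IPsec SA is clean, and the outbound IPsec SA is reported three times: not installed, soft lifetime above hard lifetime, and anti-replay off. Feeding real device output into `check_ike_sa` and `check_ipsec_sa` would first require adjusting `FIELD_RE` and the `Direction:` split to the exact layout the device prints.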
Published: 2014-12-07