**IPsec Security Associations**

| Field Name | Field Description |
|---|---|
| Total configured SA | Total number of IPsec security associations (SAs) configured on the device. |
| ID | Index number of the SA. |
| Gateway | IP address of the remote gateway. |
| Port | If NAT traversal (NAT-T) is used, this value is 4500. Otherwise it is the standard IKE port, 500. |
| Algorithm | Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations:<br>- An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96 or hmac-sha1-96.<br>- An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc. |
| SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2. |
| Life: sec/kb | The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. |
| Sta | State has two options, Installed and Not Installed.<br>- Installed: the security association is installed in the security association database.<br>- Not Installed: the security association is not installed in the security association database.<br>For transport mode, the value of State is always Installed. |
| Vsys | The root system. |
**IPsec Statistics Information**

| Field Name | Field Description |
|---|---|
| ESP Statistics | Encapsulating Security Payload (ESP) statistics include the following:<br>- Encrypted bytes: total number of bytes encrypted by the local system across the IPsec tunnel.<br>- Decrypted bytes: total number of bytes decrypted by the local system across the IPsec tunnel.<br>- Encrypted packets: total number of packets encrypted by the local system across the IPsec tunnel.<br>- Decrypted packets: total number of packets decrypted by the local system across the IPsec tunnel. |
| AH Statistics | Authentication Header (AH) statistics include the following:<br>- Input bytes: the number of bytes presented for processing by the device.<br>- Output bytes: the number of bytes actually processed by the device.<br>- Input packets: the number of packets presented for processing by the device.<br>- Output packets: the number of packets actually processed by the device. |
| Errors | Errors include the following:<br>- AH authentication failures: total number of Authentication Header (AH) failures. An AH failure occurs when there is a mismatch of the authentication header in a packet transmitted across an IPsec tunnel.<br>- Replay errors: total number of replay errors. A replay error is generated when a duplicate packet is received within the replay window.<br>- ESP authentication failures: total number of Encapsulating Security Payload (ESP) failures. An ESP failure occurs when there is an authentication mismatch in ESP packets.<br>- ESP decryption failures: total number of ESP decryption errors.<br>- Bad headers: total number of invalid headers detected.<br>- Bad trailers: total number of invalid trailers detected. |
**Details for IPsec SA Index: ID**

| Field Name | Field Description |
|---|---|
| Virtual System | The root system. |
| Local Gateway | Gateway address of the local system. |
| Remote Gateway | Gateway address of the remote system. |
| Local identity | Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name. |
| Remote identity | IPv4 address of the destination peer gateway. |
| Df bit | State of the don't-fragment bit: set or cleared. |
| Policy name | Name of the applicable policy. |
| Direction | Direction of the security association: inbound or outbound. |
| SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2. |
| Mode | Mode of the security association. Mode can be transport or tunnel.<br>- transport: protects host-to-host connections.<br>- tunnel: protects connections between security gateways. |
| Type | Type of the security association, either manual or dynamic.<br>- manual: security parameters require no negotiation. They are static and are configured by the user.<br>- dynamic: security parameters are negotiated by the IKE protocol. Dynamic security associations are not supported in transport mode. |
| State | State has two options, Installed and Not Installed.<br>- Installed: the security association is installed in the security association database.<br>- Not Installed: the security association is not installed in the security association database.<br>For transport mode, the value of State is always Installed. |
| Protocol | Protocol supported:<br>- Transport mode supports Encapsulating Security Payload (ESP) and Authentication Header (AH).<br>- Tunnel mode supports ESP and AH.<br>- Authentication: type of authentication used.<br>- Encryption: type of encryption used. |
| Authentication/ Encryption | - Authentication: type of authentication algorithm used.<br>  - sha1: Secure Hash Algorithm 1 (SHA-1) authentication.<br>  - md5: MD5 authentication.<br>- Encryption: type of encryption algorithm used.<br>  - aes-256-cbc: Advanced Encryption Standard (AES) 256-bit encryption.<br>  - aes-192-cbc: Advanced Encryption Standard (AES) 192-bit encryption.<br>  - aes-128-cbc: Advanced Encryption Standard (AES) 128-bit encryption.<br>  - 3des-cbc: Triple Data Encryption Standard (3DES) encryption.<br>  - des-cbc: Data Encryption Standard (DES) encryption. |
| Soft Lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire.<br>- Expires in seconds: number of seconds left until the SA expires.<br>- Expires in kilobytes: number of kilobytes left until the SA expires.<br>Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires. |
| Hard Lifetime | The hard lifetime specifies the lifetime of the SA.<br>- Expires in seconds: number of seconds left until the SA expires.<br>- Expires in kilobytes: number of kilobytes left until the SA expires. |
| Anti Replay Service | State of the service that prevents packets from being replayed. It can be Enabled or Disabled. |
| Replay Window Size | Configured size of the anti-replay service window. It can be 32 or 64 packets. If the replay window size is 0, the anti-replay service is disabled.<br>The anti-replay window protects the receiver against replay attacks by rejecting old or duplicate packets. |
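The anti-replay window and the Replay errors counter described above, as an added example that is not part of the original page: a Python model of the RFC 4303 Appendix A sliding-window check, parameterised by the 0, 32 or 64 packet sizes the Replay Window Size field reports. The class name, the helper, and the sample sequence numbers are constructed for illustration.

```python
# Sliding-window anti-replay check modelled on RFC 4303 Appendix A.
# Bit i of the bitmap set means sequence number (highest - i) was already
# received; a hit on a set bit, or a number older than the window, is a
# replay and increments the "Replay errors" counter.
class AntiReplayWindow:
    def __init__(self, size=64):
        if size not in (0, 32, 64):           # sizes the page lists; 0 = disabled
            raise ValueError("window size must be 0, 32 or 64")
        self.size = size
        self.highest = 0                      # highest sequence number accepted
        self.bitmap = 0                       # window bitmap, LSB = highest
        self.replay_errors = 0                # mirrors the Replay errors counter

    def check_and_update(self, seq):
        """Return True and record seq if it is new; False if it is a replay."""
        if self.size == 0:
            return True                       # anti-replay service disabled
        if seq == 0:
            self.replay_errors += 1           # sequence number 0 is never valid
            return False
        if seq > self.highest:
            shift = seq - self.highest        # slide the window forward
            if shift >= self.size:
                self.bitmap = 1               # everything older drops out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) & mask) | 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            self.replay_errors += 1           # too old: left of the window
            return False
        if self.bitmap & (1 << diff):
            self.replay_errors += 1           # duplicate inside the window
            return False
        self.bitmap |= 1 << diff              # late but new: accept and mark
        return True


def run(seqs, size=64):
    """Feed a constructed sequence-number stream; return (decisions, errors)."""
    win = AntiReplayWindow(size)
    decisions = [win.check_and_update(s) for s in seqs]
    return decisions, win.replay_errors


# Constructed stream: in-order, one reordered packet, one duplicate,
# a jump past the window, then two packets that are now too old.
SAMPLE = [1, 2, 3, 5, 4, 3, 70, 2, 6]
```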