Verify Your IPsec VPN
Now we'll show you how to quickly confirm that your route-based IPsec VPN is doing its job of protecting your sensitive data.
Confirm Licensing Status
SRX Security Gateways have many advanced features, such as deep packet inspection (DPI), real-time antivirus (AV) scanning, and cloud-based URL blocking. Some of these features require a license. Many use a hard licensing model, which means the feature is disabled until you add the necessary license; however, you might still be able to configure the feature without receiving any license warning, so a committed configuration is not proof that the feature is licensed and working. For information about feature-based licenses, see Licenses for SRX Series. For information about subscription-based licenses, see Flex Software License for SRX Series Devices.
It's always a good idea to display the licensing status of your SRX, especially when adding new features, like the IPsec VPN you just turned up.
root@branch-srx> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  remote-access-ipsec-vpn-client        0            2           0    permanent
  remote-access-juniper-std             0            2           0    permanent

Licenses installed: none
The output is good news. It shows that no license keys are installed on the device, and the Licenses needed column is 0 for every feature, confirming that none of the features you configured require any add-on licensing. The base license for the branch SRX includes support for VLANs, DHCP services, and basic IPsec VPNs.
Verify IKE Session
Verify that the SRX has successfully established an IKE association with the remote site:
root@branch-srx> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3318115 UP     2ed75d71d9aeb5c5  680391201477e65b  Aggressive  172.16.1.1
The output shows an established IKE session to the remote site at 172.16.1.1.
Verify the IPsec Tunnel
Verify IPsec tunnel establishment:
root@branch-srx> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 4f03e41c 947/ unlim   -   root 500   172.16.1.1
  >131073 ESP:3des/sha1 70565ffd 947/ unlim   -   root 500   172.16.1.1
The output confirms IPsec tunnel establishment to the remote site at 172.16.1.1. The two rows are the inbound (<) and outbound (>) security associations of the same tunnel (ID 131073), each with its own SPI.
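A small parser for the two tables above makes the IKE and IPsec checks repeatable, for example from a post-change script. This is an added example, not code from the page or from Juniper: it re-wraps the page's own output as constructed sample input, then checks that an IKE SA to the expected peer is UP, that the IPsec SA has both an inbound and an outbound entry with distinct SPIs, and reports which algorithms were actually negotiated so they can be compared with your policy. The function names, the `DEPRECATED_CIPHERS` set and the column layout assumed by `IPSEC_ROW` are this example's own assumptions.

```python
import re

# Constructed sample input: the two tables from this page, one row per line.
IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
3318115 UP     2ed75d71d9aeb5c5  680391201477e65b  Aggressive  172.16.1.1
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:3des/sha1 4f03e41c 947/ unlim   -   root 500   172.16.1.1
  >131073 ESP:3des/sha1 70565ffd 947/ unlim   -   root 500   172.16.1.1
"""

# One data row of "show security ipsec security-associations": a direction marker
# ('<' inbound, '>' outbound) glued to the SA ID, then the remaining columns.
# Assumed layout, matching the output shown on this page.
IPSEC_ROW = re.compile(
    r"^\s*(?P<direction>[<>])(?P<id>\d+)\s+"
    r"(?P<protocol>[A-Z]+):(?P<cipher>[^/\s]+)/(?P<hash>\S+)\s+"
    r"(?P<spi>[0-9a-fA-F]+)\s+(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+"
    r"(?P<mon>\S+)\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)


def parse_ike_sas(text):
    """Rows of 'show security ike security-associations' as dicts; header lines are skipped."""
    sas = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows begin with a numeric index; the header row does not.
        if len(fields) >= 6 and fields[0].isdigit():
            sas.append({"index": int(fields[0]), "state": fields[1],
                        "initiator_cookie": fields[2], "responder_cookie": fields[3],
                        "mode": fields[4], "remote": fields[5]})
    return sas


def parse_ipsec_sas(text):
    """Rows of 'show security ipsec security-associations' as dicts."""
    sas = []
    for line in text.splitlines():
        m = IPSEC_ROW.match(line)
        if m:
            row = m.groupdict()
            row["id"], row["life_sec"], row["port"] = int(row["id"]), int(row["life_sec"]), int(row["port"])
            sas.append(row)
    return sas


def verify_tunnel(ike_text, ipsec_text, peer):
    """Findings for the tunnel to `peer`; an empty list means it looks healthy."""
    findings = []
    ike = [sa for sa in parse_ike_sas(ike_text) if sa["remote"] == peer]
    if not ike:
        findings.append(f"no IKE SA to {peer}")
    elif any(sa["state"] != "UP" for sa in ike):
        findings.append(f"IKE SA to {peer} is not UP: " + ", ".join(sa["state"] for sa in ike))
    ipsec = [sa for sa in parse_ipsec_sas(ipsec_text) if sa["gateway"] == peer]
    if not ipsec:
        findings.append(f"no IPsec SA to {peer}")
    # A working tunnel needs both an inbound and an outbound SA under the same ID.
    directions = {}
    for sa in ipsec:
        directions.setdefault(sa["id"], set()).add(sa["direction"])
    for sa_id, seen in sorted(directions.items()):
        if seen != {"<", ">"}:
            findings.append(f"IPsec SA {sa_id} has only direction(s) {sorted(seen)}")
    spis = [sa["spi"] for sa in ipsec]
    if len(spis) != len(set(spis)):
        findings.append("inbound and outbound SAs share an SPI")
    return findings


def negotiated_algorithms(ipsec_text):
    """Set of 'protocol:cipher/hash' strings actually in use, for comparison with policy."""
    return {f"{sa['protocol']}:{sa['cipher']}/{sa['hash']}" for sa in parse_ipsec_sas(ipsec_text)}


# Assumed policy for this example: 3DES and DES are deprecated (NIST SP 800-131A); adjust to your own.
DEPRECATED_CIPHERS = {"3des", "des"}


def policy_findings(ipsec_text, deprecated=DEPRECATED_CIPHERS):
    """One finding per SA whose cipher is on the deprecated list."""
    return sorted(f"SA {sa['id']} ({sa['direction']}) uses deprecated cipher {sa['cipher']}"
                  for sa in parse_ipsec_sas(ipsec_text) if sa["cipher"].lower() in deprecated)


if __name__ == "__main__":
    print("tunnel findings:", verify_tunnel(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, "172.16.1.1"))
    print("negotiated:", negotiated_algorithms(IPSEC_SA_OUTPUT))
    print("policy findings:", policy_findings(IPSEC_SA_OUTPUT))
```

On the page's output `verify_tunnel` returns no findings, while `policy_findings` reports the 3DES cipher on both SAs; the IKE `mode` column (Aggressive here) is parsed as well so that the same comparison against your IKE policy can be made.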
Verify Tunnel Interface Status
Verify that the tunnel interface is operational (it must be, given that the IPsec tunnel established successfully), and check that you can ping the remote tunnel endpoint:
root@branch-srx> show interfaces terse st0
Interface               Admin Link Proto    Local                 Remote
st0                     up    up
st0.0                   up    up   inet     10.0.0.1/24

root@branch-srx> show route 10.0.0.2

inet.0: 19 destinations, 19 routes (19 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.0.0.0/24        *[Direct/0] 00:11:19
                    > via st0.0

root@branch-srx> ping 10.0.0.2 count 2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=64 time=17.862 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=2.318 ms

--- 10.0.0.2 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.318/10.090/17.862/7.772 ms
Verify Static Routing for the IPsec Tunnel
Verify that the (static) route to the remote subnet correctly points to the IPsec tunnel interface as a next hop:
root@branch-srx> show route 172.16.200.0

inet.0: 16 destinations, 16 routes (16 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

172.16.200.0/24    *[Static/5] 00:45:52
                    > via st0.0
Verify Trust Zone Traffic Uses the Tunnel
Generate traffic from a trust zone device to a destination in the 172.16.200.0/24 subnet. We assigned address 172.16.200.1/32 to the remote location's loopback interface, and placed it into the vpn zone. This address provides a target to ping. If all is working, these pings should succeed.
To confirm this traffic is using the IPsec VPN, follow these steps.
- Clear the statistics for the IPsec tunnel.

root@branch-srx> clear security ipsec statistics

- Generate a known number of pings to the 172.16.200.1 destination from a trust zone client.

user@trust-device> ping 172.16.200.1 count 100 rapid
PING 172.16.200.1 (172.16.200.1): 56 data bytes
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
--- 172.16.200.1 ping statistics ---
100 packets transmitted, 100 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.895/1.062/2.322/0.326 ms

- Display tunnel usage statistics.

root@branch-srx> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:            13600
  Decrypted bytes:             8400
  Encrypted packets:            100
  Decrypted packets:            100
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

The counters show 100 encrypted and 100 decrypted packets, matching the 100 echo requests sent and the 100 replies received, and every error counter is still 0. The trust zone traffic is being carried by the IPsec tunnel.
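The three-step check above (clear, send a known number of packets, read the counters) can be automated, and it generalizes: taking a counter snapshot before and after the test gives the same answer without clearing the statistics, which keeps the device's long-term counters intact. This is an added example, not code from the page or from Juniper. It parses the `show security ipsec statistics` output into per-section counters, computes the delta between two snapshots, checks that the encrypted and decrypted packet counts match the pings sent and that no error counter moved, and derives the bytes per packet. The sample snapshots are constructed from the page's output (the "before" snapshot is the all-zero state right after the clear). `esp_packet_length` assumes, from the page's own numbers, that Encrypted bytes counts the full outer IPv4/ESP packet and Decrypted bytes counts the inner IPv4 packet; with the page's 3DES/SHA-1 parameters it reproduces the observed 136 and 84 bytes per packet. All function names are this example's own.

```python
import re

# Constructed sample input: counters right after 'clear security ipsec statistics'
# (all zero) and the page's counters after 100 rapid pings through the tunnel.
STATS_BEFORE = """\
ESP Statistics:
  Encrypted bytes:                0
  Decrypted bytes:                0
  Encrypted packets:              0
  Decrypted packets:              0
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

STATS_AFTER = """\
ESP Statistics:
  Encrypted bytes:            13600
  Decrypted bytes:             8400
  Encrypted packets:            100
  Decrypted packets:            100
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""

SECTION = re.compile(r"^(\S.*):\s*$")                  # unindented "Name:" line
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)")  # "Name: 123", several per line allowed


def parse_ipsec_statistics(text):
    """Nested dict {section: {counter: int}} from 'show security ipsec statistics' output."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        for name, value in COUNTER.findall(line):
            stats.setdefault(section, {})[name.strip()] = int(value)
    return stats


def counter_delta(before, after):
    """Per-counter increase between two snapshots; counters absent from `before` count as 0."""
    return {section: {name: value - before.get(section, {}).get(name, 0)
                      for name, value in counters.items()}
            for section, counters in after.items()}


def check_ping_test(before, after, echo_requests):
    """Findings for a ping test; an empty list means the tunnel carried every request and reply."""
    delta = counter_delta(before, after)
    esp, errors = delta.get("ESP Statistics", {}), delta.get("Errors", {})
    findings = []
    if esp.get("Encrypted packets", 0) != echo_requests:
        findings.append(f"expected {echo_requests} encrypted packets, saw {esp.get('Encrypted packets', 0)}")
    if esp.get("Decrypted packets", 0) != echo_requests:
        findings.append(f"expected {echo_requests} decrypted packets (echo replies), saw {esp.get('Decrypted packets', 0)}")
    for name, value in sorted(errors.items()):
        if value:
            findings.append(f"{name} increased by {value}")
    return findings


def bytes_per_packet(delta):
    """(encrypted, decrypted) bytes per packet over the delta, or None if nothing was counted."""
    esp = delta.get("ESP Statistics", {})
    if not esp.get("Encrypted packets") or not esp.get("Decrypted packets"):
        return None
    return (esp["Encrypted bytes"] // esp["Encrypted packets"],
            esp["Decrypted bytes"] // esp["Decrypted packets"])


ICMP_ECHO_INNER = 20 + 8 + 56  # IPv4 header + ICMP header + 56 data bytes = 84 (matches the page)


def esp_packet_length(inner_length, iv_length=8, block_size=8, icv_length=12, outer_ip_header=20):
    """Length of an IPv4 ESP tunnel-mode packet wrapping `inner_length` bytes (RFC 4303 layout).
    Defaults assume 3DES-CBC (8-byte IV and block) with HMAC-SHA1-96 (12-byte ICV), as on this page."""
    # Padding fills whole cipher blocks after adding the 2 trailer bytes (pad length, next header).
    padded = -(-(inner_length + 2) // block_size) * block_size
    return outer_ip_header + 8 + iv_length + padded + icv_length  # 8 = SPI + sequence number


if __name__ == "__main__":
    before, after = parse_ipsec_statistics(STATS_BEFORE), parse_ipsec_statistics(STATS_AFTER)
    print("findings:", check_ping_test(before, after, 100))
    print("bytes/packet (encrypted, decrypted):", bytes_per_packet(counter_delta(before, after)))
    print("expected ESP length for an 84-byte echo:", esp_packet_length(ICMP_ECHO_INNER))
```

The byte arithmetic is a useful sanity check beyond the packet counts: 84 decrypted bytes per packet is exactly the echo reply (20 + 8 + 56), and 136 encrypted bytes is that same size plus the outer IPv4 header, ESP header, IV, 2 bytes of padding, 2 trailer bytes and the 12-byte ICV. If the per-packet sizes do not match the traffic you generated, something other than your test is also crossing the tunnel.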
This completes the verification of the IPsec VPN. Congratulations on the new branch location!