| 40.4. IPSEC and IKE diagnostics and statistics | ||
|---|---|---|
 | Chapter 40. IPSEC - Internet Protocol SECurity |  |
| 40.4. IPSEC and IKE diagnostics and statistics | ||
|---|---|---|
| | Chapter 40. IPSEC - Internet Protocol SECurity | |
To display the diagnostics of the IPSEC resource the following commands are used:
Shows the IPSEC resource diagnostics (the state of the resource, the working mode, the inbound policy check flag, the inbound security policies, etc..) and the IPSEC Security Associations diagnostics (the number of bundle of Security Association record, the state of Security Association record, etc..).
[11:42:10] ABILIS_CPX:d d ipsecRES:IpSec --------------------------------------------------------------------- IP_Security_Protocol STATE:ACTIVE MODE:IKE IN-CHK:YES POLICY-IN :1 SA-IN :1 SA-BND-IN :1 POLICY-OUT:1 SA-OUT:1 SA-BND-OUT:1 - Security Associations diagnostics: ----------------------------------- SA Bundle State SPI SrcIp Auth SoftTime Prot Tunnel DstIp Cipher HardTime ------------------------------------------------------------------------ 0 0 MATURE C4DCB36E 192.168.006.002 MD5 INFINITE ESP YES 192.168.006.001 3DES INFINITE ------------------------------------------------------------------------ 1 1 MATURE 1969FC22 192.168.006.001 MD5 INFINITE ESP YES 192.168.006.002 3DES INFINITE ------------------------------------------------------------------------
To display the statistics of the IPSEC resource the following commands are used:
Shows the IPSEC resource statistics such as the total number of IP frames received/sent by IPSEC resource from/to IP, the total number of characters received/sent by IPSEC port from/to IP, the total number of bypassed incoming/outgoing IKE packets, etc..
Shows the IPSEC resource statistics and the IPsec Security Associations statistics (the total number of incoming/outgoing characters processed by Security Association, the total number of incoming/outgoing IP frames processed by Security Association, etc..).
[11:42:10] ABILIS_CPX:d s ipsecRES:IpSec --------------------------------------------------------------------- IP_Security_Protocol --- Cleared 2 days 19:33:50 ago, on 05/06/2015 at 14:04:00 ------------- -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---| FRM | 262693| 264196|CHR | 10964752| 14449533| FRM-OK | 0| 0|CHR-OK | 0| 0| FRM-DROP | 0| 0|CHR-DROP | 0| 0| FRM-BYPASS | 262693| 264196|CHR-BYPASS | 10964752| 14449533| ------------------------------------------------------------------------ FRM-IKE | 0| 0|NATT-KA | 0| 0| NO-POLICY | 0| 264196|LONG | 0| 0| BAD-SA | 0| 0|NO-SA | 0| 0| BAD-FMT | 0| 0|AUTH-FAIL | 0| | BAD-CBLK | 0| |BAD-CHK | 0| | REP-CHK | 0| 0|BAD-ECN | 0| | ------------------------------------------------------------------------
[11:42:10] ABILIS_CPX:d se ipsecRES:IpSec --------------------------------------------------------------------- IP_Security_Protocol --- Cleared 2 days 19:33:50 ago, on 05/06/2015 at 14:04:00 ------------- -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---| FRM | 262693| 264196|CHR | 10964752| 14449533| FRM-OK | 0| 0|CHR-OK | 0| 0| FRM-DROP | 0| 0|CHR-DROP | 0| 0| FRM-BYPASS | 262693| 264196|CHR-BYPASS | 10964752| 14449533| ------------------------------------------------------------------------ FRM-IKE | 0| 0|NATT-KA | 0| 0| NO-POLICY | 0| 264196|LONG | 0| 0| BAD-SA | 0| 0|NO-SA | 0| 0| BAD-FMT | 0| 0|AUTH-FAIL | 0| | BAD-CBLK | 0| |BAD-CHK | 0| | REP-CHK | 0| 0|BAD-ECN | 0| | ------------------------------------------------------------------------ - Security Associations statistics: ------------------------------------ SA:3 CHR:0 AUTH-FAIL:0 BAD-CBLK:0 FRM:0 REPLAY-CHK:0 BAD-ECN:0 ------------------------------------------------------------------------ SA:2 CHR:560 AUTH-FAIL:0 BAD-CBLK:0 FRM:2 REPLAY-CHK:0 BAD-ECN:0 ------------------------------------------------------------------------
To display the diagnostics of the IKE resource the following commands are used:
Shows diagnostic information such as the current state of the IKE resource and the IPSEC resource, the current number of ISAKMP and IPSEC Security Associations, the local and remote IP address-port, etc...
[11:42:10] ABILIS_CPX:d d ikeRES:Ike ----------------------------------------------------------------------- Internet_Keys_Exchange_Protocol IKE-STATE:ACTIVE IPSEC-STATE:ACTIVE CUR-MAX-HOSTS:16 CUR-HOSTS:2 ISAKMP-SA:0 ISAKMP-SA-EST:0 IPSEC-SA:0 IPSEC-SA-EST:0 - Security Associations diagnostics: ----------------------------------- SerialNo Name Type Side LocIp-LocPort LocNet/LocMask State ReplaceTime RemIp-RemPort RemNet/RemMask Pending ExpiryTime ------------------------------------------------------------------------ 1 IPsec RESPONDER 192.168.006.001/500 192.168.006.001/32 QUICK-R2 3422 192.168.006.002/500 192.168.006.002/32 0 3542 ------------------------------------------------------------------------ 2 ISAKMP RESPONDER 192.168.006.001/500 000.000.000.000/00 MAIN-R3 3420 192.168.006.002/500 000.000.000.000/00 0 3540 ------------------------------------------------------------------------
To display the statistics of the IKE resource the following commands are used:
Shows statistic information such as the total number of characters received/sent by IKE resource from/to UDP, the total number of UDP datagrams received/sent by IKE port from/to UDP, the total number of lost incoming UDP datagrams because buffer is full, etc..
[11:42:10] ABILIS_CPX:d se ikeRES:Ike ----------------------------------------------------------------------- Internet_Keys_Exchange_Protocol --- Cleared 2 days 19:35:56 ago, on 05/06/2015 at 14:04:00 ------------- -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---| CHR | 0| 0|LONG | 0| 0| FRM | 0| 0|BAD-FMT | 0| | FRM-LOST | 0| |DUPLICATED | 0| | ------------------------------------------------------------------------ -----------|--ISAKMP---|---IPSEC---| SA-R | 0| 0| SA-I | 0| 0| SA-EST-R | 0| 0| SA-EST-I | 0| 0| AUTH-FAIL | 0| 0| NO-PROP | 0| 0| ------------------------------------------------------------------------
| |  | |
| 40.3. IKE Resource |  | 40.5. Example of IPSEC configuration |