This command reports the current state of the IPSEC resource:
[11:42:10] ABILIS_CPX:
d d ipsec
RES:IpSec ---------------------------------------------------------------------
IP_Security_Protocol
STATE:ACTIVE        MODE:IKE            IN-CHK:YES
POLICY-IN :2        SA-IN :2            SA-BND-IN :2
POLICY-OUT:2        SA-OUT:2            SA-BND-OUT:2
- Security Associations diagnostics: -----------------------------------
SA   Bundle State    SPI       SrcIp            Auth    SoftTime
     Prot   Tunnel             DstIp            Cipher  HardTime
------------------------------------------------------------------------
1    1      MATURE   0AD000E8  188.138.185.166  MD5     INFINITE
     ESP    YES                078.081.162.041  3DES    INFINITE
------------------------------------------------------------------------
3    3      MATURE   40B7CB29  188.138.185.166  SHA1    INFINITE
     ESP    YES                092.115.190.246  AES256  INFINITE
------------------------------------------------------------------------
0    0      MATURE   19C0574E  078.081.162.041  MD5     INFINITE
     ESP    YES                188.138.185.166  3DES    INFINITE
------------------------------------------------------------------------
2    2      MATURE   8EC173B6  092.115.190.246  SHA1    INFINITE
     ESP    YES                188.138.185.166  AES256  INFINITE
------------------------------------------------------------------------
The meaning:
STATE
IPSEC port state:
INACTIVE - the configuration parameter ACT is set to NO.
ACTIVE - the driver is fully ready to work.
MODE
Mode of IPSEC:
MANUAL - the IPSEC port is in manual mode and handles manually-keyed IPSEC connections (SAs and keys entered in the configuration).
IKE - the IPSEC port is in automatic IKE mode and handles IPSEC connections whose SAs and keys are negotiated by IKE.
IN-CHK
IPSEC port inbound policy check flag:
NO - inbound policy check is disabled.
YES - inbound policy check is enabled: incoming IPSEC packets are verified against the inbound policy table and those that fail are dropped and counted in BAD-CHK (see the statistics below).
POLICY-IN/POLICY-OUT
Number of inbound/outbound security policies in the policy table.
SA-IN/SA-OUT
Number of inbound/outbound Security Associations (SA) in the SA table.
SA-BND-IN/SA-BND-OUT
Number of inbound/outbound Security Association (SA) bundles in the SA table.
SA
ID of the Security Association record in the SA table.
Bundle
ID of the SA bundle group the record belongs to.
State
State of the Security Association:
LARVAL - the Security Association was created by IKE but is not working yet. Displayed in IKE mode only.
MATURE - the Security Association is working. In MANUAL mode a Security Association is always in this state.
DYING - the soft lifetime of the Security Association has expired (see SoftTime). Displayed in IKE mode only.
DEAD - the hard lifetime of the Security Association has expired, but the entry has not yet been reaped by the system garbage collector. Incoming and outgoing IP packets on it are dropped. Displayed in IKE mode only.
SPI
Security Parameters Index that identifies this Security Association (the IPSEC SA SPI parameter), shown in hexadecimal.
SrcIp
Source IP address of the SA. In the example above 188.138.185.166 is the local address (it appears as LocIp-Port in the d d ike output further down), so SAs 1 and 3 are outbound and SAs 0 and 2 are inbound.
Auth
Authentication (integrity) algorithm of the IPSEC protocol (AH or ESP):
NONE - no algorithm.
MD5 - MD5 message digest.
SHA1 - SHA-1 secure hash (printed as SHA1 in the output).
SoftTime
Time in seconds until the soft timer expires and the SA goes to the DYING state. INFINITE means that no soft timer is running on the IPSEC SA; in the example above the IPSEC SAs' lifetimes are tracked by IKE (see Lifetime and Expiry in the d d ike output further down).
Prot
IPSEC protocol:
AH - Authentication Header protocol.
ESP - Encapsulating Security Payload protocol.
Tunnel
Transport or tunnel mode of the IPSEC protocol:
NO - transport mode.
YES - tunnel mode.
DstIp
Destination IP address of the SA.
Cipher
Encryption algorithm of the IPSEC ESP protocol:
NONE - no algorithm (ESP then provides integrity only).
DES - DES algorithm in CBC mode.
3DES - Triple DES algorithm in CBC mode.
IDEA - IDEA algorithm in CBC mode.
CAST - CAST algorithm in CBC mode.
BLOWFISH - BLOWFISH algorithm in CBC mode.
The example output above also shows AES256 (AES with a 256-bit key) in this column. Of the listed algorithms, DES is broken and the 64-bit block ciphers (3DES, IDEA, CAST, BLOWFISH) and MD5 are deprecated for IPSEC use; prefer AES256 wherever the peer supports it.
HardTime
Time in seconds until the hard timer expires and the SA goes to the DEAD state. INFINITE means that no hard timer is running on the IPSEC SA.
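To act on this table rather than read it by eye, here is an added Python example (not Abilis code) that tokenises the two-line SA records of a captured d d ipsec output, reads MODE from the header, and lists SAs that are not MATURE, use weak or legacy algorithms, or, in MANUAL mode, carry an INFINITE hard lifetime that nothing will ever rotate. The SAMPLE text is constructed from the output above with reconstructed spacing; the WEAK/LEGACY classification and the state notes are this example's own assumptions, not something the router reports.

```python
"""Audit the Security Associations listed by `d d ipsec` on an Abilis CPX.

Added example, not Abilis code.  SAMPLE is constructed from the output on the
page (spacing reconstructed); WEAK/LEGACY and the MANUAL-mode lifetime check
are this example's own policy.
"""
import re

SAMPLE = """\
RES:IpSec ---------------------------------------------------------------------
IP_Security_Protocol
STATE:ACTIVE   MODE:IKE   IN-CHK:YES
POLICY-IN :2   SA-IN :2   SA-BND-IN :2
POLICY-OUT:2   SA-OUT:2   SA-BND-OUT:2
- Security Associations diagnostics: -----------------------------------
SA   Bundle State    SPI       SrcIp            Auth    SoftTime
     Prot   Tunnel             DstIp            Cipher  HardTime
------------------------------------------------------------------------
1    1      MATURE   0AD000E8  188.138.185.166  MD5     INFINITE
     ESP    YES                078.081.162.041  3DES    INFINITE
------------------------------------------------------------------------
3    3      MATURE   40B7CB29  188.138.185.166  SHA1    INFINITE
     ESP    YES                092.115.190.246  AES256  INFINITE
------------------------------------------------------------------------
0    0      MATURE   19C0574E  078.081.162.041  MD5     INFINITE
     ESP    YES                188.138.185.166  3DES    INFINITE
------------------------------------------------------------------------
2    2      MATURE   8EC173B6  092.115.190.246  SHA1    INFINITE
     ESP    YES                188.138.185.166  AES256  INFINITE
------------------------------------------------------------------------
"""

# Assumed classification: NONE/DES/MD5 give no or broken protection; the 64-bit
# block ciphers and SHA-1 still work but should be migrated to AES / SHA-2.
WEAK = {"NONE", "DES", "MD5"}
LEGACY = {"3DES", "IDEA", "CAST", "BLOWFISH", "SHA1", "SHA-1"}

# Non-MATURE states, with the meaning the page gives them.
STATE_NOTE = {
    "LARVAL": "created by IKE but not working yet",
    "DYING": "soft lifetime expired",
    "DEAD": "hard lifetime expired, packets on this SA are dropped",
}

FIRST = ("sa", "bundle", "state", "spi", "src", "auth", "soft")    # line 1 of a record
SECOND = ("prot", "tunnel", "dst", "cipher", "hard")               # line 2 of a record


def parse_mode(text):
    """MANUAL or IKE from the MODE: field of the header block (None if absent)."""
    m = re.search(r"\bMODE:(\w+)", text)
    return m.group(1) if m else None


def parse_sas(text):
    """Return one dict per SA from the two-line records of the diagnostics block."""
    sas, rec = [], None
    for line in text.splitlines():
        tok = line.split()
        # the first line of a record starts with two integers (SA id, bundle id)
        if len(tok) == len(FIRST) and tok[0].isdigit() and tok[1].isdigit():
            rec = dict(zip(FIRST, tok))
        # the second line starts with the protocol name and completes the record
        elif rec is not None and len(tok) == len(SECOND) and tok[0] in ("AH", "ESP"):
            rec.update(zip(SECOND, tok))
            rec["sa"], rec["bundle"] = int(rec["sa"]), int(rec["bundle"])
            sas.append(rec)
            rec = None
    return sas


def audit(text):
    """Human-readable findings for the SAs in a captured `d d ipsec` output."""
    mode, findings = parse_mode(text), []
    for sa in parse_sas(text):
        tag = f"SA {sa['sa']} {sa['src']}->{sa['dst']} {sa['prot']} SPI {sa['spi']}"
        if sa["state"] != "MATURE":
            findings.append(f"{tag}: state {sa['state']} ({STATE_NOTE.get(sa['state'], 'unknown')})")
        # AH carries no cipher, so only judge the Cipher column for ESP
        for role in (("auth", "cipher") if sa["prot"] == "ESP" else ("auth",)):
            alg = sa[role]
            if alg in WEAK:
                findings.append(f"{tag}: {role} {alg} is weak")
            elif alg in LEGACY:
                findings.append(f"{tag}: {role} {alg} is legacy, migrate to AES/SHA-2")
        # With manual keying nothing rekeys an INFINITE SA; in IKE mode the IKE
        # SA carries the lifetime (see `d d ike`), so INFINITE here is expected.
        if mode == "MANUAL" and sa["hard"] == "INFINITE":
            findings.append(f"{tag}: manual key with INFINITE hard lifetime, never rotated")
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against the page's output the audit reports MD5 as weak on SAs 1 and 0 and 3DES/SHA1 as legacy on all four; the same capture with MODE:MANUAL would additionally flag every INFINITE hard lifetime.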
Two commands help to understand what is happening in case of trouble. d s ipsec shows the IPSEC resource statistics: the total number of IP frames received/sent by the IPSEC resource from/to IP, the total number of characters received/sent by the IPSEC port from/to IP, the total number of bypassed incoming/outgoing IKE packets, and so on. d se ipsec shows the same resource statistics followed by the per-Security-Association statistics (the total number of incoming/outgoing characters and IP frames processed by each Security Association, etc.).
[11:42:10] ABILIS_CPX:
d s ipsec
RES:IpSec ---------------------------------------------------------------------
IP_Security_Protocol
--- Cleared 0 days 19:43:58 ago, on 05/12/2017 at 19:32:03 -------------
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
FRM        |   15547708|   13350951|CHR        |   97364895| 1351603212|
FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
FRM-BYPASS |   15547609|   13350870|CHR-BYPASS |   97347719| 1351562850|
------------------------------------------------------------------------
FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
NO-POLICY  |          0|   13350817|LONG       |          0|          0|
BAD-SA     |          0|          0|NO-SA      |          0|          0|
BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
REP-CHK    |          0|          0|BAD-ECN    |          0|           |
------------------------------------------------------------------------
[11:42:10] ABILIS_CPX:
d se ipsec
RES:IpSec ---------------------------------------------------------------------
IP_Security_Protocol
--- Cleared 0 days 19:44:00 ago, on 05/12/2017 at 19:32:02 -------------
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
FRM        |   15548082|   13351218|CHR        |   97849852| 1351637231|
FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
FRM-BYPASS |   15547983|   13351137|CHR-BYPASS |   97832676| 1351596869|
------------------------------------------------------------------------
FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
NO-POLICY  |          0|   13351084|LONG       |          0|          0|
BAD-SA     |          0|          0|NO-SA      |          0|          0|
BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
REP-CHK    |          0|          0|BAD-ECN    |          0|           |
------------------------------------------------------------------------
- Security Associations statistics: ------------------------------------
SA:1  CHR:9784  AUTH-FAIL:0  BAD-CBLK:0  FRM:17  REP-CHK:0  BAD-ECN:0
------------------------------------------------------------------------
SA:0  CHR:3216  AUTH-FAIL:0  BAD-CBLK:0  FRM:21  REP-CHK:0  BAD-ECN:0
------------------------------------------------------------------------
With reference to the shown interval of time («Cleared 0 days 19:44:00 ago») these counters show the number of:
FRM        | Incoming/outgoing packets from/to IP (inbound or outbound according to the SA's direction). |
CHR        | Incoming/outgoing characters from/to IP (inbound or outbound according to the SA's direction). |
FRM-OK     | Incoming/outgoing packets successfully processed by IPSEC. |
FRM-DROP   | Dropped incoming/outgoing packets. |
FRM-BYPASS | Incoming/outgoing packets passed through unchanged (bypassed) by IPSEC. |
CHR-OK     | Characters of the incoming/outgoing packets successfully processed by IPSEC, counted before IPSEC processing. |
CHR-DROP   | Characters of the dropped incoming/outgoing packets. |
CHR-BYPASS | Characters of the bypassed incoming/outgoing packets. |
FRM-IKE    | Bypassed incoming/outgoing IKE packets. |
NATT-KA    | Dropped incoming/outgoing NAT-T keep-alive packets. |
NO-POLICY  | Incoming/outgoing packets for which no inbound/outbound policy was found. In the two captures above the OUTPUT value advances together with FRM-BYPASS while FRM-DROP stays at 0, so outbound packets without a policy are bypassed in clear rather than dropped; check that this is the intended default for the traffic concerned. |
LONG       | Incoming/outgoing packets that are too long. |
BAD-SA     | Dropped incoming/outgoing packets whose inbound/outbound SA is in a bad state. The counter is incremented every time the SA is found in the LARVAL or DEAD state. |
NO-SA      | Dropped incoming/outgoing packets for which no inbound/outbound SA was found. |
BAD-FMT    | Incoming/outgoing packets with bad IPSEC format. |
AUTH-FAIL  | Dropped incoming packets whose authentication failed (wrong key, corrupted or forged packet). |
BAD-CBLK   | Dropped incoming packets with a bad cipher block. |
BAD-CHK    | Dropped incoming packets that failed the inbound policy check (IN-CHK:YES). |
REP-CHK    | Dropped incoming packets that failed the replay window check. |
BAD-ECN    | Dropped incoming packets that failed the ECN (Explicit Congestion Notification) check. Like AUTH-FAIL, BAD-CBLK, BAD-CHK and REP-CHK it is an INPUT-only counter. |
The per-SA block of d se ipsec repeats CHR, FRM, AUTH-FAIL, BAD-CBLK, REP-CHK and BAD-ECN for each Security Association, which is the quickest way to see which tunnel a non-zero error counter belongs to.
This command reports the current state of the IKE resource:
[11:42:10] ABILIS_CPX:
d d ike
RES:Ike -----------------------------------------------------------------------
Internet_Keys_Exchange_Protocol
IKE-STATE:ACTIVE     CUR-MAX-HOSTS:8    ISAKMP-SA:2        IPSEC-SA:2
IPSEC-STATE:ACTIVE   CUR-HOSTS:2        ISAKMP-SA-EST:2    IPSEC-SA-EST:2
- Security Associations diagnostics ---------------------------------------
Host Name                   Lifetime  Dpd      DH      NATT    LocIp-Port
     Type                   Expiry    Action   Hash    Side
SN   RemIp-Port             State     Replace  Pending Cipher
--------------------------------------------------------------------
Host Name                   Lifetime  Passive  Esp     Ah      Cli  LocNet/LocMask
     Type                   Expiry    Perm     EspAuth AhAuth
SN   RemNet/RemMask         State     Replace  Tunnel  EspCipher Pfs
---------------------------------------------------------------------------
0    Agent_HOST1            28800     YES      1024    AUTO    188.138.185.166-4500
     ISAKMP                 28536     STOP     SHA1    INSIDE
55   092.115.190.246-31313  MAIN-R3   0        0       AES256
--------------------------------------------------------------------
0    Agent_Cli1             3600      YES      YES     NO      0    192.168.020.000/24
     IPSEC                  3343      YES      SHA1    SHA1
56   192.168.010.007/32     QUICK-R2  0        YES     AES256  YES
---------------------------------------------------------------------------
8    Shrew_Ubuntu           28800     NO       1024    AUTO    188.138.185.166-500
     ISAKMP                 10160     STOP     MD5     INSIDE
48   078.081.162.041-500    MAIN-R3   0        0       3DES
--------------------------------------------------------------------
8    Shrew_Ubuntu           3600      YES      YES     NO      8    000.000.000.000/00
     IPSEC                  2962      YES      MD5     MD5
54   172.031.101.002/32     QUICK-R2  0        YES     3DES    YES
---------------------------------------------------------------------------
The meaning:
IKE-STATE
IKE port state:
DOWN - registration to the lower UDP port failed (the UDP service is not available), so IKE can neither send nor receive.
INACTIVE - the configuration parameter ACT is set to NO.
ACTIVE - the driver is fully ready to work.
INIT - the IKE port is initialising.
IPSEC-STATE
IPSec port state as seen by IKE:
INACTIVE - the IPSec port is not ready to work with IKE.
ACTIVE - the IPSec port is fully ready to work.
CUR-MAX-HOSTS
Maximum number of configured hosts (IKE peers).
CUR-HOSTS
Number of hosts currently in use.
ISAKMP-SA
Current number of ISAKMP SAs (IKE phase 1, main mode).
ISAKMP-SA-EST
Current number of established ISAKMP SAs.
IPSEC-SA
Current number of IPSEC SAs (IKE phase 2, quick mode).
IPSEC-SA-EST
Current number of established IPSEC SAs.
The meaning of Security Associations diagnostics:
SN
Serial number of the SA structure.
Name
Name of the IKE Security Association (SA).
Type
Type of the IKE Security Association (SA):
ISAKMP - ISAKMP Security Association (IKE main mode, phase 1).
IPSEC - IPsec Security Association (IKE quick mode, phase 2).
LocIp-Port
Local IP address and local IKE UDP port (500, or 4500 when NAT-T is in use, as for Agent_HOST1 above).
RemIp-Port
Remote IP address and remote IKE UDP port.
LocNet/LocMask
Local client network and mask. IPsec SA only.
RemNet/RemMask
Remote client network and mask. IPsec SA only.
State
State of the IKE Security Association (SA):
IDLE - the SA is idle.
MAIN-R0, MAIN-R1 - main mode, responder side: the first IKE message has been received from the peer.
MAIN-R2 - main mode, responder side: the second IKE message has been received from the peer.
MAIN-R3 - main mode, responder side: the third IKE message has been received from the peer. The ISAKMP SA is established.
MAIN-I1 - main mode, initiator side: the first IKE message has been sent to the peer.
MAIN-I2 - main mode, initiator side: the second IKE message has been sent to the peer.
MAIN-I3 - main mode, initiator side: the third IKE message has been sent to the peer.
MAIN-I4 - main mode, initiator side: the third IKE message has been received from the peer. The ISAKMP SA is established.
QUICK-R0, QUICK-R1 - quick mode, responder side: the first IKE message has been received from the peer.
QUICK-R2 - quick mode, responder side: the second IKE message has been received from the peer. The IPSEC SA is established.
QUICK-I1 - quick mode, initiator side: the first IKE message has been sent to the peer.
QUICK-I2 - quick mode, initiator side: the second IKE message has been sent to the peer. The IPSEC SA is established.
In the example above all four SAs are in MAIN-R3 or QUICK-R2, i.e. established with this router acting as responder in both phases: both remote peers initiated the negotiation.
Pending
Number of pending IPSEC connections. ISAKMP SA only.
Replace
Remaining time (in seconds) before the replacement of the SA begins.
Expiry
Remaining time (in seconds) before the SA expires.
This command can help to understand what is happening in case of trouble:
[11:42:10] ABILIS_CPX:
d s ike
RES:Ike -----------------------------------------------------------------------
Internet_Keys_Exchange_Protocol
--- Cleared 5 days 20:18:18 ago, on 05/12/2017 at 19:31:34 -------------
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
CHR        |      71632|      35892|LONG       |          0|          0|
FRM        |        615|        250|BAD-FMT    |          4|           |
FRM-LOST   |          0|           |DUPLICATED |          0|           |
------------------------------------------------------------------------
-----------|--ISAKMP---|---IPSEC---|
SA-R       |         76|         14|
SA-I       |          6|          0|
SA-EST-R   |         10|         13|
SA-EST-I   |          4|          0|
AUTH-FAIL  |          0|          0|
NO-PROP    |          0|          0|
------------------------------------------------------------------------
With reference to the shown interval of time («Cleared 5 days 20:18:18 ago») these counters show the number of:
CHR        | Incoming/outgoing characters from/to IP. |
FRM        | Incoming/outgoing frames from/to IP. |
FRM-LOST   | Incoming packets lost because the receive buffer was full. |
LONG       | Incoming/outgoing packets from/to UDP that are too long. |
BAD-FMT    | Incoming packets with bad IKE format (4 in the example above). |
DUPLICATED | Incoming duplicated packets. |
SA-R       | ISAKMP/IPSEC negotiation attempts, responder side. |
SA-I       | ISAKMP/IPSEC negotiation attempts, initiator side. |
SA-EST-R   | ISAKMP/IPSEC negotiations successfully established, responder side. |
SA-EST-I   | ISAKMP/IPSEC negotiations successfully established, initiator side. |
AUTH-FAIL  | ISAKMP/IPSEC negotiations that failed authentication. |
NO-PROP    | ISAKMP/IPSEC negotiations in which no proposal could be chosen (no algorithm set in common with the peer). |
Comparing SA-R with SA-EST-R shows how many negotiations started by peers did not complete: in the example 76 ISAKMP attempts were received but only 10 were established, while AUTH-FAIL and NO-PROP are both 0, so the 66 incomplete negotiations did not fail on authentication or proposal selection and are worth investigating (peers that never finish main mode, or retransmissions counted as new attempts).
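Reading these counters by eye hides small changes between captures. The following added Python example (not Abilis code) serves both the d s ipsec / d se ipsec tables above and the d s ike table here: it parses the NAME | value | value | cells, subtracts two captures, and lists what a practitioner should look at (non-zero AUTH-FAIL, REP-CHK, NO-SA and the other error counters, outbound NO-POLICY traffic that is bypassed instead of dropped, and IKE negotiations that never established). The three captures embedded in it are constructed from the outputs on this page with reconstructed spacing and separator lines omitted; the checks and their wording are this example's own choices.

```python
"""Deltas and health findings from `d s ipsec` / `d s ike` counter tables.

Added example, not Abilis code.  The captures below are constructed from the
outputs on this page (spacing reconstructed); the checks are this example's own.
"""
IPSEC_T1 = """\
FRM        |   15547708|   13350951|CHR        |   97364895| 1351603212|
FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
FRM-BYPASS |   15547609|   13350870|CHR-BYPASS |   97347719| 1351562850|
FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
NO-POLICY  |          0|   13350817|LONG       |          0|          0|
BAD-SA     |          0|          0|NO-SA      |          0|          0|
BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
REP-CHK    |          0|          0|BAD-ECN    |          0|           |
"""
# Same counters two seconds later (the `d se ipsec` capture on the page).
IPSEC_T2 = """\
FRM        |   15548082|   13351218|CHR        |   97849852| 1351637231|
FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
FRM-BYPASS |   15547983|   13351137|CHR-BYPASS |   97832676| 1351596869|
FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
NO-POLICY  |          0|   13351084|LONG       |          0|          0|
BAD-SA     |          0|          0|NO-SA      |          0|          0|
BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
REP-CHK    |          0|          0|BAD-ECN    |          0|           |
"""
# `d s ike`: the first block is INPUT/OUTPUT, the second block is ISAKMP/IPSEC.
IKE = """\
-----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
CHR        |      71632|      35892|LONG       |          0|          0|
FRM        |        615|        250|BAD-FMT    |          4|           |
FRM-LOST   |          0|           |DUPLICATED |          0|           |
SA-R       |         76|         14|
SA-I       |          6|          0|
SA-EST-R   |         10|         13|
SA-EST-I   |          4|          0|
AUTH-FAIL  |          0|          0|
NO-PROP    |          0|          0|
"""


def parse_counters(text):
    """Map counter name -> (left column, right column); blank cells become None."""
    counters = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        cells += [""] * (-len(cells) % 3)            # pad to whole (name, a, b) triples
        for i in range(0, len(cells), 3):
            name, a, b = cells[i:i + 3]
            if name and not name.startswith("-"):    # skip empty and header cells
                counters[name] = tuple(int(v) if v.isdigit() else None for v in (a, b))
    return counters


def delta(before, after):
    """Per-counter increase between two captures (None where a cell is blank)."""
    out = {}
    for name, now in after.items():
        old = before.get(name, (None, None))
        out[name] = tuple(None if n is None or o is None else n - o for n, o in zip(now, old))
    return out


# IPSEC counters whose non-zero value needs an explanation, with the page's meaning.
IPSEC_ERRORS = {
    "AUTH-FAIL": "authentication failed", "REP-CHK": "replay window check failed",
    "BAD-SA": "SA in LARVAL/DEAD state", "NO-SA": "no SA found",
    "BAD-FMT": "bad IPSEC format", "BAD-CBLK": "bad cipher block",
    "BAD-CHK": "inbound policy check failed", "LONG": "packet too long",
}


def ipsec_findings(c):
    """Findings for one parsed `d s ipsec` capture (or a delta of two captures)."""
    out = [f"{n} in/out={c[n]}: {why}" for n, why in IPSEC_ERRORS.items() if n in c and any(c[n])]
    no_policy_out = c.get("NO-POLICY", (0, 0))[1]
    if no_policy_out and not c.get("FRM-DROP", (0, 0))[1]:
        # On the page's captures NO-POLICY OUTPUT advances with FRM-BYPASS while
        # FRM-DROP stays 0: packets with no outbound policy leave in clear.
        out.append(f"NO-POLICY out={no_policy_out}: traffic without an outbound policy is bypassed in clear")
    return out


def ike_findings(c):
    """Findings for a parsed `d s ike` capture."""
    out = [f"{n} in={c[n][0]}" for n in ("BAD-FMT", "FRM-LOST", "DUPLICATED") if c.get(n, (0,))[0]]
    for proto, col in (("ISAKMP", 0), ("IPSEC", 1)):
        for side, label in (("R", "responder"), ("I", "initiator")):
            tried, done = c[f"SA-{side}"][col], c[f"SA-EST-{side}"][col]
            if tried - done > 0:
                out.append(f"{proto} {label}: {tried - done} of {tried} negotiations not established")
        for n in ("AUTH-FAIL", "NO-PROP"):
            if c[n][col]:
                out.append(f"{proto} {n}={c[n][col]}")
    return out


if __name__ == "__main__":
    t1, t2 = parse_counters(IPSEC_T1), parse_counters(IPSEC_T2)
    print("FRM delta in/out:", delta(t1, t2)["FRM"], *ipsec_findings(t2), *ike_findings(parse_counters(IKE)), sep="\n")
```

On the page's captures the delta shows 374 incoming and 267 outgoing frames in two seconds, all of them bypassed (FRM-OK does not move), the only IPSEC finding is the bypassed outbound NO-POLICY traffic, and the IKE findings are the 4 malformed packets plus 66 responder-side ISAKMP, 2 initiator-side ISAKMP and 1 responder-side IPSEC negotiations that never established.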