48.4. IPSEC and IKE diagnostics and statistics

48.4.1. IPSEC diagnostics

This command reports the current situation of the IPSEC resource:

[11:42:10] ABILIS_CPX:d d ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol
       STATE:ACTIVE         MODE:IKE         IN-CHK:YES
       POLICY-IN :1         SA-IN :1         SA-BND-IN :1
       POLICY-OUT:1         SA-OUT:1         SA-BND-OUT:1
       - Security Associations diagnostics: -----------------------------------
       SA  Bundle State   SPI      SrcIp           Auth     SoftTime
           Prot   Tunnel           DstIp           Cipher   HardTime
       ------------------------------------------------------------------------
       0   0      MATURE  C4DCB36E 192.168.006.002 MD5      INFINITE
           ESP    YES              192.168.006.001 3DES     INFINITE
       ------------------------------------------------------------------------
       1   1      MATURE  1969FC22 192.168.006.001 MD5      INFINITE
           ESP    YES              192.168.006.002 3DES     INFINITE
       ------------------------------------------------------------------------

The meaning:

STATE

IPSEC port state:

  • INACTIVE - configuration parameter ACT:NO.

  • ACTIVE - the driver is fully ready to work.

MODE

Mode of IPSEC:

  • MANUAL - the IPSEC port is in manual mode. Manual manipulates manually-keyed IPSEC connections.

  • IKE - the IPSEC is in automatic IKE mode. Auto manipulates automatically-keyed IPSEC connections.

IN-CHK

IPSEC port inbound policy check flag:

  • NO - Inbound policy check is disabled.

  • YES - Inbound policy check is enabled.

POLICY-IN/POLICY-OUT

Number of inbound/outbound security policies in the policy table.

SA-IN/SA-OUT

Number of inbound/outbound Security Associations (SA) in the SA table.

SA-BND-IN/SA-BND-OUT

Number of inbound/outbound Security Association (SA) bundles in the SA table.

SA

ID of Security Association record from SA table.

Bundle

Number of SA bundle group of Security Association record.

State

State of Security Association:

  • LARVAL - Security Association is one that was created by IKE, but is not working yet. Displayed in IKE mode only.

  • MATURE - Security Association is in working mode. In MANUAL mode Security Association always is in this state.

  • DYING - Security Association is one whose soft lifetime has expired. Displayed in IKE mode only.

  • DEAD - Security Association is one whose hard lifetime has expired, but hasn't been reaped by system garbage collection. Incoming and outgoing IP packets will be dropped. Displayed in IKE mode only.

SPI

Security Parameters Index which identifies this Security Association IPSEC SA SPI parameter.

SrcIp

Source IP address.

Auth

Authentication algorithm for the IPSEC protocol (AH or ESP):

  • NONE - No algorithm.

  • MD5 - Message Digest Algorithm MD5.

  • SHA-1 - Message Digest Algorithm SHA-1.

SoftTime

Time in seconds when soft timer will be expired and SA will go to the DYING state.

Prot

IPSEC protocol:

  • AH - Authentication Header protocol.

  • ESP - Encapsulating Security Payload protocol.

Tunnel

Transport or tunnel mode of IPSEC protocol:

  • NO - Transport mode of IPSEC protocol.

  • YES - Tunnel mode of IPSEC protocol.

DstIp

Destination IP address.

Cipher

Encryption algorithm for the IPSEC ESP protocol:

  • NONE - No algorithm.

  • DES - DES algorithm in CBC mode.

  • 3DES - Triple DES algorithm in CBC mode.

  • IDEA - IDEA algorithm in CBC mode.

  • CAST - CAST algorithm in CBC mode.

  • BLOWFISH - BLOWFISH algorithm in CBC mode.

HardTime

Time in seconds when hard timer will be expired and SA will go to the DEAD state.

48.4.2. Statistics of the IPSEC resource

This command can help to understand what is happening, in case of troubles:

d s ipsec

Shows the IPSEC resource statistics such as the total number of IP frames received/sent by IPSEC resource from/to the IP, the total number of characters received/sent by the IPSEC port from/to the IP, the total number of bypassed incoming/outgoing IKE packets, etc.

d se ipsec

Shows the IPSEC resource statistics and the IPsec Security Associations statistics (the total number of incoming/outgoing characters processed by Security Association, the total number of incoming/outgoing IP frames processed by Security Association, etc.).

[11:42:10] ABILIS_CPX:d s ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol                                                    
       --- Cleared 0 days 19:43:58 ago, on 05/12/2017 at 19:32:03 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       FRM        |   15547708|   13350951|CHR        |   97364895| 1351603212|
       FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
       FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
       FRM-BYPASS |   15547609|   13350870|CHR-BYPASS |   97347719| 1351562850|
       ------------------------------------------------------------------------
       FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
       NO-POLICY  |          0|   13350817|LONG       |          0|          0|
       BAD-SA     |          0|          0|NO-SA      |          0|          0|
       BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
       BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
       REP-CHK    |          0|          0|BAD-ECN    |          0|           |
       ------------------------------------------------------------------------
[11:42:10] ABILIS_CPX:d se ipsec

RES:IpSec ---------------------------------------------------------------------
       IP_Security_Protocol                                                    
       --- Cleared 0 days 19:44:00 ago, on 05/12/2017 at 19:32:02 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       FRM        |   15548082|   13351218|CHR        |   97849852| 1351637231|
       FRM-OK     |         99|         81|CHR-OK     |      17176|      40362|
       FRM-DROP   |          0|          0|CHR-DROP   |          0|          0|
       FRM-BYPASS |   15547983|   13351137|CHR-BYPASS |   97832676| 1351596869|
       ------------------------------------------------------------------------
       FRM-IKE    |         96|         96|NATT-KA    |          0|          0|
       NO-POLICY  |          0|   13351084|LONG       |          0|          0|
       BAD-SA     |          0|          0|NO-SA      |          0|          0|
       BAD-FMT    |          0|          0|AUTH-FAIL  |          0|           |
       BAD-CBLK   |          0|           |BAD-CHK    |          0|           |
       REP-CHK    |          0|          0|BAD-ECN    |          0|           |
       ------------------------------------------------------------------------
       - Security Associations statistics: ------------------------------------
       SA:1      CHR:9784        AUTH-FAIL:0            BAD-CBLK:0           
                 FRM:17          REP-CHK:0              BAD-ECN:0           
       ------------------------------------------------------------------------
       SA:0      CHR:3216        AUTH-FAIL:0            BAD-CBLK:0           
                 FRM:21          REP-CHK:0              BAD-ECN:0           
       ------------------------------------------------------------------------

With reference to the shown interval of time («Cleared 0 days 19:44:00 ago») these counters show the number of:

FRMIncoming/outgoing (depended on SA's direction) packets from/to IP.
CHRIncoming/outgoing (depended on SA's direction) characters from/to IP.
FRM-OKIncoming/outgoing packets successful processed.
FRM-DROPDropped incoming/outgoing packets
FRM-BYPASSBypassed incoming/outgoing packets.
CHR-OKIncoming/outgoing characters from IP before IPSEC successful processed.
CHR-DROPDropped incoming/outgoing characters.
CHR-BYPASSBypassed incoming/outgoing characters.
FRM-IKEBypassed incoming/outgoing IKE packets.
NATT-KADropped incoming/outgoing NAT-T keep alive packets.
NO-POLICYDropped incoming/outgoing packets. Inbound/outbound policy is not found.
LONGIncoming/outgoing too long packets.
BAD-SADropped incoming/outgoing packets. Inbound/outbound SA is in bad state. The counter is incremented every time when inbound SA is in bad state (LARVAL or DEAD).
NO-SADropped incoming/outgoing packets. Inbound/outbound SA is not found.
BAD-FMTIncoming/outgoing packets with bad IPSEC format.
AUTH-FAILDropped incoming packets. Authentication is failed.
BAD-CBLKDropped incoming packets. Bad cipher block.
BAD-CHKDropped incoming packets. Inbound policy check error.
REP-CHKDropped incoming packets. Replay window check error.
BAD-ECNDropped outgoing packets. Replay window check error.

48.4.3. IKE diagnostics

This command reports the current situation of the IKE resource:

[11:42:10] ABILIS_CPX:d d ike

RES:Ike -----------------------------------------------------------------------
       Internet_Keys_Exchange_Protocol
       IKE-STATE:ACTIVE      IPSEC-STATE:ACTIVE
       CUR-MAX-HOSTS:16   CUR-HOSTS:2
       ISAKMP-SA:1        ISAKMP-SA-EST:1     IPSEC-SA:1     IPSEC-SA-EST:1
       - Security Associations diagnostics: -----------------------------------
       SerialNo   Name                                     Type     Side
                  LocIp-LocPort         LocNet/LocMask     State    ReplaceTime
                  RemIp-RemPort         RemNet/RemMask     Pending  ExpiryTime
       ------------------------------------------------------------------------
       1                                                   IPsec    RESPONDER
                  192.168.006.001-500   192.168.006.001/32 QUICK-R2 3422
                  192.168.006.002-500   192.168.006.002/32 0        3542
       ------------------------------------------------------------------------
       2                                                   ISAKMP   RESPONDER
                  192.168.006.001-500   000.000.000.000/00 MAIN-R3  3420
                  192.168.006.002-500   000.000.000.000/00 0        3540
       ------------------------------------------------------------------------

The meaning:

IKE-STATE

IKE port state:

  • DOWN - state set when registration to lower UDP port fail (UDP service is not possible).

  • INACTIVE - configuration parameter ACT:NO.

  • ACTIVE - the driver is fully ready to work.

  • INIT - IKE port is in init state.

IPSEC-STATE

IPSec port state:

  • INACTIVE - IPSec port is not "ready" to work with IKE.

  • ACTIVE - IPSec port is fully ready to work.

CUR-MAX-HOSTS

Maximum hosts configured.

CUR-HOSTS

Current hosts used.

ISAKMP-SA

Current number of ISAKMP SAs.

ISAKMP-SA-EST

Current number of established ISAKMP SAs.

IPSEC-SA

Current number of IPSEC SAs.

IPSEC-SA-EST

Current number of established IPSEC SAs.

The meaning of Security Associations diagnostics:

SerialNo

Serial number of SA structure.

Name

Name of IKE Security Associations (SA).

Type

Type of IKE Security Associations (SA):

  • ISAKMP - ISAKMP Security Association (main mode of IKE).

  • IPsec - IPsec Security Association (quick mode of IKE).

Side

Side of IKE Security Associations (SA):

  • INITIATOR - Security Association is created by local side.

  • RESPONDER - Security Association is created by remote side.

LocIp-LocPort

Local IP address - Local IKE UDP port.

RemIp-RemPort

Remote IP address - Remote IKE UDP port.

LocNet/LocMask

Local client network/Local client network mask. For IPsec SA only.

RemNet/RemMask

Remote client network/Remote client network mask. For IPsec SA only.

State

State of IKE Security Associations (SA):

  • IDLE - SA is in idle state.

  • MAIN-R0, MAIN-R1 - SA is in main IKE mode. 1 IKE message is received from peer (responder side).

  • MAIN-R2 - SA is in main IKE mode. 2 IKE message is received from peer (responder side).

  • MAIN-R3 - SA is in main IKE mode. 3 IKE message is received from peer (responder side). ISAKMP SA is established.

  • MAIN-I1 - SA is in main IKE mode. 1 IKE message is sent to peer (initiator side).

  • MAIN-I2 - SA is in main IKE mode. 2 IKE message is sent to peer (initiator side).

  • MAIN-I3 - SA is in main IKE mode. 3 IKE message is sent to peer (initiator side).

  • MAIN-I4 - SA is in main IKE mode. 3 IKE message is received from peer (initiator side). ISAKMP SA is established.

  • QUICK-R0, QUICK-R1 - SA is in quick IKE mode. 1 IKE message is received from peer (responder side).

  • QUICK-R2 - SA is in quick IKE mode. 2 IKE message is received from peer (responder side). IPSEC SA is established.

  • QUICK-I1 - SA is in quick IKE mode. 1 IKE message is sent to peer (initiator side).

  • QUICK-I2 - SA is in quick IKE mode. 2 IKE message is sent to peer (initiator side). IPSEC SA is established.

Pending

Number of pending IPSEC connections. For ISAKMP SA only.

ReplaceTime

Remaining time (in seconds) to begin replace SA.

ExpiryTime

Remaining time (in seconds) to expire SA.

48.4.4. Statistics of the IKE resource

This command can help to understand what is happening, in case of troubles:

[11:42:10] ABILIS_CPX:d s ike

RES:Ike -----------------------------------------------------------------------
       Internet_Keys_Exchange_Protocol                                         
       --- Cleared 5 days 20:18:18 ago, on 05/12/2017 at 19:31:34 -------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       CHR        |      71632|      35892|LONG       |          0|          0|
       FRM        |        615|        250|BAD-FMT    |          4|           |
       FRM-LOST   |          0|           |DUPLICATED |          0|           |
       ------------------------------------------------------------------------
       -----------|--ISAKMP---|---IPSEC---|
       SA-R       |         76|         14|
       SA-I       |          6|          0|
       SA-EST-R   |         10|         13|
       SA-EST-I   |          4|          0|
       AUTH-FAIL  |          0|          0|
       NO-PROP    |          0|          0|
       ------------------------------------------------------------------------

With reference to the shown interval of time («Cleared 5 days 20:18:18 ago») these counters show the number of:

CHRIncoming/outgoing characters from/to IP.
FRMIncoming/outgoing frames from/to IP.
FRM-LOSTLost incoming packets: buffer is full.
LONGIncoming/outgoing too long packets from/to UDP.
BAD-FMTIncoming packets with bad IKE format.
DUPLICATEDIncoming duplicated packets.
SA-RISAKMP/IPSEC negotiation attempts (responder side).
SA-IISAKMP/IPSEC negotiation attempts (initiator side).
SA-EST-RISAKMP/IPSEC successful established negotiations (responder side).
SA-EST-IISAKMP/IPSEC successful established negotiations (initiator side).
AUTH-FAILISAKMP/IPSEC failed authentications.
NO-PROPNot chosen ISAKMP/IPSEC proposal.