IPsec monitor
The IPsec monitor displays information about all connected site-to-site VPN, dial-up VPN, and ADVPN shortcut tunnels. You can use the monitor to bring a phase 2 tunnel up or down, or to disconnect dial-up users. A notification appears in the monitor when users have not enabled two-factor authentication.
To view the IPsec monitor in the GUI:
- Go to Dashboard > Network.
- Hover over the IPsec widget, and click Expand to Full Screen. A warning appears when an unauthenticated user is detected.
To filter or configure a column in the table, hover over the column heading and click Filter/Configure Column.
- Hover over a record in the table. A tooltip displays the Phase 1 and Phase 2 interfaces. A warning appears next to a user who has not enabled two-factor authentication.
To reset statistics:
- Select a tunnel in the table.
- In the toolbar, click Reset Statistics, or right-click the tunnel and click Reset Statistics. The Confirm dialog is displayed.
- Click OK.
To bring a tunnel up:
- Select a tunnel in the table.
- Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm dialog is displayed.
- Click OK.
To bring a tunnel down:
- Select a tunnel in the table.
- Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm dialog is displayed.
- Click OK.
To locate a tunnel on the VPN Map:
- Select a tunnel in the table.
- Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. The VPN Location Map is displayed.
To view the IPsec monitor in the CLI:
# diagnose vpn tunnel list
Sample output:
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
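The CLI output above is plain text, so operators who poll it from a script need to parse it themselves. The following is an added example, not part of the FortiOS documentation or product: it splits `diagnose vpn tunnel list` output into per-tunnel records (name, IKE version, peers, mode, counters, DPD flag, active phase 2 SAs, SA lifetime counter), flags tunnels that need attention, and redacts the ESP/AH key material that the command prints in the `dec:`/`enc:` lines, so the output can be shared in a ticket or SIEM without exposing live SA keys. The sample input is the output shown on this page; the field meanings used in the checks (`child_num` as connected dial-up clients, `sa=` as the count of active SAs, `dpd: on=` as the DPD running flag) are assumptions drawn from that output, and the `Tunnel`, `parse_tunnel_list`, `assess` and `redact_keys` names are this example's own.

```python
"""Parse FortiOS `diagnose vpn tunnel list` output into per-tunnel summaries.

Added example; not FortiOS code. Field interpretations are assumptions
based on the sample output reproduced below.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the `diagnose vpn tunnel list` output from the page.
SAMPLE_OUTPUT = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
"""

KEY_RE = re.compile(r"(key=\d+ )[0-9a-fA-F]+")          # hex key after "key=<len> "
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")


@dataclass
class Tunnel:
    name: str
    ike_version: int
    local: str
    remote: str
    mode: str = ""
    children: int = 0          # child_num: connected dial-up clients (assumed)
    rxp: int = 0
    txp: int = 0
    dpd_on: bool = False       # dpd: on=1 (assumed: DPD running for the peer)
    active_sas: int = 0        # sum of sa= over proxyid lines
    life_timeout: tuple[int, int] | None = None  # life: timeout=a/b as printed


def kv(line: str) -> dict[str, str]:
    """Turn 'a=1 b=x/2' into {'a': '1', 'b': 'x/2'}; non key=value tokens are skipped."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def parse_tunnel_list(text: str) -> list[Tunnel]:
    tunnels: list[Tunnel] = []
    cur: Tunnel | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):                 # a new tunnel record begins
            f = kv(line)
            m = PEER_RE.search(line)
            cur = Tunnel(f["name"], int(f["ver"]),
                         m.group(1) if m else "?", m.group(2) if m else "?")
            tunnels.append(cur)
        elif cur is None:
            continue                                 # header / separator lines
        elif line.startswith("bound_if="):
            cur.mode = kv(line)["mode"].split("/")[0]
        elif line.startswith("proxyid_num="):
            cur.children = int(kv(line)["child_num"])
        elif line.startswith("stat:"):
            f = kv(line)
            cur.rxp, cur.txp = int(f["rxp"]), int(f["txp"])
        elif line.startswith("dpd:"):
            cur.dpd_on = kv(line)["on"] == "1"
        elif line.startswith("proxyid="):
            cur.active_sas += int(kv(line)["sa"])
        elif line.startswith("life:"):
            a, b = kv(line)["timeout"].split("/")
            cur.life_timeout = (int(a), int(b))
    return tunnels


def assess(t: Tunnel) -> list[str]:
    """Operator-facing findings; an empty list means nothing stands out."""
    if t.mode == "dialup":
        return ["dial-up gateway with no connected clients"] if t.children == 0 else []
    findings = []
    if t.active_sas == 0:
        findings.append("no active phase 2 SA (tunnel down)")
    elif t.rxp == 0 and t.txp == 0:
        findings.append("SA up but no traffic in either direction")
    return findings


def redact_keys(text: str) -> str:
    """Blank the ESP/AH key bytes so the raw output can be shared safely."""
    return KEY_RE.sub(r"\1<redacted>", text)


if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE_OUTPUT):
        print(f"{t.name}: IKEv{t.ike_version} {t.local}->{t.remote} mode={t.mode} "
              f"sas={t.active_sas} rx/tx={t.rxp}/{t.txp} dpd={'on' if t.dpd_on else 'off'} "
              f"life={t.life_timeout} findings={assess(t) or 'none'}")
    print(redact_keys(SAMPLE_OUTPUT))
```

Run `redact_keys` on the output before attaching it anywhere: the `dec:`/`enc:` lines carry the current SA keys, so a raw paste of this command into a ticket or chat is a key-material leak, not just a log excerpt.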