Administration Guide

IPsec monitor

The IPsec monitor displays all connected Site to Site VPN, Dial-up VPNs, and ADVPN shortcut tunnel information. You can use the monitor to bring a phase 2 tunnel up or down or disconnect dial-up users. A notification appears in the monitor when users have not enabled two-factor authentication.

To view the IPsec monitor in the GUI:
  1. Go to Dashboard > Network.
  2. Hover over the IPsec widget, and click Expand to Full Screen. A warning appears when an unauthenticated user is detected.

    Tooltip

    To filter or configure a column in the table, hover over the column heading and click Filter/Configure Column.

  3. Hover over a record in the table. A tooltip displays the Phase 1 and Phase 2 interfaces. A warning appears next to a user who has not enabled two-factor authentication.

To reset statistics:
  1. Select a tunnel in the table.
  2. In the toolbar, click Reset Statistics or right-click the tunnel, and click Reset Statistics. The Confirm dialog is displayed.
  3. Click OK.

To bring a tunnel up:
  1. Select a tunnel in the table.
  2. Click Bring Up, or right-click the tunnel, and click Bring Up. The Confirm dialog is displayed.
  3. Click OK.

To bring a tunnel down:
  1. Select a tunnel in the table.
  2. Click Bring Down, or right-click the tunnel, and click Bring Down. The Confirm dialog is displayed.
  3. Click OK.

To locate a tunnel on the VPN Map:
  1. Select a tunnel in the table.
  2. Click Locate on VPN Map, or right-click the tunnel, and click Locate on VPN Map. The VPN Location Map is displayed.

To view the IPsec monitor in the CLI:

# diagnose vpn tunnel list

Sample output:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 tun_id=0.0.0.0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 tun_id=19.168.0.1 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
src: 0:0.0.0.0/0.0.0.0:0
dst: 0:0.0.0.0/0.0.0.0:0
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
seqno=2c5e esn=0 replaywin_lastseq=00002ea3 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
ah=sha1 key=20 5f0201f67d7c714a046025a1df41d40376437f6a
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
ah=sha1 key=20 2dde67ef7a2a78b622d9a7ec6d75ad3c55d241e1
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
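The sample output above is what a script has to parse to feed the same tunnel state into a monitoring system. The following Python parser is an added example, not FortiOS code or anything from this guide. It splits the output into per-tunnel records (name, IKE version, endpoints, mode, packet counters, and each phase 2 SA with its SPIs, replay window and lifetime) and reports tunnels with no phase 2 SA, no traffic, a disabled anti-replay window, or an SA close to the end of its lifetime. It reads timeout=1773/1800 as remaining/configured seconds, which is an assumption; the input is the page's sample abridged to the lines the parser uses. The dec:/enc: lines carry the live SA keys after key=, so the parser captures only the SPI from them and its records can be shipped off-box without leaking key material.

```python
"""Parse `diagnose vpn tunnel list` output and flag tunnels needing attention.
Added example, not FortiOS code. Field meanings come from this page's sample output;
reading timeout=1773/1800 as remaining/configured seconds is an assumption."""
import re
from dataclasses import dataclass, field

# Constructed input: the page's sample output, abridged (natt/dpd/src/dst/seqno/ah lines dropped).
SAMPLE_OUTPUT = """\
------------------------------------------------------
name=fct-dialup ver=1 serial=4 10.100.67.5:0->0.0.0.0:0 tun_id=0.0.0.0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=0 refcnt=12 ilast=5545 olast=5545 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
------------------------------------------------------
name=To-HQ-MPLS ver=2 serial=3 192.168.0.14:0->192.168.0.1:0 tun_id=19.168.0.1 dst_mtu=1500
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=22 ilast=0 olast=0 ad=/0
stat: rxp=66693 txp=29183 rxb=33487128 txb=1908427
proxyid=To-HQ-MPLS proto=0 sa=1 ref=6 serial=1 adr
SA: ref=3 options=32203 type=00 soft=0 mtu=1438 expire=266/0B replaywin=2048
life: type=01 bytes=0/0 timeout=1773/1800
dec: spi=700c9198 esp=aes key=16 ebd04605de6148c8a92ced48b30930fa
enc: spi=5aaccc20 esp=aes key=16 13d5d4b46e5e9c42eef509f2d9879188
dec:pkts/bytes=11938/5226964, enc:pkts/bytes=11357/1312184
"""

@dataclass
class Phase2SA:
    proxyid: str
    dec_spi: str = ""
    enc_spi: str = ""
    replaywin: int = 0
    life: tuple = (0, 0)      # (seconds remaining, configured lifetime) - assumed reading

@dataclass
class Tunnel:
    name: str
    ver: int                  # IKE version
    local: str
    remote: str
    mode: str = ""
    rxp: int = 0
    txp: int = 0
    sas: list = field(default_factory=list)

RE_HEAD = re.compile(r"^name=(\S+) ver=(\d+) serial=\d+ ([\d.]+):\d+->([\d.]+):\d+")
RE_MODE = re.compile(r" mode=([\w-]+)/\d+")          # checked on the bound_if= line only
RE_STAT = re.compile(r"^stat: rxp=(\d+) txp=(\d+)")
RE_PROXY = re.compile(r"^proxyid=(\S+) ")
RE_SA = re.compile(r"^SA: .*replaywin=(\d+)")
RE_LIFE = re.compile(r"^life: .*timeout=(\d+)/(\d+)")
# Captures the SPI only; the hex after key= is live SA key material and is never stored.
RE_KEY = re.compile(r"^(dec|enc): spi=([0-9a-f]+) esp=")

def parse_tunnel_list(text: str) -> list:
    """One Tunnel per record; a record starts at its name= line."""
    tunnels, cur, sa = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RE_HEAD.match(line):
            cur, sa = Tunnel(m[1], int(m[2]), m[3], m[4]), None
            tunnels.append(cur)
        elif cur is None:
            continue                                  # banner/separator before the first record
        elif line.startswith("bound_if=") and (m := RE_MODE.search(line)):
            cur.mode = m[1]
        elif m := RE_STAT.match(line):
            cur.rxp, cur.txp = int(m[1]), int(m[2])
        elif m := RE_PROXY.match(line):
            cur.sas.append(sa := Phase2SA(m[1]))
        elif sa is None:
            continue                                  # phase 1 lines this parser does not model
        elif m := RE_SA.match(line):
            sa.replaywin = int(m[1])
        elif m := RE_LIFE.match(line):
            sa.life = (int(m[1]), int(m[2]))
        elif m := RE_KEY.match(line):
            setattr(sa, f"{m[1]}_spi", m[2])
    return tunnels

def health_findings(t: Tunnel, rekey_fraction: float = 0.1) -> list:
    """Human-readable issues for one tunnel; an empty list means nothing to report."""
    if t.mode == "dialup":
        return []                                     # parent entry; each peer gets its own record
    out = []
    if not t.sas:
        out.append("phase 1 up but no phase 2 SA")
    if t.rxp == 0 and t.txp == 0:
        out.append("no packets counted in either direction")
    for sa in t.sas:
        remaining, total = sa.life
        if total and remaining / total < rekey_fraction:
            out.append(f"{sa.proxyid}: under {rekey_fraction:.0%} of SA lifetime left")
        if sa.replaywin == 0:
            out.append(f"{sa.proxyid}: anti-replay window disabled")
    return out

if __name__ == "__main__":
    for t in parse_tunnel_list(SAMPLE_OUTPUT):
        print(f"{t.name}: IKEv{t.ver} {t.local}->{t.remote} mode={t.mode} sas={len(t.sas)} "
              f"rx/tx={t.rxp}/{t.txp} findings={health_findings(t) or 'none'}")
```

Run as-is it prints one line per tunnel from the embedded sample; to use it on a real device, replace SAMPLE_OUTPUT with the text captured from the CLI. The rekey threshold is a parameter so the same check can be tuned per site without touching the parser.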