This function allows you to view the IPSec tunnels that have been set up or are being set up, to facilitate troubleshooting.
| Parameter | Description |
|---|---|
| Policy Name | Name of the IPSec policy group that applies to the tunnel interface |
| IKE User Description | Tunnel description information in the IKE user information list |
| Slot Num/CPU Num | Slot ID and CPU number of the SPU where the tunnel interface resides |
| Virtual System | Name of the virtual system where the tunnel interface resides. public indicates that the tunnel is established by the root system. |
| Status | Status of the IKE negotiation and IPSec negotiation |
| Local Address | IP address of the local tunnel interface |
| Peer Address | IP address of the remote tunnel interface |
| Peer ID Type | ID type of the peer |
| Peer ID Content | ID value of the peer. For example, if the peer ID type is IP address, the value can be 192.168.0.1. |
| Algorithm | Encryption and authentication algorithm used during tunnel negotiation |
| Negotiated Data Flow | Basic information on the encrypted data flow. The basic information includes the source address/port number, destination address/port number, and protocol type. |
| Duration (second) | Duration of the tunnel |
| Sending/Receiving Rate (kbit/s) | Number of sent/received packets within a specific period over the tunnel |
| Last Setup Time | Latest time a tunnel is established |
| Last Teardown Time | Latest time a tunnel is torn down |
| Teardown Reason | Reason for the last tunnel teardown |
| Teardowns Today | Number of tunnel teardowns on the current day |
Initiating Negotiations Proactively
This method is applicable only when the local end can initiate negotiations and the peer device has a fixed IP address or domain name.
Click Diagnose. The local end sends negotiation packets to the peer device, records the negotiation packets transmitted in between, and displays them in the diagnosis result. When a fault is detected, the cause and solution are available in the diagnosis result.
Listening to Negotiation Packets from the Peer Device
This method is applicable only when the local end can respond to the negotiations initiated by the peer device. Therefore, it can be used in both site-to-site VPN and site-to-multisite VPN scenarios. Using this method, the local end listens in on the negotiation packets initiated by the peer device and monitors the entire process of establishing the IPSec tunnel.
For an IPSec policy in a site-to-site VPN, the IP address of the peer device is fixed, so you do not need to specify the address of the peer device to be listened in on. For IPSec policies in a site-to-multisite VPN, multiple peer devices exist and their addresses are variable. Therefore, specify the address of the peer device to be listened in on in Peer IP Address.
Click Diagnose. The local end starts to wait for the negotiation packets from the specified peer device. If no negotiation packets arrive, the route between the local end and the specified peer device is unavailable. If the route in between is available and the peer device initiates negotiations, the local end listens in on the negotiation packets and displays them in the diagnosis result. When a fault is detected, the cause and solution are available in the diagnosis result.
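What listening for a specified peer's negotiation packets amounts to on the wire, as an added example that is not the device's own code: it decodes the fixed IKE header (RFC 7296, section 3.1) from UDP datagrams and filters them by peer address. The function names, the sample datagrams and the addresses are constructed for illustration; the empty result corresponds to the "no negotiation packets arrive" case described above.

```python
import struct

# Fixed 28-byte IKE header: initiator SPI, responder SPI, next payload,
# version, exchange type, flags, message ID, total message length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
EXCHANGES = {  # (major version, exchange type) for IKEv1 and IKEv2
    (1, 2): "Main Mode", (1, 4): "Aggressive Mode", (1, 5): "Informational",
    (1, 32): "Quick Mode", (2, 34): "IKE_SA_INIT", (2, 35): "IKE_AUTH",
    (2, 36): "CREATE_CHILD_SA", (2, 37): "INFORMATIONAL",
}

def parse_ike(payload, udp_port=500):
    """Decode one IKE header; return None if the datagram is not IKE."""
    if udp_port == 4500:                  # NAT-T: IKE carries a 4-byte zero marker
        if payload[:4] != b"\x00" * 4:
            return None                   # ESP-in-UDP data traffic, not negotiation
        payload = payload[4:]
    if len(payload) < IKE_HDR.size:
        return None
    spi_i, spi_r, _np, ver, xchg, _flags, msg_id, length = IKE_HDR.unpack_from(payload)
    major = ver >> 4
    return {
        "version": major,
        "exchange": EXCHANGES.get((major, xchg), f"unknown({xchg})"),
        "initiator_spi": spi_i.hex(),
        "responder_spi": spi_r.hex(),
        "message_id": msg_id,
        "truncated": length > len(payload),
    }

def listen_summary(datagrams, peer_ip):
    """datagrams: (source IP, UDP destination port, payload) seen at the local end."""
    seen = [parse_ike(p, port) for src, port, p in datagrams if src == peer_ip]
    seen = [m for m in seen if m]
    if not seen:
        return "no negotiation packets from peer", []
    return "peer is negotiating", [(m["version"], m["exchange"]) for m in seen]

# Constructed sample input (not a real capture); documentation address ranges.
def make_hdr(spi_i, spi_r, ver, xchg, flags, msg_id):
    return IKE_HDR.pack(spi_i, spi_r, 0, ver, xchg, flags, msg_id, IKE_HDR.size)

SAMPLE = [
    ("198.51.100.7", 500, make_hdr(b"\x11" * 8, b"\x00" * 8, 0x20, 34, 0x08, 0)),
    ("198.51.100.7", 4500, b"\x00" * 4 + make_hdr(b"\x11" * 8, b"\x22" * 8, 0x20, 35, 0x08, 1)),
    ("203.0.113.9", 500, make_hdr(b"\x33" * 8, b"\x00" * 8, 0x10, 2, 0x00, 0)),
]
```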