But it doesn’t necessarily work across vendors. VPN monitoring is a bit like Dead Peer Detection – it tries to determine if the other end is still there periodically. This isn’t the default so must have been enabled by someone. While looking at the above output I noticed that it said VPN monitoring was on. Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbcĪnti-replay service: counter-based enabled, Replay window size: 64ĭirection: outbound, SPI: 9ddc18ae, AUX-SPI: Mode: Tunnel(10 10), Type: dynamic, State: installed Local Gateway: x.x.x.x, Remote Gateway: y.y.y.y ID: 12 Virtual-system: root, VPN Name: VPN-1 If you specify the index number you get more detail as can be seen below: show security ipsec sa index 12 You can see this by issuing the command “show security ipsec sa” and looking at the fourth column to see the lifetime remaining. In this case however, the SA never dropped much below 1400 seconds remaining before being renegotiated. It is set in the configuration to 1800 seconds and counts down – when it gets near zero, the SA is re-negotiated. You could tell because of the lifetime of the IPSec security association. I noticed that these two VPNs didn’t appear to be staying up. I’ve no idea what versions or models these are because they’re not under the customer’s control. One of these is some kind of Huawei device, and the other a Vyatta router. Just making a note here because this will probably trip me up again in the future: I have a customer with a VPN running from an SRX650 on 11.4R9.4 to a variety of other devices.
0 Comments
Leave a Reply. |