For this scenario, I reconfigured the FTD G0/0 Outside Interface under Device > Interface > click Enabled.
Under G0/0 Outside > hover under Actions > Edit (pencil icon).
Select Type: Static
Type the IP address and Subnet Mask (200.1.1.1/24) > click OK.
Notice the G0/0 Outside "Static" IP address is displayed.
You'll also need to configure routing to reach the remote subnet. To configure a static route in FTD, go to Device > Routing > Create the first static route.
Click the Add (plus icon on the right).
Leave the default Protocol: IPv4 > Gateway > Create New Network.
Type a Name (R1-VPN-PEER) > leave the default Type: Host > type the Host IP (200.1.1.2) > click OK.
Select the newly created Network Object (R1-VPN-PEER).
Under Interface > select outside.
Leave the default Metric: 1 > under Networks > click Add (plus icon) > Create New Network.
Type a Name (R1-LAN) > leave the default Type: Network > type Network: 192.168.2.0/24 > click OK.
Select the newly created Network Object > click OK.
Click OK again to exit.
To configure Site-to-Site VPN on FTD, go to Device > Site to Site VPN > View Configuration.
Click Create Site-to-Site Connection and this will run a setup wizard.
The first step is to Define Endpoints > type a Connection Profile Name (R1-S2S-VPN).
Under Local VPN Access Interface > select outside > type Remote IP Address: 200.1.1.2 > under Local Network > click Add (plus icon) > INSIDE-NET > click OK > under Remote Network > click Add (plus icon) > R1-LAN > click OK.
Click Next.
The second step is to configure Privacy Configuration.
In this case I disabled IKE Version 2 (click/toggle to gray) and enabled IKE Version 1 (click/toggle to blue) > under IKE Policy > Globally applied > click Edit.
Only the SHA-DES-GROUP5-PRE_SHARE is available in FTD Eval mode, while stronger encryption such as SHA-AES-GROUP5-PRE_SHARE, SHA-AES192-GROUP5-PRE_SHARE and SHA-AES256-GROUP5-PRE_SHARE is available in Full license mode.
I tried enabling one of the SHA-AES IKEv1 policies but encountered the error: Usable cryptography types are currently restricted by the licensing status of the device.
Under IPSec Proposal > click Edit > click Add (plus icon).
Notice the ESP_SHA_HMAC_ESP_DES-TUNNEL is used in the Default Set > select ESP_SHA_HMAC_ESP_DES-TUNNEL > click OK.
DES is already considered weak encryption and is only useful in a lab scenario. It's recommended to use a stronger encryption algorithm such as AES in a production environment.
Type a Pre-Shared Key > skip NAT Exempt and Diffie-Hellman Group (for PFS) > click Next.
Step 3 is a Site-to-Site VPN configuration Summary.
Click Finish.
Click Deployment > Deploy Now.
These are the IKE (Version 1) Phase 1 and Phase 2 policies configured on my Cisco 1921 lab router.
There are no options in the FTD GUI for monitoring IPSec VPN Security Association (SA) in FTD 6.2.3 as of this writing.
This is the Event Connection that triggered the Site-to-Site VPN interesting traffic defined in the crypto ACL.
Under Device, notice the 1 connection under Site to Site VPN. Click View Configuration.
Hover under Actions > Edit.
Notice the Site-to-Site VPN Connectivity from Local Network to Remote Network is established/green.
You can alternatively use FTD CLI commands to view Site-to-Site VPN SA and traffic statistics.
> show running-config crypto
crypto ipsec ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL esp-des esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map s2sCryptoMap 1 match address |s2sAcl|b203ce56-b98a-11e9-bfd1-438d602ea8c6
crypto map s2sCryptoMap 1 set peer 200.1.1.2
crypto map s2sCryptoMap 1 set ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL
crypto map s2sCryptoMap interface outside
crypto ca trustpool policy
crypto ikev2 policy 100
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
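The DES warning above can be checked mechanically against the running configuration. This is an added example (not from the original post or from Cisco) that audits the relevant lines of the `show running-config crypto` output above; the function name, rule names and the weak-algorithm baseline are assumptions made for this example, and it goes beyond DES to also flag the DH group, IKEv1 and the skipped PFS setting.

```python
# Constructed input: relevant lines of "show running-config crypto" from this page.
SAMPLE = """\
crypto ipsec ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL esp-des esp-sha-hmac
crypto map s2sCryptoMap 1 match address |s2sAcl|b203ce56-b98a-11e9-bfd1-438d602ea8c6
crypto map s2sCryptoMap 1 set peer 200.1.1.2
crypto map s2sCryptoMap 1 set ikev1 transform-set ESP_SHA_HMAC-ESP_DES-TUNNEL
crypto map s2sCryptoMap interface outside
crypto ikev2 policy 100
encryption des
integrity sha
group 5
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 160
authentication pre-share
encryption des
hash sha
group 5
lifetime 86400
"""

# Audit baseline assumed for this example; adjust to your own policy.
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_HASHES = {"md5"}
WEAK_DH_GROUPS = {"1", "2", "5"}
POLICY_RULES = {"encryption": ("weak-cipher", WEAK_CIPHERS),
                "hash": ("weak-hash", WEAK_HASHES),
                "integrity": ("weak-hash", WEAK_HASHES),
                "group": ("weak-dh-group", WEAK_DH_GROUPS)}

def audit_crypto_config(text):
    """Return (rule, location, value) tuples for weak VPN crypto settings."""
    findings, context, pfs = [], None, {}
    for line in text.splitlines():
        w = line.split()
        if len(w) < 2:
            continue
        if w[0] != "crypto":
            # Sub-command of the IKE policy block opened by the last "crypto" line.
            if context and w[0] in POLICY_RULES:
                rule, weak = POLICY_RULES[w[0]]
                findings += [(rule, context, v) for v in w[1:] if v in weak]
            continue
        context = None
        if len(w) >= 4 and w[1] in ("ikev1", "ikev2") and w[2] == "policy":
            context = f"{w[1]} policy {w[3]}"
        elif len(w) >= 4 and w[1:3] == ["ikev1", "enable"]:
            findings.append(("ikev1-enabled", f"interface {w[3]}", "ikev1"))
        elif w[1] == "ipsec" and "transform-set" in w[:-1]:
            i = w.index("transform-set")
            for t in w[i + 2:]:
                alg = t[4:] if t.startswith("esp-") else t
                alg = alg[:-5] if alg.endswith("-hmac") else alg
                rule = ("weak-cipher" if alg in WEAK_CIPHERS
                        else "weak-hash" if alg in WEAK_HASHES else None)
                if rule:
                    findings.append((rule, f"transform-set {w[i + 1]}", alg))
        elif w[1] == "map" and len(w) >= 5 and w[3].isdigit():
            # Track whether each crypto map entry ever sets PFS.
            key = f"crypto map {w[2]} {w[3]}"
            pfs[key] = pfs.get(key, False) or w[4:6] == ["set", "pfs"]
    findings += [("no-pfs", key, "") for key, has in pfs.items() if not has]
    return findings

if __name__ == "__main__":
    print(*audit_crypto_config(SAMPLE), sep="\n")
```

The parser keys on the leading `crypto` keyword rather than indentation, so it works on output pasted with or without the device's indentation.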
> show isakmp
| Output modifiers
sa Show ISAKMP sas
stats Show IKEv1 and IKEv2 statistics
<cr>
> show isakmp
There are no IKEv1 SAs
There are no IKEv2 SAs
Global IKEv1 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Notifys: 0
In P2 Exchanges: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Notifys: 0
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 0
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 500
Cookie Challenge Threshold: 250
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0
Global IKEv1 IPSec over TCP Statistics
--------------------------------
Embryonic connections: 0
Active connections: 0
Previous connections: 0
Inbound packets: 0
Inbound dropped packets: 0
Outbound packets: 0
Outbound dropped packets: 0
RST packets: 0
Recevied ACK heart-beat packets: 0
Bad headers: 0
Bad trailers: 0
Timer failures: 0
Checksum errors: 0
Internal errors: 0
> show isakmp sa
There are no IKEv1 SAs
There are no IKEv2 SAs
> show ipsec
df-bit Show IPsec DF policy
fragmentation Show IPsec fragmentation policy
policy Show IPSec SS-API security policies
sa Show IPsec SAs
stats Show IPsec global statistics
> show ipsec sa
There are no ipsec sas
> show isakmp sa
IKEv1 SAs:
   Active SA: 1
   Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1   IKE Peer: 200.1.1.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
There are no IKEv2 SAs
> show ipsec sa
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.1
access-list |s2sAcl|b203ce56-b98a-11e9-bfd1-438d602ea8c6 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 200.1.1.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 200.1.1.1/0, remote crypto endpt.: 200.1.1.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: 381B7529
current inbound spi : CD70796A
inbound esp sas:
spi: 0xCD70796A (3446700394)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (3914999/3581)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000001F
outbound esp sas:
spi: 0x381B7529 (941323561)
SA State: active
transform: esp-des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 1, crypto-map: s2sCryptoMap
sa timing: remaining key lifetime (kB/sec): (3915000/3581)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
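Since this FTD release has no GUI view of the SAs, the `show ipsec sa` text above is what a monitoring script has to work from. The following is an added example, not part of the original post: the function name and status labels are hypothetical, and it assumes the counter labels appear as in the output above.

```python
import re

# Constructed input: an excerpt of the "show ipsec sa" output from this page.
SAMPLE = """\
interface: outside
Crypto map tag: s2sCryptoMap, seq num: 1, local addr: 200.1.1.1
current_peer: 200.1.1.2
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
#send errors: 0, #recv errors: 0
inbound esp sas:
spi: 0xCD70796A (3446700394)
SA State: active
sa timing: remaining key lifetime (kB/sec): (3914999/3581)
outbound esp sas:
spi: 0x381B7529 (941323561)
SA State: active
sa timing: remaining key lifetime (kB/sec): (3915000/3581)
"""


def _counter(chunk, label):
    """Value of a '#<label>: N' counter, or 0 when the counter is absent."""
    m = re.search(rf"#{re.escape(label)}:\s*(\d+)", chunk)
    return int(m.group(1)) if m else 0


def summarize_ipsec_sa(text):
    """Return one health summary per crypto map entry in 'show ipsec sa' output."""
    tunnels = []
    # Every SA pair starts with a "Crypto map tag:" line; split on it.
    for chunk in re.split(r"(?m)^(?=[ \t]*Crypto map tag:)", text)[1:]:
        peer = re.search(r"current_peer:\s*(\S+)", chunk)
        encaps = _counter(chunk, "pkts encaps")
        decaps = _counter(chunk, "pkts decaps")
        errors = _counter(chunk, "send errors") + _counter(chunk, "recv errors")
        active = len(re.findall(r"SA State:\s*active", chunk))
        lifetimes = [int(s) for s in re.findall(r"\(kB/sec\):\s*\(\d+/(\d+)\)", chunk)]
        if active < 2:
            status = "down"        # need one inbound and one outbound SA
        elif errors:
            status = "errors"
        elif decaps and not encaps:
            status = "rx-only"     # peer's traffic arrives, nothing is sent back
        elif encaps and not decaps:
            status = "tx-only"     # local traffic leaves, nothing returns
        elif not encaps and not decaps:
            status = "idle"
        else:
            status = "ok"
        tunnels.append({"peer": peer.group(1) if peer else None,
                        "encaps": encaps, "decaps": decaps, "active_sas": active,
                        "rekey_in_s": min(lifetimes) if lifetimes else None,
                        "status": status})
    return tunnels


if __name__ == "__main__":
    for tunnel in summarize_ipsec_sa(SAMPLE):
        print(tunnel)
```

On the capture above it reports `rx-only`: four packets from 200.1.1.2 had been decrypted and none had been encrypted in return at the time the command was run.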
> show ipsec stats
IPsec Global Statistics
-----------------------
Active tunnels: 1
Previous tunnels: 1
Inbound
Bytes: 400
Decompressed bytes: 400
Packets: 4
Dropped packets: 0
Replay failures: 0
Authentications: 4
Authentication failures: 0
Decryptions: 4
Decryption failures: 0
TFC Packets: 0
Decapsulated fragments needing reassembly: 0
Valid ICMP Errors rcvd: 0
Invalid ICMP Errors rcvd: 0
Outbound
Bytes: 0
Uncompressed bytes: 0
Packets: 0
Dropped packets: 0
Authentications: 0
Authentication failures: 0
Encryptions: 0
Encryption failures: 0
TFC Packets: 0
Fragmentation successes: 0
Pre-fragmentation successses: 0
Post-fragmentation successes: 0
Fragmentation failures: 0
Pre-fragmentation failures: 0
Post-fragmentation failures: 0
Fragments created: 0
PMTUs sent: 0
PMTUs rcvd: 0
Protocol failures: 0
Missing SA failures: 0
System capacity failures: 0
Inbound SA delete requests: 0
Outbound SA delete requests: 0
Inbound SA destroy calls: 0
Outbound SA destroy calls: 0
> show isakmp stats
Global IKEv1 Statistics
Active Tunnels: 1
Previous Tunnels: 0
In Octets: 936
In Packets: 6
In Drop Packets: 0
In Notifys: 1
In P2 Exchanges: 1
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In P2 Sa Delete Requests: 0
Out Octets: 852
Out Packets: 5
Out Drop Packets: 0
Out Notifys: 2
Out P2 Exchanges: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out P2 Sa Delete Requests: 0
Initiator Tunnels: 0
Initiator Fails: 0
Responder Fails: 0
System Capacity Fails: 0
Auth Fails: 0
Decrypt Fails: 0
Hash Valid Fails: 0
No Sa Fails: 0
IKEV1 Call Admission Statistics
Max In-Negotiation SAs: 50
In-Negotiation SAs: 0
In-Negotiation SAs Highwater: 1
In-Negotiation SAs Rejected: 0
Global IKEv2 Statistics
Active Tunnels: 0
Previous Tunnels: 0
In Octets: 0
In Packets: 0
In Drop Packets: 0
In Drop Fragments: 0
In Notifys: 0
In P2 Exchange: 0
In P2 Exchange Invalids: 0
In P2 Exchange Rejects: 0
In IPSEC Delete: 0
In IKE Delete: 0
Out Octets: 0
Out Packets: 0
Out Drop Packets: 0
Out Drop Fragments: 0
Out Notifys: 0
Out P2 Exchange: 0
Out P2 Exchange Invalids: 0
Out P2 Exchange Rejects: 0
Out IPSEC Delete: 0
Out IKE Delete: 0
SAs Locally Initiated: 0
SAs Locally Initiated Failed: 0
SAs Remotely Initiated: 0
SAs Remotely Initiated Failed: 0
System Capacity Failures: 0
Authentication Failures: 0
Decrypt Failures: 0
Hash Failures: 0
Invalid SPI: 0
In Configs: 0
Out Configs: 0
In Configs Rejects: 0
Out Configs Rejects: 0
Previous Tunnels: 0
Previous Tunnels Wraps: 0
In DPD Messages: 0
Out DPD Messages: 0
Out NAT Keepalives: 0
IKE Rekey Locally Initiated: 0
IKE Rekey Remotely Initiated: 0
Locally Initiated IKE Rekey Rejected: 0
Remotely Initiated IKE Rekey Rejected: 0
CHILD Rekey Locally Initiated: 0
CHILD Rekey Remotely Initiated: 0
IKEV2 Call Admission Statistics
Max Active SAs: No Limit
Max In-Negotiation SAs: 500
Cookie Challenge Threshold: 250
Active SAs: 0
In-Negotiation SAs: 0
Incoming Requests: 0
Incoming Requests Accepted: 0
Incoming Requests Rejected: 0
Outgoing Requests: 0
Outgoing Requests Accepted: 0
Outgoing Requests Rejected: 0
Rejected Requests: 0
Rejected Over Max SA limit: 0
Rejected Low Resources: 0
Rejected Reboot In Progress: 0
Cookie Challenges: 0
Cookie Challenges Passed: 0
Cookie Challenges Failed: 0