
Check Status, Clear, Restore, and Monitor an IPSEC VPN Tunnel on Palo Alto

The document provides instructions for testing and checking the status of IKE and IPSec tunnels using CLI and GUI. It details how to initiate IKE and IPSec Security Associations (SAs), check their status, and monitor encryption and decryption across the tunnel. Additionally, it includes commands to clear the VPN tunnel if needed.

Uploaded by

Huy

Details

1. Initiate IKE without traffic to test, using the CLI

> test vpn ike-sa

Start time: Dec.04 00:03:37

Initiate 1 IKE SA.

> test vpn ipsec-sa

Start time: Dec.04 00:03:41

Initiate 1 IPSec SA.

2. Check ike phase1 status (in case of ikev1)

GUI:
Navigate to Network->IPSec Tunnels

GREEN indicates up

RED indicates down

You can click on the IKE info to get the details of the Phase1 SA.
ike phase1 sa up:
If ike phase1 sa is down, the ike info would be empty.

CLI:
ike phase1 sa up:

ike phase1 sa down:


For ikev2
GUI:

3. To check if phase 2 ipsec tunnel is up:

GUI:

Navigate to Network->IPSec Tunnels

GREEN indicates up
RED indicates down

You can click on the Tunnel info to get the details of the Phase2 SA.

CLI:

4. Check Encryption and Decryption (encap/decap) across tunnel

In this example, the tunnel id is 139

> show vpn flow tunnel-id 139

tunnel ipsec-tunnel:lab-proxyid1

id: 139

type: IPSec
gateway id: 38

local ip: 198.51.100.100

peer ip: 203.0.113.100

inner interface: tunnel.1

outer interface: ethernet1/1

state: active

session: 568665

tunnel mtu: 1432

soft lifetime: 3579

hard lifetime: 3600

lifetime remain: 2154 sec

lifesize remain: N/A

latest rekey: 1446 seconds ago

monitor: off

monitor packets seen: 0

monitor packets reply:0

en/decap context: 736

local spi: F2B7CEF0

remote spi: F248D17B

key type: auto key


protocol: ESP

auth algorithm: SHA512

enc algorithm: AES256GCM16

proxy-id:

local ip: 10.133.133.0/24

remote ip: 10.134.134.0/24

protocol: 0

local port: 0

remote port: 0

anti replay check: yes

copy tos: no

enable gre encap: no

authentication errors: 0

decryption errors: 0

inner packet warnings: 0

replay packets: 0

packets received

when lifetime expired:0

when lifesize expired:0

sending sequence: 4280


receive sequence: 4280

encap packets: 8153

decap packets: 8153

encap bytes: 717464

decap bytes: 717464

key acquire requests: 90

owner state: 0

owner cpuid: s1dp0

ownership: 1
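
The output above is easier to act on when the health-relevant fields are checked automatically. The following is an added example, not part of the original document or of any Palo Alto tooling: it parses text saved from `show vpn flow tunnel-id` and flags a non-active state, disabled anti-replay, non-zero error or replay counters, and one-way encap/decap. The function names, the sample text and the choice of which conditions to flag are assumptions.

```python
import re

# Constructed sample: a subset of the fields printed by `show vpn flow tunnel-id`,
# with counters altered to show a tunnel that encrypts but never decrypts.
SAMPLE = """\
state: active
anti replay check: yes
authentication errors: 0
decryption errors: 3
replay packets: 0
encap packets: 8153
decap packets: 0
"""

def parse_flow(text):
    """Turn 'key: value' lines into a dict; the first occurrence of a key wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*\S)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), m.group(2))
    return fields

def counter(fields, key):
    """Read an integer counter; missing or non-numeric values count as 0."""
    m = re.match(r"\d+", fields.get(key, ""))
    return int(m.group()) if m else 0

def assess(fields):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if fields.get("state") != "active":
        findings.append("state is not active")
    if fields.get("anti replay check") != "yes":
        findings.append("anti replay check is not enabled")
    for key in ("authentication errors", "decryption errors", "replay packets"):
        if counter(fields, key) > 0:
            findings.append(f"{key}: {counter(fields, key)}")
    enc, dec = counter(fields, "encap packets"), counter(fields, "decap packets")
    if enc > 0 and dec == 0:
        findings.append("encap without decap: nothing is returning from the peer")
    elif dec > 0 and enc == 0:
        findings.append("decap without encap: nothing is being sent to the peer")
    return findings

if __name__ == "__main__":
    for finding in assess(parse_flow(SAMPLE)):
        print(finding)
```

Run against the tunnel 139 output shown above, `assess` returns an empty list: the state is active, all error counters are 0, and the encap and decap counts match.
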

5. Clear

The following commands will tear down the VPN tunnel:

> clear vpn ike-sa gateway <gw-name>

Delete IKEv1 IKE SA: Total 1 gateways found.

> clear vpn ipsec-sa tunnel <tunnel-name>

Delete IKEv1 IPSec SA: Total 1 tunnels found.
