topic Re: Tunnel flow in General Topics

Tunnel flow

infotech — Fri, 30 May 2014 19:25:33 GMT

How do you check to see if there is bidrectional flow on a vpn tunnel?

Re: Tunnel flow

HULK — Fri, 30 May 2014 20:25:49 GMT

Hello Infotech,

The SPI (security parameter Index) value will be same for a specific Proxy-ID. Hence there will be a pair of keys for encryption and decryption. You will be able to see encap/decap or incoming byte/outgoing bytes from tunnel point of view.

> show vpn flow tunnel-id XX ---

Thanks

Re: Tunnel flow

infotech — Fri, 30 May 2014 20:33:17 GMT

So this is showing flow in and out tunnel7 - so why isn't there communication between my two site connected by this tunnel working?

tunnel DR_IPSec_Tunnel7

id: 130

type: IPSec

gateway id: 7

local ip: 66.94.196.107

peer ip: 66.94.208.114

inner interface: tunnel.7

outer interface: ethernet1/3

state: active

session: 4635

tunnel mtu: 1428

lifetime remain: 1201 sec

latest rekey: 2399 seconds ago

monitor: off

monitor packets seen: 0

monitor packets reply: 0

en/decap context: 170

local spi: 9AC6CEDC

remote spi: DF67E405

key type: auto key

protocol: ESP

auth algorithm: SHA1

enc algorithm: AES256

proxy-id local ip: 0.0.0.0/0

proxy-id remote ip: 0.0.0.0/0

proxy-id protocol: 0

proxy-id local port: 0

proxy-id remote port: 0

anti replay check: yes

copy tos: no

authentication errors: 0

decryption errors: 0

inner packet warnings: 0

replay packets: 0

packets received

when lifetime expired:0

when lifesize expired:0

sending sequence: 734

receive sequence: 600

encap packets: 734

decap packets: 600

encap bytes: 86352

decap bytes: 72000

key acquire requests: 0

Re: Tunnel flow

HULK — Fri, 30 May 2014 20:54:51 GMT

Hello Infotech,

As i mentioned before, there will be only a pair of keys for encryption and decryption.

local spi: 9AC6CEDC >>>>>>>>>>>> It will be used for encrypting traffic going into the tunnel.

remote spi: DF67E405 >>>>>>>>>>> It will be used for decrypting traffic coming through the tunnel from other end FW

So, there is no specific way to track bidirectional flow through the VPN (0.0.0.0/0 proxy ID---- eventually it will pass all traffic through tunnel) .

But, if you configure a specific PROXY-ID, for example SRC-1.1.1.1/32 and DST-2.2.2.2/32 and then you may monitor the encap packets/decap packets counter to know whether PAN is receiving or sending as well . ( Bidirectional flow).

Thanks