IPsec

Question 1

List IPsec Tunnels Command and show tunnel details

Answer 1

diagnose vpn tunnel list

get vpn ipsec tunnel details | summary

get ipsec tunnel list

get vpn ipsec stats tunnel

Question 2

Ike Gateway commands

Answer 2

diagnose vpn ike gateway list

gateway clear (name): closes phase 1 selector. Can leave name blank to clear ALL phase 1s in the VDOM

Question 3

IKE Real-Time Debug

Answer 3

diagnose debug application ike (bitmask)
diagnose debug enable

Bitmask:
most common is -1 to enable all outputs.

should also enable timestamp:
diagnose debug console timestamp enable

Question 4

T or F: For IPsec, offloading is enabled by default

Answer 4

True

NPU

Question 5

NPU Offloading flags for IPsec

Answer 5

npu_flag=

00 - Both IPsec SAs loaded to the Kernel
01 - Outbound offloaded
02 - Inbound offloaded
03 - both in/out are offloaded
20 - Unsupported, cannot be offloaded

Question 6

What is traffic called when it has to travel through an IPsec tunnel?

Answer 6

Interesting

This is what triggers the VPN negotiation

Question 7

Capturing IKE Traffic

Answer 7

No NAT:
IKE - UDP port 500
ESP - IP protocol 50

With NAT:
initially UDP port 500 and then UDP 4500 once NAT is detected
ESP is encapsulated in UDP port 4500

configurable port via CLI
config system settings
set ike-port (1024-65535)
end

Question 8

Common IPsec Problems and tactics

Answer 8

Tunnel not coming up? Real Time debug

Tunnel unstable? DPD packets

Tunnel is up but traffic not passing through? Debug flow