IPsec Testing and Functionality Verification


9. IPsec Testing and Functionality Verification

A basic overview of IPsec functionality is displayed in the web interface in the VPN / IPsec menu. Click “Refresh status” to see the current state of the IPsec tunnels.


Fig. 9.1: RipEX8-remote Settings

Possible states:

  • Green (“Up”): The corresponding IKE SA and all corresponding CHILD SAs are created.

  • Red (“Down”): The IKE SA is not created and the tunnel is not established.

  • Yellow (“Unknown”): The IKE SA status is not available.

  • Gray: The individual CHILD SA line can be gray if:

    • it is not marked as Active, or

    • its configuration was not accepted.

A quick overview is also available via the CLI command “cli_status_ipsec_show”. This command prints the IKE SA states, identified by their Peer IDs.

CLI(admin):~$ cli_status_ipsec_show
Status of active IPsec associations:
Peer ID: RipEX1-remote Status: up
Peer ID: RipEX8-remote Status: up
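
For scripted monitoring, captured output of this command can be checked automatically. The shell function below is an added example, not part of the RipEX documentation or firmware; it assumes the “Peer ID: ... Status: ...” line format shown above and reports every peer whose state is anything other than “up” (the “down” value in the sample is constructed).

```shell
#!/bin/sh
# Added example: check captured cli_status_ipsec_show output for peers that
# are not "up". Assumes the "Peer ID: <id> Status: <state>" line format shown
# above; how the output is collected from the unit is left to the operator.

# Reads the command output on stdin and prints "<peer> <state>" for every
# peer whose state is not "up".
# Exit status: 0 = all peers up, 1 = at least one peer not up,
#              2 = no peer lines found (empty output or unexpected format).
ipsec_peers_not_up() {
    awk '
        { sub(/[ \t\r]+$/, "") }              # tolerate CRLF and trailing blanks
        /^Peer ID: .* Status: [^ ]+$/ {
            seen++
            state = $NF
            peer = $0
            sub(/^Peer ID: /, "", peer)
            sub(/ Status: [^ ]+$/, "", peer)   # keeps peer IDs containing spaces
            if (state != "up") { bad++; print peer, state }
        }
        END {
            if (seen == 0) exit 2
            exit (bad > 0)
        }
    '
}

# Constructed sample: the header and the first peer line follow the page;
# the "down" state on the last line is an assumed value for illustration.
sample_output() {
    cat <<'EOF'
Status of active IPsec associations:
Peer ID: RipEX1-remote Status: up
Peer ID: RipEX8-remote Status: down
EOF
}

sample_output | ipsec_peers_not_up || echo "check finished with status $?"
```

Exit status 2 is kept separate from 1 so that an empty or reformatted output is not mistaken for “all tunnels up”.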

Another option is to check the packets in the Monitoring menu. IKE uses UDP port 500 or 4500, and ESP is IP protocol 50. To see this traffic, set the filter to UDP and “Other”. An example of a received ESP packet:


Fig. 9.2: RipEX-Base IPsec Monitoring on the Radio channel