IPSec Statistics reports the usage and state of your configured IPSec Security Associations (see “IPSec”). Go to Statistics > IPSec; a selection bar and two statistics tables are displayed.
Select a combination of Mode and Phase 1 name here to report the statistics of the related IPSec SAs.
|Mode||Select the mode, Tunnel mode or Transport mode, of the security associations whose statistics you want to see.|
|Phase 1 Name||All the configured Phase 1 names of the mode you selected above are listed in the drop-down menu. Select a Phase 1 name (ISAKMP SA) to display the statistics of the associated IPSec SAs (Phase 2).|
|Refresh||Click to refresh the statistics page.|
Statistics of the IPSec SAs associated with the ISAKMP SA you selected are displayed in two tables, Security Association Database and Security Policy Database.
Security Association Database
Lists information about each IPSec SA, including local and remote IP addresses, negotiated encryption and authentication algorithms, timing, and state.
|Local IP||The local IP address of the IPSec SA.|
|Remote IP||The remote IP address of the IPSec SA.|
|Encryption||The encryption algorithm that the IPSec SA employs.|
|Authentication||The authentication algorithm that the IPSec SA employs.|
|Used time (s)||The time elapsed since the IPSec SA was established.|
|Life time (s)||The time interval (in seconds) during which the secret key of the IPSec SA is valid. When a key expires, IKE Phase 2 is performed automatically to establish a new IPSec SA (a new key is negotiated). The value is equal to the Keylife value of the corresponding Phase 2 configuration.|
|Change time (s)||The point in time at which the system starts to establish a new IPSec SA to replace the current IPSec SA, which is about to expire. The new IPSec SA is prepared in advance so that it takes over from the expiring IPSec SA in time. This value is related to Life time and is determined by the system.|
|Status||States of the IPSec SA:
larval: an IKE Phase 2 is in progress to establish an IPSec SA
mature: the IPSec SA is established and still within validity
dying: the IPSec SA is about to expire, and another IKE Phase 2 is in progress for taking over
dead: the connectivity between two endpoints communicating through the IPSec SA is down; the peer is unavailable.|
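The timing fields and the Status column can be cross-checked against each other when reviewing tunnel health. The following is an added example, not code from the product or its documentation. It assumes the table rows have been copied into a whitespace-separated text layout (constructed here) and that Change time counts in seconds from SA establishment, like Used time.

```python
from dataclasses import dataclass

STATES = ("larval", "mature", "dying", "dead")  # Status values from the table

@dataclass
class SaRow:
    local_ip: str
    remote_ip: str
    used: int    # Used time (s)
    life: int    # Life time (s)
    change: int  # Change time (s); assumed to count from SA establishment
    status: str

def parse_rows(text):
    """Parse 'local remote used life change status' lines (assumed layout)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        local, remote, used, life, change, status = line.split()
        rows.append(SaRow(local, remote, int(used), int(life), int(change), status.lower()))
    return rows

def audit(row):
    """Return findings where an SA's timers and its Status disagree."""
    findings = []
    if row.status not in STATES:
        findings.append("unknown status")
    if row.status == "dead":
        findings.append("dead: peer unavailable")
    if row.status == "mature" and row.used >= row.change:
        findings.append("past change time but still mature: rekey has not started")
    if row.status in ("mature", "dying") and row.used >= row.life:
        findings.append("used time exceeds life time: key kept past expiry")
    return findings

def report(rows):
    """Map remote IP -> findings, for the SAs that have any."""
    return {r.remote_ip: f for r in rows if (f := audit(r))}

# Constructed sample rows (documentation address ranges), not real output.
SAMPLE = """
# local      remote        used  life  change status
192.0.2.1 198.51.100.1  1200 28800 23040 mature
192.0.2.1 198.51.100.2 24000 28800 23040 dying
192.0.2.1 198.51.100.3 25000 28800 23040 mature
192.0.2.1 198.51.100.4   300 28800 23040 dead
192.0.2.1 198.51.100.5 29000 28800 23040 dying
"""

if __name__ == "__main__":
    for peer, findings in report(parse_rows(SAMPLE)).items():
        print(peer, "; ".join(findings))
```

A finding here is a prompt to refresh the page and check the peer and the Phase 2 configuration, since the table is a snapshot and a rekey may complete between refreshes.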
Traffic Statistics for Tunnel Routing and IPSec
Security Policy Database
Lists information about the Quick Mode selector of each IPSec SA and the related time stamps.
|Name||The unique name of the IPSec SA (the name configured for the Phase 2).|
|Source[port]||For IPSec in Tunnel mode, this is the Source and Source Port of the Quick Mode selector of the IPSec SA (the Source and Port configured for the Phase 2).
For IPSec in Transport mode, this is the source IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured for the Phase 1). Port information is not listed in this case.|
|Destination[port]||For IPSec in Tunnel mode, this is the Destination and Destination Port of the Quick Mode selector of the IPSec SA (the Destination and Port configured for the Phase 2).
For IPSec in Transport mode, this is the destination IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Remote IP of the IPSec SA (the Remote IP configured for the Phase 1). Port information is not listed in this case.|
|Protocol||For IPSec in Tunnel mode, this is the Protocol of the Quick Mode selector of the IPSec SA (the Protocol configured for the Phase 2).
For IPSec in Transport mode, this is always “gre”.|
|Created time||The time at which the IPSec SA was established.|
|Last used time||The time at which the IPSec SA was last applied to a data packet.|
For details of the IPSec parameters, see “IPSec VPN in the Web UI”.