FortiWAN IPSec

IPSec

IPSec Statistics reports the usage and state of your configured IPSec Security Associations (see “IPSec”). Go to Statistics > IPSec; a selector bar and two statistics tables are displayed.

Selector

Select a combination of Mode and Phase 1 name here; the statistics of the related IPSec SAs are then reported.


Mode: Select the mode, Tunnel mode or Transport mode, of the security associations you want to view.
Phase 1 Name: All the configured Phase 1 names of the mode selected above are listed in the drop-down menu. Select a Phase 1 name (ISAKMP SA) to display the statistics of the associated IPSec SAs (Phase 2).
Refresh: Click to refresh the statistics page.

Statistics of the IPSec SAs associated with the ISAKMP SA you selected are displayed in two tables: Security Association Database and Security Policy Database.

Security Association Database

Lists information about each IPSec SA, including local and remote IP addresses, negotiated encryption and authentication algorithms, timing and state.

Local IP: The local IP address of the IPSec SA.
Remote IP: The remote IP address of the IPSec SA.
Encryption: The encryption algorithm that the IPSec SA employs.
Authentication: The authentication algorithm that the IPSec SA employs.
Used time (s): The time elapsed since the IPSec SA was established.
Life time (s): The time interval (in seconds) during which the secret key of the IPSec SA is valid. When a key expires, IKE Phase 2 is performed automatically to establish a new IPSec SA (a new key is negotiated). The value here is equal to the Keylife value of the corresponding Phase 2 configuration.
Change time (s): The point in time at which the system starts to establish a new IPSec SA to replace the current IPSec SA, which is about to expire. The new IPSec SA is prepared in advance so that it takes over from the expired IPSec SA in time. This value is related to Life time and is determined by the system.
Status: States of the IPSec SA:
- larval: an IKE Phase 2 is in progress to establish an IPSec SA
- mature: the IPSec SA is established and still within its validity period
- dying: the IPSec SA is about to expire, and another IKE Phase 2 is in progress to take over
- dead: the connectivity between the two endpoints communicating through the IPSec SA is down; the peer is unavailable.
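
An added example, not part of the FortiWAN documentation or product: a triage pass over rows of the Security Association Database table that flags dead peers, SAs past their Change time with no rekey in progress, and negotiated algorithms outside a site-approved set. It assumes the rows were copied out as whitespace-separated text in the column order above and that Change time is counted in seconds since establishment, like Used time; the function names, algorithm labels and sample rows are constructed for illustration.

```python
from collections import namedtuple

STATES = {"larval", "mature", "dying", "dead"}  # Status values listed above
SaRow = namedtuple(
    "SaRow", "local_ip remote_ip encryption authentication used_s life_s change_s status")

def parse_rows(text):
    """Parse rows in the table's column order, one SA per line (assumed layout)."""
    rows = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[7] not in STATES:
            raise ValueError(f"unrecognised row: {line!r}")
        rows.append(SaRow(*f[:4], *map(int, f[4:7]), f[7]))
    return rows

def triage(row, approved_enc, approved_auth):
    """Return findings for one SA; an empty list means nothing to follow up."""
    findings = []
    if row.status == "dead":
        findings.append("peer unavailable")
    # Assumption: Change time and Used time share a clock (seconds since establishment).
    if row.status == "mature" and row.used_s >= row.change_s:
        findings.append("past change time, no rekey in progress")
    if row.encryption not in approved_enc:
        findings.append(f"encryption {row.encryption} not approved")
    if row.authentication not in approved_auth:
        findings.append(f"authentication {row.authentication} not approved")
    return findings

def report(text, approved_enc, approved_auth):
    """Map remote IP -> findings, only for SAs with at least one finding."""
    out = {}
    for row in parse_rows(text):
        findings = triage(row, approved_enc, approved_auth)
        if findings:
            out[row.remote_ip] = findings
    return out

# Constructed sample rows: documentation address ranges, made-up algorithm labels.
SAMPLE = """
192.0.2.1 198.51.100.1 aes256 sha256 1200 28800 23040 mature
192.0.2.1 198.51.100.2 aes256 sha256 25000 28800 23040 mature
192.0.2.1 198.51.100.3 3des md5 100 28800 23040 mature
192.0.2.1 198.51.100.4 aes256 sha256 24000 28800 23040 dying
192.0.2.1 198.51.100.5 aes256 sha256 900 28800 23040 dead
"""
```

Calling `report(SAMPLE, {"aes256"}, {"sha256"})` returns findings for the second, third and fifth rows; the dying SA is not flagged because its rekey is already in progress.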

Traffic Statistics for Tunnel Routing and IPSec

Security Policy Database

Lists the Quick Mode selector of each IPSec SA and the related time stamps.

Name: The unique name of the IPSec SA (the name configured for the Phase 2).

Source[port]: For IPSec in Tunnel mode, this is the Source and Source Port of the Quick Mode selector of the IPSec SA (the Source and Port configured for the Phase 2).

For IPSec in Transport mode, this is the source IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Local IP of the IPSec SA (the Local IP configured for the Phase 1). Port information is not listed in this case.

Destination[port]: For IPSec in Tunnel mode, this is the Destination and Destination Port of the Quick Mode selector of the IPSec SA (the Destination and Port configured for the Phase 2).

For IPSec in Transport mode, this is the destination IP address of the Tunnel Routing packets (GRE encapsulated), which is equal to the Remote IP of the IPSec SA (the Remote IP configured for the Phase 1). Port information is not listed in this case.

Protocol: For IPSec in Tunnel mode, this is the Protocol of the Quick Mode selector of the IPSec SA (the Protocol configured for the Phase 2).

For IPSec in Transport mode, this is always “gre”.

Created time: The time at which the IPSec SA was established.
Last used time: The time at which the IPSec SA was last applied to a data packet.

For details of the IPSec parameters, see “IPSec VPN in the Web UI”.



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
