Information About IP Security VPN Monitoring - Cisco IOS XR Configuration Manual

System security configuration guide

Implementing Internet Key Exchange Security Protocol on Cisco IOS XR Software

Information About Implementing IKE Security Protocol Configurations for IPSec Networks

Information About IP Security VPN Monitoring

The IP Security (IPSec) VPN Monitoring feature provides VPN session monitoring enhancements that allow you to troubleshoot the Virtual Private Network (VPN) and monitor the end-user interface. Session monitoring includes the following enhancements:
- Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file.
- Summary listing of crypto session status.
- Ability to clear both IKE and IP Security (IPSec) security associations (SAs) using one command-line interface (CLI).
- Ability to expand the filtering mechanism by using the options from the show crypto session command.

To implement IPSec VPN monitoring, you must understand the following concepts:
- Crypto Sessions Background
- Per-IKE Peer Description
- Summary Listing of Crypto Session Status
- IKE and IPSec Security Exchange Clear Command

Crypto Sessions Background

A crypto session is a set of IPSec connections (flows) between two crypto endpoints. If the two crypto endpoints use IKE as the keying protocol, they are IKE peers to each other. Typically, a crypto session consists of one IKE security association (SA) for control traffic and at least two IPSec SAs for data traffic, one for each direction. During rekeying, or because of simultaneous setup requests from both sides, the same session may have duplicated IKE SAs, duplicated IPSec SAs, or both.

Per-IKE Peer Description

The Per-IKE Peer Description function allows you to enter a description of your choice for an IKE peer. The unique peer description, which can contain up to 80 characters, is used whenever you reference that particular IKE peer. To add the peer description, use the description (ISAKMP peer) command.
The primary application of this description field is monitoring (for example, in show command output or in syslog messages). The description field is purely informational.

Summary Listing of Crypto Session Status

You can obtain a list of status information for active crypto sessions by using the show crypto session command. The listing includes the following summary status of the crypto session:
- Interface
- IKE SAs that are associated with the peer by whom the IPSec SAs are created
- IPSec SAs serving the flows of a session

Multiple IKE or IPSec SAs can be established for the same peer (for the same session), in which case IKE peer descriptions are repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.
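
The session model from Crypto Sessions Background and the duplicate SAs mentioned under Summary Listing of Crypto Session Status, shown as an added example that is not part of the Cisco manual: a Python check that groups an SA inventory by peer, flags sessions missing an IKE SA or one direction of an IPSec flow, and reports duplicates. The record layout, flow labels and addresses are constructed assumptions and do not reproduce show crypto session output.

```python
from collections import Counter, defaultdict

# Constructed SA inventory, not router output: (peer, kind, flow, direction).
# Keying a session by peer address alone assumes a single local endpoint.
SAMPLE_SAS = [
    ("192.0.2.1", "ike", None, None),
    ("192.0.2.1", "ipsec", "lan-a", "in"),
    ("192.0.2.1", "ipsec", "lan-a", "out"),
    ("192.0.2.2", "ike", None, None),
    ("192.0.2.2", "ike", None, None),       # second IKE SA, as seen mid-rekey
    ("192.0.2.2", "ipsec", "lan-a", "in"),
    ("192.0.2.2", "ipsec", "lan-a", "in"),  # second inbound SA for the same flow
    ("192.0.2.2", "ipsec", "lan-a", "out"),
    ("192.0.2.3", "ike", None, None),
    ("192.0.2.3", "ipsec", "lan-a", "out"),  # inbound SA for this flow is absent
]

def audit_sessions(sas):
    """Group SAs into per-peer crypto sessions; return {peer: [findings]}."""
    per_peer = defaultdict(Counter)
    for peer, kind, flow, direction in sas:
        per_peer[peer][(kind, flow, direction)] += 1

    report = {}
    for peer, counts in per_peer.items():
        findings = []
        # One IKE SA carries the control traffic of the session.
        if counts[("ike", None, None)] == 0:
            findings.append("no IKE SA")
        # Every flow needs an IPSec SA in each direction.
        flows = {flow for kind, flow, _ in counts if kind == "ipsec"}
        if not flows:
            findings.append("no IPSec SAs")
        for flow in sorted(flows):
            for direction in ("in", "out"):
                if counts[("ipsec", flow, direction)] == 0:
                    findings.append(f"flow {flow}: no {direction}bound IPSec SA")
        # Duplicates are expected briefly during rekey or simultaneous setup.
        if any(n > 1 for n in counts.values()):
            findings.append("duplicate SAs (rekey or simultaneous setup)")
        report[peer] = findings
    return report

if __name__ == "__main__":
    for peer, findings in audit_sessions(SAMPLE_SAS).items():
        print(peer, "OK" if not findings else "; ".join(findings))
```

A duplicate finding that persists across several polling intervals, rather than clearing after a rekey, is the case worth investigating.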
Cisco IOS XR System Security Configuration Guide


This manual is also suitable for:

IOS XR 3.5
