VPN Tunnel Details
(2015-10-19)
Problem
I want details about a VPN tunnel.
Solution
# diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_NAME ver=1 serial=1 x.x.x.x:0->y.y.y.y:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=2 child_num=0 refcnt=110 ilast=0 olast=0
stat: rxp=11722317 txp=20120683 rxb=1762965855 txb=920217447
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2_NAME proto=0 sa=1 ref=2 serial=1
src: 0:a.a.a.a/255.255.254.0:0
dst: 0:b.b.b.b/255.255.255.0:0
SA: ref=73 options=0000000e type=00 soft=0 mtu=1446 expire=3303/0B replaywin=1024 seqno=d1a80
life: type=01 bytes=0/0 timeout=3548/3600
dec: spi=9822756d esp=3des key=24 b926cf43d384361bc1b4f67f43c05e94d626a4a6eae470b5
ah=md5 key=16 7885e747cf224b55aaf30012b26b4bc7
enc: spi=de81092c esp=3des key=24 03a53fee5fe142934cdcda753204993f3ae4645a389961dd
ah=md5 key=16 cd2e8d8a2ffdb17209a3741a1de83d21
dec:pkts/bytes=580097/90305200959, enc:pkts/bytes=859220/632576927854
npu_flag=03 npu_rgwy=207.107.149.1 npu_lgwy=72.1.196.82 npu_selid=0
proxyid=SSLVPN-to-GridWay proto=0 sa=0 ref=1 serial=3
src: 0:c.c.c.c/255.255.255.0:0
dst: 0:b.b.b.b/255.255.255.0:0
In my case I wanted the tunnel MTU, which is in the SA line of this output (mtu=1446 for this SA, which uses 3DES with an MD5 HMAC). Note that the dec: and enc: lines also print the live SA keys, so redact them before sharing this output. The MTU is not a fixed value; it is calculated per tunnel from the negotiated cipher and HMAC, as Fortinet's documentation explains:
The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as seen with diag vpn tunnel list. This indicates that the FortiGate allocates 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1, which is the difference if you subtract this MTU from a typical Ethernet MTU of 1500 bytes.
During the encryption process, AES/DES operates on data in units of a specific block size. If the data is smaller than that, it is padded for the operation. MD5/SHA-1 HMAC also operates using a specific block size.
(Source on page 17)
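To make the overhead arithmetic concrete, here is an added example (my own code, not from the original post or from Fortinet) that computes the per-packet ESP overhead and the largest inner packet that fits a given outer MTU. It assumes the RFC 4303 tunnel-mode layout: a 20-byte outer IPv4 header, an 8-byte ESP header (SPI and sequence number), a CBC IV the size of one cipher block, payload plus the 2-byte trailer padded up to a block multiple, and a 96-bit ICV for both HMAC-MD5 and HMAC-SHA1. The algorithm names in the tables are labels chosen for this example. With these assumptions the calculation yields 1446 for 3DES with a 12-byte ICV, the same number the tunnel above reports; the 1436 and 1412 quoted from the Fortinet documentation are more conservative, so on a real box treat the mtu= field from diag vpn tunnel list as authoritative rather than this arithmetic.

```python
"""ESP overhead and inner-MTU calculator (added example, RFC 4303 tunnel mode).

Assumptions (not taken from the original post): IPv4 outer header, CBC
ciphers, 96-bit truncated HMAC-MD5/SHA1 ICVs (RFC 2403/2404) and a 128-bit
ICV for HMAC-SHA-256 (RFC 4868). FortiGate's own reported MTU may be lower.
"""

OUTER_IPV4_HDR = 20   # outer IPv4 header added in tunnel mode
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)
NAT_T_UDP_HDR = 8     # extra UDP header when NAT traversal is active

# cipher name -> (IV length, padding block size), both in bytes
CIPHERS = {
    "3des": (8, 8),
    "aes128": (16, 16),
    "aes256": (16, 16),
}

# HMAC name -> ICV length in bytes as carried in ESP
HMACS = {
    "md5": 12,
    "sha1": 12,
    "sha256": 16,
}


def esp_padding(inner_len, block):
    """Padding bytes so that inner packet + ESP trailer fill whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_overhead(cipher, hmac, inner_len, natt=False):
    """Total bytes added to an inner packet of inner_len by ESP tunnel mode."""
    iv_len, block = CIPHERS[cipher]
    overhead = (OUTER_IPV4_HDR + ESP_HDR + iv_len
                + esp_padding(inner_len, block) + ESP_TRAILER + HMACS[hmac])
    if natt:
        overhead += NAT_T_UDP_HDR
    return overhead


def fits(cipher, hmac, inner_len, outer_mtu=1500, natt=False):
    """True if the encapsulated packet fits the outer link MTU without fragmentation."""
    return inner_len + esp_overhead(cipher, hmac, inner_len, natt) <= outer_mtu


def max_inner_mtu(cipher, hmac, outer_mtu=1500, natt=False):
    """Largest inner IP packet whose ESP-encapsulated form fits outer_mtu.

    The encrypted region (inner packet + padding + trailer) must be a whole
    number of cipher blocks, so round the available room down to a block
    multiple before removing the trailer.
    """
    iv_len, block = CIPHERS[cipher]
    fixed = OUTER_IPV4_HDR + ESP_HDR + iv_len + HMACS[hmac]
    if natt:
        fixed += NAT_T_UDP_HDR
    room = outer_mtu - fixed
    padded = room - room % block
    return padded - ESP_TRAILER


def compare_with_fortigate(reported):
    """Return {proposal: (computed inner MTU, FortiGate-reported MTU, difference)}.

    `reported` maps "cipher/hmac" to the MTU the FortiGate documentation quotes.
    """
    result = {}
    for proposal, fgt_mtu in reported.items():
        cipher, hmac = proposal.split("/")
        computed = max_inner_mtu(cipher, hmac)
        result[proposal] = (computed, fgt_mtu, computed - fgt_mtu)
    return result


if __name__ == "__main__":
    # Values quoted from the Fortinet documentation in the text above.
    fortigate_doc = {"3des/sha1": 1436, "aes128/sha1": 1412}
    for proposal, (calc, fgt, diff) in compare_with_fortigate(fortigate_doc).items():
        print(f"{proposal:12} RFC 4303 max inner MTU={calc}  FortiGate MTU={fgt}  diff={diff}")
    # The SA in the output above: 3DES with MD5 HMAC, mtu=1446.
    print("3des/md5 max inner MTU:", max_inner_mtu("3des", "md5"))
    print("1446-byte inner packet fits:", fits("3des", "md5", 1446))
    print("1447-byte inner packet fits:", fits("3des", "md5", 1447))
```

The rounding step is the part people usually miss: because padding goes up to the next block, a 1447-byte inner packet costs 7 more bytes of padding than a 1446-byte one and no longer fits a 1500-byte link, which is why the usable inner MTU is a block-aligned value minus the two trailer bytes. Pass natt=True to see the further reduction when the tunnel runs over UDP 4500.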