For When You Can't Have The Real Thing
[ start | index | login ]
start > FortiOS > 5.2 > VPN Tunnel Statistics

VPN Tunnel Statistics

Created by dave. Last edited by dave, 3 years and 54 days ago. Viewed 1,402 times. #1
[edit] [rdf]
labels
attachments
(2015-10-19)

Problem

I want details about a VPN tunnel.

Solution

# diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_NAME ver=1 serial=1 x.x.x.x:0->y.y.y.y:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=2 child_num=0 refcnt=110 ilast=0 olast=0
stat: rxp=11722317 txp=20120683 rxb=1762965855 txb=920217447
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2_NAME proto=0 sa=1 ref=2 serial=1
  src: 0:a.a.a.a/255.255.254.0:0
  dst: 0:b.b.b.b/255.255.255.0:0
  SA: ref=73 options=0000000e type=00 soft=0 mtu=1446 expire=3303/0B replaywin=1024 seqno=d1a80
  life: type=01 bytes=0/0 timeout=3548/3600
  dec: spi=9822756d esp=3des key=24 b926cf43d384361bc1b4f67f43c05e94d626a4a6eae470b5
       ah=md5 key=16 7885e747cf224b55aaf30012b26b4bc7
  enc: spi=de81092c esp=3des key=24 03a53fee5fe142934cdcda753204993f3ae4645a389961dd
       ah=md5 key=16 cd2e8d8a2ffdb17209a3741a1de83d21
  dec:pkts/bytes=580097/90305200959, enc:pkts/bytes=859220/632576927854
  npu_flag=03 npu_rgwy=207.107.149.1 npu_lgwy=72.1.196.82 npu_selid=0
proxyid=SSLVPN-to-GridWay proto=0 sa=0 ref=1 serial=3
  src: 0:c.c.c.c/255.255.255.0:0
  dst: 0:b.b.b.b/255.255.255.0:0

In my case I wanted details about the tunnel MTU which is listed in this output. The MTU is dynamically calculated:

The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as seen with diag vpn tunnel list . This indicates that the FortiGate allocates 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1, which is the difference if you subtract this MTU from a typical ethernet MTU of 1500 bytes.

During the encryption process, AES/DES operates using a specific size of data which is block size. If data is smaller than that, it will be padded for the operation. MD5/SHA-1 HMAC also operates using a specific block size.

(>>Source, page 17)

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt