VPN Tunnel Statistics
(2015-10-19)
In my case I wanted details about the tunnel MTU which is listed in this output. The MTU is dynamically calculated:
Source, page 17)
Problem
I want details about a VPN tunnel.Solution
# diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN_NAME ver=1 serial=1 x.x.x.x:0->y.y.y.y:0 lgwy=static tun=intf mode=auto bound_if=5
proxyid_num=2 child_num=0 refcnt=110 ilast=0 olast=0
stat: rxp=11722317 txp=20120683 rxb=1762965855 txb=920217447
dpd: mode=off on=0 idle=5000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=PHASE2_NAME proto=0 sa=1 ref=2 serial=1
src: 0:a.a.a.a/255.255.254.0:0
dst: 0:b.b.b.b/255.255.255.0:0
SA: ref=73 options=0000000e type=00 soft=0 mtu=1446 expire=3303/0B replaywin=1024 seqno=d1a80
life: type=01 bytes=0/0 timeout=3548/3600
dec: spi=9822756d esp=3des key=24 b926cf43d384361bc1b4f67f43c05e94d626a4a6eae470b5
ah=md5 key=16 7885e747cf224b55aaf30012b26b4bc7
enc: spi=de81092c esp=3des key=24 03a53fee5fe142934cdcda753204993f3ae4645a389961dd
ah=md5 key=16 cd2e8d8a2ffdb17209a3741a1de83d21
dec:pkts/bytes=580097/90305200959, enc:pkts/bytes=859220/632576927854
npu_flag=03 npu_rgwy=207.107.149.1 npu_lgwy=72.1.196.82 npu_selid=0
proxyid=SSLVPN-to-GridWay proto=0 sa=0 ref=1 serial=3
src: 0:c.c.c.c/255.255.255.0:0
dst: 0:b.b.b.b/255.255.255.0:0The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as seen with diag vpn tunnel list . This indicates that the FortiGate allocates 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1, which is the difference if you subtract this MTU from a typical ethernet MTU of 1500 bytes.During the encryption process, AES/DES operates using a specific size of data which is block size. If data is smaller than that, it will be padded for the operation. MD5/SHA-1 HMAC also operates using a specific block size.(
Source, page 17)
no comments |
post comment
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.