VPN Packet Tracking (bcstats)
You can run these commands to monitor the IPSEC packet flow.
To see: | Run:
Source and destination IP addresses; which SGM encrypted packets are forwarded to | bcstats vpn -v
Which SGM holds the outbound SA | g_fw tab -t outbound_SPI -f
Search for MSPI in the output. MSPI is the Meta SA, and shows which SGM holds the outbound SA.
Example - g_fw tab
# fw tab -t outbound_SPI -f
using cptfmt
Formatting table's data - this might take a while...
local host:
Date: Nov 14, 2011
12:37:15 172.16.6.171 > : (+)====================================(+); Table_Name: outbound_SPI; : (+); Attributes: dynamic, id 285,
attributes: keep, sync, kbuf 6 7, expires 3600, limit 20400, hashsize 32768; product: VPN-1 & Firewall-1;
12:37:15 172.16.6.171 > : (+); peer: 172.16.6.189; ,sPi: fs9baoec; CPTFMT_sep: sPI: 1; Ic00MB1: c5364f5e6414aad9; ,cookieR:
95a478b10f9544a6; Expires: 3540/3610; product: VPN-1 & Firewall-1;
The output can include Security Associations (SAs) with an MSPI of 0. These are dummy SAs and can safely be ignored.
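The MSPI search described above can be scripted. The following is an added example, not part of the original page or of Check Point's tooling. It assumes the formatted output holds one SA per timestamped record as "name: value;" pairs with fields named peer, SPI and MSPI; the function names and the sample data are constructed for illustration.

```shell
# Added example (not Check Point code). Assumes cptfmt prints one SA per
# timestamped record as "name: value;" pairs with fields peer, SPI and MSPI.

# Constructed sample output; addresses and SPI values are made up.
sample_output() {
    cat <<'EOF'
using cptfmt
Date: Nov 14, 2011
12:37:15 192.0.2.1 > : (+)====(+); Table_Name: outbound_SPI; : (+); Attributes: dynamic, id 285,
attributes: keep, sync; product: VPN-1 & Firewall-1;
12:37:15 192.0.2.1 > : (+); peer: 192.0.2.10; SPI: a1b2c3d4; MSPI: 1; Expires: 3540/3610;
12:37:15 192.0.2.1 > : (+); peer: 192.0.2.10; SPI: 0badc0de; MSPI: 0; Expires: 3540/3610;
12:37:16 192.0.2.1 > : (+); peer: 192.0.2.20; SPI: 5e6f7a8b; MSPI:
3; Expires: 3100/3610;
EOF
}

# Print "peer SPI MSPI" for each SA read from stdin. Wrapped lines are joined
# to their record, and SAs with an MSPI of 0 (dummy SAs) are skipped.
list_outbound_sas() {
    awk '
    function emit(    n, i, p, parts, key, val, peer, spi, mspi) {
        n = split(rec, parts, ";")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            sub(/^[ ,]+/, "", p)                       # drop leading blanks and commas
            if (!match(p, /^[A-Za-z_]+: */)) continue  # not a "name: value" pair
            key = tolower(substr(p, 1, RLENGTH))
            sub(/: *$/, "", key)
            val = substr(p, RLENGTH + 1)
            sub(/ +$/, "", val)
            if (key == "peer") peer = val
            else if (key == "spi") spi = val
            else if (key == "mspi") mspi = val
        }
        if (peer != "" && mspi != "" && mspi !~ /^0+$/)
            print peer, spi, mspi
        rec = ""
    }
    /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9] / { if (rec != "") emit(); rec = $0; next }
    rec != "" { rec = rec " " $0 }                     # continuation of a wrapped record
    END { if (rec != "") emit() }
    '
}

sample_output | list_outbound_sas
```

On a gateway, the input would be the output of g_fw tab -t outbound_SPI -f piped into list_outbound_sas.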