show security ike security-associations
node0:
--------------------------------------------------------------------------
Index    Remote Address   State  Initiator cookie  Responder cookie  Mode
7898558  88.XXX.XXX.XXX   UP     0d7e74c4d0f69bff  8f7b7603b555f360  Aggressive

show security ike security-associations detail
node0:
IKE peer 88.XXX.XXX.XXX, Index 7898558,
  Role: Initiator, State: UP
  Initiator cookie: 0d7e74c4d0f69bff, Responder cookie: 8f7b7603b555f360
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 213.XXX.XXX.XXX:500, Remote: 88.XXX.XXX.XXX:500
  Lifetime: Expires in 25486 seconds
  Peer ike-id: 88.XXX.XXX.XXX
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication : sha1
   Encryption : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input bytes : 1076
   Output bytes : 1424
   Input packets: 5
   Output packets: 6
  Flags: Caller notification sent
  IPSec security associations: 2 created, 2 deleted
  Phase 2 negotiations in progress: 0

show security ipsec security-associations index 131078
node0:
--------------------------------------------------------------------------
  Virtual-system: root
  Local Gateway: 213.XXX.XXX.XXX, Remote Gateway: 88.XXX.XXX.XXX
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear

  Direction: inbound, SPI: 323a1ede, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3213 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2612 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  Direction: outbound, SPI: c221808b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3213 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2612 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec statistics index 131078
node0:
--------------------------------------------------------------------------
ESP Statistics:
  Encrypted bytes: 0
  Decrypted bytes: 934668
  Encrypted packets: 0
  Decrypted packets: 11127
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

node1:
--------------------------------------------------------------------------
ESP Statistics:
  Encrypted bytes: 0
  Decrypted bytes: 0
  Encrypted packets: 0
  Decrypted packets: 0
AH Statistics:
  Input bytes: 0
  Output bytes: 0
  Input packets: 0
  Output packets: 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

show interfaces st0.0 detail
  Logical interface st0.0 (Index 80) (SNMP ifIndex 540) (Generation 147)
    Flags: No-Multicast SNMP-Traps Encapsulation: Secure-Tunnel
    Traffic statistics:
     Input bytes : 4183107929
     Output bytes : 3821561081
     Input packets: 18165651
     Output packets: 13742549
    Local statistics:
     Input bytes : 56911517
     Output bytes : 108651415
     Input packets: 1043326
     Output packets: 1061262
    Transit statistics:
     Input bytes : 4126196412 0 bps
     Output bytes : 3712909666 0 bps
     Input packets: 17122325 0 pps
     Output packets: 12681287 0 pps
    Security: Zone: vpn
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf pgm pim rip router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip r2cp
    Flow Statistics :
    Flow Input statistics :
      Self packets : 1060186
      ICMP packets : 294902
      VPN packets : 0
      Multicast packets : 0
      Bytes permitted by policy : 3952025529
      Connections established : 759936
    Flow Output statistics:
      Multicast packets : 0
      Bytes permitted by policy : 3130439487
    Flow error statistics (Packets dropped due to):
      Address spoofing: 0
      Authentication failed: 0
      Incoming NAT errors: 0
      Invalid zone received packet: 0
      Multiple user authentications: 0
      Multiple incoming NAT: 0
      No parent for a gate: 0
      No one interested in self packets: 170
      No minor session: 0
      No more sessions: 0
      No NAT gate: 0
      No route present: 6
      No SA for incoming SPI: 0
      No tunnel found: 0
      No session for a gate: 0
      No zone or NULL zone binding 0
      Policy denied: 3
      Security association not active: 0
      TCP sequence number out of window: 0
      Syn-attack protection: 0
      User authentication errors: 0
    Protocol inet, MTU: 9192, Generation: 158, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.16.251/24, Local: 10.16.251.1, Broadcast: Unspecified, Generation: 149

show configuration security ike
inactive: traceoptions {
    file ike-trace;
    flag all;
}
}
policy MIT-PaloAlto-AT {
    mode aggressive;
    proposal-set standard;
    pre-shared-key ascii-text "XXX"; ## SECRET-DATA
}
}
gateway MIT-PaloAlto-AT {
    ike-policy MIT-PaloAlto-AT;
    address 88.XXX.XXX.XXX;
    dead-peer-detection {
        always-send;
        interval 10;
    }
    local-identity inet 213.XXX.XXX.XXX;
    external-interface reth0.0;
}

show configuration security ipsec
inactive: traceoptions {
    flag all;
}
policy MIT-FXXX-650 {
    perfect-forward-secrecy {
        keys group2;
    }
    proposal-set standard;
}
}
vpn MIT-PaloAlto-AT {
    bind-interface st0.0;
    ike {
        gateway MIT-PaloAlto-AT;
        ipsec-policy MIT-FXXX-650;
    }
    establish-tunnels immediately;
}