IPSec

IPSec provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Use the IPSec VPN screen to assess the tunnel status between networked peers.

To view IPSec VPN status for tunneled peers:

  1. Select the Statistics menu from the Web UI.
  2. Expand the System node from the navigation pane (on the left-hand side of the screen). The System node expands to display the RF Domains created within the managed network.
  3. Expand the RF Domain node.
  4. Select a Wireless Controller.
  5. Expand the VPN menu.
  6. Select IPSec.
    The Statistics > Controller > VPN > IPsec screen displays in the right-hand pane.
    Review the following VPN peer security association statistics:
    Peer

    Lists IP addresses for peers sharing SAs for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.

    Local IP Address

    Displays each listed peer's local tunnel endpoint IP address. This address represents an alternative to an interface IP address.

    Protocol

    Lists the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH.

    State

    Lists the state of each listed peer's security association.

    SPI In

    Lists SPI (stateful packet inspection) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.

    SPI Out

    Lists SPI status for outgoing IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.

    Mode

    Displays the IKE mode as either Main or Aggressive. IPSec has two modes in IKEv1 for key exchanges. Aggressive mode requires three messages to be exchanged between the IPSec peers to set up the SA. Main mode requires six messages.

  7. Select Clear All to clear each peer of its current status and begin a new data collection.
  8. Select Refresh to update the screen's statistics counters to their latest values.