Router User Manual
2 IPSec and IKE troubleshooting
Nortel Secure Router 8000 Series
Troubleshooting - VAS
2-58 Nortel Networks Inc. Issue 01.01 (30 March 2009)
nat traversal: disable
The preceding output shows whether NAT traversal is enabled or disabled.
Use the nat traversal command to change the setting.
display ike sa
<RouterA> display ike sa
  connection-id  peer           VPN  flag   phase  doi
  ---------------------------------------------------------------------
  15             202.38.162.1   0    RD|ST  2      IPSEC
  14             202.38.162.1   0    RD|ST  1      IPSEC
  flag meaning:
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
The following section explains each field in the display lines:
connection-id
This indicates the SA ID automatically generated in IKE negotiation.
peer
This indicates the IP address of the peer.
flag
This indicates the present SA status:
- RD (READY): The SA was set up successfully.
- ST (STAYALIVE): The present end is the SA negotiation initiator.
- RL (REPLACED): The present SA has been replaced with a new SA and should be removed immediately.
- FD (FADING): The SA is still in use after the soft timeout. Remove the SA before the hard timeout.
- TO (TIMEOUT): The SA has received no keep-alive packet after the last keep-alive timeout. If it receives none after the next keep-alive timeout either, remove this SA.
The present SA can display a combined status. For example, RD|ST indicates that the SA
negotiation is initiated by the local end and is set up.
phase
This indicates the SA phase:
- Phase 1: indicates ISAKMP SA.
- Phase 2: indicates IPSec SA.
doi
This indicates the Domain of Interpretation (DOI) of the SA. Nortel Secure Router 8000
Series supports IPSec DOI.
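The field descriptions above can be applied mechanically to captured display ike sa output. The following is an added example, not part of the Nortel manual: it parses the rows and reports SAs that are not READY or that carry the RL, FD or TO flag. The function names, the three extra sample rows and the NO_PHASE2 check are assumptions of this example.

```python
import re

# Flag legend as printed under the manual's `display ike sa` output.
FLAGS = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
         "FD": "FADING", "TO": "TIMEOUT"}
ATTENTION = ("RL", "FD", "TO")  # states for which the manual calls for SA removal
# One SA row: connection-id, peer, VPN, flag, phase, doi.
ROW = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+"
                 r"([A-Z]{2}(?:\|[A-Z]{2})*)\s+([12])\s+(\S+)\s*$")
# Rows 15 and 14 are from the manual; the other three are constructed.
SAMPLE = """\
<RouterA> display ike sa
connection-id peer VPN flag phase doi
---------------------------------------------------------------------
15 202.38.162.1 0 RD|ST 2 IPSEC
14 202.38.162.1 0 RD|ST 1 IPSEC
21 203.0.113.7 0 RD|FD 2 IPSEC
20 203.0.113.7 0 RD 1 IPSEC
30 198.51.100.9 0 RD|TO 1 IPSEC
flag meaning:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

def parse_ike_sa(text):
    """Return one dict per SA row; prompt, header and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            cid, peer, vpn, flag, phase, doi = m.groups()
            sas.append({"id": int(cid), "peer": peer, "vpn": int(vpn),
                        "flags": flag.split("|"), "phase": int(phase), "doi": doi})
    return sas

def review(sas):
    """Return (connection-id, peer, finding) tuples for SAs worth a look."""
    out = []
    for sa in sas:
        if "RD" not in sa["flags"]:
            out.append((sa["id"], sa["peer"], "NOT_READY"))
        out += [(sa["id"], sa["peer"], FLAGS[f])
                for f in ATTENTION if f in sa["flags"]]
    # Example's own heuristic: phase 1 SA with no phase 2 SA to that peer.
    by_phase = {n: {sa["peer"] for sa in sas if sa["phase"] == n} for n in (1, 2)}
    out += [(None, p, "NO_PHASE2") for p in sorted(by_phase[1] - by_phase[2])]
    return out

if __name__ == "__main__":
    print(*review(parse_ike_sa(SAMPLE)), sep="\n")
```

A NO_PHASE2 finding only means that no IPSec SA to that peer is listed alongside its ISAKMP SA; whether that is a fault depends on the configuration.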
display ipsec statistics
<RouterA> display ipsec statistics
the security packet statistics:
input/output security packets: 56/56










