VPN Lab

Various VPN Lab scenarios are discussed below:

Policy Based VPN

 * Steps Required:
 * 1) Set Gateway
 * 2) Set Autokey IKE
 * 3) Set Policies with Action = Tunnel & select the tunnel name from drop-down.


 * Lab:

Packet Capture:

Route Based VPN

 * Steps Required for Route Based VPN in ScreenOS:
 * 1) Create unnumbered tunnel interface
 * 2) Set Gateway
 * 3) Set Autokey IKE
 * 4) Set Proxy-ID (the tunnel interface will come up now)
 * 5) Set Policies
 * 6) Create static route pointing to the tunnel


 * Lab

SRX Site to Site VPN

 * Route based VPN
 * Policy based VPN

Dialup VPN

 * Steps Required:
 * 1) Create Dial User Account
 * 2) Create Dial Up VPN Group
 * 3) Create the Phase 1 IKE Negotiation
 * 4) Select Dialup User Group
 * 5) Choose Mode (Initiator): Aggressive
 * 6) Enable NAT Traversal
 * 7) Create the Phase 2 IKE Negotiation
 * 8) Create Dial Up VPN Policy from Untrust to Trust with Source Address = Dial-Up VPN
 * 9) Place the policy at the top of the policy list


 * NCP-e Client configuration steps:
 * 1) NCP Secure Entry Client Configuration
 * 2) Click on “Configuration” > “Add Profile” > “Link to Corporate Network Using IPSec”
 * 3) Enter Profile Name
 * 4) Choose “LAN (Over IP)”
 * 5) Give the “Gateway” IP and “XAuth” Username and Password
 * 6) XAuth can be unchecked as well depending on the XAuth Settings on the Firewall.
 * 7) Select the Mode as “Aggressive” and select the PFS Group
 * 8) Enter “Pre Shared Key” and the IKE identity. If you are using Email as the identity then select “Fully Qualified Username”
 * 9) Specify the IP that the client will use as its Source IP. If an IP Pool is chosen in the XAuth settings on the firewall, an IP from that pool is assigned. Otherwise, you can define it manually on the client using the dropdown. If you choose “Local IP Address” and no IP Pool is defined in the firewall XAuth settings, the PC’s own IP is used as the Source IP. The profile is now created.
 * 10) By default the NCP client uses 0.0.0.0/0 as the remote-side private network, which means all traffic from the client is sent through the tunnel to the firewall.
 * 11) Changing it affects the Untrust to Trust policy that has to be configured on the firewall. If only specific subnets should be reachable through the tunnel, define split tunneling.
 * 12) Click on Edit on the profile, go to “Split Tunneling” and Add a Network.
 * 13) The proposals can be chosen or modified in the “IPSec General Settings” when editing the profile.
 * 14) Click on “Policy Editor” to edit the IKE (Phase 1) and IPSec (Phase 2) proposals. New proposals can also be created there.


 * Lab:



Dialup VPN with Xauth IP Pool

 * Steps Required:


 * NCP-e Client configuration steps:


 * Lab:



Dialup VPN with Xauth User

 * Steps Required:


 * NCP-e Client configuration steps:


 * Lab:



Cisco VPN Configuration

 * Cisco Remote Access Tunnel VPN config
 * Cisco LAN-to-LAN IPSec VPNs config

NAT-Traversal
Source: m00nie.com

GNS3 was used to replicate this scenario.


 * Scenario:

 * PC1:

ip 10.1.1.2 10.1.1.1 24

 * PC2:

ip 20.1.1.2 20.1.1.1 24

 * R1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.2
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac

crypto map LEFTY 10 ipsec-isakmp
 set peer 1.1.1.2
 set transform-set MYTSETNAME
 match address 101

interface Ethernet0/0
 ip address 192.168.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1

access-list 101 permit ip 10.1.1.0 0.0.0.255 20.1.1.0 0.0.0.255

 * R2:

interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly

interface Ethernet0/1
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly

ip route 10.1.1.0 255.255.255.0 192.168.1.2
ip route 20.1.1.0 255.255.255.0 1.1.1.2

ip nat inside source static 192.168.1.2 1.1.1.10

 * R3:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
 lifetime 3600
crypto isakmp key SuperS3cure address 1.1.1.10
crypto isakmp keepalive 10 periodic

crypto ipsec transform-set MYTSETNAME esp-aes 256 esp-sha-hmac

crypto map LEFTY 10 ipsec-isakmp
 set peer 1.1.1.10
 set transform-set MYTSETNAME
 match address 101

interface Ethernet0/1
 ip address 1.1.1.2 255.255.255.0
 crypto map LEFTY

interface Ethernet0/3
 ip address 20.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 1.1.1.1

access-list 101 permit ip 20.1.1.0 0.0.0.255 10.1.1.0 0.0.0.255

 * Verify:

R3#sh crypto engine connections active

ID   Interface           IP-Address      State  Algorithm                 Encrypt  Decrypt
1    Ethernet0/1         1.1.1.2         set    HMAC_SHA+AES_256_C              0        0
2001 Ethernet0/1         1.1.1.2         set    AES256+SHA                      0       10
2002 Ethernet0/1         1.1.1.2         set    AES256+SHA                      9        0

Debug: NAT Traversal

PCAP: [[Media:Nat Traversal.pcap|Nat Traversal PCAP]]
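When reading the NAT-Traversal capture above, the thing to know is how IKE and ESP share UDP port 4500 once NAT-T kicks in. The following Python is an added example, not part of the original lab page or of m00nie.com's material: it classifies UDP/4500 payloads the way RFC 3948 describes (a 4-byte zero non-ESP marker in front of IKE, bare ESP header otherwise, a single 0xFF byte for NAT keepalives) and runs the ESP sequence numbers through an RFC 4303 style anti-replay window, which is what the "no-replay"/"anti-replay off" settings in the ScreenOS labs further down switch off. The packet bytes are constructed inline, not taken from the PCAP.

```python
"""Classify and replay-check NAT-T (UDP/4500) payloads from an IPsec capture.

Added example. With NAT-Traversal both IKE and ESP share UDP port 4500.
RFC 3948 keeps them apart: an encapsulated ESP packet starts directly with
the ESP header (SPI, sequence number), an IKE packet is prefixed with a
4-byte zero "non-ESP marker" (an ESP SPI is never 0), and a NAT keepalive
is a single 0xFF byte.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
IKE_HEADER_LEN = 28  # two 8-byte SPIs + next payload, version, exchange, flags, msg id, length


@dataclass
class NatTRecord:
    kind: str                          # "esp", "ike", "keepalive" or "unknown"
    spi: Optional[int] = None          # ESP SPI
    seq: Optional[int] = None          # ESP sequence number
    ike_spi_i: Optional[bytes] = None  # IKE initiator SPI (cookie)


def classify_udp4500_payload(payload: bytes) -> NatTRecord:
    """Decide what a UDP/4500 payload carries, following RFC 3948 section 2."""
    if payload == NAT_KEEPALIVE:
        return NatTRecord("keepalive")
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < IKE_HEADER_LEN:
            return NatTRecord("unknown")
        return NatTRecord("ike", ike_spi_i=ike[:8])
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi != 0:
            return NatTRecord("esp", spi=spi, seq=seq)
    return NatTRecord("unknown")


class ReplayWindow:
    """Sliding anti-replay window as in RFC 4303 appendix A (default 64 packets)."""

    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.top = 0     # highest sequence number accepted so far
        self.bitmap = 0  # bit i set <=> sequence number (top - i) was already seen

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # 0 is never a valid sequence number
        if seq > self.top:                     # new high-water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:                # older than the window: drop
            return False
        if self.bitmap & (1 << offset):        # already seen: replay
            return False
        self.bitmap |= 1 << offset             # late but genuine: accept once
        return True


def summarize_udp4500(payloads: List[bytes]) -> Tuple[Dict[str, int], int]:
    """Count packet kinds and the ESP packets a replay window would reject."""
    counts = {"esp": 0, "ike": 0, "keepalive": 0, "unknown": 0}
    windows: Dict[int, ReplayWindow] = {}
    rejected = 0
    for payload in payloads:
        rec = classify_udp4500_payload(payload)
        counts[rec.kind] += 1
        if rec.kind == "esp":
            window = windows.setdefault(rec.spi, ReplayWindow())
            if not window.accept(rec.seq):
                rejected += 1
    return counts, rejected


def esp_packet(spi: int, seq: int, body: bytes = b"\x11" * 16) -> bytes:
    """Build a constructed UDP-encapsulated ESP payload (header + opaque body)."""
    return struct.pack("!II", spi, seq) + body


# Constructed sample of what UDP/4500 traffic in a lab like the one above looks
# like: one IKEv1 packet behind the non-ESP marker, ESP in both directions (one
# duplicated sequence number) and a NAT keepalive. Not taken from the PCAP.
SAMPLE_PAYLOADS = [
    NON_ESP_MARKER + bytes(range(8)) + bytes(8) + b"\x22\x10\x02\x00" + struct.pack("!II", 0, IKE_HEADER_LEN),
    esp_packet(0x1000, 1),
    esp_packet(0x1000, 2),
    esp_packet(0x1000, 2),   # duplicate: a replay window rejects this one
    esp_packet(0x2000, 1),
    NAT_KEEPALIVE,
]

if __name__ == "__main__":
    counts, rejected = summarize_udp4500(SAMPLE_PAYLOADS)
    print(counts, "rejected as replay:", rejected)
```

Feed it the UDP payloads of the 4500/udp stream from the capture (for example via a PCAP reader) and the counts tell you whether the NAT device is passing both the IKE and the ESP half of the tunnel; a non-zero rejected count on a live tunnel is the symptom that anti-replay would produce.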

Policy based Hub and Spoke VPN
Source


 * Steps:

 * On the HUB:

set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/2 ip 1.1.1.1/28
set interface ethernet0/2 route
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/1 nat
set ike gateway "To_Spoke1" address 2.2.2.1 Main outgoing-interface "ethernet0/2" preshare "fjSqyy68N8azlRs6agCvZZSAnQnu7+kfxA==" sec-level standard
set ike gateway "To_Spoke2" address 3.3.3.1 Main outgoing-interface "ethernet0/2" preshare "rQBrqF8+NHPrEgsq/6Cwv/a1W6nR0fi1xw==" sec-level standard
set vpn "To_Spoke1" gateway "To_Spoke1" no-replay tunnel idletime 0 sec-level standard
set vpn "To_Spoke2" gateway "To_Spoke2" no-replay tunnel idletime 0 sec-level standard
set route 192.168.2.1/24 interface ethernet0/2 gateway 1.1.1.2
set route 192.168.3.1/24 interface ethernet0/2 gateway 1.1.1.2

 * For SPOKE2 to SPOKE1 connectivity:

set policy id 16 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke2" log
set policy id 12 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log

 * For SPOKE1 to SPOKE2 connectivity:

set policy id 13 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 17 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke2" log

 * For SPOKE1 to HUB connectivity:

set policy id 7 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 8 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log

 * For SPOKE2 to HUB connectivity:

set policy id 9 from "Trust" to "Untrust" "192.168.1.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_Spoke1" log
set policy id 10 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_Spoke1" log

 * On SPOKE1:

set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 2.2.2.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 2.2.2.2
set route 192.168.3.0/24 interface ethernet0/2 gateway 2.2.2.2
set policy id 3 from "Untrust" to "Trust" "192.168.3.0/24" "192.168.2.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.2.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log

 * On SPOKE2:

set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/2 ip 3.3.3.1/28
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 192.168.3.1/24
set interface ethernet0/1 nat
set ike gateway "To_HUB" address 1.1.1.1 Main outgoing-interface "ethernet0/2" preshare "/FCeHmVxND/MOpsvdjCDfCkvxxnloaaWcA==" sec-level standard
set vpn "To_HUB" gateway "To_HUB" no-replay tunnel idletime 0 sec-level standard
set route 192.168.1.0/24 interface ethernet0/2 gateway 3.3.3.2
set route 192.168.2.0/24 interface ethernet0/2 gateway 3.3.3.2
set policy id 3 from "Untrust" to "Trust" "192.168.2.0/24" "192.168.3.0/24" "ANY" tunnel vpn "To_HUB" id 0x4 pair-policy 4 log
set policy id 1 from "Trust" to "Untrust" "192.168.3.0/24" "192.168.1.0/24" "ANY" tunnel vpn "To_HUB" id 0x2 pair-policy 2 log

Route based Hub and Spoke VPN

 * Steps
 * 1) Create the tunnel interface
 * 2) Define the IKE Gateway
 * 3) Define the VPN Tunnel
 * 4) Add Routes
 * 5) Configure policy to allow traffic between spokes


 * Configuration:



 * Hub firewall

set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/2
set interface tunnel.2 zone vpn
set interface tunnel.2 ip unnumbered interface ethernet0/2
set ike gateway to-spoke1 address 1.1.1.2 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set ike gateway to-spoke2 address 1.1.1.3 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke2 gateway to-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.2
set route 172.16.2.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.2
set policy from vpn to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to vpn "172.16.3.0/24" "172.16.2.0/24" any permit

 * Spoke1

set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-hub sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.1
set policy from trust to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to trust "172.16.3.0/24" "172.16.2.0/24" any permit

 * Spoke2

set zone name vpn
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered interface ethernet0/0
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke2 gateway to-hub sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.2.0/24 interface tunnel.1
set policy from trust to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
set policy from vpn to trust "172.16.2.0/24" "172.16.3.0/24" any permit
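Spoke-to-spoke traffic in this design crosses two tunnels and three policy decisions, so when a ping fails there are five places to look on each box. The Python below is an added example, not part of the original lab: it embeds the route-based hub-and-spoke configuration above as constructed strings (only the gateway, vpn, bind, route and policy lines, with spoke2's policy addresses written for its own 172.16.3.0/24 LAN), parses each device, and walks source spoke -> hub -> destination spoke for a pair of LAN prefixes, checking at every hop that a route exists, that the route's tunnel interface has a VPN bound to it, that the VPN's IKE gateway resolves to the next device, and that a permit policy matches. The spoke public addresses 1.1.1.2 and 1.1.1.3 are taken from the hub's gateway definitions.

```python
"""Trace a spoke-to-spoke path through the route-based hub-and-spoke configs.

Added example. Routes, tunnel bindings, IKE gateways and policies are parsed
from each ScreenOS configuration; the walk then follows route -> tunnel
interface -> VPN -> IKE gateway address from device to device and reports
the first missing piece when it breaks.
"""
import re
from typing import Dict, List, Optional, Tuple

ROUTE_RE = re.compile(r"set route (?P<prefix>[\d./]+) interface (?P<iface>\S+)")
BIND_RE = re.compile(r"set vpn (?P<vpn>\S+) bind interface (?P<iface>\S+)")
VPN_GW_RE = re.compile(r"set vpn (?P<vpn>\S+) gateway (?P<gw>\S+)")
GW_ADDR_RE = re.compile(r"set ike gateway (?P<gw>\S+) address (?P<addr>[\d.]+)")
POLICY_RE = re.compile(
    r'set policy from (?P<src_zone>\S+) to (?P<dst_zone>\S+) '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" (?P<svc>\S+) (?P<action>\S+)'
)

# Constructed from the lab configuration above (relevant lines only).
HUB_CFG = """
set ike gateway to-spoke1 address 1.1.1.2 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set ike gateway to-spoke2 address 1.1.1.3 main outgoing-interface ethernet0/2 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-spoke1 sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set vpn vpn-spoke2 gateway to-spoke2 sec-level standard
set vpn vpn-spoke2 bind interface tunnel.2
set route 172.16.2.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.2
set policy from vpn to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
"""
SPOKE1_CFG = """
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke1 gateway to-hub sec-level standard
set vpn vpn-spoke1 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.3.0/24 interface tunnel.1
set policy from trust to vpn "172.16.2.0/24" "172.16.3.0/24" any permit
set policy from vpn to trust "172.16.3.0/24" "172.16.2.0/24" any permit
"""
SPOKE2_CFG = """
set ike gateway to-hub address 1.1.1.1 main outgoing-interface ethernet0/0 preshare netscreen sec-level standard
set vpn vpn-spoke2 gateway to-hub sec-level standard
set vpn vpn-spoke2 bind interface tunnel.1
set route 172.16.1.0/24 interface tunnel.1
set route 172.16.2.0/24 interface tunnel.1
set policy from trust to vpn "172.16.3.0/24" "172.16.2.0/24" any permit
set policy from vpn to trust "172.16.2.0/24" "172.16.3.0/24" any permit
"""


def parse_device(name: str, config: str) -> Dict:
    """Collect routes, tunnel->VPN bindings, VPN->gateway, gateway->address and policies."""
    dev: Dict = {"name": name, "routes": {}, "bind": {}, "vpn_gw": {}, "gw_addr": {}, "policies": []}
    for raw in config.splitlines():
        line = raw.strip()
        if m := ROUTE_RE.match(line):
            dev["routes"][m["prefix"]] = m["iface"]
        elif m := BIND_RE.match(line):
            dev["bind"][m["iface"]] = m["vpn"]
        elif m := VPN_GW_RE.match(line):
            dev["vpn_gw"][m["vpn"]] = m["gw"]
        elif m := GW_ADDR_RE.match(line):
            dev["gw_addr"][m["gw"]] = m["addr"]
        elif m := POLICY_RE.match(line):
            dev["policies"].append(m.groupdict())
    return dev


def tunnel_hop(dev: Dict, prefix: str) -> Tuple[Optional[str], str]:
    """Follow route -> tunnel -> VPN -> IKE gateway; return (peer address, explanation)."""
    iface = dev["routes"].get(prefix)
    if iface is None:
        return None, f"no route for {prefix}"
    vpn = dev["bind"].get(iface)
    if vpn is None:
        return None, f"route for {prefix} uses {iface} but no VPN is bound to it"
    gw = dev["vpn_gw"].get(vpn)
    addr = dev["gw_addr"].get(gw)
    if addr is None:
        return None, f"VPN {vpn} has no IKE gateway with an address"
    return addr, f"{prefix} -> {iface} -> {vpn} -> {gw} ({addr})"


def permits(dev: Dict, src: str, dst: str) -> bool:
    return any(p["src"] == src and p["dst"] == dst and p["action"] == "permit" for p in dev["policies"])


def trace(devices: Dict[str, Dict], start: str, dst_addr: str,
          src_prefix: str, dst_prefix: str, max_hops: int = 4) -> Tuple[List[str], List[str]]:
    """Walk from the device at `start` towards `dst_addr`; return (trail, problems)."""
    trail: List[str] = []
    problems: List[str] = []
    cur = start
    for _ in range(max_hops):
        dev = devices.get(cur)
        if dev is None:
            problems.append(f"next hop {cur} is not a known device")
            return trail, problems
        if not permits(dev, src_prefix, dst_prefix):
            problems.append(f"{dev['name']}: no permit policy {src_prefix} -> {dst_prefix}")
        if cur == dst_addr:
            trail.append(f"{dev['name']}: delivers to {dst_prefix}")
            return trail, problems
        nxt, desc = tunnel_hop(dev, dst_prefix)
        trail.append(f"{dev['name']}: {desc}")
        if nxt is None:
            problems.append(f"{dev['name']}: {desc}")
            return trail, problems
        cur = nxt
    problems.append(f"hop limit reached before {dst_addr}")
    return trail, problems


def build_devices(hub_cfg: str = HUB_CFG) -> Dict[str, Dict]:
    """Map each device's public address (from the hub's gateway definitions) to its parsed config."""
    return {"1.1.1.1": parse_device("hub", hub_cfg),
            "1.1.1.2": parse_device("spoke1", SPOKE1_CFG),
            "1.1.1.3": parse_device("spoke2", SPOKE2_CFG)}


if __name__ == "__main__":
    for line in trace(build_devices(), "1.1.1.2", "1.1.1.3", "172.16.2.0/24", "172.16.3.0/24")[0]:
        print(line)
```

Replace the three config strings with the output of `get config` from the real devices and the trace names the hop to fix; removing the hub's route to 172.16.3.0/24, for instance, stops the walk at the hub with "no route for 172.16.3.0/24" rather than leaving you staring at a timed-out ping.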

Redundant VPN

 * General configuration steps

 * A redundant configuration at each VPN peer includes:
 * One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, for example, each peer has four paths.
 * One Phase 2 definition for each Phase 1 configuration.
 * One static route for each IPsec interface, with different distance values to prioritize the routes.
 * Two Accept security policies per IPsec interface, one for each direction of traffic.
 * Dead peer detection enabled in each Phase 1 definition.


 * The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.


 * Configuring the VPN peers - route-based VPN
 * VPN peers are configured using Interface Mode for redundant tunnels.
 * Configure each VPN peer as follows:
 * 1) Ensure that the interfaces used in the VPN have static IP addresses.
 * 2) Create a Phase 1 configuration for each of the paths between the peers. Enable dead peer detection so that one of the other paths is activated if this path fails.

Route based



 * Configuration Steps:


 * 1) Internal LAN interface for both sites will be ethernet0/0 in zone “trust” and will have private IP 192.168.10.1/24.
 * 2) Internet interface for both sites will be ethernet0/3 in zone “untrust” and will each have a unique public IP.
 * 3) Tunnel interface tunnel.1 will be in zone “vpn” on both sites to allow for configuring unique policies specifically for tunnel (encrypted) traffic while maintaining unique policies for clear (non-encrypted) traffic.
 * 4) The address range to reach Remote side hosts from Corporate side is 10.1.20.0/24.
 * 5) The address range to reach Corporate side hosts from Remote side is 10.1.10.0/24
 * 6) All traffic between the Corporate and Remote LANs is to be permitted, and traffic may be initiated from either side.
 * 7) Basic non-VPN settings such as system settings, user login, and default security settings are already pre-configured on both devices.


 * Basic Steps to Configure


 * 1) Configure the “vpn” security zone. “Trust” and “Untrust” zones are predefined.
 * 2) Configure IP addresses for interfaces ethernet0/0 and ethernet0/3. Bind the interfaces to the “Trust” and “Untrust” zones respectively.
 * 3) Create tunnel.1 interface and bind to “vpn” zone.
 * 4) Configure MIP for the tunnel interface.
 * 5) Configure default route to Internet next-hop and also a static route for the Remote site LAN. Optionally you can use a dynamic routing protocol such as OSPF instead but that is beyond the scope of this application note.
 * 6) Configure address book entries for “Trust” and “vpn” zones. This will be necessary for the security policies.
 * 7) Configure phase-1 (IKE) and phase-2 (VPN) proposals.
 * 8) Configure IKE gateway profile referencing the phase-1 proposal from step 7.
 * 9) Configure VPN profile referencing IKE gateway from step 8 and phase-2 proposal from step 7. Then bind interface tunnel.1 to the VPN.
 * 10) Configure security policy to permit Corporate site LAN to Remote site LAN using the address book entries created in step 6.
 * 11) Configure security policy to permit Remote site LAN traffic to Corporate site LAN using address book entry from step 6 with destination address as the MIP.
 * 12) Configure outgoing “Trust” to “Untrust” permit all policy with interface source NAT for Internet traffic.
 * 13) Configure tcp-mss for IPSec traffic to eliminate the possibility of fragmented TCP traffic. This will lessen the resource utilization on the device.


 * Corporate Site:

set zone name "vpn" vrouter "trust-vr"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 1.1.1.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.10.1/24
set interface tunnel.1 mip 10.1.10.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/3 gateway 1.1.1.1
set route 10.1.20.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "remote-net" 10.1.20.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "remote-ike" address 2.2.2.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "remote-vpn" gateway "remote-ike" proposal "vpn-proposal1"
set vpn "remote-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "remote-net" "ANY" permit
set policy from "vpn" to "Trust" "remote-net" "MIP(10.1.10.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350

 * Remote Site Configuration:

set zone name "vpn" vrouter "trust-vr"
set interface ethernet0/0 zone "Trust"
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 nat
set interface ethernet0/3 zone "Untrust"
set interface ethernet0/3 ip 2.2.2.2/30
set interface ethernet0/3 route
set interface tunnel.1 zone "vpn"
set interface tunnel.1 ip 10.1.20.1/24
set interface tunnel.1 mip 10.1.20.1 host 192.168.10.1 netmask 255.255.255.0 vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/3 gateway 2.2.2.1
set route 10.1.10.0/24 interface tunnel.1
set address "Trust" "local-net" 192.168.10.0 255.255.255.0
set address "vpn" "corporate-net" 10.1.10.0 255.255.255.0
set ike p1-proposal "ike-proposal1" preshare group2 esp 3des sha-1
set ike p2-proposal "vpn-proposal1" group2 esp 3des sha-1
set ike gateway "corporate-ike" address 1.1.1.2 Main outgoing-interface ethernet0/3 preshare "secretkey" proposal "ike-proposal1"
set vpn "corporate-vpn" gateway "corporate-ike" proposal "vpn-proposal1"
set vpn "corporate-vpn" bind interface tunnel.1
set policy from "Trust" to "vpn" "local-net" "corporate-net" "ANY" permit
set policy from "vpn" to "Trust" "corporate-net" "MIP(10.1.20.1/24)" "ANY" permit
set policy from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set flow tcp-mss 1350

Manual Key VPN


Packet Capture:


 * Configuration Steps:


 * SSG-001 Configuration:

set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/3 ip 10.200.20.25/24
set interface ethernet0/3 manage-ip 10.200.20.21
set vpn "Test1" id 0x1 manual 1000 2000 gateway 10.200.20.26 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
set vpn "Test1" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust" "Any" "Any" "ANY" permit
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set route 192.168.2.1/32 interface tunnel.1 gateway 10.200.20.26


 * SSG-002 Configuration:

set interface ethernet0/0 ip 192.168.2.1/24
set interface ethernet0/3 ip 10.200.20.26/24
set interface loopback.1 ip 2.2.2.2/24
set interface ethernet0/3 manage-ip 10.200.20.22
set interface "ethernet0/0" mip 192.168.1.10 host 2.2.2.1 netmask 255.255.255.255 vr "trust-vr"
set vpn "test2" id 0x4 manual 2000 1000 gateway 10.200.20.25 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
set vpn "test2" id 0x0 bind interface tunnel.1
set policy id 1 name "anyany" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 name "anyany-untrust" from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set route 192.168.1.1/32 interface tunnel.1 gateway 10.200.20.25


 * Testing on SSG-002:

Before adding the tunnel route:

LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
ip 192.168.1.1 is unreachable in vr trust-vr
Success Rate is 0 percent.

After adding the tunnel route:

LAB-SSG-002-> ping 192.168.1.1 from eth0/0
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 1 seconds from ethernet0/0
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=1/1/1 ms


 * Verifying:

 * SSG-001:

LAB-SSG-001-> get sa
total configured sa: 1
HEX ID   Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<   10.200.20.26  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
00000001>   10.200.20.26  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0

LAB-SSG-001-> get sa id 0x01
index 0, name Test1, peer gateway ip 10.200.20.26. vsys manual key.
base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 1, peer id -1, NSRP Local. site-to-site. Local interface is ethernet0/3 <10.200.20.25>.
esp, group 0, 3des encryption, md5 authentication
manual key monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x3
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0/0
ike activity timestamp: 0
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 00001000, flag 00004000, tunnel info 40000001, pipeline
life 0 sec, expired, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 497 seconds
next pak sequence number: 0x0
bytes/paks:1280/10; sw bytes/paks:1280/10
outgoing: SPI 00002000, flag 00000000, tunnel info 40000001, pipeline
life 0 sec, expired, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 497 seconds
next pak sequence number: 0xa
bytes/paks:1280/10; sw bytes/paks:1280/10

LAB-SSG-001-> get ike cookie

IKEv1 SA -- Active: 0, Dead: 0, Total 0

IKEv2 SA -- Active: 0, Dead: 0, Total 0


LAB-SSG-001-> get route

IPv4 Dest-Routes for (5 entries)
--------------------------------------------------------------------------------
        ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*        3    10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*        2    192.168.1.1/32         eth0/0         0.0.0.0   H    0      0     Root
*       11    192.168.2.1/32          tun.1    10.200.20.26   S   20      1     Root
*        1    192.168.1.0/24         eth0/0         0.0.0.0   C    0      0     Root
*        4   10.200.20.25/32         eth0/3         0.0.0.0   H    0      0     Root

LAB-SSG-001-> get vpn
Name           Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------------------------------------------------------------------------
Total Auto VPN: 0
Total Pure Transport Mode IPSEC VPN: 0

Name      Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
--------------------------------------------------------------------------------
Test1     10.200.20.26    eth0/3          00001000 00002000 esp:  3des/  md5     off 0x00000001
Total Manual VPN 1


 * SSG-002:

LAB-SSG-002-> get ike cookie

IKEv1 SA -- Active: 0, Dead: 0, Total 0

IKEv2 SA -- Active: 0, Dead: 0, Total 0

LAB-SSG-002-> get sa
total configured sa: 1
HEX ID   Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<   10.200.20.25  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
00000004>   10.200.20.25  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0

LAB-SSG-002-> get sa id 0x4
index 1, name test2, peer gateway ip 10.200.20.25. vsys manual key.
base node, tunnel mode, policy id in:<-1> out:<-1> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 4, peer id -1, NSRP Local. site-to-site. Local interface is ethernet0/3 <10.200.20.26>.
esp, group 0, 3des encryption, md5 authentication
manual key monitor<0>, latency: 0, availability: 0
DF bit: clear
app_sa_flags: 0x3
proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
ike activity timestamp: 0
DSCP-mark : disabled
nat-traversal map not available
incoming: SPI 00002000, flag 00004000, tunnel info 40000004, pipeline
life 0 sec, expired, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 721 seconds
next pak sequence number: 0x0
bytes/paks:1280/10; sw bytes/paks:1280/10
outgoing: SPI 00001000, flag 00000000, tunnel info 40000004, pipeline
life 0 sec, expired, 0 kb, 0 bytes remain
anti-replay off, idle timeout value <0>, idled 721 seconds
next pak sequence number: 0xa
bytes/paks:1280/10; sw bytes/paks:1280/10

LAB-SSG-002-> get vpn
Name           Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------------------------------------------------------------------------
Total Auto VPN: 0

Name      Gateway         Interface       Lcl SPI  Rmt SPI  Algorithm        Monitor Tunnel ID
--------------------------------------------------------------------------------
test2     10.200.20.25    eth0/3          00002000 00001000 esp:  3des/  md5     off 0x00000004
Total Manual VPN 1

LAB-SSG-002-> get route

IPv4 Dest-Routes for (6 entries)
--------------------------------------------------------------------------------
        ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------
*        5    10.200.20.0/24         eth0/3         0.0.0.0   C    0      0     Root
*       22    192.168.1.1/32          tun.1    10.200.20.25   S   20      1     Root
*       19    192.168.2.1/32         eth0/0         0.0.0.0   H    0      0     Root
*       18    192.168.2.0/24         eth0/0         0.0.0.0   C    0      0     Root
*        6   10.200.20.26/32         eth0/3         0.0.0.0   H    0      0     Root
*       16        2.2.2.0/24     loopback.1         0.0.0.0   C    0      0     Root

LAB-SSG-002-> get session
alloc 2/max 128064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 128062
Total 0 sessions shown
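With manual keys there is no IKE negotiation to flag a mistake: if the SPIs on the two SSGs do not mirror each other (local SPI on one side = remote SPI on the other) or the ESP algorithms differ, the SAs still show up in "get sa" and traffic simply disappears. The Python below is an added example and not part of the original lab: it parses the "set vpn ... manual ..." and interface lines from the two configurations above (embedded here as constructed strings), checks that the pair mirrors correctly and that each gateway address is the peer's outgoing-interface address, and then compares the SPIs, gateway and algorithm in the "get sa" rows with what was configured. Both the config values and the "get sa" rows are the ones shown above; ScreenOS manual SPIs are entered in hex, which is why "manual 1000 2000" shows up as SPI 00001000/00002000.

```python
"""Cross-check a ScreenOS manual-key VPN pair against 'get sa' output.

Added example. Parses the manual-key 'set vpn' line and interface addresses
from each SSG configuration, verifies that the two peers mirror each other,
and verifies that the SAs installed (as listed by 'get sa') match the config.
"""
import re
from typing import Dict, List

SET_VPN_RE = re.compile(
    r'set vpn "(?P<name>[^"]+)" id 0x[0-9a-fA-F]+ manual '
    r'(?P<local_spi>[0-9a-fA-F]+) (?P<remote_spi>[0-9a-fA-F]+) '
    r'gateway (?P<gateway>[\d.]+) outgoing-interface "(?P<iface>[^"]+)" '
    r'esp (?P<enc>\S+) password \S+ auth (?P<auth>\S+) password \S+'
)
SET_IFACE_IP_RE = re.compile(r"set interface (?P<iface>\S+) ip (?P<ip>[\d.]+)/\d+")
GET_SA_ROW_RE = re.compile(
    r"^(?P<hexid>[0-9a-fA-F]{8})(?P<dir>[<>])\s+(?P<gw>[\d.]+)\s+\d+\s+"
    r"esp:(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+(?P<spi>[0-9a-fA-F]{8})"
)

# Constructed from the SSG-001 / SSG-002 configuration and 'get sa' output above.
SSG001_CONFIG = """
set interface ethernet0/0 ip 192.168.1.1/24
set interface ethernet0/3 ip 10.200.20.25/24
set interface ethernet0/3 manage-ip 10.200.20.21
set vpn "Test1" id 0x1 manual 1000 2000 gateway 10.200.20.26 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
"""
SSG002_CONFIG = """
set interface ethernet0/0 ip 192.168.2.1/24
set interface ethernet0/3 ip 10.200.20.26/24
set interface loopback.1 ip 2.2.2.2/24
set interface ethernet0/3 manage-ip 10.200.20.22
set vpn "test2" id 0x4 manual 2000 1000 gateway 10.200.20.25 outgoing-interface "ethernet0/3" esp 3des password 123 auth md5 password 123
"""
GET_SA_001 = """
total configured sa: 1
HEX ID   Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000001<   10.200.20.26  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
00000001>   10.200.20.26  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
"""
GET_SA_002 = """
total configured sa: 1
HEX ID   Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000004<   10.200.20.25  500 esp:3des/md5  00002000   n/a   n/a M/-    -1 0
00000004>   10.200.20.25  500 esp:3des/md5  00001000   n/a   n/a M/-    -1 0
"""


def parse_config(text: str) -> Dict:
    """Return the manual VPN parameters and interface addresses found in a config."""
    cfg: Dict = {"ifaces": {}, "vpn": None}
    for raw in text.splitlines():
        line = raw.strip()
        m = SET_VPN_RE.match(line)
        if m:
            vpn = m.groupdict()
            vpn["local_spi"] = int(vpn["local_spi"], 16)    # manual SPIs are hex in ScreenOS
            vpn["remote_spi"] = int(vpn["remote_spi"], 16)
            cfg["vpn"] = vpn
            continue
        m = SET_IFACE_IP_RE.match(line)
        if m:
            cfg["ifaces"][m["iface"]] = m["ip"]
    return cfg


def check_pair(a: Dict, b: Dict) -> List[str]:
    """Problems that would stop two manual-key peers from exchanging traffic."""
    va, vb = a["vpn"], b["vpn"]
    problems: List[str] = []
    if va["local_spi"] != vb["remote_spi"]:
        problems.append(f"{va['name']} local SPI {va['local_spi']:#x} != {vb['name']} remote SPI {vb['remote_spi']:#x}")
    if va["remote_spi"] != vb["local_spi"]:
        problems.append(f"{va['name']} remote SPI {va['remote_spi']:#x} != {vb['name']} local SPI {vb['local_spi']:#x}")
    if (va["enc"], va["auth"]) != (vb["enc"], vb["auth"]):
        problems.append(f"algorithm mismatch: {va['enc']}/{va['auth']} vs {vb['enc']}/{vb['auth']}")
    for me, peer in ((va, b), (vb, a)):            # each gateway must be the peer's outgoing interface
        peer_ip = peer["ifaces"].get(peer["vpn"]["iface"])
        if peer_ip != me["gateway"]:
            problems.append(f"{me['name']} gateway {me['gateway']} is not the peer's {peer['vpn']['iface']} address {peer_ip}")
    return problems


def check_installed(cfg: Dict, get_sa: str) -> List[str]:
    """Compare the 'get sa' rows (< inbound, > outbound) with the configured values."""
    v = cfg["vpn"]
    expected = {"<": v["local_spi"], ">": v["remote_spi"]}
    seen = set()
    problems: List[str] = []
    for raw in get_sa.splitlines():
        m = GET_SA_ROW_RE.match(raw.strip())
        if not m:
            continue
        seen.add(m["dir"])
        spi = int(m["spi"], 16)
        if spi != expected[m["dir"]]:
            problems.append(f"{m['dir']} SA has SPI {spi:#x}, config expects {expected[m['dir']]:#x}")
        if m["gw"] != v["gateway"]:
            problems.append(f"{m['dir']} SA gateway {m['gw']} differs from configured {v['gateway']}")
        if (m["enc"], m["auth"]) != (v["enc"], v["auth"]):
            problems.append(f"{m['dir']} SA algorithm {m['enc']}/{m['auth']} differs from configured {v['enc']}/{v['auth']}")
    for d, label in (("<", "inbound"), (">", "outbound")):
        if d not in seen:
            problems.append(f"no {label} SA installed")
    return problems


if __name__ == "__main__":
    a, b = parse_config(SSG001_CONFIG), parse_config(SSG002_CONFIG)
    print("pair:", check_pair(a, b) or "ok")
    print("SSG-001 SAs:", check_installed(a, GET_SA_001) or "ok")
    print("SSG-002 SAs:", check_installed(b, GET_SA_002) or "ok")
```

Paste in "get config" and "get sa" from both boxes; an empty list from both checks means the SPIs, gateway and ESP algorithm line up, and the remaining suspects for a dead tunnel are the route to the tunnel interface and the policies.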


 * References: