All display reports from the ipsec command begin
with several heading lines, which give general information related
to the request. The first three heading lines and the final line,
which includes the selection count, exist in every report. Some reports
also have additional heading lines that contain information
specific to the primary option.
Tip: When the -z option
or the -x option is specified on the command,
the stack name on the first line of the report is changed from Stack
Name to NSS Client Name.
Heading example:
Line
1) CS V2R1 ipsec Stack Name: TCPCS4 Fri Nov 25 06:53:45 2011
2) Primary: Filter Function: Display Format: Short
3) Source: Stack Policy Scope: Current TotAvail: 164
4) Logging: On Predecap: Off DVIPSec: Yes
5) NatKeepAlive: 20 FIPS140: No
6) Defensive Mode: Inactive
7) Exclusion Address: 9.1.1.1
The first heading line shows the following fields:
- Stack Name
- The stack name that the command is associated with. If global
defensive filters are being displayed (-F dis -G), the command
is not associated with a stack, and the Stack Name value is *ALL*.
- NSS Client Name
- The name that is associated with the NSS client's stack.
- <timestamp>
- The date and time of the report.
The second heading line shows:
- Primary
- The primary option as indicated by the request. The possible
values are Filter, Defensive Filt, IKE
tunnel, Dynamic tunnel, Manual tunnel, Interface, IP
Traffic Test, NATT Port Trans, NSS
Server, or Stack NSS.
- Function
- The function option for any report is display.
If the request is for IKE tunnels with cascade (-k
dis -e), then the function field displays display (cascade).
If the request is for shadow dynamic tunnels (-y dis -s),
then the function field displays display (shadows).
If the request is for global defensive filters (-F dis -G),
then the function field shows as display (global).
- Format
- The report format as indicated by the request. The possible values
are detail, short, or wide.
The third heading line shows:
- Source
- The source of the data in the report.
Data sources are:
- Stack: Data is from the IP stack.
- IKED: Data is from the IKE daemon.
- DMD: Data is from the Defense Manager daemon.
For the Filter (-f) and IP traffic test (-t) primary options, the source is
one of the following values:
- Stack Profile: Data is from the default IP security filter policy
that is specified in the IP stack's profile.
- Stack Policy: Data is from the IP security filter policy that
is specified by the Policy Agent.
For the defensive filter (-F) primary option, the source is one of the following values:
- Stack: Data is from the IP stack.
- DMD: Data is from the Defense Manager daemon.
For the Network security server (-x)
primary option, the source is the server (data is from the NSS server).
- Scope
- The scope as indicated by the request.
- For the Filter (-f) primary option,
the value is either current, policy, or profile (see IP filter (-f) primary option for a discussion of the difference
between policy and profile).
- For the IKE tunnel (-k) primary option,
the value is current or all.
- For the Dynamic tunnel (-y) primary
option, the value is current or all.
- For all other reports, the value is n/a.
- TotAvail
- The total number of items (filters or tunnel data) that are available
from the stack. Depending on the selection criteria that is specified
on the request, the report might not include all available entries.
For example, a dynamic tunnel display for all tunnels (using the
default Scope value of current) might format three
tunnel entries, but the TotAvail field indicates the value 8. Reissuing
the command with the Scope value all displays all
eight tunnel entries and reveals that older, refreshed tunnels were
not shown in the original display. For displays that are not stack
oriented (Source is IKED), the value is n/a.
For the Filter (-f) and Defensive Filter (-F) primary options, the fourth
heading line shows:
- Logging
- Indicates whether packet filter logging is in use globally for
IP security filters.
- If the Source value is Stack Profile, the Logging
value indicates the setting of the LOGENABLE or LOGDISABLE keyword
of the IPSEC statement.
- If the Source value is Stack Policy, the Logging value
is the same as the FilterLogging setting on the IpFilterPolicy statement.
- If the Source value is Stack, the value is n/a.
- If the Source value is DMD, the value is n/a.
Tip: Packet
filter logging is always in use for defensive filters at a global
level. Each defensive filter indicates whether packet filter logging is
in use for that filter.
- Predecap
- Indicates whether decapsulated packets are first filtered at the
stack.
- If the Source value is Stack Profile, the Predecap
value is Off.
- If the Source value is Stack Policy, the value
indicates the PreDecap setting of the IpFilterPolicy statement.
- If the Source value is Stack, the value is n/a.
- If the Source value is DMD, the value is n/a.
- DVIPSec
- Indicates whether the filters for IP security tunnels that are
associated with dynamic VIPA addresses can be distributed or moved
during VIPA takeover or giveback. The value indicates the setting
of the DVIPSEC keyword of the IPSEC statement in the TCPIP profile.
This value applies to the treatment of both Stack Profile filters
and Stack Policy filters. If the Source value is Stack or DMD, the
value is n/a.
For the IP traffic test (-t) primary option, the fourth heading line shows:
- TestData
- Shows the test data as indicated from the request. The first
and second positional fields are the source and destination IP address,
respectively. The third positional field is the specified protocol.
If the protocol is TCP or UDP, then the fourth and fifth positional
fields are the source and destination port numbers, respectively.
For the IKE network security (-w) primary option, the fourth heading line shows:
- System Name
- The name of the system on which the IKE daemon is running.
For the Network security server (-x) primary option, the fourth heading line shows:
- System Name
- The name of the system on which the NSS server is running.
For all other primary options, there is no fourth heading
line.
For the Filter (-f) and Defensive Filter (-F) primary options, the fifth heading
line shows:
- NatKeepAlive
- The NAT keep alive interval in seconds that was defined with the
NatKeepAliveInterval parameter on the KeyExchangePolicy statement.
The value can be 0 (indicating that NAT keep alive messages should
never be sent), or in the range 20 – 999 (indicating
the number of seconds of inactivity that will trigger the sending
of a NAT keep alive message). The default is 20 seconds. If the Source
value is DMD, the value is n/a.
- FIPS140
- Specifies whether the stack is performing cryptographic operations
using cryptographic algorithms and modules that are designed to meet
the Federal Information Processing Standard (FIPS 140) security requirements.
Possible values are:
- Yes
- All cryptographic operations performed by the stack are designed
to meet the FIPS 140 security requirements.
- No
- The cryptographic operations performed by the stack are not designed
to meet the FIPS 140 security requirements.
- n/a
- On the -F display, the FIPS140 field contains the value of n/a.
For the Filter (-f), Defensive Filter (-F) and IP traffic test (-t)
primary options, subsequent heading lines show the following information:
- Defensive Mode
- Indicates the defensive filtering mode for the stack. The value
is the same as the Mode setting on the DmStackConfig statement in
the Defense Manager daemon (DMD) configuration file. The value is
Active, Simulate, or Inactive. The value is Inactive if the Mode
setting on the DmStackConfig statement is Inactive or if there is
no DmStackConfig statement for this stack. If the Source value is
DMD, the value is n/a.
- Exclusion Address
- If defensive filter processing is being used, you can specify
an exclusion list of up to ten IP addresses or subnets in the DMD
configuration file. This is intended to allow administrative access
to the TCP/IP stack that could be inadvertently blocked by defensive
filters. Inbound packets that originate from an IP address that is
in the exclusion list are excluded from defensive filter processing.
Outbound packets that are destined to an IP address that is in the
exclusion list are excluded from defensive filter processing. Zero
to ten Exclusion Address lines are included in the report heading.
The final line of any display report shows how many entries
were actually listed in the report. Depending on the selection criteria
that was specified on the request, the count of entries in the report
might be less than the entire set.
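The following is an added example, not IBM's code and not part of this documentation. It parses the heading lines described above from a constructed report into a dictionary, collects the repeated Exclusion Address lines, reads the selection count from the final line, and then flags the fields a security reviewer checks first: Logging Off, FIPS140 No, a Defensive Mode other than Active, and a selection count lower than TotAvail. Three things are assumptions rather than facts from the page: that the real output pads the space between field pairs with two or more blanks, that a blank line separates the heading from the report body, and that the final line reads "N entries selected". The sample report is constructed; its seven heading lines reproduce the page's example with column padding restored.

```python
"""Parse the heading of an ipsec display report and flag notable settings.
Added example; not IBM's code. See the comments for the assumptions made."""
import re
from typing import Dict, List

# Constructed sample. Heading lines follow the page's example; the body lines
# and the final "entries selected" line are assumptions about the real output.
SAMPLE_REPORT = """\
CS V2R1 ipsec  Stack Name: TCPCS4  Fri Nov 25 06:53:45 2011
Primary:  Filter          Function: Display            Format:   Short
Source:   Stack Policy    Scope:    Current            TotAvail: 164
Logging:  On              Predecap: Off                DVIPSec:  Yes
NatKeepAlive:  20                                      FIPS140:  No
Defensive Mode: Inactive
Exclusion Address: 9.1.1.1
Exclusion Address: 10.0.0.0/8

FilterName:  ADMIN-SSH-IN
FilterName:  WEB-IN
FilterName:  DENY-ALL

3 entries selected
"""

# A heading key is one or more words separated by single spaces ("Stack Name",
# "FIPS140"); pairs on one line are separated by two or more spaces.
KEY = r"[A-Za-z][A-Za-z0-9]*(?: [A-Za-z0-9]+)*"
FIRST_LINE = re.compile(
    rf"^(?P<product>.+?)\s+(?P<namekey>Stack Name|NSS Client Name):\s+"
    rf"(?P<name>\S+)\s+(?P<timestamp>.+)$")
PAIR = re.compile(rf"({KEY}):\s*(.*?)(?=\s+{KEY}:|\s*$)")
FINAL_LINE = re.compile(r"^(\d+) entries selected$")   # assumed wording


def parse_heading(report: str) -> Dict[str, object]:
    """Return the heading fields, the Exclusion Address list and the
    selection count ("Selected", None if the final line is not recognised)."""
    lines = report.splitlines()
    m = FIRST_LINE.match(lines[0]) if lines else None
    if m is None:
        raise ValueError("not an ipsec display report")
    heading: Dict[str, object] = {
        "Product": m["product"].strip(),
        m["namekey"]: m["name"],          # Stack Name or NSS Client Name
        "Timestamp": m["timestamp"].strip(),
    }
    exclusions: List[str] = []
    for line in lines[1:]:
        text = line.strip()
        # Assumption: the heading ends at the first blank line or at the
        # first line that does not start with a "Key:" field.
        if not text or not re.match(rf"{KEY}:", text):
            break
        for key, value in PAIR.findall(text):
            if key == "Exclusion Address":   # zero to ten of these lines
                exclusions.append(value.strip())
            else:
                heading[key] = value.strip()
    heading["Exclusion Address"] = exclusions
    last = next((ln.strip() for ln in reversed(lines) if ln.strip()), "")
    fm = FINAL_LINE.match(last)
    heading["Selected"] = int(fm.group(1)) if fm else None
    return heading


def review_heading(h: Dict[str, object]) -> List[str]:
    """Flag heading values a security reviewer would want to look at."""
    findings: List[str] = []
    if h.get("Logging") == "Off":
        findings.append("Logging: Off (global packet filter logging is disabled)")
    if h.get("FIPS140") == "No":
        findings.append("FIPS140: No (stack cryptography is not in FIPS 140 mode)")
    mode = h.get("Defensive Mode")
    if mode is not None and mode != "Active":
        findings.append(f"Defensive Mode: {mode} (defensive filtering is not Active)")
    total, selected = h.get("TotAvail"), h.get("Selected")
    if (isinstance(total, str) and total.isdigit()
            and selected is not None and selected < int(total)):
        findings.append(f"{selected} of {total} available entries listed "
                        f"(Scope: {h.get('Scope')}); widen the scope or "
                        f"selection to see the rest")
    return findings


if __name__ == "__main__":
    for finding in review_heading(parse_heading(SAMPLE_REPORT)):
        print(finding)
```

The parser keys on the column padding of the real output, so a report whose whitespace was collapsed (as in the page's example as printed) would need the padding restored first; on the sample above the review reports three findings (FIPS140, Defensive Mode, and 3 of 164 entries listed).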