The ipsec command report heading

All display reports from the ipsec command begin with several heading lines, which give general information related to the request. The first three heading lines and the final line (which shows a selection count) appear in every report. Some reports might also have additional heading lines that contain information specific to the primary option.

Tip: When the -z option or the -x option is specified on the command, the stack name on the first line of the report is changed from Stack Name to NSS Client Name.

Heading example:
Line
1)  CS V2R1 ipsec  Stack Name: TCPCS4  Fri Nov 25 06:53:45 2011
2)  Primary:  Filter          Function: Display            Format:   Short
3)  Source:   Stack Policy    Scope:    Current            TotAvail: 164

4)  Logging:  On              Predecap: Off                DVIPSec:  Yes
5)  NatKeepAlive:  20         FIPS140:  No 
6)  Defensive Mode: Inactive 
7)  Exclusion Address: 9.1.1.1
The first heading line shows the following fields:
Stack Name
The stack name that the command is associated with. If global defensive filters are being displayed (-F dis -G), the command is not associated with a stack, and the Stack Name value is *ALL*.
NSS Client Name
The name that is associated with the NSS client's stack.
<timestamp>
The date and time of the report.
The second heading line shows:
Primary
The primary option as indicated by the request. The possible values are Filter, Defensive Filt, IKE tunnel, Dynamic tunnel, Manual tunnel, Interface, IP Traffic Test, NATT Port Trans, NSS Server, or Stack NSS.
Function
The function option for any report is display. If the request is for IKE tunnels with cascade (-k dis -e), then the function field displays display (cascade). If the request is for shadow dynamic tunnels (-y dis -s), then the function field displays display (shadows). If the request is for global defensive filters (-F dis -G), then the function field shows as display (global).
Format
The report format as indicated by the request. The possible values are detail, short, or wide.
The third heading line shows:
Source
The source of the data in the report.
Data sources are:
  • Stack: Data is from the IP stack.
  • IKED: Data is from the IKE daemon.
  • DMD: Data is from the Defense Manager daemon.
For the Filter (-f) and IP traffic test (-t) primary options, the source is one of the following values:
  • Stack Profile: Data is from the default IP security filter policy that is specified in the IP stack's profile.
  • Stack Policy: Data is from the IP security filter policy that is specified by the Policy Agent.
For the defensive filter (-F) primary option, the source is one of the following values:
  • Stack: Data is from the IP stack.
  • DMD: Data is from the Defense Manager daemon.

For the Network security server (-x) primary option, the source is the server (data is from the NSS server).

Scope
The scope as indicated by the request.
  • For the Filter (-f) primary option, the value is either current, policy, or profile (see IP filter (-f) primary option for a discussion of the difference between policy and profile).
  • For the IKE tunnel (-k) primary option, the value is current or all.
  • For the Dynamic tunnel (-y) primary option, the value is current or all.
  • For all other reports, the value is n/a.
TotAvail
The total number of items (filters or tunnel data) that are available from the stack. Depending on the selection criteria that are specified on the request, the report might not include all available entries. For example, a dynamic tunnel display for all tunnels (using the default Scope value of current) might format three tunnel entries, but the TotAvail field indicates the value 8. Reissuing the command with the Scope value all displays all eight tunnel entries and reveals that older, refreshed tunnels were not shown in the original display. For displays that are not stack oriented (Source is IKED), the value is n/a.
For the Filter (-f) and Defensive Filter (-F) primary options, the fourth heading line shows:
Logging
Indicates whether packet filter logging is in use globally for IP security filters.
  • If the Source value is Stack Profile, the Logging value indicates the setting of the LOGENABLE or LOGDISABLE keyword of the IPSEC statement.
  • If the Source value is Stack Policy, the Logging value is the same as the FilterLogging setting on the IpFilterPolicy statement.
  • If the Source value is Stack, the value is n/a.
  • If the Source value is DMD, the value is n/a.

Tip: Packet filter logging is always in use for defensive filters at a global level. Each defensive filter indicates whether packet filtering is in use for that filter.

Predecap
Indicates whether decapsulated packets are first filtered at the stack.
  • If the Source value is Stack Profile, the Predecap value is Off.
  • If the Source value is Stack Policy, the value indicates the PreDecap setting of the IpFilterPolicy statement.
  • If the Source value is Stack, the value is n/a.
  • If the Source value is DMD, the value is n/a.
DVIPSec
Indicates whether the filters for IP security tunnels that are associated with dynamic VIPA addresses can be distributed or moved during VIPA takeover or giveback. The value indicates the setting of the DVIPSEC keyword of the IPSEC statement in the TCPIP profile. This value applies to the treatment of both Stack Profile filters and Stack Policy filters. If the Source value is Stack or DMD, the value is n/a.
For the IP traffic test (-t) primary option, the fourth heading line shows:
TestData
Shows the test data as indicated from the request. The first and second positional fields are the source and destination IP address, respectively. The third positional field is the specified protocol. If the protocol is TCP or UDP, then the fourth and fifth positional fields are the source and destination port numbers, respectively.
For the IKE network security (-w) primary option the fourth heading line shows:
System Name
The name of the system on which the IKE daemon is running.
For the Network security server (-x) primary option the fourth heading line shows:
System Name
The name of the system on which the NSS server is running.

For all other primary options, there is no fourth heading line.

For the Filter (-f) and Defensive Filter (-F) primary options, the fifth heading line shows:
NatKeepAlive
The NAT keep alive interval in seconds that was defined with the NatKeepAliveInterval parameter on the KeyExchangePolicy statement. The value can be 0 (indicating that NAT keep alive messages should never be sent), or in the range 20 – 999 (indicating the number of seconds of inactivity that will trigger the sending of a NAT keep alive message). The default is 20 seconds. If the Source value is DMD, the value is n/a.
FIPS140
Specifies whether the stack is performing cryptographic operations using cryptographic algorithms and modules that are designed to meet the Federal Information Processing Standard (FIPS 140) security requirements. Possible values are:
Yes
All cryptographic operations performed by the stack are designed to meet the FIPS 140 security requirements.
No
The cryptographic operations performed by the stack are not designed to meet the FIPS 140 security requirements.
n/a
On the -F display, the FIPS140 field contains the value of n/a.
For the Filter (-f), Defensive Filter (-F), and IP traffic test (-t) primary options, subsequent heading lines show the following information:
Defensive Mode
Indicates the defensive filtering mode for the stack. The value is the same as the Mode setting on the DmStackConfig statement in the Defense Manager daemon (DMD) configuration file. The value is Active, Simulate, or Inactive. The value is Inactive if the Mode setting on the DmStackConfig statement is Inactive or if there is no DmStackConfig statement for this stack. If the Source value is DMD, the value is n/a.
Exclusion Address
If defensive filter processing is being used, you can specify an exclusion list of up to ten IP addresses or subnets in the DMD configuration file. This is intended to allow administrative access to the TCP/IP stack that could be inadvertently blocked by defensive filters. Inbound packets that originate from an IP address that is in the exclusion list are excluded from defensive filter processing. Outbound packets that are destined to an IP address that is in the exclusion list are excluded from defensive filter processing. Zero to ten Exclusion Address lines are included in the report heading.

The final line of any display report shows how many entries were actually listed in the report. Depending on the selection criteria that were specified on the request, the count of entries in the report might be less than the entire set.
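The following is an added example, not part of the z/OS documentation or the ipsec command itself: a small Python parser for the heading layout described above, run over a constructed sample modelled on the heading example, plus an audit helper that flags heading settings an operator would want to review (Logging Off, FIPS140 No, Defensive Mode Inactive, Source Stack Profile). The WEAK_SETTINGS table and the finding text are assumptions, not values the command emits.

```python
import re

# Constructed sample heading modelled on the page's example; not captured output.
SAMPLE_HEADING = """\
CS V2R1 ipsec  Stack Name: TCPCS4  Fri Nov 25 06:53:45 2011
Primary:  Filter          Function: Display            Format:   Short
Source:   Stack Policy    Scope:    Current            TotAvail: 164

Logging:  On              Predecap: Off                DVIPSec:  Yes
NatKeepAlive:  20         FIPS140:  No
Defensive Mode: Inactive
Exclusion Address: 9.1.1.1
Exclusion Address: 9.1.1.2
"""

# Labels the documentation lists for the heading; Exclusion Address may repeat.
LABELS = ("Stack Name", "NSS Client Name", "Primary", "Function", "Format",
          "Source", "Scope", "TotAvail", "Logging", "Predecap", "DVIPSec",
          "NatKeepAlive", "FIPS140", "Defensive Mode", "Exclusion Address",
          "TestData", "System Name")
LABEL_RE = re.compile("(" + "|".join(re.escape(l) for l in LABELS) + r"):\s*")

def parse_heading(text):
    """Map each heading label to its value; Exclusion Address collects into a list."""
    fields = {"Exclusion Address": []}
    for line in text.splitlines():
        hits = list(LABEL_RE.finditer(line))   # blank separator line yields no hits
        for i, hit in enumerate(hits):
            end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
            label, value = hit.group(1), line[hit.end():end].strip()
            if label in ("Stack Name", "NSS Client Name"):
                # First line ends "<name>  <timestamp>"; split on the run of blanks.
                value, _, stamp = value.partition("  ")
                fields["timestamp"] = stamp.strip()
            if label == "Exclusion Address":
                fields[label].append(value)
            else:
                fields[label] = value
    return fields

# (label, value, finding) triples; an assumed review checklist, not from the page.
WEAK_SETTINGS = (
    ("Logging", "Off", "global packet filter logging is off"),
    ("FIPS140", "No", "stack cryptography is not in FIPS 140 mode"),
    ("Defensive Mode", "Inactive", "defensive filtering is inactive for this stack"),
    ("Source", "Stack Profile", "filters are the profile defaults, not Policy Agent policy"),
)

def audit_heading(fields):
    """Return the findings whose (label, value) pair matches the parsed heading."""
    return [msg for label, val, msg in WEAK_SETTINGS if fields.get(label) == val]
```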