View Traffic Selector
This page describes how to view an IPsec traffic selector.
For more information on the output, please refer to Traffic Selector Config Explained.
TL;DR
The tmsh show net ipsec traffic-selector traffic command shows if the selector is in use (up) and if traffic is matching that selector and going in or out of the tunnel. If a traffic selector is up, there is a related IPsec-SA up for it.
View Traffic Selectors
The method to view the selector state is the same regardless of whether IKEv1 or IKEv2 is in use.
The web UI provides the most user-friendly method to filter and observe the state of selectors.
Network ›› IPsec : IPsec Diagnostics
In the Diagnostics tab, search based on the criteria of the tunnel being investigated.

From there, select the traffic selector and a panel will render underneath with two tabs: “Traffic Selector Statistics” and “Security Association Details”.
The “Traffic Selector Statistics” are much the same as the output of the related tmsh command:
tmsh show net ipsec traffic-selector
Example:
# tmsh show net ipsec traffic-selector
------------------------------------------------------
Net::IPSec::Traffic Selector : second-selector
------------------------------------------------------
Security Policy Entry
Source : 192.168.70.1/32 Destination : 172.16.0.0/24
Direction : in
Policy ID : 17129
Tunnel State : down
Traffic
Packets : 39
Bytes : 5.3K
------------------------------------------------------
Net::IPSec::Traffic Selector : second-selector
------------------------------------------------------
Security Policy Entry
Source : 172.16.0.0/24 Destination : 192.168.70.1/32
Direction : out
Policy ID : 17130
Tunnel State : down
Traffic
Packets : 0
Bytes : 0
In the above output, both the “in” and “out” directions are down. That means no IPsec-SA currently exists to handle those networks.
At some point the tunnel was up and handled 39 inbound packets, but no packets went out. Possible reasons for that are:
the incoming packets did not reach the final destination or
the final destination did not reply.
For a traffic selector to handle packets, there must be a related IPsec security association (IPsec-SA) up. Accordingly, the traffic selector will also report itself up.
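The two conditions discussed above (a selector with no IPsec-SA, and inbound packets with no outbound packets) can be checked from the command line. The following is an added example, not part of the original page: a shell function that reads `tmsh show net ipsec traffic-selector` output on stdin and prints one summary line per selector. It assumes the "Name : value" layout shown above; `ts_check`, `ts_sample`, the finding labels and `example-selector` are names made up for illustration.

```shell
# Added example. Reads `tmsh show net ipsec traffic-selector` output on stdin
# and prints one summary line per selector: state/packets for each direction.
# Assumes the "Name : value" field layout shown on this page.
ts_check() {
    awk '
    function num(v) { return v + 0 }  # "39" -> 39, "5.3K" -> 5.3; only zero vs non-zero matters
    /Traffic Selector[ \t]*:/ {
        name = $NF
        if (!(name in seen)) { seen[name] = 1; order[++n] = name }
        next
    }
    /Direction[ \t]*:/    { dir = $NF; next }
    /Tunnel State[ \t]*:/ { state[name, dir] = $NF; next }
    /Packets[ \t]*:/      { pkts[name, dir] = $NF; next }
    END {
        for (i = 1; i <= n; i++) {
            s = order[i]; f = ""
            # "down" in either direction: no IPsec-SA exists for these networks
            if (state[s, "in"] != "up" || state[s, "out"] != "up") f = f ",no-ipsec-sa"
            # packets arrived through the tunnel but nothing was sent back
            if (num(pkts[s, "in"]) > 0 && num(pkts[s, "out"]) == 0) f = f ",inbound-only"
            if (f == "") f = ",ok"
            printf "%s in=%s/%s out=%s/%s findings=%s\n", s, state[s, "in"], pkts[s, "in"], state[s, "out"], pkts[s, "out"], substr(f, 2)
        }
    }'
}

# Sample input, trimmed to the fields the parser reads. "second-selector" uses
# the values from this page; "example-selector" is constructed.
ts_sample() {
cat <<'EOF'
Net::IPSec::Traffic Selector : second-selector
  Direction : in
  Tunnel State : down
  Packets : 39
Net::IPSec::Traffic Selector : second-selector
  Direction : out
  Tunnel State : down
  Packets : 0
Net::IPSec::Traffic Selector : example-selector
  Direction : in
  Tunnel State : up
  Packets : 120
Net::IPSec::Traffic Selector : example-selector
  Direction : out
  Tunnel State : up
  Packets : 118
EOF
}

ts_sample | ts_check
```

On a live system the input would come from `tmsh show net ipsec traffic-selector | ts_check` instead of `ts_sample`.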
For more information on configuring a traffic selector, refer to Traffic Selector Config Explained.