Command introduced in Release 8.5 of JUNOS software; fpc, pic, and kmd-instance options added in Release 9.3 of JUNOS software.
Description
Display information about Internet Key Exchange (IKE) security associations (SAs). This command is supported on J-series and SRX-series devices.
Options
none—Display standard information about existing IKE SAs, including index numbers.
peer-address—(Optional) Display details about a particular SA, based on the IP address of the destination peer. This option and index provide the same level of output.
brief—(Optional) Display standard information about all existing IKE SAs. (Default)
detail—(Optional) Display detailed information about all existing IKE SAs.
fpc slot-number—Specific to SRX-series services gateway. Display information about existing IKE SAs in this particular Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.
index SA-index-number—(Optional) Display information for a particular SA based on the index number of the SA. To obtain the index number for a particular SA, display the list of existing SAs by using the command with no options. This option and peer-address provide the same level of output.
kmd-instance—Specific to SRX-series services gateway. Display information about existing IKE SAs in the key management process (daemon) (KMD) identified by the FPC slot-number and PIC slot-number. This option is used to filter the output.
  all—All KMD instances running on the Services Processing Unit (SPU).
  kmd-instance-name—Name of the KMD instance running on the SPU.
pic slot-number—Specific to SRX-series services gateway. Display information about existing IKE SAs in this particular PIC slot. This option is used to filter the output.
Table 78 lists the output fields for the show security ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 78: show security ike security-associations Output Fields

Field Name: Field Description

IKE Peer or Remote Address: IP address of the destination peer with which the local peer communicates.

Index: Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Location:
  FPC—Flexible PIC Concentrator (FPC) slot number.
  PIC—PIC slot number.
  KMD-Instance—The name of the kmd-instance running on the SPU, identified by the FPC slot-number and PIC slot-number. Currently, four kmd-instances run on each SPU, and any particular IKE negotiation is carried out by a single kmd-instance.

Role: Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.
State: State of the IKE security association:
  DOWN—SA has not been negotiated with the peer.
  UP—SA has been negotiated with the peer.

Initiator cookie: Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie: Random number generated by the remote node and sent back to the initiator as a verification that the packets were received. The cookie protects the responder's computing resources from attack without requiring excessive CPU resources to determine the cookie's authenticity.

Mode or Exchange type: Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:
  main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Local: Address of the local peer.

Remote: Address of the remote peer.
Lifetime: Number of seconds remaining until the IKE SA expires.

Algorithms: Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:
  Authentication—Type of authentication algorithm used.
  aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
  aes-192-cbc—AES 192-bit encryption.
  aes-128-cbc—AES 128-bit encryption.
  3des-cbc—Triple Data Encryption Standard (3DES) encryption.
  des-cbc—DES encryption.

Traffic statistics:
  Input bytes—Number of bytes received.
  Output bytes—Number of bytes transmitted.
  Input packets—Number of packets received.
  Output packets—Number of packets transmitted.
Flags: Notification to the key management process of the status of the IKE negotiation:
  caller notification sent—Caller program notified about the completion of the IKE negotiation.
  waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPsec security associations:
  number created: The number of SAs created.
  number deleted: The number of SAs deleted.

Phase 2 negotiations in progress: Number of phase 2 IKE negotiations in progress and status information:
  Negotiation type—Type of phase 2 negotiation. The JUNOS software currently supports quick mode.
  Message ID—Unique identifier for a phase 2 negotiation.
  Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
  Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
  Flags—Notification to the key management process of the status of the IKE negotiation:
    caller notification sent—Caller program notified about the completion of the IKE negotiation.
    waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    waiting for policy manager—Negotiation is waiting for a response from the policy manager.
Sample Output
show security ike security-associations
user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
9       1.2.1.3         UP     5ba96hfa9f650671  70890755b65b80bd  Main
Sample Output
show security ike security-associations detail
user@host> show security ike security-associations detail
IKE peer 1.1.1.2, Index 8,
  Role: Responder, State: UP
  Initiator cookie: 3a895f8a9f620198, Responder cookie: 9040753e66d700bb
  Exchange type: Main, Authentication method: Pre-shared keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expires in 381 seconds
  Algorithms:
   Authentication: md5
   Encryption: 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input bytes: 11268
   Output bytes: 6940
   Input packets: 57
   Output packets: 57
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Local: 1.1.1.1:500, Remote: 1.1.1.2:500
    Local identity: No Id
    Remote identity: No Id
    Flags: Caller notification sent, Waiting for remove
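The output fields above are what an operator reviews by hand; the following Python script is an added example (not Juniper code or output) that parses both the brief table and the detail format documented in Table 78 and reports what a defender would want flagged: aggressive-mode SAs (the identity payload is sent unencrypted, as the Mode field notes), SAs that are DOWN, deprecated algorithms from the Algorithms field (des-cbc, 3des-cbc, MD5-based hashes), and SAs whose Lifetime is close to expiry. The sample text embedded in it is constructed after the page's sample output, and the set of algorithms it flags and the expiry threshold are this example's assumptions.

```python
"""Parse and audit `show security ike security-associations` output.

Added example, not Juniper code. Sample text and thresholds are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the brief output, modelled on the page's example.
BRIEF_OUTPUT = """\
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
9       1.2.1.3         DOWN   5ba96cfa9f650671  70890755b65b80bd  Aggressive
"""

# Constructed sample of the detail output, modelled on the page's example.
DETAIL_OUTPUT = """\
IKE peer 1.1.1.2, Index 8,
  Role: Responder, State: UP
  Initiator cookie: 3a895f8a9f620198, Responder cookie: 9040753e66d700bb
  Exchange type: Main, Authentication method: Pre-shared keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expires in 381 seconds
  Algorithms:
   Authentication : md5
   Encryption: 3des-cbc
   Pseudo random function: hmac-md5
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Flags: Caller notification sent, Waiting for remove
"""

# Assumption of this example: which reported algorithms to treat as deprecated.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_HASHES = {"md5", "hmac-md5"}
EXPIRY_WARN_SECONDS = 600  # assumption: warn when rekey is due within 10 minutes

# Data row of the brief table: index, remote, state, two cookies, mode.
BRIEF_RE = re.compile(r"^(\d+)\s+(\S+)\s+(UP|DOWN)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class IkeSa:
    index: int
    remote: str
    state: str
    mode: str
    auth: str = ""
    encryption: str = ""
    prf: str = ""
    lifetime: Optional[int] = None


def parse_brief(text: str) -> List[IkeSa]:
    """One IkeSa per data row of the brief table; header rows are skipped."""
    sas = []
    for line in text.splitlines():
        m = BRIEF_RE.match(line.strip())
        if m:
            sas.append(IkeSa(int(m.group(1)), m.group(2), m.group(3), m.group(6)))
    return sas


def _grab(pattern: str, block: str, default: str = "") -> str:
    m = re.search(pattern, block, re.MULTILINE)
    return m.group(1) if m else default


def parse_detail(text: str) -> List[IkeSa]:
    """Split detail output into one block per 'IKE peer' header and extract fields."""
    blocks: List[List[str]] = []
    for line in text.splitlines():
        if line.startswith("IKE peer "):
            blocks.append([line])
        elif blocks:
            blocks[-1].append(line)
    sas = []
    for lines in blocks:
        block = "\n".join(lines)
        head = re.match(r"IKE peer (\S+), Index (\d+)", block)
        if not head:
            continue
        sa = IkeSa(index=int(head.group(2)), remote=head.group(1),
                   state=_grab(r"State: (UP|DOWN)", block, "UNKNOWN"),
                   mode=_grab(r"Exchange type: (\w+)", block))
        # Anchored at line start so "Authentication method:" on the Exchange
        # type line is not mistaken for the Authentication algorithm line.
        sa.auth = _grab(r"^\s*Authentication\s*:\s*(\S+)", block).lower()
        sa.encryption = _grab(r"^\s*Encryption\s*:\s*(\S+)", block).lower()
        sa.prf = _grab(r"^\s*Pseudo random function\s*:?\s*(\S+)", block).lower()
        lifetime = _grab(r"Lifetime: Expires in (\d+) seconds", block)
        sa.lifetime = int(lifetime) if lifetime else None
        sas.append(sa)
    return sas


def audit(sa: IkeSa) -> List[str]:
    """Findings for one SA; an empty list means nothing to report."""
    findings = []
    if sa.mode.lower() == "aggressive":
        findings.append("aggressive mode: peer identity exchanged without encryption")
    if sa.state != "UP":
        findings.append(f"state {sa.state}: SA not negotiated with peer")
    if sa.encryption in WEAK_ENCRYPTION:
        findings.append(f"deprecated encryption algorithm {sa.encryption}")
    weak = {sa.auth, sa.prf} & WEAK_HASHES
    if weak:
        findings.append("deprecated MD5-based hash: " + ", ".join(sorted(weak)))
    if sa.lifetime is not None and sa.lifetime < EXPIRY_WARN_SECONDS:
        findings.append(f"expires in {sa.lifetime}s: rekey expected shortly")
    return findings


def audit_all(sas: List[IkeSa]) -> Dict[int, List[str]]:
    """Map SA index -> findings, keeping only SAs with something to report."""
    return {sa.index: audit(sa) for sa in sas if audit(sa)}


if __name__ == "__main__":
    for label, sas in (("brief", parse_brief(BRIEF_OUTPUT)),
                       ("detail", parse_detail(DETAIL_OUTPUT))):
        for index, notes in audit_all(sas).items():
            print(f"[{label}] SA {index}: " + "; ".join(notes))
```

The brief table only carries State and Mode, so only the aggressive-mode and DOWN checks can fire on it; the algorithm and lifetime checks need the detail output, which is why the script keeps both parsers and the same IkeSa record for each.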
Sample Output
show security ike security-associations detail (SRX-series devices)
user@host> show security ike security-associations detail