show security ipsec security-associations
Sintaxe
show security ipsec security-associations <brief | detail> <family (inet | inet6)> <fpc slot-number pic slot-number> <index SA-index-number> <kmd-instance (all | kmd-instance-name)> <pic slot-number fpc slot-number> <sa-type shortcut> <traffic-selector traffic-selector-name> <srg-id id-number> <vpn-name vpn-name> <ha-link-encryption>
Descrição
Exibir informações sobre as associações de segurança IPsec (SAs).
Nos lançamentos do Junos OS 20.1R2, 20.2R2, 20.3R2, 20.3R1 e posteriores, quando você executa o show security ipsec security-associations detail comando, um novo campo IKE SA Index de saída correspondente a cada SA IPsec dentro de um túnel é exibido sob cada informação de SA IPsec. Veja mostrar detalhes das associações de segurança ipsec (SRX5400, SRX5600, SRX5800).
Opções
| none |
Exibir informações sobre todos os SAs. |
brief | detail |
(Opcional) Exibir o nível de saída especificado. O padrão é |
family |
(Opcional) Exibir SAs por família. Essa opção é usada para filtrar a saída.
|
fpc slot-numberpic
slot-number |
(Opcional) Exibir informações sobre as SAs IPsec existentes no slot flexível de concentrador PIC (FPC) especificado e no slot PIC. Em um cluster de chassi, quando você executa o comando |
index SA-index-number |
(Opcional) Exibir informações detalhadas sobre a SA especificada identificada por este número de índice. Para obter uma lista de todos os SAs que incluam seus números de índice, use o comando sem opções. |
kmd-instance |
(Opcional) Exibir informações sobre os SAs IPsec existentes no processo de gerenciamento chave (neste caso, é KMD) identificado pelo FPC slot-number e PIC slot-number.
|
pic slot-numberfpc
slot-number |
(Opcional) Exibir informações sobre os SAs IPsec existentes no slot PIC e slot FPC especificados. |
sa-type |
(Opcional para ADVPN) Exibir informações para o tipo de SA especificado. |
traffic-selector traffic-selector-name |
(Opcional) Exibir informações sobre o seletor de tráfego especificado. |
vpn-name vpn-name |
(Opcional) Exibir informações sobre a VPN especificada. |
| ha-link-encryption |
(Opcional) Exibir informações relacionadas apenas ao túnel de enlace interchassis. Veja ipsec (alta disponibilidade), mostrar segurança ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)e mostrar segurança ipsec sa detalhar a criptografia ha-link (SRX5400, SRX5600, SRX5800). |
| srg-id |
(Opcional) Exibir informações relacionadas a um grupo de redundância de serviços específico (SRG) em uma configuração multinode de alta disponibilidade. |
Nível de privilégio necessário
Ver
Campos de saída
Tabela 1 lista os campos de saída para o show security ipsec security-associations comando, Tabela 2 lista os campos de saída para o show security ipsec sa comando e Tabela 3. lista os campos de saída para o show security ipsec sa detail. Os campos de saída estão listados na ordem aproximada em que aparecem.
|
Nome de campo |
Descrição do campo |
Nível de saída |
|---|---|---|
|
|
Número total de túneis IPsec ativos. |
|
|
|
Número de índice da SA. Você pode usar este número para obter informações adicionais sobre a SA. |
Todos os níveis |
|
|
A criptografia usada para proteger trocas entre pares durante as negociações do IKE inclui:
|
|
|
|
Identificador de índice de parâmetro de segurança (SPI). Um SA é identificado com exclusividade por um SPI. Cada entrada inclui o nome da VPN, o endereço de gateway remoto, as SPIs para cada direção, os algoritmos de criptografia e autenticação e chaves. Cada um dos gateways peer tem dois SAs, um resultante de cada uma das duas fases de negociação: IKE e IPsec. |
|
|
|
A vida útil da SA, após a qual expira, expressa em segundos ou kilobytes. |
|
|
|
O campo Mon refere-se ao status de monitoramento de VPN. Se o monitoramento de VPN for ativado, esse campo será exibido |
|
|
|
O sistema raiz. |
|
|
|
Se a tradução de endereços de rede (NAT) for usada, esse valor será de 4500. Caso contrário, é a porta IKE padrão, 500. |
Todos os níveis |
|
|
Endereço IP do gateway remoto. |
|
|
|
Nome do sistema lógico. |
|
|
|
Nome IPsec para VPN. |
|
|
|
O estado tem duas opções,
|
|
|
|
Endereço de gateway do sistema local. |
|
|
|
Endereço de gateway do sistema remoto. |
|
|
|
Nome do seletor de tráfego. |
|
|
|
Identidade do peer local para que seu gateway de destino de parceiros possa se comunicar com ele. O valor é especificado como um endereço IP, nome de domínio totalmente qualificado, endereço de e-mail ou nome distinto (DN). |
|
|
|
Endereço IP do gateway peer de destino. |
|
|
|
Define a faixa IP local, alcance ip remoto, alcance de porta de origem, alcance de porta de destino e protocolo. |
|
|
|
Faixa de porta de origem configurada para um termo. |
|
|
|
Faixa de porta de destino configurada para um termo. |
|
|
|
Versão IKE, ou |
|
|
|
Estado da parte de não fragmentar: |
|
|
|
|
|
|
|
Evento de túnel e o número de vezes que o evento ocorreu. Veja eventos de túnel para obter descrições de eventos de túnel e a ação que você pode tomar. |
|
|
|
ID de fio âncora para a SA (para dispositivos da Série SRX4600 com a opção |
|
|
|
Direção da SA; pode ser de entrada ou saída. |
|
|
|
Valor do índice de parâmetros de segurança auxiliar (SPI).
|
|
|
|
Modo de SA:
|
|
|
|
Tipo de SA:
|
|
|
|
Estado da SA:
|
|
|
|
Suporte ao protocolo.
|
|
|
|
Tipo de autenticação usada. |
|
|
|
Tipo de criptografia usada. A partir do Junos OS Release 19.4R2, quando você configura |
|
|
|
A vida útil suave informa ao sistema de gerenciamento de chaves IPsec que a SA está prestes a expirar. Cada vida útil de uma SA tem duas opções de display, duras e macias, uma das quais deve estar presente para uma SA dinâmica. Isso permite que o sistema de gerenciamento chave negocie uma nova SA antes que a dura vida útil expire.
|
|
|
|
A dura vida útil especifica a vida útil da SA.
|
|
|
|
O restante do tamanho de vida especifica os limites de uso em kilobytes. Se não houver um tamanho vital especificado, ele mostrará ilimitado.
|
|
|
|
Estado do serviço que impede que pacotes sejam reproduzidos. Pode ser |
|
|
|
Tamanho da janela de serviço antireplay, que é de 64 bits. |
|
|
|
A interface do túnel à qual a VPN baseada em rotas está vinculada. |
|
|
|
Indica se o sistema copia o valor externo do DSCP do cabeçalho IP para o cabeçalho IP interno. |
|
|
|
Indica como o IKE é ativado. |
|
|
|
Indica a lista de associações de segurança IKE dos pais. |
|
|
Nome de campo |
Descrição do campo |
|---|---|
|
|
Número total de túneis IPsec ativos. |
|
|
Número de índice da SA. Você pode usar este número para obter informações adicionais sobre a SA. |
|
|
A criptografia usada para proteger trocas entre pares durante as negociações da Fase 2 do IKE inclui:
|
|
|
Identificador de índice de parâmetro de segurança (SPI). Um SA é identificado com exclusividade por um SPI. Cada entrada inclui o nome da VPN, o endereço de gateway remoto, as SPIs para cada direção, os algoritmos de criptografia e autenticação e chaves. Cada um dos gateways peer tem dois SAs, um resultante de cada uma das duas fases de negociação: Fase 1 e Fase 2. |
|
|
A vida útil da SA, após a qual expira, expressa em segundos ou kilobytes. |
|
|
O campo Mon refere-se ao status de monitoramento de VPN. Se o monitoramento de VPN for ativado, esse campo exibirá U (para cima) ou D (para baixo). Um hífen (-) significa que o monitoramento de VPN não está habilitado para esta SA. Um V significa que a verificação do datapath IPSec está em andamento. |
|
|
O sistema raiz. |
|
|
Se a tradução de endereços de rede (NAT) for usada, esse valor será de 4500. Caso contrário, é a porta IKE padrão, 500. |
|
|
Endereço de gateway do sistema. |
|
Nome de campo |
Descrição do campo |
|---|---|
|
|
Número de índice da SA. Você pode usar este número para obter informações adicionais sobre a SA. |
|
|
O nome do sistema virtual. |
|
|
Nome IPSec para VPN. |
|
|
Endereço de gateway do sistema local. |
|
|
Endereço de gateway do sistema remoto. |
|
|
Identidade do peer local para que seu gateway de destino de parceiros possa se comunicar com ele. O valor é especificado como um endereço IP, nome de domínio totalmente qualificado, endereço de e-mail ou nome distinto (DN). |
|
|
Endereço IP do gateway peer de destino. |
|
|
Versão IKE. Por exemplo, IKEv1, IKEv2. |
|
|
Tunelamento IPsec de pacotes malformados; habilitado se definido ou desativado, se não definido. |
|
|
Estado da parte de não fragmentar: |
|
|
A interface do túnel à qual a VPN baseada em rotas está vinculada. |
| Eventos de túnel | |
|
|
Direção da SA; pode ser de entrada ou saída. |
|
|
Valor do índice de parâmetros de segurança auxiliar (SPI).
|
|
|
Se o monitoramento de VPN for ativado, então o |
|
|
A dura vida útil especifica a vida útil da SA.
|
|
|
O restante do tamanho de vida especifica os limites de uso em kilobytes. Se não houver um tamanho vital especificado, ele mostrará ilimitado. |
|
|
A vida útil suave informa ao sistema de gerenciamento de chaves IPsec que a SA está prestes a expirar. Cada vida útil de uma SA tem duas opções de display, duras e macias, uma das quais deve estar presente para uma SA dinâmica. Isso permite que o sistema de gerenciamento chave negocie uma nova SA antes que a dura vida útil expire.
|
|
|
Modo de SA:
|
|
|
Tipo de SA:
|
|
|
Estado da SA:
Para o modo de transporte, o valor do Estado está sempre instalado. |
|
|
Suporte ao protocolo.
|
|
|
Estado do serviço que impede que pacotes sejam reproduzidos. Pode ser |
|
|
Tamanho configurado da janela de serviços antireplay. Pode ser de 32 ou 64 pacotes. Se o tamanho da janela de repetição for 0, o serviço antireplay será desativado. O tamanho da janela antireplay protege o receptor contra ataques de repetição, rejeitando pacotes antigos ou duplicados. |
|
Túnel de ligação interchassis |
|
|
Modo de criptografia de enlace HA |
Modo de alta disponibilidade suportado. |
Saída de amostra
Para a brevidade, as saídas de comando do show não exibem todos os valores da configuração. Apenas um subconjunto da configuração é exibido. O restante da configuração no sistema foi substituído por elipses (...).
- mostrar associações de segurança ipsec (IPv4)
- mostrar associações de segurança ipsec (IPv6)
- mostrar índice de associações de segurança ipsec 511672
- mostrar índice de associações de segurança ipsec 131073 detalhes
- mostrar segurança ipsec sa
- mostrar segurança ipsec sa detalhe
- mostrar detalhes de segurança ipsec sa (MX-SPC3)
- mostrar detalhes de segurança ipsec sa (MX-SPC3) com tunelamento de modo passivo
- mostrar segurança ipsec security-association
- mostrar resumo das associações de segurança ipsec de segurança
- mostrar detalhes das associações de segurança ipsec de segurança
- mostrar segurança ipsec associações de segurança família inet6
- mostrar segurança ipsec security-associations fpc 6 pic 1 kmd-instance all (Dispositivos da Série SRX)
- mostrar detalhes das associações de segurança ipsec (ADVPN Suggester, Túnel Estático)
- mostrar detalhes das associações de segurança ipsec (Parceiro ADVPN, Túnel Estático)
- mostrar segurança ipsec security-associations sa-type shortcut (ADVPN)
- mostrar segurança ipsec security-associations sa-type shortcut detail (ADVPN)
- mostrar segurança ipsec de segurança associações de segurança família detalhe
- mostrar detalhes das associações de segurança ipsec (SRX4600)
- mostrar detalhes das associações de segurança ipsec (SRX5400, SRX5600, SRX5800)
- mostrar segurança ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
- mostrar segurança ipsec sa detalhar a criptografia ha-link (SRX5400, SRX5600, SRX5800)
mostrar associações de segurança ipsec (IPv4)
user@host> show security ipsec security-associations Total active tunnels: 14743 Total Ipsec sas: 14743 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 10.21.45.152 >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255 <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255 >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96 <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96 >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57 <513881 ESP:aes-cbc-128/sha1 0x0a57860c 1696/ unlim - root 500 10.21.54.57 >505835 ESP:aes-cbc-128/sha1 0xf827b5c6 1598/ unlim - root 500 10.21.22.204 <505835 ESP:aes-cbc-128/sha1 0x0f43bf3f 1598/ unlim - root 500 10.21.22.204 >506531 ESP:aes-cbc-128/sha1 0x01694572 1602/ unlim - root 500 10.21.25.131 <506531 ESP:aes-cbc-128/sha1 0x0a578143 1602/ unlim - root 500 10.21.25.131 >512802 ESP:aes-cbc-128/sha1 0xdc292de4 1668/ unlim - root 500 10.21.50.1 <512802 ESP:aes-cbc-128/sha1 0x0a578558 1668/ unlim - root 500 10.21.50.1 >512413 ESP:aes-cbc-128/sha1 0xbe2c52d5 1660/ unlim - root 500 10.21.48.125 <512413 ESP:aes-cbc-128/sha1 0x1129580c 1660/ unlim - root 500 10.21.48.125 >505075 ESP:aes-cbc-128/sha1 0x2aae6647 1593/ unlim - root 500 10.21.19.213 <505075 ESP:aes-cbc-128/sha1 0x02dc5c50 1593/ unlim - root 500 10.21.19.213 >514055 ESP:aes-cbc-128/sha1 0x2b8adfcb 1704/ unlim - root 500 10.21.54.238 <514055 ESP:aes-cbc-128/sha1 0x0f43c49a 1704/ unlim - root 500 10.21.54.238 >508898 ESP:aes-cbc-128/sha1 0xbcced4d6 1619/ unlim - root 500 10.21.34.194 <508898 ESP:aes-cbc-128/sha1 0x1492035a 1619/ unlim - root 500 10.21.34.194 >505328 ESP:aes-cbc-128/sha1 0x2a8d2b36 1594/ unlim - root 500 10.21.20.208 <505328 ESP:aes-cbc-128/sha1 0x14920107 1594/ unlim - root 500 10.21.20.208 >500815 ESP:aes-cbc-128/sha1 0xdd86c89a 1573/ unlim - root 500 10.21.3.47 <500815 ESP:aes-cbc-128/sha1 0x1129507f 1573/ unlim - root 500 10.21.3.47 >503758 ESP:aes-cbc-128/sha1 0x64cc490e 1586/ unlim - root 500 10.21.14.172 <503758 ESP:aes-cbc-128/sha1 0x14920001 1586/ unlim - root 500 10.21.14.172 >504004 ESP:aes-cbc-128/sha1 0xde0b63ee 1587/ unlim - root 500 10.21.15.164 <504004 ESP:aes-cbc-128/sha1 0x071b87d4 1587/ unlim - root 500 10.21.15.164 >508816 ESP:aes-cbc-128/sha1 0x2703b7a5 1618/ unlim - root 500 10.21.34.112 <508816 ESP:aes-cbc-128/sha1 0x071b8af6 1618/ unlim - root 500 10.21.34.112 >511341 ESP:aes-cbc-128/sha1 0x828f3330 1644/ unlim - root 500 10.21.44.77 <511341 ESP:aes-cbc-128/sha1 0x02dc6064 1644/ unlim - root 500 10.21.44.77 >500456 ESP:aes-cbc-128/sha1 0xa6f1515d 1572/ unlim - root 500 10.21.1.200 <500456 ESP:aes-cbc-128/sha1 0x1491fddb 1572/ unlim - root 500 10.21.1.200 >512506 ESP:aes-cbc-128/sha1 0x4108f3a3 1662/ unlim - root 500 10.21.48.218 <512506 ESP:aes-cbc-128/sha1 0x071b8d5d 1662/ unlim - root 500 10.21.48.218 >504657 ESP:aes-cbc-128/sha1 0x27a6b8b3 1591/ unlim - root 500 10.21.18.41 <504657 ESP:aes-cbc-128/sha1 0x112952fe 1591/ unlim - root 500 10.21.18.41 >506755 ESP:aes-cbc-128/sha1 0xc0afcff0 1604/ unlim - root 500 10.21.26.100 <506755 ESP:aes-cbc-128/sha1 0x149201f5 1604/ unlim - root 500 10.21.26.100 >508023 ESP:aes-cbc-128/sha1 0xa1a90af8 1612/ unlim - root 500 10.21.31.87 <508023 ESP:aes-cbc-128/sha1 0x02dc5e3b 1612/ unlim - root 500 10.21.31.87 >509190 ESP:aes-cbc-128/sha1 0xee52074d 1621/ unlim - root 500 10.21.35.230 <509190 ESP:aes-cbc-128/sha1 0x0f43c16e 1621/ unlim - root 500 10.21.35.230 >505051 ESP:aes-cbc-128/sha1 0x24130b1c 1593/ unlim - root 500 10.21.19.188 <505051 ESP:aes-cbc-128/sha1 0x149200d9 1593/ unlim - root 500 10.21.19.188 >513214 ESP:aes-cbc-128/sha1 0x2c4752d1 1676/ unlim - root 500 10.21.51.158 <513214 ESP:aes-cbc-128/sha1 0x071b8dd3 1676/ unlim - root 500 10.21.0.51.158 >510808 ESP:aes-cbc-128/sha1 0x4acd94d3 1637/ unlim - root 500 10.21.42.56 <510808 ESP:aes-cbc-128/sha1 0x071b8c42 1637/ unlim - root 500 10.21.42.56
mostrar associações de segurança ipsec (IPv6)
user@host> show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway 131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112 131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
mostrar índice de associações de segurança ipsec 511672
user@host> show security ipsec security-associations index 511672
ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn
Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152
Traffic Selector Name: ts
Local Identity: ipv4(10.191.151.0-10.191.151.255)
Remote Identity: ipv4(10.40.151.0-10.40.151.255)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 0, PIC 1, KMD-Instance 0
Anchorship: Thread 10
Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1639 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1257 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1639 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1257 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
mostrar índice de associações de segurança ipsec 131073 detalhes
user@host> show security ipsec security-associations index 131073 detail
ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1
Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1
Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39
Multi-sa, Configured SAs# 9, Negotiated SAs#: 9
Tunnel events:
Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times)
Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times)
Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times)
Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times)
Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times)
Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times)
Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1930 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1563 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Multi-sa FC Name: default
Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1930 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1563 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Multi-sa FC Name: default
Direction: inbound, SPI: 5d227e19, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1930 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1551 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Multi-sa FC Name: best-effort
Direction: outbound, SPI: 5490da, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1930 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1551 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
...Começando pelo Junos OS Release 18.2R1, a saída CLI show security ipsec security-associations index index-number detail exibe todos os detalhes da SA infantil, incluindo o nome da classe de encaminhamento.
mostrar segurança ipsec sa
user@host> show security ipsec sa Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway >67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2 >67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2 >67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2 >67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2
mostrar segurança ipsec sa detalhe
user@host> show security ipsec sa detail
ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
Local Identity: ipv4(10.0.0.0-255.255.255.255)
Remote Identity: ipv4(10.0.0.0-255.255.255.255)
Version: IKEv1
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 0, PIC 1, KMD-Instance 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 91 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 44 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
tunnel-establishment: establish-tunnels-responder-only-no-rekey
Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 91 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 44 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
tunnel-establishment: establish-tunnels-responder-only-no-rekey
...Começando pelo Junos OS Release 19.1R1, um novo campo tunnel-establishment na saída da CLI show security ipsec sa detail exibe a opção configurada sob ipsec vpn establish-tunnels hierarquia.
Começando pelo Junos OS Release 21.3R1, um novo campo Tunnel MTU na saída da CLI show security ipsec sa detail exibe a opção configurada sob ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarquia.
A partir do Junos OS Release 22.1R3, na linha SRX5000 de dispositivos, o MTU do túnel não é exibido na saída CLI se o MTU do túnel não estiver configurado.
mostrar detalhes de segurança ipsec sa (MX-SPC3)
user@host>show security ipsec sa detailID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN
Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
Local Identity: ipv4(10.0.0.0-255.255.255.255)
Remote Identity: ipv4(10.0.0.0-255.255.255.255)
Version: IKEv2
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420 Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 15
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 23904 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 23288 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Enabled
tunnel-establishment: establish-tunnels-immediately
Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 23904 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 23288 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Enabled
tunnel-establishment: establish-tunnels-immediately
mostrar detalhes de segurança ipsec sa (MX-SPC3) com tunelamento de modo passivo
user@host>show security ipsec sa detail
ID: 500054 Virtual-system: root, VPN Name: TUN_3
Local Gateway: 100.0.0.3, Remote Gateway: 200.0.0.3
Traffic Selector Name: ts1
Local Identity: ipv4(11.0.0.3-11.0.0.3)
Remote Identity: ipv4(75.0.0.3-75.0.0.3)
TS Type: traffic-selector
Version: IKEv2
Quantum Secured: No
PFS group: N/A
SRG ID: 0
Passive mode tunneling: Enabled
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.3, Policy-name: IPSEC_POLICY
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Tunnel events:
Mon Sep 19 2022 19:27:44: IPsec SA negotiation succeeds (1 times)
Location: FPC 3, PIC 1, KMD-Instance 0
Anchorship: Thread 15
Distribution-Profile: vms-3/1/0
Direction: inbound, SPI: 0x25c03740, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expired
Lifesize Remaining: Expired
Soft lifetime: Expires in 2920 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 512
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 122
Direction: outbound, SPI: 0x8e8f2009, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expired
Lifesize Remaining: Expired
Soft lifetime: Expires in 2920 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 512
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 122
mostrar segurança ipsec security-association
user@host>show security ipsec security-association Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2
mostrar resumo das associações de segurança ipsec de segurança
user@host> show security ipsec security-associations brief Total active tunnels: 2 Total Ipsec sas: 18 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 10.5.0.1 ...
mostrar detalhes das associações de segurança ipsec de segurança
user@host> show security ipsec security-associations detail
ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN
Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1
Local Identity: ipv4(10.0.0.0-255.255.255.255)
Remote Identity: ipv4(10.0.0.0-255.255.255.255)
Version: IKEv1
PFS group: DH-group-14
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 0
Distribution-Profile: default-profile
IKE SA Index: 2068
Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 146 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 101 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-on-traffic
Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 146 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 101 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-on-trafficmostrar segurança ipsec associações de segurança família inet6
user@host> show security ipsec security-associations family inet6
Virtual-system: root
Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
DF-bit: clear
Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3440 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2813 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: 9a4db486, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3440 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2813 seconds
Mode: tunnel, Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
Anti-replay service: counter-based enabled, Replay window size: 64 mostrar segurança ipsec security-associations fpc 6 pic 1 kmd-instance all (Dispositivos da Série SRX)
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all Total active tunnels: 1 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <2 192.168.1.2 500 ESP:aes256/sha256 67a7d25d 28280/unlim - 0 >2 192.168.1.2 500 ESP:aes256/sha256 a23cbcdc 28280/unlim - 0
mostrar detalhes das associações de segurança ipsec (ADVPN Suggester, Túnel Estático)
user@host> show security ipsec security-associations detail ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear Bind-interface: st0.1 Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29 Tunnel events: Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times) Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times) Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Location: FPC 0, PIC 3, KMD-Instance 2 Direction: inbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 3, KMD-Instance 2 Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
mostrar detalhes das associações de segurança ipsec (Parceiro ADVPN, Túnel Estático)
user@host> show security ipsec security-associations detail ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Bind-interface: st0.1 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29 Tunnel events: Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times) Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times) Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
mostrar segurança ipsec security-associations sa-type shortcut (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111 >268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111
mostrar segurança ipsec security-associations sa-type shortcut detail (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut detail
node0:
--------------------------------------------------------------------------
ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Auto Discovery VPN:
Type: Shortcut, Shortcut Role: Initiator
Version: IKEv2
DF-bit: clear, Bind-interface: st0.1
Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29
Tunnel events:
Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times)
Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times)
Direction: inbound, SPI: b7a5518, AUX-SPI: 0
Hard lifetime: Expires in 1766 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1381 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: b7e0268, AUX-SPI: 0
Hard lifetime: Expires in 1766 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1381 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
mostrar segurança ipsec de segurança associações de segurança família detalhe
user@host> show security ipsec security-associations family inet detail ID: 131073 Virtual-system: root, VPN Name: ike-vpn Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv1 DF-bit: clear , Copy-Outer-DSCP Enabled Bind-interface: st0.99 Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Tunnel events: Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times) Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times) Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times) Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times) Location: FPC 0, PIC 1, KMD-Instance 1 Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 1, KMD-Instance 1 Direction: outbound, SPI: 727f629d, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
mostrar detalhes das associações de segurança ipsec (SRX4600)
user@host> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn
Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear, Bind-interface: st0.0
Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Tunnel events:
Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times)
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 6
Direction: inbound, SPI: 812c9c01, AUX-SPI: 0
Hard lifetime: Expires in 2224 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1598 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 7
Direction: outbound, SPI: c4de0972, AUX-SPI: 0
Hard lifetime: Expires in 2224 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1598 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
mostrar detalhes das associações de segurança ipsec (SRX5400, SRX5600, SRX5800)
Um novo campo IKE SA Index de saída correspondente a cada SA IPsec dentro de um túnel é exibido sob cada informação de SA IPsec.
user@host> show security ipsec security-associations detail
ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118
Traffic Selector Name: TS_DEFAULT
Local Identity: ipv4(0.0.0.0-255.255.255.255)
Remote Identity: ipv4(10.181.235.224-10.181.235.224)
Version: IKEv2
PFS group: N/A
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 7, PIC 1, KMD-Instance 0
Anchorship: Thread 15
Distribution-Profile: default-profile
Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 644 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 159 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
Anti-replay service: disabled
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 22
Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 644 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 159 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
Anti-replay service: disabled
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 22
Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1771 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1391 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
Anti-replay service: disabled
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 40
Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1771 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1391 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
Anti-replay service: disabled
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-responder-only
IKE SA Index: 40
mostrar segurança ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
A partir do Junos OS Release 20.4R1, quando você configura o recurso de alta disponibilidade (HA), você pode usar este comando show para visualizar apenas detalhes do túnel do link de interchassis.
user@host> show security ipsec security-associations ha-link-encryption Total active tunnels: 1 Total IPsec sas: 91 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495001 ESP:aes-gcm-256/aes256-gcm 0x0047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2446c5cd 298/ unlim - root 500 10.23.0.2 ...
mostrar segurança ipsec sa detalhar a criptografia ha-link (SRX5400, SRX5600, SRX5800)
A partir do Junos OS Release 20.4R1, quando você configura o recurso de alta disponibilidade (HA), você pode usar este comando show para visualizar apenas detalhes do túnel do link de interchassis. Ele exibe os multiSAs criados para o túnel de criptografia de enlace interchassis.
user@host> show security ipsec sa detail ha-link-encryption
ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN
Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2
Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__
Local Identity: ipv4(180.100.1.1-180.100.1.1)
Remote Identity: ipv4(180.100.1.2-180.100.1.2)
Version: IKEv2
PFS group: DH-Group-24
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
HA Link Encryption Mode: Multi-Node
Location: FPC -, PIC -, KMD-Instance -
Anchorship: Thread -
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 294 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 219 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 1, PIC 0, KMD-Instance 0
Anchorship: Thread 15
IKE SA Index: 4294966297
Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 294 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 219 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 1, PIC 0, KMD-Instance 0
Anchorship: Thread 15
IKE SA Index: 4294966297
Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 294 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 219 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
Location: FPC 1, PIC 0, KMD-Instance 0
Anchorship: Thread 16
IKE SA Index: 4294966297
Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0
, VPN Monitoring: -
...No Junos OS Release 22.3R1 e posterior, quando você configura o recurso de criptografia de enlace de controle ha do Chassis Cluster, você pode executar o show security ike sa ha-link-encryption detail, show security ipsec sa ha-link-encryption detaile show security ipsec sa ha-link-encryption comandos para ver os detalhes do túnel de criptografia do enlace de controle de cluster chassis.
mostrar segurança ike sa ha-link-criptografia detalhe
user@host> show security ike sa ha-link-encryption detail
IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0
Role: Initiator, State: UP
Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Local gateway interface: em0
Routing instance: __juniper_private1__
Local: 10.7.0.2:500, Remote: 10.2.0.1:500
Lifetime: Expires in 24856 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: 10.2.0.1
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-2
Traffic statistics:
Input bytes : 200644
Output bytes : 200644
Input packets: 2635
Output packets: 2635
Input fragmented packets: 0
Output fragmented packets: 0
IPSec security associations: 6 created, 3 deleted
Phase 2 negotiations in progress: 1
IPSec Tunnel IDs: 495002
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 10.7.0.2:500, Remote: 10.2.0.1:500
Local identity: 10.7.0.2
Remote identity: 10.2.0.1
Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
Initiator stats: Responder stats:
Request Out : 1 Request In : 1
Response In : 1 Response Out : 1
No Proposal Chosen In : 0 No Proposal Chosen Out : 0
Invalid KE In : 0 Invalid KE Out : 0
TS Unacceptable In : 0 TS Unacceptable Out : 0
Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0
Res Verify SA Fail : 0
Res Verify DH Group Fail: 0
Res Verify TS Fail : 0mostrar detalhes de criptografia ipsec sa ha-link de segurança
user@host> show security ipsec sa ha-link-encryption detail
ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0
Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu
Local Identity: ipv4(10.7.0.2-10.7.0.2)
Remote Identity: ipv4(10.2.0.1-10.2.0.1)
TS Type: traffic-selector
Version: IKEv2
PFS group: DH-group-24
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
HA Link Encryption Mode: L2 Chassis Cluster
Location: FPC -, PIC -, KMD-Instance -
Anchorship: Thread -
Distribution-Profile: default-profile
Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3435 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2818 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 4294966274
Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 3435 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2818 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 4294966274mostrar segurança ipsec sa ha-link-criptografia
user@host> show security ipsec sa ha-link-encryption Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495002 ESP:aes-cbc-256/sha1 0x35fae26b 3484/ unlim - root 500 10.2.0.1 >495002 ESP:aes-cbc-256/sha1 0x0a2b9927 3484/ unlim - root 500 10.2.0.1
mostrar detalhes das associações de segurança ipsec (dispositivos da Série SRX e roteadores da Série MX)
No Junos OS Release 20.4R2, 21.1R1 e posterior, você pode executar o show security ipsec security-associations detail comando para visualizar o tipo seletor de tráfego para uma VPN.
user@host> show security ipsec security-associations detail
ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
Traffic Selector Name: ts1
Local Identity: ipv4(10.20.20.0-10.20.20.255)
Remote Identity: ipv4(10.10.10.0-10.10.10.255)
TS Type: traffic-selector
Version: IKEv2
PFS group: DH-group-14
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Tunnel events:
Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times)
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1798 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1397 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 17
Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1798 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1397 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 17
ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1
Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1
Local Identity: ipv4(0.0.0.0-255.255.255.255)
Remote Identity: ipv4(0.0.0.0-255.255.255.255)
TS Type: proxy-id
Version: IKEv2
PFS group: DH-group-14
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Tunnel events:
Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times)
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1755 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1339 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 18
Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0
, VPN Monitoring: -
Hard lifetime: Expires in 1755 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 1339 seconds
Mode: Tunnel(0 0), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Extended-Sequence-Number: Disabled
tunnel-establishment: establish-tunnels-immediately
IKE SA Index: 18
- mostrar detalhes das associações de segurança ipsec (SRX5400, SRX5600, SRX5800)
- mostrar segurança ipsec security-associations srg-id
mostrar detalhes das associações de segurança ipsec (SRX5400, SRX5600, SRX5800)
A partir do Junos OS Release 21.1R1, você pode ver os detalhes do seletor de tráfego, que inclui identidade local, identidade remota, protocolo, alcance de porta de origem, alcance de porta de destino para vários termos definidos para um IPsec SA.
Nas versões anteriores do Junos, a seleção de tráfego para uma SA específica é realizada usando a faixa de IP definida usando endereço IP ou máscara de rede. A partir do Junos OS Release 21.1R1, além disso, o tráfego é selecionado por meio de protocolo especificado usando protocol_name. Além disso, faixa de porta baixa e alta especificada para números de portas de origem e destino.
user@host> show security ipsec security-associations detail ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1 Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2 Traffic Selector Name: ts1 Local Identity: Protocol Port IP 17/UDP 100-200 198.51.100.0-198.51.100.255 6/TCP 250-300 198.51.100.0-198.51.100.255 Remote Identity: Protocol Port IP 17/UDP 150-200 10.80.0.1-10.80.0.1 6/TCP 250-300 10.80.1.1-10.80.1.1 Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: ……… Direction: outbound, SPI: …………
mostrar segurança ipsec security-associations srg-id
user@host> show security ipsec security-associations srg-id 1 Total active tunnels: 1 Total IPsec sas: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <17277217 ESP:aes-cbc-256/sha256 0xc7faee3e 1440/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0x7921d472 1440/ unlim - root 500 10.112.0.1 <17277217 ESP:aes-cbc-256/sha256 0xf1a01dd4 1498/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0xa0b77273 1498/ unlim - root 500 10.112.0.1
Informações de lançamento
Comando introduzido no Junos OS Release 8.5. Suporte para a opção family adicionada no Junos OS Release 11.1.
Suporte para a opção vpn-name adicionada no Junos OS Release 11.4R3. Suporte para a opção e o traffic-selector campo seletor de tráfego adicionado no Junos OS Release 12.1X46-D10.
Suporte para AUTO Discovery VPN (ADVPN) adicionado no Junos OS Release 12.3X48-D10.
Suporte para verificação de datapath IPsec adicionado no Junos OS Release 15.1X49-D70.
Suporte à ancoragem de segmentos adicionado no Junos OS Release 17.4R1.
A partir do Junos OS Release 18.2R2, a show security ipsec security-assocations detail saída de comando incluirá informações de ancoragem de segmentos para as associações de segurança (SAs).
A partir do Junos OS Release 19.4R1, preterimos a opção fc-name CLI (cos Forward Class) no novo iked processo que exibe as associações de segurança (SAs) sob o comando show security ipsec sashow.
Suporte para a opção ha-link-encryption adicionada no Junos OS Release 20.4R1.
Suporte para a opção srg-id adicionada no Junos OS Release 22.4R1.
O suporte para passive-mode-tunneling o MX-SPC3 é introduzido no Junos OS Release 23.1R1.