show security ike security-associations

Syntax

show security ike security-associations
    <peer-address>
    <brief | detail>
    <family (inet | inet6)>
    <fpc slot-number>
    <index SA-index-number>
    <kmd-instance (all | kmd-instance-name)>
    <pic slot-number>
    <sa-type shortcut <detail>>

Release Information

Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance options added in Junos OS Release 9.3. Support for the family option added in Junos OS Release 11.1. Support for Auto Discovery VPN added in Junos OS Release 12.3X48-D10.

Description

Display information about Internet Key Exchange security associations (IKE SAs).

Options

  • none—Display standard information about existing IKE SAs, including index numbers.
  • peer-address—(Optional) Display details about a particular SA based on the IPv4 or IPv6 address of the destination peer. This option and index provide the same level of output.
  • brief—(Optional) Display standard information about all existing IKE SAs. (Default)
  • detail—(Optional) Display detailed information about all existing IKE SAs.
  • family—(Optional) Display IKE SAs by family. This option is used to filter the output.
    • inet—IPv4 address family.
    • inet6—IPv6 address family.
  • fpc slot-number—(Optional) Display information about existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.
  • index SA-index-number—(Optional) Display information for a particular SA based on the index number of the SA. To find the index number of a particular SA, display the list of existing SAs by using the command with no options. This option and peer-address provide the same level of output.
  • kmd-instance—(Optional) Display information about existing IKE SAs in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number. This option is used to filter the output.
    • all—All KMD instances running on the Services Processing Unit (SPU).
    • kmd-instance-name—Name of the KMD instance running on the SPU.
  • pic slot-number—(Optional) Display information about existing IKE SAs in this PIC slot. This option is used to filter the output.
  • sa-type—(Optional for ADVPN) Type of SA. shortcut is the only option for this release.

Required Privilege Level

view

Related Documentation

  • Example: Configuring a Route-Based VPN Tunnel in a User Logical System

List of Sample Output

show security ike security-associations (IPv4)
show security ike security-associations (IPv6)
show security ike security-associations detail (Branch SRX Series Devices)
show security ike security-associations detail (High-End SRX Series Devices)
show security ike security-associations family inet6
show security ike security-associations index 8 detail
show security ike security-associations 1.1.1.2
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
show security ike security-associations detail (ADVPN Enabled on Suggester Only)
show security ike security-associations detail (ADVPN Enabled on Partner)
show security ike security-associations sa-type shortcut (ADVPN)
show security ike security-associations sa-type shortcut detail (ADVPN)

Output Fields

Table 10 lists the output fields for the show security ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 10: show security ike security-associations Output Fields

Field Name

Field Description

IKE Peer or Remote Address

IP address of the destination peer with which the local peer communicates.

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Gateway Name

Name of the IKE gateway.

Location

  • FPC—Flexible PIC Concentrator (FPC) slot number.
  • PIC—PIC slot number.
  • KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State

State of the IKE SAs:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Mode or Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Note: IKEv2 protocol does not use the mode configuration for negotiation. Therefore, mode displays the version number of the security association.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used:
    • sha1—Secure Hash Algorithm 1 authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used:
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—AES 192-bit encryption.
    • aes-128-cbc—AES 128-bit encryption.
    • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
    • des-cbc—DES encryption.

Diffie-Hellman group

Specifies the IKE Diffie-Hellman group.

Traffic statistics

  • Input bytes—Number of bytes received.
  • Output bytes—Number of bytes transmitted.
  • Input packets—Number of packets received.
  • Output packets—Number of packets transmitted.

Flags

Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.
  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPSec security associations

  • number created: The number of SAs created.
  • number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.
  • Message ID—Unique identifier for a Phase 2 negotiation.
  • Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation).
  • Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation).
  • Flags—Notification to the key management process of the status of the IKE negotiation:
    • caller notification sent—Caller program notified about the completion of the IKE negotiation.
    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Sample Output

show security ike security-associations (IPv4)

user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       1.1.1.2         UP     3a895f8a9f620198  9040753e66d700bb  Main
9       1.2.1.3         UP     5ba96hfa9f650671  70890755b65b80bd  Main

Sample Output

show security ike security-associations (IPv6)

user@host> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
5       UP     e48efd6a444853cf  0d09c59aafb720be  Aggressive     1212::1112
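The brief output is tabular, but the column order is not fixed: in the IPv4 sample above Remote Address is printed second, in the IPv6 sample it is printed last, and the IPv4 sample repeats the header row. The following Python parser is an added example, not code from this page or from Juniper; it locates columns by their header names so both orders parse the same way, skips command echo and repeated header rows, and then reproduces the peer-address filter and a small monitoring summary (SAs not UP, aggressive-mode SAs). The sample text, addresses and cookies are constructed for the example.

```python
import re

# Constructed samples modeled on the brief (tabular) format shown above; both
# column orders seen on this page are represented. Addresses and cookies are made up.
SAMPLE_IPV4 = """\
user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       192.0.2.2       UP     3a895f8a9f620198  9040753e66d700bb  Main
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
9       198.51.100.3    DOWN   5ba96cfa9f650671  70890755b65b80bd  Aggressive
"""
SAMPLE_IPV6 = """\
user@host> show security ike security-associations family inet6
Index   State  Initiator cookie  Responder cookie  Mode       Remote Address
5       UP     e48efd6a444853cf  0d09c59aafb720be  IKEv2      2001:db8::2
"""

# Column names exactly as the command prints them in its header row.
COLUMNS = ("Index", "Remote Address", "State", "Initiator cookie", "Responder cookie", "Mode")
_COL_RE = re.compile("|".join(re.escape(c) for c in COLUMNS))


def parse_brief(text):
    """Parse tabular output into one dict per SA, keyed by the header's column names.

    Columns are located by name, so it does not matter whether 'Remote Address'
    is printed second or last. A line containing every column name is treated
    as a (possibly repeated) header row; lines before the first header (the
    command echo) and blank lines are ignored.
    """
    names, records = None, []
    for line in text.splitlines():
        cols = _COL_RE.findall(line)
        if len(cols) == len(COLUMNS):
            names = cols                       # header row: remember this order
            continue
        if names is None or not line.strip():
            continue
        tokens = line.split()                  # every value is a single token
        if len(tokens) != len(names):
            raise ValueError("unexpected row: %r" % line)
        rec = dict(zip(names, tokens))
        rec["Index"] = int(rec["Index"])
        records.append(rec)
    return records


def by_peer(records, remote_address):
    """Same selection as 'show security ike security-associations <peer-address>'."""
    return [r for r in records if r["Remote Address"] == remote_address]


def summarize(records):
    """What a monitoring job would alert on: SAs that are not UP, and aggressive-mode SAs
    (aggressive mode sends the peer identity unencrypted, as the Output Fields table notes)."""
    return {
        "total": len(records),
        "up": sum(r["State"] == "UP" for r in records),
        "down_peers": [r["Remote Address"] for r in records if r["State"] != "UP"],
        "aggressive_peers": [r["Remote Address"] for r in records
                             if r["Mode"].lower() == "aggressive"],
    }


if __name__ == "__main__":
    recs = parse_brief(SAMPLE_IPV4) + parse_brief(SAMPLE_IPV6)
    print(summarize(recs))
    print(by_peer(recs, "192.0.2.2"))
```

Feeding the parser the text captured from the CLI (for example the output of the command run over SSH) is the intended use; the int conversion of Index is there so the value can be passed straight to an `index SA-index-number detail` follow-up query.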

Sample Output

show security ike security-associations detail (Branch SRX Series Devices)

user@host> show security ike security-associations detail
IKE peer 25.191.134.245, Index 2577565, Gateway Name: tropic  
  Role: Initiator, State: UP
  Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 25.191.134.241:500, Remote: 25.191.134.245:500
  Lifetime: Expires in 169 seconds
  Peer ike-id: 25.191.134.245
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
  Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1012
   Output bytes  :                 1196
   Input  packets:                    4
   Output packets:                    5
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 25.191.134.241:500, Remote: 25.191.134.245:500
    Local identity: 25.191.134.241
    Remote identity: 25.191.134.245
    Flags: IKE SA is created
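The detail output carries everything needed to judge an IKE SA's posture from the Output Fields table: its state, the exchange type, the negotiated algorithms and Diffie-Hellman group, the remaining lifetime, and the flags of any Phase 2 negotiation. The Python below is an added example, not code from this page or from Juniper: it parses the detail format shown above into one record per "IKE peer" block (fields after "Negotiation type:" are assigned to the Phase 2 negotiation rather than the IKE SA) and then reports SAs that are not UP, aggressive-mode exchanges (which the table notes leave the peer identity unprotected), md5/DES/3DES algorithms, a Diffie-Hellman group below 2048-bit MODP, a short remaining lifetime, and a Phase 2 negotiation in the "Waiting for remove" state (a failed negotiation, per the Flags description). The sample text, the weak-group set and the 600-second lifetime threshold are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modeled on the "detail" format shown above; peers, gateway
# names and values are made up, not taken from a real device.
SAMPLE_DETAIL = """\
IKE peer 192.0.2.2, Index 8, Gateway Name: branch_gw
  Role: Responder, State: UP
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Lifetime: Expires in 381 seconds
  Algorithms:
   Authentication        : hmac-md5-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Diffie-Hellman group  : DH-group-2
  Flags: Caller notification sent
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Flags: Caller notification sent, Waiting for remove
IKE peer 2001:db8::2, Index 5, Gateway Name: hub_gw
  Role: Initiator, State:UP
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Lifetime: Expires in 19518 seconds
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
  Diffie-Hellman group  : DH-group-14
  Flags: IKE SA is created
"""


@dataclass
class IkeSa:
    peer: str
    index: int
    gateway: str
    state: str = ""
    exchange_type: str = ""
    lifetime: int = -1                      # seconds remaining; -1 if not shown
    algorithms: dict = field(default_factory=dict)
    dh_group: str = ""
    flags: list = field(default_factory=list)
    phase2_flags: list = field(default_factory=list)   # flags of the Phase 2 negotiation


_HEADER = re.compile(r"^IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
_ALG = re.compile(r"^(Authentication|Encryption|Pseudo random function)\s*:\s*(\S+)$")


def parse_detail(text):
    """One IkeSa per 'IKE peer ...' block; lines after 'Negotiation type:' belong to Phase 2."""
    sas, cur, in_phase2 = [], None, False
    for raw in text.splitlines():
        m = _HEADER.match(raw)
        if m:
            cur = IkeSa(m.group(1), int(m.group(2)), m.group(3))
            sas.append(cur)
            in_phase2 = False
            continue
        line = raw.strip()
        if cur is None or not line:
            continue
        if line.startswith("Negotiation type:"):
            in_phase2 = True
        elif line.startswith("Flags:"):
            flags = [f.strip() for f in line.split(":", 1)[1].split(",")]
            (cur.phase2_flags if in_phase2 else cur.flags).extend(flags)
        elif line.startswith("Role:"):       # "State:UP" (no space) also occurs on this page
            cur.state = re.search(r"State:\s*(\w+)", line).group(1).upper()
        elif line.startswith("Exchange type:"):
            cur.exchange_type = line.split(":", 1)[1].split(",", 1)[0].strip()
        elif line.startswith("Lifetime:"):
            m = re.search(r"(\d+) seconds", line)
            cur.lifetime = int(m.group(1)) if m else -1
        elif _ALG.match(line):
            name, alg = _ALG.match(line).groups()
            cur.algorithms[name] = alg
        elif line.startswith("Diffie-Hellman group"):
            cur.dh_group = line.split(":", 1)[1].strip()
    return sas


_WEAK_ALG = re.compile(r"\b(md5|3des|des)\b")          # matches hmac-md5-96, 3des-cbc, des-cbc
# Policy assumption for this example: MODP groups under 2048 bits are flagged.
WEAK_DH_GROUPS = {"DH-group-1", "DH-group-2", "DH-group-5"}


def audit(sa, min_lifetime=600):
    """Findings for one IKE SA; an empty list means nothing to report."""
    findings = []
    if sa.state != "UP":
        findings.append("state %s: SA has not been negotiated with the peer" % sa.state)
    if sa.exchange_type.lower() == "aggressive":
        findings.append("aggressive mode: the peer identity is sent unencrypted")
    for name, alg in sa.algorithms.items():
        if _WEAK_ALG.search(alg.lower()):
            findings.append("%s uses weak algorithm %s" % (name, alg))
    if sa.dh_group in WEAK_DH_GROUPS:
        findings.append("%s is below 2048-bit MODP" % sa.dh_group)
    if 0 <= sa.lifetime < min_lifetime:
        findings.append("lifetime %d s is under %d s: rekey imminent" % (sa.lifetime, min_lifetime))
    if "Waiting for remove" in sa.phase2_flags:
        findings.append("a Phase 2 negotiation failed (Waiting for remove)")
    return findings


if __name__ == "__main__":
    for sa in parse_detail(SAMPLE_DETAIL):
        print("%s (index %d, %s): %s" % (sa.peer, sa.index, sa.gateway, audit(sa) or "ok"))
```

The lifetime check is deliberately informational: a low remaining lifetime is normal just before a rekey, so it only becomes interesting when the same SA stays near expiry across several polls.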

Sample Output

show security ike security-associations detail (High-End SRX Series Devices)

user@host> show security ike security-associations detail
IKE peer 1.1.1.2, Index 914039858, Gateway Name: tropic   
  Location: FPC 3, PIC 1, KMD-Instance 3
  Role: Initiator, State: UP
  Initiator cookie: 219a697652bdde37, Responder cookie: b49c30b229d36bcd
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expires in 26297 seconds
  Peer ike-id: 1.1.1.2
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                    0
   Input  packets:                    0
   Output packets:                    0
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

Sample Output

show security ike security-associations family inet6

user@host> show security ike security-associations family inet6
  IKE peer 1212::1112, Index 5, Gateway Name: tropic 
  Role: Initiator, State: UP
  Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 1212::1111:500, Remote: 1212::1112:500
  Lifetime: Expires in 19518 seconds
  Peer ike-id: not valid
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1568
   Output bytes  :                 2748
   Input  packets:                    6
   Output packets:                   23
  Flags: Caller notification sent 
  IPSec security associations: 5 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624
    Local: 1212::1111:500, Remote: 1212::1112:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done	  

Sample Output

show security ike security-associations index 8 detail

user@host> show security ike security-associations index 8 detail
IKE peer 1.1.1.2, Index 8, Gateway Name: tropic
  Role: Responder, State: UP
  Initiator cookie: 3a895f8a9f620198, Responder cookie: 9040753e66d700bb
  Exchange type: main, Authentication method: Pre-shared-keys
  Local: 1.1.1.1:500, Remote: 1.1.1.2:500
  Lifetime: Expired in 381 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                11268
   Output bytes  :                 6940
   Input  packets:                   57
   Output packets:                   57
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 1765792815
    Local: 1.1.1.1:500, Remote: 1.1.1.2:500
    Local identity: No Id
    Remote identity: No Id
    Flags: Caller notification sent, Waiting for remove

Sample Output

show security ike security-associations 1.1.1.2

user@host> show security ike security-associations 1.1.1.2
Index     State  Initiator cookie  Responder cookie  Mode Remote Address
   8        UP     3a895f8a9f620198  9040753e66d700bb  Main 1.1.1.2

Sample Output

show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)

user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all
Index       Remote Address  State  Initiator cookie  Responder cookie  Mode
1728053250  1.1.1.2         UP     fc959afd1070d10b  bdeb7e8c1ea99483  Main

Sample Output

show security ike security-associations detail (ADVPN Enabled on Suggester Only)

user@host> show security ike security-associations detail
IKE peer 17.0.1.7, Index 8375028, Gateway Name: hub_gw
  Auto Discovery VPN:
   Type: Static, Local Capability: Suggester, Peer Capability: Not Supported
   Suggester Shortcut Suggestions Statistics:
     Suggestions sent    :    0
     Suggestions accepted:    0
     Suggestions declined:    0
  Role: Responder, State: UP

Sample Output

show security ike security-associations detail (ADVPN Enabled on Partner)

user@host> show security ike security-associations detail
IKE peer 23.0.0.250, Index 1345685, Gateway Name: spoke_gw
  Auto Discovery VPN:
   Type: Static, Local Capability: Partner, Peer Capability: Suggester
   Partner Shortcut Suggestions Statistics:
     Suggestions received:    0
     Suggestions accepted:    0
     Suggestions declined:    0
  Role: Responder, State: UP

Sample Output

show security ike security-associations sa-type shortcut (ADVPN)

user@host> show security ike security-associations sa-type shortcut
Index   State  Initiator cookie  Responder cookie  Mode      Remote Address   
3075266  UP    e0368d95b3289c77  5a8e2e025abdfd6e  IKEv2     23.0.0.106

Sample Output

show security ike security-associations sa-type shortcut detail (ADVPN)

user@host> show security ike security-associations sa-type shortcut detail
IKE peer 23.0.0.111, Index 1345683, Gateway Name: spoke_gw
  Auto Discovery VPN:
   Type: Shortcut, Local Capability: Partner, Peer Capability: Partner
  Role: Initiator, State: UP

Modified: 2016-05-01