
show security ike sa


Syntax

Release Information

Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.

Description

Display information about the Internet Key Exchange (IKE) Security Association (SA).

Required Privilege Level

view

Related Documentation

List of Sample Output

show security ike sa

show security ike sa detail

Output Fields

Table 1 lists the output fields for the show security ike sa command and Table 2 lists the output fields for the show security ike sa detail command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ike sa Output Fields

Field Name

Field Description

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

State

State of the IKE SAs:

  • DOWN - SA has not been negotiated with the peer.

  • UP - SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

Cookies protect the peers' computing resources from attack without spending excessive CPU resources to verify a cookie's authenticity.

Mode

Mode determines the number of messages and the payload types that are contained in each message that is exchanged by the two IPsec endpoints, or peers.

Remote Address

Address of the remote peer.

Table 2: show security ike sa detail Output Fields

Field Name

Field Description

IKE peer

IP address of the destination peer with which the local peer communicates.

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Gateway Name

Name of the IKE gateway.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State

State of the IKE SAs:

  • DOWN - SA has not been negotiated with the peer.

  • UP - SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

Cookies protect the peers' computing resources from attack without spending excessive CPU resources to verify a cookie's authenticity.

Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type or mode determines the number of messages and the payload types that are contained in each message. The modes are:

  • main - The exchange is done with six messages. This mode encrypts the payload, protecting the identity of the neighbor.

  • aggressive - The exchange is done with three messages. This mode does not encrypt the payload, leaving the identity of the neighbor unprotected.

Authentication method

Method used to authenticate the source of IKE messages, which can be either Pre-shared-keys or digital certificates, such as DSA-signatures, ECDSA-signatures-256, ECDSA-signatures-384, or RSA-signatures.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Reauth Lifetime

When enabled, number of seconds remaining until re-authentication triggers a new IKEv2 SA negotiation.

IKE Fragmentation

Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.

Size shows the maximum size of an IKEv2 message before it is fragmented.

Remote Access Client Info

Information about the remote access client.

Peer ike-id

ID of the IKE peer.

Algorithms

Authentication

Type of authentication algorithm used to secure exchanges between the peers during the IPsec Phase 2 process:

  • sha1 - Secure Hash Algorithm 1 authentication.

  • md5 - MD5 authentication.

  • sha-256 - Secure Hash Algorithm 256 authentication.

  • sha-384 - Secure Hash Algorithm 384 authentication.

Encryption

Type of encryption algorithm used to encrypt exchanges between the peers during the IPsec Phase 2 process:

  • aes-256-cbc - Advanced Encryption Standard (AES) 256-bit encryption.

  • aes-192-cbc - AES 192-bit encryption.

  • aes-128-cbc - AES 128-bit encryption.

  • 3des-cbc - Triple Data Encryption Standard (3DES) encryption.

  • des-cbc - DES encryption.

Diffie-Hellman group

Specifies the IKE Diffie-Hellman group.

Traffic Statistics

Input bytes

Number of bytes received.

Output bytes

Number of bytes transmitted.

Input packets

Number of packets received.

Output packets

Number of packets transmitted.

Input fragmentated packets

Number of IKEv2 fragmented packets received.

Output fragmentated packets

Number of IKEv2 fragmented packets transmitted.

IPSec security associations

  • number created: The number of SAs created.

  • number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type - Type of Phase 2 negotiation. Junos OS currently supports quick mode.

  • Message ID - Unique identifier for a Phase 2 negotiation.

  • Local identity - Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Remote identity - Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Flags - Notification to the key management process of the status of the IKE negotiation:

    • caller notification sent - Caller program notified about the completion of the IKE negotiation.

    • waiting for done - Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

    • waiting for remove - Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

    • waiting for policy manager - Negotiation is waiting for a response from the policy manager.
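As an added example (not part of the Junos documentation or the Junos CLI), the script below parses a constructed excerpt in the style of show security ike sa detail and flags, per SA, the conditions the Table 2 field descriptions call out: a State of DOWN, an aggressive Exchange type (peer identity unencrypted), legacy Authentication or Encryption algorithms from the lists above, and a Lifetime close to expiry. The line layout, the SA values, and the 300-second threshold are assumptions; only the field names come from the table.

```python
import re

# Constructed excerpt; field names are from Table 2, layout and values are assumed.
SAMPLE_DETAIL = """\
IKE peer 192.0.2.10, Index 1234567, Gateway Name: gw-branch1
  State: UP, Exchange type: Main, Lifetime: Expires in 27890 seconds
  Algorithms:
   Authentication        : sha-256
   Encryption            : aes-256-cbc
IKE peer 203.0.113.7, Index 1234568, Gateway Name: gw-legacy
  State: DOWN, Exchange type: Aggressive, Lifetime: Expires in 120 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : des-cbc
"""

WEAK_AUTH = {"md5"}                  # deprecated hash
WEAK_ENC = {"des-cbc", "3des-cbc"}   # 56-bit DES and legacy 3DES

def parse_detail(text):
    # Returns one {field: value} dict per IKE SA found in the detail output.
    sas = []
    for line in text.splitlines():
        if line.startswith("IKE peer "):
            sas.append({})                       # a new SA record starts here
        if not sas:
            continue                             # ignore text before the first SA
        for part in line.split(","):
            key, sep, val = part.partition(":")  # "Field: value"
            if not sep:                          # "IKE peer <ip>", "Index <n>"
                words = part.strip().rsplit(" ", 1)
                if len(words) == 2:
                    key, val = words
            sas[-1][key.strip()] = val.strip()
    return sas

def audit(sa):
    # Findings for one SA, based on the State, Exchange type, algorithm and Lifetime fields.
    findings = []
    if sa.get("State") != "UP":
        findings.append("SA not negotiated with peer (State DOWN)")
    if sa.get("Exchange type", "").lower() == "aggressive":
        findings.append("aggressive mode: peer identity sent unencrypted")
    if sa.get("Authentication") in WEAK_AUTH:
        findings.append("weak authentication algorithm " + sa["Authentication"])
    if sa.get("Encryption") in WEAK_ENC:
        findings.append("weak encryption algorithm " + sa["Encryption"])
    m = re.search(r"(\d+) seconds", sa.get("Lifetime", ""))
    if m and int(m.group(1)) < 300:              # assumed threshold for "about to expire"
        findings.append("IKE SA expires in " + m.group(1) + " s, rekey expected")
    return findings
```

Running audit over each dict from parse_detail(SAMPLE_DETAIL) returns an empty list for the healthy SA and five findings for the legacy gateway.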

Sample Output

show security ike sa

user@jdm> show security ike sa

show security ike sa detail

user@jdm> show security ike sa detail