
show security ipsec sa


Syntax

Release Information

Command introduced in Junos OS Release 15.1X53-D47 for the NFX250 Network Services Platform.

Description

Display information about IPsec security associations (SAs).

Required Privilege Level

view

Related Documentation

List of Sample Output

show security ipsec sa

show security ipsec sa detail

Output Fields

Table 1 lists the output fields for the show security ipsec sa command and Table 2 lists the output fields for the show security ipsec sa detail command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec sa Output Fields

Field Name

Field Description

Total active tunnels

Total number of active IPsec tunnels.

ID

Index number of the SA. You can use this number to get additional information about the SA.

Algorithm

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96, hmac-sha-256-128, or hmac-sha1-96.

  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

Life:sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Mon

The Mon field shows the VPN monitoring status. If VPN monitoring is enabled, this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

lsys

The root system.

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Gateway

Gateway address of the system.

Table 2: show security ipsec sa detail Output Fields

Field Name

Field Description

ID

Index number of the SA. You can use this number to get additional information about the SA.

Virtual-system

The virtual system name.

VPN Name

Name of the IPsec VPN.

Local Gateway

Gateway address of the local system.

Remote Gateway

Gateway address of the remote system.

Traffic Selector Name

Name of the traffic selector.

Local Identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote Identity

IP address of the destination peer gateway.

Version

IKE version. For example, IKEv1, IKEv2.

DF-bit

State of the don't fragment bit: set or cleared.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

Tunnel Events

Direction

Direction of the SA; it can be inbound or outbound.

AUX-SPI

Value of the auxiliary security parameter index (SPI).

  • When the protocol is AH or ESP, AUX-SPI is always 0.

  • When the protocol is AH+ESP, AUX-SPI is always a positive integer.

VPN Monitoring

If VPN monitoring is enabled, the Mon field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds - Number of seconds left until the SA expires.

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

  • Expires in seconds - Number of seconds left until the SA expires.

Mode

Mode of the SA:

  • transport - Protects host-to-host connections.

  • tunnel - Protects connections between security gateways.

Type

Type of the SA:

  • manual - Security parameters require no negotiation. They are static and are configured by the user.

  • dynamic - Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State

State of the SA:

  • Installed - The SA is installed in the SA database.

  • Not Installed - The SA is not installed in the SA database.

For transport mode, the value of State is always Installed.

Protocol

Protocol supported.

  • Transport mode supports Encapsulating Security Payload (ESP) and Authentication Header (AH).

  • Tunnel mode supports ESP and AH.

Authentication

Type of authentication used.

Encryption

Type of encryption used.

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size

Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.
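To make concrete what the anti-replay service and the Replay window size field describe, the following Python class is an added example (written for this page, not Junos code or output) that models an ESP-style sliding replay window in the sizes the field reports, 32 or 64 packets, with 0 meaning the service is disabled. The sequence-number stream it checks is constructed for the example; the bitmap layout follows the scheme described in RFC 4303 section 3.4.3.

```python
"""Sliding-window anti-replay check modelled on the ESP replay window.

Added example for illustration; it is not Junos source and does not
parse Junos output. Sequence numbers below are constructed.
"""


class AntiReplayWindow:
    """Tracks received ESP sequence numbers for one inbound SA.

    window_size 32 or 64 matches the values reported in the "Replay
    window size" field; 0 means the anti-replay service is disabled and
    every packet is accepted.
    """

    def __init__(self, window_size: int) -> None:
        if window_size not in (0, 32, 64):
            raise ValueError("replay window size must be 0 (disabled), 32 or 64")
        self.window_size = window_size
        self.highest = 0   # right edge of the window: highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) has already been seen
        self.accepted = 0
        self.rejected = 0

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is new; False if it is old or a duplicate."""
        if self.window_size == 0:
            self.accepted += 1       # service disabled: nothing is ever rejected
            return True
        if seq == 0:
            self.rejected += 1       # ESP sequence numbers start at 1
            return False
        if seq > self.highest:
            # New right edge: slide the window forward by the gap.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1      # everything previously seen falls off the left edge
            else:
                mask = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            self.accepted += 1
            return True
        offset = self.highest - seq
        if offset >= self.window_size:
            self.rejected += 1       # too old: left of the window
            return False
        if self.bitmap & (1 << offset):
            self.rejected += 1       # duplicate inside the window
            return False
        self.bitmap |= 1 << offset   # late but new: mark it as seen
        self.accepted += 1
        return True


def run_replay_check(window_size: int, seqs: list[int]) -> list[bool]:
    """Feed a stream of sequence numbers through one window; True = accepted."""
    window = AntiReplayWindow(window_size)
    return [window.check(s) for s in seqs]


if __name__ == "__main__":
    # Constructed stream: a duplicate (2), a big jump (1000), packets that
    # fall left of the 32-wide window (3, 968), a late-but-new packet (969),
    # and a replay of 969 after the window has slid past it.
    stream = [1, 2, 3, 2, 1000, 3, 968, 969, 1001, 969]
    for seq, ok in zip(stream, run_replay_check(32, stream)):
        print(f"seq {seq:5d}: {'accept' if ok else 'reject'}")
```

With the window set to 0 the same stream is accepted in full, which is why a Replay window size of 0 in the detail output should be read as the anti-replay protection being off for that SA rather than as a small window.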

Sample Output

show security ipsec sa

user@jdm> show security ipsec sa

show security ipsec sa detail

user@jdm> show security ipsec sa detail