show security ipsec security-associations
Syntax
Release Information
Command introduced in Junos OS Release 8.5. Support for the family option added in Junos OS Release 11.1. Support for the vpn-name option added in Junos OS Release 11.4R3. Support for the traffic-selector option and traffic selector field added in Junos OS Release 12.1X46-D10. Support for Auto Discovery VPN (ADVPN) added in Junos OS Release 12.3X48-D10. Support for IPsec datapath verification added in Junos OS Release 15.1X49-D70. Support for thread anchorship added in Junos OS Release 17.4R1. Starting in Junos OS Release 18.2R2, the show security ipsec security-associations detail command output includes thread anchorship information for the security associations (SAs).
Description
Display information about the IPsec security associations (SAs).
Options
inet—IPv4 address family.
inet6—IPv6 address family.
In a chassis cluster, when you execute the CLI command show security ipsec security-associations pic <slot-number> fpc <slot-number> in operational mode, only the primary node information about the existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.
all—All KMD instances running on the Services Processing Unit (SPU).
kmd-instance-name—Name of the KMD instance running on the SPU.
Required Privilege Level
view
Related Documentation
List of Sample Output
show security ipsec security-associations (IPv4)
show security ipsec security-associations (IPv6)
show security ipsec security-associations index 511672
show security ipsec security-associations index 131073 detail
show security ipsec sa detail
show security ipsec sa detail
show security ipsec security-associations brief
show security ipsec security-associations detail
show security ipsec security-associations family inet6
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)
show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)
show security ipsec security-associations sa-type shortcut (ADVPN)
show security ipsec security-associations sa-type shortcut detail (ADVPN)
show security ipsec security-associations family inet detail
show security ipsec security-associations detail (SRX4600)
Output Fields
Table 1 lists the output fields for the show security ipsec security-associations command. Output fields are listed in the approximate order in which they appear.
Table 1: show security ipsec security-associations
Field Name | Field Description | Level of Output |
---|---|---|
Total active tunnels | Total number of active IPsec tunnels. | brief |
ID | Index number of the SA. You can use this number to get additional information about the SA. | All levels |
Algorithm | Cryptography used to secure exchanges between peers during the IKE negotiations. | brief |
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec. | brief |
Life: sec/kb | The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. | brief |
Mon | The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress. | brief |
lsys | The root system. | brief |
Port | If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. | All levels |
Gateway | IP address of the remote gateway. | brief |
Virtual-system | Name of the logical system. | detail |
VPN name | IPsec name for VPN. | detail |
State | State has two options, Installed and Not Installed. | detail |
Local gateway | Gateway address of the local system. | detail |
Remote gateway | Gateway address of the remote system. | detail |
Traffic selector | Name of the traffic selector. | detail |
Local identity | Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN). | detail |
Remote identity | IP address of the destination peer gateway. | detail |
Version | IKE version, either IKEv1 or IKEv2. | detail |
DF-bit | State of the don't fragment bit: set or cleared. | detail |
Location | FPC—Flexible PIC Concentrator (FPC) slot number. PIC—PIC slot number. KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, four KMD instances run on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance. | detail |
Tunnel events | Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take. | detail |
Anchorship | Anchor thread ID for the SA (for SRX4600 Series devices with the detail option). | detail |
Direction | Direction of the SA; it can be inbound or outbound. | detail |
AUX-SPI | Value of the auxiliary security parameter index (SPI). | detail |
Mode | Mode of the SA. | detail |
Type | Type of the SA. | detail |
State | State of the SA. | detail |
Protocol | Protocol supported. | detail |
Authentication | Type of authentication used. | detail |
Encryption | Type of encryption used. | detail |
Soft lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires. | detail |
Hard lifetime | The hard lifetime specifies the lifetime of the SA. | detail |
Lifesize Remaining | The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited. | detail |
Anti-replay service | State of the service that prevents packets from being replayed. It can be Enabled or Disabled. | detail |
Replay window size | Size of the anti-replay service window, which is 64 bits. | detail |
Bind-interface | The tunnel interface to which the route-based VPN is bound. | detail |
Copy-Outer-DSCP | Indicates if the system copies the outer DSCP value from the IP header to the inner IP header. | detail |
tunnel-establishment | Indicates how the IKE is activated. | detail |
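As an added example (not Juniper's code and not part of this reference), the following Python reads the brief listing described in Table 1 from a constructed sample and reports what an operator would want flagged: legacy 3DES or SHA-1 algorithms, a Mon value of D, NAT-T on port 4500, an SA whose remaining hard lifetime is below a threshold, and an ID that is missing one direction. The sample lines, the weak-algorithm lists, the 300-second threshold and the severity labels are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the layout of the brief listing ("<" inbound, ">" outbound).
# The 131074 pair is deliberately unhealthy: 3DES/SHA-1, VPN monitoring D,
# NAT-T port 4500 and a short remaining lifetime. Not real device output.
SAMPLE_BRIEF = """\
  Total active tunnels: 2     Total Ipsec sas: 4
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 5.0.0.1
  <131074 ESP:3des-cbc/sha1 0a25c960 91/ unlim D root 4500 192.0.2.10
  >131074 ESP:3des-cbc/sha1 43e34ad3 91/ unlim D root 4500 192.0.2.10
"""

# One SA per line: direction marker, ID, proto:enc/auth, SPI, life sec/kb, Mon, lsys, Port, Gateway.
SA_LINE = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+"
    r"(?P<proto>[A-Za-z]+):(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+"
    r"(?P<spi>(?:0x)?[0-9a-fA-F]+)\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>\S+)\s+"
    r"(?P<mon>\S+)\s+(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gateway>\S+)\s*$"
)
WEAK_ENCRYPTION = ("des-cbc", "3des-cbc", "null")  # assumption: what this audit treats as weak
LEGACY_AUTH = ("md5", "sha1")


@dataclass
class IpsecSa:
    sa_id: int
    direction: str
    protocol: str
    encryption: str
    authentication: str
    spi: str
    life_sec: int
    life_kb: str
    monitor: str
    lsys: str
    port: int
    gateway: str


def parse_brief(text: str) -> List[IpsecSa]:
    """Parse the brief listing; the summary and header lines are skipped."""
    sas: List[IpsecSa] = []
    for line in text.splitlines():
        m = SA_LINE.match(line)
        if not m:
            continue
        sas.append(IpsecSa(
            sa_id=int(m["id"]),
            direction="inbound" if m["dir"] == "<" else "outbound",
            protocol=m["proto"],
            encryption=m["enc"].lower(),
            authentication=m["auth"].lower(),
            spi=m["spi"],
            life_sec=int(m["life_sec"]),
            life_kb=m["life_kb"],
            monitor=m["mon"],
            lsys=m["lsys"],
            port=int(m["port"]),
            gateway=m["gateway"],
        ))
    return sas


def audit(sas: List[IpsecSa], min_life_sec: int = 300) -> List[Tuple[str, int, str]]:
    """Return (severity, sa_id, message) findings an operator would act on."""
    findings: List[Tuple[str, int, str]] = []
    for sa in sas:
        tag = f"{sa.direction} SPI {sa.spi} to {sa.gateway}"
        if sa.encryption in WEAK_ENCRYPTION:
            findings.append(("high", sa.sa_id, f"{tag}: weak encryption {sa.encryption}"))
        if sa.authentication in LEGACY_AUTH:
            findings.append(("medium", sa.sa_id, f"{tag}: legacy integrity algorithm {sa.authentication}"))
        if sa.monitor == "D":
            findings.append(("high", sa.sa_id, f"{tag}: VPN monitoring reports the tunnel down"))
        if sa.life_sec < min_life_sec:
            findings.append(("low", sa.sa_id, f"{tag}: hard lifetime ends in {sa.life_sec}s, expect a rekey"))
        if sa.port == 4500:
            findings.append(("info", sa.sa_id, f"{tag}: NAT-T in use (UDP 4500)"))
    # Every tunnel should show both an inbound and an outbound SA.
    directions: Dict[int, Set[str]] = {}
    for sa in sas:
        directions.setdefault(sa.sa_id, set()).add(sa.direction)
    for sa_id, seen in directions.items():
        if seen != {"inbound", "outbound"}:
            findings.append(("high", sa_id, f"only {', '.join(sorted(seen))} SA present"))
    return findings


if __name__ == "__main__":
    for severity, sa_id, message in audit(parse_brief(SAMPLE_BRIEF)):
        print(f"[{severity}] SA {sa_id}: {message}")
```

The regular expression accepts both the 0x-prefixed and bare SPI forms and both the "1569/ unlim" and "28280/unlim" lifetime spellings that appear in the samples on this page; a line without a lifetime value (as in the first entry of the IPv4 sample) is skipped rather than guessed at.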
Sample Output
show security ipsec security-associations (IPv4)
user@host> show security ipsec security-associations
  Total active tunnels: 14743     Total Ipsec sas: 14743
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 21.0.45.152
  >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 21.0.12.255
  <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 21.0.12.255
  >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 21.0.50.96
  <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 21.0.50.96
  >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 21.0.54.57
  <513881 ESP:aes-cbc-128/sha1 0x0a57860c 1696/ unlim - root 500 21.0.54.57
  >505835 ESP:aes-cbc-128/sha1 0xf827b5c6 1598/ unlim - root 500 21.0.22.204
  <505835 ESP:aes-cbc-128/sha1 0x0f43bf3f 1598/ unlim - root 500 21.0.22.204
  >506531 ESP:aes-cbc-128/sha1 0x01694572 1602/ unlim - root 500 21.0.25.131
  <506531 ESP:aes-cbc-128/sha1 0x0a578143 1602/ unlim - root 500 21.0.25.131
  >512802 ESP:aes-cbc-128/sha1 0xdc292de4 1668/ unlim - root 500 21.0.50.1
  <512802 ESP:aes-cbc-128/sha1 0x0a578558 1668/ unlim - root 500 21.0.50.1
  >512413 ESP:aes-cbc-128/sha1 0xbe2c52d5 1660/ unlim - root 500 21.0.48.125
  <512413 ESP:aes-cbc-128/sha1 0x1129580c 1660/ unlim - root 500 21.0.48.125
  >505075 ESP:aes-cbc-128/sha1 0x2aae6647 1593/ unlim - root 500 21.0.19.213
  <505075 ESP:aes-cbc-128/sha1 0x02dc5c50 1593/ unlim - root 500 21.0.19.213
  >514055 ESP:aes-cbc-128/sha1 0x2b8adfcb 1704/ unlim - root 500 21.0.54.238
  <514055 ESP:aes-cbc-128/sha1 0x0f43c49a 1704/ unlim - root 500 21.0.54.238
  >508898 ESP:aes-cbc-128/sha1 0xbcced4d6 1619/ unlim - root 500 21.0.34.194
  <508898 ESP:aes-cbc-128/sha1 0x1492035a 1619/ unlim - root 500 21.0.34.194
  >505328 ESP:aes-cbc-128/sha1 0x2a8d2b36 1594/ unlim - root 500 21.0.20.208
  <505328 ESP:aes-cbc-128/sha1 0x14920107 1594/ unlim - root 500 21.0.20.208
  >500815 ESP:aes-cbc-128/sha1 0xdd86c89a 1573/ unlim - root 500 21.0.3.47
  <500815 ESP:aes-cbc-128/sha1 0x1129507f 1573/ unlim - root 500 21.0.3.47
  >503758 ESP:aes-cbc-128/sha1 0x64cc490e 1586/ unlim - root 500 21.0.14.172
  <503758 ESP:aes-cbc-128/sha1 0x14920001 1586/ unlim - root 500 21.0.14.172
  >504004 ESP:aes-cbc-128/sha1 0xde0b63ee 1587/ unlim - root 500 21.0.15.164
  <504004 ESP:aes-cbc-128/sha1 0x071b87d4 1587/ unlim - root 500 21.0.15.164
  >508816 ESP:aes-cbc-128/sha1 0x2703b7a5 1618/ unlim - root 500 21.0.34.112
  <508816 ESP:aes-cbc-128/sha1 0x071b8af6 1618/ unlim - root 500 21.0.34.112
  >511341 ESP:aes-cbc-128/sha1 0x828f3330 1644/ unlim - root 500 21.0.44.77
  <511341 ESP:aes-cbc-128/sha1 0x02dc6064 1644/ unlim - root 500 21.0.44.77
  >500456 ESP:aes-cbc-128/sha1 0xa6f1515d 1572/ unlim - root 500 21.0.1.200
  <500456 ESP:aes-cbc-128/sha1 0x1491fddb 1572/ unlim - root 500 21.0.1.200
  >512506 ESP:aes-cbc-128/sha1 0x4108f3a3 1662/ unlim - root 500 21.0.48.218
  <512506 ESP:aes-cbc-128/sha1 0x071b8d5d 1662/ unlim - root 500 21.0.48.218
  >504657 ESP:aes-cbc-128/sha1 0x27a6b8b3 1591/ unlim - root 500 21.0.18.41
  <504657 ESP:aes-cbc-128/sha1 0x112952fe 1591/ unlim - root 500 21.0.18.41
  >506755 ESP:aes-cbc-128/sha1 0xc0afcff0 1604/ unlim - root 500 21.0.26.100
  <506755 ESP:aes-cbc-128/sha1 0x149201f5 1604/ unlim - root 500 21.0.26.100
  >508023 ESP:aes-cbc-128/sha1 0xa1a90af8 1612/ unlim - root 500 21.0.31.87
  <508023 ESP:aes-cbc-128/sha1 0x02dc5e3b 1612/ unlim - root 500 21.0.31.87
  >509190 ESP:aes-cbc-128/sha1 0xee52074d 1621/ unlim - root 500 21.0.35.230
  <509190 ESP:aes-cbc-128/sha1 0x0f43c16e 1621/ unlim - root 500 21.0.35.230
  >505051 ESP:aes-cbc-128/sha1 0x24130b1c 1593/ unlim - root 500 21.0.19.188
  <505051 ESP:aes-cbc-128/sha1 0x149200d9 1593/ unlim - root 500 21.0.19.188
  >513214 ESP:aes-cbc-128/sha1 0x2c4752d1 1676/ unlim - root 500 21.0.51.158
  <513214 ESP:aes-cbc-128/sha1 0x071b8dd3 1676/ unlim - root 500 21.0.51.158
  >510808 ESP:aes-cbc-128/sha1 0x4acd94d3 1637/ unlim - root 500 21.0.42.56
  <510808 ESP:aes-cbc-128/sha1 0x071b8c42 1637/ unlim - root 500 21.0.42.56
show security ipsec security-associations (IPv6)
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112
  131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
show security ipsec security-associations index 511672
user@host> show security ipsec security-associations index 511672
  ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn
    Local Gateway: 20.0.0.1, Remote Gateway: 21.0.45.152
    Traffic Selector Name: ts
    Local Identity: ipv4(191.45.151.0-191.45.151.255)
    Remote Identity: ipv4(40.45.151.0-40.45.151.255)
    Version: IKEv2
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
    Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
    Location: FPC 0, PIC 1, KMD-Instance 0
    Anchorship: Thread 10
    Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations index 131073 detail
user@host> show security ipsec security-associations index 131073 detail
  ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1
    Local Gateway: 4.0.0.1, Remote Gateway: 5.0.0.1
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
    Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39
    Multi-sa, Configured SAs# 9, Negotiated SAs#: 9
    Tunnel events:
      Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times)
      Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times)
      Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times)
      Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times)
      Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
      Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times)
      Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times)
    Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
    Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
    Direction: inbound, SPI: 5d227e19, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: best-effort
    Direction: outbound, SPI: 5490da, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    ...
Starting with Junos OS Release 18.2R1, the output of the show security ipsec security-associations index index-number detail command displays all child SA details, including the forwarding class name.
show security ipsec sa detail
user@host> show security ipsec sa detail
  ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
    Local Gateway: 2.0.0.1, Remote Gateway: 2.0.0.2
    Local Identity: ipv4(0.0.0.0-255.255.255.255)
    Remote Identity: ipv4(0.0.0.0-255.255.255.255)
    Version: IKEv1
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
    Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
    Location: FPC 0, PIC 1, KMD-Instance 0
    Anchorship: Thread 1
    Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
    Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only
    ...
show security ipsec sa detail
user@host> show security ipsec sa detail
  ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
    Local Gateway: 2.0.0.1, Remote Gateway: 2.0.0.2
    Local Identity: ipv4(0.0.0.0-255.255.255.255)
    Remote Identity: ipv4(0.0.0.0-255.255.255.255)
    Version: IKEv1
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
    Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
    Location: FPC 0, PIC 1, KMD-Instance 0
    Anchorship: Thread 1
    Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
    Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
    ...
Starting with Junos OS Release 19.1R1, a new field, tunnel-establishment, in the output of the show security ipsec sa detail command displays the option configured under the ipsec vpn establish-tunnels hierarchy.
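As an added example, not from Juniper or Junos, the following Python groups the detail output into per-ID records with their inbound and outbound child SAs, keeps the tunnel event timeline, and reports the conditions a defender reads this output for: an event whose text records a failure (such as the certificate errors in the ADVPN partner sample further down this page), a child SA whose State is not installed, an anti-replay service that is not enabled, a soft lifetime that does not precede the hard lifetime, and a tunnel-establishment value ending in no-rekey (reported as informational, because this device will then not initiate rekeys). The sample text, the failure keywords and the severity labels are the example's assumptions; the "disabled" anti-replay wording in the sample is constructed for the test and not taken from device output.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the layout of the detail output, trimmed to the lines the parser
# reads. The inbound child SA is healthy; the outbound one is deliberately broken
# (not installed, anti-replay off). Not real device output.
SAMPLE_DETAIL = """\
  ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
    Tunnel events:
      Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times)
      Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
    Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: not installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: disabled, Replay window size: 0
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
"""

RE_ID = re.compile(r"^ID: (\d+)\s+Virtual-system: \S+, VPN Name: (\S+)")
RE_EVENT = re.compile(r"^(\w{3} \w{3} \d\d \d{4} \d\d:\d\d:\d\d [-+]\d{4}): (.+) \((\d+) times\)$")
RE_DIR = re.compile(r"^Direction: (\w+), SPI: (\S+),")
RE_LIFE = re.compile(r"^(Hard|Soft) lifetime: Expires in (\d+) seconds")
RE_STATE = re.compile(r"^Mode: .*?, Type: \S+, State: (.+)$")
RE_REPLAY = re.compile(r"^Anti-replay service: (.+?), Replay window size: (\d+)$")
RE_ESTAB = re.compile(r"^tunnel-establishment: (\S+)")
FAILURE_WORDS = ("failed", "not found")  # assumption: event text that marks a failure


@dataclass
class ChildSa:
    direction: str
    spi: str
    state: str = ""
    hard_lifetime_sec: Optional[int] = None
    soft_lifetime_sec: Optional[int] = None
    anti_replay_enabled: bool = False
    tunnel_establishment: Optional[str] = None


@dataclass
class SaRecord:
    sa_id: int
    vpn_name: str
    events: List[Tuple[str, str, int]] = field(default_factory=list)  # (timestamp, text, count)
    children: List[ChildSa] = field(default_factory=list)


def parse_detail(text: str) -> List[SaRecord]:
    """Group the detail output into SA records, each with its per-direction child SAs."""
    records: List[SaRecord] = []
    rec: Optional[SaRecord] = None
    child: Optional[ChildSa] = None
    for line in map(str.strip, text.splitlines()):
        if m := RE_ID.match(line):
            rec, child = SaRecord(sa_id=int(m[1]), vpn_name=m[2]), None
            records.append(rec)
        elif rec is None:
            continue
        elif m := RE_DIR.match(line):
            child = ChildSa(direction=m[1], spi=m[2])
            rec.children.append(child)
        elif m := RE_EVENT.match(line):
            rec.events.append((m[1], m[2], int(m[3])))
        elif child is None:
            continue
        elif m := RE_LIFE.match(line):
            setattr(child, f"{m[1].lower()}_lifetime_sec", int(m[2]))  # hard_/soft_lifetime_sec
        elif m := RE_STATE.match(line):
            child.state = m[1].strip()
        elif m := RE_REPLAY.match(line):
            service = m[1].lower()
            child.anti_replay_enabled = "enabled" in service and "disabled" not in service
        elif m := RE_ESTAB.match(line):
            child.tunnel_establishment = m[1]
    return records


def audit_detail(records: List[SaRecord]) -> List[Tuple[str, int, str]]:
    """Return (severity, sa_id, message) findings drawn from the detail fields."""
    out: List[Tuple[str, int, str]] = []
    for r in records:
        for ts, text, count in r.events:
            if any(w in text.lower() for w in FAILURE_WORDS):
                out.append(("medium", r.sa_id, f"{ts}: {text} ({count} times)"))
        for c in r.children:
            tag = f"{c.direction} SPI {c.spi}"
            if c.state != "installed":
                out.append(("high", r.sa_id, f"{tag}: state is '{c.state}'"))
            if not c.anti_replay_enabled:
                out.append(("high", r.sa_id, f"{tag}: anti-replay service is not enabled"))
            if None not in (c.hard_lifetime_sec, c.soft_lifetime_sec) and c.soft_lifetime_sec >= c.hard_lifetime_sec:
                out.append(("medium", r.sa_id, f"{tag}: soft lifetime does not precede hard lifetime"))
            if c.tunnel_establishment and c.tunnel_establishment.endswith("no-rekey"):
                out.append(("info", r.sa_id, f"{tag}: {c.tunnel_establishment}, this device does not initiate rekeys"))
    return out
```

The parser keys on the line prefixes shown in the samples on this page, so extra lines such as Location, Anchorship or Multi-sa FC Name pass through untouched, and the event timeline it keeps is the same one an incident responder would read to see who cleared an SA and when.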
show security ipsec security-associations brief
user@host> show security ipsec security-associations brief
  Total active tunnels: 2     Total Ipsec sas: 18
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 5.0.0.1
  <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 5.0.0.1
  <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 5.0.0.1
  <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 5.0.0.1
  <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 5.0.0.1
  <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 5.0.0.1
  >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 5.0.0.1
  ...
show security ipsec security-associations detail
user@host> show security ipsec security-associations detail
  ID: 500006 Virtual-system: root, VPN Name: HUB_VPN
    Local Gateway: 2.0.0.1, Remote Gateway: 7.0.0.6
    Traffic Selector Name: HUB_VPN_TS4
    Local Identity: ipv4(92.0.5.0-92.0.5.255)
    Remote Identity: ipv4(91.0.5.0-91.0.5.255)
    Version: IKEv2
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
    Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
    Location: FPC 0, PIC 1, KMD-Instance 0
    Anchorship: Thread 4
    Direction: inbound, SPI: 0xcd53aad7, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2665 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2021 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 0x0970d113, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2665 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2021 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  ID: 500012 Virtual-system: root, VPN Name: HUB_VPN
    Local Gateway: 2.0.0.1, Remote Gateway: 7.0.0.6
    Traffic Selector Name: HUB_VPN_TS6
    Local Identity: ipv4(82.0.5.0-82.0.5.255)
    Remote Identity: ipv4(81.0.5.0-81.0.5.255)
    Version: IKEv2
    DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
    Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
    Location: FPC 0, PIC 1, KMD-Instance 0
    Anchorship: Thread 8
    Direction: inbound, SPI: 0x8fa57316, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2665 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2043 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 0xeec2c1c5, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 2665 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2043 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations family inet6
user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
    Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm          SPI      Life:sec/kb  Mon vsys
  <2    192.168.1.2      500   ESP:aes256/sha256  67a7d25d 28280/unlim  -   0
  >2    192.168.1.2      500   ESP:aes256/sha256  a23cbcdc 28280/unlim  -   0
show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)
user@host> show security ipsec security-associations detail
  ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN
    Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear
    Bind-interface: st0.1
    Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
    Tunnel events:
      Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times)
      Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times)
      Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
      Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
      Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Location: FPC 0, PIC 3, KMD-Instance 2
    Direction: inbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
    Location: FPC 0, PIC 3, KMD-Instance 2
    Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)
user@host> show security ipsec security-associations detail
  ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
    Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear, Bind-interface: st0.1
    Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29
    Tunnel events:
      Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times)
      Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
      Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
      Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times)
      Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times)
    Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations sa-type shortcut (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111
  >268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111
show security ipsec security-associations sa-type shortcut detail (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut detail
node0:
--------------------------------------------------------------------------
  ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
    Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Auto Discovery VPN: Type: Shortcut, Shortcut Role: Initiator
    Version: IKEv2
    DF-bit: clear, Bind-interface: st0.1
    Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29
    Tunnel events:
      Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times)
      Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
      Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times)
    Direction: inbound, SPI: b7a5518, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: b7e0268, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations family inet detail
user@host> show security ipsec security-associations family inet detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
    Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv1
    DF-bit: clear , Copy-Outer-DSCP Enabled
    Bind-interface: st0.99
    Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
    Tunnel events:
      Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times)
      Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times)
      Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times)
      Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
      Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times)
    Location: FPC 0, PIC 1, KMD-Instance 1
    Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
    Location: FPC 0, PIC 1, KMD-Instance 1
    Direction: outbound, SPI: 727f629d, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
show security ipsec security-associations detail (SRX4600)
user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
    Local Gateway: 62.1.1.3, Remote Gateway: 62.1.1.2
    Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Version: IKEv2
    DF-bit: clear, Bind-interface: st0.0
    Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
    Tunnel events:
      Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times)
    Location: FPC 0, PIC 0, KMD-Instance 0
    Anchorship: Thread 6
    Direction: inbound, SPI: 812c9c01, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Location: FPC 0, PIC 0, KMD-Instance 0
    Anchorship: Thread 7
    Direction: outbound, SPI: c4de0972, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64