show ipsec security-associations

(Encryption interface on M Series and T Series routers only) Display information about the IPSec security associations applied to the local or transit traffic stream.

Options

Required Privilege Level

List of Sample Output

Output Fields

Table 236 lists the output fields for the show ipsec security-associations command. Output fields are listed in the approximate order in which they appear.

Sample Output

Field Name	Field Description	Level of Output
Security association	Name of the security association.	All levels
Interface family	Status of the interface family of the security association. If the interface family field is absent, it is a transport mode security association. The interface family can have one of three options: Up—The security association is referenced in the interface family and the interface family is up. Down—The security association is referenced in the interface family and the interface family is down. No reference—The security association is not referenced in the interface family.	All levels
Local gateway	Gateway address of the local system.	All levels
Remote gateway	Gateway address of the remote system.	All levels
Local identity	Prefix and port number of the local end	All levels
Remote identity	Prefix and port number of the remote end.	All levels
Direction	Direction of the security association: inbound or outbound.	All levels
SPI	Value of the security parameter index.	All levels
AUX-SPI	Value of the auxiliary security parameter index. When the value is AH or ESP, AUX-SPI is always 0. When the value isAH+ESP, AUX-SPI is always a positive integer.	All levels
State	Status of the security association: Installed—The security association is installed in the security association database. (For transport mode security associations, the value of State must always be Installed.) Not installed—The security association is not installed in the security association database.	detail
Mode	Mode of the security association: transport—Protects single host-to-host protections. tunnel—Protects connections between security gateways.	All levels
Type	Type of security association:. manual—Security parameters require no negotiation. They are static, and are configured by the user. dynamic—Security parameters are negotiated by the IKE protocol. Dynamic security associations are not supported in transport mode.	All levels
Protocol	Protocol supported: transport mode—Supports Encapsulation Security Protocol (ESP) or Authentication Header (AH). tunnel mode—Supports ESP or AH+ESP.	All levels
Authentication	Type of authentication used: hmac-md5-96, hmac-sha1-96, or None.	detail
Encryption	Type of encryption used: des-cbc, 3des-csc, or None.	detail
Soft lifetime Hard lifetime	(dynamic output only) Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPSec key management system that the SA is about to expire. This allows the key management system to negotiate a new SA before the hard lifetime expires. Expires in seconds seconds—Number of seconds left until the security association expires. Expires in kilobytes kilobytes—Number of kilobytes left until the security association expires.	detail
Anti-replay service	State of the service that prevents packets from being replayed: Enabled or Disabled.	detail
Replay window size	Configured size, in packets, of the antireplay service window: 32 or 64. The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets. If the replay window size is 0, the antireplay service is disabled.	detail

show ipsec security-associations sa-name

user@host> show ipsec security-associations
               sa-cosmic brief

Security association: sa-cosmic, Interface family: Up
Local gateway: 21.21.1.1, Remote gateway: 21.21.2.1
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Direction SPI         AUX-SPI     Mode       Type     Protocol
inbound   2908734119  0           tunnel     dynamic  AH
outbound  3494029335  0           tunnel     dynamic  AH

show ipsec security-associations sa-name detail

user@host> show ipsec security-associations
               sa-cosmic detail

Security association: sa-cosmic, Interface family: Up

Local gateway: 21.21.1.1, Remote gateway: 21.21.2.1
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Direction: inbound, SPI: 2908734119, AUX-SPI: 0, State: Installed
Mode: tunnel, Type: dynamic
Protocol: AH, Authentication: hmac-md5-96, Encryption: None
Soft lifetime: Expired
Hard lifetime: Expires in 120 seconds
Anti-replay service: Disabled

Direction: outbound, SPI: 3494029335, AUX-SPI: 0, State: Installed
Mode: tunnel, Type: dynamic
Protocol: AH, Authentication: hmac-md5-96, Encryption: None
Soft lifetime: Expired
Hard lifetime: Expires in 120 seconds
Anti-replay service: Disabled

Syntax

Release Information

Description

Options

Required Privilege Level

List of Sample Output

Output Fields

Sample Output