Monitoring the IKE Phase 1 SAs

Purpose

Display the Internet Key Exchange (IKE) phase 1 security associations (SAs) running on the router.

When Network Address Translation-Traversal (NAT-T) is enabled on both the client PC and E Series router and the router has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in the Local:Port column is typically 4500. When NAT-T is disabled or not supported on one or both sides of the IKE SA negotiation, the local UDP port number is 500.

Action

To display the IKE phase 1 SAs for three remote client PCs that are accessing an E Series router (IP address 21.227.9.8):

host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port     Remote:Port    Time(Sec) State  Local Cookie     Remote Cookie
21.227.9.8:500  21.227.9.10:500   26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500 21.227.9.11:4500  28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf

The first client PC listed (IP address 21.227.9.10) is not located behind a NAT device and is therefore not using NAT-T to access the router. This PC appears in the Remote:Port column with its own IP address (21.227.9.10) and UDP port number 500.

The remaining two client PCs are located behind a NAT device that has IP address 21.227.9.11 and are using NAT-T to access the router. These PCs appear in the Remote:Port column with the same IP address (21.227.9.11) but with two different UDP port numbers: 4500 and 14500.

Meaning

Table 42 lists the output fields for the show ipsec ike-sa command.

Table 42: show ipsec ike-sa Output Fields

Field Name

Field Description

Local:Port

Local IP address and UDP port number of phase 1 negotiation

Remote:Port

Remote IP address and UDP port number of phase 1 negotiation

Time(Sec)

Time remaining in phase 1 lifetime, in seconds

State

Current state of the phase 1 negotiation. Corresponds to the messaging state in the main mode and aggressive mode negotiations. Possible states are:

  • AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange to the responder
  • AM_SA_R—Responder has sent aggressive mode SA payload and key exchange to the initiator
  • AM_FINAL_I—Initiator has finished aggressive mode negotiation
  • AM_DONE_R—Responder has finished aggressive mode negotiation
  • MM_SA_I—Initiator has sent initial main mode SA payload to the responder
  • MM_SA_R—Responder has sent a response to the initial main mode SA
  • MM_KE_I—Initiator has sent initial main mode key exchange to the responder
  • MM_KE_R—Responder has sent a response to the key exchange
  • MM_FINAL_I—Initiator has sent the final packet in the main mode negotiation
  • MM_FINAL_R—Responder has finished main mode negotiation
  • MM_DONE_I—Initiator has finished main mode negotiation
  • DONE—Phase 1 SA negotiation is complete, as evidenced by receipt of some phase 2 messages

Local Cookie

Unique identifier (SPI) for the local phase 1 IKE SA

Remote Cookie

Unique identifier (SPI) for the remote phase 1 IKE SA
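The following Python parser is an added example for this page and is not part of the Juniper documentation or the router software. It reads the show ipsec ike-sa output above (embedded here as a constructed copy of the page's three SA rows), extracts the fields listed in Table 42, and derives the NAT-T interpretation the Action section walks through: a local port of 4500 marks a NAT-T SA, and several remote ports behind one remote address mean several clients share a NAT device.

```python
import re
from collections import defaultdict

# Constructed copy of the output shown on this page (same three SAs).
SAMPLE_OUTPUT = """\
host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port     Remote:Port    Time(Sec) State  Local Cookie     Remote Cookie
21.227.9.8:500  21.227.9.10:500   26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500 21.227.9.11:4500  28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
"""

# One SA row: local addr:port, remote addr:port, seconds left, state, two cookies
SA_LINE = re.compile(
    r"^(?P<lip>[\d.]+):(?P<lport>\d+)\s+(?P<rip>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<time>\d+)\s+(?P<state>\S+)\s+(?P<lc>0x[0-9a-fA-F]+)\s+(?P<rc>0x[0-9a-fA-F]+)\s*$"
)

def parse_ike_sas(text):
    """Return one dict per SA row; prompt, banner and header lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        sas.append({
            "local": (d["lip"], int(d["lport"])),
            "remote": (d["rip"], int(d["rport"])),
            "time_left": int(d["time"]),
            "state": d["state"],
            "local_cookie": d["lc"],
            "remote_cookie": d["rc"],
            # NAT-T was negotiated when the router's own port moved to UDP 4500
            "nat_t": int(d["lport"]) == 4500,
        })
    return sas

def peers_behind_nat(sas):
    """Map each NAT-T remote address to the set of remote ports seen behind it."""
    by_ip = defaultdict(set)
    for sa in sas:
        if sa["nat_t"]:
            by_ip[sa["remote"][0]].add(sa["remote"][1])
    return dict(by_ip)

def incomplete_sas(sas, min_seconds=0):
    """SAs still negotiating, or whose phase 1 lifetime is at or below min_seconds."""
    return [sa for sa in sas if sa["state"] != "DONE" or sa["time_left"] <= min_seconds]
```

Running peers_behind_nat over the sample output yields {"21.227.9.11": {4500, 14500}}, the two clients behind the NAT device described in the Action section, while the first client (21.227.9.10:500) is reported as a plain UDP 500 SA.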