
    Monitoring the IKE Phase 1 SAs

    Purpose

    Display the Internet Key Exchange (IKE) phase 1 security associations (SAs) running on the router.

    When Network Address Translation-Traversal (NAT-T) is enabled on both the client PC and E Series router and the router has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in the Local:Port column is typically 4500. When NAT-T is disabled or not supported on one or both sides of the IKE SA negotiation, the local UDP port number is 500.

    Action

    To display the IKE phase 1 SAs for three remote client PCs that are accessing an E Series router (IP address 21.227.9.8):

    host1# show ipsec ike-sa
    IKE Phase 1 SA's:
    Local:Port     Remote:Port    Time(Sec) State  Local Cookie     Remote Cookie
    21.227.9.8:500  21.227.9.10:500   26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
    21.227.9.8:4500 21.227.9.11:4500  28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
    21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
    

    The first client PC listed (IP address 21.227.9.10) is not located behind a NAT device and is therefore not using NAT-T to access the router. This PC appears in the Remote:Port column with its own IP address (21.227.9.10) and UDP port number 500.

    The remaining two client PCs are located behind a NAT device that has IP address 21.227.9.11 and are using NAT-T to access the router. These PCs appear in the Remote:Port column with the same IP address (21.227.9.11), which is the address of the NAT device rather than of either PC, but with two different UDP port numbers, 4500 and 14500, which are the source ports the NAT device assigned to their connections. Because peers behind the same NAT device share an address, the remote port is the only field that distinguishes one such client from another in this output.

    Meaning

    Table 1 lists the output fields for the show ipsec ike-sa command.

    Table 1: show ipsec ike-sa Output Fields

    Field Name       Field Description
    ---------------  ---------------------------------------------------------------
    Local:Port       Local IP address and UDP port number of the phase 1
                     negotiation (500, or 4500 when NAT-T was negotiated)
    Remote:Port      Remote IP address and UDP port number of the phase 1
                     negotiation; for a peer behind a NAT device, these are the
                     address and port assigned by the NAT device
    Time(Sec)        Time remaining in the phase 1 lifetime, in seconds
    State            Current state of the phase 1 negotiation. Corresponds to the
                     messaging state in the main mode and aggressive mode
                     negotiations. Possible states are:
                     • AM_SA_I—Initiator has sent the initial aggressive mode SA
                       payload and key exchange to the responder
                     • AM_SA_R—Responder has sent the aggressive mode SA payload
                       and key exchange to the initiator
                     • AM_FINAL_I—Initiator has finished the aggressive mode
                       negotiation
                     • AM_DONE_R—Responder has finished the aggressive mode
                       negotiation
                     • MM_SA_I—Initiator has sent the initial main mode SA payload
                       to the responder
                     • MM_SA_R—Responder has sent a response to the initial main
                       mode SA payload
                     • MM_KE_I—Initiator has sent the initial main mode key
                       exchange to the responder
                     • MM_KE_R—Responder has sent a response to the key exchange
                     • MM_FINAL_I—Initiator has sent the final packet in the main
                       mode negotiation
                     • MM_FINAL_R—Responder has finished the main mode negotiation
                     • MM_DONE_I—Initiator has finished the main mode negotiation
                     • DONE—Phase 1 SA negotiation is complete, as evidenced by
                       receipt of some phase 2 messages
    Local Cookie     Cookie generated by the local side of the phase 1 IKE SA;
                     together with the remote cookie it forms the SPI that
                     identifies the SA in the ISAKMP header
    Remote Cookie    Cookie generated by the remote side of the phase 1 IKE SA;
                     together with the local cookie it forms the SPI that
                     identifies the SA in the ISAKMP header
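    The following Python script is an added example and is not part of this documentation or of the E Series software. It parses the show ipsec ike-sa output shown above, decides from the local port whether each SA negotiated NAT-T, lists remote addresses that carry several NAT-T clients (the two PCs behind 21.227.9.11 in the example), and flags SAs that are not in the DONE state, are close to the end of their phase 1 lifetime, or reuse a cookie pair. The sample text embeds the three lines from the page plus one constructed line for a peer still negotiating; the 300-second lifetime threshold and the regular expression for the row layout are assumptions, not router settings.

```python
"""Parse `show ipsec ike-sa` output and flag NAT-T use, stuck negotiations,
short remaining lifetimes and duplicate cookie pairs. Added example; not the
E Series software's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

IKE_PORT = 500           # ISAKMP without NAT-T
NAT_T_PORT = 4500        # port IKE floats to once NAT-T is negotiated
LOW_LIFETIME_SEC = 300   # assumed operator threshold, not a router default

# Row layout assumed from the sample output: local, remote, time, state, cookies.
SA_LINE = re.compile(
    r"^(?P<lip>\d+\.\d+\.\d+\.\d+):(?P<lport>\d+)\s+"
    r"(?P<rip>\d+\.\d+\.\d+\.\d+):(?P<rport>\d+)\s+"
    r"(?P<time>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<lcookie>0x[0-9a-fA-F]{16})\s+(?P<rcookie>0x[0-9a-fA-F]{16})\s*$"
)

# Constructed sample: the page's three rows plus one peer still in main mode.
SAMPLE_OUTPUT = """
host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port     Remote:Port    Time(Sec) State  Local Cookie     Remote Cookie
21.227.9.8:500  21.227.9.10:500   26133 DONE 0x87a943562124c711 0xafa2cf4a260399a4
21.227.9.8:4500 21.227.9.11:4500  28774 DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
21.227.9.8:4500 21.227.9.11:14500 28729 DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
21.227.9.8:500  21.227.9.12:500      45 MM_SA_R 0x13e7a0c2b5d94f60 0x6b2f0e9d1c4a8377
"""


@dataclass(frozen=True)
class IkeSa:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    time_left: int
    state: str
    local_cookie: str
    remote_cookie: str

    @property
    def nat_t(self) -> bool:
        # The router negotiated NAT-T for this SA: its local port floated to 4500.
        return self.local_port == NAT_T_PORT


def parse_ike_sa(output: str) -> list[IkeSa]:
    """Return one IkeSa per data row; prompt, banner and header lines are skipped."""
    sas = []
    for line in output.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            sas.append(IkeSa(m["lip"], int(m["lport"]), m["rip"], int(m["rport"]),
                             int(m["time"]), m["state"],
                             m["lcookie"].lower(), m["rcookie"].lower()))
    return sas


def clients_behind_nat(sas: list[IkeSa]) -> dict[str, list[int]]:
    """Remote addresses with more than one NAT-T SA: each distinct remote port is
    a separate client sharing that NAT device's address."""
    ports: dict[str, list[int]] = {}
    for sa in sas:
        if sa.nat_t:
            ports.setdefault(sa.remote_ip, []).append(sa.remote_port)
    return {ip: sorted(p) for ip, p in ports.items() if len(p) > 1}


def find_issues(sas: list[IkeSa], low_lifetime: int = LOW_LIFETIME_SEC) -> list[str]:
    """Flag SAs that have not reached DONE, are about to expire, use an unexpected
    local port, or share a cookie pair with an earlier row."""
    issues = []
    seen: set[tuple[str, str]] = set()
    for sa in sas:
        peer = f"{sa.remote_ip}:{sa.remote_port}"
        if sa.state != "DONE":
            issues.append(f"{peer}: phase 1 not complete (state {sa.state})")
        if sa.time_left < low_lifetime:
            issues.append(f"{peer}: only {sa.time_left}s of phase 1 lifetime left")
        if sa.local_port not in (IKE_PORT, NAT_T_PORT):
            issues.append(f"{peer}: unexpected local UDP port {sa.local_port}")
        pair = (sa.local_cookie, sa.remote_cookie)
        if pair in seen:
            issues.append(f"{peer}: duplicate cookie pair {pair}")
        seen.add(pair)
    return issues


if __name__ == "__main__":
    sas = parse_ike_sa(SAMPLE_OUTPUT)
    for sa in sas:
        mode = "NAT-T" if sa.nat_t else "no NAT-T"
        print(f"{sa.remote_ip}:{sa.remote_port:<6} {sa.state:<8} {mode}")
    print("clients behind a NAT:", clients_behind_nat(sas))
    for issue in find_issues(sas):
        print("ISSUE:", issue)
```

    Run against a saved copy of the command output instead of SAMPLE_OUTPUT to turn the check into a monitoring step; a peer that stays in a MM_* or AM_* state across several runs, or whose local port is neither 500 nor 4500, is worth investigating before the tunnel is relied on.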

    Published: 2014-08-12