show services ipsec-vpn ipsec security-associations

(Adaptive services interface only) Display IPSec security associations for the specified service set. If no service set is specified, the security associations for all service sets are displayed.

Options

none — Display standard information about IPSec security associations for all service sets.

brief | detail | extensive — (Optional) Display the specified level of output.

service-set service-set-name — (Optional) Display information about a particular service set.

Required Privilege Level

List of Sample Output

Output Fields

Table 215 lists the output fields for the show services ipsec-vpn ipsec security-associations command. Output fields are listed in the approximate order in which they appear.

Field Name	Field Description	Level of Output
Service set	Name of the service set for which the IPSec security associations are defined. If appropriate, includes the outside service interface VRF name.	All levels
Rule	Name of the rule set applied to the security association.	detail extensive
Term	Name of the IPSec term applied to the security association.	detail extensive
Tunnel index	Numeric identifier of the specific IPSec tunnel for the security association.	detail extensive
Local gateway	Gateway address of the local system.	All levels
Remote gateway	Gateway address of the remote system.	All levels
IPSec inside interface	Name of the logical interface hosting the IPSec tunnels.	All levels
Local identity	Prefix and port number of the local end	All levels
Remote identity	Prefix and port number of the remote end.	All levels
Primary remote gateway	IP address of the configured primary remote peer.	All levels
Backup remote gateway	IP address of the configured backup remote peer.	All levels
State	State of the primary or backup interface: Active, Offline, or Standby. Both ES PICs are initialized to Offline. For primary and backup peers, State can be Active or Standby. If both peers are in a state of Standby, no connection exists yet between the two peers.	All levels
Failover counter	Number of times a PIC switched between primary and backup interfaces, or the number of times the tunnel switched between the primary and remote peers since the software has been activated.	All levels
Direction	Direction of the security association: inbound or outbound.	All levels
SPI	Value of the security parameter index.	All levels
AUX-SPI	Value of the auxiliary security parameter index. When the value of Protocol is AH or ESP, AUX-SPI is always 0. When the value of Protocol is AH+ESP, AUX-SPI is always a positive integer.	All levels
Mode	Mode of the security association: transport—Protects single host-to-host protections. tunnel—Protects connections between security gateways.	detail extensive
Type	Type of security association: manual—Security parameters require no negotiation. They are static, and are configured by the user. dynamic—Security parameters are negotiated by the IKE protocol. Dynamic security associations are not supported in transport mode.	detail extensive
State	Status of the security association: Installed—The security association is installed in the security association database. (For transport mode security associations, the value of State must always be Installed) Not installed—The security association is not installed in the security association database.	detail extensive
Protocol	Protocol supported: transport mode supports Encapsulation Security Protocol (ESP) or Authentication Header (AH). tunnel mode supports ESP or AH+ESP.	All levels
Authentication	Type of authentication used: hmac-md5-96, hmac-sha1-96, or none.	detail extensive
Encryption	Type of encryption algorithm used: can be aes-cbc (128 bits), aes-cbc (192 bits), aes-cbc (256 bits), des-cbc, 3des-cbc, or None.	detail
Soft lifetime Hard lifetime	Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. The hard lifetime specifies the lifetime of the SA. The soft lifetime, which is derived from the hard lifetime, informs the IPSec key management system that the SA is about to expire. This information allows the key management system to negotiate a new SA before the hard lifetime expires. Expires in seconds seconds—Number of seconds left until the security association expires. Expires in kilobytes kilobytes—Number of kilobytes left until the security association expires.	detail extensive
Anti-replay service	State of the service that prevents packets from being replayed: Enabled or Disabled.	detail extensive
Replay window size	Configured size, in packets, of the antireplay service window: 32 or 64. The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets. If the replay window size is 0, antireplay service is disabled.	detail

show services ipsec-vpn ipsec security associations extensive

user@host> show services ipsec-vpn ipsec security-associations
extensive

Service set: service-set-1
  Rule: _junos_, Term: term-1, Tunnel index: 1
  Local gateway: 101.101.101.2, Remote gateway: 14.14.14.4
  IPSec inside interface: sp-2/0/0.1  Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Primary remote gateway: 101.101.101.1, State: Standby
  Backup remote gateway: 14.14.14.4, State: Active
  Failover counter: 1

   Direction: inbound, SPI: 3743521590, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
   Soft lifetime: Expires in 23043 seconds
   Hard lifetime: Expires in 23178 seconds
   Anti-replay service: Enabled, Replay window size: 64

   Direction: outbound, SPI: 2551045240, AUX-SPI: 0
   Mode: tunnel, Type: dynamic, State: Installed
   Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
   Soft lifetime: Expires in 23043 seconds
   Hard lifetime: Expires in 23178 seconds
   Anti-replay service: Enabled, Replay window size: 64

Syntax

Release Information

Description

Options

Required Privilege Level

List of Sample Output

Output Fields

show services ipsec-vpn ipsec security associations extensive