Technical Documentation

Related Topics
clear ike security-associations

show ike security-associations

Syntax

show ike security-associations<brief | detail> <peer-address>

Release Information

Command introduced before Junos OS Release 7.4.

Description

(Encryption interface on M Series and T Series routers only) Display information about Internet Key Exchange (IKE) security associations.

Options

none: Display standard information about all IKE security associations.
brief | detail: (Optional) Display the specified level of output.
peer-address: (Optional) Display IKE security associations for the specified peer address.

Required Privilege Level

view

List of Sample Output

show ike security-associations
show ike security-associations detail

Output Fields

Table 1 lists the output fields for the show ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show ike security-associations Output Fields

Field Name	Field Description	Level of Output
IKE peer	Remote end of the IKE negotiation.	detail
Role	Part played in the IKE session. The router triggering the IKE negotiation is the initiator, and the router accepting the first IKE exchange packets is the responder.	detail
Remote Address	Responder's address.	none specified
State	State of the IKE security association: Matured—The IKE security association is established. Not matured—The IKE security association is in the process of negotiation.	none specified
Initiator cookie	When the IKE negotiation is triggered, a random number is sent to the remote node.	All levels
Responder cookie	The remote node generates its own random number and sends it back to the initiator as a verification that the packets were received. Of the numerous security services available, protection against denial of service (DoS) is one of the most difficult to address. A “cookie” or anticlogging token (ACT) is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. An exchange prior to CPU-intensive public key operations can thwart some DoS attempts (such as simple flooding with invalid IP source addresses).	All levels
Exchange type	Specifies the number of messages in an IKE exchange, and the payload types that are contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. Junos OS supports two types of exchanges: Main—The exchange is done with six messages. Main encrypts the payload, protecting the identity of the neighbor. Aggressive—The exchange is done with three messages. Aggressive does not encrypt the payload, leaving the identity of the neighbor unprotected.	All Levels
Authentication method	Type of authentication determines which payloads are exchanged and when they are exchanged. The Junos OS supports only pre-shared keys.	detail
Local	Prefix and port number of the local end.	detail
Remote	Prefix and port number of the remote end.	detail
Lifetime	Number of seconds remaining until the IKE security association expires.	detail
Algorithms	Header for the IKE algorithms output. Authentication—Type of authentication algorithm used:md5 or sha1. Encryption—Type of encryption algorithm used: des-cbc, 3des-cbc, or None. Pseudo random function—Function that generates highly unpredictable random numbers:hmac-md5 orhmac-sha1.	detail
Traffic statistics	Number of bytes and packets received and transmitted on the IKE security association. Input bytes, Output bytes—Number of bytes received and transmitted on the IKE security association. Input packets, Output packets—Number of packets received and transmitted on the IKE security association.	detail
Flags	Notification to the key management process of the status of the IKE negotiation: caller notification sent—Caller program notified about the completion of the IKE negotiation. waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire. waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation. waiting for policy manager—Negotiation is waiting for a response from the policy manager.	detail
IPsec security associates	Number of IPsec security associations created and deleted with this IKE security association.	detail
Phase 2 negotiations in progress	Number of phase 2 IKE negotiations in progress and status information: Negotiation type—Type of phase 2 negotiation. The Junos OS currently supports quick mode. Message ID—Unique identifier for a phase 2 negotiation. Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation) Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation) Flags—Notification to the key management process of the status of the IKE negotiation: caller notification sent—Caller program notified about the completion of the IKE negotiation. waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire. waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation. waiting for policy manager—Negotiation is waiting for a response from the policy manager.	detail

Sample Output

show ike security-associations

user@host> show ike security-associations

Remote Address  State         Initiator cookie  Responder cookie  Exchange type
4.4.4.4         Matured       93870456fa000011  723a20713700003e  Main

show ike security-associations detail

user@host> show ike security-associations detail

IKE peer 4.4.4.4
  Role: Initiator, State: Matured
  Initiator cookie: cf22bd81a7000001, Responder cookie: fe83795c2800002e
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 4.4.4.5:500, Remote: 4.4.4.4:500
  Lifetime: Expires in 187 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input  bytes  :                 1000
   Output bytes  :                 1280
   Input  packets:                    5
   Output packets:                    9
  Flags: Caller notification sent
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

Negotiation type: Quick mode, Role: Initiator, Message ID: 3582889153
    Local: 4.4.4.5:500, Remote: 4.4.4.4:500
    Local identity: ipv4_subnet(tcp:80,[0..7]=10.1.1.0/24)
    Remote identity: ipv4_subnet(tcp:100,[0..7]=10.1.2.0/24)
    Flags: Caller notification sent, Waiting for done