show security group-vpn member ike security-associations

Syntax

show security group-vpn member ike security-associations [brief | detail] [index sa-index] [peer-ipaddress]

Release Information

Command introduced in Release 10.2 of Junos OS.

Description

Display IKE security associations (SAs) for a group member.

Options

none—Display summary information about all IKE SAs for the group member.

brief—(Optional) Display summary output.

detail—(Optional) Display detailed output.

index sa-index—(Optional) Display detailed information about the specified SA identified by index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

peer-ipaddress—(Optional) Display information about the SA with the specified peer.

Required Privilege Level

view

Related Topics

clear security group-vpn member ike security-associations

List of Sample Output

show security group-vpn member ike security-associations
show security group-vpn member ike security-associations detail

Output Fields

Table 96 lists the output fields for the show security group-vpn member ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 96: show security group-vpn member ike security-associations Output Fields

Field Name

Field Description

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Mode

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

  • main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

IKE Peer

IP address of the destination peer with which the local peer communicates.

Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

  • main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Authentication method

Method the server uses to authenticate the source of IKE messages:

  • pre-shared-keys—Preshared key for encryption and decryption that both participants must have before beginning tunnel negotiations.

rsa-signatures —Digital signature, a certificate that confirms the identity of the certificate holder.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1(sha1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc— AES192-bit encryption
    • aes-128-cbc—AES 128-bit encryption.
    • 3des-cbc—3 Data Encryption Standard (DES) encryption.
    • des-cbc—DES encryption.

Traffic statistics

  • Input bytes—Number of bytes received.
  • Output bytes—Number of bytes transmitted.
  • Input packets—Number of packets received.
  • Output packets—Number of packets transmitted.

IPSec security associations

  • number created: The number of SAs created.
  • number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.
  • Message ID—Unique identifier for a Phase 2 negotiation.
  • Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
  • Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
  • Flags—Notification to the key management process of the status of the IKE negotiation:
    • caller notification sent—Caller program notified about the completion of the IKE negotiation.
    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Sample Output

show security group-vpn member ike security-associations

user@host> show security group-vpn member ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
1       10.1.1.11       UP     a9b023fbdc7a6571  a67cefbc3397c3c2  Main

Sample Output

show security group-vpn member ike security-associations detail

user@host> show security group-vpn member ike security-associations detail
IKE peer 10.1.1.11, Index 411,
  Role: Initiator, State: UP
  Initiator cookie: 941108c6c186324a, Responder cookie: 0000000000000000
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.1.1.13:848, Remote: 10.1.1.11:848
  Lifetime: Expires in 3536 seconds
  Algorithms:
   Authentication        : unknown 
   Encryption            : unknown
   Pseudo random function: unknown
  Traffic statistics:
   Input  bytes  :                    0
   Output bytes  :                  560
   Input  packets:                    0
   Output packets:                    4
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0
Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.