show security group-vpn member ipsec security-associations
Syntax

```
show security group-vpn member ipsec security-associations
<brief | detail>
<index sa-index>
```
Release Information
Command introduced in Release 10.2 of Junos OS.
Description
Display group VPN security associations (SAs) for a group member.
Options
none—Display information about all group VPN SAs for the group member.
brief—(Optional) Display summary output.
detail—(Optional) Display detailed output.
index sa-index—(Optional) Display detailed information about the specified SA identified by index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.
Required Privilege Level
view
Related Topics
clear security group-vpn member ipsec security-associations
List of Sample Output
show security group-vpn member ipsec security-associations
show security group-vpn member ipsec security-associations detail
Output Fields
Table 97 lists the output fields for the show security group-vpn member ipsec security-associations command. Output fields are listed in the approximate order in which they appear.
Table 97: show security group-vpn member ipsec security-associations
| Field Name | Field Description |
|---|---|
| Total active tunnels | Total number of active IPsec tunnels. |
| ID | Index number of the SA. You can use this number to get additional information about the SA. |
| Server | IP address of the group server (remote gateway). |
| Port | If Network Address Translation-Traversal (NAT-T) is used, this value is 4500. Otherwise it is the standard IKE port, 500. |
| Algorithm | Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations. |
| SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. |
| Life: sec/kb | The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. |
| GId | Group identifier. |
| vsys or Virtual-system | The root system. |
| Local Gateway | Gateway address of the local system. |
| GDOI Server | IP address of the group server. |
| Local Identity | Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IPv4 address, fully qualified domain name, e-mail address, or distinguished name. |
| Remote Identity | IPv4 address of the destination peer gateway. |
| DF-bit | State of the don't fragment bit: set or cleared. |
| Policy name | Name of the applicable policy. |
| Direction | Direction of the security association; it can be inbound or outbound. |
| AUX-SPI | Value of the auxiliary security parameter index. |
| Hard lifetime | The hard lifetime specifies the lifetime of the SA; when it is reached, the SA expires. |
| Lifesize Remaining | The lifesize remaining specifies the usage limits in kilobytes. If no lifesize is specified, it shows unlimited. |
| Soft lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires. |
| Mode | Mode of the security association. |
| Protocol | Protocol supported. Transport mode supports Encapsulation Security Protocol (ESP). |
| Anti-replay service | State of the service that prevents packets from being replayed. It can be Enabled or Disabled. |
Sample Output
show security group-vpn member ipsec security-associations
```
user@host> show security group-vpn member ipsec security-associations
Total active tunnels: 1
  ID          Server     Port  Algorithm      SPI       Life:sec/kb  GId  vsys
  >133955585  10.1.1.11  848   ESP:3des/sha1  d1d5e67d  587/ unlim   2    root
  <133955585  10.1.1.11  848   ESP:3des/sha1  d1d5e67d  587/ unlim   2    root
```
Sample Output
show security group-vpn member ipsec security-associations detail
```
user@host> show security group-vpn member ipsec security-associations detail
Virtual-system: root
  Local Gateway: 10.1.1.28, GDOI Server: 10.1.1.37
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
  Policy-name: p5-0001
  Direction: outbound, SPI: 68df21cc, AUX-SPI: 0, Group Id: 2
    Hard lifetime: Expires in 546 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 516 seconds
    Mode: shared, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: time-based enabled, Replay window size: 100
  Direction: inbound, SPI: 68df21cc, AUX-SPI: 0, Group Id: 2
    Hard lifetime: Expires in 546 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 516 seconds
    Mode: shared, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: time-based enabled, Replay window size: 100
```
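The detail output above is what a monitoring job would scrape to check SA health. The following Python script is an added example, not Juniper code or part of this page: it parses the detail output into one record per SA and reports SAs that are not installed, have anti-replay disabled, use a cipher on the script's own deprecated list, or are within a chosen number of seconds of their hard lifetime. The embedded sample is constructed from the output shown above; `DEPRECATED_CIPHERS` and the 60-second threshold are this example's assumptions.

```python
import re
# Constructed sample: the "detail" output from this page, embedded so the script runs offline.
SAMPLE_DETAIL = """\
Virtual-system: root
  Local Gateway: 10.1.1.28, GDOI Server: 10.1.1.37
  Direction: outbound, SPI: 68df21cc, AUX-SPI: 0, Group Id: 2
    Hard lifetime: Expires in 546 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 516 seconds
    Mode: shared, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: time-based enabled, Replay window size: 100
  Direction: inbound, SPI: 68df21cc, AUX-SPI: 0, Group Id: 2
    Hard lifetime: Expires in 546 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 516 seconds
    Mode: shared, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: time-based enabled, Replay window size: 100
"""
DEPRECATED_CIPHERS = {"des-cbc", "3des-cbc"}  # this example's own policy list
def parse_detail(text):
    """One dict per SA: a 'Direction:' line opens an SA, later 'key: value' items fill it."""
    sas = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Direction:"):
            sas.append({})
        if not sas:
            continue  # per-tunnel header lines precede the first SA
        for item in line.split(","):
            key, sep, value = item.partition(":")
            if sep:
                sas[-1][key.strip()] = value.strip()
    return sas
def audit(sas, min_hard_seconds=60):
    """Return (direction, finding) pairs worth alerting on; empty means healthy."""
    findings = []
    for sa in sas:
        d = sa.get("Direction", "?")
        if sa.get("State") != "installed":
            findings.append((d, "state is %s" % sa.get("State")))
        if "enabled" not in sa.get("Anti-replay service", ""):
            findings.append((d, "anti-replay disabled"))
        if sa.get("Encryption") in DEPRECATED_CIPHERS:
            findings.append((d, "deprecated cipher %s" % sa["Encryption"]))
        m = re.search(r"Expires in (\d+) seconds", sa.get("Hard lifetime", ""))
        if m and int(m.group(1)) < min_hard_seconds:
            findings.append((d, "hard lifetime expires in %ss" % m.group(1)))
    return findings
```

On the sample, both SAs are installed with anti-replay enabled, so the only findings are the 3des-cbc entries; raising `min_hard_seconds` above 546 adds a lifetime finding per SA.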