show security group-vpn member kek security-associations

Syntax

show security group-vpn member kek security-associations [brief | detail] [index sa-index] [peer-ipaddress]

Release Information

Command introduced in Release 10.2 of Junos OS.

Description

Display group VPN security associations (SAs) for a group member.

Options

none—Display information about all group VPN SAs for the group member.

brief—(Optional) Display summary output.

detail—(Optional) Display detailed output.

index sa-index—(Optional) Display detailed information about the specified SA identified by index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

peer-ipaddress—(Optional) Display information about the SA with the specified peer.

Required Privilege Level

view

Related Topics

clear security group-vpn member kek security-associations

List of Sample Output

show security group-vpn member kek security-associations
show security group-vpn member kek security-associations detail

Output Fields

Table 98 lists the output fields for the show security group-vpn member kek security-associations command. Output fields are listed in the approximate order in which they appear.

Table 98: show security group-vpn member kek security-associations

Field Name

Field Description

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

State

State of the KEK security associations:

  • DOWN—SA is not active.
  • UP—SA is active.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI.

GroupID

Group identifier.

KEK Peer

IP address of the destination peer with which the local peer communicates.

Role

For the group member, the role is always responder.

State

State of the KEK security associations, which is always up.

Authentication method

RSA is the supported authentication method.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Sig-hash—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—AES 192-bit encryption.
    • aes-128-cbc—AES 128-bit encryption.
    • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
    • des-cbc—DES encryption.

Traffic statistics

  • Input bytes—Number of bytes received.
  • Output bytes—Number of bytes transmitted.
  • Input packets—Number of packets received.
  • Output packets—Number of packets transmitted.

Server Info Version

Identifies the latest set of information maintained on the server.

Server Heartbeat Interval

Interval in seconds at which the server sends heartbeats to group members.

Member Heartbeat Threshold

The heartbeat threshold configured on the group member for the IPsec VPN. If this number of heartbeats is missed on the member, the member reregisters with the server.

Heartbeat Timeout Left

Number of heartbeats until the heartbeat threshold is reached, at which time the member reregisters with the server.

Note: When this number reaches 0, reregistration happens within 60 seconds.

Server Activation Delay

Number of seconds before a group member can use a new key when the member reregisters with the server.

Server Multicast Group

Multicast IP address to which the server sends rekey messages.

Server Replay Window

Antireplay time window value in seconds. 0 means antireplay is disabled.

Group Key Push sequence number

Sequence number of the KEK SA groupkey-push message. This number is incremented with every groupkey-push message, including heartbeats.

Sample Output

show security group-vpn member kek security-associations

user@host> show security group-vpn member kek security-associations
  Index   Remote Address  State  Initiator cookie  Responder cookie  GroupId
42      10.1.1.11       UP     a53603e30716fb74  8076194a850d56d0  2

Sample Output

show security group-vpn member kek security-associations detail

user@host> show security group-vpn member kek security-associations detail
KEK peer 10.1.1.37, Index 277
  Role: Responder, State: UP
  Initiator cookie: d858215649fba214, Responder cookie: e2ebd3fff04cf9d2
  Authentication method: RSA
  Local: 10.1.1.28:848, Remote: 10.1.1.37:848
  Lifetime: Expires in 37 seconds
  Algorithms:
   Sig-hash              : sha1
   Encryption            : 3des-cbc
  Traffic statistics:
   Input  bytes  :                  748
   Output bytes  :                   68
   Input  packets:                    3
   Output packets:                    1
  Group Id: 2
  Server Info Version: 5
  Server Heartbeat Interval: 60, Member Heartbeat Threshold: 5
  Heartbeat Timeout Left: 5 
  Server Activation Delay: 10
  Server Multicast Group: Unicast, Server Replay Window: 100
  Group Key Push sequence number: 5
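The two sample outputs above are what an operator normally reads by eye. The following is an added example (not Juniper code and not part of this reference page) that parses both the brief table and the detail form into dictionaries, using the field names from the Output Fields table, and then runs a few defender-side checks against the documented fields: a KEK SA that is not UP, a Server Replay Window of 0 (antireplay disabled), a Heartbeat Timeout Left of 0 (reregistration within 60 seconds), and, as this example's own assumption, DES/3DES or MD5 as legacy algorithms and an SA lifetime below a configurable threshold. The sample text is copied from the page; the assumption that each SA in multi-SA detail output begins with a "KEK peer ..., Index N" line, and the column spacing, are taken from the single sample shown and may differ between releases.

```python
"""Parse and sanity-check 'show security group-vpn member kek security-associations'
output (brief and detail forms).  Added example; not Juniper code.  Field names
follow the page's Output Fields table; the thresholds are this example's own."""
import re

# Sample output copied from the page's "Sample Output" sections.
BRIEF_OUTPUT = """\
  Index   Remote Address  State  Initiator cookie  Responder cookie  GroupId
42      10.1.1.11       UP     a53603e30716fb74  8076194a850d56d0  2
"""

DETAIL_OUTPUT = """\
KEK peer 10.1.1.37, Index 277
  Role: Responder, State: UP
  Initiator cookie: d858215649fba214, Responder cookie: e2ebd3fff04cf9d2
  Authentication method: RSA
  Local: 10.1.1.28:848, Remote: 10.1.1.37:848
  Lifetime: Expires in 37 seconds
  Algorithms:
   Sig-hash              : sha1
   Encryption            : 3des-cbc
  Traffic statistics:
   Input  bytes  :                  748
   Output bytes  :                   68
   Input  packets:                    3
   Output packets:                    1
  Group Id: 2
  Server Info Version: 5
  Server Heartbeat Interval: 60, Member Heartbeat Threshold: 5
  Heartbeat Timeout Left: 5
  Server Activation Delay: 10
  Server Multicast Group: Unicast, Server Replay Window: 100
  Group Key Push sequence number: 5
"""

# Assumption of this example: treat the DES/3DES ciphers and MD5 that the page
# lists as legacy choices worth flagging on a KEK SA.
LEGACY_ENCRYPTION = {"des-cbc", "3des-cbc"}
LEGACY_SIG_HASH = {"md5"}


def parse_brief(text):
    """Return one dict per SA row of the brief (no-option) table."""
    keys = ["index", "remote_address", "state", "initiator_cookie",
            "responder_cookie", "group_id"]
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for ln in lines[1:]:                      # lines[0] is the column header
        parts = ln.split()
        if len(parts) != len(keys):
            continue                          # not a data row
        row = dict(zip(keys, parts))
        row["index"] = int(row["index"])
        row["group_id"] = int(row["group_id"])
        rows.append(row)
    return rows


def _norm_key(key):
    """'Input  bytes  ' -> 'input_bytes', 'Sig-hash' -> 'sig_hash'."""
    return re.sub(r"[^a-z0-9]+", "_", key.strip().lower()).strip("_")


def parse_detail(text):
    """Return one dict per 'KEK peer <ip>, Index <n>' block of detail output."""
    sas, sa = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"KEK peer (\S+), Index (\d+)$", line)
        if m:                                 # start of a new SA block
            sa = {"kek_peer": m.group(1), "index": int(m.group(2))}
            sas.append(sa)
            continue
        if sa is None:
            continue                          # text before the first block
        for field in line.split(", "):        # e.g. "Role: Responder, State: UP"
            if ":" not in field:
                continue
            key, value = field.split(":", 1)  # values such as 10.1.1.28:848 keep their colon
            key, value = _norm_key(key), value.strip()
            if not value:
                continue                      # section headings like "Algorithms:"
            sa[key] = int(value) if value.isdigit() else value
    for sa in sas:                            # "Expires in 37 seconds" -> 37
        m = re.search(r"(\d+) seconds", str(sa.get("lifetime", "")))
        sa["lifetime_seconds"] = int(m.group(1)) if m else None
    return sas


def assess(sa, lifetime_warn_seconds=60):
    """Return (severity, message) findings for one parsed detail SA.
    Each check reads a field the page documents; severities and the lifetime
    threshold are this example's assumptions."""
    findings = []
    if sa.get("state") != "UP":
        findings.append(("critical", f"KEK SA index {sa['index']} is {sa.get('state')}, not UP"))
    if sa.get("encryption") in LEGACY_ENCRYPTION:
        findings.append(("high", f"legacy KEK encryption {sa['encryption']}"))
    if sa.get("sig_hash") in LEGACY_SIG_HASH:
        findings.append(("high", f"legacy KEK signature hash {sa['sig_hash']}"))
    if sa.get("server_replay_window") == 0:
        findings.append(("high", "Server Replay Window is 0: antireplay is disabled"))
    if sa.get("heartbeat_timeout_left") == 0:
        findings.append(("medium", "Heartbeat Timeout Left is 0: member reregisters within 60 seconds"))
    secs = sa.get("lifetime_seconds")
    if secs is not None and secs < lifetime_warn_seconds:
        findings.append(("info", f"KEK SA expires in {secs} seconds"))
    return findings


if __name__ == "__main__":
    for row in parse_brief(BRIEF_OUTPUT):
        print("brief:", row)
    for sa in parse_detail(DETAIL_OUTPUT):
        print("detail:", sa["kek_peer"], "index", sa["index"])
        for severity, message in assess(sa):
            print(f"  [{severity}] {message}")
```

On the page's own detail sample the checks report the 3des-cbc cipher and the 37-second remaining lifetime; the replay window (100) and heartbeat timeout (5) pass. Feeding the parser output of a scheduled `show ... detail` run into a monitoring system is the intended use; the parser keys on the field labels rather than column positions so that whitespace changes in the traffic-statistics block do not break it.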