show security group-vpn server ike security-associations

Syntax

show security group-vpn server ike security-associations [brief | detail] [group group-name | group-id group-id] [index sa-index]

Release Information

Command introduced in Release 10.2 of Junos OS.

Description

Display IKE security associations (SAs).

Options

none—Display all IKE SAs for all groups.

brief—(Optional) Display summary output.

detail—(Optional) Display detailed level of output.

group—(Optional) Display IKE SAs for the specified group.

group-id—(Optional) Display IKE SAs for the group with the specified group ID.

Note: An IKE SA can be used by a group member to register to multiple groups. When you specify the group or group-id options to list the IKE SAs for a specified group, all existing IKE SAs that could be used to register to the group are displayed.

index—(Optional) Display information for a particular SA based on the index number of the SA. To obtain the index number for a particular SA, display the list of existing SAs by using the command with no options.

Required Privilege Level

view

Related Topics

show security group-vpn member ike security-associations

List of Sample Output

show security group-vpn server ike security-associations
show security group-vpn server ike security-associations detail

Output Fields

Table 99 lists the output fields for the show security group-vpn server ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 99: show security group-vpn server ike security-associations Output Fields

Field Name

Field Description

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Remote Address

IP address of the destination peer with which the local peer communicates.

State

State of the IKE security associations:

  • DOWN—SA has not been negotiated with the peer.
  • UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

The cookie protects the responder's computing resources from resource-exhaustion attacks without requiring excessive CPU time to verify the cookie's authenticity.

Mode

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

IKE Peer

IP address of the destination peer with which the local peer communicates.

Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are:

  • main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
  • aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Authentication method

Method the server uses to authenticate the source of IKE messages:

  • pre-shared-keys—Preshared key for encryption and decryption that both participants must have before beginning tunnel negotiations.
  • rsa-signatures—Digital signature, a certificate that confirms the identity of the certificate holder.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used.
    • sha1—Secure Hash Algorithm 1 (SHA-1) authentication.
    • md5—MD5 authentication.
  • Encryption—Type of encryption algorithm used.
    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
    • aes-192-cbc—AES 192-bit encryption.
    • aes-128-cbc—AES 128-bit encryption.
    • 3des-cbc—Triple Data Encryption Standard (3DES) encryption.
    • des-cbc—DES encryption.

Traffic statistics

  • Input bytes—Number of bytes received.
  • Output bytes—Number of bytes transmitted.
  • Input packets—Number of packets received.
  • Output packets—Number of packets transmitted.

IPSec security associations

  • number created: The number of SAs created.
  • number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.
  • Message ID—Unique identifier for a Phase 2 negotiation.
  • Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation)
  • Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation)
  • Flags—Notification to the key management process of the status of the IKE negotiation:
    • caller notification sent—Caller program notified about the completion of the IKE negotiation.
    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Sample Output

show security group-vpn server ike security-associations

user@host> show security group-vpn server ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
2059    10.1.1.13       UP     86c09e79d3f986b6  aadaaaf97129b8cc  Main         

Sample Output

show security group-vpn server ike security-associations detail

user@host> show security group-vpn server ike security-associations detail
IKE peer 10.1.1.13, Index 2059,
  Role: Responder, State: UP
  Initiator cookie: 86c09e79d3f986b6, Responder cookie: aadaaaf97129b8cc
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 10.1.1.11:848, Remote: 10.1.1.13:848
  Lifetime: Expires in 3571 seconds
  Algorithms:
   Authentication        : sha1 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                  628
   Output bytes  :                 1196
   Input  packets:                    5
   Output packets:                    5
  Flags: Caller notification sent 
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 2158764791
    Local: 10.1.1.11:848, Remote: 10.1.1.13:848
    Local identity: 10.1.1.11
    Remote identity: 10.1.1.13
    Flags: Caller notification sent, Waiting for done
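As an added example that is not part of this reference page or of Junos OS, the following Python parses the detail output shown above and flags SAs that an operator would want to review: SAs not in the UP state, aggressive-mode exchanges (which the Exchange type field description notes leave the peer identity unprotected), and the DES/3DES and MD5 algorithms listed under Algorithms. The sample text is constructed to mirror the page's output; the second SA is invented.

```python
import re
# Constructed sample modeled on this page's 'detail' output; the second SA is
# invented so that the review checks below have something to flag.
SAMPLE_DETAIL = """\
IKE peer 10.1.1.13, Index 2059,
  Role: Responder, State: UP
  Exchange type: Main, Authentication method: Pre-shared-keys
   Authentication        : sha1
   Encryption            : 3des-cbc
IKE peer 10.1.1.14, Index 2060,
  Role: Responder, State: DOWN
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
   Authentication        : md5
   Encryption            : des-cbc
"""
# One regex per field; the algorithm lines are anchored so that
# 'Authentication        :' is not confused with 'Authentication method:'.
FIELD_PATTERNS = {
    "state": r"State: ([^,\s]+)",
    "exchange": r"Exchange type: ([^,\s]+)",
    "auth_alg": r"^\s*Authentication\s*: (\S+)",
    "enc_alg": r"^\s*Encryption\s*: (\S+)",
}
LEGACY = {"enc_alg": {"des-cbc", "3des-cbc"}, "auth_alg": {"md5"}}

def parse_ike_sas(text):
    """Return one dict per IKE SA; each 'IKE peer' line starts a new SA."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"IKE peer (\S+), Index (\d+)", line)
        if m:
            sas.append({"peer": m.group(1), "index": int(m.group(2))})
        elif sas:  # field lines belong to the most recent SA header
            for key, pat in FIELD_PATTERNS.items():
                if m := re.search(pat, line):
                    sas[-1][key] = m.group(1)
    return sas

def review_sa(sa):
    """List what an operator would want to look at on one SA (empty = nothing)."""
    findings = []
    if sa.get("state") != "UP":
        findings.append("state is not UP")
    if sa.get("exchange", "").lower() == "aggressive":
        findings.append("aggressive mode exposes the peer identity")
    for key, legacy in LEGACY.items():
        if sa.get(key) in legacy:
            findings.append(f"legacy {key} {sa[key]}")
    return findings
```

Feed the parser the text captured from the device (for example over NETCONF or a saved CLI session) instead of SAMPLE_DETAIL to run the same checks in production.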