show security group-vpn server ipsec security-associations

Syntax

show security group-vpn server ipsec security-associations [brief | detail] [group group-name | group-id group-id]

Release Information

Command introduced in Release 10.2 of Junos OS.

Description

Display IPsec security associations (SAs).

Options

none—Display all IPsec SAs for all groups.

brief—(Optional) Display summary output.

detail—(Optional) Display detailed level of output.

group—(Optional) Display IPsec SAs for the specified group.

group-id—(Optional) Display IPsec SAs for the group with the specified numeric identifier.

Required Privilege Level

view

Related Topics

Table 97

List of Sample Output

show security group-vpn server ipsec security-associations
show security group-vpn server ipsec security-associations detail

Output Fields

Table 100 lists the output fields for the show security group-vpn server ipsec security-associations command. Output fields are listed in the approximate order in which they appear.

Table 100: show security group-vpn server ipsec security-associations

Field Name

Field Description

Group

Group name.

Group ID

Group identifier.

Total IPsec SAs

Total number of IPsec SAs in the group. While a rekey is in progress an SA holds two keys (old and new) and appears twice in the listing, so the number of lines can exceed this total.

IPsec SA

Name of the SA.

Protocol

Protocol supported. Transport mode supports Encapsulating Security Payload (ESP).

Algorithm

Cryptographic algorithms used to secure exchanges between peers during the IKE Phase 2 negotiations:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are sha1 and md5.
  • An encryption algorithm used to encrypt data traffic. Options are 3des, aes-128, aes-192, aes-256, or des.

md5, des, and 3des are considered weak by current standards; prefer sha1 (or stronger, where the release supports it) with aes-128 or higher for new group policies.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by its SPI. During a rekey the same SA name is listed with two SPIs, one for the old key and one for the new key.

Lifetime

Remaining lifetime of the SA key, in seconds, after which the key expires. The detail output labels this field Lifetime left.

Policy Name

Group policy associated with the IPsec SA. The source address, destination address, source port, destination port, and protocol defined for the policy are displayed.

Sample Output

show security group-vpn server ipsec security-associations

user@host> show security group-vpn server ipsec security-associations
Group: g2, Group Id: 2
  Total IPsec SAs: 2
  IPsec SA          Algorithm        SPI              Lifetime
  g2-gsa-1          ESP:aes-256/sha1 91f16f54         66
  g2-gsa-1          ESP:3des/sha1    39f8604a         1798
  g2-gsa-2          ESP:aes-256/sha1 e9450698         66
  g2-gsa-2          ESP:3des/sha1    99e3ead9         1798
Group: g3, Group Id: 3
  Total IPsec SAs: 2
  IPsec SA          Algorithm        SPI              Lifetime
  g2-gsa-1          ESP:aes-256/sha1 c81b4eba         66
  g2-gsa-1          ESP:3des/sha1    6696c219         1798
  g2-gsa-2          ESP:aes-256/sha1 e9230079         66
  g2-gsa-2          ESP:3des/sha1    710a231f         1798

In the output shown above, note that the encryption algorithm for the IPsec SAs changed from aes-256 to 3des, so each SA is listed twice during the rekey. When this happened, the remaining lifetime of the old key was reduced (to 66 seconds here) so that members converge on the new key, and the lifetime of the new key was set to 1800 seconds. When the show command was executed, 2 seconds had passed; therefore, the lifetime shown for the new keys is 1798 seconds.
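A small parser for the brief output, added here as a worked example (it is not part of the Junos documentation and uses no Juniper library). It reads a captured copy of the command output, groups entries by SA name, reports which SAs are mid-rekey (two keys, the one with the shorter lifetime being the old key), flags weak algorithms, and checks that the reported "Total IPsec SAs" matches the number of distinct SA names actually listed. The sample text below is constructed to mirror the page's output and is not a live capture; the regular expressions assume the column layout shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the brief output above (not a live capture).
# g3-gsa-2 is deliberately not rekeying so the rekey detection has a negative case.
SAMPLE_BRIEF = """\
Group: g2, Group Id: 2
  Total IPsec SAs: 2
  IPsec SA          Algorithm        SPI              Lifetime
  g2-gsa-1          ESP:aes-256/sha1 91f16f54         66
  g2-gsa-1          ESP:3des/sha1    39f8604a         1798
  g2-gsa-2          ESP:aes-256/sha1 e9450698         66
  g2-gsa-2          ESP:3des/sha1    99e3ead9         1798
Group: g3, Group Id: 3
  Total IPsec SAs: 2
  IPsec SA          Algorithm        SPI              Lifetime
  g3-gsa-1          ESP:aes-256/sha1 c81b4eba         66
  g3-gsa-1          ESP:3des/sha1    6696c219         1798
  g3-gsa-2          ESP:aes-256/sha1 0a1b2c3d         1500
"""

# Algorithms a practitioner would flag; assumption: anything else is acceptable.
WEAK_ALGS = {"des", "3des", "md5"}

GROUP_RE = re.compile(r"^Group:\s*(\S+),\s*Group Id:\s*(\d+)$")
TOTAL_RE = re.compile(r"^Total IPsec SAs:\s*(\d+)$")
# name  PROTO:enc/auth  spi  lifetime  (matches the data rows, not the header row)
SA_RE = re.compile(r"^(\S+)\s+([A-Z]+):([a-z0-9-]+)/([a-z0-9-]+)\s+([0-9a-fA-F]+)\s+(\d+)$")


@dataclass(frozen=True)
class GroupSa:
    group: str
    group_id: int
    sa_name: str
    protocol: str
    encryption: str
    auth: str
    spi: str
    lifetime: int  # remaining seconds


def parse_brief(text):
    """Return (list of GroupSa, {group: reported total}) from brief output."""
    sas, totals = [], {}
    group = group_id = None
    for raw in text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            group, group_id = m.group(1), int(m.group(2))
            continue
        if group is None:
            continue  # ignore anything before the first Group: line
        m = TOTAL_RE.match(line)
        if m:
            totals[group] = int(m.group(1))
            continue
        m = SA_RE.match(line)
        if m:
            name, proto, enc, auth, spi, life = m.groups()
            sas.append(GroupSa(group, group_id, name, proto, enc, auth, spi, int(life)))
    return sas, totals


def rekeys_in_progress(sas):
    """{(group, sa_name): (old_spi, new_spi)} for SAs currently holding two keys.

    The key with the shorter remaining lifetime is the old one: the server
    shortens it at rekey time and gives the new key the full lifetime.
    """
    by_name = {}
    for sa in sas:
        by_name.setdefault((sa.group, sa.sa_name), []).append(sa)
    result = {}
    for key, entries in by_name.items():
        if len(entries) >= 2:
            ordered = sorted(entries, key=lambda s: s.lifetime)
            result[key] = (ordered[0].spi, ordered[-1].spi)
    return result


def weak_sas(sas):
    """Entries whose encryption or authentication algorithm is in WEAK_ALGS."""
    return [sa for sa in sas if sa.encryption in WEAK_ALGS or sa.auth in WEAK_ALGS]


def count_mismatches(sas, totals):
    """Groups whose reported total differs from the distinct SA names listed."""
    seen = {}
    for sa in sas:
        seen.setdefault(sa.group, set()).add(sa.sa_name)
    return {g: (totals.get(g), len(names))
            for g, names in seen.items() if totals.get(g) != len(names)}


if __name__ == "__main__":
    sas, totals = parse_brief(SAMPLE_BRIEF)
    for key, (old, new) in rekeys_in_progress(sas).items():
        print(f"rekey in progress: {key[0]}/{key[1]} old spi {old} -> new spi {new}")
    for sa in weak_sas(sas):
        print(f"weak algorithm: {sa.group}/{sa.sa_name} spi {sa.spi} {sa.encryption}/{sa.auth}")
    print("count mismatches:", count_mismatches(sas, totals))
```

Feed it the real output (for example via `show security group-vpn server ipsec security-associations | no-more` saved to a file) and alert on a non-empty `weak_sas` result or a `rekeys_in_progress` entry that persists longer than the old key's shortened lifetime, which indicates members failed to pick up the new key.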

Sample Output

show security group-vpn server ipsec security-associations detail

user@host> show security group-vpn server ipsec security-associations detail
Group: g2, Group Id: 2
Total IPsec SAs: 2
  IPsec SA: g2-gsa-1
    Protocol: ESP, Authentication: sha1, Encryption: aes-256
    SPI: 91f16f54
    Lifetime left: 52
    Policy Name: gsa-pol-1
      Source: 0.0.0.0/0
      Destination: 1.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
    Policy Name: gsa-pol-2
      Source: 0.0.0.0/0
      Destination: 2.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
  IPsec SA: g2-gsa-1
    Protocol: ESP, Authentication: sha1, Encryption: 3des
    SPI: 39f8604a
    Lifetime left: 1784
    Policy Name: gsa-pol-1
      Source: 0.0.0.0/0
      Destination: 1.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
    Policy Name: gsa-pol-2
      Source: 0.0.0.0/0
      Destination: 2.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
  IPsec SA: g2-gsa-2
    Protocol: ESP, Authentication: sha1, Encryption: aes-256
    SPI: e9450698
    Lifetime left: 52
  IPsec SA: g2-gsa-2
    Protocol: ESP, Authentication: sha1, Encryption: 3des
    SPI: 99e3ead9
    Lifetime left: 1784
Group: g3, Group Id: 3
Total IPsec SAs: 2
  IPsec SA: g2-gsa-1
    Protocol: ESP, Authentication: sha1, Encryption: aes-256
    SPI: c81b4eba
    Lifetime left: 52
    Policy Name: gsa-pol-1
      Source: 0.0.0.0/0
      Destination: 1.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
    Policy Name: gsa-pol-2
      Source: 0.0.0.0/0
      Destination: 2.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
  IPsec SA: g2-gsa-1
    Protocol: ESP, Authentication: sha1, Encryption: 3des
    SPI: 6696c219
    Lifetime left: 1784
    Policy Name: gsa-pol-1
      Source: 0.0.0.0/0
      Destination: 1.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
    Policy Name: gsa-pol-2
      Source: 0.0.0.0/0
      Destination: 2.1.2.0/24
      Source Port: 5
      Destination Port: 0
      Protocol: 0
  IPsec SA: g2-gsa-2
    Protocol: ESP, Authentication: sha1, Encryption: aes-256
    SPI: e9230079
    Lifetime left: 52
  IPsec SA: g2-gsa-2
    Protocol: ESP, Authentication: sha1, Encryption: 3des
    SPI: 710a231f
    Lifetime left: 1784