show security ike security-associations

IKE Peer or Remote Address

IP address of the destination peer with which the local peer communicates.

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Location

• FPC—Flexible PIC Concentrator (FPC) slot number.
• PIC—PIC slot number.
• KMD-Instance—The name of the kmd-instance running on the SPU, identified by the FPC slot-number and PIC slot-number. Currently, 4 kmd-instances running on each SPU and any particular IKE negotiation is carried out by a single kmd-instance.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State

State of the IKE security associations:

• DOWN—SA has not been negotiated with the peer.
• UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Mode or Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

• main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.
• aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

• Authentication—Type of authentication algorithm used.
  • sha1—Secure Hash Algorithm 1(sha1) authentication.
  • md5—MD5 authentication
• Encryption—Type of encryption algorithm used.
  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.
  • aes-192-cbc— AES192-bit encryption
  • aes-128-cbc—AES 128-bit encryption.
  • 3des-cbc—3 Data Encryption Standard (DES) encryption.
  • des-cbc—DES encryption.

Traffic statistics

• Input bytes—Number of bytes received.
• Output bytes—Number of bytes transmitted.
• Input packets—Number of packets received.
• Output packets—Number of packets transmitted.

Flags

Notification to the key management process of the status of the IKE negotiation:

• caller notification sent—Caller program notified about the completion of the IKE negotiation.
• waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
• waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
• waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPSec security associations

• number created: The number of SAs created.
• number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of phase 2 IKE negotiations in progress and status information:

• Negotiation type—Type of phase 2 negotiation. Junos OS currently supports quick mode.
• Message ID—Unique identifier for a phase 2 negotiation.
• Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
• Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
• Flags—Notification to the key management process of the status of the IKE negotiation:
  • caller notification sent—Caller program notified about the completion of the IKE negotiation.
  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.