show security ipsec security-associations
Syntaxe
show security ipsec security-associations <brief | detail | extensive> <family (inet | inet6)> <fpc slot-number pic slot-number> <index SA-index-number> <kmd-instance (all | kmd-instance-name)> <node-local> <pic slot-number fpc slot-number> <sa-type shortcut> <traffic-selector traffic-selector-name> <srg-id id-number> <vpn-name vpn-name> <ha-link-encryption>
Description
Affichez des informations sur les associations de sécurité IPsec (SA).
Dans les versions 20.1R2, 20.2R2, 20.3R2, 20.3R1 et ultérieures de Junos OS, lorsque vous exécutez la show security ipsec security-associations detail
commande, un nouveau champ IKE SA Index
de sortie correspondant à chaque SA IPsec dans un tunnel s’affiche sous chaque information SA IPsec. Reportez-vous à la section show security ipsec security-associations details (SRX5400, SRX5600, SRX5800).
Options
none | Affichez des informations sur toutes les SA. |
brief | detail | extensive |
(Facultatif) Affichez le niveau de sortie spécifié. La valeur par défaut est |
family |
(Facultatif) Affichez les SA par famille. Cette option permet de filtrer la sortie.
|
fpc slot-number pic slot-number |
(Facultatif) Affichez des informations sur les SA IPsec existantes dans l’emplacement FPC (Flexible PIC Concentrator) et l’emplacement PIC spécifiés. Dans un cluster de châssis, lorsque vous exécutez la commande |
index SA-index-number |
(Facultatif) Affichez des informations détaillées sur l’AS spécifié identifié par ce numéro d’index. Pour obtenir une liste de toutes les SA incluant leurs numéros d’index, utilisez la commande sans options. |
kmd-instance |
(Facultatif) Affichez des informations sur les SA IPsec existantes dans le processus de gestion des clés (dans ce cas, il s’agit de KMD) identifié par le FPC slot-number et le PIC slot-number. Cette option s’applique lorsque vous disposez d’un
|
node-local | : (Facultatif) Affiche des informations sur les SA IPsec pour les tunnels locaux de nœud dans une configuration de haute disponibilité à plusieurs nœuds. |
pic slot-number fpc slot-number |
(Facultatif) Affichez des informations sur les SA IPsec existantes dans les emplacements PIC et FPC spécifiés. |
sa-type shortcut |
(Facultatif) C'est applicable pour ADVPN. Affichez des informations sur les SA IPsec par type |
traffic-selector traffic-selector-name |
(Facultatif) Affiche des informations sur le sélecteur de trafic spécifié. |
vpn-name vpn-name |
(Facultatif) Affichez des informations sur le VPN spécifié. |
ha-link-encryption | (Facultatif) Affichez uniquement les informations relatives au tunnel de liaison interchâssis. Voir ipsec (haute disponibilité), afficher la sécurité ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800) et afficher la sécurité ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800). |
srg-id | (Facultatif) Affichez les informations relatives à un groupe de redondance de services (SRG) spécifique dans une configuration de haute disponibilité à plusieurs nœuds. |
Niveau de privilège requis
Vue
Champs en sortie
Le tableau 1 répertorie les champs de sortie de la commande, le tableau 2 répertorie les champs de sortie de la commande et le tableau 3 répertorie les champs de sortie de la show security ipsec sa detail
show security ipsec security-associations
show security ipsec sa
commande . Les champs en sortie sont répertoriés dans l’ordre approximatif dans lequel ils apparaissent.
Nom du champ |
Description du champ |
Niveau de production |
---|---|---|
|
Nombre total de tunnels IPsec actifs. |
|
|
Numéro d’index de l’AS. Vous pouvez utiliser ce numéro pour obtenir des informations supplémentaires sur l’AS. |
Tous niveaux |
|
La cryptographie utilisée pour sécuriser les échanges entre pairs pendant les négociations IKE comprend :
|
|
|
Identificateur de l’indice des paramètres de sécurité (SPI). Une SA est identifiée de manière unique par un SPI. Chaque entrée comprend le nom du VPN, l’adresse de la passerelle distante, les SPI pour chaque direction, les algorithmes de chiffrement et d’authentification et les clés. Les passerelles homologues ont chacune deux SA, l’une résultant de chacune des deux phases de négociation : IKE et IPsec. |
|
|
La durée de vie de la SA, après laquelle elle expire, exprimée en secondes ou en kilo-octets. |
|
|
Le champ Mon fait référence à l’état de la surveillance VPN. Si la surveillance VPN est activée, ce champ s’affiche |
|
|
Le système racinaire. |
|
|
Si la traduction d’adresses réseau (NAT) est utilisée, cette valeur est 4500. Sinon, il s’agit du port IKE standard, 500. |
Tous niveaux |
|
Adresse IP de la passerelle distante. |
|
|
Nom du système logique. |
|
|
Nom IPsec pour VPN. |
|
|
L’état a deux options,
|
|
|
Adresse de passerelle du système local. |
|
|
Adresse de passerelle du système distant. |
|
|
Nom du sélecteur de trafic. |
|
|
Identité de l’homologue local afin que sa passerelle de destination partenaire puisse communiquer avec lui. La valeur est spécifiée sous la forme d’une adresse IP, d’un nom de domaine complet, d’une adresse e-mail ou d’un nom distinctif (DN). |
|
|
Adresse IP de la passerelle homologue de destination. |
|
|
Définit la plage d’adresses IP locales, la plage d’adresses IP distantes, la plage de ports source, la plage de ports de destination et le protocole. |
|
|
Plage de ports source configurée pour une durée déterminée. |
|
|
Plage de ports de destination configurée pour une durée déterminée. |
|
|
version IKE, soit |
|
|
État du bit ne pas fragmenter : |
|
|
|
|
|
L’événement tunnel et le nombre de fois qu’il s’est produit. Reportez-vous à la section Événements de tunnel pour obtenir une description des événements de tunnel et des actions que vous pouvez entreprendre.
|
|
|
ID de thread d’ancrage pour la SA (pour les équipements de la série SRX4600 avec l’option |
|
|
Direction de l’AS ; Il peut être entrant ou sortant. |
|
|
Valeur de l’indice des paramètres de sécurité auxiliaires (SPI).
|
|
|
Mode de la SA :
|
|
|
Type de l’AS :
|
|
|
État de l’Afrique du Sud :
|
|
|
Protocole pris en charge.
|
|
|
Type d’authentification utilisé. |
|
|
Type de chiffrement utilisé. À partir de Junos OS version 19.4R2, lorsque vous configurez |
|
|
La durée de vie logicielle informe le système de gestion des clés IPsec que la SA est sur le point d’expirer. Chaque durée de vie d’un SA dispose de deux options d’affichage, hard et soft, dont l’une doit être présente pour un SA dynamique. Cela permet au système de gestion des clés de négocier une nouvelle SA avant l’expiration de la durée de vie du matériel.
|
|
|
La durée de vie matérielle spécifie la durée de vie de la SA.
|
|
|
La taille de vie restante spécifie les limites d’utilisation en kilo-octets. Si aucune taille de vie n’est spécifiée, elle affiche illimité.
|
|
|
État du service qui empêche la relecture des paquets. Il peut s’agir de |
|
|
Taille de la fenêtre du service antireplay, qui est de 64 bits. |
|
|
Interface de tunnel à laquelle le VPN basé sur le routage est lié. |
|
|
Indique si le système copie la valeur DSCP externe de l’en-tête IP vers l’en-tête IP interne. |
|
|
Indique comment l’IKE est activé. |
|
|
Indique la liste des associations de sécurité IKE parentes. |
|
Nom du champ |
Description du champ |
---|---|
|
Nombre total de tunnels IPsec actifs. |
|
Numéro d’index de l’AS. Vous pouvez utiliser ce numéro pour obtenir des informations supplémentaires sur l’AS. |
|
La cryptographie utilisée pour sécuriser les échanges entre pairs pendant les négociations de la phase 2 de l’IKE comprend :
|
|
Identificateur de l’indice des paramètres de sécurité (SPI). Une SA est identifiée de manière unique par un SPI. Chaque entrée comprend le nom du VPN, l’adresse de la passerelle distante, les SPI pour chaque direction, les algorithmes de chiffrement et d’authentification et les clés. Les passerelles homologues ont chacune deux SA, une résultant de chacune des deux phases de négociation : la phase 1 et la phase 2. |
|
La durée de vie de la SA, après laquelle elle expire, exprimée en secondes ou en kilo-octets. |
|
Le champ Mon fait référence à l’état de la surveillance VPN. Si la surveillance VPN est activée, ce champ affiche U (haut) ou D (bas). Un trait d’union (-) signifie que la surveillance VPN n’est pas activée pour cette SA. Un V signifie que la vérification du chemin de données IPSec est en cours. |
|
Le système racinaire. |
|
Si la traduction d’adresses réseau (NAT) est utilisée, cette valeur est 4500. Sinon, il s’agit du port IKE standard, 500. |
|
Adresse de passerelle du système. |
Nom du champ |
Description du champ |
---|---|
|
Numéro d’index de l’AS. Vous pouvez utiliser ce numéro pour obtenir des informations supplémentaires sur l’AS. |
|
Nom du système virtuel. |
|
IPSec pour VPN. |
|
Adresse de passerelle du système local. |
|
Adresse de passerelle du système distant. |
|
Identité de l’homologue local afin que sa passerelle de destination partenaire puisse communiquer avec lui. La valeur est spécifiée sous la forme d’une adresse IP, d’un nom de domaine complet, d’une adresse e-mail ou d’un nom distinctif (DN). |
|
Adresse IP de la passerelle homologue de destination. |
|
Version IKE. Par exemple, IKEv1, IKEv2. |
|
Tunnelisation IPsec des paquets mal formés. Vous pouvez activer ou désactiver l’option. |
|
État du bit ne pas fragmenter : |
|
Interface de tunnel à laquelle le VPN basé sur le routage est lié. |
Événements de tunnel | |
|
Direction de l’AS ; Il peut être entrant ou sortant. |
|
Valeur de l’indice des paramètres de sécurité auxiliaires (SPI).
|
|
Si la surveillance VPN est activée, le À partir de Junos OS version 23.4R1 , la sortie affiche |
|
La durée de vie matérielle spécifie la durée de vie de la SA.
|
|
La taille de vie restante spécifie les limites d’utilisation en kilo-octets. Si aucune taille de vie n’est spécifiée, elle affiche illimité. |
|
La durée de vie logicielle informe le système de gestion des clés IPsec que la SA est sur le point d’expirer. Chaque durée de vie d’un SA dispose de deux options d’affichage, hard et soft, dont l’une doit être présente pour un SA dynamique. Cela permet au système de gestion des clés de négocier une nouvelle SA avant l’expiration de la durée de vie du matériel.
|
|
Mode de la SA :
|
|
Type de l’AS :
|
|
État de l’Afrique du Sud :
Pour le mode transport, la valeur de State est toujours Installed. |
|
Protocole pris en charge.
|
|
État du service qui empêche la relecture des paquets. Il peut s’agir de |
|
Taille configurée de la fenêtre du service antireplay. Il peut s’agir de 32 ou 64 paquets. Si la taille de la fenêtre de relecture est égale à 0, le service antireplay est désactivé. La taille de la fenêtre anti-rejeu protège le récepteur contre les attaques par rejeu en rejetant les paquets anciens ou dupliqués. |
Tunnel de liaison interchâssis |
|
Mode de chiffrement des liens HA |
Mode haute disponibilité pris en charge. S’affiche |
Exemple de sortie
Par souci de concision, la commande show outputs n’affiche pas toutes les valeurs de la configuration. Seul un sous-ensemble de la configuration est affiché. Le reste de la configuration sur le système a été remplacé par des ellipses (...).
- show security ipsec security-associations (IPv4)
- show security ipsec security-associations (IPv6)
- show security ipsec security-associations index 511672
- afficher les détails de l’index des associations de sécurité IPsec 131073 de sécurité
- show security ipsec sa
- afficher le détail de la sécurité ipsec sa
- afficher les détails de la sécurité ipsec sa (MX-SPC3)
- show security ipsec sa detail (MX-SPC3) avec tunnelisation en mode passif
- show security ipsec security-association
- afficher la sécurité Présentation d’IPSec Security-Associations
- afficher le détail des associations de sécurité ipsec
- show security ipsec-associations avec surveillance VPN activée
- afficher les détails des associations de sécurité ipsec avec la surveillance VPN activée
- show security ipsec security-associations famille inet6
- show security ipsec security-associations fpc 6 pic 1 kmd-instance all (pare-feu SRX Series)
- show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel) (afficher le détail des associations de sécurité ipsec (ADVPN Suggester, Static Tunnel)
- show security ipsec security-associations detail (partenaire ADVPN, tunnel statique)
- show security ipsec security-associations sa-type shortcut (ADVPN)
- show security ipsec security-associations sa-type shortcut detail (ADVPN)
- afficher la sécurité ipsec détails de la famille d’associations de sécurité
- afficher les détails des associations de sécurité IPsec (SRX4600)
- afficher les détails des associations de sécurité IPsec (SRX5400, SRX5600 et SRX5800)
- show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
- afficher la sécurité ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
show security ipsec security-associations (IPv4)
user@host> show security ipsec security-associations Total active tunnels: 14743 Total Ipsec sas: 14743 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 10.21.45.152 >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255 <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255 >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96 <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96 >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57 <513881 ESP:aes-cbc-128/sha1 0x0a57860c 1696/ unlim - root 500 10.21.54.57 >505835 ESP:aes-cbc-128/sha1 0xf827b5c6 1598/ unlim - root 500 10.21.22.204 <505835 ESP:aes-cbc-128/sha1 0x0f43bf3f 1598/ unlim - root 500 10.21.22.204 >506531 ESP:aes-cbc-128/sha1 0x01694572 1602/ unlim - root 500 10.21.25.131 <506531 ESP:aes-cbc-128/sha1 0x0a578143 1602/ unlim - root 500 10.21.25.131 >512802 ESP:aes-cbc-128/sha1 0xdc292de4 1668/ unlim - root 500 10.21.50.1 <512802 ESP:aes-cbc-128/sha1 0x0a578558 1668/ unlim - root 500 10.21.50.1 >512413 ESP:aes-cbc-128/sha1 0xbe2c52d5 1660/ unlim - root 500 10.21.48.125 <512413 ESP:aes-cbc-128/sha1 0x1129580c 1660/ unlim - root 500 10.21.48.125 >505075 ESP:aes-cbc-128/sha1 0x2aae6647 1593/ unlim - root 500 10.21.19.213 <505075 ESP:aes-cbc-128/sha1 0x02dc5c50 1593/ unlim - root 500 10.21.19.213 >514055 ESP:aes-cbc-128/sha1 0x2b8adfcb 1704/ unlim - root 500 10.21.54.238 <514055 ESP:aes-cbc-128/sha1 0x0f43c49a 1704/ unlim - root 500 10.21.54.238 >508898 ESP:aes-cbc-128/sha1 0xbcced4d6 1619/ unlim - root 500 10.21.34.194 <508898 ESP:aes-cbc-128/sha1 0x1492035a 1619/ unlim - root 500 10.21.34.194 >505328 ESP:aes-cbc-128/sha1 0x2a8d2b36 1594/ unlim - root 500 10.21.20.208 <505328 ESP:aes-cbc-128/sha1 0x14920107 1594/ unlim - root 500 10.21.20.208 >500815 ESP:aes-cbc-128/sha1 0xdd86c89a 1573/ unlim - root 500 10.21.3.47 <500815 ESP:aes-cbc-128/sha1 0x1129507f 1573/ unlim - root 500 10.21.3.47 >503758 ESP:aes-cbc-128/sha1 0x64cc490e 1586/ unlim - root 500 10.21.14.172 <503758 ESP:aes-cbc-128/sha1 0x14920001 1586/ unlim - root 500 10.21.14.172 >504004 ESP:aes-cbc-128/sha1 0xde0b63ee 1587/ unlim - root 500 10.21.15.164 <504004 ESP:aes-cbc-128/sha1 0x071b87d4 1587/ unlim - root 500 10.21.15.164 >508816 ESP:aes-cbc-128/sha1 0x2703b7a5 1618/ unlim - root 500 10.21.34.112 <508816 ESP:aes-cbc-128/sha1 0x071b8af6 1618/ unlim - root 500 10.21.34.112 >511341 ESP:aes-cbc-128/sha1 0x828f3330 1644/ unlim - root 500 10.21.44.77 <511341 ESP:aes-cbc-128/sha1 0x02dc6064 1644/ unlim - root 500 10.21.44.77 >500456 ESP:aes-cbc-128/sha1 0xa6f1515d 1572/ unlim - root 500 10.21.1.200 <500456 ESP:aes-cbc-128/sha1 0x1491fddb 1572/ unlim - root 500 10.21.1.200 >512506 ESP:aes-cbc-128/sha1 0x4108f3a3 1662/ unlim - root 500 10.21.48.218 <512506 ESP:aes-cbc-128/sha1 0x071b8d5d 1662/ unlim - root 500 10.21.48.218 >504657 ESP:aes-cbc-128/sha1 0x27a6b8b3 1591/ unlim - root 500 10.21.18.41 <504657 ESP:aes-cbc-128/sha1 0x112952fe 1591/ unlim - root 500 10.21.18.41 >506755 ESP:aes-cbc-128/sha1 0xc0afcff0 1604/ unlim - root 500 10.21.26.100 <506755 ESP:aes-cbc-128/sha1 0x149201f5 1604/ unlim - root 500 10.21.26.100 >508023 ESP:aes-cbc-128/sha1 0xa1a90af8 1612/ unlim - root 500 10.21.31.87 <508023 ESP:aes-cbc-128/sha1 0x02dc5e3b 1612/ unlim - root 500 10.21.31.87 >509190 ESP:aes-cbc-128/sha1 0xee52074d 1621/ unlim - root 500 10.21.35.230 <509190 ESP:aes-cbc-128/sha1 0x0f43c16e 1621/ unlim - root 500 10.21.35.230 >505051 ESP:aes-cbc-128/sha1 0x24130b1c 1593/ unlim - root 500 10.21.19.188 <505051 ESP:aes-cbc-128/sha1 0x149200d9 1593/ unlim - root 500 10.21.19.188 >513214 ESP:aes-cbc-128/sha1 0x2c4752d1 1676/ unlim - root 500 10.21.51.158 <513214 ESP:aes-cbc-128/sha1 0x071b8dd3 1676/ unlim - root 500 10.21.0.51.158 >510808 ESP:aes-cbc-128/sha1 0x4acd94d3 1637/ unlim - root 500 10.21.42.56 <510808 ESP:aes-cbc-128/sha1 0x071b8c42 1637/ unlim - root 500 10.21.42.56
show security ipsec security-associations (IPv6)
user@host> show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway 131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112 131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
show security ipsec security-associations index 511672
user@host> show security ipsec security-associations index 511672 ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152 Traffic Selector Name: ts Local Identity: ipv4(10.191.151.0-10.191.151.255) Remote Identity: ipv4(10.40.151.0-10.40.151.255) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 1, KMD-Instance 0 Anchorship: Thread 10 Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1639 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1257 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1639 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1257 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64
afficher les détails de l’index des associations de sécurité IPsec 131073 de sécurité
user@host> show security ipsec security-associations index 131073 detail ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1 Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1 Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1 Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39 Multi-sa, Configured SAs# 9, Negotiated SAs#: 9 Tunnel events: Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times) Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times) Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times) Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times) Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times) Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times) Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1563 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: default Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1563 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: default Direction: inbound, SPI: 5d227e19, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1551 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: best-effort Direction: outbound, SPI: 5490da, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1551 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 ...
À partir de Junos OS version 18.2R1, la sortie CLI show security ipsec security-associations index index-number detail
affiche tous les détails de la SA enfant, y compris le nom de la classe de transfert.
show security ipsec sa
user@host> show security ipsec sa Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway >67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2 >67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2 >67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2 >67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2
afficher le détail de la sécurité ipsec sa
user@host> show security ipsec sa detail ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv1 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 1, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 91 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 44 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 tunnel-establishment: establish-tunnels-responder-only-no-rekey Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 91 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 44 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 tunnel-establishment: establish-tunnels-responder-only-no-rekey ...
À partir de Junos OS version 19.1R1, un nouvel établissement de tunnel de champ dans la sortie de l’interface show security ipsec sa detail
de ligne de commande affiche l’option configurée sous ipsec vpn establish-tunnels
hiérarchie.
À partir de Junos OS version 21.3R1, un nouveau champ MTU de tunnel dans la sortie de l’interface show security ipsec sa detail
de ligne de commande affiche l’option configurée sous ipsec vpn hub-to-spoke-vpn tunnel-mtu
hiérarchie.
À partir de Junos OS version 22.1R3, sur les équipements de la gamme SRX5000, la MTU du tunnel ne s’affiche pas dans la sortie CLI si elle n’est pas configurée.
afficher les détails de la sécurité ipsec sa (MX-SPC3)
user@host> show security ipsec sa detail ID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420 Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: default-profile Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 23904 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 23288 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Enabled tunnel-establishment: establish-tunnels-immediately Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 23904 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 23288 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Enabled tunnel-establishment: establish-tunnels-immediately
show security ipsec sa detail (MX-SPC3) avec tunnelisation en mode passif
user@host> show security ipsec sa detail ID: 500054 Virtual-system: root, VPN Name: TUN_3 Local Gateway: 100.0.0.3, Remote Gateway: 200.0.0.3 Traffic Selector Name: ts1 Local Identity: ipv4(11.0.0.3-11.0.0.3) Remote Identity: ipv4(75.0.0.3-75.0.0.3) TS Type: traffic-selector Version: IKEv2 Quantum Secured: No PFS group: N/A SRG ID: 0 Passive mode tunneling: Enabled DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.3, Policy-name: IPSEC_POLICY Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Mon Sep 19 2022 19:27:44: IPsec SA negotiation succeeds (1 times) Location: FPC 3, PIC 1, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: vms-3/1/0 Direction: inbound, SPI: 0x25c03740, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expired Lifesize Remaining: Expired Soft lifetime: Expires in 2920 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 512 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 122 Direction: outbound, SPI: 0x8e8f2009, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expired Lifesize Remaining: Expired Soft lifetime: Expires in 2920 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 512 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 122
show security ipsec security-association
user@host>show security ipsec security-association Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2
afficher la sécurité Présentation d’IPSec Security-Associations
user@host> show security ipsec security-associations brief Total active tunnels: 2 Total Ipsec sas: 18 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 10.5.0.1 ...
afficher le détail des associations de sécurité ipsec
user@host> show security ipsec security-associations detail ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv1 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 0 Distribution-Profile: default-profile IKE SA Index: 2068 Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 146 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 101 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-on-traffic Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 146 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 101 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-on-traffic
show security ipsec-associations avec surveillance VPN activée
user@host> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes-gcm-256/None 15e8de2c 2086/ unlim U root 500 3.0.0.1 >131073 ESP:aes-gcm-256/None 2a1f46fb 2086/ unlim U root 500 3.0.0.1 VPN Monitoring: UP
afficher les détails des associations de sécurité ipsec avec la surveillance VPN activée
user@host> show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: SPK_VPN1 Local Gateway: 3.0.0.2, Remote Gateway: 3.0.0.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1 Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Multi-sa, Configured SAs# 1, Negotiated SAs#: 1 Direction: inbound, SPI: 15e8de2c, AUX-SPI: 0 , VPN Monitoring: UP Mode: optimized Interval:10sec Threshold: 3 Hard lifetime: Expires in 1314 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 708 seconds Mode: Tunnel(10 5), Type: dynamic, State: installed Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 2a1f46fb, AUX-SPI: 0 , VPN Monitoring: UP Mode: optimized Interval:10sec Threshold: 3 Hard lifetime: Expires in 1313 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 707 seconds Mode: Tunnel(10 5), Type: dynamic, State: installed Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations famille inet6
user@host> show security ipsec security-associations family inet6 Virtual-system: root Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) DF-bit: clear Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3440 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2813 seconds Mode: tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3440 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2813 seconds Mode: tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (pare-feu SRX Series)
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all Total active tunnels: 1 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <2 192.168.1.2 500 ESP:aes256/sha256 67a7d25d 28280/unlim - 0 >2 192.168.1.2 500 ESP:aes256/sha256 a23cbcdc 28280/unlim - 0
show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel) (afficher le détail des associations de sécurité ipsec (ADVPN Suggester, Static Tunnel)
user@host> show security ipsec security-associations detail ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear Bind-interface: st0.1 Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29 Tunnel events: Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times) Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times) Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Location: FPC 0, PIC 3, KMD-Instance 2 Direction: inbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 3, KMD-Instance 2 Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
show security ipsec security-associations detail (partenaire ADVPN, tunnel statique)
user@host> show security ipsec security-associations detail ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Bind-interface: st0.1 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29 Tunnel events: Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times) Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times) Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations sa-type shortcut (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111 >268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111
show security ipsec security-associations sa-type shortcut detail (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut detail node0: -------------------------------------------------------------------------- ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Auto Discovery VPN: Type: Shortcut, Shortcut Role: Initiator Version: IKEv2 DF-bit: clear, Bind-interface: st0.1 Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29 Tunnel events: Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times) Direction: inbound, SPI: b7a5518, AUX-SPI: 0 Hard lifetime: Expires in 1766 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1381 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: b7e0268, AUX-SPI: 0 Hard lifetime: Expires in 1766 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1381 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
afficher la sécurité ipsec détails de la famille d’associations de sécurité
user@host> show security ipsec security-associations family inet detail ID: 131073 Virtual-system: root, VPN Name: ike-vpn Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv1 DF-bit: clear , Copy-Outer-DSCP Enabled Bind-interface: st0.99 Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Tunnel events: Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times) Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times) Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times) Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times) Location: FPC 0, PIC 1, KMD-Instance 1 Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 1, KMD-Instance 1 Direction: outbound, SPI: 727f629d, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
afficher les détails des associations de sécurité IPsec (SRX4600)
user@host> show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: ike-vpn Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Bind-interface: st0.0 Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Tunnel events: Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 6 Direction: inbound, SPI: 812c9c01, AUX-SPI: 0 Hard lifetime: Expires in 2224 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1598 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 7 Direction: outbound, SPI: c4de0972, AUX-SPI: 0 Hard lifetime: Expires in 2224 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1598 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
afficher les détails des associations de sécurité IPsec (SRX5400, SRX5600 et SRX5800)
Un nouveau champ IKE SA Index
de sortie correspondant à chaque SA IPsec au sein d’un tunnel s’affiche sous chaque information SA IPsec.
user@host> show security ipsec security-associations detail ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118 Traffic Selector Name: TS_DEFAULT Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(10.181.235.224-10.181.235.224) Version: IKEv2 PFS group: N/A DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 7, PIC 1, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: default-profile Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 644 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 159 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 22 Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 644 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 159 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 22 Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1771 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1391 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 40 Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1771 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1391 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 40
show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
À partir de Junos OS version 20.4R1, lorsque vous configurez la fonctionnalité de haute disponibilité (HA), vous pouvez utiliser cette commande show pour afficher uniquement les détails du tunnel de liaison interchâssis.
user@host> show security ipsec security-associations ha-link-encryption Total active tunnels: 1 Total IPsec sas: 91 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495001 ESP:aes-gcm-256/aes256-gcm 0x0047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2446c5cd 298/ unlim - root 500 10.23.0.2 ...
afficher la sécurité ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
À partir de Junos OS version 20.4R1, lorsque vous configurez la fonctionnalité de haute disponibilité (HA), vous pouvez utiliser cette commande show pour afficher uniquement les détails du tunnel de liaison interchâssis. Il affiche les SA multiples créées pour le tunnel de chiffrement des liens interchâssis.
user@host> show security ipsec sa detail ha-link-encryption ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2 Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__ Local Identity: ipv4(180.100.1.1-180.100.1.1) Remote Identity: ipv4(180.100.1.2-180.100.1.2) Version: IKEv2 PFS group: DH-Group-24 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 HA Link Encryption Mode: Multi-Node Location: FPC -, PIC -, KMD-Instance - Anchorship: Thread - Distribution-Profile: default-profile Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 15 IKE SA Index: 4294966297 Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 15 IKE SA Index: 4294966297 Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 16 IKE SA Index: 4294966297 Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0 , VPN Monitoring: - ...
Dans Junos OS version 22.3R1 et ultérieure, lorsque vous configurez la fonctionnalité de chiffrement de liaison de contrôle Chassis Cluster HA, vous pouvez exécuter les show security ike sa ha-link-encryption detail
commandes , show security ipsec sa ha-link-encryption detail
et show security ipsec sa ha-link-encryption
pour afficher les détails du tunnel de chiffrement de liaison de contrôle Chassis cluster.
afficher la sécurité ike sa ha-link-encryption détail
user@host> show security ike sa ha-link-encryption detail IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0 Role: Initiator, State: UP Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f Exchange type: IKEv2, Authentication method: Pre-shared-keys Local gateway interface: em0 Routing instance: __juniper_private1__ Local: 10.7.0.2:500, Remote: 10.2.0.1:500 Lifetime: Expires in 24856 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Remote Access Client Info: Unknown Client Peer ike-id: 10.2.0.1 AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes256-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-2 Traffic statistics: Input bytes : 200644 Output bytes : 200644 Input packets: 2635 Output packets: 2635 Input fragmented packets: 0 Output fragmented packets: 0 IPSec security associations: 6 created, 3 deleted Phase 2 negotiations in progress: 1 IPSec Tunnel IDs: 495002 Negotiation type: Quick mode, Role: Initiator, Message ID: 0 Local: 10.7.0.2:500, Remote: 10.2.0.1:500 Local identity: 10.7.0.2 Remote identity: 10.2.0.1 Flags: IKE SA is created IPsec SA Rekey CREATE_CHILD_SA exchange stats: Initiator stats: Responder stats: Request Out : 1 Request In : 1 Response In : 1 Response Out : 1 No Proposal Chosen In : 0 No Proposal Chosen Out : 0 Invalid KE In : 0 Invalid KE Out : 0 TS Unacceptable In : 0 TS Unacceptable Out : 0 Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0 Res Verify SA Fail : 0 Res Verify DH Group Fail: 0 Res Verify TS Fail : 0
afficher la sécurité ipsec sa ha-link-encryption détail
user@host> show security ipsec sa ha-link-encryption detail ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0 Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1 Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu Local Identity: ipv4(10.7.0.2-10.7.0.2) Remote Identity: ipv4(10.2.0.1-10.2.0.1) TS Type: traffic-selector Version: IKEv2 PFS group: DH-group-24 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 HA Link Encryption Mode: L2 Chassis Cluster Location: FPC -, PIC -, KMD-Instance - Anchorship: Thread - Distribution-Profile: default-profile Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3435 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2818 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 4294966274 Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3435 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2818 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 4294966274
show security ipsec sa ha-link-encryption
user@host> show security ipsec sa ha-link-encryption Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495002 ESP:aes-cbc-256/sha1 0x35fae26b 3484/ unlim - root 500 10.2.0.1 >495002 ESP:aes-cbc-256/sha1 0x0a2b9927 3484/ unlim - root 500 10.2.0.1
afficher le détail des associations de sécurité IPsec (pare-feu SRX Series et routeurs MX Series)
Dans Junos OS version 20.4R2, 21.1R1 et ultérieure, vous pouvez exécuter la show security ipsec security-associations detail
commande pour afficher le type de sélecteur de trafic pour un VPN.
user@host> show security ipsec security-associations detail ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2 Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1 Traffic Selector Name: ts1 Local Identity: ipv4(10.20.20.0-10.20.20.255) Remote Identity: ipv4(10.10.10.0-10.10.10.255) TS Type: traffic-selector Version: IKEv2 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1798 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1397 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 17 Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1798 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1397 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 17 ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1 Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1 Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(0.0.0.0-255.255.255.255) TS Type: proxy-id Version: IKEv2 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1755 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1339 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 18 Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1755 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1339 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 18
- afficher les détails des associations de sécurité IPsec (SRX5400, SRX5600 et SRX5800)
- show security ipsec associations de sécurité srg-id
- show security ipsec sécurité-associations noeud-local
- afficher le détail du noeud local des associations de sécurité ipsec
afficher les détails des associations de sécurité IPsec (SRX5400, SRX5600 et SRX5800)
À partir de Junos OS version 21.1R1, vous pouvez afficher les détails du sélecteur de trafic, notamment l’identité locale, l’identité distante, le protocole, la plage de ports source, la plage de ports de destination pour plusieurs termes définis pour une SA IPsec.
Dans les versions antérieures de Junos, la sélection du trafic d’une SA particulière s’effectue à l’aide d’une plage d’adresses IP existante définie à l’aide d’une adresse IP ou d’un masque de réseau. À partir de Junos OS version 21.1R1, le trafic est également sélectionné via le protocole spécifié à l’aide protocol_namede . De plus, la plage de ports basse et haute est spécifiée pour les numéros de port source et de destination.
user@host> show security ipsec security-associations detail ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1 Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2 Traffic Selector Name: ts1 Local Identity: Protocol Port IP 17/UDP 100-200 198.51.100.0-198.51.100.255 6/TCP 250-300 198.51.100.0-198.51.100.255 Remote Identity: Protocol Port IP 17/UDP 150-200 10.80.0.1-10.80.0.1 6/TCP 250-300 10.80.1.1-10.80.1.1 Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: ……… Direction: outbound, SPI: …………
show security ipsec associations de sécurité srg-id
user@host> show security ipsec security-associations srg-id 1 Total active tunnels: 1 Total IPsec sas: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <17277217 ESP:aes-cbc-256/sha256 0xc7faee3e 1440/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0x7921d472 1440/ unlim - root 500 10.112.0.1 <17277217 ESP:aes-cbc-256/sha256 0xf1a01dd4 1498/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0xa0b77273 1498/ unlim - root 500 10.112.0.1
show security ipsec sécurité-associations noeud-local
user@host> show security ipsec security-associations node-local Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <500001 ESP:aes-cbc-256/sha256 0x5f2fdf60 3093/ unlim - root 500 6.0.0.2 >500001 ESP:aes-cbc-256/sha256 0x293e67e0 3093/ unlim - root 500 6.0.0.2
afficher le détail du noeud local des associations de sécurité ipsec
user@host> show security ipsec security-associations node-local ID: 500003 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 4.0.0.1, Remote Gateway: 6.0.0.2 Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(0.0.0.0-255.255.255.255) TS Type: proxy-id Version: IKEv2 Quantum Secured: No PFS group: DH-group-19 Passive mode tunneling: Disabled DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Sun Apr 09 2023 22:22:27: IPsec SA negotiation succeeds (1 times) Location: FPC 1, PIC 1, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0x8c8c3761, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3564 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2884 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 25 Direction: outbound, SPI: 0x0e798f8c, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3564 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2884 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 25
Informations sur la version
Commande introduite dans Junos OS version 8.5. Prise en charge de l’option family
ajoutée dans Junos OS version 11.1.
Prise en charge de l’option vpn-name
ajoutée dans Junos OS version 11.4R3. Prise en charge des options et du traffic-selector
champ de sélection de trafic ajouté dans Junos OS version 12.1X46-D10.
La prise en charge d’Auto Discovery VPN (ADVPN) a été ajoutée dans Junos OS version 12.3X48-D10.
La prise en charge de la vérification IPsec des chemins de données a été ajoutée dans Junos OS version 15.1X49-D70.
La prise en charge de l’ancrage de thread a été ajoutée dans Junos OS version 17.4R1.
À partir de Junos OS version 18.2R2, la sortie de la show security ipsec security-assocations detail
commande inclut les informations d’ancrage de thread pour les associations de sécurité (SA).
À partir de Junos OS version 19.4R1, nous avons déconseillé l’option fc-name
CLI (nom de la classe d’expédition COS) dans le nouveau processus iked qui affiche les associations de sécurité (SA) sous la commande show security ipsec sa
show .
Prise en charge de l’option ha-link-encryption
ajoutée dans Junos OS version 20.4R1.
Prise en charge de l’option srg-id
ajoutée dans Junos OS version 22.4R1.
La prise en charge du passive-mode-tunneling
sur MX-SPC3 est introduite dans Junos OS version 23.1R1.
La prise en charge de cette node-local
option a été ajoutée dans Junos OS version 23.2R1.
À partir de Junos OS version 23.4R1, kmd-instance
l’option est disponible uniquement lorsque vous disposez d’un kmd
processus pour VPN IPsec. Lorsque vous activez iked
le processus à l’aide d’un junos-iked
package, cette option n’est pas disponible.
La prise en charge de la taille de vie en kilo-octets, de la taille de vie restante et des informations de surveillance VPN dans la sortie de commande avec le VPN IPsec exécutant le processus iked est ajoutée dans Junos OS version 23.4R1.