show security ike security-associations
Syntax
show security ike security-associations
<peer-address>
<brief | detail>
<family (inet | inet6)>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<pic slot-number>
<sa-type shortcut >
<ha-link-encryption>
Description
SAS(Internet Key Exchange 보안 연결)에 대한 IKE(Internet Key Exchange) 표시
Options
none—인덱스 번호를 포함하여 기존 IKE(Internet Key Exchange) SAS에 대한 표준 정보를 표시합니다.
peer-address—(옵션) 대상 피어의 IPv4 또는 IPv6 주소를 기반으로 특정 SA에 대한 세부 정보를 표시합니다. 이 옵션은 동일한index수준의 출력을 제공합니다.brief—(옵션) 모든 기존 SAS에 대한 표준 IKE(Internet Key Exchange) 표시 (기본)detail—(옵션) 모든 기존 SAS에 대한 상세 IKE(Internet Key Exchange) 표시family—(옵션) IKE(Internet Key Exchange) SAS에 대한 디스플레이. 이 옵션은 출력을 필터링하는 데 사용됩니다.inet—IPv4 주소 패밀리.inet6—IPv6 주소 패밀리.
fpc slot-number—(옵션) FPC(Flexible PIC Concentrator) 슬롯에 기존 IKE(Internet Key Exchange) SAS에 대한 정보를 표시합니다. 이 옵션은 출력을 필터링하는 데 사용됩니다.섀시 클러스터에서 운영 모드에서 CLI 명령을 실행할 때
show security ike security-associations pic <slot-number> fpc <slot-number>지정된 FPC(Flexible PIC Concentrator) 슬롯 및 PIC 슬롯에 있는 기존 IPsec SAS에 대한 기본 노드 정보만 표시됩니다.index SA-index-number—(옵션) SA 인덱스 번호를 기준으로 특정 SA에 대한 정보를 표시합니다. 특정 SA의 경우, 옵션 없는 명령어를 사용해 기존 SA 목록을 표시합니다. 이 옵션은 동일한peer-address수준의 출력을 제공합니다.
kmd-instance—(옵션) FPC 슬롯 번호 IKE(Internet Key Exchange) PIC 슬롯 번호로 식별되는 주요 관리 프로세스(이 경우 KMD)에 기존 SAS에 대한 정보를 표시합니다. 이 옵션은 출력을 필터링하는 데 사용됩니다.all—서비스 프로세싱 유닛(SPU)에서 실행되는 모든 KMD 인스턴스.kmd-instance-name—SPU에서 실행되는 KMD 인스턴스의 이름.
pic slot-number—(옵션) 이 PIC 슬롯에 기존 IKE(Internet Key Exchange) SAS에 대한 정보를 표시합니다. 이 옵션은 출력을 필터링하는 데 사용됩니다.sa-type—(ADVPN에 대한 옵션) SA 유형shortcut은 이번 릴리스의 유일한 옵션입니다.
ha-link-encryption—(옵션) interchassis 링크 터널과 관련된 정보 표시 전용. ipsec(고가용성) 및 show security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800) 를 확인하십시오.
Required Privilege Level
보기
Output Fields
표 1 명령의 출력 필드를 show security ike security-associations 나열합니다. 출력 필드는 대략적인 순서로 나열되어 있습니다.
필드 이름 |
필드 설명 |
|---|---|
|
로컬 피어가 통신하는 대상 피어의 IP 주소 |
|
SA 인덱스 수. 이 번호는 단일 SA에 대한 정보를 표시하는 데 사용할 수 있는 내부적으로 생성된 번호입니다. |
|
IKE(Internet Key Exchange) 이름 |
|
|
|
세션에서 파트가 IKE(Internet Key Exchange). IKE(Internet Key Exchange) 협상을 트리거하는 디바이스는 시작자이자, 첫 번째 IKE(Internet Key Exchange) 교환 패킷을 수신하는 디바이스가 응답자입니다. |
|
IKE(INTERNET KEY EXCHANGE) 상태:
|
|
쿠키라고 하는 임의의 수입니다. 쿠키는 사용자 협상이 트리거될 때 IKE(Internet Key Exchange) 리모트 노드로 전송됩니다. |
|
원격 노드에서 임의 번호가 생성되어 패킷이 수신된 검증으로 시작자에 다시 전송됩니다. 쿠키는 과도한 CPU 리소스를 소비하여 쿠키의 진위를 판단하지 않고 공격으로부터 컴퓨팅 리소스를 보호하는 것을 목표로 합니다. |
|
서로 정보를 교환하는 데 사용되는 2개의 IPsec 엔드포인트 또는 피어에 의해 합의된 협상 방식입니다. 각 교환 유형 또는 모드는 메시지 수와 각 메시지에 포함된 페이로드 유형을 결정합니다. 모드는 다음을 제공합니다.
IKEv2 프로토콜은 협상을 위해 모드 구성을 사용하지 않습니다. 따라서 이 모드는 보안 연결의 버전 번호를 표시합니다. |
|
를 통해 IKE(Internet Key Exchange) 수 있는 디지털 인증서의 소스를 인증하는 |
|
로컬 피어 주소. |
|
원격 피어 주소. |
|
sa가 만료될 때까지 남은 IKE(Internet Key Exchange) 수 있습니다. |
|
활성화하면 재인식이 시작될 때까지 남은 초 수로 새로운 IKEv2 SA 협상이 트리거됩니다. |
|
|
|
IKE(Internet Key Exchange) 2단계 프로세스 동안 피어 간의 교환을 암호화하고 보호하는 데 사용되는 알고리즘을 제공합니다.
|
|
|
|
협상의 상태에 대한 주요 관리 프로세스에 IKE(Internet Key Exchange) 통보:
|
|
|
|
진행 상황 및 상태 IKE(Internet Key Exchange) 협상을 위한 2단계 개수:
|
|
로컬 게이트웨이의 인터페이스 이름. |
|
로컬 게이트웨이 라우팅 인스턴스의 이름. |
|
자식 IPsec 터널 아이디 목록을 나타 |
Sample Output
- show security ike security-associations (IPv4)
- show security ike security-associations (IPv6)
- show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)
- show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)
- command-name
- show security ike security-associations family inet6
- show security ike security-associations index 222075191 detail
- show security ike security-associations index 788674 detail
- show security ike security-associations 192.168.1.2
- show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
- show security ike security-associations detail (ADVPN Suggester, Static Tunnel)
- show security ike security-associations detail (ADVPN Partner, Static Tunnel)
- show security ike security-associations detail (ADVPN Partner, Shortcut)
- show security ike security-associations sa-type shortcut (ADVPN)
- show security ike security-associations sa-type shortcut detail (ADVPN)
- show security ike security-associations detail (IKEv2 Reauthentication)
- show security ike security-associations detail (IKEv2 Fragmentation)
- show security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
show security ike security-associations (IPv4)
user@host> show security ike security-associations Index Remote Address State Initiator cookie Responder cookie Mode 8 192.168.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main Index Remote Address State fInitiator cookie Responder cookie Mode 9 192.168.1.3 UP 5ba96hfa9f65067 70890755b65b80b Main
show security ike security-associations (IPv6)
user@host> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 5 UP e48efd6a444853cf 0d09c59aafb720be Aggressive 2001:db8::1112
show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)
user@host> show security ike security-associations detail
IKE peer 192.168.134.245, Index 2577565, Gateway Name: tropic
Role: Initiator, State: UP
Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3
Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp
Local: 192.168.134.241:500, Remote: 192.168.134.245:500
Local gateway interface: ge-0/0/0
Routing instance: default
Lifetime: Expires in 169 seconds
Peer ike-id: 192.168.134.245
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes-128-gcm
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 1012
Output bytes : 1196
Input packets: 4
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 192.168.134.241:500, Remote: 192.168.134.245:500
Local identity: 192.168.134.241
Remote identity: 192.168.134.245
Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
Initiator stats: Responder stats:
Request Out : 1 Request In : 0
Response In : 1 Response Out : 0
No Proposal Chosen In : 0 No Proposal Chosen Out : 0
Invalid KE In : 0 Invalid KE Out : 0
TS Unacceptable In : 0 TS Unacceptable Out : 0
Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0
Res Verify SA Fail : 0
Res Verify DH Group Fail: 0
Res Verify TS Fail : 0show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)
user@host> show security ike security-associations detail
IKE peer 2.0.0.2, Index 2068, Gateway Name: IKE_GW
Role: Responder, State: DOWN
Initiator cookie: aa08091f3d4f1fb6, Responder cookie: 08c89a7add5f9332
Exchange type: IKEv2, Authentication method: Pre-shared-keys
Local gateway interface: ge-0/0/3
Routing instance: default
Local: 2.0.0.1:500, Remote: 2.0.0.2:500
Lifetime: Expires in 186 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Remote Access Client Info: Unknown Client
Peer ike-id: 2.0.0.2
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha256-128
Encryption : aes128-cbc
Pseudo random function: hmac-sha256
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 704
Output bytes : 1408
Input packets: 4
Output packets: 4
Input fragmented packets: 0
Output fragmented packets: 0
IPSec security associations: 4 created, 2 deleted
Phase 2 negotiations in progress: 1
IPSec Tunnel IDs: 500766, 500767
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 2.0.0.1:500, Remote: 2.0.0.2:500
Local identity: 2.0.0.1
Remote identity: 2.0.0.2
Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
Initiator stats: Responder stats:
Request Out : 0 Request In : 0
Response In : 0 Response Out : 0
No Proposal Chosen In : 0 No Proposal Chosen Out : 0
Invalid KE In : 0 Invalid KE Out : 0
TS Unacceptable In : 0 TS Unacceptable Out : 0
Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0
Res Verify SA Fail : 0
Res Verify DH Group Fail: 0
Res Verify TS Fail : 0command-name
show security ike stats 항목은 명령의 출력 필드를 show security ike security-associations detail 나열합니다.
show security ike security-associations family inet6
user@host> show security ike security-associations family inet6
IKE peer 2001:db8:1212::1112, Index 5, Gateway Name: tropic
Role: Initiator, State: UP
Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
Exchange type: Aggressive, Authentication method: Pre-shared-keys
Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500
Lifetime: Expires in 19518 seconds
Peer ike-id: not valid
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : sha1
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 1568
Output bytes : 2748
Input packets: 6
Output packets: 23
Flags: Caller notification sent
IPSec security associations: 5 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624
Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Flags: Caller notification sent, Waiting for done show security ike security-associations index 222075191 detail
user@host> show security ike security-associations index 222075191 detail
node0:
-
IKE peer 192.168.1.2, Index 222075191, Gateway Name: ZTH_HUB_GW
Location: FPC 0, PIC 3, KMD-Instance 2
Auto Discovery VPN:
Type: Static, Local Capability: Suggester, Peer Capability: Partner
Suggester Shortcut Suggestions Statistics:
Suggestions sent : 2
Suggestions accepted: 4
Suggestions declined: 1
Role: Responder, State: UP
Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.1.1:500, Remote: 192.168.1.2:500
Lifetime: Expires in 828 seconds
Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=cssvk36-d
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 20474
Output bytes : 21091
Input packets: 237
Output packets: 237
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 192.168.1.1:500, Remote: 192.168.1.2:500
Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1
Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2
Flags: IKE SA is created
show security ike security-associations index 788674 detail
user@host> show security ike security-associations index 788674 detail
IKE peer 192.168.1.1, Index 788674, Gateway Name: ZTH_SPOKE_GW
Auto Discovery VPN:
Type: Static, Local Capability: Partner, Peer Capability: Suggester
Partner Shortcut Suggestions Statistics:
Suggestions received: 2
Suggestions accepted: 2
Suggestions declined: 0
Role: Initiator, State: UP
Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.1.2:500, Remote: 192.168.1.1:500
Lifetime: Expires in 734 seconds
Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=test
Xauth user-name: not available
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes256-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 22535
Output bytes : 21918
Input packets: 256
Output packets: 256
IPSec security associations: 2 created, 0 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 192.168.1.2:500, Remote: 192.168.1.1:500
Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1
Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2
Flags: IKE SA is created
show security ike security-associations 192.168.1.2
user@host> show security ike security-associations 192.168.1.2 Index State Initiator cookie Responder cookie Mode Remote Address 8 UP 3a895f8a9f620198 9040753e66d700bb Main 192.168.1.2
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)
user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all Index Remote Address State Initiator cookie Responder cookie Mode 1728053250 192.168.1.2 UP fc959afd1070d10b bdeb7e8c1ea99483 Main
show security ike security-associations detail (ADVPN Suggester, Static Tunnel)
user@host> show security ike security-associations detail
IKE peer 192.168.0.105, Index 13563297, Gateway Name: zth_hub_gw
Location: FPC 0, PIC 0, KMD-Instance 1
Auto Discovery VPN:
Type: Static, Local Capability: Suggester, Peer Capability: Partner
Suggester Shortcut Suggestions Statistics:
Suggestions sent : 12
Suggestion response accepted: 12
Suggestion response declined: 0
Role: Responder, State: UP
Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.0.154:500, Remote: 192.168.0.105:500
Lifetime: Expires in 26429 seconds
Peer ike-id: DC=example, CN=host02, L=Sunnyvale, ST=CA, C=USshow security ike security-associations detail (ADVPN Partner, Static Tunnel)
user@host> show security ike security-associations detail
IKE peer 192.168.0.154, Index 4980720, Gateway Name: zth_spoke_gw
Location: FPC 0, PIC 0, KMD-Instance 1
Auto Discovery VPN:
Type: Static, Local Capability: Partner, Peer Capability: Suggester
Partner Shortcut Suggestions Statistics:
Suggestions received: 12
Suggestions accepted: 12
Suggestions declined: 0
Role: Initiator, State: UP
Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21
Exchange type: IKEv2, Authentication method: RSA-signatures
Local: 192.168.0.105:500, Remote: 192.168.0.154:500
Lifetime: Expires in 26252 seconds
Peer ike-id: DC=example, CN=host01, OU=SBU, O=example, L=Sunnyvale, ST=CA, C=US
show security ike security-associations detail (ADVPN Partner, Shortcut)
user@host> show security ike security-associations detail IKE peer 192.168.0.106, Index 4980737, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173323 Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Shortcut, Local Capability: Partner, Peer Capability: Partner Role: Responder, State: UP Initiator cookie: e1ed0c655929debc, Responder cookie: 437de6ed784ba63e Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.0.105:500, Remote: 192.168.0.106:500 Lifetime: Expires in 28796 seconds Peer ike-id: DC=example, CN=paulyd, L=Sunnyvale, ST=CA, C=US
show security ike security-associations sa-type shortcut (ADVPN)
user@host> show security ike security-associations sa-type shortcut Index State Initiator cookie Responder cookie Mode Remote Address 4980742 UP vb56fbe694eaee5b6 064dbccbfa3b2aab IKEv2 192.168.0.106
show security ike security-associations sa-type shortcut detail (ADVPN)
user@host> show security ike security-associations sa-type shortcut detail IKE peer 192.168.0.106, Index 4980742, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173327 Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Shortcut, Local Role: Partner, Peer Role: Partner Role: Responder, State: UP
show security ike security-associations detail (IKEv2 Reauthentication)
user@host> show security ike security-associations detail IKE peer 10.1.2.11, Index 6009224, Gateway Name: GW Role: Responder, State: UP Initiator cookie: 2c74d14c798a9d70, Responder cookie: 83cbb49bfbcb80cb Exchange type: IKEv2, Authentication method: RSA-signatures Local: 10.1.1.11:500, Remote: 10.1.2.11:500 Lifetime: Expires in 173 seconds Reauth Lifetime: Expires in 600 seconds Peer ike-id: vsrx@example.net AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes128-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-2 Traffic statistics: Input bytes : 1782 Output bytes : 1743 Input packets: 2
show security ike security-associations detail (IKEv2 Fragmentation)
user@host> show security ike security-associations detail
IKE peer 172.24.23.157, Index 11883008, Gateway Name: routebased_s2s_gw-552_1
Role: Responder, State: UP
Initiator cookie: f3255e720f162e3a, Responder cookie: 17555e3ff7451841
Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp
Local: 192.168.254.1:500, Remote: 172.24.23.157:500
Lifetime: Expires in 530 seconds
Reauth Lifetime: Disabled
IKE Fragmentation: Enabled, Size: 576
Peer ike-id: 172.24.23.157
AAA assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : 3des-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 1004
Output bytes : 756
Input packets: 6
Output packets: 4
Input fragmented packets: 3
Output fragmented packets: 3
IPSec security associations: 1 created, 1 deleted
Phase 2 negotiations in progress: 1
Negotiation type: Quick mode, Role: Responder, Message ID: 0
Local: 192.168.254.1:500, Remote: 172.24.23.157:500
Local identity: 192.168.254.1
Remote identity: 172.24.23.157
Flags: IKE SA is createdshow security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
Junos OS Release 20.4R1 고가용성(고가용성(HA)) 기능을 구성할 때 이 show 명령을 사용하여 interchassis 링크 터널 세부 정보만 볼 수 있습니다. 다음 명령어는 양 노드의 링크 암호화 SAS만 표시합니다.
user@host> show security ike security-associations ha-link-encryption Index State Initiator cookie Responder cookie Mode Remote Address 4294966287 UP 7b77b4e2fd5a87e5 ab4a398e6a28687a IKEv2 23.0.0.2
Release Information
릴리스 8.5에 Junos OS 명령어가 도입되었습니다. 에 대한 지원 및 Junos OS fpcpic 릴리스 kmd-instance 9.3에 추가된 옵션. Junos OS family 릴리스 11.1에 추가된 옵션 지원. 새로운 릴리스 릴리스에서 Auto Discovery VPN에 Junos OS 지원 12.3X48-D10. 새로운 릴리스 릴리스에 추가된 IKEv2 재인식 Junos OS 지원 15.1X49-D60. IKEv2 단편화 추가 지원 Junos OS 릴리스 15.1X49-D80.
릴리스 ha-link-encryption 날짜에 추가된 Junos OS 지원 20.4R1.