show security ipsec security-associations

Syntax

show security ipsec security-associations <brief | detail> <family (inet | inet6)> <fpc slot-number pic slot-number> <index SA-index-number> <kmd-instance (all | kmd-instance-name)> <pic slot-number fpc slot-number> <sa-type shortcut> <traffic-selector traffic-selector-name> <srg-id id-number> <vpn-name vpn-name> <ha-link-encryption>

Description

Display information about IPsec security associations (SAs).

In Junos OS Release 20.1R2, 20.2R2, 20.3R2, 20.3R1 and later, when you run the show security ipsec security-associations detail command, a new output field, IKE SA Index, corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA entry. See show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800).
Options

none
    Display information about all SAs.

brief | detail
    (Optional) Display the specified level of output. The default is .

family
    (Optional) Display SAs by family. This option is used to filter the output.

fpc slot-number pic slot-number
    (Optional) Display information about existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot. In a chassis cluster, the CLI command in operational mode

index SA-index-number
    (Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, run the command without any options.

kmd-instance
    (Optional) Display information about existing IPsec SAs in the key management process (in this case, KMD) identified by the FPC slot-number and PIC slot-number.

pic slot-number fpc slot-number
    (Optional) Display information about existing IPsec SAs in the specified PIC slot and FPC slot.

sa-type
    (Optional, for ADVPN) Display information about SAs of the specified type.

traffic-selector traffic-selector-name
    (Optional) Display information about the specified traffic selector.

vpn-name vpn-name
    (Optional) Display information about the specified VPN.

ha-link-encryption
    (Optional) Display information related to the interchassis link tunnel only. See ipsec (High Availability), show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800), and show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800).

srg-id
    (Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.
Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec security-associations command, Table 2 lists the output fields for the show security ipsec sa command, and Table 3 lists the output fields for show security ipsec sa detail. Output fields are listed in the approximate order in which they appear.
Table 1: show security ipsec security-associations Output Fields

Field Name | Field Description | Output Level
---|---|---
Total active tunnels | Total number of active IPsec tunnels. |
ID | Index number of the SA. You can use this number to get additional information about the SA. | All levels
Algorithm | Cryptography used to secure exchanges between peers during the IKE negotiation includes: |
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec. |
Life:sec/kb | The lifetime of the SA, after which the SA expires, expressed in seconds or kilobytes. |
Mon | The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress. |
lsys | Root system. |
Port | If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. | All levels
Gateway | IP address of the remote gateway. |
Virtual-system | Name of the logical system. |
VPN Name | IPsec name of the VPN. |
 | State has two options, and . |
Local Gateway | Gateway address of the local system. |
Remote Gateway | Gateway address of the remote system. |
Traffic Selector Name | Name of the traffic selector. |
Local Identity | Identity of the local peer so that the partner destination gateway can communicate with the peer. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN). |
Remote Identity | IP address of the destination peer gateway. |
 | Defines the local IP range, remote IP range, source port range, destination port range, and protocol. |
 | Source port range configured for the term. |
 | Destination port range configured for the term. |
Version | IKE version, IKEv1 or IKEv2. |
DF-bit | State of the don't fragment bit: |
Tunnel events | Tunnel events and the number of times each event has occurred. See Tunnel Events for descriptions of tunnel events and the actions you can take. |
Anchorship | Anchor thread ID for the SA (on SRX4600 Series devices with the option) |
Direction | Direction of the SA; it can be inbound or outbound. |
AUX-SPI | Value of the auxiliary security parameter index (SPI). |
Mode | Mode of the SA: |
Type | Type of SA: |
State | State of the SA: |
Protocol | Protocol supported. |
Authentication | Type of authentication used. |
Encryption | Type of encryption used. Starting in Junos OS Release 19.4R2, the or encryption algorithm at the hierarchy level |
Soft lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires. |
Hard lifetime | The hard lifetime specifies the lifetime of the SA. |
Lifesize Remaining | The remaining lifesize specifies the usage limit in kilobytes. If no lifesize is specified, it shows unlimited. |
Anti-replay service | State of the service that prevents packet replay: or . |
Replay window size | Anti-replay service window size, which is 64 bits. |
Bind-interface | Tunnel interface to which the route-based VPN is bound. |
Copy-Outer-DSCP | Indicates whether the system copies the outer DSCP value from the IP header to the inner IP header. |
tunnel-establishment | Indicates the IKE (Internet Key Exchange) activation method. |
IKE SA Index | Indicates the list of parent IKE (Internet Key Exchange) security associations. |
Table 2: show security ipsec sa Output Fields

Field Name | Field Description
---|---
Total active tunnels | Total number of active IPsec tunnels.
ID | Index number of the SA. You can use this number to get additional information about the SA.
Algorithm | Cryptography used to secure exchanges between peers during the IKE (Internet Key Exchange) Phase 2 negotiation includes:
SPI | Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.
Life:sec/kb | The lifetime of the SA, after which the SA expires, expressed in seconds or kilobytes.
Mon | The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.
lsys | Root system.
Port | If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.
Gateway | Gateway address of the system.
Table 3: show security ipsec sa detail Output Fields

Field Name | Field Description
---|---
ID | Index number of the SA. You can use this number to get additional information about the SA.
Virtual-system | Virtual system name.
VPN Name | IPsec name of the VPN.
Local Gateway | Gateway address of the local system.
Remote Gateway | Gateway address of the remote system.
Local Identity | Identity of the local peer so that the partner destination gateway can communicate with the peer. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).
Remote Identity | IP address of the destination peer gateway.
Version | IKE version. For example, IKEv1, IKEv2.
DF-bit | State of the don't fragment bit:
Bind-interface | Tunnel interface to which the route-based VPN is bound.
Tunnel events |
Direction | Direction of the SA; it can be inbound or outbound.
AUX-SPI | Value of the auxiliary security parameter index (SPI).
VPN Monitoring | If VPN monitoring is enabled, this field displays U (up) or D (down).
Hard lifetime | The hard lifetime specifies the lifetime of the SA.
Lifesize Remaining | The remaining lifesize specifies the usage limit in kilobytes. If no lifesize is specified, it shows unlimited.
Soft lifetime | The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.
Mode | Mode of the SA:
Type | Type of SA:
State | State of the SA: For transport mode, the value of State is always installed.
Protocol | Protocol supported.
Anti-replay service | State of the service that prevents packet replay: or .
Replay window size | Configured size of the anti-replay service window. It can be 32 or 64 packets. If the replay window size is 0, the anti-replay service is disabled. The anti-replay window size protects the receiver against replay attacks by rejecting old or duplicate packets.
 | Interchassis link tunnel.
HA Link Encryption Mode | Supports the high availability mode.
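As an added example that is not part of Juniper's documentation, the following Python parses the brief table and the per-direction blocks of the detail output described in the tables above and reports the conditions an operator would want to review (VPN monitor Down, NAT-T on port 4500, anti-replay disabled or window 0, DES/3DES/MD5 algorithms, hard lifetime close to expiry). The sample inputs are constructed, the SA index passed to parse_detail is a placeholder, and the 120-second lifetime threshold is an assumption.

```python
"""Audit helper for 'show security ipsec security-associations' output.

Added example, not Juniper code: parses the brief table and the per-direction
blocks of the detail form, then flags VPN monitor Down, NAT-T (UDP 4500),
anti-replay disabled or window 0, legacy DES/3DES/MD5 algorithms, and a hard
lifetime about to expire, all drawn from the field descriptions above.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the brief output shown on this page.
BRIEF_SAMPLE = """\
user@host> show security ipsec security-associations
  Total active tunnels: 2     Total Ipsec sas: 3
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255
  >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255
  <500201 ESP:3des-cbc/md5 0x0a25c960 91/ unlim D root 4500 10.2.0.2
"""

# Constructed sample of two per-direction blocks from the detail output.
DETAIL_SAMPLE = """\
  Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
  Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
"""

# One brief row: '<' is inbound, '>' outbound; Life:sec/kb is "<sec>/ <kb|unlim>".
BRIEF_ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<proto>ESP|AH):"
    r"(?P<enc>[^/\s]+)/(?P<auth>\S+)\s+(?P<spi>\S+)\s+"
    r"(?P<life_sec>\d+)/\s*(?P<life_kb>unlim|\d+)\s+(?P<mon>[-UDV])\s+"
    r"(?P<lsys>\S+)\s+(?P<port>\d+)\s+(?P<gw>\S+)\s*$")

# One 'Direction:' block of the detail form, up to its Anti-replay line.
DETAIL_BLOCK = re.compile(
    r"Direction:\s*(?P<dir>inbound|outbound),\s*SPI:\s*(?P<spi>[^,\s]+).*?"
    r"Hard lifetime:\s*Expires in\s*(?P<hard>\d+) seconds.*?"
    r"Authentication:\s*(?P<auth>[^,\s]+),\s*Encryption:\s*(?P<enc>\S+).*?"
    r"Anti-replay service:\s*(?P<replay>[^,\n]+?)"
    r"(?:,\s*Replay window size:\s*(?P<window>\d+))?\s*$", re.S | re.M)

LEGACY_ENC = {"des-cbc", "3des-cbc"}
LEGACY_AUTH = ("md5", "hmac-md5")   # prefixes; HMAC-SHA1 is not flagged here


@dataclass
class Sa:
    direction: str
    sa_id: int
    spi: str
    encryption: str
    authentication: str
    hard_life_sec: int             # seconds left (Life:sec or Hard lifetime)
    mon: str = "-"                 # '-', 'U', 'D' or 'V', per the Mon field
    port: int = 500                # 4500 means NAT traversal is in use
    gateway: str = ""
    replay: str = ""               # Anti-replay service text (detail form only)
    window: Optional[int] = None   # Replay window size; 0 means disabled


def parse_brief(text: str) -> list:
    """One Sa per table row; prompt, totals and header lines do not match."""
    rows = []
    for m in filter(None, map(BRIEF_ROW.match, text.splitlines())):
        rows.append(Sa("inbound" if m["dir"] == "<" else "outbound",
                       int(m["id"]), m["spi"], m["enc"], m["auth"],
                       int(m["life_sec"]), m["mon"], int(m["port"]), m["gw"]))
    return rows


def parse_detail(text: str, sa_id: int = 0) -> list:
    """One Sa per 'Direction:' block; sa_id is taken from the enclosing 'ID:' line."""
    return [Sa(m["dir"], sa_id, m["spi"], m["enc"], m["auth"], int(m["hard"]),
               replay=m["replay"].strip(),
               window=int(m["window"]) if m["window"] else None)
            for m in DETAIL_BLOCK.finditer(text)]


def audit(sas: list, min_life_sec: int = 120) -> list:
    """Return one finding per condition worth an operator's attention."""
    findings = []
    for s in sas:
        tag = f"SA {s.sa_id} {s.direction} SPI {s.spi}"
        if s.mon == "D":
            findings.append(f"{tag}: VPN monitoring reports the tunnel Down")
        if s.port == 4500:
            findings.append(f"{tag}: NAT-T on UDP 4500, a NAT device is on the path")
        if s.encryption in LEGACY_ENC:
            findings.append(f"{tag}: legacy cipher {s.encryption}")
        if s.authentication.startswith(LEGACY_AUTH):
            findings.append(f"{tag}: legacy integrity algorithm {s.authentication}")
        if s.replay == "disabled" or s.window == 0:
            findings.append(f"{tag}: anti-replay protection is off")
        if s.hard_life_sec < min_life_sec:
            findings.append(f"{tag}: hard lifetime expires in {s.hard_life_sec}s")
    return findings
```

Feed the saved output of either command form to parse_brief or parse_detail and print what audit returns; an empty list means none of the listed conditions was seen.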
Sample Output

For brevity, this show command output does not display all the values of the configuration. Only a subset of the configuration is displayed. The rest of the configuration on the system has been replaced with ellipses (...).

- show security ipsec security-associations (IPv4)
- show security ipsec security-associations (IPv6)
- show security ipsec security-associations index 511672
- show security ipsec security-associations index 131073 detail
- show security ipsec sa
- show security ipsec sa detail
- show security ipsec sa detail (MX-SPC3)
- show security ipsec security-associations
- show security ipsec security-associations brief
- show security ipsec security-associations detail
- show security ipsec security-associations family inet6
- show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series devices)
- show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)
- show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)
- show security ipsec security-associations sa-type shortcut (ADVPN)
- show security ipsec security-associations sa-type shortcut detail (ADVPN)
- show security ipsec security-associations family inet detail
- show security ipsec security-associations detail (SRX4600)
- show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
- show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
- show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
show security ipsec security-associations (IPv4)

```
user@host> show security ipsec security-associations
  Total active tunnels: 14743     Total Ipsec sas: 14743
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 10.21.45.152
  >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255
  <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255
  >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96
  <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96
  >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57
  <513881 ESP:aes-cbc-128/sha1 0x0a57860c 1696/ unlim - root 500 10.21.54.57
  >505835 ESP:aes-cbc-128/sha1 0xf827b5c6 1598/ unlim - root 500 10.21.22.204
  <505835 ESP:aes-cbc-128/sha1 0x0f43bf3f 1598/ unlim - root 500 10.21.22.204
  >506531 ESP:aes-cbc-128/sha1 0x01694572 1602/ unlim - root 500 10.21.25.131
  <506531 ESP:aes-cbc-128/sha1 0x0a578143 1602/ unlim - root 500 10.21.25.131
  >512802 ESP:aes-cbc-128/sha1 0xdc292de4 1668/ unlim - root 500 10.21.50.1
  <512802 ESP:aes-cbc-128/sha1 0x0a578558 1668/ unlim - root 500 10.21.50.1
  >512413 ESP:aes-cbc-128/sha1 0xbe2c52d5 1660/ unlim - root 500 10.21.48.125
  <512413 ESP:aes-cbc-128/sha1 0x1129580c 1660/ unlim - root 500 10.21.48.125
  >505075 ESP:aes-cbc-128/sha1 0x2aae6647 1593/ unlim - root 500 10.21.19.213
  <505075 ESP:aes-cbc-128/sha1 0x02dc5c50 1593/ unlim - root 500 10.21.19.213
  >514055 ESP:aes-cbc-128/sha1 0x2b8adfcb 1704/ unlim - root 500 10.21.54.238
  <514055 ESP:aes-cbc-128/sha1 0x0f43c49a 1704/ unlim - root 500 10.21.54.238
  >508898 ESP:aes-cbc-128/sha1 0xbcced4d6 1619/ unlim - root 500 10.21.34.194
  <508898 ESP:aes-cbc-128/sha1 0x1492035a 1619/ unlim - root 500 10.21.34.194
  >505328 ESP:aes-cbc-128/sha1 0x2a8d2b36 1594/ unlim - root 500 10.21.20.208
  <505328 ESP:aes-cbc-128/sha1 0x14920107 1594/ unlim - root 500 10.21.20.208
  >500815 ESP:aes-cbc-128/sha1 0xdd86c89a 1573/ unlim - root 500 10.21.3.47
  <500815 ESP:aes-cbc-128/sha1 0x1129507f 1573/ unlim - root 500 10.21.3.47
  >503758 ESP:aes-cbc-128/sha1 0x64cc490e 1586/ unlim - root 500 10.21.14.172
  <503758 ESP:aes-cbc-128/sha1 0x14920001 1586/ unlim - root 500 10.21.14.172
  >504004 ESP:aes-cbc-128/sha1 0xde0b63ee 1587/ unlim - root 500 10.21.15.164
  <504004 ESP:aes-cbc-128/sha1 0x071b87d4 1587/ unlim - root 500 10.21.15.164
  >508816 ESP:aes-cbc-128/sha1 0x2703b7a5 1618/ unlim - root 500 10.21.34.112
  <508816 ESP:aes-cbc-128/sha1 0x071b8af6 1618/ unlim - root 500 10.21.34.112
  >511341 ESP:aes-cbc-128/sha1 0x828f3330 1644/ unlim - root 500 10.21.44.77
  <511341 ESP:aes-cbc-128/sha1 0x02dc6064 1644/ unlim - root 500 10.21.44.77
  >500456 ESP:aes-cbc-128/sha1 0xa6f1515d 1572/ unlim - root 500 10.21.1.200
  <500456 ESP:aes-cbc-128/sha1 0x1491fddb 1572/ unlim - root 500 10.21.1.200
  >512506 ESP:aes-cbc-128/sha1 0x4108f3a3 1662/ unlim - root 500 10.21.48.218
  <512506 ESP:aes-cbc-128/sha1 0x071b8d5d 1662/ unlim - root 500 10.21.48.218
  >504657 ESP:aes-cbc-128/sha1 0x27a6b8b3 1591/ unlim - root 500 10.21.18.41
  <504657 ESP:aes-cbc-128/sha1 0x112952fe 1591/ unlim - root 500 10.21.18.41
  >506755 ESP:aes-cbc-128/sha1 0xc0afcff0 1604/ unlim - root 500 10.21.26.100
  <506755 ESP:aes-cbc-128/sha1 0x149201f5 1604/ unlim - root 500 10.21.26.100
  >508023 ESP:aes-cbc-128/sha1 0xa1a90af8 1612/ unlim - root 500 10.21.31.87
  <508023 ESP:aes-cbc-128/sha1 0x02dc5e3b 1612/ unlim - root 500 10.21.31.87
  >509190 ESP:aes-cbc-128/sha1 0xee52074d 1621/ unlim - root 500 10.21.35.230
  <509190 ESP:aes-cbc-128/sha1 0x0f43c16e 1621/ unlim - root 500 10.21.35.230
  >505051 ESP:aes-cbc-128/sha1 0x24130b1c 1593/ unlim - root 500 10.21.19.188
  <505051 ESP:aes-cbc-128/sha1 0x149200d9 1593/ unlim - root 500 10.21.19.188
  >513214 ESP:aes-cbc-128/sha1 0x2c4752d1 1676/ unlim - root 500 10.21.51.158
  <513214 ESP:aes-cbc-128/sha1 0x071b8dd3 1676/ unlim - root 500 10.21.0.51.158
  >510808 ESP:aes-cbc-128/sha1 0x4acd94d3 1637/ unlim - root 500 10.21.42.56
  <510808 ESP:aes-cbc-128/sha1 0x071b8c42 1637/ unlim - root 500 10.21.42.56
```
show security ipsec security-associations (IPv6)

```
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112
  131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
```
show security ipsec security-associations index 511672

```
user@host> show security ipsec security-associations index 511672
  ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn
  Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152
  Traffic Selector Name: ts
  Local Identity: ipv4(10.191.151.0-10.191.151.255)
  Remote Identity: ipv4(10.40.151.0-10.40.151.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 10
  Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations index 131073 detail

```
user@host> show security ipsec security-associations index 131073 detail
  ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1
  Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1
  Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39
  Multi-sa, Configured SAs# 9, Negotiated SAs#: 9
  Tunnel events:
    Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times)
    Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times)
    Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times)
    Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: inbound, SPI: 5d227e19, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: best-effort
  Direction: outbound, SPI: 5490da, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: best-effort
  ...
```

Starting in Junos OS Release 18.2R1, the show security ipsec security-associations index index-number detail CLI output displays all child SA details, including the forwarding class name.
show security ipsec sa

```
user@host> show security ipsec sa
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  >67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2
  >67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2
  >67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2
  >67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2
```
show security ipsec sa detail

```
user@host> show security ipsec sa detail
  ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
  Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
  ...
```

Starting in Junos OS Release 19.1R1, the new tunnel-establishment field in the show security ipsec sa detail CLI output displays the option configured at the ipsec vpn establish-tunnels hierarchy level.

Starting in Junos OS Release 21.3R1, the new Tunnel MTU field in the show security ipsec sa detail CLI output displays the option configured at the ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarchy level.

Starting in Junos OS Release 22.1R3, on SRX5000 line devices the tunnel MTU is not displayed in the CLI output when no tunnel MTU is configured.
show security ipsec sa detail (MX-SPC3)

```
user@host> show security ipsec sa detail
  ID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420
  Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately
  Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately
```
show security ipsec security-associations

```
user@host> show security ipsec security-association
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2
```
show security ipsec security-associations brief

```
user@host> show security ipsec security-associations brief
  Total active tunnels: 2     Total Ipsec sas: 18
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 10.5.0.1
  ...
```
show security ipsec security-associations detail

```
user@host> show security ipsec security-associations detail
  ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 0
  Distribution-Profile: default-profile
  IKE SA Index: 2068
  Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
  Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
```
show security ipsec security-associations family inet6

```
user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
  Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series devices)

```
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm          SPI       Life:sec/kb   Mon  vsys
  <2    192.168.1.2      500   ESP:aes256/sha256  67a7d25d  28280/unlim   -    0
  >2    192.168.1.2      500   ESP:aes256/sha256  a23cbcdc  28280/unlim   -    0
```
show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)

```
user@host> show security ipsec security-associations detail
  ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear
  Bind-interface: st0.1
  Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
  Tunnel events:
    Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times)
    Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times)
    Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: inbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
```
show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)

```
user@host> show security ipsec security-associations detail
  ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29
  Tunnel events:
    Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times)
    Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times)
    Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times)
  Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations sa-type shortcut (ADVPN)

```
user@host> show security ipsec security-associations sa-type shortcut
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111
  >268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111
```
show security ipsec security-associations sa-type shortcut detail (ADVPN)

```
user@host> show security ipsec security-associations sa-type shortcut detail
node0:
--------------------------------------------------------------------------
  ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Auto Discovery VPN:
    Type: Shortcut, Shortcut Role: Initiator
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29
  Tunnel events:
    Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: b7a5518, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: b7e0268, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations family inet detail

```
user@host> show security ipsec security-associations family inet detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear , Copy-Outer-DSCP Enabled
  Bind-interface: st0.99
  Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times)
    Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times)
    Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times)
    Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times)
  Location: FPC 0, PIC 1, KMD-Instance 1
  Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
  Location: FPC 0, PIC 1, KMD-Instance 1
  Direction: outbound, SPI: 727f629d, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
```
show security ipsec security-associations detail (SRX4600)

```
user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 6
  Direction: inbound, SPI: 812c9c01, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 7
  Direction: outbound, SPI: c4de0972, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
A new output field, IKE SA Index, corresponding to every IPsec SA within the tunnel, is displayed under the information for each IPsec SA.
user@host> show security ipsec security-associations detail
  ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
  Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118
  Traffic Selector Name: TS_DEFAULT
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.181.235.224-10.181.235.224)
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 7, PIC 1, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
    Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
    Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 40
    Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 40
show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only the inter-chassis link tunnel details.
user@host> show security ipsec security-associations ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 91
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0046c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0446c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0847658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0846c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0c47658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0c46c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1046c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1446c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1847658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1846c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1c47658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1c46c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x2047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x2046c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x2447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x2446c5cd 298/ unlim - root 500 10.23.0.2
  ...
show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only the inter-chassis link tunnel details. It displays the multiple SAs created for the inter-chassis link encryption tunnel.
user@host> show security ipsec sa detail ha-link-encryption
  ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN
  Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2
  Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__
  Local Identity: ipv4(180.100.1.1-180.100.1.1)
  Remote Identity: ipv4(180.100.1.2-180.100.1.2)
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: Multi-Node
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
    Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
    Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 16
    IKE SA Index: 4294966297
    Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0 , VPN Monitoring: -
    ...
Starting in Junos OS Release 22.3R1, when you configure the chassis cluster HA control link encryption feature, you can run the show security ipsec sa ha-link-encryption detail, show security ipsec sa ha-link-encryption, and show security ike sa ha-link-encryption detail commands to view the chassis cluster control link encryption tunnel details.
show security ike sa ha-link-encryption detail
user@host> show security ike sa ha-link-encryption detail
IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0
  Role: Initiator, State: UP
  Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local gateway interface: em0
  Routing instance: __juniper_private1__
  Local: 10.7.0.2:500, Remote: 10.2.0.1:500
  Lifetime: Expires in 24856 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 10.2.0.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :               200644
   Output bytes  :               200644
   Input  packets:                 2635
   Output packets:                 2635
   Input  fragmented packets:       0
   Output fragmented packets:       0
  IPSec security associations: 6 created, 3 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 495002

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 10.7.0.2:500, Remote: 10.2.0.1:500
    Local identity: 10.7.0.2
    Remote identity: 10.2.0.1
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                          Responder stats:
     Request Out             : 1                Request In              : 1
     Response In             : 1                Response Out            : 1
     No Proposal Chosen In   : 0                No Proposal Chosen Out  : 0
     Invalid KE In           : 0                Invalid KE Out          : 0
     TS Unacceptable In      : 0                TS Unacceptable Out     : 0
     Res DH Compute Key Fail : 0                Res DH Compute Key Fail : 0
     Res Verify SA Fail      : 0
     Res Verify DH Group Fail: 0
     Res Verify TS Fail      : 0
show security ipsec sa ha-link-encryption detail
user@host> show security ipsec sa ha-link-encryption detail
  ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu
  Local Identity: ipv4(10.7.0.2-10.7.0.2)
  Remote Identity: ipv4(10.2.0.1-10.2.0.1)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: L2 Chassis Cluster
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274
    Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274
show security ipsec sa ha-link-encryption
user@host> show security ipsec sa ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <495002 ESP:aes-cbc-256/sha1 0x35fae26b 3484/ unlim - root 500 10.2.0.1
  >495002 ESP:aes-cbc-256/sha1 0x0a2b9927 3484/ unlim - root 500 10.2.0.1
show security ipsec security-associations detail (SRX Series devices and MX Series routers)
Starting in Junos OS Release 20.4R2 and 21.1R1, you can run the show security ipsec security-associations detail command to view the traffic selector type of the VPN.
user@host> show security ipsec security-associations detail
  ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: ts1
  Local Identity: ipv4(10.20.20.0-10.20.20.255)
  Remote Identity: ipv4(10.10.10.0-10.10.10.255)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17
    Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17
  ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1
  Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18
    Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18
- show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
- show security ipsec security-associations srg-id
show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 21.1R1, you can view traffic selector details, including the local ID, remote ID, protocol, source port range, and destination port range, for the multiple terms defined in an IPsec SA.
In earlier Junos releases, traffic selection for a given SA was performed using conventional IP ranges defined with IP addresses or netmasks. Starting in Junos OS Release 21.1R1, additional traffic is selected by the protocol specified with protocol_name, and the low and high port ranges specified for the source and destination port numbers are applied as well.
user@host> show security ipsec security-associations detail
  ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1
  Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2
  Traffic Selector Name: ts1
  Local Identity:
    Protocol   Port       IP
    17/UDP     100-200    198.51.100.0-198.51.100.255
    6/TCP      250-300    198.51.100.0-198.51.100.255
  Remote Identity:
    Protocol   Port       IP
    17/UDP     150-200    10.80.0.1-10.80.0.1
    6/TCP      250-300    10.80.1.1-10.80.1.1
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: ………
    Direction: outbound, SPI: …………
show security ipsec security-associations srg-id
user@host> show security ipsec security-associations srg-id 1
  Total active tunnels: 1     Total IPsec sas: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <17277217 ESP:aes-cbc-256/sha256 0xc7faee3e 1440/ unlim - root 500 10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256 0x7921d472 1440/ unlim - root 500 10.112.0.1
  <17277217 ESP:aes-cbc-256/sha256 0xf1a01dd4 1498/ unlim - root 500 10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256 0xa0b77273 1498/ unlim - root 500 10.112.0.1
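As an added example (not part of the Juniper documentation), the following Python script parses an excerpt in the layout of the detail output shown above and reports, per SPI, the settings a reviewer would want to look at: anti-replay disabled, SHA-1/MD5 integrity, or an IKEv1 tunnel. The sample text is constructed here from field values that appear on this page, and the checks are this example's choices rather than Junos defaults.

```python
import re
# Constructed sample in the layout of this page's 'show security ipsec
# security-associations detail' output; field values come from that output.
SAMPLE_DETAIL = """\
ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
  Version: IKEv2
  Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: -
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
  Version: IKEv2
  Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0
  Version: IKEv2
  Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0 , VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Version: IKEv1
  Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
"""

def parse_sa_detail(text):
    # 'ID:' starts a tunnel block; each 'Direction:' line starts one SA (SPI)
    # inside it. Tunnel fields are copied onto every SA for per-SPI reporting.
    sas, tunnel, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ID:"):
            m = re.match(r"ID: (\d+) .*VPN Name: (\S+)", line)
            tunnel, sa = {"id": int(m.group(1)), "vpn": m.group(2)}, None
        elif line.startswith("Version:"):
            tunnel["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Direction:"):
            m = re.match(r"Direction: (\w+), SPI: ([^,]+)", line)
            sa = dict(tunnel, direction=m.group(1), spi=m.group(2))
            sas.append(sa)
        elif sa is not None and line.startswith("Protocol:"):
            m = re.search(r"Authentication: (\S+), Encryption: (.+)", line)
            sa["auth"], sa["enc"] = m.group(1), m.group(2)
        elif sa is not None and line.startswith("Anti-replay service:"):
            sa["anti_replay"] = line.split(":", 1)[1].strip()
    return sas

def audit(sas):
    # Returns (vpn, spi, issue) tuples; the checks are this example's choices.
    findings = []
    for sa in sas:
        tag = (sa["vpn"], sa["spi"])
        if re.search(r"sha1|md5", sa.get("auth", ""), re.I):
            findings.append(tag + ("weak-integrity:" + sa["auth"],))
        if sa.get("anti_replay", "").startswith("disabled"):
            findings.append(tag + ("anti-replay-disabled",))
        if sa.get("version") == "IKEv1":
            findings.append(tag + ("legacy-ikev1",))
    return findings
```

On a live device the same parser can be fed the text returned by running the command over NETCONF or SSH; AEAD suites such as aes-gcm report their integrity under Authentication and are not flagged.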
Release Information
Command introduced in Junos OS Release 8.5.
Support for the family option added in Junos OS Release 11.1.
Support for the vpn-name option added in Junos OS Release 11.4R3.
Support for the traffic-selector option and the traffic selector fields added in Junos OS Release 12.1X46-D10.
Support for Auto Discovery VPN (ADVPN) added in Junos OS Release 12.3X48-D10.
Support for IPsec datapath verification added in Junos OS Release 15.1X49-D70.
Support for thread anchorship added in Junos OS Release 17.4R1.
Starting in Junos OS Release 18.2R2, the show security ipsec security-associations detail command output includes thread anchorship information for the security association (SA).
Starting in Junos OS Release 19.4R1, the fc-name (CoS forwarding class name) CLI option is deprecated in the new iked process, which displays security associations (SAs) under the show security ipsec sa show command.
Support for the ha-link-encryption option added in Junos OS Release 20.4R1.
Support for the srg-id option added in Junos OS Release 22.4R1.