
IP Security Operational Mode Commands

Table 1 summarizes the command-line interface (CLI) commands you can use to monitor and troubleshoot IP Security (IPsec) services. In the table, the commands are grouped by the interfaces on which they are supported. In the remainder of this chapter, the commands are listed in alphabetical order.

  • Adaptive Services Interfaces:
    • J Series routers—sp-pim/0/slot.
    • M Series and T Series routers—sp-fpc/pic/port. IPsec is also supported on the redundant adaptive services interface (rspnumber).
  • Encryption Interfaces (M Series and T Series routers only): es-fpc/pic/port.

Table 1: IPsec Services Operational Mode Commands

Adaptive Services Interface

| Task | Command |
| --- | --- |
| Delete certificate authority (CA) digital certificates from the router. | clear security pki ca-certificate |
| Delete manually generated local digital certificate requests from the router. | clear security pki certificate-request |
| Delete all CRLs from the router. | clear security pki crl |
| Delete local digital certificates, certificate requests, and the corresponding public/private key pairs from the router. | clear security pki local-certificate |
| Delete local and remote certificates from the IPsec configuration memory cache. | clear services ipsec-vpn certificates |
| Clear IPsec statistics. | clear services ipsec-vpn ipsec statistics |
| Clear either Internet Key Exchange (IKE) or IPsec VPN security associations. | clear services ipsec-vpn ike security-associations |
| | clear services ipsec-vpn ipsec security-associations |
| Request a digital certificate from a CA online by using the Simple Certificate Enrollment Protocol (SCEP). | request security pki ca-certificate enroll |
| Manually load a CA digital certificate from a specified location. | request security pki ca-certificate load |
| Manually install a CRL on the router. | request security pki crl load |
| Manually generate a local digital certificate request in the Public-Key Cryptography Standards #10 (PKCS-10) format. | request security pki generate-certificate-request |
| Generate a Public Key Infrastructure (PKI) public and private key pair for a local digital certificate. | request security pki generate-key-pair |
| Request a CA to enroll and install a local digital certificate online by using the SCEP. | request security pki local-certificate enroll |
| Manually load a local digital certificate from a specified location. | request security pki local-certificate load |
| Switch between the primary and backup IPsec VPN tunnels. | request services ipsec-vpn ipsec switch tunnel |
| Display information about certificate authority (CA) digital certificates installed in the router. | show security pki ca-certificate |
| Display information about manually generated local digital certificate requests that are stored in the router. | show security pki certificate-request |
| Display information about the local digital certificates and the corresponding public keys installed in the router. | show security pki local-certificate |
| Display local and remote certificates installed in the IPsec configuration memory cache that are used for the IKE negotiation. | show services ipsec-vpn certificates |
| Display IKE VPN security associations for service sets. | show services ipsec-vpn ike security-associations |
| Display IPsec VPN security associations for service sets. | show services ipsec-vpn ipsec security-associations |
| Display IPsec VPN statistics for service sets. | show services ipsec-vpn ipsec statistics |

Encryption Interface

| Task | Command |
| --- | --- |
| Clear Internet Key Exchange (IKE) security associations. | clear ike security-associations |
| Clear IPsec security associations. | clear ipsec security-associations |
| Switch between primary and backup interfaces and tunnels. | request ipsec switch |
| Obtain a public key certificate from a certification authority. | request security certificate (signed) |
| | request security certificate (unsigned) |
| Generate a public and private key pair. | request security key-pair |
| Add a certificate provided by the Juniper Networks certificate authority. | request system certificate add |
| Display IKE security association information. | show ike security-associations |
| Display the IPsec certificate database. | show ipsec certificates |
| Display primary and backup interface and tunnel information. | show ipsec redundancy |
| Display IPsec security association information. | show ipsec security-associations |
| Display installed certificates signed by the Juniper Networks certificate authority. | show system certificate |

Note: For information about how to configure IPsec services, see the JUNOS Services Interfaces Configuration Guide for adaptive services interfaces and the JUNOS System Basics Configuration Guide for encryption interfaces.


Published: 2010-04-28
