show security group-vpn member kek security-associations

Syntax

Description

Display Group VPNv2 security associations (SAs) for a group member. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 Series Firewalls and vSRX Virtual Firewall instances.

Group VPNv2 is the name of the Group VPN technology on MX5, MX10, MX40, MX80, MX240, MX480, and MX960 routers. Group VPNv2 is different from the Group VPN technology implemented on SRX Security Gateways.

For more information about Group VPN on SRX Security Gateway devices, see Group VPNv2 Overview.

Options

none—Display information about all Group VPNv2 SAs for the group member.
brief—(Optional) Display summary output.
detail—(Optional) Display detailed output.
display xml—(Optional) Display xml.
index sa-index—(Optional) Display detailed information about the specified SA identified by index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.
peer-ipaddress—(Optional) Display information about the SA with the specified peer.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security group-vpn member kek security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show security group-vpn member kek security-associations
Field Name	Field Description
`Index`	Index number of an SA. This number is an internally generated number you can use to display information about a single SA.
`Remote Address`	IP address of the destination peer with which the local peer communicates.
`State`	State of the KEK security associations: `DOWN`—SA is not active. `UP`—SA is active.
`Initiator cookie`	Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.
`Responder cookie`	Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.
`SPI`	Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI.
`GroupID`	Group identifier.
`KEK Peer`	IP address of the destination peer with which the local peer communicates.
`Role`	For the member, it is always responder.
`State`	State of the KEK security associations, which is always up.
`Authentication method`	RSA is the supported authentication method.
`Local`	Address of the local peer.
`Remote`	Address of the remote peer.
`Lifetime`	Number of seconds remaining until the IKE SA expires.
`Algorithms`	Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process: `Sig-hash`—Type of authentication algorithm used. `sha-256`–Secure Hash Algorithm 256 (sha-256) authentication. `sha-384`–Secure Hash Algorithm 394 (sha-384) authentication. `Sig key length (bits)`—Size of signature key in bits. `Encryption`—Type of encryption algorithm used. `aes-256-cbc`—Advanced Encryption Standard (AES) 256-bit encryption. `aes-192-cbc`— AES192-bit encryption `aes-128-cbc`—AES 128-bit encryption. `3des-cbc`—3 Data Encryption Standard (DES) encryption. `des-cbc`—DES encryption.
`Traffic statistics`	`Input bytes—`Number of bytes received. `Output bytes—`Number of bytes transmitted. `Input packets—`Number of packets received. `Output packets—`Number of packets transmitted.
`Server Info Version`	Identify the latest set of information maintained in the server.
`Server Heartbeat Interval`	Interval in seconds at which the server sends heartbeats to group members.
`Member Heartbeat Threshold`	The heartbeat threshold configured on the group member for the IPsec VPN. If this number of heartbeats is missed on the member, the member reregisters with the server.
`Heartbeat Timeout Left`	Number of heartbeats until the heartbeat threshold is reached, at which time the member reregisters with the server. When this number reaches 0, reregistration happens within 60 seconds.
`Server Activation Delay`	Number of seconds before a group member can use a new key when the member reregisters with the server.
`Server Multicast Group`	Multicast IP address to which the server sends rekey messages.
`Server Replay Window`	Antireplay time window value in milliseconds. 0 means antireplay is disabled.
`Group Key Push sequence number`	Sequence number of the KEK SA groupkey-push message. This number is incremented with every groupkey-push message.