Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

show security group-vpn server kek security-associations

Syntax

Description

Display configured server-member communications. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 Series Firewalls and vSRX Virtual Firewall instances.

Options

  • none—Display server-member communications configured for all groups.

  • brief—(Optional) Display summary output.

  • detail—(Optional) Display detailed output.

  • group—(Optional) Display server-member communications configured for the specified group.

  • group-id—(Optional) Display server-member communications configured for the specified group.

  • index—(Optional) Display information for a particular SA based on the index number of the SA. To obtain the index number for a particular SA, display the list of existing SAs by using the command with no options.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security group-vpn server kek security-assocations command. Output fields are listed in the approximate order in which they appear.

Table 1: show security group-vpn server kek security-associations Output Fields

Field Name

Field Description

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Remote Address

Identifier of the remote/peer. Because there could be multiple members, the remote address always contains the IP address 0.0.0.0.

State

State of the KEK security associations:

  • DOWN—SA is not active.

  • UP—SA is active.

Initiator cookie

Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server.

Responder cookie

Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server.

GroupId

Group identifier.

KEK Peer

IP address of the destination peer with which the local peer communicates. For KEK SAs, it always contains 0.0.0.0 which means any IP address.

Role

For the server, it is always initiator.

Authentication method

RSA is the supported authentication method.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Algorithms

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the Phase 2 process:

  • Sig-hash—Type of authentication algorithm used.

    • sha-256—Secure Hash Algorithm 256 authentication.

    • sha-384—Secure Hash Algorithm 384 authentication.

  • Encryption—Type of encryption algorithm used.

    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.

    • aes-192-cbc— AES192-bit encryption

    • aes-128-cbc—AES 128-bit encryption.

Traffic statistics

  • Input bytes—Number of bytes received.

  • Output bytes—Number of bytes transmitted.

  • Input packets—Number of packets received.

  • Output packets—Number of packets transmitted.

Server Info Version

Identify the latest set of information maintained in the server.

The following fields are the configured server-member-communication options:

Server Replay Window

Antireplay time in milliseconds. This is 0 if antireplay is disabled.

Retransmission Period

Number of seconds between a rekey transmission and the first retransmission when there is no reply from the member.

Number of Retransmissions

For unicast communications, the number of times the server retransmits rekey messages to a member when there is no reply.

Lifetime Seconds

Configured lifetime, in seconds, for the KEK.

Group Key Push sequence number

Sequence number of the KEK SA groupkey-push message. This number is incremented with every groupkey-push message.

Sample Output

show security group-vpn server kek security-associations

Sample Output

show security group-vpn server kek security-associations detail

Release Information

Command introduced in Junos OS Release 10.2.