show security ipsec security-associations
语法
show security ipsec security-associations <brief | detail | extensive> <family (inet | inet6)> <fpc slot-number pic slot-number> <index SA-index-number> <kmd-instance (all | kmd-instance-name)> <node-local> <pic slot-number fpc slot-number> <sa-type shortcut> <traffic-selector traffic-selector-name> <srg-id id-number> <vpn-name vpn-name> <ha-link-encryption>
描述
显示有关 IPsec 安全关联 (SA) 的信息。
在 Junos OS 20.1R2、20.2R2、20.3R2、20.3R1 及更高版本中,当您执行命令 show security ipsec security-associations detail
时,每个 IPsec SA 信息下都会显示与隧道内每个 IPsec SA 对应的新输出字段 IKE SA Index
。请参阅 显示安全 IPsec 安全关联详细信息(SRX5400、SRX5600、SRX5800)。
选项
none | 显示有关所有 SA 的信息。 |
brief | detail | extensive |
(可选)显示指定的输出级别。默认值为 |
family |
(可选)按系列显示 SA。此选项用于筛选输出。
|
fpc slot-number pic slot-number |
(可选)显示有关指定灵活 PIC 集中器 (FPC) 插槽和 PIC 插槽中现有 IPsec SA 的信息。 在机箱群集中,在操作模式下执行 CLI 命令 |
index SA-index-number |
(可选)显示有关此索引号标识的指定 SA 的详细信息。若要获取包含其索引号的所有 SA 的列表,请使用不带选项的命令。 |
kmd-instance |
(可选)显示有关由 FPC 和 PIC slot-number slot-number标识的密钥管理进程(在本例中为 KMD)中现有 IPsec SA 的信息。 当您具有
|
node-local | —(可选)显示有关多节点高可用性设置中节点本地隧道的 IPsec SA 的信息。 |
pic slot-number fpc slot-number |
(可选)显示有关指定 PIC 插槽和 FPC 插槽中现有 IPsec SA 的信息。 |
sa-type shortcut |
(可选)它适用于 ADVPN。按类型 |
traffic-selector traffic-selector-name |
(可选)显示有关指定流量选择器的信息。 |
vpn-name vpn-name |
(可选)显示有关指定 VPN 的信息。 |
ha-link-encryption | (可选)仅显示与机箱间链路隧道相关的信息。请参阅 ipsec(高可用性),显示安全 IPsec 安全关联 ha-link 加密(SRX5400、SRX5600、SRX5800)和显示安全 IPsec SA 详细信息 ha-link-加密(SRX5400、SRX5600、SRX5800)。 |
srg-id | (可选)显示与多节点高可用性设置中的特定服务冗余组 (SRG) 相关的信息。 |
所需权限级别
视图
输出字段
表 1 列出了命令的 show security ipsec security-associations
输出字段, 表 2 列出了命令的 show security ipsec sa
输出字段, 表 3. 列出了 的 show security ipsec sa detail
输出字段。输出字段按其出现的大致顺序列出。
字段名称 |
字段说明 |
输出级别 |
---|---|---|
|
活动 IPsec 隧道总数。 |
|
|
SA 的索引号。您可以使用此号码获取有关 SA 的其他信息。 |
所有级别 |
|
在 IKE 协商期间,用于保护对等方之间交换的加密包括:
|
|
|
安全参数索引 (SPI) 标识符。SA 由 SPI 唯一标识。每个条目都包含 VPN 的名称、远程网关地址、每个方向的 SPI、加密和身份验证算法以及密钥。每个对等网关都有两个 SA,一个由两个协商阶段(IKE 和 IPsec)产生。 |
|
|
SA 的生存期(在此之后过期)以秒或千字节表示。 |
|
|
Mon 字段是指 VPN 监控状态。如果启用了 VPN 监控,则此字段将显示 |
|
|
根系统。 |
|
|
如果使用网络地址转换 (NAT),则此值为 4500。否则,它是标准 IKE 端口 500。 |
所有级别 |
|
远程网关的 IP 地址。 |
|
|
逻辑系统的名称。 |
|
|
VPN 的 IPsec 名称。 |
|
|
状态有两个选项,
|
|
|
本地系统的网关地址。 |
|
|
远程系统的网关地址。 |
|
|
流量选择器的名称。 |
|
|
本地对等方的标识,以便其合作伙伴目标网关可以与其通信。该值指定为 IP 地址、完全限定域名、电子邮件地址或可分辨名称 (DN)。 |
|
|
目标对等网关的 IP 地址。 |
|
|
定义本地 IP 范围、远程 IP 范围、源端口范围、目标端口范围和协议。 |
|
|
为术语配置的源端口范围。 |
|
|
为术语配置的目标端口范围。 |
|
|
IKE 版本, |
|
|
不分段位的状态: |
|
|
|
|
|
隧道事件和事件发生的次数。有关隧道事件的描述和可以采取的措施,请参阅 隧道事件 。
|
|
|
SA 的锚点线程 ID(适用于带选项的 |
|
|
SA的方向;它可以是入站或出站。 |
|
|
辅助安全参数索引 (SPI) 的值。
|
|
|
SA 模式:
|
|
|
SA 的类型:
|
|
|
南非州:
|
|
|
支持的协议。
|
|
|
使用的身份验证类型。 |
|
|
使用的加密类型。 从 Junos OS 19.4R2 版开始,在层次结构级别将 |
|
|
软生存期通知 IPsec 密钥管理系统 SA 即将过期。 SA 的每个生存期都有两个显示选项:硬显示选项和软显示选项,动态 SA 必须存在其中一个显示选项。这允许密钥管理系统在硬生存期到期之前协商新的 SA。
|
|
|
硬生存期指定 SA 的生存期。
|
|
|
剩余生存大小指定使用限制(以 KB 为单位)。如果未指定生存大小,则显示无限制。
|
|
|
阻止数据包重播的服务状态。它可以是 |
|
|
防重放服务窗口的大小,为 64 位。 |
|
|
基于路由的 VPN 绑定到的隧道接口。 |
|
|
指示系统是否将外部 DSCP 值从 IP 报头复制到内部 IP 报头。 |
|
|
指示如何激活 IKE。 |
|
|
指示父 IKE 安全关联的列表。 |
|
字段名称 |
字段说明 |
---|---|
|
活动 IPsec 隧道总数。 |
|
SA 的索引号。您可以使用此号码获取有关 SA 的其他信息。 |
|
在 IKE 第 2 阶段协商期间,用于保护对等方之间交换的加密包括:
|
|
安全参数索引 (SPI) 标识符。SA 由 SPI 唯一标识。每个条目都包含 VPN 的名称、远程网关地址、每个方向的 SPI、加密和身份验证算法以及密钥。每个对等网关都有两个 SA,一个由协商的两个阶段(阶段 1 和第 2 阶段)产生。 |
|
SA 的生存期(在此之后过期)以秒或千字节表示。 |
|
Mon 字段是指 VPN 监控状态。如果启用了 VPN 监控,则此字段将显示 U(向上)或 D(向下)。连字符 (-) 表示未为此 SA 启用 VPN 监控。V 表示正在进行 IPSec 数据路径验证。 |
|
根系统。 |
|
如果使用网络地址转换 (NAT),则此值为 4500。否则,它是标准 IKE 端口 500。 |
|
系统的网关地址。 |
字段名称 |
字段说明 |
---|---|
|
SA 的索引号。您可以使用此号码获取有关 SA 的其他信息。 |
|
虚拟系统名称。 |
|
VPN 的 IPSec 名称。 |
|
本地系统的网关地址。 |
|
远程系统的网关地址。 |
|
本地对等方的标识,以便其合作伙伴目标网关可以与其通信。该值指定为 IP 地址、完全限定域名、电子邮件地址或可分辨名称 (DN)。 |
|
目标对等网关的 IP 地址。 |
|
IKE 版本。例如,IKEv1、IKEv2。 |
|
格式错误的数据包的 IPsec 隧道。您可以启用或禁用该选项。 |
|
不分段位的状态: |
|
基于路由的 VPN 绑定到的隧道接口。 |
隧道事件 | |
|
SA的方向;它可以是入站或出站。 |
|
辅助安全参数索引 (SPI) 的值。
|
|
如果启用了 VPN 监控,则该 从 Junos OS 23.4R1 版开始,当防火墙使用 iked 进程运行 IPsec VPN 服务时,将显示输出 |
|
硬生存期指定 SA 的生存期。
|
|
剩余生存大小指定使用限制(以 KB 为单位)。如果未指定生存大小,则显示无限制。 |
|
软生存期通知 IPsec 密钥管理系统 SA 即将过期。SA 的每个生存期都有两个显示选项:硬显示选项和软显示选项,动态 SA 必须存在其中一个显示选项。这允许密钥管理系统在硬生存期到期之前协商新的 SA。
|
|
SA 模式:
|
|
SA 的类型:
|
|
南非州:
对于传输模式,“状态”的值始终为“已安装”。 |
|
支持的协议。
|
|
阻止数据包重播的服务状态。它可以是 |
|
已配置的防重放服务窗口大小。它可以是 32 或 64 个数据包。如果重放窗口大小为 0,则禁用防重放服务。 防重放窗口大小通过拒绝旧数据包或重复数据包来保护接收方免受重放攻击。 |
机箱间链路通道 |
|
HA 链路加密模式 |
支持高可用性模式。在启用多节点高可用性功能时显示 |
示例输出
为简洁起见,show 命令输出不显示配置的所有值。仅显示配置的子集。系统上的其余配置已替换为省略号 (...)。
- 显示安全 IPsec 安全关联 (IPv4)
- 显示安全 IPsec 安全关联 (IPv6)
- 显示安全 IPsec 安全关联索引511672
- 显示安全 IPsec 安全关联索引131073详细信息
- 显示安全 IPsec SA
- 显示安全 IPsec SA 详细信息
- 显示安全 IPsec SA 详细信息 (MX-SPC3)
- 显示使用被动模式隧道的安全 IPsec SA 详细信息 (MX-SPC3)
- 显示安全 IPsec 安全关联
- 显示安全 IPsec 安全关联简介
- 显示安全 IPsec 安全关联详细信息
- 显示启用了 VPN 监控的安全 IPsec 安全关联
- 显示启用了 VPN 监控时的安全 IPsec 安全关联详细信息
- 显示安全 IPsec 安全关联系列 INET6
- 显示安全 IPsec 安全关联 FPC 6 PIC 1 kmd 实例全部(SRX 系列防火墙)
- 显示安全 IPsec 安全关联详细信息(ADVPN 建议器、静态隧道)
- 显示安全 IPsec 安全关联详细信息(ADVPN 伙伴,静态隧道)
- 显示安全 IPsec 安全关联 SA 类型快捷方式 (ADVPN)
- 显示安全 IPsec 安全关联 SA 类型快捷方式详细信息 (ADVPN)
- 显示安全 IPsec 安全关联家族 inet 详细信息
- 显示安全 IPsec 安全关联详细信息 (SRX4600)
- 显示安全 IPsec 安全关联详细信息(SRX5400、SRX5600、SRX5800)
- 显示安全 IPsec 安全关联 HA-Link 加密(SRX5400、SRX5600、SRX5800)
- 显示安全 IPsec SA 详细信息 HA-链路加密(SRX5400、SRX5600、SRX5800)
显示安全 IPsec 安全关联 (IPv4)
user@host> show security ipsec security-associations Total active tunnels: 14743 Total Ipsec sas: 14743 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 10.21.45.152 >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255 <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255 >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96 <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96 >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57 <513881 ESP:aes-cbc-128/sha1 0x0a57860c 1696/ unlim - root 500 10.21.54.57 >505835 ESP:aes-cbc-128/sha1 0xf827b5c6 1598/ unlim - root 500 10.21.22.204 <505835 ESP:aes-cbc-128/sha1 0x0f43bf3f 1598/ unlim - root 500 10.21.22.204 >506531 ESP:aes-cbc-128/sha1 0x01694572 1602/ unlim - root 500 10.21.25.131 <506531 ESP:aes-cbc-128/sha1 0x0a578143 1602/ unlim - root 500 10.21.25.131 >512802 ESP:aes-cbc-128/sha1 0xdc292de4 1668/ unlim - root 500 10.21.50.1 <512802 ESP:aes-cbc-128/sha1 0x0a578558 1668/ unlim - root 500 10.21.50.1 >512413 ESP:aes-cbc-128/sha1 0xbe2c52d5 1660/ unlim - root 500 10.21.48.125 <512413 ESP:aes-cbc-128/sha1 0x1129580c 1660/ unlim - root 500 10.21.48.125 >505075 ESP:aes-cbc-128/sha1 0x2aae6647 1593/ unlim - root 500 10.21.19.213 <505075 ESP:aes-cbc-128/sha1 0x02dc5c50 1593/ unlim - root 500 10.21.19.213 >514055 ESP:aes-cbc-128/sha1 0x2b8adfcb 1704/ unlim - root 500 10.21.54.238 <514055 ESP:aes-cbc-128/sha1 0x0f43c49a 1704/ unlim - root 500 10.21.54.238 >508898 ESP:aes-cbc-128/sha1 0xbcced4d6 1619/ unlim - root 500 10.21.34.194 <508898 ESP:aes-cbc-128/sha1 0x1492035a 1619/ unlim - root 500 10.21.34.194 >505328 ESP:aes-cbc-128/sha1 0x2a8d2b36 1594/ unlim - root 500 10.21.20.208 <505328 ESP:aes-cbc-128/sha1 0x14920107 1594/ unlim - root 500 10.21.20.208 >500815 ESP:aes-cbc-128/sha1 0xdd86c89a 1573/ unlim - root 500 10.21.3.47 <500815 ESP:aes-cbc-128/sha1 0x1129507f 1573/ unlim - root 500 10.21.3.47 >503758 ESP:aes-cbc-128/sha1 0x64cc490e 1586/ unlim - root 500 10.21.14.172 <503758 ESP:aes-cbc-128/sha1 0x14920001 1586/ unlim - root 500 10.21.14.172 >504004 ESP:aes-cbc-128/sha1 0xde0b63ee 1587/ unlim - root 500 10.21.15.164 <504004 ESP:aes-cbc-128/sha1 0x071b87d4 1587/ unlim - root 500 10.21.15.164 >508816 ESP:aes-cbc-128/sha1 0x2703b7a5 1618/ unlim - root 500 10.21.34.112 <508816 ESP:aes-cbc-128/sha1 0x071b8af6 1618/ unlim - root 500 10.21.34.112 >511341 ESP:aes-cbc-128/sha1 0x828f3330 1644/ unlim - root 500 10.21.44.77 <511341 ESP:aes-cbc-128/sha1 0x02dc6064 1644/ unlim - root 500 10.21.44.77 >500456 ESP:aes-cbc-128/sha1 0xa6f1515d 1572/ unlim - root 500 10.21.1.200 <500456 ESP:aes-cbc-128/sha1 0x1491fddb 1572/ unlim - root 500 10.21.1.200 >512506 ESP:aes-cbc-128/sha1 0x4108f3a3 1662/ unlim - root 500 10.21.48.218 <512506 ESP:aes-cbc-128/sha1 0x071b8d5d 1662/ unlim - root 500 10.21.48.218 >504657 ESP:aes-cbc-128/sha1 0x27a6b8b3 1591/ unlim - root 500 10.21.18.41 <504657 ESP:aes-cbc-128/sha1 0x112952fe 1591/ unlim - root 500 10.21.18.41 >506755 ESP:aes-cbc-128/sha1 0xc0afcff0 1604/ unlim - root 500 10.21.26.100 <506755 ESP:aes-cbc-128/sha1 0x149201f5 1604/ unlim - root 500 10.21.26.100 >508023 ESP:aes-cbc-128/sha1 0xa1a90af8 1612/ unlim - root 500 10.21.31.87 <508023 ESP:aes-cbc-128/sha1 0x02dc5e3b 1612/ unlim - root 500 10.21.31.87 >509190 ESP:aes-cbc-128/sha1 0xee52074d 1621/ unlim - root 500 10.21.35.230 <509190 ESP:aes-cbc-128/sha1 0x0f43c16e 1621/ unlim - root 500 10.21.35.230 >505051 ESP:aes-cbc-128/sha1 0x24130b1c 1593/ unlim - root 500 10.21.19.188 <505051 ESP:aes-cbc-128/sha1 0x149200d9 1593/ unlim - root 500 10.21.19.188 >513214 ESP:aes-cbc-128/sha1 0x2c4752d1 1676/ unlim - root 500 10.21.51.158 <513214 ESP:aes-cbc-128/sha1 0x071b8dd3 1676/ unlim - root 500 10.21.0.51.158 >510808 ESP:aes-cbc-128/sha1 0x4acd94d3 1637/ unlim - root 500 10.21.42.56 <510808 ESP:aes-cbc-128/sha1 0x071b8c42 1637/ unlim - root 500 10.21.42.56
显示安全 IPsec 安全关联 (IPv6)
user@host> show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway 131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112 131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
显示安全 IPsec 安全关联索引511672
user@host> show security ipsec security-associations index 511672 ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152 Traffic Selector Name: ts Local Identity: ipv4(10.191.151.0-10.191.151.255) Remote Identity: ipv4(10.40.151.0-10.40.151.255) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 1, KMD-Instance 0 Anchorship: Thread 10 Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1639 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1257 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1639 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1257 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联索引131073详细信息
user@host> show security ipsec security-associations index 131073 detail ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1 Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1 Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1 Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39 Multi-sa, Configured SAs# 9, Negotiated SAs#: 9 Tunnel events: Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times) Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times) Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times) Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times) Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times) Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times) Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1563 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: default Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1563 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: default Direction: inbound, SPI: 5d227e19, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1551 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Multi-sa FC Name: best-effort Direction: outbound, SPI: 5490da, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1930 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1551 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 ...
从 Junos OS 18.2R1 版开始,CLI show security ipsec security-associations index index-number detail
输出显示所有子 SA 详细信息,包括转发类名称。
显示安全 IPsec SA
user@host> show security ipsec sa Total active tunnels: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway >67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2 >67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2 >67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2 >67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2
显示安全 IPsec SA 详细信息
user@host> show security ipsec sa detail ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv1 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 1, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 91 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 44 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 tunnel-establishment: establish-tunnels-responder-only-no-rekey Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 91 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 44 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 tunnel-establishment: establish-tunnels-responder-only-no-rekey ...
从 Junos OS 19.1R1 版开始,CLI show security ipsec sa detail
输出中的新字段隧道建立会显示在层次结构下ipsec vpn establish-tunnels
配置的选项。
从 Junos OS 21.3R1 版开始,CLI show security ipsec sa detail
输出中的新字段隧道 MTU 会显示在层次结构下ipsec vpn hub-to-spoke-vpn tunnel-mtu
配置的选项。
从 Junos OS 版本 22.1R3 开始,如果未配置隧道 MTU,则SRX5000系列设备上,隧道 MTU 不会显示在 CLI 输出中。
显示安全 IPsec SA 详细信息 (MX-SPC3)
user@host> show security ipsec sa detail ID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420 Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: default-profile Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 23904 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 23288 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Enabled tunnel-establishment: establish-tunnels-immediately Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 23904 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 23288 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Enabled tunnel-establishment: establish-tunnels-immediately
显示使用被动模式隧道的安全 IPsec SA 详细信息 (MX-SPC3)
user@host> show security ipsec sa detail ID: 500054 Virtual-system: root, VPN Name: TUN_3 Local Gateway: 100.0.0.3, Remote Gateway: 200.0.0.3 Traffic Selector Name: ts1 Local Identity: ipv4(11.0.0.3-11.0.0.3) Remote Identity: ipv4(75.0.0.3-75.0.0.3) TS Type: traffic-selector Version: IKEv2 Quantum Secured: No PFS group: N/A SRG ID: 0 Passive mode tunneling: Enabled DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.3, Policy-name: IPSEC_POLICY Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Mon Sep 19 2022 19:27:44: IPsec SA negotiation succeeds (1 times) Location: FPC 3, PIC 1, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: vms-3/1/0 Direction: inbound, SPI: 0x25c03740, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expired Lifesize Remaining: Expired Soft lifetime: Expires in 2920 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 512 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 122 Direction: outbound, SPI: 0x8e8f2009, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expired Lifesize Remaining: Expired Soft lifetime: Expires in 2920 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 512 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 122
显示安全 IPsec 安全关联
user@host>show security ipsec security-association Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2
显示安全 IPsec 安全关联简介
user@host> show security ipsec security-associations brief Total active tunnels: 2 Total Ipsec sas: 18 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes256/sha256 89e5098 1569/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 10.5.0.1 <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 10.5.0.1 >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 10.5.0.1 ...
显示安全 IPsec 安全关联详细信息
user@host> show security ipsec security-associations detail ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1 Local Identity: ipv4(10.0.0.0-255.255.255.255) Remote Identity: ipv4(10.0.0.0-255.255.255.255) Version: IKEv1 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 0 Distribution-Profile: default-profile IKE SA Index: 2068 Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 146 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 101 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-on-traffic Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 146 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 101 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-on-traffic
显示启用了 VPN 监控的安全 IPsec 安全关联
user@host> show security ipsec security-associations Total active tunnels: 1 Total Ipsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <131073 ESP:aes-gcm-256/None 15e8de2c 2086/ unlim U root 500 3.0.0.1 >131073 ESP:aes-gcm-256/None 2a1f46fb 2086/ unlim U root 500 3.0.0.1 VPN Monitoring: UP
显示启用了 VPN 监控时的安全 IPsec 安全关联详细信息
user@host> show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: SPK_VPN1 Local Gateway: 3.0.0.2, Remote Gateway: 3.0.0.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1 Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Multi-sa, Configured SAs# 1, Negotiated SAs#: 1 Direction: inbound, SPI: 15e8de2c, AUX-SPI: 0 , VPN Monitoring: UP Mode: optimized Interval:10sec Threshold: 3 Hard lifetime: Expires in 1314 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 708 seconds Mode: Tunnel(10 5), Type: dynamic, State: installed Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 2a1f46fb, AUX-SPI: 0 , VPN Monitoring: UP Mode: optimized Interval:10sec Threshold: 3 Hard lifetime: Expires in 1313 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 707 seconds Mode: Tunnel(10 5), Type: dynamic, State: installed Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联系列 INET6
user@host> show security ipsec security-associations family inet6 Virtual-system: root Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) DF-bit: clear Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3440 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2813 seconds Mode: tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3440 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2813 seconds Mode: tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联 FPC 6 PIC 1 kmd 实例全部(SRX 系列防火墙)
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all Total active tunnels: 1 ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys <2 192.168.1.2 500 ESP:aes256/sha256 67a7d25d 28280/unlim - 0 >2 192.168.1.2 500 ESP:aes256/sha256 a23cbcdc 28280/unlim - 0
显示安全 IPsec 安全关联详细信息(ADVPN 建议器、静态隧道)
user@host> show security ipsec security-associations detail ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear Bind-interface: st0.1 Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29 Tunnel events: Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times) Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times) Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Location: FPC 0, PIC 3, KMD-Instance 2 Direction: inbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 3, KMD-Instance 2 Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 1335 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 996 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
显示安全 IPsec 安全关联详细信息(ADVPN 伙伴,静态隧道)
user@host> show security ipsec security-associations detail ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Bind-interface: st0.1 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29 Tunnel events: Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times) Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times) Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times) Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times) Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: 43de5d65, AUX-SPI: 0 Hard lifetime: Expires in 941 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 556 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联 SA 类型快捷方式 (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111 >268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111
显示安全 IPsec 安全关联 SA 类型快捷方式详细信息 (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut detail node0: -------------------------------------------------------------------------- ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Auto Discovery VPN: Type: Shortcut, Shortcut Role: Initiator Version: IKEv2 DF-bit: clear, Bind-interface: st0.1 Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29 Tunnel events: Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times) Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times) Direction: inbound, SPI: b7a5518, AUX-SPI: 0 Hard lifetime: Expires in 1766 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1381 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: b7e0268, AUX-SPI: 0 Hard lifetime: Expires in 1766 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1381 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联家族 inet 详细信息
user@host> show security ipsec security-associations family inet detail ID: 131073 Virtual-system: root, VPN Name: ike-vpn Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv1 DF-bit: clear , Copy-Outer-DSCP Enabled Bind-interface: st0.99 Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Tunnel events: Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times) Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times) Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times) Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times) Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times) Location: FPC 0, PIC 1, KMD-Instance 1 Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64 Location: FPC 0, PIC 1, KMD-Instance 1 Direction: outbound, SPI: 727f629d, AUX-SPI: 0 Hard lifetime: Expires in 1713 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1090 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled , Replay window size: 64
显示安全 IPsec 安全关联详细信息 (SRX4600)
user@host> show security ipsec security-associations detail ID: 131073 Virtual-system: root, VPN Name: ike-vpn Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv2 DF-bit: clear, Bind-interface: st0.0 Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 Tunnel events: Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 6 Direction: inbound, SPI: 812c9c01, AUX-SPI: 0 Hard lifetime: Expires in 2224 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1598 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 7 Direction: outbound, SPI: c4de0972, AUX-SPI: 0 Hard lifetime: Expires in 2224 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1598 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64
显示安全 IPsec 安全关联详细信息(SRX5400、SRX5600、SRX5800)
与隧道中的每个 IPsec SA 对应的新输出字段 IKE SA Index
将显示在每个 IPsec SA 信息下。
user@host> show security ipsec security-associations detail ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118 Traffic Selector Name: TS_DEFAULT Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(10.181.235.224-10.181.235.224) Version: IKEv2 PFS group: N/A DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 7, PIC 1, KMD-Instance 0 Anchorship: Thread 15 Distribution-Profile: default-profile Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 644 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 159 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 22 Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 644 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 159 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 22 Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1771 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1391 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 40 Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1771 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1391 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits) Anti-replay service: disabled Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 40
显示安全 IPsec 安全关联 HA-Link 加密(SRX5400、SRX5600、SRX5800)
从 Junos OS 20.4R1 版开始,配置高可用性 (HA) 功能时,可以使用此 show 命令仅查看机箱间链路隧道详细信息。
user@host> show security ipsec security-associations ha-link-encryption Total active tunnels: 1 Total IPsec sas: 91 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495001 ESP:aes-gcm-256/aes256-gcm 0x0047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x0c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x0c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1446c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1847658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1846c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x1c47658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x1c46c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2047658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2046c5cd 298/ unlim - root 500 10.23.0.2 <495001 ESP:aes-gcm-256/aes256-gcm 0x2447658d 298/ unlim - root 500 10.23.0.2 >495001 ESP:aes-gcm-256/aes256-gcm 0x2446c5cd 298/ unlim - root 500 10.23.0.2 ...
显示安全 IPsec SA 详细信息 HA-链路加密(SRX5400、SRX5600、SRX5800)
从 Junos OS 20.4R1 版开始,配置高可用性 (HA) 功能时,可以使用此 show 命令仅查看机箱间链路隧道详细信息。它显示为机箱间链路加密隧道创建的多个 SA。
user@host> show security ipsec sa detail ha-link-encryption ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2 Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__ Local Identity: ipv4(180.100.1.1-180.100.1.1) Remote Identity: ipv4(180.100.1.2-180.100.1.2) Version: IKEv2 PFS group: DH-Group-24 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 HA Link Encryption Mode: Multi-Node Location: FPC -, PIC -, KMD-Instance - Anchorship: Thread - Distribution-Profile: default-profile Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 15 IKE SA Index: 4294966297 Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 15 IKE SA Index: 4294966297 Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 294 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 219 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately Location: FPC 1, PIC 0, KMD-Instance 0 Anchorship: Thread 16 IKE SA Index: 4294966297 Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0 , VPN Monitoring: - ...
在 Junos OS 22.3R1 及更高版本中,配置机箱群集 HA 控制链路加密功能时,可以执行 show security ike sa ha-link-encryption detail
、 show security ipsec sa ha-link-encryption detail
和 show security ipsec sa ha-link-encryption
命令来查看机箱群集控制链路加密隧道详细信息。
显示安全 IKE SA HA-LINK-加密详细信息
user@host> show security ike sa ha-link-encryption detail IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0 Role: Initiator, State: UP Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f Exchange type: IKEv2, Authentication method: Pre-shared-keys Local gateway interface: em0 Routing instance: __juniper_private1__ Local: 10.7.0.2:500, Remote: 10.2.0.1:500 Lifetime: Expires in 24856 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Remote Access Client Info: Unknown Client Peer ike-id: 10.2.0.1 AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes256-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-2 Traffic statistics: Input bytes : 200644 Output bytes : 200644 Input packets: 2635 Output packets: 2635 Input fragmented packets: 0 Output fragmented packets: 0 IPSec security associations: 6 created, 3 deleted Phase 2 negotiations in progress: 1 IPSec Tunnel IDs: 495002 Negotiation type: Quick mode, Role: Initiator, Message ID: 0 Local: 10.7.0.2:500, Remote: 10.2.0.1:500 Local identity: 10.7.0.2 Remote identity: 10.2.0.1 Flags: IKE SA is created IPsec SA Rekey CREATE_CHILD_SA exchange stats: Initiator stats: Responder stats: Request Out : 1 Request In : 1 Response In : 1 Response Out : 1 No Proposal Chosen In : 0 No Proposal Chosen Out : 0 Invalid KE In : 0 Invalid KE Out : 0 TS Unacceptable In : 0 TS Unacceptable Out : 0 Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0 Res Verify SA Fail : 0 Res Verify DH Group Fail: 0 Res Verify TS Fail : 0
显示安全 IPsec SA HA-链路加密详细信息
user@host> show security ipsec sa ha-link-encryption detail ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0 Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1 Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu Local Identity: ipv4(10.7.0.2-10.7.0.2) Remote Identity: ipv4(10.2.0.1-10.2.0.1) TS Type: traffic-selector Version: IKEv2 PFS group: DH-group-24 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0 Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 HA Link Encryption Mode: L2 Chassis Cluster Location: FPC -, PIC -, KMD-Instance - Anchorship: Thread - Distribution-Profile: default-profile Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3435 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2818 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 4294966274 Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3435 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2818 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 4294966274
显示安全 IPsec SA HA-链路加密
user@host> show security ipsec sa ha-link-encryption Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <495002 ESP:aes-cbc-256/sha1 0x35fae26b 3484/ unlim - root 500 10.2.0.1 >495002 ESP:aes-cbc-256/sha1 0x0a2b9927 3484/ unlim - root 500 10.2.0.1
显示安全 IPsec 安全关联详细信息(SRX 系列防火墙和 MX 系列路由器)
在 Junos OS 20.4R2、21.1R1 及更高版本中,您可以执行 show security ipsec security-associations detail
命令来查看 VPN 的流量选择器类型。
user@host> show security ipsec security-associations detail ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2 Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1 Traffic Selector Name: ts1 Local Identity: ipv4(10.20.20.0-10.20.20.255) Remote Identity: ipv4(10.10.10.0-10.10.10.255) TS Type: traffic-selector Version: IKEv2 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1798 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1397 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 17 Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1798 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1397 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 17 ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1 Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1 Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(0.0.0.0-255.255.255.255) TS Type: proxy-id Version: IKEv2 PFS group: DH-group-14 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times) Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1755 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1339 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 18 Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 1755 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 1339 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-immediately IKE SA Index: 18
- 显示安全 IPsec 安全关联详细信息(SRX5400、SRX5600、SRX5800)
- 显示安全 IPsec 安全关联 SRG-ID
- 显示安全 IPsec 安全关联节点本地
- 显示安全 IPsec 安全关联节点本地详细信息
显示安全 IPsec 安全关联详细信息(SRX5400、SRX5600、SRX5800)
从 Junos OS 21.1R1 版开始,您可以查看流量选择器详细信息,包括本地身份、远程身份、协议、源端口范围、为 IPsec SA 定义的多个术语的目标端口范围。
在早期的 Junos 版本中,特定 SA 的流量选择是使用使用 IP 地址或网络掩码定义的现有 IP 范围执行的。从 Junos OS 21.1R1 版开始,还可以通过使用 指定的 protocol_name协议选择流量。此外,还为源端口号和目标端口号指定的低端口范围和高端口范围。
user@host> show security ipsec security-associations detail ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1 Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2 Traffic Selector Name: ts1 Local Identity: Protocol Port IP 17/UDP 100-200 198.51.100.0-198.51.100.255 6/TCP 250-300 198.51.100.0-198.51.100.255 Remote Identity: Protocol Port IP 17/UDP 150-200 10.80.0.1-10.80.0.1 6/TCP 250-300 10.80.1.1-10.80.1.1 Version: IKEv2 DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Location: FPC 0, PIC 0, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: ……… Direction: outbound, SPI: …………
显示安全 IPsec 安全关联 SRG-ID
user@host> show security ipsec security-associations srg-id 1 Total active tunnels: 1 Total IPsec sas: 2 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <17277217 ESP:aes-cbc-256/sha256 0xc7faee3e 1440/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0x7921d472 1440/ unlim - root 500 10.112.0.1 <17277217 ESP:aes-cbc-256/sha256 0xf1a01dd4 1498/ unlim - root 500 10.112.0.1 >17277217 ESP:aes-cbc-256/sha256 0xa0b77273 1498/ unlim - root 500 10.112.0.1
显示安全 IPsec 安全关联节点本地
user@host> show security ipsec security-associations node-local Total active tunnels: 1 Total IPsec sas: 1 ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway <500001 ESP:aes-cbc-256/sha256 0x5f2fdf60 3093/ unlim - root 500 6.0.0.2 >500001 ESP:aes-cbc-256/sha256 0x293e67e0 3093/ unlim - root 500 6.0.0.2
显示安全 IPsec 安全关联节点本地详细信息
user@host> show security ipsec security-associations node-local ID: 500003 Virtual-system: root, VPN Name: IPSEC_VPN Local Gateway: 4.0.0.1, Remote Gateway: 6.0.0.2 Local Identity: ipv4(0.0.0.0-255.255.255.255) Remote Identity: ipv4(0.0.0.0-255.255.255.255) TS Type: proxy-id Version: IKEv2 Quantum Secured: No PFS group: DH-group-19 Passive mode tunneling: Disabled DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 Tunnel events: Sun Apr 09 2023 22:22:27: IPsec SA negotiation succeeds (1 times) Location: FPC 1, PIC 1, KMD-Instance 0 Anchorship: Thread 1 Distribution-Profile: default-profile Direction: inbound, SPI: 0x8c8c3761, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3564 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2884 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 25 Direction: outbound, SPI: 0x0e798f8c, AUX-SPI: 0 , VPN Monitoring: - Hard lifetime: Expires in 3564 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2884 seconds Mode: Tunnel(0 0), Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits) Anti-replay service: counter-based enabled, Replay window size: 64 Extended-Sequence-Number: Disabled tunnel-establishment: establish-tunnels-responder-only IKE SA Index: 25
发布信息
在 Junos OS 8.5 版中引入的命令。支持 Junos OS 11.1 版中添加的选项 family
。
支持 Junos OS 11.4R3 版中添加的选项 vpn-name
。支持 Junos OS 12.1X46-D10 版中添加的选项 traffic-selector
和流量选择器字段。
支持 Junos OS 版本 12.3X48-D10 中添加的自动发现 VPN (ADVPN)。
Junos OS 版本 15.1X49-D70 中添加了对 IPsec 数据路径验证的支持。
支持 Junos OS 17.4R1 版中添加的线程锚定。
从 Junos OS 18.2R2 版开始, show security ipsec security-assocations detail
命令输出将包括安全关联 (SA) 的线程锚点信息。
从 Junos OS 19.4R1 版开始,我们弃用了在 show 命令show security ipsec sa
下显示安全关联 (SA) 的新 iked 进程中的 CLI 选项fc-name
(COS 转发类名)。
ha-link-encryption
支持 Junos OS 20.4R1 版中添加的选项。
支持 Junos OS 22.4R1 版中添加的选项 srg-id
。
Junos OS 23.1R1 版中引入了对 passive-mode-tunneling
MX-SPC3 上的支持。
Junos OS 23.2R1 版中添加了对 node-local
选项的支持。
从 Junos OS 版本 23.4R1 开始, kmd-instance
仅当您具有 kmd
IPsec VPN 进程时,选项才可用。使用 iked
包启用 junos-iked
进程时,此选项不可用。
Junos OS 23.4R1 版中添加了对运行 iked 进程的 IPsec VPN 命令输出中的生命大小(以千字节为单位)、剩余生存大小和 VPN 监控信息的支持。