show security ipsec security-associations

Syntax

show security ipsec security-associations
<brief | detail>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<pic slot-number>
<family (inet | inet6)>
<vpn-name vpn-name <traffic-selector traffic-selector-name>>

Release Information

Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance options added in Junos OS Release 9.3. Support for the family option added in Junos OS Release 11.1. Support for the vpn-name option added in Junos OS Release 11.4R3. Support for the traffic-selector option and traffic selector field added in Junos OS Release 12.1X46-D10.

Description

Display information about the IPsec security associations (SAs).

Options

  • none—Display information about all SAs.
  • brief | detail—(Optional) Display the specified level of output.
  • fpc slot-number—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.
  • index SA-index-number—(Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.
  • kmd-instance—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs held by the key management process (KMD) identified by the FPC slot-number and PIC slot-number. This option is used to filter the output.
    • all—All KMD instances running on the Services Processing Unit (SPU).
    • kmd-instance-name—Name of the KMD instance running on the SPU.
  • pic slot-number—(Optional) Specific to SRX Series devices. Display information about existing IPsec SAs in this PIC slot. This option is used to filter the output.
  • family—(Optional) Display SAs by address family. This option is used to filter the output.
    • inet—IPv4 address family.
    • inet6—IPv6 address family.
  • vpn-name vpn-name—(Optional) Display only the SAs belonging to the named VPN. If the VPN is configured with traffic selectors, traffic-selector traffic-selector-name can optionally be specified to narrow the output to a single traffic selector.

Required Privilege Level

view

List of Sample Output

show security ipsec security-associations (IPv4)
show security ipsec security-associations (IPv6)
show security ipsec security-associations index 5
show security ipsec security-associations brief
show security ipsec security-associations detail
show security ipsec security-associations detail (SRX Series Devices)
show security ipsec security-associations family inet6
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)

Output Fields

Table 1 lists the output fields for the show security ipsec security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec security-associations

Field Name

Field Description

Total active tunnels

Total number of active IPsec tunnels.

ID

Index number of the SA. You can use this number to get additional information about the SA.

VPN name

Name of the IPsec VPN to which the SA belongs.

Gateway

IP address of the remote gateway.

Port

UDP port used for IKE with the remote peer. If Network Address Translation (NAT) is detected between the peers, NAT traversal is in use and this value is 4500 (IKE and UDP-encapsulated ESP share that port). Otherwise, it is the standard IKE port, 500.

Algorithm

IPsec protocol and the cryptographic algorithms negotiated for this SA during the IKE Phase 2 negotiation, displayed as protocol:encryption/authentication (for example, ESP:3des/sha1):

  • An authentication algorithm used to verify the integrity and origin of protected traffic. Options are hmac-md5-96 or hmac-sha1-96.
  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des-cbc.

des-cbc and 3des-cbc remain available for interoperability with older peers; where the peer supports it, prefer one of the AES options, since SAs still showing des or 3des in this column are the ones an auditor will flag first.

SPI

Security parameter index (SPI) of the SA. Together with the destination address and the protocol (ESP or AH), the SPI uniquely identifies an SA, and the receiver uses it to look up the keys and algorithms for an incoming packet. IPsec SAs are unidirectional, so each tunnel is displayed as a pair of entries with one SPI per direction, each carrying the name of the VPN, the remote gateway address, the encryption and authentication algorithms, and keys. The Phase 1 (IKE) SA is a separate object and is not shown here; use show security ike security-associations to display it.

Life: sec/kb

Remaining lifetime of the SA, displayed as seconds remaining / kilobytes remaining. The SA is replaced or torn down when either limit is reached. If no lifesize (kilobyte) limit is configured, the kilobyte value is shown as unlim.

Sta

State has two options, Installed and Not Installed.

  • Installed—The SA is installed in the SA database.
  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

Mon

The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA.

vsys or Virtual-system

Virtual system to which the SA belongs. For the root system this is displayed as root (shown as 0 in some releases, as in the IPv4 sample output).

Tunnel index

Numeric identifier of the specific IPsec tunnel for the SA.

Local gateway

Gateway address of the local system.

Remote gateway

Gateway address of the remote system.

Traffic selector

Name of the traffic selector.

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote identity

Identity of the remote peer, specified in the same forms as Local identity. In the sample output this is the remote proxy identity (the address range or subnet whose traffic the SA protects), not the remote gateway address, which is shown separately.

DF-bit

State of the don't fragment bit: set or cleared.

Bind interface

The tunnel interface to which VPN is bound.

Policy-name

Name of the applicable policy.

Location

FPC—Flexible PIC Concentrator (FPC) slot number.

PIC—PIC slot number.

KMD-Instance—Name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, four KMD instances run on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance.

Direction

Direction of the SA; it can be inbound or outbound.

AUX-SPI

Value of the auxiliary security parameter index (SPI).

  • When the protocol is AH alone or ESP alone, AUX-SPI is always 0.
  • When the protocol is AH+ESP, AUX-SPI is always a positive integer.

Mode

Mode of the SA:

  • transport—Protects host-to-host connections.
  • tunnel—Protects connections between security gateways.

Type

Type of the SA:

  • manual—Security parameters require no negotiation. They are static and are configured by the user.
  • dynamic—Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State

State of the SA:

  • Installed—The SA is installed in the SA database.
  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

Protocol

IPsec protocol in use. Both transport mode and tunnel mode support Encapsulating Security Payload (ESP) and Authentication Header (AH). The same output line also shows:

  • Authentication—Authentication algorithm in use (for example, hmac-sha1-96).
  • Encryption—Encryption algorithm in use (for example, 3des-cbc).

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire.

A dynamic SA has both a soft and a hard lifetime. The soft lifetime expires first, which gives the key management system time to negotiate a replacement SA before the hard lifetime expires and traffic is interrupted. During that rekey the old and new SAs for a direction coexist briefly, which is why an SA whose soft lifetime shows Expired can appear next to a fresh SA for the same direction (see the index 5 sample output).

  • Expires in seconds—Number of seconds left until the soft lifetime expires. Displayed as Expired once it has passed.

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds—Number of seconds left until the SA expires.

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

  • Expires in kilobytes—Number of kilobytes left until the SA expires.

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size

Configured size of the anti-replay window, in packets. It can be 32 or 64. If the replay window size is 0, the anti-replay service is disabled.

The anti-replay window protects the receiver against replay attacks: each ESP or AH packet carries a sequence number, and the receiver rejects packets whose sequence number is older than the window or has already been seen.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

Sample Output

show security ipsec security-associations (IPv4)

user@host> show security ipsec security-associations
Total active tunnels: 1
ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
  131075 11.0.28.241    500   ESP:3des/sha1   86758ff0 6918/ unlim   -   0 
  131075 11.0.28.241    500   ESP:3des/sha1   3183ff26 6918/ unlim   -   0

Sample Output

show security ipsec security-associations (IPv6)

user@host> show security ipsec security-associations
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway   
  131074 ESP:3des/sha1 14caf1d9 3597/ unlim   -   root 500   1212::1112      
  131074 ESP:3des/sha1 9a4db486 3597/ unlim   -   root 500   1212::1112	  

Sample Output

show security ipsec security-associations index 5

user@host> show security ipsec security-associations index 5
ID: 131073 Virtual-system: root, VPN Name: tropic
Local gateway: 1.1.1.1, Remote gateway: 1.1.1.2
Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote identity: ipv4_subnet(any:0,[0...7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear
Bind-interface: st0.3
Policy-name: my-policy

Direction: inbound, SPI: 494001027, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expired
Hard lifetime: Expires in 130 seconds
Lifesize Remaining: Unlimited
Anti-replay service: Enabled, Replay window size: 64

Direction: inbound, SPI: 1498711950, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 40 seconds
Hard lifetime: Expires in 175 seconds
Lifesize Remaining: Unlimited
Anti-replay service: Enabled, Replay window size: 64

Direction: outbound, SPI: 4038397695, AUX-SPI: 0
Mode: tunnel, Type: dynamic, State: Installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Soft lifetime: Expires in 40 seconds
Hard lifetime: Expires in 175 seconds
Lifesize Remaining: Unlimited
Anti-replay service: Enabled, Replay window size: 64      

Sample Output

show security ipsec security-associations brief

user@host> show security ipsec security-associations brief
Total active tunnels: 2
ID      Gateway          Port  Algorithm       SPI       Life:sec/kb  Mon vsys
<16384  1.1.1.1          500   ESP:3des/sha1   af88baa   28795/unlim  D   0
>16384  1.1.1.1          500   ESP:3des/sha1   f4e3e5f4  28795/unlim  D   0
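The summary table above is what most monitoring scripts scrape, and two details trip them up: the column order differs between the IPv4 and IPv6 forms of the output, and the lifetime is printed as "6918/ unlim" with a space after the slash. The Python below is an added example, not Juniper code; it maps columns from the header line, normalizes the lifetime token, and then checks that every tunnel ID has its pair of SAs and lists SAs close to expiry. The sample text it parses is constructed from the outputs shown on this page (the second tunnel in the first sample is deliberately missing its second SA).

```python
"""Parse the summary table of `show security ipsec security-associations`."""
import re
from collections import defaultdict

# Constructed samples modelled on this page's summary outputs (not device
# captures).  Column order differs between the two forms, and tunnel 131075
# in the first sample is deliberately missing its second SA.
SAMPLE_BRIEF = """\
Total active tunnels: 2
ID Gateway Port Algorithm SPI Life:sec/kb Mon vsys
<16384 1.1.1.1 500 ESP:3des/sha1 af88baa 28795/unlim D 0
>16384 1.1.1.1 500 ESP:3des/sha1 f4e3e5f4 28795/unlim D 0
  131075 11.0.28.241    500   ESP:3des/sha1   86758ff0 6918/ unlim   -   0
"""
SAMPLE_IPV6 = """\
Total active tunnels: 1
ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  131074 ESP:3des/sha1 14caf1d9 3597/ unlim   -   root 500   1212::1112
  131074 ESP:3des/sha1 9a4db486 3597/ unlim   -   root 500   1212::1112
"""


def parse_summary(text):
    """Return one dict per SA row, keyed by the header names plus derived keys.

    The header line drives the column mapping, because the column order is
    not the same in every release or address family.
    """
    rows, header = [], None
    for raw in text.splitlines():
        # Junos prints the lifetime as '6918/ unlim'; close the gap so the
        # row still splits into exactly one token per header column.
        line = re.sub(r"/\s+", "/", raw.strip())
        if not line or line.startswith("Total active tunnels"):
            continue
        if line.startswith("ID "):
            header = line.split()
            continue
        fields = line.split()
        if header is None or len(fields) != len(header):
            continue  # not a data row
        row = dict(zip(header, fields))
        # A leading '<' or '>' on the ID marks inbound/outbound in newer output.
        marker, row["ID"] = row["ID"][0], row["ID"].lstrip("<>")
        row["Direction"] = {"<": "inbound", ">": "outbound"}.get(marker, "unknown")
        row["Protocol"], _, algs = row["Algorithm"].partition(":")
        row["Encryption"], _, row["Authentication"] = algs.partition("/")
        secs, _, kb = row["Life:sec/kb"].partition("/")
        row["life_sec"] = int(secs)
        row["life_kb"] = None if kb == "unlim" else int(kb)
        rows.append(row)
    return rows


def declared_tunnel_count(text):
    """The 'Total active tunnels' value, for cross-checking against the rows."""
    m = re.search(r"Total active tunnels:\s*(\d+)", text)
    return int(m[1]) if m else None


def incomplete_tunnels(rows):
    """IDs that do not have exactly two SAs (one per direction)."""
    by_id = defaultdict(list)
    for r in rows:
        by_id[r["ID"]].append(r)
    return sorted(i for i, sas in by_id.items() if len(sas) != 2)


def expiring_within(rows, seconds):
    """(ID, SPI) pairs whose remaining lifetime in seconds is below `seconds`."""
    return [(r["ID"], r["SPI"]) for r in rows if r["life_sec"] < seconds]
```

On a device, capture the input with `show security ipsec security-associations | no-more` so paging does not truncate the table, then feed the text to `parse_summary`. Comparing `declared_tunnel_count` with the number of distinct IDs, and running `incomplete_tunnels`, catches the common failure where one direction of a tunnel has been torn down while the other is still installed.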

Sample Output

show security ipsec security-associations detail

user@host> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: tropic
Local Gateway: 1.1.1.2, Remote Gateway: 1.1.1.1
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv2
DF-bit: clear
Bind-interface: st0.3
Direction: inbound, SPI: 184060842, AUX-SPI: 0
Hard lifetime: Expires in 28785 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expired
Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: enabled, Replay window size: 32

Direction: outbound, SPI: 4108576244, AUX-SPI: 0
Hard lifetime: Expires in 28785 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expired
Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
Anti-replay service: enabled, Replay window size: 32

Sample Output

show security ipsec security-associations detail (SRX Series Devices)

user@host> show security ipsec security-associations detail
  ID: 268173313 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS1-ipv6
  Local Identity: ipv6(10::-10::ffff:ffff:ffff:ffff)
  Remote Identity: ipv6(20::-20::ffff:ffff:ffff:ffff)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a468fece, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 2976 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2354 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173316 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS2-ipv4
  Local Identity: ipv4(10.1.1.0-10.1.1.255)
  Remote Identity: ipv4(20.1.0.0-20.1.255.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 417f3cea, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4344027, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3586 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2948 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 268173317 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Local Gateway: 2000::1, Remote Gateway: 2000::2
  Traffic Selector Name: TS3-ipv4
  Local Identity: ipv4(10.1.1.0-10.1.1.255)
  Remote Identity: ipv4(20.1.1.0-20.1.1.255)
  Version: IKEv1
    DF-bit: clear
    Bind-interface: st0.1

  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: c608b29
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: cc9fb573, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3548 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2925 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: a4bde69b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3548 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2925 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
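Given the detail output above, a practitioner usually wants a pass/fail view rather than the raw dump: which tunnels still negotiate des-cbc or IKEv1, whether anti-replay has been switched off, whether a soft lifetime has expired without a replacement SA being installed, and what VPN monitoring reports. The Python below is an added example, not Juniper code, and not a check the command performs itself. It parses the ID and Direction blocks, including the VPN Monitoring value that Junos prints on a continuation line, and applies an audit policy (the weak-algorithm list and the IKEv1 warning) that is this example's own. The sample text is constructed from the outputs shown on this page, with a second tunnel deliberately left in a bad state so that the audit has something to report.

```python
import re

# Constructed sample modelled on this page's detail outputs, not a device
# capture; the second tunnel is deliberately unhealthy so the audit fires.
SAMPLE_DETAIL = """\
  ID: 268173313 Virtual-system: root, VPN Name: ipsec-vpn-to-he-srx
  Version: IKEv1
  Tunnel Down Reason: SA not initiated
    Direction: inbound, SPI: 3d75aeff, AUX-SPI: 0
                              , VPN Monitoring: -
    Soft lifetime: Expires in 2354 seconds
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: a468fece, AUX-SPI: 0
                              , VPN Monitoring: -
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

  ID: 131073 Virtual-system: root, VPN Name: tropic
  Version: IKEv2
  Direction: inbound, SPI: 184060842, AUX-SPI: 0
  Hard lifetime: Expires in 120 seconds
  Soft lifetime: Expired
  Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-256-cbc
  Anti-replay service: Disabled, Replay window size: 0
  Direction: outbound, SPI: 4108576244, AUX-SPI: 0
  Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: DOWN
  Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-256-cbc
  Anti-replay service: enabled, Replay window size: 32
"""

TUNNEL_RE = re.compile(r"^ID:\s*(\d+).*?VPN Name:\s*(\S+)")
SA_RE = re.compile(r"^Direction:\s*(inbound|outbound),\s*SPI:\s*(\w+)")
PROTO_RE = re.compile(r"^Protocol:\s*([^,\s]+),\s*Authentication:\s*([^,\s]+),\s*Encryption:\s*(\S+)")
REPLAY_RE = re.compile(r"^Anti-replay service:\s*(.+?),\s*Replay window size:\s*(\d+)")
LIFE_RE = re.compile(r"^(Soft|Hard) lifetime:\s*(?:Expires in (\d+) seconds|(Expired))")
MON_RE = re.compile(r"VPN Monitoring:\s*(\S+)")  # often on a continuation line


def parse_detail(text):
    """Return a list of tunnels, each carrying its per-direction SAs."""
    tunnels, tunnel, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := TUNNEL_RE.match(line):
            tunnel = {"id": m[1], "vpn": m[2], "version": None, "down_reason": None, "sas": []}
            tunnels.append(tunnel)
            sa = None
        elif tunnel is None:
            continue  # e.g. `family inet6` output, which prints no ID line
        elif line.startswith("Version:"):
            tunnel["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Tunnel Down Reason:"):
            tunnel["down_reason"] = line.split(":", 1)[1].strip()
        elif m := SA_RE.match(line):
            sa = {"direction": m[1], "spi": m[2], "enc": None, "auth": None, "soft_sec": None,
                  "hard_sec": None, "monitoring": "-", "replay_enabled": None, "replay_window": None}
            tunnel["sas"].append(sa)
        elif sa is None:
            continue
        elif m := PROTO_RE.match(line):
            sa["auth"], sa["enc"] = m[2], m[3]
        elif m := REPLAY_RE.match(line):
            sa["replay_enabled"] = "enabled" in m[1].lower()
            sa["replay_window"] = int(m[2])
        elif m := LIFE_RE.match(line):
            sa[m[1].lower() + "_sec"] = int(m[2] or 0)  # 'Expired' is stored as 0
        if sa is not None and (m := MON_RE.search(line)):
            sa["monitoring"] = m[1]
    return tunnels


WEAK_ALGS = {"des-cbc", "3des-cbc", "hmac-md5-96"}  # this example's policy, not a Junos setting


def audit(tunnels, hard_warn_sec=300):
    """Return one finding string per problem; an empty list means all clear."""
    out = []
    for t in tunnels:
        tag = f"{t['id']} ({t['vpn']})"
        if t["version"] == "IKEv1":
            out.append(f"{tag}: negotiated with IKEv1, prefer IKEv2")
        if t["down_reason"]:
            out.append(f"{tag}: tunnel down reason: {t['down_reason']}")
        for s in t["sas"]:
            st = f"{tag} {s['direction']} SPI {s['spi']}"
            for alg in (s["enc"], s["auth"]):
                if alg in WEAK_ALGS:
                    out.append(f"{st}: weak algorithm {alg}")
            if s["replay_enabled"] is False or s["replay_window"] == 0:
                out.append(f"{st}: anti-replay disabled")
            if s["monitoring"] == "DOWN":
                out.append(f"{st}: VPN monitoring reports DOWN")
            if s["hard_sec"] is not None and s["hard_sec"] < hard_warn_sec:
                out.append(f"{st}: hard lifetime expires in {s['hard_sec']} s")
        # A soft-expired SA is normal mid-rekey, but only while a fresher SA
        # for the same direction is installed next to it.
        for d in ("inbound", "outbound"):
            same = [s for s in t["sas"] if s["direction"] == d]
            if same and all(s["soft_sec"] == 0 for s in same):
                out.append(f"{tag} {d}: soft lifetime expired, no replacement SA")
    return out
```

The rekey check is the one worth getting right: an SA with Soft lifetime: Expired is harmless while the new SA for that direction sits beside it (as in the index 5 sample), and only becomes a finding when it is the sole SA left and the hard lifetime is counting down.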

Sample Output

show security ipsec security-associations family inet6

user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 1212::1111, Remote Gateway: 1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    DF-bit: clear
    Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9a4db486, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64	  

Sample Output

show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Devices)

user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1
ID    Gateway          Port  Algorithm       SPI      Life:sec/kb  Mon vsys
<2    1.1.1.2          500   ESP:3des/sha1   67a7d25d 28280/unlim   -   0
>2    1.1.1.2          500   ESP:3des/sha1   a23cbcdc 28280/unlim   -   0

Modified: 2013-09-20