Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

show ike security-associations

Syntax

show ike security-associations<brief | detail> <peer-address>

Release Information

Command introduced before Junos OS Release 7.4.

Description

(Encryption interface on M Series and T Series routers only) Display information about Internet Key Exchange (IKE) security associations.

Options

none

Display standard information about all IKE security associations.

brief | detail

(Optional) Display the specified level of output.

peer-address

(Optional) Display IKE security associations for the specified peer address.

Required Privilege Level

view

 

Related Documentation

 

List of Sample Output

show ike security-associations
show ike security-associations detail

Output Fields

Table 1 lists the output fields for the show ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show ike security-associations Output Fields

Field Name

Field Description

Level of Output

IKE peer

Remote end of the IKE negotiation.

detail

Role

Part played in the IKE session. The router triggering the IKE negotiation is the initiator, and the router accepting the first IKE exchange packets is the responder.

detail

Remote Address

Responder's address.

none specified

State

State of the IKE security association:

  • Matured—The IKE security association is established.
  • Not matured—The IKE security association is in the process of negotiation.

none specified

Initiator cookie

When the IKE negotiation is triggered, a random number is sent to the remote node.

All levels

Responder cookie

The remote node generates its own random number and sends it back to the initiator as a verification that the packets were received.

Of the numerous security services available, protection against denial of service (DoS) is one of the most difficult to address. A “cookie” or anticlogging token (ACT) is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. An exchange prior to CPU-intensive public key operations can thwart some DoS attempts (such as simple flooding with invalid IP source addresses).

All levels

Exchange type

Specifies the number of messages in an IKE exchange, and the payload types that are contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. Junos OS supports two types of exchanges:

  • Main—The exchange is done with six messages. Main encrypts the payload, protecting the identity of the neighbor.
  • Aggressive—The exchange is done with three messages. Aggressive does not encrypt the payload, leaving the identity of the neighbor unprotected.

All Levels

Authentication method

Type of authentication determines which payloads are exchanged and when they are exchanged. The Junos OS supports only pre-shared keys.

detail

Local

Prefix and port number of the local end.

detail

Remote

Prefix and port number of the remote end.

detail

Lifetime

Number of seconds remaining until the IKE security association expires.

detail

Algorithms

Header for the IKE algorithms output.

  • Authentication—Type of authentication algorithm used:md5 or sha1.
  • Encryption—Type of encryption algorithm used: des-cbc, 3des-cbc, or None.
  • Pseudo random function—Function that generates highly unpredictable random numbers:hmac-md5 orhmac-sha1.

detail

Traffic statistics

Number of bytes and packets received and transmitted on the IKE security association.

  • Input bytes, Output bytes—Number of bytes received and transmitted on the IKE security association.
  • Input packets, Output packets—Number of packets received and transmitted on the IKE security association.

detail

Flags

Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.
  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

detail

IPsec security associates

Number of IPsec security associations created and deleted with this IKE security association.

detail

Phase 2 negotiations in progress

Number of phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of phase 2 negotiation. The Junos OS currently supports quick mode.
  • Message ID—Unique identifier for a phase 2 negotiation.
  • Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
  • Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)
  • Flags—Notification to the key management process of the status of the IKE negotiation:
    • caller notification sent—Caller program notified about the completion of the IKE negotiation.
    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

detail

Sample Output

show ike security-associations

user@host> show ike security-associations 
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
4.4.4.4         Matured       93870456fa000011  723a20713700003e  Main

show ike security-associations detail

user@host> show ike security-associations detail 
IKE peer 4.4.4.4
  Role: Initiator, State: Matured
  Initiator cookie: cf22bd81a7000001, Responder cookie: fe83795c2800002e
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 4.4.4.5:500, Remote: 4.4.4.4:500
  Lifetime: Expires in 187 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input  bytes  :                 1000
   Output bytes  :                 1280
   Input  packets:                    5
   Output packets:                    9
  Flags: Caller notification sent
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

Negotiation type: Quick mode, Role: Initiator, Message ID: 3582889153
    Local: 4.4.4.5:500, Remote: 4.4.4.4:500
    Local identity: ipv4_subnet(tcp:80,[0..7]=10.1.1.0/24)
    Remote identity: ipv4_subnet(tcp:100,[0..7]=10.1.2.0/24)
    Flags: Caller notification sent, Waiting for done

Published: 2013-03-14

Supported Platforms

 

Related Documentation

 

Published: 2013-03-14

Previous Page Next Page