
show services ipsec-vpn ike security-associations

Syntax

show services ipsec-vpn ike security-associations <brief | detail> <peer-address>

Release Information

Command introduced before Junos OS Release 7.4.

Statistics for Internet Key Exchange (IKE) security associations for each services PIC introduced in Junos OS Release 12.1.

Description

(Adaptive services interface only) Display information for Internet Key Exchange (IKE) security associations. If no security association is specified, the information for all security associations is displayed.

Options

none

(same as brief) Display standard information for all IPsec security associations.

brief | detail

(Optional) Display the specified level of output.

peer-address

(Optional) Display information about a particular security association address.

Required Privilege Level

view

List of Sample Output

show services ipsec-vpn ike security-associations
show services ipsec-vpn ike security-associations detail

Output Fields

Table 1 lists the output fields for the show services ipsec-vpn ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show services ipsec-vpn ike security-associations Output Fields

Field Name

Field Description

Level of Output

IKE peer

Remote end of the IKE negotiation.

detail

Role

Part played in the IKE session. The router triggering the IKE negotiation is the initiator, and the router accepting the first IKE exchange packets is the responder.

detail

Remote Address

Responder's address.

none specified

State

State of the IKE security association:

  • Matured—IKE security association is established.
  • Not matured—The IKE security association is in the process of negotiation.

none specified

Initiator cookie

When the IKE negotiation is triggered, a random number is sent to the remote node.

All levels

Responder cookie

The remote node generates its own random number and sends it back to the initiator as a verification that the packets were received.

Of the numerous security services available, protection against denial of service (DoS) is one of the most difficult to address. A “cookie” or anticlogging token (ACT) is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. An exchange prior to CPU-intensive public key operations can thwart some DoS attempts (such as simple flooding with invalid IP source addresses).

All levels

Exchange type

Specifies the number of messages in an IKE exchange, and the payload types that are contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. Junos OS supports two types of exchanges:

  • Main—The exchange is done with six messages. Main encrypts the payload, protecting the identity of the neighbor.
  • Aggressive—The exchange is done with three messages. Aggressive does not encrypt the payload, leaving the identity of the neighbor unprotected.
  • IKEv2—The exchange is negotiated using IKE version 2.

All levels

PIC

The services PIC for which the IKE security associations are displayed.

All levels

Authentication method

The type of authentication determines which payloads are exchanged and when they are exchanged. The Junos OS supports only pre-shared keys.

detail

Local

Prefix and port number of the local end.

detail

Remote

Prefix and port number of the remote end.

detail

Lifetime

Number of seconds remaining until the IKE security association expires.

detail

Algorithms

Header for the IKE algorithms output.

  • Authentication—(detail output only) Type of authentication algorithm used: md5 or sha1.
  • Encryption—(detail output only) Type of encryption algorithm used: des-cbc, 3des-cbc, or None.
  • Pseudo random function—Function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

detail

Traffic statistics

Number of bytes and packets received and transmitted on the IKE security association.

  • Input bytes, Output bytes—Number of bytes received and transmitted on the IKE security association.
  • Input packets, Output packets—Number of packets received and transmitted on the IKE security association.

detail

Flags

Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.
  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

detail

IPsec security associations

Number of IPsec security associations created and deleted with this IKE security association.

detail

Phase 2 negotiations in progress

Number of phase 2 negotiations in progress and status information:

  • Negotiation type—Type of phase 2 negotiation. The Junos OS currently supports quick mode.
  • Message ID—Unique identifier for a phase 2 negotiation.
  • Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
  • Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).
  • Flags—Notification to the key management process of the status of the IKE negotiation:
    • caller notification sent—Caller program notified about the completion of the IKE negotiation.
    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.
    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.
    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

detail

Sample Output

show services ipsec-vpn ike security-associations

user@host> show services ipsec-vpn ike security-associations
Remote Address  State         Initiator cookie  Responder cookie  Exchange type
6.6.6.1         Matured       062d291d21275fc7  82ef00e3d1f1c981  Main
6.6.6.2         Matured       cd6d581d7bb1664d  88a707779f3ad8d1  Main
6.6.6.3         Matured       86621051e3e78360  6bc5cc83fd67baa4  IKEv2
PIC: sp-0/3/0
6.6.6.7         Matured       565e2813075e6fdb  67886757a74edcd6  IKEv2

show services ipsec-vpn ike security-associations detail

user@host> show services ipsec-vpn ike security-associations detail
IKE peer 3.1.0.2
  Role: Responder, State: Matured
  Initiator cookie: d91c9f20f78e1d4e, Responder cookie: 727a04ed8d5021a1
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 4.1.0.2:500, Remote: 3.1.0.2:500
  Lifetime: Expires in 1357 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Traffic statistics:
   Input  bytes  :                22244
   Output bytes  :                22236
   Input  packets:                  263
   Output packets:                  263
  Flags: Caller notification sent
  IPSec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

IKE peer 4.4.4.4
  Role: Initiator, State: Matured
  Initiator cookie: cf22bd81a7000001, Responder cookie: fe83795c2800002e
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 4.4.4.5:500, Remote: 4.4.4.4:500
  Lifetime: Expires in 187 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  Traffic statistics:
   Input  bytes  :                 1000
   Output bytes  :                 1280
   Input  packets:                    5
   Output packets:                    9
  Flags: Caller notification sent
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Initiator, Message ID: 3582889153
    Local: 4.4.4.5:500, Remote: 4.4.4.4:500
    Local identity: ipv4_subnet(tcp:80,[0..7]=10.1.1.0/24)
    Remote identity: ipv4_subnet(tcp:100,[0..7]=10.1.2.0/24)
    Flags: Caller notification sent, Waiting for done
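As an added example (not Juniper's code and not part of this reference page), the following Python script parses the detail output format shown above and applies the defender-side reading that the field table suggests: an Aggressive exchange leaves the peer identity unprotected, md5, hmac-md5 and des-cbc are the weakest of the algorithms the table lists, and an SA that is Not matured or about to expire deserves a look. The embedded sample is a constructed copy of the 3.1.0.2 and 4.4.4.4 peers above plus a hypothetical 192.0.2.9 peer that exercises the checks; the severity labels, the 60-second lifetime threshold and the choice to treat 3des-cbc as legacy are this example's own policy, not anything the page states.

```python
"""Audit IKE SAs from 'show services ipsec-vpn ike security-associations detail' text.

Added example, not Juniper code: the output format follows the page, the
finding policy (severities, thresholds, legacy list) is this script's own.
"""
import re

# Constructed sample: two peers copied from the page's detail output plus a
# hypothetical 192.0.2.9 peer (Aggressive mode, des-cbc, not yet matured).
SAMPLE_DETAIL = """\
IKE peer 3.1.0.2
  Role: Responder, State: Matured
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local: 4.1.0.2:500, Remote: 3.1.0.2:500
  Lifetime: Expires in 1357 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
  Flags: Caller notification sent
  IPsec security associations: 0 created, 0 deleted
  Phase 2 negotiations in progress: 0

IKE peer 4.4.4.4
  Role: Initiator, State: Matured
  Exchange type: Main, Authentication method: Pre-shared-keys
  Local: 4.4.4.5:500, Remote: 4.4.4.4:500
  Lifetime: Expires in 187 seconds
  Algorithms:
   Authentication        : md5
   Encryption            : 3des-cbc
   Pseudo random function: hmac-md5
  IPsec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1
    Negotiation type: Quick mode, Role: Initiator, Message ID: 3582889153
    Local identity: ipv4_subnet(tcp:80,[0..7]=10.1.1.0/24)
    Remote identity: ipv4_subnet(tcp:100,[0..7]=10.1.2.0/24)
    Flags: Caller notification sent, Waiting for done

IKE peer 192.0.2.9
  Role: Responder, State: Not matured
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Lifetime: Expires in 0 seconds
  Algorithms:
   Authentication        : sha1
   Encryption            : des-cbc
   Pseudo random function: hmac-sha1
"""

# Policy sets (this example's choice): md5/des-cbc/None are the weakest values
# the page lists; 3des-cbc is treated as legacy rather than weak.
WEAK_AUTH, WEAK_PRF = {"md5"}, {"hmac-md5"}
WEAK_ENC, LEGACY_ENC = {"des-cbc", "None"}, {"3des-cbc"}


def _pairs(line):
    """Split 'Key: value, Key2: value2' into pairs; a segment without a colon
    (e.g. the '0 deleted' or 'Waiting for done' tail) is glued to the previous value."""
    out = []
    for seg in line.split(", "):
        if ":" in seg:
            key, val = seg.split(":", 1)  # first colon only: keeps '4.4.4.4:500' intact
            out.append([key.strip(), val.strip()])
        elif out:
            out[-1][1] += ", " + seg.strip()
    return out


def parse_detail(text):
    """Return one dict per IKE peer; phase 2 negotiations land in sa['phase2']."""
    sas, target = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("IKE peer "):
            sas.append({"IKE peer": line[len("IKE peer "):]})
            target = sas[-1]
            continue
        if target is None:
            continue
        if line.startswith("Negotiation type:"):  # phase 2 block has its own Role/Flags
            target = {}
            sas[-1].setdefault("phase2", []).append(target)
        for key, val in _pairs(line):
            target[key] = val
    return sas


def audit(sa, min_lifetime=60):
    """Return (severity, message) findings for one parsed IKE SA."""
    findings = []
    if sa.get("Exchange type") == "Aggressive":
        findings.append(("high", "aggressive-mode exchange: peer identity is sent unencrypted"))
    auth, enc, prf = (sa.get(k, "") for k in ("Authentication", "Encryption", "Pseudo random function"))
    if auth in WEAK_AUTH:
        findings.append(("high", f"weak IKE authentication algorithm {auth}"))
    if enc in WEAK_ENC:
        findings.append(("high", f"weak IKE encryption {enc}"))
    elif enc in LEGACY_ENC:
        findings.append(("low", f"legacy IKE encryption {enc}"))
    if prf in WEAK_PRF:
        findings.append(("medium", f"weak pseudo random function {prf}"))
    if sa.get("State") != "Matured":
        findings.append(("info", f"state is '{sa.get('State', 'unknown')}': SA not yet established"))
    m = re.search(r"(\d+) seconds", sa.get("Lifetime", ""))
    if m and int(m.group(1)) < min_lifetime:
        findings.append(("info", f"lifetime {m.group(1)} s: rekey imminent"))
    return findings


def audit_report(text, min_lifetime=60):
    """Map each IKE peer address to its list of findings."""
    return {sa["IKE peer"]: audit(sa, min_lifetime) for sa in parse_detail(text)}


if __name__ == "__main__":
    for peer, findings in audit_report(SAMPLE_DETAIL).items():
        print(f"{peer}: {len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Feed it the real command output (for example, saved from the CLI with `| save`) instead of `SAMPLE_DETAIL`; the parser only assumes the `Key: value` layout shown above, so the Traffic statistics lines and cookie lines are captured too and can be used to baseline byte and packet counts per peer between runs.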

Published: 2013-08-29