IKE Security Associations

| Field Name | Field Description |
|---|---|
| IKE SA Index | Index number of an SA. This number is an internally generated number you can use to display information about a single SA. |
| Remote Address | IP address of the destination peer with which the local peer communicates. |
| State | State of the IKE security association: DOWN (the SA has not been negotiated with the peer) or UP (the SA has been negotiated with the peer). |
| Initiator cookie | Random number, called a cookie, that is sent to the remote node when the IKE negotiation is triggered. |
| Responder cookie | Random number generated by the remote node and sent back to the initiator as verification that the packets were received. A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. |
| Mode | Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types contained in each message. The modes, or exchange types, are Main (the exchange is done with six messages; this mode encrypts the payload, protecting the identity of the neighbor; the authentication method used is displayed: preshared keys or certificate) and Aggressive (the exchange is done with three messages; this mode does not encrypt the payload, leaving the identity of the neighbor unprotected). |
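An added example, not part of the Juniper documentation, that parses constructed brief output laid out in the column order the table above describes and flags every SA whose Mode is Aggressive (peer identity sent unencrypted) or whose State is DOWN. The column layout, the sample values, and the `parse_ike_sas` and `audit_ike_sas` helpers are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of the brief output. The column layout is an assumption
# for this example, not a verbatim capture from a device.
SAMPLE_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode        Remote Address
1234567 UP     3a9e4f1c2b8d7e60  8b2c1d0e9f3a4b5c  Main        192.0.2.10
1234568 UP     0c7d2e9a4b1f6e33  5e1a7c9b2d4f8a60  Aggressive  198.51.100.7
1234569 DOWN   9f8e7d6c5b4a3921  0000000000000000  Main        203.0.113.5
"""

# One data row: index, state, two 64-bit hex cookies, mode, remote address.
LINE_RE = re.compile(
    r"^(?P<index>\d+)\s+(?P<state>UP|DOWN)\s+(?P<icookie>[0-9a-f]{16})\s+"
    r"(?P<rcookie>[0-9a-f]{16})\s+(?P<mode>Main|Aggressive)\s+(?P<remote>\S+)$"
)


@dataclass
class IkeSa:
    index: int
    state: str
    initiator_cookie: str
    responder_cookie: str
    mode: str
    remote: str


def parse_ike_sas(text):
    """Parse the brief table into IkeSa records; header and blank lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            sas.append(IkeSa(int(m["index"]), m["state"], m["icookie"],
                             m["rcookie"], m["mode"], m["remote"]))
    return sas


def audit_ike_sas(sas):
    """Return (index, reason) pairs for SAs that deserve a second look."""
    findings = []
    for sa in sas:
        if sa.mode == "Aggressive":
            findings.append((sa.index, f"aggressive mode to {sa.remote}: identity unencrypted"))
        if sa.state == "DOWN":
            findings.append((sa.index, f"SA to {sa.remote} not negotiated"))
    return findings


if __name__ == "__main__":
    for index, reason in audit_ike_sas(parse_ike_sas(SAMPLE_OUTPUT)):
        print(f"SA {index}: {reason}")
```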
IKE Security Association (SA) Index

| Field Name | Field Description |
|---|---|
| IKE Peer | IP address of the destination peer with which the local peer communicates. |
| IKE SA Index | Index number of an SA. This number is an internally generated number you can use to display information about a single SA. |
| Role | Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder. |
| State | State of the IKE security association: DOWN (the SA has not been negotiated with the peer) or UP (the SA has been negotiated with the peer). |
| Initiator cookie | Random number, called a cookie, that is sent to the remote node when the IKE negotiation is triggered. |
| Responder cookie | Random number generated by the remote node and sent back to the initiator as verification that the packets were received. A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. |
| Exchange Type | Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types contained in each message. The modes, or exchange types, are Main (the exchange is done with six messages; this mode encrypts the payload, protecting the identity of the neighbor; the authentication method used is displayed: preshared keys or certificate) and Aggressive (the exchange is done with three messages; this mode does not encrypt the payload, leaving the identity of the neighbor unprotected). |
| Authentication Method | Path chosen for authentication. |
| Local | Address of the local peer. |
| Remote | Address of the remote peer. |
| Lifetime | Number of seconds remaining until the IKE SA expires. |
| Algorithm | IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process. Authentication: type of authentication algorithm used, either sha1 (Secure Hash Algorithm 1, SHA-1) or md5 (MD5). Encryption: type of encryption algorithm used, one of aes-256-cbc, aes-192-cbc, or aes-128-cbc (Advanced Encryption Standard, AES, with a 256-, 192-, or 128-bit key), 3des-cbc (Triple Data Encryption Standard, 3DES), or des-cbc (Data Encryption Standard, DES). Pseudo random function: cryptographically secure pseudo random function family. |
| Traffic Statistics | Input bytes: the number of bytes presented for processing by the device. Output bytes: the number of bytes actually processed by the device. Input packets: the number of packets presented for processing by the device. Output packets: the number of packets actually processed by the device. |
| IPsec security associations | number created: the number of SAs created. number deleted: the number of SAs deleted. |
| Message ID | Message identifier. |
| Local identity | Specifies the identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as any of the following: IPv4 address, fully qualified domain name, e-mail address, or distinguished name. |
| Remote identity | IPv4 address of the destination peer gateway. |