show security group-vpn member ipsec security-associations

Total number of active IPsec tunnels.

Index number of the SA. You can use this number to get additional information about the SA.

IP address of the group server (remote gateway).

If Network Address Translation-Traversal (NAT-T) is used, this value is 4500. Otherwise it is the standard IKE port, 500.

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes

• An authentication algorithm used to authenticate exchanges between the peers. Options are sha-256 or sha-384

• An encryption algorithm used to encrypt data traffic. Options are aes-128, aes-192, and aes-256.

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI.

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Group identifier.

The root system.

Gateway address of the local system.

IP address of the group server.

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IPv4 address, fully qualified domain name, e-mail address, or distinguished name.

IPv4 address of the destination peer gateway.

State of the don't fragment bit: set or cleared.

Enable the support for forwarding policy-mismatched packets

Name of the applicable policy.

Direction of the security association; it can be inbound or outbound.

Value of the auxiliary security parameter index.

• When the value is AH or ESP, AUX-SPI is always 0.

• When the value is AH+ESP, AUX-SPI is always a positive integer.

The hard lifetime specifies the lifetime of the SA.

• Expires in seconds—Number of seconds left until the SA expires.

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

• Expires in kilobytes—Number of kilobytes left until the SA expires.

The soft lifetime informs the IPsec key management system that the SA is about to expire.

Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires.

• Expires in seconds—Number of seconds left until the SA expires.

Mode of the security association:

• transport—Protects host-to-host connections.

• tunnel—Protects connections between security gateways.

Protocol supported. Transport mode supports Encapsulation Security Protocol (ESP).

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.