close

keyboard_arrow_left

Table of Contents Expand all

list Table of Contents

English

show security group-vpn member ipsec security-associations

date_range 19-Nov-23

arrow_backward

arrow_forward

Syntax

content_copy zoom_out_map
show security group-vpn member ipsec security-associations [brief | detail] [index sa-index]

Description

Display group VPN security associations (SAs) for a group member. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 Series Firewalls and vSRX Virtual Firewall instances.

Options

none—Display information about all group VPN SAs for the group member.
brief—(Optional) Display summary output.
detail—(Optional) Display detailed output.
index sa-index—(Optional) Display detailed information about the specified SA identified by index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security group-vpn member ipsec security-associationscommand. Output fields are listed in the approximate order in which they appear.

Table 1: show security group-vpn member ipsec security-associations
Field Name	Field Description
`Total active tunnels`	Total number of active IPsec tunnels.
`ID`	Index number of the SA. You can use this number to get additional information about the SA.
`Server`	IP address of the group server (remote gateway).
`Port`	If Network Address Translation-Traversal (NAT-T) is used, this value is 4500. Otherwise it is the standard IKE port, 500.
`Algorithm`	Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes An authentication algorithm used to authenticate exchanges between the peers. Options are `sha-256` or `sha-384` An encryption algorithm used to encrypt data traffic. Options are `aes-128`, `aes-192`, and `aes-256`.
`SPI`	Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI.
`Life: sec/kb`	The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.
`GId`	Group identifier.
`vsys or Virtual-system`	The root system.
`Local Gateway`	Gateway address of the local system.
`GDOI Server`	IP address of the group server.
`Local Identity`	Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IPv4 address, fully qualified domain name, e-mail address, or distinguished name.
`Remote Identity`	IPv4 address of the destination peer gateway.
`DF-bit`	State of the don't fragment bit: set or cleared.
Forward-policy-mismatch	Enable the support for forwarding policy-mismatched packets
`Policy name`	Name of the applicable policy.
`Direction`	Direction of the security association; it can be inbound or outbound.
`AUX-SPI`	Value of the auxiliary security parameter index. When the value is AH or ESP, AUX-SPI is always 0. When the value is AH+ESP, AUX-SPI is always a positive integer.
`Hard lifetime`	The hard lifetime specifies the lifetime of the SA. `Expires in seconds`—Number of seconds left until the SA expires.
`Lifesize Remaining`	The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited. `Expires in kilobytes`—Number of kilobytes left until the SA expires.
`Soft lifetime`	The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of a security association has two display options, hard and soft, one of which must be present for a dynamic security association. This allows the key management system to negotiate a new SA before the hard lifetime expires. `Expires in seconds`—Number of seconds left until the SA expires.
`Mode`	Mode of the security association: transport—Protects host-to-host connections. tunnel—Protects connections between security gateways.
`Protocol`	Protocol supported. Transport mode supports Encapsulation Security Protocol (ESP).
`Anti-replay service`	State of the service that prevents packets from being replayed. It can be `Enabled` or `Disabled`.

Sample Output