show security group-vpn server ike security-associations

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

IP address of the destination peer with which the local peer communicates.

State of the IKE security associations:

• DOWN—SA has not been negotiated with the peer.

• UP—SA has been negotiated with the peer.

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

• main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.

• aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

IP address of the destination peer with which the local peer communicates.

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between themselves. Each exchange type determines the number of messages and the payload types that are contained in each message. The modes, or exchange types, are

• main—The exchange is done with six messages. This mode or exchange type encrypts the payload, protecting the identity of the neighbor. The authentication method used is displayed: preshared keys or certificate.

• aggressive—The exchange is done with three messages. This mode or exchange type does not encrypt the payload, leaving the identity of the neighbor unprotected.

Method the server uses to authenticate the source of IKE messages:

• pre-shared-keys—Preshared key for encryption and decryption that both participants must have before beginning tunnel negotiations.

rsa-signatures—Digital signature, a certificate that confirms the identity of the certificate holder.

Address of the local peer.

Address of the remote peer.

Number of seconds remaining until the IKE SA expires.

Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

• Authentication—Type of authentication algorithm used.

  • sha-256—Secure Hash Algorithm 256 authentication.

  • sha-384—Secure Hash Algorithm 384 authentication..

• Encryption—Type of encryption algorithm used.

  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.

  • aes-192-cbc— AES192-bit encryption

  • aes-128-cbc—AES 128-bit encryption.

• Input bytes—Number of bytes received.

• Output bytes—Number of bytes transmitted.

• Input packets—Number of packets received.

• Output packets—Number of packets transmitted.

• number created: The number of SAs created.

• number deleted: The number of SAs deleted.

Number of Phase 2 IKE negotiations in progress and status information:

• Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.

• Message ID—Unique identifier for a Phase 2 negotiation.

• Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)

• Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation)

• Flags—Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.

  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.