show security group-vpn server kek security-associations
Syntax
show security group-vpn server kek security-associations [brief | detail] [group group-name | group-id group-id | index sa-index]
Description
Display configured server-member communications. Group VPNv2 is supported on SRX300, SRX320, SRX340, SRX345, SRX550HM, SRX1500, SRX4100, SRX4200, and SRX4600 Series Firewalls and vSRX Virtual Firewall instances.
Options
none—Display server-member communications configured for all groups.
brief—(Optional) Display summary output.
detail—(Optional) Display detailed output.
group—(Optional) Display server-member communications configured for the specified group.
group-id—(Optional) Display server-member communications configured for the specified group.
index—(Optional) Display information for a particular SA based on the index number of the SA. To obtain the index number for a particular SA, display the list of existing SAs by using the command with no options.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security group-vpn server kek security-associations command. Output fields are listed in the approximate order in which they appear.
| Field Name | Field Description |
|---|---|
| | Index number of an SA. This number is an internally generated number you can use to display information about a single SA. |
| | Identifier of the remote/peer. Because there could be multiple members, the remote address always contains the IP address 0.0.0.0. |
| | State of the KEK security associations: |
| | Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server. |
| | Random number generated by the server. This is used when the server needs to push data to a member, or a member needs to reply to the server. |
| | Group identifier. |
| | IP address of the destination peer with which the local peer communicates. For KEK SAs, it always contains 0.0.0.0 which means any IP address. |
| | For the server, it is always initiator. |
| | RSA is the supported authentication method. |
| | Address of the local peer. |
| | Address of the remote peer. |
| | Number of seconds remaining until the IKE SA expires. |
| | Internet Key Exchange (IKE) algorithms used to encrypt and secure exchanges between the peers during the Phase 2 process: |
| | |
| | Identify the latest set of information maintained in the server. |
| The following fields are the configured | |
| | Antireplay time in milliseconds. This is 0 if antireplay is disabled. |
| | Number of seconds between a rekey transmission and the first retransmission when there is no reply from the member. |
| | For unicast communications, the number of times the server retransmits rekey messages to a member when there is no reply. |
| | Configured lifetime, in seconds, for the KEK. |
| | Sequence number of the KEK SA groupkey-push message. This number is incremented with every groupkey-push message. |
Sample Output
show security group-vpn server kek security-associations
user@host> show security group-vpn server kek security-associations
Index   Life:sec  Initiator cookie  Responder cookie  GroupId
739031  18995     7e17278bf0a65975  0616de443d1beb77  200
Sample Output
show security group-vpn server kek security-associations detail
user@host> show security group-vpn server kek security-associations detail
Index 738879, Group Name: GROUP_ID-0001, Group Id: 1
  Initiator cookie: 114e4a214891e42f, Responder cookie: 4b2848d14372e5bd
  Authentication method: RSA
  Lifetime: Expires in 4186 seconds, Activated
  Rekey in 3614 seconds
  Algorithms:
   Sig-hash   : sha256
   Encryption : aes256-cbc
  Traffic statistics:
   Input bytes   : 0
   Output bytes  : 0
   Input packets : 0
   Output packets: 0
  Server Member Communication: Unicast
  Retransmission Period: 10, Number of Retransmissions: 2
  Group Key Push sequence number: 0
  PUSH negotiations in progress: 0
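The following Python example is added here and is not part of the Juniper documentation: it parses the detail output shown above into one record per KEK SA and reports SAs whose algorithms fall outside an allowlist or that show no rekey scheduled before the SA expires. The allowlist, the rekey check, the function names, and the second SA in the sample are assumptions made for illustration.

```python
import re

# Assumed local policy: allow only the algorithms in the page's sample output.
ALLOWED = {"sig_hash": {"sha256"}, "encryption": {"aes256-cbc"}}
NUMERIC = {"index", "group_id", "expires", "rekey"}
FIELDS = {  # labels as printed in the page's detail sample output
    "index": r"Index (\d+),",
    "group_name": r"Group Name: (\S+?),",
    "group_id": r"Group Id: (\d+)",
    "expires": r"Expires in (\d+) seconds",
    "rekey": r"Rekey in (\d+) seconds",
    "sig_hash": r"Sig-hash\s*:\s*(\S+)",
    "encryption": r"Encryption\s*:\s*(\S+)",
}

def parse_kek_sas(text):
    """Return one dict per KEK SA; text before the first SA is skipped."""
    sas = []
    for chunk in re.split(r"(?=Index \d+, Group Name:)", text)[1:]:
        sa = {}
        for name, pattern in FIELDS.items():
            m = re.search(pattern, chunk)
            value = m.group(1) if m else None
            sa[name] = int(value) if value and name in NUMERIC else value
        sas.append(sa)
    return sas

def audit(sa):
    """Return policy findings for one parsed SA (empty list means clean)."""
    findings = [f"{key} {sa[key]!r} not in allowlist"
                for key, allowed in ALLOWED.items() if sa[key] not in allowed]
    if sa["rekey"] is None or sa["expires"] is None or sa["rekey"] >= sa["expires"]:
        findings.append("no rekey scheduled before the KEK SA expires")
    return findings

# First SA: abridged from the page's sample. Second SA: constructed values.
SAMPLE = """user@host> show security group-vpn server kek security-associations detail
Index 738879, Group Name: GROUP_ID-0001, Group Id: 1
  Lifetime: Expires in 4186 seconds, Activated
  Rekey in 3614 seconds
  Algorithms: Sig-hash : sha256 Encryption : aes256-cbc
Index 738880, Group Name: GROUP_ID-0002, Group Id: 2
  Lifetime: Expires in 120 seconds, Activated
  Algorithms: Sig-hash : sha1 Encryption : aes256-cbc
"""

if __name__ == "__main__":
    for sa in parse_kek_sas(SAMPLE):
        print(sa["index"], sa["group_name"], audit(sa) or "ok")
```

Because the patterns match on field labels and not on line positions, the same functions work on output captured with or without its original line breaks.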
Release Information
Command introduced in Junos OS Release 10.2.