Junos CLI Reference

show security ike security-associations

06-Sep-24

Syntax

show security ike security-associations
<peer-address>
<brief | detail>
<family (inet | inet6)>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<node-local>
<pic slot-number>
<sa-type shortcut>
<srg-id id-number>
<ha-link-encryption>

Description

Display information about Internet Key Exchange security associations (IKE SAs).

Options

  • none—Display standard information about existing IKE SAs, including index numbers.

  • peer-address—(Optional) Display details about a particular SA based on the IPv4 or IPv6 address of the destination peer. This option and index provide the same level of output.

  • brief—(Optional) Display standard information about all existing IKE SAs. (Default)

  • detail—(Optional) Display detailed information about all existing IKE SAs.

  • family—(Optional) Display IKE SAs by family. This option is used to filter the output.

    • inet—IPv4 address family.

    • inet6—IPv6 address family.

  • fpc slot-number—(Optional) Display information about existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.

    In a chassis cluster, when you run show security ike security-associations fpc slot-number pic slot-number in operational mode, only the primary node's information about the existing IKE SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.

    Starting in Junos OS Release 23.4R1, this option is not available when the junos-ike package is installed and IPsec VPN runs using the iked process.

  • index SA-index-number—(Optional) Display information for a particular SA based on the index number of the SA. To find the index number, first run the command with no options to list the existing SAs. This option and peer-address provide the same level of output.

  • kmd-instance—(Optional) Display information about existing IKE SAs in the key management process (in this case, KMD) identified by FPC slot-number and PIC slot-number. This option is used to filter the output.

    • all—All KMD instances running on the Services Processing Unit (SPU).

    • kmd-instance-name—Name of the KMD instance running on the SPU.

    Starting in Junos OS Release 23.4R1, this option is not available when the junos-ike package is installed and IPsec VPN runs using the iked process.

  • node-local—(Optional) Display information about IKE SAs for node-local tunnels in a Multinode High Availability setup.

  • pic slot-number—(Optional) Display information about existing IKE SAs in this PIC slot. This option is used to filter the output.

    Starting in Junos OS Release 23.4R1, this option is not available when the junos-ike package is installed and IPsec VPN runs using the iked process.

  • sa-type shortcut—(Optional) Display information about IKE SAs of type shortcut. Applies to Auto Discovery VPN (ADVPN) only.

  • srg-id id-number—(Optional) Display information related to a specific services redundancy group (SRG).

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ike security-associations Output Fields

Field Name

Field Description

IKE Peer or Remote Address

IP address of the destination peer with which the local peer communicates.

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Gateway Name

Name of the IKE gateway.

Location

  • FPC—Flexible PIC Concentrator (FPC) slot number.

  • PIC—PIC slot number.

  • KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State

State of the IKE SAs:

  • DOWN—SA has not been negotiated with the peer.

  • UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

Cookies let the responder screen negotiation attempts cheaply: they protect its computing resources from flooding attacks without requiring excessive CPU to determine a cookie's authenticity.

Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information with one another. Each exchange type or mode determines the number of messages and the payload types contained in each message. The modes are:

  • main—The exchange is done with six messages. Identities are exchanged only after encryption has been established, so the identity of the neighbor is protected.

  • aggressive—The exchange is done with three messages. Identities (and, with pre-shared-key authentication, the authentication hash) are sent before encryption is established, leaving the identity of the neighbor unprotected and the hash exposed to offline guessing.

IKEv2 does not negotiate a mode. For an IKEv2 SA, this field (Mode in the brief output) displays the protocol version, IKEv2, instead.

Authentication method

Method used to authenticate the source of IKE messages: either pre-shared keys (Pre-shared-keys) or digital certificates, shown as DSA-signatures, ECDSA-signatures-256, ECDSA-signatures-384, RSA-signatures, or digital-signature (IKEv2 digital signature authentication; the negotiated signature hash algorithm is then shown under Algorithms).

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Reauth Lifetime

When enabled, number of seconds remaining until reauthentication triggers a new IKEv2 SA negotiation.

IKE Fragmentation

Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.

Size shows the maximum size of an IKEv2 message before it is fragmented.

Algorithms

IKE algorithms used to protect the IKE SA itself, that is, the exchanges between the peers over which the IPsec (Phase 2) SAs are negotiated:

  • Authentication—Integrity (authentication) algorithm used, for example:

    • sha1—Secure Hash Algorithm 1 (HMAC-SHA-1) authentication.

    • md5—MD5 (HMAC-MD5) authentication.

    • hmac-sha256-128, hmac-sha384-192—HMAC-SHA-2 authentication, as shown in the detail samples below.

  • Encryption—Encryption algorithm used:

    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption in CBC mode.

    • aes-192-cbc—AES 192-bit encryption in CBC mode.

    • aes-128-cbc—AES 128-bit encryption in CBC mode.

    • 3des-cbc—Triple DES (3DES) encryption in CBC mode.

    • aes-128-gcm—AES 128-bit authenticated encryption in GCM mode.

    • aes-256-gcm—AES 256-bit authenticated encryption in GCM mode.

    • chacha20-poly1305—ChaCha20-Poly1305 authenticated encryption.

    • des-cbc—DES encryption in CBC mode.

    Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as the encryption algorithm at the [edit security ike proposal proposal-name] hierarchy level, the Authentication field of the show security ike security-associations detail command displays the same configured encryption algorithm: an AEAD cipher provides integrity protection itself, so no separate integrity algorithm is negotiated. The chacha20-poly1305 sample below shows the same behavior.

  • Pseudo random function—Keyed function used to derive keying material, for example hmac-md5, hmac-sha1, hmac-sha256, or hmac-sha384.

  • Diffie-Hellman group—Diffie-Hellman group used for the key exchange. It can be one of the following:

    • group1—768-bit Modular Exponential (MODP) group.

    • group2—1024-bit MODP group.

    • group5—1536-bit MODP group (shown as DH-group-5 in several samples below).

    • group14—2048-bit MODP group.

    • group15—3072-bit MODP group.

    • group16—4096-bit MODP group.

    • group19—256-bit random Elliptic Curve Group modulo a prime (ECP group).

    • group20—384-bit random ECP group.

    • group21—521-bit random ECP group.

    • group24—2048-bit MODP group with 256-bit prime order subgroup.

  • Signature hash algo—Signature hash algorithm used by the local and remote endpoints (IKEv2 digital signature authentication).

Traffic statistics

  • Input bytes—Number of bytes received.

  • Output bytes—Number of bytes transmitted.

  • Input packets—Number of packets received.

  • Output packets—Number of packets transmitted.

  • Input fragmented packets—Number of IKEv2 fragmented packets received.

  • Output fragmented packets—Number of IKEv2 fragmented packets transmitted.

Flags

Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.

  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPSec security associations

  • number created—The number of IPsec SAs created under this IKE SA.

  • number deleted—The number of IPsec SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.

  • Message ID—Unique identifier for a Phase 2 negotiation.

  • Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation).

  • Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = id-data-presentation).

  • Flags—Notification to the key management process of the status of the IKE negotiation:

    • caller notification sent—Caller program notified about the completion of the IKE negotiation.

    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Local gateway interface

Interface name of the local gateway.

Routing instance

Name of the local gateway routing instance.

IPsec Tunnel IDs

Indicates the list of child IPsec tunnel IDs.
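The following Python script is an added example, not Junos or Juniper code. It illustrates the anti-clogging role the Initiator cookie and Responder cookie fields are given above: a responder answers an unknown initiator with a cookie it can later re-derive from the request itself, so a flood of spoofed first messages costs one keyed hash each and no stored state. The derivation (HMAC-SHA256 over the initiator's address, port and cookie under a rotating secret, truncated to 64 bits), the class and function names, and the addresses are this example's own assumptions, in the spirit of the RFC 2408 anti-clogging token and the RFC 7296 COOKIE notification; how Junos derives its cookies is not documented on this page.

```python
"""Stateless anti-clogging cookie for an IKE responder (added example, not Junos code).

The responder keeps only a rotating secret. It stores nothing per half-open
negotiation: when the initiator echoes the cookie, the responder recomputes it
from the packet's source address, source port and initiator cookie and compares.
"""
import hashlib
import hmac
import ipaddress
import secrets

COOKIE_LEN = 8  # IKE cookies / SPIs are 64-bit values


def new_initiator_cookie() -> bytes:
    """Initiator side: a fresh random, non-zero 64-bit cookie."""
    while True:
        cookie = secrets.token_bytes(COOKIE_LEN)
        if any(cookie):
            return cookie


class CookieResponder:
    """Responder that verifies cookies statelessly under its current or previous secret."""

    def __init__(self, secret=None):
        # Assumed 32-byte secret; a fixed one makes issue() reproducible for testing.
        self._secrets = [secret or secrets.token_bytes(32)]

    def rotate(self):
        """Start using a new secret. One old secret is kept so cookies issued just
        before rotation still verify; anything older is rejected."""
        self._secrets = [secrets.token_bytes(32)] + self._secrets[:1]

    @staticmethod
    def _material(src_ip, src_port, initiator_cookie):
        # Bind the cookie to the initiator's claimed address, port and cookie (v4 or v6).
        return (ipaddress.ip_address(src_ip).packed
                + src_port.to_bytes(2, "big")
                + initiator_cookie)

    def _derive(self, secret, src_ip, src_port, initiator_cookie):
        mac = hmac.new(secret, self._material(src_ip, src_port, initiator_cookie),
                       hashlib.sha256).digest()
        return mac[:COOKIE_LEN]

    def issue(self, src_ip, src_port, initiator_cookie) -> bytes:
        """First message seen from a peer: answer with a cookie, store nothing."""
        return self._derive(self._secrets[0], src_ip, src_port, initiator_cookie)

    def verify(self, src_ip, src_port, initiator_cookie, responder_cookie) -> bool:
        """Second message: re-derive under each live secret and compare in constant time."""
        return any(
            hmac.compare_digest(self._derive(s, src_ip, src_port, initiator_cookie),
                                responder_cookie)
            for s in self._secrets)


def demo():
    """Returns (genuine echo, spoofed source, after one rotation, after two rotations)."""
    responder = CookieResponder()
    ic = new_initiator_cookie()
    rc = responder.issue("192.168.1.2", 500, ic)            # constructed addresses
    genuine = responder.verify("192.168.1.2", 500, ic, rc)
    spoofed = responder.verify("192.168.1.3", 500, ic, rc)  # same cookie, other source
    responder.rotate()
    after_one = responder.verify("192.168.1.2", 500, ic, rc)
    responder.rotate()
    after_two = responder.verify("192.168.1.2", 500, ic, rc)
    return genuine, spoofed, after_one, after_two


if __name__ == "__main__":
    print(demo())
```

The cost of a bogus first message is one HMAC; the cost of a forged second message is one HMAC per live secret plus a constant-time compare, and an attacker cannot mint a valid cookie for a different source without the secret.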

Sample Output

show security ike security-associations (IPv4)

user@host> show security ike security-associations
Index   Remote Address  State  Initiator cookie  Responder cookie  Mode
8       192.168.1.2     UP     3a895f8a9f620198  9040753e66d700bb  Main
9       192.168.1.3     UP     5ba96hfa9f65067   70890755b65b80b   Main

show security ike security-associations (IPv6)

user@host> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address   
5       UP     e48efd6a444853cf  0d09c59aafb720be  Aggressive     2001:db8::1112

show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)

user@host> show security ike security-associations detail
IKE peer 192.168.134.245, Index 2577565, Gateway Name: tropic  
  Role: Initiator, State: UP
  Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3
  Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp 
  Local: 192.168.134.241:500, Remote: 192.168.134.245:500
  Local gateway interface: ge-0/0/0
  Routing instance: default
  Lifetime: Expires in 169 seconds
  Peer ike-id: 192.168.134.245
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes-128-gcm
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1012
   Output bytes  :                 1196
   Input  packets:                    4
   Output packets:                    5
  Flags: IKE SA is created
  IPSec security associations: 1 created, 0 deleted
  Phase 2 negotiations in progress: 0

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.134.241:500, Remote: 192.168.134.245:500
    Local identity: 192.168.134.241
    Remote identity: 192.168.134.245
    Flags: IKE SA is created
IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                                  Responder stats:
    Request Out             : 1                       Request In             : 0
    Response In             : 1                       Response Out           : 0
    No Proposal Chosen In   : 0                       No Proposal Chosen Out : 0
    Invalid KE In           : 0                       Invalid KE Out         : 0
    TS Unacceptable In      : 0                       TS Unacceptable Out    : 0
    Res DH Compute Key Fail : 0                       Res DH Compute Key Fail: 0
    Res Verify SA Fail      : 0
    Res Verify DH Group Fail: 0
    Res Verify TS Fail      : 0

show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)

user@host> show security ike security-associations detail
IKE peer 2.0.0.2, Index 2068, Gateway Name: IKE_GW
  Role: Responder, State: DOWN
  Initiator cookie: aa08091f3d4f1fb6, Responder cookie: 08c89a7add5f9332
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local gateway interface: ge-0/0/3
  Routing instance: default
  Local: 2.0.0.1:500, Remote: 2.0.0.2:500
  Lifetime: Expires in 186 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 2.0.0.2
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                  704
   Output bytes  :                 1408
   Input  packets:                    4
   Output packets:                    4
   Input  fragmented packets:       0
   Output fragmented packets:       0
  IPSec security associations: 4 created, 2 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs:  500766, 500767

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 2.0.0.1:500, Remote: 2.0.0.2:500
    Local identity: 2.0.0.1
    Remote identity: 2.0.0.2
    Flags: IKE SA is created

IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                                  Responder stats:
    Request Out             : 0                       Request In             : 0
    Response In             : 0                       Response Out           : 0
    No Proposal Chosen In   : 0                       No Proposal Chosen Out : 0
    Invalid KE In           : 0                       Invalid KE Out         : 0
    TS Unacceptable In      : 0                       TS Unacceptable Out    : 0
    Res DH Compute Key Fail : 0                       Res DH Compute Key Fail: 0
    Res Verify SA Fail      : 0
    Res Verify DH Group Fail: 0
    Res Verify TS Fail      : 0

The show security ike stats topic lists the output fields for the show security ike security-associations detail command.

show security ike security-associations family inet6

user@host> show security ike security-associations family inet6
  IKE peer 2001:db8:1212::1112, Index 5, Gateway Name: tropic 
  Role: Initiator, State: UP
  Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500
  Lifetime: Expires in 19518 seconds
  Peer ike-id: not valid
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : sha1 
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1568
   Output bytes  :                 2748
   Input  packets:                    6
   Output packets:                   23
  Flags: Caller notification sent 
  IPSec security associations: 5 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624
    Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500
    Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    Flags: Caller notification sent, Waiting for done	  

show security ike security-associations index 222075191 detail

user@host> show security ike security-associations index 222075191 detail 
node0:
-
IKE peer 192.168.1.2, Index 222075191, Gateway Name: ZTH_HUB_GW
  Location: FPC 0, PIC 3, KMD-Instance 2
  Auto Discovery VPN:
   Type: Static, Local Capability: Suggester, Peer Capability: Partner
   Suggester Shortcut Suggestions Statistics:
     Suggestions sent    :    2
     Suggestions accepted:    4
     Suggestions declined:    1
  Role: Responder, State: UP
  Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.1.1:500, Remote: 192.168.1.2:500
  Lifetime: Expires in 828 seconds
  Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=cssvk36-d
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                20474
   Output bytes  :                21091
   Input  packets:                  237
   Output packets:                  237
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.1.1:500, Remote: 192.168.1.2:500
    Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1
    Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2
    Flags: IKE SA is created

show security ike security-associations index 788674 detail

user@host> show security ike security-associations index 788674 detail 
IKE peer 192.168.1.1, Index 788674, Gateway Name: ZTH_SPOKE_GW
  Auto Discovery VPN:
   Type: Static, Local Capability: Partner, Peer Capability: Suggester
   Partner Shortcut Suggestions Statistics:
     Suggestions received:    2
     Suggestions accepted:    2
     Suggestions declined:    0
  Role: Initiator, State: UP
  Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.1.2:500, Remote: 192.168.1.1:500
  Lifetime: Expires in 734 seconds
  Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=test
  Xauth user-name: not available
  Xauth assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96 
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                22535
   Output bytes  :                21918
   Input  packets:                  256
   Output packets:                  256
  IPSec security associations: 2 created, 0 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 192.168.1.2:500, Remote: 192.168.1.1:500
    Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1
    Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2
    Flags: IKE SA is created

show security ike security-associations 192.168.1.2

user@host> show security ike security-associations 192.168.1.2
Index     State  Initiator cookie  Responder cookie  Mode Remote Address
   8        UP     3a895f8a9f620198  9040753e66d700bb  Main 192.168.1.2

show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)

user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all
Index      Remote Address  State  Initiator cookie  Responder cookie  Mode
1728053250 192.168.1.2     UP     fc959afd1070d10b  bdeb7e8c1ea99483  Main

show security ike security-associations detail (ADVPN Suggester, Static Tunnel)

user@host> show security ike security-associations detail
IKE peer 192.168.0.105, Index 13563297, Gateway Name: zth_hub_gw
  Location: FPC 0, PIC 0, KMD-Instance 1
  Auto Discovery VPN:
   Type: Static, Local Capability: Suggester, Peer Capability: Partner
   Suggester Shortcut Suggestions Statistics:
     Suggestions sent            :  12
     Suggestion response accepted:  12
     Suggestion response declined:   0
  Role: Responder, State: UP
  Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.0.154:500, Remote: 192.168.0.105:500
  Lifetime: Expires in 26429 seconds
  Peer ike-id: DC=example, CN=host02, L=Sunnyvale, ST=CA, C=US

show security ike security-associations detail (ADVPN Partner, Static Tunnel)

user@host> show security ike security-associations detail
IKE peer 192.168.0.154, Index 4980720, Gateway Name: zth_spoke_gw
  Location: FPC 0, PIC 0, KMD-Instance 1
  Auto Discovery VPN:
   Type: Static, Local Capability: Partner, Peer Capability: Suggester
   Partner Shortcut Suggestions Statistics:
     Suggestions received:  12
     Suggestions accepted:  12
     Suggestions declined:   0
  Role: Initiator, State: UP
  Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.0.105:500, Remote: 192.168.0.154:500
  Lifetime: Expires in 26252 seconds
  Peer ike-id: DC=example, CN=host01, OU=SBU, O=example, L=Sunnyvale, ST=CA, C=US

show security ike security-associations detail (ADVPN Partner, Shortcut)

user@host> show security ike security-associations detail
IKE peer 192.168.0.106, Index 4980737, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173323
  Location: FPC 0, PIC 0, KMD-Instance 1
  Auto Discovery VPN:
   Type: Shortcut, Local Capability: Partner, Peer Capability: Partner
  Role: Responder, State: UP
  Initiator cookie: e1ed0c655929debc, Responder cookie: 437de6ed784ba63e
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.0.105:500, Remote: 192.168.0.106:500
  Lifetime: Expires in 28796 seconds
  Peer ike-id: DC=example, CN=paulyd, L=Sunnyvale, ST=CA, C=US

show security ike security-associations sa-type shortcut (ADVPN)

user@host> show security ike security-associations sa-type shortcut
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address 
4980742 UP     vb56fbe694eaee5b6 064dbccbfa3b2aab  IKEv2          192.168.0.106

show security ike security-associations sa-type shortcut detail (ADVPN)

user@host> show security ike security-associations sa-type shortcut detail
IKE peer 192.168.0.106, Index 4980742, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173327
  Location: FPC 0, PIC 0, KMD-Instance 1
  Auto Discovery VPN:
   Type: Shortcut, Local Role: Partner, Peer Role: Partner
  Role: Responder, State: UP

show security ike security-associations detail (IKEv2 Reauthentication)

user@host> show security ike security-associations detail 
IKE peer 10.1.2.11, Index 6009224, Gateway Name: GW
  Role: Responder, State: UP
  Initiator cookie: 2c74d14c798a9d70, Responder cookie: 83cbb49bfbcb80cb
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 10.1.1.11:500, Remote: 10.1.2.11:500
  Lifetime: Expires in 173 seconds
  Reauth Lifetime: Expires in 600 seconds
  Peer ike-id: vsrx@example.net
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes128-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :                 1782
   Output bytes  :                 1743
   Input  packets:                    2

show security ike security-associations detail (IKEv2 Fragmentation)

user@host> show security ike security-associations detail 
IKE peer 172.24.23.157, Index 11883008, Gateway Name: routebased_s2s_gw-552_1
  Role: Responder, State: UP
  Initiator cookie: f3255e720f162e3a, Responder cookie: 17555e3ff7451841
  Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp 
  Local: 192.168.254.1:500, Remote: 172.24.23.157:500
  Lifetime: Expires in 530 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Peer ike-id: 172.24.23.157
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  Traffic statistics:
   Input  bytes  :                 1004
   Output bytes  :                  756
   Input  packets:                    6
   Output packets:                    4
   Input  fragmented packets:       3
   Output fragmented packets:       3
  IPSec security associations: 1 created, 1 deleted
  Phase 2 negotiations in progress: 1

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 192.168.254.1:500, Remote: 172.24.23.157:500
    Local identity: 192.168.254.1
    Remote identity: 172.24.23.157
    Flags: IKE SA is created

show security ike security-associations srg-id

user@host> show security ike security-associations srg-id 1
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
16778113 UP    16d1f4efae91608c  53f234767bdd0b9b  IKEv2          10.112.0.1

show security ike security-associations node-local

user@host> show security ike security-associations node-local
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
24      UP     c982a43f5dd03bf0  c37ae96722a0e1bc  IKEv2          6.0.0.2       

show security ike security-associations node-local detail

user@host> show security ike security-associations node-local detail
IKE peer 6.0.0.2, Index 25, Gateway Name: IKEv1_GW
  Role: Responder, State: UP
  Initiator cookie: 34b2b16c3dd35442, Responder cookie: 91fc9975f83e932d
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local gateway interface: xe-0/0/2.0
  Routing instance: default
  Local: 4.0.0.1:500, Remote: 6.0.0.2:500
  Lifetime: Expires in 1159 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
  AAA assigned IP: 0.0.0.0
  PPK-profile: None
  Algorithms:
   Authentication        : hmac-sha384-192
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha384
   Diffie-Hellman group  : DH-group-19
  Traffic statistics:
   Input  bytes  :                 3434
   Output bytes  :                 3427
   Input  packets:                   15
   Output packets:                   15
   Input  fragmented packets:       4
   Output fragmented packets:       4
  IPSec security associations: 4 created, 1 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 500003              

    Negotiation type: Quick mode, Role: Responder, Message ID: 0
    Local: 4.0.0.1:500, Remote: 6.0.0.2:500
    Local identity: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
    Remote identity: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                                  Responder stats:
    Request Out             : 0                       Request In             : 0                   
    Response In             : 0                       Response Out           : 0                   
    No Proposal Chosen In   : 0                       No Proposal Chosen Out : 0                   
    Invalid KE In           : 0                       Invalid KE Out         : 0                   
    TS Unacceptable In      : 0                       TS Unacceptable Out    : 0                   
    Res DH Compute Key Fail : 0                       Res DH Compute Key Fail: 0                   
    Res Verify SA Fail      : 0                   
    Res Verify DH Group Fail: 0                   
    Res Verify TS Fail      : 0                   

show security ike security-associations detail (ChaCha20-Poly1305)

user@host> show security ike security-associations detail
IKE peer 10.1.1.10, Index 1, Gateway Name: ike_gw
  Role: Responder, State: UP
  Initiator cookie: 26b772950a8bea9c, Responder cookie: be644ff0068a0e05
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local gateway interface: ge-0/0/1.0
  Routing instance: default
  Local: 192.168.1.20:500, Remote: 10.1.1.10:500
  Lifetime: Expires in 28790 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 10.1.1.10
  AAA assigned IP: 0.0.0.0
  PPK-profile: None
  Algorithms:
   Authentication        : chacha20-poly1305
   Encryption            : chacha20-poly1305
   Pseudo random function: hmac-sha384
   Diffie-Hellman group  : DH-group-2

show security ike security-associations detail (IKEv2 digital signature authentication method and signature hash algorithm)

user@host> show security ike security-associations detail
  IKE peer 10.0.0.1, Index 83, Gateway Name: SPK_GW1
  Role: Initiator, State: UP
  Initiator cookie: 4c5c36dc34e24093, Responder cookie: 69abe1c4b45a2a9f
  Exchange type: Main, Authentication method: digital-signature(ECDSA)
  Local gateway interface: ge-0/0/2.0
  Routing instance: default
  Local: 192.168.1.2:500, Remote: 10.0.0.1:500
  Lifetime: Expires in 28515 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Remote Access Client Info: Unknown Client
  Peer ike-id: 10.0.0.1
  AAA assigned IP: 0.0.0.0
  PPK-profile: None
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
   Signature hash algo   : sha256(local), sha1(remote)
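The following Python script is an added example, not Junos or Juniper code. It parses detail output in the format of the samples above into one record per IKE SA and flags the settings a reviewer looks for in this command's output: IKEv1 aggressive mode (neighbor identity and, with pre-shared keys, the authentication hash sent in the clear), md5, sha1, des and 3des algorithms, and small Diffie-Hellman groups. The sample text is constructed from the fields shown on this page, including the node0: prefix a chassis cluster prints; the weak-algorithm and weak-group sets are this example's own policy (after RFC 8247 guidance), not a Junos setting, and the function names are the example's own.

```python
"""Audit show security ike security-associations detail output (added example, not Junos code)."""
import re
from dataclasses import dataclass, field

# Constructed sample in the format of this page's detail output: one IKEv1
# aggressive-mode SA with legacy algorithms and one IKEv2 SA with current ones.
SAMPLE = """\
node0:
-
IKE peer 2001:db8:1212::1112, Index 5, Gateway Name: tropic
  Role: Initiator, State: UP
  Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be
  Exchange type: Aggressive, Authentication method: Pre-shared-keys
  Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500
  Lifetime: Expires in 19518 seconds
  Peer ike-id: not valid
  Algorithms:
   Authentication        : sha1
   Encryption            : 3des-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-5
  IPSec security associations: 5 created, 0 deleted
IKE peer 10.0.0.1, Index 83, Gateway Name: SPK_GW1
  Role: Initiator, State: UP
  Initiator cookie: 4c5c36dc34e24093, Responder cookie: 69abe1c4b45a2a9f
  Exchange type: IKEv2, Authentication method: RSA-signatures
  Local: 192.168.1.2:500, Remote: 10.0.0.1:500
  Lifetime: Expires in 28515 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Disabled, Size: 0
  Peer ike-id: C=US, O=example, CN=SPK_GW1
  Algorithms:
   Authentication        : hmac-sha256-128
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha256
   Diffie-Hellman group  : DH-group-14
"""

HEADER_RE = re.compile(r"^\s*IKE peer (\S+), Index (\d+), Gateway Name: (\S+)")
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?)\s*:\s*(.+?)\s*$")
DN_KEYS = {"Peer ike-id", "Local identity", "Remote identity"}  # values may contain ", "

# Example policy, not a Junos setting: algorithms and MODP/DSA-style groups that
# RFC 8247 lists as SHOULD NOT / MUST NOT for IKEv2.
WEAK_ALGS = {"md5", "sha1", "des", "3des"}
WEAK_DH = {1, 2, 5, 22, 23, 24}


@dataclass
class IkeSa:
    peer: str
    index: int
    gateway: str
    fields: dict = field(default_factory=dict)


def parse_detail(text):
    """Split detail output into IkeSa records; the first value of each key wins,
    so the Phase 2 block's repeated Role/Local/Remote lines do not overwrite the SA's."""
    sas = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            sas.append(IkeSa(peer=m.group(1), index=int(m.group(2)), gateway=m.group(3)))
            continue
        if not sas:
            continue  # node0: / - prefix lines before the first SA
        key, _, value = raw.strip().partition(":")
        if key in DN_KEYS:  # distinguished names contain ", ": keep the whole value
            sas[-1].fields.setdefault(key, value.strip())
            continue
        for part in raw.split(", "):  # e.g. "Role: Initiator, State: UP"
            kv = KV_RE.match(part)
            if kv:
                sas[-1].fields.setdefault(kv.group(1), kv.group(2))
    return sas


def audit(sas):
    """Return (index, peer, finding) tuples for SAs with weak settings."""
    findings = []
    for sa in sas:
        f, notes = sa.fields, []
        if f.get("Exchange type", "").lower() == "aggressive":
            notes.append("IKEv1 aggressive mode: neighbor identity sent unencrypted")
            if f.get("Authentication method", "").lower().startswith("pre-shared"):
                notes.append("aggressive mode with pre-shared key: hash exposed to offline guessing")
        for name in ("Authentication", "Encryption", "Pseudo random function"):
            alg = f.get(name, "")
            if set(alg.lower().split("-")) & WEAK_ALGS:  # token match, so aes256 != des
                notes.append(f"weak {name.lower()} algorithm: {alg}")
        g = re.search(r"DH-group-(\d+)", f.get("Diffie-Hellman group", ""))
        if g and int(g.group(1)) in WEAK_DH:
            notes.append(f"weak Diffie-Hellman group: {g.group(1)}")
        findings.extend((sa.index, sa.peer, n) for n in notes)
    return findings


if __name__ == "__main__":
    for index, peer, note in audit(parse_detail(SAMPLE)):
        print(f"index {index} peer {peer}: {note}")
```

Feed it captured text from the CLI (a terminal log, or the command run over NETCONF) instead of SAMPLE; the brief output cannot be used here because it carries no algorithm fields.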

Release Information

Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance options added in Junos OS Release 9.3. Support for the family option added in Junos OS Release 11.1. Support for Auto Discovery VPN added in Junos OS Release 12.3X48-D10. Support for IKEv2 reauthentication added in Junos OS Release 15.1X49-D60. Support for IKEv2 fragmentation added in Junos OS Release 15.1X49-D80.

Support for the ha-link-encryption option added in Junos OS Release 20.4R1.

Support for the srg-id option added in Junos OS Release 22.4R1.

Support for the node-local option added in Junos OS Release 23.2R1.

Support for the chacha20-poly1305 option added in Junos OS Release 24.2R1.

Support for the digital-signature and Signature hash algo options added in Junos OS Release 24.4R1.
