show security ike security-associations

IP address of the destination peer with which the local peer communicates.

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Name of the IKE gateway.

• FPC—Flexible PIC Concentrator (FPC) slot number.

• PIC—PIC slot number.

• KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State of the IKE SAs:

• DOWN—SA has not been negotiated with the peer.

• UP—SA has been negotiated with the peer.

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type or mode determines the number of messages and the payload types that are contained in each message. The modes are:

• main—The exchange is done with six messages. This mode encrypts the payload, protecting the identity of the neighbor.

• aggressive—The exchange is done with three messages. This mode does not encrypt the payload, leaving the identity of the neighbor unprotected.

IKEv2 protocol does not use the mode configuration for negotiation. Therefore, the mode displays the version number of the security association.

Method used to authenticate the source of IKE messages, which can be either Pre-shared-keys or digital certificates, such as DSA-signatures, ECDSA-signatures-256, ECDSA-signatures-384, or RSA-signatures.

Address of the local peer.

Address of the remote peer.

Number of seconds remaining until the IKE SA expires.

When enabled, number of seconds remaining until reauthentication triggers a new IKEv2 SA negotiation.

Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.

Size shows the maximum size of an IKEv2 message before it is fragmented.

IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

• Authentication—Type of authentication algorithm used:

  • sha1—Secure Hash Algorithm 1 authentication.

  • md5—MD5 authentication.

• Encryption—Type of encryption algorithm used:

  • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.

  • aes-192-cbc— AES192-bit encryption.

  • aes-128-cbc—AES 128-bit encryption.

  • 3des-cbc—3 Data Encryption Standard (DES) encryption.

  • aes-128-gcm—Advanced Encryption Standard (AES) 256-bit encryption.

  • chacha20-poly1305—ChaCha20-Poly1305 authenticated encryption.

  • des-cbc—DES encryption.

  Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as an encryption algorithm at the [edit security ipsec proposalproposal-name] hierarchy level, the authentication algorithm field of the show security ikesecurity-associations detail command displays the same configured encryption algorithm.

• Pseudo random function—Function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

• Diffie-Hellman group—Specifies the type of Diffie-Hellman group when performing the new Diffie-Hellman exchange. It can be one of the following:

  • group1—768-bit Modular Exponential (MODP) algorithm.

  • group2—1024-bit MODP algorithm.

  • group14—2048-bit MODP group.

  • group15—3072-bit MODP algorithm.

  • group16—4096-bit MODP algorithm.

  • group19—256-bit random Elliptic Curve Groups modulo a prime (ECP group) algorithm.

  • group20—384-bit random ECP group algorithm.

  • group21—521-bit random ECP group algorithm.

  • group24—2048-bit MODP group with 256-bit prime order subgroup.

• Input bytes—Number of bytes received.

• Output bytes—Number of bytes transmitted.

• Input packets—Number of packets received.

• Output packets—Number of packets transmitted.

• Input fragmented packets—Number of IKEv2 fragmented packets received.

• Output fragmented packets—Number of IKEv2 fragmented packets transmitted.

Notification to the key management process of the status of the IKE negotiation:

• caller notification sent—Caller program notified about the completion of the IKE negotiation.

• waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

• waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

• waiting for policy manager—Negotiation is waiting for a response from the policy manager.

• number created: The number of SAs created.

• number deleted: The number of SAs deleted.

Number of Phase 2 IKE negotiations in progress and status information:

• Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.

• Message ID—Unique identifier for a Phase 2 negotiation.

• Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

• Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

• Flags—Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.

  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Interface name of the local gateway.

Name of the local gateway routing instance.

Indicates the list of child IPsec tunnel IDs