show security ike security-associations
Syntax
show security ike security-associations
<peer-address>
<brief | detail>
<family (inet | inet6)>
<fpc slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<node-local>
<pic slot-number>
<sa-type shortcut >
<srg-id id-number>
<ha-link-encryption>
Description
Display information about Internet Key Exchange security associations (IKE SAs).
Options
-
none—Display standard information about existing IKE SAs, including index numbers.
-
peer-address
—(Optional) Display details about a particular SA based on the IPv4 or IPv6 address of the destination peer. This option andindex
provide the same level of output. -
brief
—(Optional) Display standard information about all existing IKE SAs. (Default) -
detail
—(Optional) Display detailed information about all existing IKE SAs. -
family
—(Optional) Display IKE SAs by family. This option is used to filter the output.-
inet
—IPv4 address family. -
inet6
—IPv6 address family.
-
-
fpc slot-number
—(Optional) Display information about existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.In a chassis cluster, when you execute the CLI command
show security ike security-associations pic <slot-number> fpc <slot-number>
in operational mode, only the primary node information about the existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.Starting Junos OS Release 23.4R1, this option is not available when
junos-ike
package is installed for running IPsec VPN usingIKED
process. -
index SA-index-number
—(Optional) Display information for a particular SA based on the index number of the SA. For a particular SA, display the list of existing SAs by using the command with no options. This option andpeer-address
provide the same level of output.
-
kmd-instance
—(Optional) Display information about existing IKE SAs in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number. This option is used to filter the output.-
all
—All KMD instances running on the Services Processing Unit (SPU). -
kmd-instance-name
—Name of the KMD instance running on the SPU.
Starting Junos OS Release 23.4R1, this option is not available when
junos-ike
package is installed for running IPsec VPN usingIKED
process. -
node-local |
—(Optional) Display information about IKE SAs for node-local tunnels in a Multinode High Availability setup. |
-
pic slot-number
—(Optional) Display information about existing IKE SAs in this PIC slot. This option is used to filter the output.Starting Junos OS Release 23.4R1, this option is not available when
junos-ike
package is installed for running IPsec VPN usingIKED
process. -
sa-type shortcut
—(Optional) It's applicable for ADVPN. Display information about IKE SAs by typeshortcut
.
-
ha-link-encryption
—(Optional) Display information related to interchassis link tunnel only. See ipsec (High Availability) and show security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800).
-
srg-id
—(Optional) Display information related to a specific services redundancy group (SRG).
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security ike security-associations
command. Output fields are listed in the approximate order in which
they appear.
Field Name |
Field Description |
---|---|
|
IP address of the destination peer with which the local peer communicates. |
|
Index number of an SA. This number is an internally generated number you can use to display information about a single SA. |
|
Name of the IKE gateway. |
|
|
|
Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder. |
|
State of the IKE SAs:
|
|
Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered. |
|
Random number generated by the remote node and sent back to the initiator as a verification that the packets were received. A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. |
|
Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type or mode determines the number of messages and the payload types that are contained in each message. The modes are:
IKEv2 protocol does not use the mode configuration for negotiation. Therefore, the mode displays the version number of the security association. |
|
Method used to authenticate the source of IKE messages, which can be either
|
|
Address of the local peer. |
|
Address of the remote peer. |
|
Number of seconds remaining until the IKE SA expires. |
|
When enabled, number of seconds remaining until reauthentication triggers a new IKEv2 SA negotiation. |
|
|
|
IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:
|
|
|
|
Notification to the key management process of the status of the IKE negotiation:
|
|
|
|
Number of Phase 2 IKE negotiations in progress and status information:
|
|
Interface name of the local gateway. |
|
Name of the local gateway routing instance. |
|
Indicates the list of child IPsec tunnel IDs |
Sample Output
- show security ike security-associations (IPv4)
- show security ike security-associations (IPv6)
- show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)
- show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)
- command-name
- show security ike security-associations family inet6
- show security ike security-associations index 222075191 detail
- show security ike security-associations index 788674 detail
- show security ike security-associations 192.168.1.2
- show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)
- show security ike security-associations detail (ADVPN Suggester, Static Tunnel)
- show security ike security-associations detail (ADVPN Partner, Static Tunnel)
- show security ike security-associations detail (ADVPN Partner, Shortcut)
- show security ike security-associations sa-type shortcut (ADVPN)
- show security ike security-associations sa-type shortcut detail (ADVPN)
- show security ike security-associations detail (IKEv2 Reauthentication)
- show security ike security-associations detail (IKEv2 Fragmentation)
- show security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
- show security ike security-associations srg-id
- show security ike security-associations node-local
- show security ike security-associations node-local detail
- show security ike security-associations detail (ChaCha20-Poly1305)
- show security ike security-associations detail (IKEv2 digital signature authentication method and signature hash algorithm)
show security ike security-associations (IPv4)
user@host> show security ike security-associations Index Remote Address State Initiator cookie Responder cookie Mode 8 192.168.1.2 UP 3a895f8a9f620198 9040753e66d700bb Main Index Remote Address State fInitiator cookie Responder cookie Mode 9 192.168.1.3 UP 5ba96hfa9f65067 70890755b65b80b Main
show security ike security-associations (IPv6)
user@host> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 5 UP e48efd6a444853cf 0d09c59aafb720be Aggressive 2001:db8::1112
show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)
user@host> show security ike security-associations detail IKE peer 192.168.134.245, Index 2577565, Gateway Name: tropic Role: Initiator, State: UP Initiator cookie: b869b3424513340a, Responder cookie: 4cb3488cb19397c3 Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp Local: 192.168.134.241:500, Remote: 192.168.134.245:500 Local gateway interface: ge-0/0/0 Routing instance: default Lifetime: Expires in 169 seconds Peer ike-id: 192.168.134.245 AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes-128-gcm Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 1012 Output bytes : 1196 Input packets: 4 Output packets: 5 Flags: IKE SA is created IPSec security associations: 1 created, 0 deleted Phase 2 negotiations in progress: 0 Negotiation type: Quick mode, Role: Initiator, Message ID: 0 Local: 192.168.134.241:500, Remote: 192.168.134.245:500 Local identity: 192.168.134.241 Remote identity: 192.168.134.245 Flags: IKE SA is created IPsec SA Rekey CREATE_CHILD_SA exchange stats: Initiator stats: Responder stats: Request Out : 1 Request In : 0 Response In : 1 Response Out : 0 No Proposal Chosen In : 0 No Proposal Chosen Out : 0 Invalid KE In : 0 Invalid KE Out : 0 TS Unacceptable In : 0 TS Unacceptable Out : 0 Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0 Res Verify SA Fail : 0 Res Verify DH Group Fail: 0 Res Verify TS Fail : 0
show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)
user@host> show security ike security-associations detail IKE peer 2.0.0.2, Index 2068, Gateway Name: IKE_GW Role: Responder, State: DOWN Initiator cookie: aa08091f3d4f1fb6, Responder cookie: 08c89a7add5f9332 Exchange type: IKEv2, Authentication method: Pre-shared-keys Local gateway interface: ge-0/0/3 Routing instance: default Local: 2.0.0.1:500, Remote: 2.0.0.2:500 Lifetime: Expires in 186 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Remote Access Client Info: Unknown Client Peer ike-id: 2.0.0.2 AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha256-128 Encryption : aes128-cbc Pseudo random function: hmac-sha256 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 704 Output bytes : 1408 Input packets: 4 Output packets: 4 Input fragmented packets: 0 Output fragmented packets: 0 IPSec security associations: 4 created, 2 deleted Phase 2 negotiations in progress: 1 IPSec Tunnel IDs: 500766, 500767 Negotiation type: Quick mode, Role: Responder, Message ID: 0 Local: 2.0.0.1:500, Remote: 2.0.0.2:500 Local identity: 2.0.0.1 Remote identity: 2.0.0.2 Flags: IKE SA is created IPsec SA Rekey CREATE_CHILD_SA exchange stats: Initiator stats: Responder stats: Request Out : 0 Request In : 0 Response In : 0 Response Out : 0 No Proposal Chosen In : 0 No Proposal Chosen Out : 0 Invalid KE In : 0 Invalid KE Out : 0 TS Unacceptable In : 0 TS Unacceptable Out : 0 Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0 Res Verify SA Fail : 0 Res Verify DH Group Fail: 0 Res Verify TS Fail : 0
command-name
The show security ike stats topic lists the
output fields for the show security ike security-associations detail
command.
show security ike security-associations family inet6
user@host> show security ike security-associations family inet6 IKE peer 2001:db8:1212::1112, Index 5, Gateway Name: tropic Role: Initiator, State: UP Initiator cookie: e48efd6a444853cf, Responder cookie: 0d09c59aafb720be Exchange type: Aggressive, Authentication method: Pre-shared-keys Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500 Lifetime: Expires in 19518 seconds Peer ike-id: not valid AAA assigned IP: 0.0.0.0 Algorithms: Authentication : sha1 Encryption : 3des-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 1568 Output bytes : 2748 Input packets: 6 Output packets: 23 Flags: Caller notification sent IPSec security associations: 5 created, 0 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Initiator, Message ID: 2900338624 Local: 2001:db8:1212::1111:500, Remote: 2001:db8:1212::1112:500 Local identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Flags: Caller notification sent, Waiting for done
show security ike security-associations index 222075191 detail
user@host> show security ike security-associations index 222075191 detail node0: - IKE peer 192.168.1.2, Index 222075191, Gateway Name: ZTH_HUB_GW Location: FPC 0, PIC 3, KMD-Instance 2 Auto Discovery VPN: Type: Static, Local Capability: Suggester, Peer Capability: Partner Suggester Shortcut Suggestions Statistics: Suggestions sent : 2 Suggestions accepted: 4 Suggestions declined: 1 Role: Responder, State: UP Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157 Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.1.1:500, Remote: 192.168.1.2:500 Lifetime: Expires in 828 seconds Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=cssvk36-d Xauth user-name: not available Xauth assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes256-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 20474 Output bytes : 21091 Input packets: 237 Output packets: 237 IPSec security associations: 2 created, 0 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Responder, Message ID: 0 Local: 192.168.1.1:500, Remote: 192.168.1.2:500 Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1 Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2 Flags: IKE SA is created
show security ike security-associations index 788674 detail
user@host> show security ike security-associations index 788674 detail IKE peer 192.168.1.1, Index 788674, Gateway Name: ZTH_SPOKE_GW Auto Discovery VPN: Type: Static, Local Capability: Partner, Peer Capability: Suggester Partner Shortcut Suggestions Statistics: Suggestions received: 2 Suggestions accepted: 2 Suggestions declined: 0 Role: Initiator, State: UP Initiator cookie: 7b996b4c310d2424, Responder cookie: 5724c5882a212157 Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.1.2:500, Remote: 192.168.1.1:500 Lifetime: Expires in 734 seconds Peer ike-id: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=test Xauth user-name: not available Xauth assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes256-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 22535 Output bytes : 21918 Input packets: 256 Output packets: 256 IPSec security associations: 2 created, 0 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Initiator, Message ID: 0 Local: 192.168.1.2:500, Remote: 192.168.1.1:500 Local identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host1 Remote identity: C=US, DC=example, ST=CA, L=Sunnyvale, O=example, OU=engineering, CN=host2 Flags: IKE SA is created
show security ike security-associations 192.168.1.2
user@host> show security ike security-associations 192.168.1.2 Index State Initiator cookie Responder cookie Mode Remote Address 8 UP 3a895f8a9f620198 9040753e66d700bb Main 192.168.1.2
show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)
user@host> show security ike security-associations fpc 6 pic 1 kmd-instance all Index Remote Address State Initiator cookie Responder cookie Mode 1728053250 192.168.1.2 UP fc959afd1070d10b bdeb7e8c1ea99483 Main
show security ike security-associations detail (ADVPN Suggester, Static Tunnel)
user@host> show security ike security-associations detail IKE peer 192.168.0.105, Index 13563297, Gateway Name: zth_hub_gw Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Static, Local Capability: Suggester, Peer Capability: Partner Suggester Shortcut Suggestions Statistics: Suggestions sent : 12 Suggestion response accepted: 12 Suggestion response declined: 0 Role: Responder, State: UP Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21 Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.0.154:500, Remote: 192.168.0.105:500 Lifetime: Expires in 26429 seconds Peer ike-id: DC=example, CN=host02, L=Sunnyvale, ST=CA, C=US
show security ike security-associations detail (ADVPN Partner, Static Tunnel)
user@host> show security ike security-associations detail IKE peer 192.168.0.154, Index 4980720, Gateway Name: zth_spoke_gw Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Static, Local Capability: Partner, Peer Capability: Suggester Partner Shortcut Suggestions Statistics: Suggestions received: 12 Suggestions accepted: 12 Suggestions declined: 0 Role: Initiator, State: UP Initiator cookie: 4d3f4e4b2e75d727, Responder cookie: 81ab914e13cecd21 Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.0.105:500, Remote: 192.168.0.154:500 Lifetime: Expires in 26252 seconds Peer ike-id: DC=example, CN=host01, OU=SBU, O=example, L=Sunnyvale, ST=CA, C=US
show security ike security-associations detail (ADVPN Partner, Shortcut)
user@host> show security ike security-associations detail IKE peer 192.168.0.106, Index 4980737, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173323 Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Shortcut, Local Capability: Partner, Peer Capability: Partner Role: Responder, State: UP Initiator cookie: e1ed0c655929debc, Responder cookie: 437de6ed784ba63e Exchange type: IKEv2, Authentication method: RSA-signatures Local: 192.168.0.105:500, Remote: 192.168.0.106:500 Lifetime: Expires in 28796 seconds Peer ike-id: DC=example, CN=paulyd, L=Sunnyvale, ST=CA, C=US
show security ike security-associations sa-type shortcut (ADVPN)
user@host> show security ike security-associations sa-type shortcut Index State Initiator cookie Responder cookie Mode Remote Address 4980742 UP vb56fbe694eaee5b6 064dbccbfa3b2aab IKEv2 192.168.0.106
show security ike security-associations sa-type shortcut detail (ADVPN)
user@host> show security ike security-associations sa-type shortcut detail IKE peer 192.168.0.106, Index 4980742, Gateway Name: GW-ADVPN-GT-ADVPN-zth_spoke_vpn-268173327 Location: FPC 0, PIC 0, KMD-Instance 1 Auto Discovery VPN: Type: Shortcut, Local Role: Partner, Peer Role: Partner Role: Responder, State: UP
show security ike security-associations detail (IKEv2 Reauthentication)
user@host> show security ike security-associations detail IKE peer 10.1.2.11, Index 6009224, Gateway Name: GW Role: Responder, State: UP Initiator cookie: 2c74d14c798a9d70, Responder cookie: 83cbb49bfbcb80cb Exchange type: IKEv2, Authentication method: RSA-signatures Local: 10.1.1.11:500, Remote: 10.1.2.11:500 Lifetime: Expires in 173 seconds Reauth Lifetime: Expires in 600 seconds Peer ike-id: vsrx@example.net AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : aes128-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-2 Traffic statistics: Input bytes : 1782 Output bytes : 1743 Input packets: 2
show security ike security-associations detail (IKEv2 Fragmentation)
user@host> show security ike security-associations detail IKE peer 172.24.23.157, Index 11883008, Gateway Name: routebased_s2s_gw-552_1 Role: Responder, State: UP Initiator cookie: f3255e720f162e3a, Responder cookie: 17555e3ff7451841 Exchange type: Main, Authentication method: Pre-shared-keys Trusted CA group: xyz_ca_grp Local: 192.168.254.1:500, Remote: 172.24.23.157:500 Lifetime: Expires in 530 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Peer ike-id: 172.24.23.157 AAA assigned IP: 0.0.0.0 Algorithms: Authentication : hmac-sha1-96 Encryption : 3des-cbc Pseudo random function: hmac-sha1 Diffie-Hellman group : DH-group-5 Traffic statistics: Input bytes : 1004 Output bytes : 756 Input packets: 6 Output packets: 4 Input fragmented packets: 3 Output fragmented packets: 3 IPSec security associations: 1 created, 1 deleted Phase 2 negotiations in progress: 1 Negotiation type: Quick mode, Role: Responder, Message ID: 0 Local: 192.168.254.1:500, Remote: 172.24.23.157:500 Local identity: 192.168.254.1 Remote identity: 172.24.23.157 Flags: IKE SA is created
show security ike security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only interchassis link tunnel details. The following command displays only the link encryption SAs on both nodes.
user@host> show security ike security-associations ha-link-encryption Index State Initiator cookie Responder cookie Mode Remote Address 4294966287 UP 7b77b4e2fd5a87e5 ab4a398e6a28687a IKEv2 23.0.0.2
show security ike security-associations srg-id
user@host> show security ike security-associations srg-id 1 Index State Initiator cookie Responder cookie Mode Remote Address 16778113 UP 16d1f4efae91608c 53f234767bdd0b9b IKEv2 10.112.0.1
show security ike security-associations node-local
user@host> show security ike security-associations node-local Index State Initiator cookie Responder cookie Mode Remote Address 24 UP c982a43f5dd03bf0 c37ae96722a0e1bc IKEv2 6.0.0.2
show security ike security-associations node-local detail
user@host> show security ike security-associations node-local IKE peer 6.0.0.2, Index 25, Gateway Name: IKEv1_GW Role: Responder, State: UP Initiator cookie: 34b2b16c3dd35442, Responder cookie: 91fc9975f83e932d Exchange type: IKEv2, Authentication method: RSA-signatures Local gateway interface: xe-0/0/2.0 Routing instance: default Local: 4.0.0.1:500, Remote: 6.0.0.2:500 Lifetime: Expires in 1159 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Remote Access Client Info: Unknown Client Peer ike-id: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us AAA assigned IP: 0.0.0.0 PPK-profile: None Algorithms: Authentication : hmac-sha384-192 Encryption : aes256-cbc Pseudo random function: hmac-sha384 Diffie-Hellman group : DH-group-19 Traffic statistics: Input bytes : 3434 Output bytes : 3427 Input packets: 15 Output packets: 15 Input fragmented packets: 4 Output fragmented packets: 4 IPSec security associations: 4 created, 1 deleted Phase 2 negotiations in progress: 1 IPSec Tunnel IDs: 500003 Negotiation type: Quick mode, Role: Responder, Message ID: 0 Local: 4.0.0.1:500, Remote: 6.0.0.2:500 Local identity: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us Remote identity: DC=juniper, CN=r0, OU=marketing, O=juniper, L=sunnyvale, ST=california, C=us Flags: IKE SA is created IPsec SA Rekey CREATE_CHILD_SA exchange stats: Initiator stats: Responder stats: Request Out : 0 Request In : 0 Response In : 0 Response Out : 0 No Proposal Chosen In : 0 No Proposal Chosen Out : 0 Invalid KE In : 0 Invalid KE Out : 0 TS Unacceptable In : 0 TS Unacceptable Out : 0 Res DH Compute Key Fail : 0 Res DH Compute Key Fail: 0 Res Verify SA Fail : 0 Res Verify DH Group Fail: 0 Res Verify TS Fail : 0
show security ike security-associations detail (ChaCha20-Poly1305)
user@host> show security ike security-associations detail IKE peer 10.1.1.10, Index 1, Gateway Name: ike_gw Role: Responder, State: UP Initiator cookie: 26b772950a8bea9c, Responder cookie: be644ff0068a0e05 Exchange type: IKEv2, Authentication method: Pre-shared-keys Local gateway interface: ge-0/0/1.0 Routing instance: default Local: 192.168.1.20:500, Remote: 10.1.1.10:500 Lifetime: Expires in 28790 seconds Reauth Lifetime: Disabled IKE Fragmentation: Enabled, Size: 576 Remote Access Client Info: Unknown Client Peer ike-id: 10.1.1.10 AAA assigned IP: 0.0.0.0 PPK-profile: None Algorithms: Authentication : chacha20-poly1305 Encryption : chacha20-poly1305 Pseudo random function: hmac-sha384 Diffie-Hellman group : DH-group-2
show security ike security-associations detail (IKEv2 digital signature authentication method and signature hash algorithm)
user@host> show security ike security-associations detail IKE peer 10.0.0.1, Index 83, Gateway Name: SPK_GW1 Role: Initiator, State: UP Initiator cookie: 4c5c36dc34e24093, Responder cookie: 69abe1c4b45a2a9f Exchange type: Main, Authentication method: digital-signature(ECDSA) Local gateway interface: ge-0/0/2.0 Routing instance: default Local: 192.168.1.2:500, Remote: 10.0.0.1:500 Lifetime: Expires in 28515 seconds Reauth Lifetime: Disabled IKE Fragmentation: Disabled, Size: 0 Remote Access Client Info: Unknown Client Peer ike-id: 10.0.0.1 AAA assigned IP: 0.0.0.0 PPK-profile: None Algorithms: Authentication : hmac-sha256-128 Encryption : aes256-cbc Pseudo random function: hmac-sha256 Diffie-Hellman group : DH-group-14 Signature hash algo : sha256(local), sha1(remote)
Release Information
Command introduced in Junos OS Release 8.5. Support for the fpc
,
pic
, and kmd-instance
options added in Junos OS Release
9.3. Support for the family
option added in Junos OS Release 11.1. Support
for Auto Discovery VPN added in Junos OS Release 12.3X48-D10. Support for IKEv2
reauthentication added in Junos OS Release 15.1X49-D60. Support for IKEv2 fragmentation
added in Junos OS Release 15.1X49-D80.
Support for the ha-link-encryption
option added in Junos OS Release
20.4R1.
Support for the srg-id
option added in Junos OS Release 22.4R1.
Support for the node-local
option added in Junos OS Release 23.2R1.
Support for the chacha20-poly1305
option added in Junos OS Release
24.2R1.
Support for the digital-signature
and Signature hash algo
options added in Junos OS Release 24.4R1.