show security ipsec security-associations
Syntax
show security ipsec security-associations <brief | detail | extensive> <family (inet | inet6)> <fpc slot-number pic slot-number> <index SA-index-number> <kmd-instance (all | kmd-instance-name)> <node-local> <pic slot-number fpc slot-number> <sa-type shortcut> <traffic-selector traffic-selector-name> <srg-id id-number> <vpn-name vpn-name> <ha-link-encryption>
Description
Display information about the IPsec security associations (SAs).
In Junos OS Releases 20.1R2, 20.2R2, 20.3R2, 20.3R1, and later, when you execute the show security ipsec security-associations detail command, a new output field, IKE SA Index, corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA's information. See show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800).
Options
Option | Description
---|---
none | Display information about all SAs.
brief \| detail \| extensive | (Optional) Display the specified level of output. The default is
family | (Optional) Display SAs by family. This option is used to filter the output.
fpc slot-number pic slot-number | (Optional) Display information about existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot. In a chassis cluster, when you execute the CLI command
index SA-index-number | (Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.
kmd-instance | (Optional) Display information about existing IPsec SAs in the key management process (in this case, it is KMD) identified by the FPC slot-number and PIC slot-number. This option is applicable when you have
node-local | (Optional) Display information about IPsec SAs for node-local tunnels in a Multinode High Availability setup.
pic slot-number fpc slot-number | (Optional) Display information about existing IPsec SAs in the specified PIC slot and FPC slot.
sa-type shortcut | (Optional) Applicable for ADVPN. Display information about IPsec SAs by type
traffic-selector traffic-selector-name | (Optional) Display information about the specified traffic selector.
vpn-name vpn-name | (Optional) Display information about the specified VPN.
ha-link-encryption | (Optional) Display information related to the interchassis link tunnel only. See ipsec (High Availability), show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800), and show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800).
srg-id | (Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.
Required Privilege Level
view
Output Fields
Table 1 lists the output fields for the show security ipsec security-associations command, Table 2 lists the output fields for the show security ipsec sa command, and Table 3 lists the output fields for the show security ipsec sa detail command. Output fields are listed in the approximate order in which they appear.
Field Name |
Field Description |
Level of Output |
---|---|---|
|
Total number of active IPsec tunnels. |
|
|
Index number of the SA. You can use this number to get additional information about the SA. |
All levels |
|
Cryptography used to secure exchanges between peers during the IKE negotiations includes:
|
|
|
Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec. |
|
|
The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. |
|
|
The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then
this field displays |
|
|
The root system. |
|
|
If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. |
All levels |
|
IP address of the remote gateway. |
|
|
Name of the logical system. |
|
|
IPsec name for VPN. |
|
|
State has two options,
|
|
|
Gateway address of the local system. |
|
|
Gateway address of the remote system. |
|
|
Name of the traffic selector. |
|
|
Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN). |
|
|
IP address of the destination peer gateway. |
|
|
Defines local IP range, remote IP range, source port range, destination port range, and protocol. |
|
|
Source port range configured for a term. |
|
|
Destination port range configured for a term. |
|
|
IKE version, either |
|
|
State of the don't fragment bit: |
|
|
|
|
|
Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.
|
|
|
Anchor thread ID for the SA (for SRX4600 Series devices with the
|
|
|
Direction of the SA; it can be inbound or outbound. |
|
|
Value of the auxiliary security parameter index (SPI).
|
|
|
Mode of the SA:
|
|
|
Type of the SA:
|
|
|
State of the SA:
|
|
|
Protocol supported.
|
|
|
Type of authentication used. |
|
|
Type of encryption used. Starting in Junos OS Release 19.4R2, when you configure
|
|
|
The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.
|
|
|
The hard lifetime specifies the lifetime of the SA.
|
|
|
The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.
|
|
|
State of the service that prevents packets from being replayed. It can be
|
|
|
Size of the antireplay service window, which is 64 bits. |
|
|
The tunnel interface to which the route-based VPN is bound. |
|
|
Indicates if the system copies the outer DSCP value from the IP header to the inner IP header. |
|
|
Indicates how the IKE is activated. |
|
|
Indicates the list of parent IKE security associations. |
|
Field Name |
Field Description |
---|---|
|
Total number of active IPsec tunnels. |
|
Index number of the SA. You can use this number to get additional information about the SA. |
|
Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:
|
|
Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2. |
|
The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes. |
|
The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPSec datapath verification is in progress. |
|
The root system. |
|
If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500. |
|
Gateway address of the system. |
Field Name |
Field Description |
---|---|
|
Forwarding class (FC) name for the child security association. |
|
Index number of the SA. You can use this number to get additional information about the SA. |
|
The virtual system name. |
|
IPSec name for VPN. |
|
Gateway address of the local system. |
|
Gateway address of the remote system. |
|
Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN). |
|
IP address of the destination peer gateway. |
|
IKE version. For example, IKEv1, IKEv2. |
|
IPsec tunneling of malformed packets. You can either enable or disable the option. |
|
State of the don't fragment bit: |
|
The tunnel interface to which the route-based VPN is bound. |
identity-management |
Count for the VPN tunnel create, delete, and rekey events when push to identity management is enabled. |
Tunnel Events | |
|
Direction of the SA; it can be inbound or outbound. |
|
Value of the auxiliary security parameter index (SPI).
|
|
Starting in Junos OS Release 23.4R1, if VPN monitoring is enabled, the output displays |
|
The hard lifetime specifies the lifetime of the SA.
|
|
The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited. |
|
The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.
|
|
Mode of the SA:
|
|
Type of the SA:
|
|
State of the SA:
For transport mode, the value of State is always Installed. |
|
Protocol supported.
|
|
State of the service that prevents packets from being replayed. It can be
|
|
Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled. The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets. |
Interchassis Link Tunnel |
|
HA Link Encryption Mode |
High availability mode supported. Displays |
Sample Output
For brevity, the show command output does not display all the values of the configuration. Only a subset of the configuration is displayed. The rest of the configuration on the system has been replaced with ellipses (...).
- show security ipsec security-associations (IPv4)
- show security ipsec security-associations (IPv6)
- show security ipsec security-associations index 511672
- show security ipsec security-associations index 131073 detail
- show security ipsec sa
- show security ipsec sa detail
- show security ipsec sa detail (MX-SPC3)
- show security ipsec sa detail (MX-SPC3 and SRX4600) with passive mode tunneling
- show security ipsec security-association
- show security ipsec security-associations brief
- show security ipsec security-associations detail
- show security ipsec security-associations with VPN monitoring enabled
- show security ipsec security-associations detail with VPN monitoring enabled
- show security ipsec security-associations family inet6
- show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)
- show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)
- show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)
- show security ipsec security-associations sa-type shortcut (ADVPN)
- show security ipsec security-associations sa-type shortcut detail (ADVPN)
- show security ipsec security-associations family inet detail
- show security ipsec security-associations detail (SRX4600)
- show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
- show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
- show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
- show security ipsec security-associations detail (identity-management)
- show security ipsec security-associations detail (multi-sa with forwarding class details)
- show security ipsec security-associations detail (SRX Series Firewalls and MX Series Routers)
- show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
- show security ipsec security-associations srg-id
- show security ipsec security-associations node-local
- show security ipsec security-associations node-local detail
show security ipsec security-associations (IPv4)
```
user@host> show security ipsec security-associations
  Total active tunnels: 14743     Total Ipsec sas: 14743
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <511672 ESP:aes-cbc-128/sha1 0x071b8cd2 - root 500 10.21.45.152
  >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255
  <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255
  >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96
  <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96
  >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57
```
show security ipsec security-associations (IPv6)
```
user@host> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  131074 ESP:aes256/sha256 14caf1d9 3597/ unlim - root 500 2001:db8::1112
  131074 ESP:aes256/sha256 9a4db486 3597/ unlim - root 500 2001:db8::1112
```
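The brief table above (ID, Algorithm, SPI, Life:sec/kb, Mon, lsys/vsys, Port, Gateway) is the form most often scraped by monitoring scripts. The following Python is an added example, not Juniper code and not from this page: it parses rows in that column layout into records and reports the conditions the output-field descriptions let you read off directly: an SA ID that lacks one of its two directions (the `<` inbound and `>` outbound rows), a Mon value of D (VPN monitoring reports the tunnel down), an algorithm column naming des, 3des or md5, and a remaining lifetime below a threshold. The sample text, the ID and SPI values, and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample in the column layout of the brief output on this page
# (ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway). IDs, SPIs and gateway
# addresses are made up for the example; this is not captured device output.
SAMPLE_BRIEF = """\
  Total active tunnels: 3     Total Ipsec sas: 5
  ID    Algorithm            SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes256/sha256    89e5098  1569/ unlim  -   root 500   10.5.0.1
  >131073 ESP:aes256/sha256    fcee9d54 1569/ unlim  -   root 500   10.5.0.1
  <131074 ESP:aes-gcm-256/None 15e8de2c 120/ unlim   D   root 4500  192.0.2.7
  >131074 ESP:aes-gcm-256/None 2a1f46fb 120/ unlim   D   root 4500  192.0.2.7
  <131075 ESP:3des/md5         0a25c960 2900/ unlim  -   root 500   198.51.100.9
"""

# One SA row: direction marker and ID, algorithm, SPI, seconds/kilobytes
# of lifetime, monitoring flag, logical system, port and gateway.
ROW = re.compile(
    r"^\s*(?P<dir>[<>])(?P<id>\d+)\s+(?P<alg>\S+)\s+(?P<spi>[0-9a-fx]+)\s+"
    r"(?P<sec>\d+)/\s*(?P<kb>\S+)\s+(?P<mon>\S+)\s+(?P<lsys>\S+)\s+"
    r"(?P<port>\d+)\s+(?P<gw>\S+)\s*$"
)
TOTAL = re.compile(r"Total active tunnels:\s*(\d+)")

# Algorithm tokens that should not appear in the Algorithm column.
WEAK_TOKENS = frozenset({"des", "3des", "md5"})


@dataclass
class SaRow:
    direction: str   # '<' inbound, '>' outbound, as printed before the ID
    sa_id: int
    algorithm: str   # e.g. ESP:aes256/sha256 (encryption/authentication)
    spi: str
    life_sec: int    # seconds left before the SA expires
    mon: str         # VPN monitoring: U (up), D (down), - (not enabled), V
    lsys: str
    port: int        # 500, or 4500 when NAT-T is in use
    gateway: str


def parse_brief(text):
    """Return (declared_tunnel_count, [SaRow, ...]) from brief output text."""
    declared, rows = None, []
    for line in text.splitlines():
        t = TOTAL.search(line)
        if t:
            declared = int(t[1])
            continue
        m = ROW.match(line)
        if m:
            rows.append(SaRow(m["dir"], int(m["id"]), m["alg"], m["spi"],
                              int(m["sec"]), m["mon"], m["lsys"],
                              int(m["port"]), m["gw"]))
    return declared, rows


def audit_brief(rows, min_life_sec=300):
    """Map SA ID -> sorted findings; IDs with nothing to report are omitted."""
    by_id = defaultdict(list)
    for r in rows:
        by_id[r.sa_id].append(r)
    findings = defaultdict(set)
    for sa_id, sa_rows in by_id.items():
        # An installed SA shows both an inbound (<) and an outbound (>) row.
        if {r.direction for r in sa_rows} != {"<", ">"}:
            findings[sa_id].add("only one direction present")
        for r in sa_rows:
            # Split "aes-cbc-128/sha1" into its tokens before matching.
            tokens = set(re.split(r"[-/]", r.algorithm.partition(":")[2].lower()))
            if tokens & WEAK_TOKENS:
                findings[sa_id].add(f"weak algorithm {r.algorithm}")
            if r.mon == "D":   # monitoring enabled and reporting the tunnel down
                findings[sa_id].add("VPN monitoring reports down")
            if r.life_sec < min_life_sec:
                findings[sa_id].add(f"lifetime below {min_life_sec}s")
    return {sa_id: sorted(v) for sa_id, v in findings.items()}


if __name__ == "__main__":
    declared, rows = parse_brief(SAMPLE_BRIEF)
    print(f"declared tunnels: {declared}, parsed SA rows: {len(rows)}")
    for sa_id, issues in audit_brief(rows).items():
        print(sa_id, "; ".join(issues))
```

Rows whose Life column is missing (as in the first row of the IPv4 sample above) do not match the row pattern and are skipped rather than mis-parsed; if you need them counted, relax the `sec`/`kb` groups.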
show security ipsec security-associations index 511672
```
user@host> show security ipsec security-associations index 511672
  ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn
  Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152
  Traffic Selector Name: ts
  Local Identity: ipv4(10.191.151.0-10.191.151.255)
  Remote Identity: ipv4(10.40.151.0-10.40.151.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 10
  Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations index 131073 detail
```
user@host> show security ipsec security-associations index 131073 detail
  ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1
  Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1
  Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39
  Multi-sa, Configured SAs# 9, Negotiated SAs#: 9
  Tunnel events:
    Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times)
    Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times)
    Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times)
    Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: inbound, SPI: 5d227e19, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: best-effort
  Direction: outbound, SPI: 5490da, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  ...
```
Starting with Junos OS Release 18.2R1, the output of the CLI command show security ipsec security-associations index index-number detail displays all the child SA details, including the forwarding class name.
show security ipsec sa
```
user@host> show security ipsec sa
  Total active tunnels: 2
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  >67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2
  >67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2
  >67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2
  >67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2
```
show security ipsec sa detail
```
user@host> show security ipsec sa detail
  ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
  Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
  ...
```
Starting with Junos OS Release 19.1R1, a new field, tunnel-establishment, in the output of the CLI command show security ipsec sa detail displays the option configured under the ipsec vpn establish-tunnels hierarchy.
Starting with Junos OS Release 21.3R1, a new field, Tunnel MTU, in the output of the CLI command show security ipsec sa detail displays the option configured under the ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarchy.
Starting in Junos OS Release 22.1R3, on SRX5000 line of devices, the Tunnel MTU is not displayed in the CLI output if the tunnel MTU is not configured.
show security ipsec sa detail (MX-SPC3)
```
user@host> show security ipsec sa detail
  ID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420
  Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately
  Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately
```
show security ipsec sa detail (MX-SPC3 and SRX4600) with passive mode tunneling
```
user@host> show security ipsec sa detail
  ID: 500054 Virtual-system: root, VPN Name: TUN_3
  Local Gateway: 100.0.0.3, Remote Gateway: 200.0.0.3
  Traffic Selector Name: ts1
  Local Identity: ipv4(11.0.0.3-11.0.0.3)
  Remote Identity: ipv4(75.0.0.3-75.0.0.3)
  TS Type: traffic-selector
  Version: IKEv2
  Quantum Secured: No
  PFS group: N/A
  SRG ID: 0
  Passive mode tunneling: Enabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.3, Policy-name: IPSEC_POLICY
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Mon Sep 19 2022 19:27:44: IPsec SA negotiation succeeds (1 times)
  Location: FPC 3, PIC 1, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: vms-3/1/0
  Direction: inbound, SPI: 0x25c03740, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expired
    Lifesize Remaining: Expired
    Soft lifetime: Expires in 2920 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 512
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 122
  Direction: outbound, SPI: 0x8e8f2009, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expired
    Lifesize Remaining: Expired
    Soft lifetime: Expires in 2920 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 512
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 122
```
show security ipsec security-association
```
user@host> show security ipsec security-association
  Total active tunnels: 1     Total IPsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2
```
show security ipsec security-associations brief
```
user@host> show security ipsec security-associations brief
  Total active tunnels: 2     Total Ipsec sas: 18
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes256/sha256 89e5098  1569/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 f3117676 1609/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 6050109f 1609/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 606c90f6 1616/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim - root 500 10.5.0.1
  <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim - root 500 10.5.0.1
  >131073 ESP:aes256/sha256 af8984b6 1619/ unlim - root 500 10.5.0.1
  ...
```
show security ipsec security-associations detail
```
user@host> show security ipsec security-associations detail
  ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 0
  Distribution-Profile: default-profile
  IKE SA Index: 2068
  Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
  Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
```
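The detail output above carries the per-direction fields (Protocol, Authentication, Encryption, State, lifetimes and replay window) that the output-field tables describe. The following Python is an added example, not Juniper code and not from this page: it parses each ID block and its Direction blocks into records and flags what a reviewer of an SA table wants surfaced: encryption des-cbc or 3des-cbc, authentication hmac-md5-96, a replay window size of 0 (which the output-field description says means anti-replay is disabled), an SA state other than installed, and a hard lifetime shown as Expired. The sample text, the IDs, SPIs and addresses, and the "Anti-replay service: disabled" wording are all constructed for the example.

```python
import re

# Constructed sample in the layout of the detail output on this page. IDs,
# SPIs, addresses and the "Anti-replay service: disabled" wording are made up
# for the example; this is not captured device output.
SAMPLE_DETAIL = """\
  ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1
  Version: IKEv1
  Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  ID: 500010 Virtual-system: root, VPN Name: BRANCH_VPN
  Local Gateway: 10.2.0.2, Remote Gateway: 203.0.113.5
  Version: IKEv2
  Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expired
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: disabled, Replay window size: 0
  Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: disabled, Replay window size: 0
"""

WEAK_ENCRYPTION = {"des-cbc", "3des-cbc"}
WEAK_AUTHENTICATION = {"hmac-md5-96"}


def _seconds(line):
    """'Expires in N seconds' -> N; 'Expired' -> 0; anything else -> None."""
    m = re.search(r"Expires in (\d+) seconds", line)
    if m:
        return int(m[1])
    return 0 if "Expired" in line else None


def parse_detail(text):
    """Return a list of tunnels, each with its child SAs (one per Direction: block)."""
    tunnels, tunnel, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ID:"):
            m = re.match(r"ID:\s*(\d+).*?VPN Name:\s*(\S+)", line)
            tunnel = {"id": int(m[1]), "vpn": m[2], "version": None,
                      "remote": None, "sas": []}
            tunnels.append(tunnel)
            sa = None
        elif tunnel is None:
            continue
        elif line.startswith("Local Gateway:"):
            tunnel["remote"] = re.search(r"Remote Gateway:\s*(\S+)", line)[1]
        elif line.startswith("Version:"):
            tunnel["version"] = line.split(":", 1)[1].strip()
        elif line.startswith("Direction:"):
            m = re.match(r"Direction:\s*(\w+),\s*SPI:\s*(\S+?),", line)
            sa = {"direction": m[1], "spi": m[2]}
            tunnel["sas"].append(sa)
        elif sa is None:
            continue
        elif line.startswith("Hard lifetime:"):
            sa["hard_sec"] = _seconds(line)
        elif line.startswith("Mode:"):
            m = re.search(r"State:\s*(\w+)", line)   # skip "Mode: optimized ..." lines
            if m:
                sa["state"] = m[1]
        elif line.startswith("Protocol:"):
            m = re.search(r"Protocol:\s*(\w+),\s*Authentication:\s*(\S+),\s*Encryption:\s*(.+)$", line)
            sa["protocol"], sa["auth"], sa["enc"] = m[1], m[2], m[3].strip()
        elif line.startswith("Anti-replay service:"):
            sa["replay_window"] = int(re.search(r"Replay window size:\s*(\d+)", line)[1])
    return tunnels


def audit_detail(tunnels):
    """Map tunnel ID -> sorted findings; tunnels with nothing to report are omitted."""
    findings = {}
    for t in tunnels:
        issues = set()
        if {sa["direction"] for sa in t["sas"]} != {"inbound", "outbound"}:
            issues.add("missing inbound or outbound SA")
        for sa in t["sas"]:
            enc = (sa.get("enc") or "").split(" ", 1)[0]   # drop "(128 bits)" suffix
            if enc in WEAK_ENCRYPTION:
                issues.add(f"weak encryption {enc}")
            if sa.get("auth") in WEAK_AUTHENTICATION:
                issues.add(f"weak authentication {sa['auth']}")
            if sa.get("replay_window") == 0:
                issues.add("anti-replay disabled (replay window size 0)")
            if sa.get("state") not in (None, "installed"):
                issues.add(f"SA state {sa['state']}")
            if sa.get("hard_sec") == 0:
                issues.add(f"{sa['direction']} hard lifetime expired")
        if issues:
            findings[t["id"]] = sorted(issues)
    return findings


if __name__ == "__main__":
    for tunnel_id, issues in audit_detail(parse_detail(SAMPLE_DETAIL)).items():
        print(tunnel_id, "; ".join(issues))
```

Feed it the saved output of the command (for example via `show security ipsec security-associations detail | no-more` captured to a file) and it reports per tunnel ID, which is the same ID the index option accepts when you want to look at one tunnel more closely.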
show security ipsec security-associations with VPN monitoring enabled
```
user@host> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <131073 ESP:aes-gcm-256/None 15e8de2c 2086/ unlim U root 500 3.0.0.1
  >131073 ESP:aes-gcm-256/None 2a1f46fb 2086/ unlim U root 500 3.0.0.1
  VPN Monitoring: UP
```
show security ipsec security-associations detail with VPN monitoring enabled
```
user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: SPK_VPN1
  Local Gateway: 3.0.0.2, Remote Gateway: 3.0.0.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1
  Direction: inbound, SPI: 15e8de2c, AUX-SPI: 0 , VPN Monitoring: UP
    Mode: optimized Interval:10sec Threshold: 3
    Hard lifetime: Expires in 1314 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 708 seconds
    Mode: Tunnel(10 5), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 2a1f46fb, AUX-SPI: 0 , VPN Monitoring: UP
    Mode: optimized Interval:10sec Threshold: 3
    Hard lifetime: Expires in 1313 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 707 seconds
    Mode: Tunnel(10 5), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations family inet6
```
user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  DF-bit: clear
  Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 9a4db486, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)
```
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1
  ID    Gateway          Port  Algorithm         SPI      Life:sec/kb  Mon vsys
  <2    192.168.1.2      500   ESP:aes256/sha256 67a7d25d 28280/unlim  -   0
  >2    192.168.1.2      500   ESP:aes256/sha256 a23cbcdc 28280/unlim  -   0
```
show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)
```
user@host> show security ipsec security-associations detail
  ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear
  Bind-interface: st0.1
  Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29
  Tunnel events:
    Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times)
    Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times)
    Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
    Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: inbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 1335 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 996 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
```
show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)
```
user@host> show security ipsec security-associations detail
  ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29
  Tunnel events:
    Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times)
    Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
    Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times)
    Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times)
  Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 43de5d65, AUX-SPI: 0
    Hard lifetime: Expires in 941 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 556 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
```
show security ipsec security-associations sa-type shortcut (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut
  Total active tunnels: 1
  ID          Algorithm          SPI       Life:sec/kb  Mon lsys Port  Gateway
  <268173318  ESP:aes256/sha256  6f164ee0  3580/ unlim  -   root 500   192.168.0.111
  >268173318  ESP:aes256/sha256  e6f29cb0  3580/ unlim  -   root 500   192.168.0.111
show security ipsec security-associations sa-type shortcut detail (ADVPN)
user@host> show security ipsec security-associations sa-type shortcut detail
node0:
--------------------------------------------------------------------------
  ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Auto Discovery VPN: Type: Shortcut, Shortcut Role: Initiator
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29
  Tunnel events:
    Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times)
    Direction: inbound, SPI: b7a5518, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Direction: outbound, SPI: b7e0268, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations family inet detail
user@host> show security ipsec security-associations family inet detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear , Copy-Outer-DSCP Enabled
  Bind-interface: st0.99
  Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times)
    Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times)
    Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times)
    Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times)
  Location: FPC 0, PIC 1, KMD-Instance 1
    Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
  Location: FPC 0, PIC 1, KMD-Instance 1
    Direction: outbound, SPI: 727f629d, AUX-SPI: 0
    Hard lifetime: Expires in 1713 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1090 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled , Replay window size: 64
show security ipsec security-associations detail (SRX4600)
user@host> show security ipsec security-associations detail
  ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
  Tunnel events:
    Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 6
    Direction: inbound, SPI: 812c9c01, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 7
    Direction: outbound, SPI: c4de0972, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
In Junos OS Releases 20.1R2, 20.2R2, 20.3R1, 20.3R2, and later, the detail output includes an IKE SA Index field under each IPsec SA, identifying the IKE SA that negotiated that IPsec SA. The value matches the Index shown for the corresponding IKE SA by show security ike security-associations, so it can be used to tie each child SA back to its parent when a tunnel carries several IPsec SAs.
user@host> show security ipsec security-associations detail
  ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
  Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118
  Traffic Selector Name: TS_DEFAULT
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.181.235.224-10.181.235.224)
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 7, PIC 1, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
    Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
    Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 40
    Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 40
show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when the high availability (HA) link encryption feature is configured, the ha-link-encryption option restricts the output to the interchassis link tunnel.
user@host> show security ipsec security-associations ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 91
  ID      Algorithm                     SPI         Life:sec/kb  Mon lsys Port  Gateway
  <495001 ESP:aes-gcm-256/aes256-gcm    0x0047658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x0046c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x0447658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x0446c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x0847658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x0846c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x0c47658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x0c46c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x1047658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x1046c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x1447658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x1446c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x1847658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x1846c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x1c47658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x1c46c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x2047658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x2046c5cd  298/ unlim   -   root 500   10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm    0x2447658d  298/ unlim   -   root 500   10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm    0x2446c5cd  298/ unlim   -   root 500   10.23.0.2
  ...
show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 20.4R1, when the high availability (HA) link encryption feature is configured, the ha-link-encryption option restricts the output to the interchassis link tunnel. The detail form shows the multiple SAs created for the interchassis link encryption tunnel.
user@host> show security ipsec sa detail ha-link-encryption
  ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN
  Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2
  Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__
  Local Identity: ipv4(180.100.1.1-180.100.1.1)
  Remote Identity: ipv4(180.100.1.2-180.100.1.2)
  Version: IKEv2
  PFS group: DH-Group-24
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: Multi-Node
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
    Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
    Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 16
    IKE SA Index: 4294966297
    Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0 , VPN Monitoring: -
    ...
In Junos OS Release 22.3R1 and later, when you configure the chassis cluster HA control link encryption feature, you can execute the show security ike sa ha-link-encryption detail, show security ipsec sa ha-link-encryption detail, and show security ipsec sa ha-link-encryption commands to view the chassis cluster control link encryption tunnel details.
show security ike sa ha-link-encryption detail
user@host> show security ike sa ha-link-encryption detail
IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0
  Role: Initiator, State: UP
  Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local gateway interface: em0
  Routing instance: __juniper_private1__
  Local: 10.7.0.2:500, Remote: 10.2.0.1:500
  Lifetime: Expires in 24856 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 10.2.0.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :              200644
   Output bytes  :              200644
   Input  packets:                2635
   Output packets:                2635
   Input  fragmented packets:       0
   Output fragmented packets:       0
  IPSec security associations: 6 created, 3 deleted
  Phase 2 negotiations in progress: 1

    IPSec Tunnel IDs: 495002
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 10.7.0.2:500, Remote: 10.2.0.1:500
    Local identity: 10.7.0.2
    Remote identity: 10.2.0.1
    Flags: IKE SA is created

  IPsec SA Rekey CREATE_CHILD_SA exchange stats:
    Initiator stats:                         Responder stats:
     Request Out             : 1              Request In              : 1
     Response In             : 1              Response Out            : 1
     No Proposal Chosen In   : 0              No Proposal Chosen Out  : 0
     Invalid KE In           : 0              Invalid KE Out          : 0
     TS Unacceptable In      : 0              TS Unacceptable Out     : 0
     Res DH Compute Key Fail : 0              Res DH Compute Key Fail : 0
     Res Verify SA Fail      : 0              Res Verify DH Group Fail: 0
     Res Verify TS Fail      : 0
show security ipsec sa ha-link-encryption detail
user@host> show security ipsec sa ha-link-encryption detail
  ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu
  Local Identity: ipv4(10.7.0.2-10.7.0.2)
  Remote Identity: ipv4(10.2.0.1-10.2.0.1)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: DH-group-24
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: L2 Chassis Cluster
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274
    Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274
show security ipsec sa ha-link-encryption
user@host> show security ipsec sa ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm             SPI         Life:sec/kb  Mon lsys Port  Gateway
  <495002 ESP:aes-cbc-256/sha1  0x35fae26b  3484/ unlim  -   root 500   10.2.0.1
  >495002 ESP:aes-cbc-256/sha1  0x0a2b9927  3484/ unlim  -   root 500   10.2.0.1
show security ipsec security-associations (ChaCha20-Poly1305)
user@host> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm                                SPI         Life:sec/kb   Mon lsys Port  Gateway
  <500001 ESP:chacha20-poly1305/chacha20-poly1305  0x8db47f67  86372/ unlim  -   root 500   30.1.1.10
  >500001 ESP:chacha20-poly1305/chacha20-poly1305  0x6bfe4971  86372/ unlim  -   root 500   30.1.1.10
show security ipsec security-associations detail (ChaCha20-Poly1305)
user@host> show security ipsec security-associations detail
  ID: 500001 Virtual-system: root, VPN Name: ipsec_vpn
  Local Gateway: 30.1.1.20, Remote Gateway: 30.1.1.10
  Traffic Selector Name: ts1
  Local Identity: ipv4(40.1.1.0-40.1.1.255)
  Remote Identity: ipv4(20.1.1.0-20.1.1.255)
  TS Type: traffic-selector
  Version: IKEv2
  Quantum Secured: No
  PFS group: N/A
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP: Disabled, Bind-interface: st0.0, Policy-name: ipsec_pol
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Sun Sep 10 2023 23:41:25: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x8db47f67, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 86367 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 85755 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: chacha20-poly1305, Encryption: chacha20-poly1305
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
show security ipsec security-associations detail (identity-management)
user@host> show security ipsec sa detail
  ID: 500008 Virtual-system: root, VPN Name: juniper-vpn
  Local Gateway: 5.0.0.254, Remote Gateway: 5.0.0.1
  Traffic Selector Name: TS1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(80.1.1.8-80.1.1.8)
  TS Type: traffic-selector
  Version: IKEv1
  Quantum Secured: No
  PFS group: DH-group-2
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP: Disabled, Bind-interface: st0.1, Policy-name: juniper-ipsec-policy
  Port: 10952, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Fri Jan 12 2024 04:37:27: IPSec SA is deleted because received DEL notification from peer (1 times)
    Mon Apr 05 2021 12:35:32: IPsec SA identity-management tunnel create event sent (1 times)
    Mon Apr 05 2021 12:35:32: IPsec SA identity-management tunnel rekey event sent (3 times)
show security ipsec security-associations detail (multi-sa with forwarding class details)
user@host> show security ipsec sa detail
  ID: 67108933 Virtual-system: root, VPN Name: v2
  Local Gateway: 2.2.2.1, Remote Gateway: 3.3.3.3
  Traffic Selector Name: ts1
  Local Identity: ipv4(1.1.1.0-1.1.1.255)
  Remote Identity: ipv4(4.4.4.0-4.4.4.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 5353, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, pending SAs:1
    Direction: inbound, SPI: 1b37340d, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 15 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    FC-name:voip-data
    Direction: outbound, SPI: 40c545e3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 15 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    FC-name:voip-data
show security ipsec security-associations detail (SRX Series Firewalls and MX Series Routers)
In Junos OS Release 20.4R2, 21.1R1, and later, you can execute the show security ipsec security-associations detail command to view the traffic selector type (TS Type) for a VPN: traffic-selector when traffic selectors are configured, proxy-id otherwise.
user@host> show security ipsec security-associations detail
  ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: ts1
  Local Identity: ipv4(10.20.20.0-10.20.20.255)
  Remote Identity: ipv4(10.10.10.0-10.10.10.255)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17
    Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17

  ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1
  Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18
    Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18
show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)
Starting in Junos OS Release 21.1R1, the detail output shows the traffic selector details for each term defined for an IPsec SA: local identity, remote identity, protocol, source port range, and destination port range.
In earlier releases, traffic selection for an SA is based only on an IP range defined by address or netmask. From Junos OS Release 21.1R1 onwards, traffic is additionally selected by protocol (shown by protocol name) and by the low and high port range specified for the source and destination port numbers.
user@host> show security ipsec security-associations detail
  ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1
  Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2
  Traffic Selector Name: ts1
  Local Identity:
    Protocol   Port      IP
    17/UDP     100-200   198.51.100.0-198.51.100.255
    6/TCP      250-300   198.51.100.0-198.51.100.255
  Remote Identity:
    Protocol   Port      IP
    17/UDP     150-200   10.80.0.1-10.80.0.1
    6/TCP      250-300   10.80.1.1-10.80.1.1
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: ………
    Direction: outbound, SPI: …………
show security ipsec security-associations srg-id
user@host> show security ipsec security-associations srg-id 1
  Total active tunnels: 1     Total IPsec sas: 2
  ID        Algorithm               SPI         Life:sec/kb   Mon lsys Port  Gateway
  <17277217 ESP:aes-cbc-256/sha256  0xc7faee3e  1440/ unlim   -   root 500   10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256  0x7921d472  1440/ unlim   -   root 500   10.112.0.1
  <17277217 ESP:aes-cbc-256/sha256  0xf1a01dd4  1498/ unlim   -   root 500   10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256  0xa0b77273  1498/ unlim   -   root 500   10.112.0.1
show security ipsec security-associations node-local
user@host> show security ipsec security-associations node-local
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm               SPI         Life:sec/kb   Mon lsys Port  Gateway
  <500001 ESP:aes-cbc-256/sha256  0x5f2fdf60  3093/ unlim   -   root 500   6.0.0.2
  >500001 ESP:aes-cbc-256/sha256  0x293e67e0  3093/ unlim   -   root 500   6.0.0.2
show security ipsec security-associations node-local detail
user@host> show security ipsec security-associations node-local detail
  ID: 500003 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 4.0.0.1, Remote Gateway: 6.0.0.2
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  Quantum Secured: No
  PFS group: DH-group-19
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Sun Apr 09 2023 22:22:27: IPsec SA negotiation succeeds (1 times)
  Location: FPC 1, PIC 1, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
    Direction: inbound, SPI: 0x8c8c3761, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3564 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2884 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 25
    Direction: outbound, SPI: 0x0e798f8c, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 3564 seconds
    Lifesize Remaining: Unlimited
    Soft lifetime: Expires in 2884 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 25
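The detail output is easy to read for one tunnel but not for hundreds, and the samples on this page show exactly the settings an auditor looks for: 3des-cbc with hmac-sha1-96, an IKEv1 tunnel with DH-group-2 PFS, a tunnel with PFS group N/A, and SAs with Anti-replay service: disabled. The following is an added example, not Junos code and not part of this reference: a standard-library Python script that parses the per-tunnel blocks of show security ipsec security-associations detail and reports those conditions, plus SAs whose hard lifetime is about to expire. The sample text is constructed from the page's samples; the weak-algorithm sets, the treatment of PFS group N/A as a finding, and the 300-second threshold are this example's own assumptions, to be adjusted to local policy.

```python
"""Audit 'show security ipsec security-associations detail' output for weak settings.

Added example, not Junos code. Parses the detail output format shown on this
page and flags IKEv1, missing or weak PFS, weak ESP algorithms, disabled
anti-replay, and SAs close to hard-lifetime expiry.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed policy (not Junos defaults): what this auditor treats as weak.
WEAK_ENCRYPTION = {"des-cbc", "3des-cbc", "null"}
WEAK_AUTHENTICATION = {"hmac-md5-96", "hmac-sha1-96"}
WEAK_PFS_GROUPS = {"DH-group-1", "DH-group-2", "DH-group-5"}
MIN_HARD_LIFETIME_SECONDS = 300   # flag SAs that must rekey within 5 minutes


@dataclass
class IpsecSa:
    direction: str
    spi: str
    hard_lifetime: Optional[int] = None
    authentication: str = ""
    encryption: str = ""
    anti_replay: str = ""


@dataclass
class Tunnel:
    sa_id: str
    vpn_name: str
    version: str = ""
    pfs_group: str = ""
    sas: List[IpsecSa] = field(default_factory=list)


def parse_detail(text: str) -> List[Tunnel]:
    """Split the detail output into Tunnel objects, one per 'ID: ...' block."""
    tunnels: List[Tunnel] = []
    tunnel: Optional[Tunnel] = None
    sa: Optional[IpsecSa] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"ID: (\d+) Virtual-system: \S+, VPN Name: (\S+)", line)
        if m:                                   # start of a new tunnel block
            tunnel = Tunnel(sa_id=m.group(1), vpn_name=m.group(2))
            tunnels.append(tunnel)
            sa = None
            continue
        if tunnel is None:
            continue
        if m := re.match(r"Version: (\S+)", line):
            tunnel.version = m.group(1)
        elif m := re.match(r"PFS group: (\S+)", line):
            tunnel.pfs_group = m.group(1)
        elif m := re.match(r"Direction: (\w+), SPI: (\w+)", line):
            sa = IpsecSa(direction=m.group(1), spi=m.group(2))
            tunnel.sas.append(sa)
        elif sa is not None:                    # per-SA attribute lines
            if m := re.match(r"Hard lifetime: Expires in (\d+) seconds", line):
                sa.hard_lifetime = int(m.group(1))
            elif m := re.match(r"Protocol: \S+, Authentication: (\S+), Encryption: (\S+)", line):
                sa.authentication, sa.encryption = m.group(1), m.group(2)
            elif m := re.match(r"Anti-replay service: ([^,]+)", line):
                sa.anti_replay = m.group(1).strip()
    return tunnels


def audit(tunnels: List[Tunnel]) -> list:
    """Return (tunnel id, VPN name, finding) tuples for every weak setting found."""
    findings = []
    for t in tunnels:
        def flag(msg: str) -> None:
            findings.append((t.sa_id, t.vpn_name, msg))
        if t.version == "IKEv1":
            flag("IKEv1 in use; prefer IKEv2")
        if t.pfs_group == "N/A":
            flag("no PFS group: child SA keys are derived from the IKE SA only")
        elif t.pfs_group in WEAK_PFS_GROUPS:
            flag(f"weak PFS group {t.pfs_group}")
        for sa in t.sas:
            where = f"{sa.direction} SPI {sa.spi}"
            if sa.encryption in WEAK_ENCRYPTION:
                flag(f"{where}: weak encryption {sa.encryption}")
            if sa.authentication in WEAK_AUTHENTICATION:
                flag(f"{where}: weak integrity algorithm {sa.authentication}")
            if sa.anti_replay == "disabled":
                flag(f"{where}: anti-replay disabled")
            if sa.hard_lifetime is not None and sa.hard_lifetime < MIN_HARD_LIFETIME_SECONDS:
                flag(f"{where}: hard lifetime expires in {sa.hard_lifetime} s")
    return findings


# Constructed sample, assembled from the formats on this page (not captured output).
SAMPLE_DETAIL = """\
ID: 67108933 Virtual-system: root, VPN Name: v2
  Local Gateway: 2.2.2.1, Remote Gateway: 3.3.3.3
  Version: IKEv1
  PFS group: DH-group-2
  Direction: inbound, SPI: 1b37340d, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 40c545e3, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
  Version: IKEv2
  PFS group: DH-group-14
  Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
  Version: IKEv2
  PFS group: N/A
  Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
  Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0 , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
"""

if __name__ == "__main__":
    for sa_id, vpn, msg in audit(parse_detail(SAMPLE_DETAIL)):
        print(f"tunnel {sa_id} ({vpn}): {msg}")
```

On a live device the same parser can be fed the saved output of show security ipsec security-associations detail (for example via show ... | save or a NETCONF session); the S2S_VPN2 tunnel in the sample produces no findings, while the v2 tunnel and the PFS-less, anti-replay-disabled 85BX5-OAM tunnel are reported per SA, so each SPI can be matched back to the output.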
Release Information
Command introduced in Junos OS Release 8.5.
Support for the family option added in Junos OS Release 11.1.
Support for the vpn-name option added in Junos OS Release 11.4R3.
Support for the traffic-selector option and the traffic selector output field added in Junos OS Release 12.1X46-D10.
Support for Auto Discovery VPN (ADVPN) added in Junos OS Release 12.3X48-D10.
Support for IPsec datapath verification added in Junos OS Release 15.1X49-D70.
Support for thread anchorship added in Junos OS Release 17.4R1.
Starting in Junos OS Release 18.2R2, the show security ipsec security-associations detail command output includes thread anchorship information for the security associations (SAs).
Starting in Junos OS Release 19.4R1, the fc-name (CoS forwarding class name) field is deprecated in the new iked process for the SAs displayed by the show security ipsec sa command.
Support for the ha-link-encryption option added in Junos OS Release 20.4R1.
Support for the srg-id option added in Junos OS Release 22.4R1.
Support for the passive-mode-tunneling option added in Junos OS Release 23.1R1.
Support for the node-local option added in Junos OS Release 23.2R1.
Starting in Junos OS Release 23.4R1, the kmd-instance option is available only when the kmd process handles IPsec VPN. When you enable the iked process using the junos-iked package, this option is not available.
Support for lifesize in kilobytes, lifesize remaining, and VPN monitoring information in the command output with IPsec VPN running the iked process added in Junos OS Release 23.4R1.
Support for the chacha20-poly1305 option added in Junos OS Release 24.2R1.
Support for fc-name in the displayed output added in Junos OS Release 24.4R1.
Support for identity-management in the displayed output added in Junos OS Release 24.4R1.