Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Junos CLI Reference CLI Reference S

Junos CLI Reference

keyboard_arrow_up
close
keyboard_arrow_left
Junos CLI Reference
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

show security ipsec security-associations

date_range 30-Sep-24
arrow_backward
arrow_forward

Syntax

content_copy zoom_out_map
show security ipsec security-associations
<brief | detail | extensive>
<family (inet  | inet6)>
<fpc slot-number pic slot-number>
<index SA-index-number>
<kmd-instance (all | kmd-instance-name)>
<node-local>
<pic slot-number fpc slot-number>
<sa-type shortcut>
<traffic-selector traffic-selector-name>
<srg-id id-number>
<vpn-name vpn-name>
<ha-link-encryption>

Description

Display information about the IPsec security associations (SAs).

In Junos OS Releases 20.1R2, 20.2R2, 20.3R2, 20.3R1, and later, when you execute the show security ipsec security-associations detail command, a new output field IKE SA Index corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA information. See show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800).

Options

none

Display information about all SAs.

brief | detail | extensive

(Optional) Display the specified level of output. The default is brief.

family

(Optional) Display SAs by family. This option is used to filter the output.

  • inet—IPv4 address family.

  • inet6—IPv6 address family.

fpc slot-numberpic slot-number

(Optional) Display information about existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot.

In a chassis cluster, when you execute the CLI command show security ipsec security-associations pic <slot-number> fpc <slot-number> in operational mode, only the primary node information about the existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.

index SA-index-number

(Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

kmd-instance

(Optional) Display information about existing IPsec SAs in the key management process (in this case, it is KMD) identified by the FPC slot-number and PIC slot-number.

This option is applicable when you have kmd process for IPsec VPN features. This option is not available when you enable iked process using junos-ike package for running IPsec VPN features.

  • all—All KMD instances running on the Services Processing Unit (SPU).

  • kmd-instance-name—Name of the KMD instance running on the SPU.

node-local

—(Optional) Display information about IPsec SAs for node-local tunnels in a Multinode High Availability setup.

pic slot-numberfpc slot-number

(Optional) Display information about existing IPsec SAs in the specified PIC slot and FPC slot.

sa-type shortcut

(Optional) It's applicable for ADVPN. Display information about IPsec SAs by type shortcut.

traffic-selector traffic-selector-name

(Optional) Display information about the specified traffic selector.

vpn-name vpn-name

(Optional) Display information about the specified VPN.

ha-link-encryption

(Optional) Display information related to interchassis link tunnel only. See ipsec (High Availability), show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800), and show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800).

srg-id

(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec security-associations command, Table 2 lists the output fields for the show security ipsec sa command and Table 3. lists the output fields for the show security ipsec sa detail. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec security-associations

Field Name

Field Description

Level of Output

Total active tunnels

Total number of active IPsec tunnels.

brief

ID

Index number of the SA. You can use this number to get additional information about the SA.

All levels

Algorithm

Cryptography used to secure exchanges between peers during the IKE negotiations includes:

  • An authentication algorithm used to authenticate exchanges between the peers.

  • An encryption algorithm used to encrypt data traffic.

brief

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec.

brief

Life: sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

brief

Mon

The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

brief

lsys

The root system.

brief

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

All levels

Gateway

IP address of the remote gateway.

brief

Virtual-system

Name of the logical system.

detail, extensive

VPN name

IPsec name for VPN.

detail, extensive

State

State has two options, Installed and Not Installed.

  • Installed—The SA is installed in the SA database.

  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

detail, extensive

Local gateway

Gateway address of the local system.

detail, extensive

Remote gateway

Gateway address of the remote system.

detail, extensive

Traffic selector

Name of the traffic selector.

detail, extensive

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

detail, extensive

Remote identity

IP address of the destination peer gateway.

detail, extensive

Term

Defines local IP range, remote IP range, source port range, destination port range, and protocol.

detail, extensive

Source-port

Source port range configured for a term.

detail, extensive

Destination-Port

Destination port range configured for a term.

detail, extensive

Version

IKE version, either IKEv1 or IKEv2.

detail, extensive

DF-bit

State of the don't fragment bit: set or cleared.

detail, extensive

Location

FPC—Flexible PIC Concentrator (FPC) slot number.

PIC—PIC slot number.

KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances running on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance. This option is applicable when you have kmd process for IPsec VPN features. This option is not available when you enable iked process using junos-ike package for running IPsec VPN features.

detail, extensive

Tunnel events

Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.

  • The detail option displays upto ten tunnel events in reverse chronological order.

  • The extensive option displays all the tunnel events.

detail, extensive

Anchorship

Anchor thread ID for the SA (for SRX4600 Series devices with the detail option).

  

Direction

Direction of the SA; it can be inbound or outbound.

detail, extensive

AUX-SPI

Value of the auxiliary security parameter index(SPI).

  • When the value is AH or ESP, AUX-SPI is always 0.

  • When the value is AH+ESP, AUX-SPI is always a positive integer.

detail, extensive

Mode

Mode of the SA:

  • transport—Protects host-to-host connections.

  • tunnel—Protects connections between security gateways.

detail, extensive

Type

Type of the SA:

  • manual—Security parameters require no negotiation. They are static and are configured by the user.

  • dynamic—Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

detail, extensive

State

State of the SA:

  • Installed—The SA is installed in the SA database.

  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

detail, extensive

Protocol

Protocol supported.

  • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).

  • Tunnel mode supports ESP and AH.

detail, extensive

Authentication

Type of authentication used.

detail, extensive

Encryption

Type of encryption used.

Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as an encryption algorithm at the [edit security ipsec proposal proposal-name] hierarchy level, the authentication algorithm field of the show security ipsec security-associations detail command displays the same configured encryption algorithm.

detail, extensive

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire.

Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

  • Expires in seconds—Number of seconds left until the SA expires.

detail, extensive

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds—Number of seconds left until the SA expires.

detail, extensive

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

  • Expires in kilobytes—Number of kilobytes left until the SA expires.

detail, extensive

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

detail, extensive

Replay window size

Size of the antireplay service window, which is 64 bits.

detail, extensive

Bind-interface

The tunnel interface to which the route-based VPN is bound.

detail, extensive

Copy-Outer-DSCP

Indicates if the system copies the outer DSCP value from the IP header to the inner IP header.

detail, extensive

tunnel-establishment

Indicates how the IKE is activated.

detail, extensive

IKE SA index

Indicates the list of parent IKE security associations.

detail, extensive

Table 2: show security ipsec sa Output Fields

Field Name

Field Description

Total active tunnels

Total number of active IPsec tunnels.

ID

Index number of the SA. You can use this number to get additional information about the SA.

Algorithm

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96, hmac-sha-256-128, or hmac-sha1-96.

  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, chacha20-poly1305, or des-cbc.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

Life:sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Mon

The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPSec datapath verification is in progress.

lsys

The root system.

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Gateway

Gateway address of the system.

Table 3: show security ipsec sa detail Output Fields

Field Name

Field Description

FC-name

Forwarding class (FC) name for the child security association.

ID

Index number of the SA. You can use this number to get additional information about the SA.

Virtual-system

The virtual system name.

VPN Name

IPSec name for VPN.

Local Gateway

Gateway address of the local system.

Remote Gateway

Gateway address of the remote system.

Local Identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote Identity

IP address of the destination peer gateway.

Version

IKE version. For example, IKEv1, IKEv2.

Passive Mode Tunneling

IPsec tunneling of malformed packets. You can either enable or disable the option.

DF-bit

State of the don't fragment bit: set or cleared.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

identity-management

Count for the VPN tunnel create, delete, and rekey events when push to identity management is enabled.

Tunnel Events

Direction

Direction of the SA; it can be inbound or outbound.

AUX-SPI

Value of the auxiliary security parameter index(SPI).

  • When the value is AH or ESP, AUX-SPI is always 0.

  • When the value is AH+ESP, AUX-SPI is always a positive integer.

VPN Monitoring

If VPN monitoring is enabled, then the Mon field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

Starting Junos OS release 23.4R1 , the output displays Interval and Threshold details when the firewall runs IPsec VPN services with the iked process.

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds - Number of seconds left until the SA expires.

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

  • Expires in seconds - Number of seconds left until the SA expires.

Mode

Mode of the SA:

  • transport - Protects host-to-host connections.

  • tunnel - Protects connections between security gateways.

Type

Type of the SA:

  • manual - Security parameters require no negotiation. They are static and are configured by the user.

  • dynamic - Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State

State of the SA:

  • Installed - The SA is installed in the SA database.

  • Not Installed - The SA is not installed in the SA database.

For transport mode, the value of State is always Installed.

Protocol

Protocol supported.

  • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).

  • Tunnel mode supports ESP and AH.

    • Authentication - Type of authentication used.

    • Encryption - Type of encryption used.

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size

Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.

Interchassis Link Tunnel

HA Link Encryption Mode

High availability mode supported. Displays Multi-Node when multi-node high availability feature is enabled.

Sample Output

For brevity, the show command outputs does not display all the values of the configuration. Only a subset of the configuration is displayed. Rest of the configuration on the system has been replaced with ellipses (...).

show security ipsec security-associations (IPv4)

content_copy zoom_out_map
user@host> show security ipsec security-associations
  Total active tunnels: 14743 Total Ipsec sas: 14743
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <511672 ESP:aes-cbc-128/sha1 0x071b8cd2      -   root 500   10.21.45.152     
  >503327 ESP:aes-cbc-128/sha1 0x69d364dd 1584/ unlim - root 500 10.21.12.255     
  <503327 ESP:aes-cbc-128/sha1 0x0a577f2d 1584/ unlim - root 500 10.21.12.255     
  >512896 ESP:aes-cbc-128/sha1 0xd2f51c81 1669/ unlim - root 500 10.21.50.96      
  <512896 ESP:aes-cbc-128/sha1 0x071b8d9e 1669/ unlim - root 500 10.21.50.96      
  >513881 ESP:aes-cbc-128/sha1 0x95955834 1696/ unlim - root 500 10.21.54.57

show security ipsec security-associations (IPv6)

content_copy zoom_out_map
user@host> show security ipsec security-associations
Total active tunnels: 1
ID     Algorithm         SPI      Life:sec/kb  Mon  vsys Port  Gateway   
131074 ESP:aes256/sha256 14caf1d9 3597/ unlim   -   root 500   2001:db8::1112      
131074 ESP:aes256/sha256 9a4db486 3597/ unlim   -   root 500   2001:db8::1112

show security ipsec security-associations index 511672

content_copy zoom_out_map
user@host> show security ipsec security-associations index 511672
ID: 511672 Virtual-system: root, VPN Name: ipsec_vpn
  Local Gateway: 10.20.0.1, Remote Gateway: 10.21.45.152
  Traffic Selector Name: ts
  Local Identity: ipv4(10.191.151.0-10.191.151.255)
  Remote Identity: ipv4(10.40.151.0-10.40.151.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 10
  Direction: inbound, SPI: 0x835b8b42, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 0x071b8cd2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1639 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1257 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations index 131073 detail

content_copy zoom_out_map
user@host> show security ipsec security-associations index 131073 detail
ID: 131073 Virtual-system: root, VPN Name: IPSEC_VPN1
  Local Gateway: 10.4.0.1, Remote Gateway: 10.5.0.1
  Local Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=10.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 18, Fail#: 0, Def-Del#: 0 Flag: 0x600a39 
  Multi-sa, Configured SAs# 9, Negotiated SAs#: 9 
  Tunnel events: 
    Mon Apr 23 2018 22:20:54 -0700: IPSec SA negotiation successfully completed (1 times)
    Mon Apr 23 2018 22:20:54 -0700: IKE SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:20:18 -0700: User cleared IKE SA from CLI, corresponding IPSec SAs cleared (1 times)
    Mon Apr 23 2018 22:19:55 -0700: IPSec SA negotiation successfully completed (2 times)
    Mon Apr 23 2018 22:19:23 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Mon Apr 23 2018 22:19:23 -0700: Bind-interface's zone received. Information updated (1 times)
    Mon Apr 23 2018 22:19:23 -0700: External interface's zone received. Information updated (1 times)
  Direction: inbound, SPI: 2d8e710b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: outbound, SPI: 5f3a3239, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1563 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: default
  Direction: inbound, SPI: 5d227e19, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Multi-sa FC Name: best-effort
  Direction: outbound, SPI: 5490da, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1930 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1551 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes-256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
...

Starting with Junos OS Release 18.2R1, the CLI show security ipsec security-associations index index-number detail output displays all the child SA details including forwarding class name.

show security ipsec sa

content_copy zoom_out_map
user@host> show security ipsec sa
Total active tunnels: 2
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
>67108885 ESP:aes-gcm-256/None fdef4dab 2918/ unlim - root 500 2001:db8:3000::2
>67108885 ESP:aes-gcm-256/None e785dadc 2918/ unlim - root 500 2001:db8:3000::2
>67108887 ESP:aes-gcm-256/None 34a787af 2971/ unlim - root 500 2001:db8:5000::2
>67108887 ESP:aes-gcm-256/None cf57007f 2971/ unlim - root 500 2001:db8:5000::2

show security ipsec sa detail

content_copy zoom_out_map
user@host> show security ipsec sa detail
ID: 500201 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 1, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x0a25c960, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
  Direction: outbound, SPI: 0x43e34ad3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 91 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 44 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    tunnel-establishment: establish-tunnels-responder-only-no-rekey
...

Starting with Junos OS Release 19.1R1, a new field tunnel-establishment in the output of the CLI show security ipsec sa detail displays the option configured under ipsec vpn establish-tunnels hierarchy.

Starting with Junos OS Release 21.3R1, a new field Tunnel MTU in the output of the CLI show security ipsec sa detail displays the option configured under ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarchy.

Starting in Junos OS Release 22.1R3, on SRX5000 line of devices, the Tunnel MTU is not displayed in the CLI output if the tunnel MTU is not configured.

show security ipsec sa detail (MX-SPC3)

content_copy zoom_out_map
user@host> show security ipsec sa detail
ID: 500055 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.1, Remote Gateway: 10.2.0.2
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Tunnel MTU: 1420  Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x229b998e, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately
  Direction: outbound, SPI: 0xb2e843a3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 23904 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 23288 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-md5-96, Encryption: aes-cbc (128 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-immediately

show security ipsec sa detail (MX-SPC3 and SRX4600) with passive mode tunneling

content_copy zoom_out_map
user@host> show security ipsec sa detail
ID: 500054 Virtual-system: root, VPN Name: TUN_3
  Local Gateway: 100.0.0.3, Remote Gateway: 200.0.0.3
  Traffic Selector Name: ts1
  Local Identity: ipv4(11.0.0.3-11.0.0.3)
  Remote Identity: ipv4(75.0.0.3-75.0.0.3)
  TS Type: traffic-selector
  Version: IKEv2
  Quantum Secured: No
  PFS group: N/A
  SRG ID: 0
  Passive mode tunneling: Enabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.3, Policy-name: IPSEC_POLICY
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Tunnel events:
    Mon Sep 19 2022 19:27:44: IPsec SA negotiation succeeds (1 times)
  Location: FPC 3, PIC 1, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: vms-3/1/0
  Direction: inbound, SPI: 0x25c03740, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expired
    Lifesize Remaining: Expired
    Soft lifetime: Expires in 2920 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 512
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 122
  Direction: outbound, SPI: 0x8e8f2009, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expired
    Lifesize Remaining: Expired
    Soft lifetime: Expires in 2920 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 512
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 122

show security ipsec security-association

content_copy zoom_out_map
user@host>show security ipsec security-association
Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500006 ESP:aes-gcm-128/aes128-gcm 0x782b233c 1432/ unlim - root 500 10.2.0.2

show security ipsec security-associations brief

content_copy zoom_out_map
user@host> show security ipsec security-associations brief
Total active tunnels: 2     Total Ipsec sas: 18
  ID    Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway   
  <131073 ESP:aes256/sha256 89e5098  1569/ unlim   -   root 500   10.5.0.1         
  >131073 ESP:aes256/sha256 fcee9d54 1569/ unlim   -   root 500   10.5.0.1          
  <131073 ESP:aes256/sha256 f3117676 1609/ unlim   -   root 500   10.5.0.1          
  >131073 ESP:aes256/sha256 6050109f 1609/ unlim   -   root 500   10.5.0.1          
  <131073 ESP:aes256/sha256 e01f54b1 1613/ unlim   -   root 500   10.5.0.1          
  >131073 ESP:aes256/sha256 29a05dd6 1613/ unlim   -   root 500   10.5.0.1          
  <131073 ESP:aes256/sha256 606c90f6 1616/ unlim   -   root 500   10.5.0.1          
  >131073 ESP:aes256/sha256 9b5b059d 1616/ unlim   -   root 500   10.5.0.1          
  <131073 ESP:aes256/sha256 b8116d6d 1619/ unlim   -   root 500   10.5.0.1          
  >131073 ESP:aes256/sha256 b7ed6bfd 1619/ unlim   -   root 500   10.5.0.1          
  <131073 ESP:aes256/sha256 4f5ce754 1619/ unlim   -   root 500   10.5.0.1          
  >131073 ESP:aes256/sha256 af8984b6 1619/ unlim   -   root 500   10.5.0.1          
...

show security ipsec security-associations detail

content_copy zoom_out_map
user@host> show security ipsec security-associations detail

ID: 500009 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 10.2.0.2, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(10.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.0.0.0-255.255.255.255)
  Version: IKEv1
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 0
  Distribution-Profile: default-profile
  IKE SA Index: 2068
  Direction: inbound, SPI: 0xba7bb1f2, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic
  Direction: outbound, SPI: 0x41650a1b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 146 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 101 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-on-traffic

show security ipsec security-associations with VPN monitoring enabled

content_copy zoom_out_map
user@host> show security ipsec security-associations
  Total active tunnels: 1     Total Ipsec sas: 1
  ID    Algorithm       SPI      Life:sec/kb   Mon lsys Port  Gateway   
  <131073 ESP:aes-gcm-256/None 15e8de2c 2086/ unlim U root 500 3.0.0.1         
  >131073 ESP:aes-gcm-256/None 2a1f46fb 2086/ unlim U root 500 3.0.0.1   
  VPN Monitoring: UP

show security ipsec security-associations detail with VPN monitoring enabled

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: SPK_VPN1
  Local Gateway: 3.0.0.2, Remote Gateway: 3.0.0.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1
  Port: 500, Nego#: 2, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 
  Multi-sa, Configured SAs# 1, Negotiated SAs#: 1 
  
  Direction: inbound, SPI: 15e8de2c, AUX-SPI: 0
                              , VPN Monitoring: UP Mode: optimized  Interval:10sec Threshold: 3
    Hard lifetime: Expires in 1314 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 708 seconds
    Mode: Tunnel(10 5), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 2a1f46fb, AUX-SPI: 0
                              , VPN Monitoring: UP Mode: optimized  Interval:10sec Threshold: 3
    Hard lifetime: Expires in 1313 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 707 seconds
    Mode: Tunnel(10 5), Type: dynamic, State: installed
    Protocol: ESP, Authentication: None, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations family inet6

content_copy zoom_out_map
user@host> show security ipsec security-associations family inet6
  Virtual-system: root
  Local Gateway: 2001:db8:1212::1111, Remote Gateway: 2001:db8:1212::1112
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
    DF-bit: clear
    Direction: inbound, SPI: 14caf1d9, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

    Direction: outbound, SPI: 9a4db486, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3440 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2813 seconds
    Mode: tunnel, Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)

content_copy zoom_out_map
user@host> show security ipsec security-associations fpc 6 pic 1 kmd-instance all
  Total active tunnels: 1

ID    Gateway          Port  Algorithm           SPI      Life:sec/kb  Mon vsys

<2    192.168.1.2      500   ESP:aes256/sha256   67a7d25d 28280/unlim   -   0

>2    192.168.1.2      500   ESP:aes256/sha256   a23cbcdc 28280/unlim   -   0

show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 70516737 Virtual-system: root, VPN Name: ZTH_HUB_VPN
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2                        
  DF-bit: clear
  Bind-interface: st0.1

  Port: 500, Nego#: 5, Fail#: 0, Def-Del#: 0 Flag: 0x608a29 
  Tunnel events: 
  Tue Nov 03 2015 01:24:27 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:24:27 -0800: IKE SA negotiation successfully completed (4 times)
  Tue Nov 03 2015 01:23:38 -0800: User cleared IPSec SA from CLI (1 times)
  Tue Nov 03 2015 01:21:32 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:21:31 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
  Tue Nov 03 2015 01:21:27 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:21:13 -0800: Tunnel configuration changed. Corresponding IKE/IPSec SAs are deleted (1 times)
  Tue Nov 03 2015 01:19:27 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:19:27 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: inbound, SPI: 43de5d65, AUX-SPI: 0
  Hard lifetime: Expires in 1335 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 996 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled

  , Replay window size: 64
  Location: FPC 0, PIC 3, KMD-Instance 2
  Direction: outbound, SPI: 5b6e157c, AUX-SPI: 0
  Hard lifetime: Expires in 1335 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 996 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled

  , Replay window size: 64

show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 67108872 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.1
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x8608a29 
  Tunnel events: 
  Tue Nov 03 2015 01:24:26 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:24:26 -0800: IKE SA negotiation successfully completed (4 times)
  Tue Nov 03 2015 01:23:37 -0800: IPSec SA delete payload received from peer, corresponding IPSec SAs cleared (1 times)
  Tue Nov 03 2015 01:21:31 -0800: IPSec SA negotiation successfully completed (1 times)
  Tue Nov 03 2015 01:21:31 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Tue Nov 03 2015 01:18:26 -0800: Key pair not found for configured local certificate. Negotiation failed (1 times)
  Tue Nov 03 2015 01:18:13 -0800: CA certificate for configured local certificate not found. Negotiation not initiated/successful (1 times)
  Direction: inbound, SPI: 5b6e157c, AUX-SPI: 0
  Hard lifetime: Expires in 941 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 556 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: 43de5d65, AUX-SPI: 0
  Hard lifetime: Expires in 941 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 556 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations sa-type shortcut (ADVPN)

content_copy zoom_out_map
user@host> show security ipsec security-associations sa-type shortcut
Total active tunnels: 1
ID         Algorithm         SPI      Life:sec/kb  Mon lsys Port  Gateway   
<268173318 ESP:aes256/sha256 6f164ee0 3580/ unlim - root 500 192.168.0.111      
>268173318 ESP:aes256/sha256 e6f29cb0 3580/ unlim - root 500 192.168.0.111

show security ipsec security-associations sa-type shortcut detail (ADVPN)

content_copy zoom_out_map
user@host> show security ipsec security-associations sa-type shortcut detail
node0:
--------------------------------------------------------------------------

ID: 67108874 Virtual-system: root, VPN Name: ZTH_SPOKE_VPN
  Local Gateway: 192.168.1.2, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Auto Discovery VPN:
    Type: Shortcut, Shortcut Role: Initiator
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.1
  Port: 4500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0x40608a29 
  Tunnel events: 
    Tue Nov 03 2015 01:47:26 -0800: IPSec SA negotiation successfully completed (1 times)
    Tue Nov 03 2015 01:47:26 -0800: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
    Tue Nov 03 2015 01:47:26 -0800: IKE SA negotiation successfully completed (1 times)
  Direction: inbound, SPI: b7a5518, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Direction: outbound, SPI: b7e0268, AUX-SPI: 0
    Hard lifetime: Expires in 1766 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1381 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations family inet detail

content_copy zoom_out_map
user@host> show security ipsec security-associations family inet detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 192.168.1.1, Remote Gateway: 192.168.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv1
  DF-bit: clear
  , Copy-Outer-DSCP Enabled
  Bind-interface: st0.99

  Port: 500, Nego#: 116, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 
  Tunnel events: 
  Fri Oct 30 2015 15:47:21 -0700: IPSec SA rekey successfully completed (115 times)
  Fri Oct 30 2015 11:38:35 -0700: IKE SA negotiation successfully completed (12 times)
  Mon Oct 26 2015 16:41:07 -0700: IPSec SA negotiation successfully completed (1 times)
  Mon Oct 26 2015 16:40:56 -0700: Tunnel is ready. Waiting for trigger event or peer to trigger negotiation (1 times)
  Mon Oct 26 2015 16:40:56 -0700: External interface's address received. Information updated (1 times)
  Location: FPC 0, PIC 1, KMD-Instance 1
  Direction: inbound, SPI: 81b9fc17, AUX-SPI: 0
  Hard lifetime: Expires in 1713 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 1090 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled

  , Replay window size: 64
  Location: FPC 0, PIC 1, KMD-Instance 1
  Direction: outbound, SPI: 727f629d, AUX-SPI: 0
  Hard lifetime: Expires in 1713 seconds
  Lifesize Remaining:  Unlimited
  Soft lifetime: Expires in 1090 seconds
  Mode: Tunnel(0 0), Type: dynamic, State: installed
  Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
  Anti-replay service: counter-based enabled

  , Replay window size: 64

show security ipsec security-associations detail (SRX4600)

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: ike-vpn
  Local Gateway: 10.62.1.3, Remote Gateway: 10.62.1.2
  Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
  Version: IKEv2
  DF-bit: clear, Bind-interface: st0.0
  Port: 500, Nego#: 25, Fail#: 0, Def-Del#: 0 Flag: 0x600a29 
  Tunnel events: 
    Fri Jan 12 2007 07:50:10 -0800: IPSec SA rekey successfully completed (23 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 6
  Direction: inbound, SPI: 812c9c01, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 7
  Direction: outbound, SPI: c4de0972, AUX-SPI: 0
    Hard lifetime: Expires in 2224 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1598 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha-256, Encryption: aes256-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64

show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)

A new output field IKE SA Index corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA information.

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 500005 Virtual-system: root, VPN Name: 85BX5-OAM
  Local Gateway: 10.217.0.4, Remote Gateway: 10.200.254.118
  Traffic Selector Name: TS_DEFAULT
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(10.181.235.224-10.181.235.224)
  Version: IKEv2
  PFS group: N/A
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: MACRO-IPSEC-POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Location: FPC 7, PIC 1, KMD-Instance 0
  Anchorship: Thread 15
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0xe2eb3838, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
  Direction: outbound, SPI: 0x4f7c3101, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 644 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 159 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 22
  Direction: inbound, SPI: 0x30b6d66f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
          IKE SA Index: 40
Direction: outbound, SPI: 0xd2db4108, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1771 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1391 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes128-gcm, Encryption: aes-gcm (128 bits)
    Anti-replay service: disabled
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
          IKE SA Index: 40

show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800)

Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only interchassis link tunnel details.

content_copy zoom_out_map
user@host> show security ipsec security-associations ha-link-encryption
  Total active tunnels: 1     Total IPsec sas: 91
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0046c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0446c5cd 298/ unlim - root 500 10.23.0.2  
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0847658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0846c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x0c47658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x0c46c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1046c5cd 298/ unlim - root 500 10.23.0.2

  <495001 ESP:aes-gcm-256/aes256-gcm 0x1447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1446c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1847658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1846c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x1c47658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x1c46c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x2047658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x2046c5cd 298/ unlim - root 500 10.23.0.2
  <495001 ESP:aes-gcm-256/aes256-gcm 0x2447658d 298/ unlim - root 500 10.23.0.2
  >495001 ESP:aes-gcm-256/aes256-gcm 0x2446c5cd 298/ unlim - root 500 10.23.0.2
...

show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800)

Starting in Junos OS Release 20.4R1, when you configure the high availability (HA) feature, you can use this show command to view only interchassis link tunnel details. It displays the multi SAs created for interchassis link encryption tunnel.

content_copy zoom_out_map
user@host> show security ipsec sa detail ha-link-encryption
ID: 495001 Virtual-system: root, VPN Name: L3HA_IPSEC_VPN
  Local Gateway: 10.23.0.1, Remote Gateway: 10.23.0.2
  Traffic Selector Name: __L3HA_IPSEC_VPN__multi_node__
  Local Identity: ipv4(180.100.1.1-180.100.1.1)
  Remote Identity: ipv4(180.100.1.2-180.100.1.2)
  Version: IKEv2
  PFS group: DH-Group-24
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Policy-name: L3HA_IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: Multi-Node
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x00439cf8, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
  Direction: outbound, SPI: 0x004cfceb, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 15
    IKE SA Index: 4294966297
  Direction: inbound, SPI: 0x04439cf8, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 294 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 219 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: aes256-gcm, Encryption: aes-gcm (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    Location: FPC 1, PIC 0, KMD-Instance 0
    Anchorship: Thread 16
    IKE SA Index: 4294966297
  Direction: outbound, SPI: 0x044cfceb, AUX-SPI: 0
                              , VPN Monitoring: -

...

In Junos OS Release 22.3R1 and later, when you configure the Chassis Cluster HA control link encryption feature, you can execute the show security ike sa ha-link-encryption detail, show security ipsec sa ha-link-encryption detail, and show security ipsec sa ha-link-encryption commands to view the Chassis cluster control link encryption tunnel details.

show security ike sa ha-link-encryption detail

content_copy zoom_out_map
user@host> show security ike sa ha-link-encryption detail
IKE peer 10.2.0.1, Index 4294966274, Gateway Name: IKE_GW_HA_0
  Role: Initiator, State: UP
  Initiator cookie: ae5bcb5540d388a1, Responder cookie: 28bbae629ceb727f
  Exchange type: IKEv2, Authentication method: Pre-shared-keys
  Local gateway interface: em0
  Routing instance: __juniper_private1__
  Local: 10.7.0.2:500, Remote: 10.2.0.1:500
  Lifetime: Expires in 24856 seconds
  Reauth Lifetime: Disabled
  IKE Fragmentation: Enabled, Size: 576
  Remote Access Client Info: Unknown Client
  Peer ike-id: 10.2.0.1
  AAA assigned IP: 0.0.0.0
  Algorithms:
   Authentication        : hmac-sha1-96
   Encryption            : aes256-cbc
   Pseudo random function: hmac-sha1
   Diffie-Hellman group  : DH-group-2
  Traffic statistics:
   Input  bytes  :               200644
   Output bytes  :               200644
   Input  packets:                 2635
   Output packets:                 2635
   Input  fragmented packets:       0
   Output fragmented packets:       0
  IPSec security associations: 6 created, 3 deleted
  Phase 2 negotiations in progress: 1
  IPSec Tunnel IDs: 495002
    Negotiation type: Quick mode, Role: Initiator, Message ID: 0
    Local: 10.7.0.2:500, Remote: 10.2.0.1:500
    Local identity: 10.7.0.2
    Remote identity: 10.2.0.1
    Flags: IKE SA is created
 IPsec SA Rekey CREATE_CHILD_SA exchange stats:
   Initiator stats:                                  Responder stats:
    Request Out             : 1                       Request In             : 1
    Response In             : 1                       Response Out           : 1
    No Proposal Chosen In   : 0                       No Proposal Chosen Out : 0
    Invalid KE In           : 0                       Invalid KE Out         : 0
    TS Unacceptable In      : 0                       TS Unacceptable Out    : 0
    Res DH Compute Key Fail : 0                       Res DH Compute Key Fail: 0
    Res Verify SA Fail      : 0
    Res Verify DH Group Fail: 0
    Res Verify TS Fail      : 0

show security ipsec sa ha-link-encryption detail

content_copy zoom_out_map
user@host> show security ipsec sa ha-link-encryption detail
ID: 495002 Virtual-system: root, VPN Name: IPSEC_VPN_HA_0
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: __IPSEC_VPN_HA_0__l2_chassis_clu
  Local Identity: ipv4(10.7.0.2-10.7.0.2)
  Remote Identity: ipv4(10.2.0.1-10.2.0.1)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: DH-group-24
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.16000, Tunnel MTU: 0, Policy-name: IPSEC_POL_HA_0
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  HA Link Encryption Mode: L2 Chassis Cluster
  Location: FPC -, PIC -, KMD-Instance -
  Anchorship: Thread -
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x35fae26b, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274
  Direction: outbound, SPI: 0x0a2b9927, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3435 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2818 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 4294966274

show security ipsec sa ha-link-encryption

content_copy zoom_out_map
user@host> show security ipsec sa ha-link-encryption
Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <495002 ESP:aes-cbc-256/sha1 0x35fae26b 3484/ unlim - root 500 10.2.0.1
  >495002 ESP:aes-cbc-256/sha1 0x0a2b9927 3484/ unlim - root 500 10.2.0.1

show security ipsec security-associations (ChaCha20-Poly1305)

content_copy zoom_out_map
user@host> show security ipsec security-associations
  Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500001 ESP:chacha20-poly1305/chacha20-poly1305 0x8db47f67 86372/ unlim - root 500 30.1.1.10
  >500001 ESP:chacha20-poly1305/chacha20-poly1305 0x6bfe4971 86372/ unlim - root 500 30.1.1.10

show security ipsec security-associations detail (ChaCha20-Poly1305)

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 500001 Virtual-system: root, VPN Name: ipsec_vpn
  Local Gateway: 30.1.1.20, Remote Gateway: 30.1.1.10
  Traffic Selector Name: ts1
  Local Identity: ipv4(40.1.1.0-40.1.1.255)
  Remote Identity: ipv4(20.1.1.0-20.1.1.255)
  TS Type: traffic-selector
  Version: IKEv2
  Quantum Secured: No
  PFS group: N/A
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP: Disabled, Bind-interface: st0.0, Policy-name: ipsec_pol
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Sun Sep 10 2023 23:41:25: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x8db47f67, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 86367 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 85755 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: chacha20-poly1305, Encryption: chacha20-poly1305
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Enabled
    tunnel-establishment: establish-tunnels-responder-only-no-rekey

show security ipsec security-associations detail (identity-management)

content_copy zoom_out_map
user@host> show security ipsec sa detail
ID: 500008 Virtual-system: root, VPN Name: juniper-vpn
  Local Gateway: 5.0.0.254, Remote Gateway: 5.0.0.1
  Traffic Selector Name: TS1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(80.1.1.8-80.1.1.8)
  TS Type: traffic-selector
  Version: IKEv1
  Quantum Secured: No
  PFS group: DH-group-2
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP: Disabled, Bind-interface: st0.1, Policy-name: juniper-ipsec-policy
  Port: 10952, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Tunnel events:
    Fri Jan 12 2024 04:37:27: IPSec SA is deleted because received DEL notification from peer (1 times)    
    Mon Apr 05 2021 12:35:32: IPsec SA identity-management tunnel create event sent (1 times)
    Mon Apr 05 2021 12:35:32: IPsec SA identity-management tunnel rekey event sent (3 times)

show security ipsec security-associations detail (multi-sa with forwarding class details)

content_copy zoom_out_map
user@host> show security ipsec sa detail
ID: 67108933 Virtual-system: root, VPN Name: v2
  Local Gateway: 2.2.2.1, Remote Gateway: 3.3.3.3
  Traffic Selector Name: ts1
  Local Identity: ipv4(1.1.1.0-1.1.1.255)
  Remote Identity: ipv4(4.4.4.0-4.4.4.255)
  Version: IKEv2
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0
  Port: 500, Nego#: 5353, Fail#: 0, Def-Del#: 0 Flag: 0x2c608b29
  Multi-sa, pending SAs:1

  Direction: inbound, SPI: 1b37340d, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 15 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    FC-name:voip-data  
  Direction: outbound, SPI: 40c545e3, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 107 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 15 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha1-96, Encryption: 3des-cbc
    Anti-replay service: counter-based enabled, Replay window size: 64
    FC-name:voip-data

show security ipsec security-associations detail (SRX Series Firewalls and MX Series Routers)

In Junos OS Release 20.4R2, 21.1R1, and later, you can execute the show security ipsec security-associations detail command to view the traffic selector type for a VPN.

content_copy zoom_out_map
user@host> show security ipsec security-associations detail
ID: 500024 Virtual-system: root, VPN Name: S2S_VPN2
  Local Gateway: 10.7.0.2, Remote Gateway: 10.2.0.1
  Traffic Selector Name: ts1
  Local Identity: ipv4(10.20.20.0-10.20.20.255)
  Remote Identity: ipv4(10.10.10.0-10.10.10.255)
  TS Type: traffic-selector
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.2, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:43:49: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0xf8642fae, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17
  Direction: outbound, SPI: 0xb2a26969, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1798 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1397 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 17
ID: 500025 Virtual-system: root, VPN Name: S2S_VPN1
  Local Gateway: 10.7.0.1, Remote Gateway: 10.2.0.1
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  PFS group: DH-group-14
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
  Tunnel events:
    Tue Jan 19 2021 04:44:41: IPsec SA negotiation succeeds (1 times)
  Location: FPC 0, PIC 0, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0xe293762a, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18
  Direction: outbound, SPI: 0x7aef9d7f, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 1755 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 1339 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-immediately
    IKE SA Index: 18

show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)

Starting in Junos OS Release 21.1R1, you can view the traffic selector details, that includes, local identity, remote identity, protocol, source-port range, destination port range for multiple terms defined for an IPsec SA.

In the earlier Junos Releases, traffic selection for a particular SA is performed using existing IP range defined using IP address or netmask. From Junos OS Release 21.1R1 onwards, additionally traffic is selected through protocol specified using protocol_name. And also, low and high port range specified for source and destination port numbers.

content_copy zoom_out_map
user@host> show security ipsec security-associations detail

ID: 500075 Virtual-system: root, VPN Name: pkn-r0-r1-ipsec-vpn-1
Local Gateway: 10.1.1.1, Remote Gateway: 10.1.1.2

Traffic Selector Name: ts1

   Local Identity:
   Protocol		 Port				 IP
   17/UDP		 100-200			 198.51.100.0-198.51.100.255
   6/TCP		 250-300			 198.51.100.0-198.51.100.255
   Remote Identity:
   Protocol		 Port				 IP
   17/UDP		 150-200			 10.80.0.1-10.80.0.1
   6/TCP		 250-300			 10.80.1.1-10.80.1.1
Version: IKEv2	
DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.0, Policy-name: pkn-r0-r1-ipsec-policy
Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0
Multi-sa, Configured SAs# 0, Negotiated SAs#: 0
Location: FPC 0, PIC 0, KMD-Instance 0
Anchorship: Thread 1
Distribution-Profile: default-profile
Direction: inbound, SPI: ………
Direction: outbound, SPI: …………

show security ipsec security-associations srg-id

content_copy zoom_out_map
user@host> show security ipsec security-associations srg-id 1

Total active tunnels: 1     Total IPsec sas: 2
  ID      Algorithm       SPI      Life:sec/kb  Mon lsys Port  Gateway
  <17277217 ESP:aes-cbc-256/sha256 0xc7faee3e 1440/ unlim - root 500 10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256 0x7921d472 1440/ unlim - root 500 10.112.0.1
  <17277217 ESP:aes-cbc-256/sha256 0xf1a01dd4 1498/ unlim - root 500 10.112.0.1
  >17277217 ESP:aes-cbc-256/sha256 0xa0b77273 1498/ unlim - root 500 10.112.0.1

show security ipsec security-associations node-local

content_copy zoom_out_map
user@host> show security ipsec security-associations node-local
Total active tunnels: 1     Total IPsec sas: 1
  ID      Algorithm              SPI      Life:sec/kb  Mon lsys Port  Gateway
  <500001 ESP:aes-cbc-256/sha256 0x5f2fdf60 3093/ unlim -  root 500   6.0.0.2         
  >500001 ESP:aes-cbc-256/sha256 0x293e67e0 3093/ unlim -  root 500   6.0.0.2

show security ipsec security-associations node-local detail

content_copy zoom_out_map
user@host> show security ipsec security-associations node-local detail
ID: 500003 Virtual-system: root, VPN Name: IPSEC_VPN
  Local Gateway: 4.0.0.1, Remote Gateway: 6.0.0.2
  Local Identity: ipv4(0.0.0.0-255.255.255.255)
  Remote Identity: ipv4(0.0.0.0-255.255.255.255)
  TS Type: proxy-id
  Version: IKEv2
  Quantum Secured: No
  PFS group: DH-group-19
  Passive mode tunneling: Disabled
  DF-bit: clear, Copy-Outer-DSCP Disabled, Bind-interface: st0.1, Policy-name: IPSEC_POL
  Port: 500, Nego#: 0, Fail#: 0, Def-Del#: 0 Flag: 0 
  Multi-sa, Configured SAs# 0, Negotiated SAs#: 0 
  Tunnel events:
    Sun Apr 09 2023 22:22:27: IPsec SA negotiation succeeds (1 times)
  Location: FPC 1, PIC 1, KMD-Instance 0
  Anchorship: Thread 1
  Distribution-Profile: default-profile
  Direction: inbound, SPI: 0x8c8c3761, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3564 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2884 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 25                    
  Direction: outbound, SPI: 0x0e798f8c, AUX-SPI: 0
                              , VPN Monitoring: -
    Hard lifetime: Expires in 3564 seconds
    Lifesize Remaining:  Unlimited
    Soft lifetime: Expires in 2884 seconds
    Mode: Tunnel(0 0), Type: dynamic, State: installed
    Protocol: ESP, Authentication: hmac-sha256-128, Encryption: aes-cbc (256 bits)
    Anti-replay service: counter-based enabled, Replay window size: 64
    Extended-Sequence-Number: Disabled
    tunnel-establishment: establish-tunnels-responder-only
    IKE SA Index: 25

Release Information

Command introduced in Junos OS Release 8.5. Support for the family option added in Junos OS Release 11.1.

Support for the vpn-name option added in Junos OS Release 11.4R3. Support for the traffic-selector option and traffic selector field added in Junos OS Release 12.1X46-D10.

Support for Auto Discovery VPN (ADVPN) added in Junos OS Release 12.3X48-D10.

Support for IPsec datapath verification added in Junos OS Release 15.1X49-D70.

Support for thread anchorship added in Junos OS Release 17.4R1.

Starting in Junos OS Release 18.2R2 the show security ipsec security-assocations detail command output will include thread anchorship information for the security associations (SAs).

Starting in Junos OS Release 19.4R1, we have deprecated the CLI option fc-name (COS Forward Class name) in the new iked process that displays the security associations (SAs) under show command show security ipsec sa.

Support for the ha-link-encryption option added in Junos OS Release 20.4R1.

Support for the srg-id option added in Junos OS Release 22.4R1.

Support for the passive-mode-tunneling option added in Junos OS Release 23.1R1.

Support for the node-local option is added in Junos OS Release 23.2R1.

Starting in Junos OS Release 23.4R1, kmd-instance option is available only when you have kmd process for IPsec VPN. When you enable iked process usingjunos-iked package, this option is not available.

Support for lifesize in kilobytes, lifesize remaining, and VPN monitoring information in the command output with IPsec VPN running the iked process is added in Junos OS Release 23.4R1.

Support for the chacha20-poly1305 option is added in Junos OS Release 24.2R1.

Support for fc-name in the displayed output added in Junos OS Release 24.4R1.

Support for identity-management in the displayed output added in Junos OS Release 24.4R1.

Related Documentation

arrow_backward PREVIOUS show security ipsec next-hop-tunnels
NEXT arrow_forward show security ipsec statistics
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top