Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

show security ipsec security-associations

Syntax

Description

Display information about the IPsec security associations (SAs).

In Junos OS Releases 20.1R2, 20.2R2, 20.3R2, 20.3R1, and later, when you execute the show security ipsec security-associations detail command, a new output field IKE SA Index corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA information. See show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800).

Options

none

Display information about all SAs.

brief | detail | extensive

(Optional) Display the specified level of output. The default is brief.

family

(Optional) Display SAs by family. This option is used to filter the output.

  • inet—IPv4 address family.

  • inet6—IPv6 address family.

fpc slot-numberpic slot-number

(Optional) Display information about existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot.

In a chassis cluster, when you execute the CLI command show security ipsec security-associations pic <slot-number> fpc <slot-number> in operational mode, only the primary node information about the existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.

index SA-index-number

(Optional) Display detailed information about the specified SA identified by this index number. To obtain a list of all SAs that includes their index numbers, use the command with no options.

kmd-instance

(Optional) Display information about existing IPsec SAs in the key management process (in this case, it is KMD) identified by the FPC slot-number and PIC slot-number.

This option is applicable when you have kmd process for IPsec VPN features. This option is not available when you enable iked process using junos-ike package for running IPsec VPN features.

  • all—All KMD instances running on the Services Processing Unit (SPU).

  • kmd-instance-name—Name of the KMD instance running on the SPU.

node-local

—(Optional) Display information about IPsec SAs for node-local tunnels in a Multinode High Availability setup.

pic slot-numberfpc slot-number

(Optional) Display information about existing IPsec SAs in the specified PIC slot and FPC slot.

sa-type shortcut

(Optional) It's applicable for ADVPN. Display information about IPsec SAs by type shortcut.

traffic-selector traffic-selector-name

(Optional) Display information about the specified traffic selector.

vpn-name vpn-name

(Optional) Display information about the specified VPN.

ha-link-encryption

(Optional) Display information related to interchassis link tunnel only. See ipsec (High Availability), show security ipsec security-associations ha-link-encryption (SRX5400, SRX5600, SRX5800), and show security ipsec sa detail ha-link-encryption (SRX5400, SRX5600, SRX5800).

srg-id

(Optional) Display information related to a specific services redundancy group (SRG) in a Multinode High Availability setup.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ipsec security-associations command, Table 2 lists the output fields for the show security ipsec sa command and Table 3. lists the output fields for the show security ipsec sa detail. Output fields are listed in the approximate order in which they appear.

Table 1: show security ipsec security-associations

Field Name

Field Description

Level of Output

Total active tunnels

Total number of active IPsec tunnels.

brief

ID

Index number of the SA. You can use this number to get additional information about the SA.

All levels

Algorithm

Cryptography used to secure exchanges between peers during the IKE negotiations includes:

  • An authentication algorithm used to authenticate exchanges between the peers.

  • An encryption algorithm used to encrypt data traffic.

brief

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: IKE and IPsec.

brief

Life: sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

brief

Mon

The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

brief

lsys

The root system.

brief

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

All levels

Gateway

IP address of the remote gateway.

brief

Virtual-system

Name of the logical system.

detail, extensive

VPN name

IPsec name for VPN.

detail, extensive

State

State has two options, Installed and Not Installed.

  • Installed—The SA is installed in the SA database.

  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

detail, extensive

Local gateway

Gateway address of the local system.

detail, extensive

Remote gateway

Gateway address of the remote system.

detail, extensive

Traffic selector

Name of the traffic selector.

detail, extensive

Local identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

detail, extensive

Remote identity

IP address of the destination peer gateway.

detail, extensive

Term

Defines local IP range, remote IP range, source port range, destination port range, and protocol.

detail, extensive

Source-port

Source port range configured for a term.

detail, extensive

Destination-Port

Destination port range configured for a term.

detail, extensive

Version

IKE version, either IKEv1 or IKEv2.

detail, extensive

DF-bit

State of the don't fragment bit: set or cleared.

detail, extensive

Location

FPC—Flexible PIC Concentrator (FPC) slot number.

PIC—PIC slot number.

KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances running on each SPU, and any particular IPsec negotiation is carried out by a single KMD instance. This option is applicable when you have kmd process for IPsec VPN features. This option is not available when you enable iked process using junos-ike package for running IPsec VPN features.

detail, extensive

Tunnel events

Tunnel event and the number of times the event has occurred. See Tunnel Events for descriptions of tunnel events and the action you can take.

  • The detail option displays upto ten tunnel events in reverse chronological order.

  • The extensive option displays all the tunnel events.

detail, extensive

Anchorship

Anchor thread ID for the SA (for SRX4600 Series devices with the detail option).

 

Direction

Direction of the SA; it can be inbound or outbound.

detail, extensive

AUX-SPI

Value of the auxiliary security parameter index(SPI).

  • When the value is AH or ESP, AUX-SPI is always 0.

  • When the value is AH+ESP, AUX-SPI is always a positive integer.

detail, extensive

Mode

Mode of the SA:

  • transport—Protects host-to-host connections.

  • tunnel—Protects connections between security gateways.

detail, extensive

Type

Type of the SA:

  • manual—Security parameters require no negotiation. They are static and are configured by the user.

  • dynamic—Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

detail, extensive

State

State of the SA:

  • Installed—The SA is installed in the SA database.

  • Not Installed—The SA is not installed in the SA database.

    For transport mode, the value of State is always Installed.

detail, extensive

Protocol

Protocol supported.

  • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).

  • Tunnel mode supports ESP and AH.

detail, extensive

Authentication

Type of authentication used.

detail, extensive

Encryption

Type of encryption used.

Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as an encryption algorithm at the [edit security ipsec proposal proposal-name] hierarchy level, the authentication algorithm field of the show security ipsec security-associations detail command displays the same configured encryption algorithm.

detail, extensive

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire.

Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

  • Expires in seconds—Number of seconds left until the SA expires.

detail, extensive

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds—Number of seconds left until the SA expires.

detail, extensive

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

  • Expires in kilobytes—Number of kilobytes left until the SA expires.

detail, extensive

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

detail, extensive

Replay window size

Size of the antireplay service window, which is 64 bits.

detail, extensive

Bind-interface

The tunnel interface to which the route-based VPN is bound.

detail, extensive

Copy-Outer-DSCP

Indicates if the system copies the outer DSCP value from the IP header to the inner IP header.

detail, extensive

tunnel-establishment

Indicates how the IKE is activated.

detail, extensive

IKE SA index

Indicates the list of parent IKE security associations.

detail, extensive

Table 2: show security ipsec sa Output Fields

Field Name

Field Description

Total active tunnels

Total number of active IPsec tunnels.

ID

Index number of the SA. You can use this number to get additional information about the SA.

Algorithm

Cryptography used to secure exchanges between peers during the IKE Phase 2 negotiations includes:

  • An authentication algorithm used to authenticate exchanges between the peers. Options are hmac-md5-96, hmac-sha-256-128, or hmac-sha1-96.

  • An encryption algorithm used to encrypt data traffic. Options are 3des-cbc, aes-128-cbc, aes-192-cbc, aes-256-cbc, chacha20-poly1305, or des-cbc.

SPI

Security parameter index (SPI) identifier. An SA is uniquely identified by an SPI. Each entry includes the name of the VPN, the remote gateway address, the SPIs for each direction, the encryption and authentication algorithms, and keys. The peer gateways each have two SAs, one resulting from each of the two phases of negotiation: Phase 1 and Phase 2.

Life:sec/kb

The lifetime of the SA, after which it expires, expressed either in seconds or kilobytes.

Mon

The Mon field refers to VPN monitoring status. If VPN monitoring is enabled, then this field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPSec datapath verification is in progress.

lsys

The root system.

Port

If Network Address Translation (NAT) is used, this value is 4500. Otherwise, it is the standard IKE port, 500.

Gateway

Gateway address of the system.

Table 3: show security ipsec sa detail Output Fields

Field Name

Field Description

FC-name

Forwarding class (FC) name for the child security association.

ID

Index number of the SA. You can use this number to get additional information about the SA.

Virtual-system

The virtual system name.

VPN Name

IPSec name for VPN.

Local Gateway

Gateway address of the local system.

Remote Gateway

Gateway address of the remote system.

Local Identity

Identity of the local peer so that its partner destination gateway can communicate with it. The value is specified as an IP address, fully qualified domain name, e-mail address, or distinguished name (DN).

Remote Identity

IP address of the destination peer gateway.

Version

IKE version. For example, IKEv1, IKEv2.

Passive Mode Tunneling

IPsec tunneling of malformed packets. You can either enable or disable the option.

DF-bit

State of the don't fragment bit: set or cleared.

Bind-interface

The tunnel interface to which the route-based VPN is bound.

identity-management

Count for the VPN tunnel create, delete, and rekey events when push to identity management is enabled.

Tunnel Events

Direction

Direction of the SA; it can be inbound or outbound.

AUX-SPI

Value of the auxiliary security parameter index(SPI).

  • When the value is AH or ESP, AUX-SPI is always 0.

  • When the value is AH+ESP, AUX-SPI is always a positive integer.

VPN Monitoring

If VPN monitoring is enabled, then the Mon field displays U (up) or D (down). A hyphen (-) means VPN monitoring is not enabled for this SA. A V means that IPsec datapath verification is in progress.

Starting Junos OS release 23.4R1 , the output displays Interval and Threshold details when the firewall runs IPsec VPN services with the iked process.

Hard lifetime

The hard lifetime specifies the lifetime of the SA.

  • Expires in seconds - Number of seconds left until the SA expires.

Lifesize Remaining

The lifesize remaining specifies the usage limits in kilobytes. If there is no lifesize specified, it shows unlimited.

Soft lifetime

The soft lifetime informs the IPsec key management system that the SA is about to expire. Each lifetime of an SA has two display options, hard and soft, one of which must be present for a dynamic SA. This allows the key management system to negotiate a new SA before the hard lifetime expires.

  • Expires in seconds - Number of seconds left until the SA expires.

Mode

Mode of the SA:

  • transport - Protects host-to-host connections.

  • tunnel - Protects connections between security gateways.

Type

Type of the SA:

  • manual - Security parameters require no negotiation. They are static and are configured by the user.

  • dynamic - Security parameters are negotiated by the IKE protocol. Dynamic SAs are not supported in transport mode.

State

State of the SA:

  • Installed - The SA is installed in the SA database.

  • Not Installed - The SA is not installed in the SA database.

For transport mode, the value of State is always Installed.

Protocol

Protocol supported.

  • Transport mode supports Encapsulation Security Protocol (ESP) and Authentication Header (AH).

  • Tunnel mode supports ESP and AH.

    • Authentication - Type of authentication used.

    • Encryption - Type of encryption used.

Anti-replay service

State of the service that prevents packets from being replayed. It can be Enabled or Disabled.

Replay window size

Configured size of the antireplay service window. It can be 32 or 64 packets. If the replay window size is 0, the antireplay service is disabled.

The antireplay window size protects the receiver against replay attacks by rejecting old or duplicate packets.

Interchassis Link Tunnel

HA Link Encryption Mode

High availability mode supported. Displays Multi-Node when multi-node high availability feature is enabled.

Sample Output

For brevity, the show command outputs does not display all the values of the configuration. Only a subset of the configuration is displayed. Rest of the configuration on the system has been replaced with ellipses (...).

show security ipsec security-associations (IPv4)

show security ipsec security-associations (IPv6)

show security ipsec security-associations index 511672

show security ipsec security-associations index 131073 detail

Starting with Junos OS Release 18.2R1, the CLI show security ipsec security-associations index index-number detail output displays all the child SA details including forwarding class name.

show security ipsec sa

show security ipsec sa detail

Starting with Junos OS Release 19.1R1, a new field tunnel-establishment in the output of the CLI show security ipsec sa detail displays the option configured under ipsec vpn establish-tunnels hierarchy.

Starting with Junos OS Release 21.3R1, a new field Tunnel MTU in the output of the CLI show security ipsec sa detail displays the option configured under ipsec vpn hub-to-spoke-vpn tunnel-mtu hierarchy.

Starting in Junos OS Release 22.1R3, on SRX5000 line of devices, the Tunnel MTU is not displayed in the CLI output if the tunnel MTU is not configured.

show security ipsec sa detail (MX-SPC3)

show security ipsec sa detail (MX-SPC3 and SRX4600) with passive mode tunneling

show security ipsec security-association

show security ipsec security-associations brief

show security ipsec security-associations detail

show security ipsec security-associations with VPN monitoring enabled

show security ipsec security-associations detail with VPN monitoring enabled

show security ipsec security-associations family inet6

show security ipsec security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)

show security ipsec security-associations detail (ADVPN Suggester, Static Tunnel)

show security ipsec security-associations detail (ADVPN Partner, Static Tunnel)

show security ipsec security-associations sa-type shortcut (ADVPN)

show security ipsec security-associations sa-type shortcut detail (ADVPN)

show security ipsec security-associations family inet detail

show security ipsec security-associations detail (SRX4600)

show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)

A new output field IKE SA Index corresponding to every IPsec SA within a tunnel is displayed under each IPsec SA information.

In Junos OS Release 22.3R1 and later, when you configure the Chassis Cluster HA control link encryption feature, you can execute the show security ike sa ha-link-encryption detail, show security ipsec sa ha-link-encryption detail, and show security ipsec sa ha-link-encryption commands to view the Chassis cluster control link encryption tunnel details.

show security ike sa ha-link-encryption detail

show security ipsec sa ha-link-encryption detail

show security ipsec sa ha-link-encryption

show security ipsec security-associations (ChaCha20-Poly1305)

show security ipsec security-associations detail (ChaCha20-Poly1305)

show security ipsec security-associations detail (identity-management)

show security ipsec security-associations detail (multi-sa with forwarding class details)

show security ipsec security-associations detail (SRX Series Firewalls and MX Series Routers)

In Junos OS Release 20.4R2, 21.1R1, and later, you can execute the show security ipsec security-associations detail command to view the traffic selector type for a VPN.

show security ipsec security-associations detail (SRX5400, SRX5600, SRX5800)

Starting in Junos OS Release 21.1R1, you can view the traffic selector details, that includes, local identity, remote identity, protocol, source-port range, destination port range for multiple terms defined for an IPsec SA.

In the earlier Junos Releases, traffic selection for a particular SA is performed using existing IP range defined using IP address or netmask. From Junos OS Release 21.1R1 onwards, additionally traffic is selected through protocol specified using protocol_name. And also, low and high port range specified for source and destination port numbers.

show security ipsec security-associations srg-id

show security ipsec security-associations node-local

show security ipsec security-associations node-local detail

Release Information

Command introduced in Junos OS Release 8.5. Support for the family option added in Junos OS Release 11.1.

Support for the vpn-name option added in Junos OS Release 11.4R3. Support for the traffic-selector option and traffic selector field added in Junos OS Release 12.1X46-D10.

Support for Auto Discovery VPN (ADVPN) added in Junos OS Release 12.3X48-D10.

Support for IPsec datapath verification added in Junos OS Release 15.1X49-D70.

Support for thread anchorship added in Junos OS Release 17.4R1.

Starting in Junos OS Release 18.2R2 the show security ipsec security-assocations detail command output will include thread anchorship information for the security associations (SAs).

Starting in Junos OS Release 19.4R1, we have deprecated the CLI option fc-name (COS Forward Class name) in the new iked process that displays the security associations (SAs) under show command show security ipsec sa.

Support for the ha-link-encryption option added in Junos OS Release 20.4R1.

Support for the srg-id option added in Junos OS Release 22.4R1.

Support for the passive-mode-tunneling option added in Junos OS Release 23.1R1.

Support for the node-local option is added in Junos OS Release 23.2R1.

Starting in Junos OS Release 23.4R1, kmd-instance option is available only when you have kmd process for IPsec VPN. When you enable iked process usingjunos-iked package, this option is not available.

Support for lifesize in kilobytes, lifesize remaining, and VPN monitoring information in the command output with IPsec VPN running the iked process is added in Junos OS Release 23.4R1.

Support for the chacha20-poly1305 option is added in Junos OS Release 24.2R1.

Support for fc-name in the displayed output added in Junos OS Release 24.4R1.

Support for identity-management in the displayed output added in Junos OS Release 24.4R1.