show services ipsec-vpn ike security-associations

Syntax

Description

(Adaptive services interface only) Display information for Internet Key Exchange (IKE) security associations. If no security association is specified, the information for all security associations is displayed.

Options

none

(same as brief) Display standard information for all IPsec security associations.

brief | detail

(Optional) Display the specified level of output.

peer-address

(Optional) Display information about a particular security association address.

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show services ipsec-vpn ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show services ipsec-vpn ike security-associations Output Fields

Each entry gives the field name, followed in parentheses by the level of output at which the field appears, and then the field description.

IKE peer (detail)
Remote end of the IKE negotiation.

Role (detail)
Part played in the IKE session. The router triggering the IKE negotiation is the initiator, and the router accepting the first IKE exchange packets is the responder.

Remote Address (none specified)
Responder's address.

State (none specified)
State of the IKE security association:

  • Matured—IKE security association is established.

  • Not matured—The IKE security association is in the process of negotiation.

Initiator cookie (All levels)
When the IKE negotiation is triggered, a random number is sent to the remote node.

Responder cookie (All levels)
The remote node generates its own random number and sends it back to the initiator as a verification that the packets were received.

Of the numerous security services available, protection against denial of service (DoS) is one of the most difficult to address. A “cookie” or anticlogging token (ACT) is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity. An exchange prior to CPU-intensive public key operations can thwart some DoS attempts (such as simple flooding with invalid IP source addresses).

Exchange type (All levels)
Specifies the number of messages in an IKE exchange, and the payload types that are contained in each message. Each exchange type provides a particular set of security services, such as anonymity of the participants, perfect forward secrecy of the keying material, and authentication of the participants. Junos OS supports two types of exchanges:

  • Main—The exchange is done with six messages. Main encrypts the payload, protecting the identity of the neighbor.

  • Aggressive—The exchange is done with three messages. Aggressive does not encrypt the payload, leaving the identity of the neighbor unprotected.

  • IKEv2—The exchange is negotiated using IKE version 2.

PIC (All levels)
The services PIC for which the IKE security associations are displayed.

Authentication method (detail)
Authentication method that determines which payloads are exchanged and when they are exchanged. Value can be ECDSA-signatures (256 bit key), ECDSA-signatures (384 bit key), Pre-shared-keys, or RSA-signatures.

Note:

In Junos FIPS mode, ECDSA is not supported in Junos OS Release 17.3R1. Starting in Junos OS Release 17.4R1, ECDSA is supported in Junos FIPS mode.

Local (detail)
Prefix and port number of the local end.

Remote (detail)
Prefix and port number of the remote end.

Lifetime (detail)
Number of seconds remaining until the IKE security association expires.

Algorithms (detail)
Header for the IKE algorithms output.

  • Authentication—(detail output only) Type of authentication algorithm used: md5 or sha1.

  • Encryption—(detail output only) Type of encryption algorithm used: des-cbc, 3des-cbc, or None.

  • Pseudo random function—Function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

Traffic statistics (detail)
Number of bytes and packets received and transmitted on the IKE security association.

  • Input bytes, Output bytes—Number of bytes received and transmitted on the IKE security association.

  • Input packets, Output packets—Number of packets received and transmitted on the IKE security association.

Flags (detail)
Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.

  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPsec security associations (detail)
Number of IPsec security associations created and deleted with this IKE security association.

Phase 2 negotiations in progress (detail)
Number of phase 2 negotiations in progress and status information:

  • Negotiation type—Type of phase 2 negotiation. The Junos OS currently supports quick mode.

  • Message ID—Unique identifier for a phase 2 negotiation.

  • Local identity—Identity of the local phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Remote identity—Identity of the remote phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Flags—Notification to the key management process of the status of the IKE negotiation:

    • caller notification sent—Caller program notified about the completion of the IKE negotiation.

    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.
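The Responder cookie entry in Table 1 describes the anticlogging token that lets a responder defer public-key work until a peer has shown it can receive packets at the address it claims. The following is an added example, not Junos code and not part of this reference page, showing one stateless way such a cookie can be derived and checked: the responder keeps no per-peer state, spends a single HMAC on each unverified first message, and only counts an "expensive operation" for peers that echo a valid cookie. The Responder class, the 60 second secret rotation window, the addresses and the simulated flood are all assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
import time

# Added example (not Junos code): a stateless anti-clogging cookie in the spirit
# of the IKE responder cookie. Secret, window length, class and helper names are
# assumptions constructed for this illustration.

COOKIE_LEN = 8          # IKE cookies are 8 bytes
WINDOW_SECONDS = 60     # assumed rotation interval for the responder secret


class Responder:
    def __init__(self, secret=None, clock=time.time):
        self.secret = secret or os.urandom(32)
        self.clock = clock                 # injectable so window rollover can be tested
        self.expensive_ops = 0             # stand-in counter for DH / signature work

    def _window(self, offset=0):
        return int(self.clock() // WINDOW_SECONDS) + offset

    def _cookie(self, peer_ip, peer_port, initiator_cookie, window):
        # Bind the cookie to the claimed source, the initiator's cookie and the
        # current time window; nothing is stored per peer, so a flood costs one
        # HMAC per packet and no memory.
        msg = b"|".join([peer_ip.encode(), str(peer_port).encode(),
                         initiator_cookie, str(window).encode()])
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:COOKIE_LEN]

    def first_message(self, peer_ip, peer_port, initiator_cookie):
        """Cheap reply to an unverified peer: hand back a responder cookie."""
        return self._cookie(peer_ip, peer_port, initiator_cookie, self._window())

    def verify_cookie(self, peer_ip, peer_port, initiator_cookie, responder_cookie):
        # Accept the current and the previous window so a legitimate peer is not
        # rejected just because the secret rotated mid-exchange.
        for w in (self._window(), self._window(-1)):
            expected = self._cookie(peer_ip, peer_port, initiator_cookie, w)
            if hmac.compare_digest(expected, responder_cookie):
                return True
        return False

    def second_message(self, peer_ip, peer_port, initiator_cookie, responder_cookie):
        """Only a peer that echoes a valid cookie reaches the expensive phase."""
        if not self.verify_cookie(peer_ip, peer_port, initiator_cookie, responder_cookie):
            return False                    # dropped before any public-key work
        self.expensive_ops += 1             # here the real DH exchange would run
        return True


def simulate(n_spoofed=200):
    """Constructed scenario: one genuine peer plus a flood from spoofed sources."""
    r = Responder()

    # Genuine initiator at a reachable address receives the cookie and echoes it.
    ic = os.urandom(COOKIE_LEN)
    rc = r.first_message("192.0.2.10", 500, ic)
    genuine_ok = r.second_message("192.0.2.10", 500, ic, rc)

    # The same cookie presented from a different source address must fail.
    replay_ok = r.second_message("203.0.113.5", 500, ic, rc)

    # Spoofed flood: the sender never receives the cookie, so it can only guess.
    rejected = 0
    for i in range(n_spoofed):
        ip = f"198.51.100.{i % 254 + 1}"
        fake_ic = os.urandom(COOKIE_LEN)
        r.first_message(ip, 500, fake_ic)           # costs one HMAC, no state
        if not r.second_message(ip, 500, fake_ic, os.urandom(COOKIE_LEN)):
            rejected += 1

    return genuine_ok, replay_ok, rejected, r.expensive_ops


def window_rollover_check():
    """Cookie issued in window N is valid in N and N+1 but rejected in N+3."""
    t = [1000.0]                                    # 1000 // 60 == window 16
    r = Responder(secret=b"k" * 32, clock=lambda: t[0])
    ic = b"\x01" * COOKIE_LEN
    rc = r.first_message("192.0.2.10", 500, ic)
    same = r.verify_cookie("192.0.2.10", 500, ic, rc)
    t[0] = 1075.0                                   # window 17: previous window still accepted
    next_ok = r.verify_cookie("192.0.2.10", 500, ic, rc)
    t[0] = 1150.0                                   # window 19: cookie has aged out
    later = r.verify_cookie("192.0.2.10", 500, ic, rc)
    return same, next_ok, later


if __name__ == "__main__":
    print(simulate())
    print(window_rollover_check())
```

Running the block prints the simulation tuple (genuine peer accepted, cross-address reuse rejected, all spoofed second messages rejected, exactly one expensive operation performed) and the rollover tuple. The design point is the one the page makes: authenticity of the cookie is settled with a keyed hash that costs far less than the public-key operations it gates, and because the cookie is recomputed rather than looked up, a flood of spoofed first messages consumes neither memory nor negotiation state on the responder.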

Sample Output

show services ipsec-vpn ike security-associations

show services ipsec-vpn ike security-associations detail

show services ipsec-vpn ike security-associations (on ACX500 Routers)

Release Information

Command introduced before Junos OS Release 7.4.

Statistics for Internet Key Exchange (IKE) security associations for each services PIC introduced in Junos OS Release 12.1.