Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

show security ike security-associations

Syntax

Description

Display information about Internet Key Exchange security associations (IKE SAs).

Options

  • none—Display standard information about existing IKE SAs, including index numbers.

  • peer-address—(Optional) Display details about a particular SA based on the IPv4 or IPv6 address of the destination peer. This option and index provide the same level of output.

  • brief—(Optional) Display standard information about all existing IKE SAs. (Default)

  • detail—(Optional) Display detailed information about all existing IKE SAs.

  • family—(Optional) Display IKE SAs by family. This option is used to filter the output.

    • inet—IPv4 address family.

    • inet6—IPv6 address family.

  • fpc slot-number—(Optional) Display information about existing IKE SAs in this Flexible PIC Concentrator (FPC) slot. This option is used to filter the output.

    In a chassis cluster, when you execute the CLI command show security ike security-associations pic <slot-number> fpc <slot-number> in operational mode, only the primary node information about the existing IPsec SAs in the specified Flexible PIC Concentrator (FPC) slot and PIC slot is displayed.

    Starting Junos OS Release 23.4R1, this option is not available when junos-ike package is installed for running IPsec VPN using IKED process.

  • index SA-index-number—(Optional) Display information for a particular SA based on the index number of the SA. For a particular SA, display the list of existing SAs by using the command with no options. This option and peer-address provide the same level of output.

  • kmd-instance —(Optional) Display information about existing IKE SAs in the key management process (in this case, it is KMD) identified by FPC slot-number and PIC slot-number. This option is used to filter the output.

    • all—All KMD instances running on the Services Processing Unit (SPU).

    • kmd-instance-name—Name of the KMD instance running on the SPU.

    Starting Junos OS Release 23.4R1, this option is not available when junos-ike package is installed for running IPsec VPN using IKED process.

node-local

—(Optional) Display information about IKE SAs for node-local tunnels in a Multinode High Availability setup.

  • pic slot-number —(Optional) Display information about existing IKE SAs in this PIC slot. This option is used to filter the output.

    Starting Junos OS Release 23.4R1, this option is not available when junos-ike package is installed for running IPsec VPN using IKED process.

  • sa-type shortcut—(Optional) It's applicable for ADVPN. Display information about IKE SAs by type shortcut.

  • srg-id—(Optional) Display information related to a specific services redundancy group (SRG).

Required Privilege Level

view

Output Fields

Table 1 lists the output fields for the show security ike security-associations command. Output fields are listed in the approximate order in which they appear.

Table 1: show security ike security-associations Output Fields

Field Name

Field Description

IKE Peer or Remote Address

IP address of the destination peer with which the local peer communicates.

Index

Index number of an SA. This number is an internally generated number you can use to display information about a single SA.

Gateway Name

Name of the IKE gateway.

Location

  • FPC—Flexible PIC Concentrator (FPC) slot number.

  • PIC—PIC slot number.

  • KMD-Instance—The name of the KMD instance running on the SPU, identified by FPC slot-number and PIC slot-number. Currently, 4 KMD instances are running on each SPU, and any particular IKE negotiation is carried out by a single KMD instance.

Role

Part played in the IKE session. The device triggering the IKE negotiation is the initiator, and the device accepting the first IKE exchange packets is the responder.

State

State of the IKE SAs:

  • DOWN—SA has not been negotiated with the peer.

  • UP—SA has been negotiated with the peer.

Initiator cookie

Random number, called a cookie, which is sent to the remote node when the IKE negotiation is triggered.

Responder cookie

Random number generated by the remote node and sent back to the initiator as a verification that the packets were received.

A cookie is aimed at protecting the computing resources from attack without spending excessive CPU resources to determine the cookie's authenticity.

Exchange type

Negotiation method agreed on by the two IPsec endpoints, or peers, used to exchange information between one another. Each exchange type or mode determines the number of messages and the payload types that are contained in each message. The modes are:

  • main—The exchange is done with six messages. This mode encrypts the payload, protecting the identity of the neighbor.

  • aggressive—The exchange is done with three messages. This mode does not encrypt the payload, leaving the identity of the neighbor unprotected.

IKEv2 protocol does not use the mode configuration for negotiation. Therefore, the mode displays the version number of the security association.

Authentication method

Method used to authenticate the source of IKE messages, which can be either Pre-shared-keys or digital certificates, such as DSA-signatures, ECDSA-signatures-256, ECDSA-signatures-384, or RSA-signatures.

Local

Address of the local peer.

Remote

Address of the remote peer.

Lifetime

Number of seconds remaining until the IKE SA expires.

Reauth Lifetime

When enabled, number of seconds remaining until reauthentication triggers a new IKEv2 SA negotiation.

IKE Fragmentation

Enabled means that both the IKEv2 initiator and responder support message fragmentation and have negotiated the support during the IKE_SA_INIT message exchange.

Size shows the maximum size of an IKEv2 message before it is fragmented.

Algorithms

IKE algorithms used to encrypt and secure exchanges between the peers during the IPsec Phase 2 process:

  • Authentication—Type of authentication algorithm used:

    • sha1—Secure Hash Algorithm 1 authentication.

    • md5—MD5 authentication.

  • Encryption—Type of encryption algorithm used:

    • aes-256-cbc—Advanced Encryption Standard (AES) 256-bit encryption.

    • aes-192-cbc— AES192-bit encryption.

    • aes-128-cbc—AES 128-bit encryption.

    • 3des-cbc—3 Data Encryption Standard (DES) encryption.

    • aes-128-gcm—Advanced Encryption Standard (AES) 256-bit encryption.

    • chacha20-poly1305—ChaCha20-Poly1305 authenticated encryption.

    • des-cbc—DES encryption.

    Starting in Junos OS Release 19.4R2, when you configure aes-128-gcm or aes-256-gcm as an encryption algorithm at the [edit security ipsec proposalproposal-name] hierarchy level, the authentication algorithm field of the show security ikesecurity-associations detail command displays the same configured encryption algorithm.

  • Pseudo random function—Function that generates highly unpredictable random numbers: hmac-md5 or hmac-sha1.

  • Diffie-Hellman group—Specifies the type of Diffie-Hellman group when performing the new Diffie-Hellman exchange. It can be one of the following:

    • group1—768-bit Modular Exponential (MODP) algorithm.

    • group2—1024-bit MODP algorithm.

    • group14—2048-bit MODP group.

    • group15—3072-bit MODP algorithm.

    • group16—4096-bit MODP algorithm.

    • group19—256-bit random Elliptic Curve Groups modulo a prime (ECP group) algorithm.

    • group20—384-bit random ECP group algorithm.

    • group21—521-bit random ECP group algorithm.

    • group24—2048-bit MODP group with 256-bit prime order subgroup.

Traffic statistics

  • Input bytes—Number of bytes received.

  • Output bytes—Number of bytes transmitted.

  • Input packets—Number of packets received.

  • Output packets—Number of packets transmitted.

  • Input fragmented packets—Number of IKEv2 fragmented packets received.

  • Output fragmented packets—Number of IKEv2 fragmented packets transmitted.

Flags

Notification to the key management process of the status of the IKE negotiation:

  • caller notification sent—Caller program notified about the completion of the IKE negotiation.

  • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

  • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

  • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

IPSec security associations

  • number created: The number of SAs created.

  • number deleted: The number of SAs deleted.

Phase 2 negotiations in progress

Number of Phase 2 IKE negotiations in progress and status information:

  • Negotiation type—Type of Phase 2 negotiation. Junos OS currently supports quick mode.

  • Message ID—Unique identifier for a Phase 2 negotiation.

  • Local identity—Identity of the local Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Remote identity—Identity of the remote Phase 2 negotiation. The format is id-type-name (proto-name:port-number,[0..id-data-len] = iddata-presentation).

  • Flags—Notification to the key management process of the status of the IKE negotiation:

    • caller notification sent—Caller program notified about the completion of the IKE negotiation.

    • waiting for done—Negotiation is done. The library is waiting for the remote end retransmission timers to expire.

    • waiting for remove—Negotiation has failed. The library is waiting for the remote end retransmission timers to expire before removing this negotiation.

    • waiting for policy manager—Negotiation is waiting for a response from the policy manager.

Local gateway interface

Interface name of the local gateway.

Routing instance

Name of the local gateway routing instance.

IPsec Tunnel IDs

Indicates the list of child IPsec tunnel IDs

Sample Output

show security ike security-associations (IPv4)

show security ike security-associations (IPv6)

show security ike security-associations detail (SRX300, SRX320, SRX340, SRX345, and SRX550HM Devices)

show security ike security-associations detail (SRX5400, SRX5600, and SRX5800 Devices)

command-name

The show security ike stats topic lists the output fields for the show security ike security-associations detail command.

show security ike security-associations family inet6

show security ike security-associations index 222075191 detail

show security ike security-associations index 788674 detail

show security ike security-associations 192.168.1.2

show security ike security-associations fpc 6 pic 1 kmd-instance all (SRX Series Firewalls)

show security ike security-associations detail (ADVPN Suggester, Static Tunnel)

show security ike security-associations detail (ADVPN Partner, Static Tunnel)

show security ike security-associations detail (ADVPN Partner, Shortcut)

show security ike security-associations sa-type shortcut (ADVPN)

show security ike security-associations sa-type shortcut detail (ADVPN)

show security ike security-associations detail (IKEv2 Reauthentication)

show security ike security-associations detail (IKEv2 Fragmentation)

show security ike security-associations srg-id

show security ike security-associations node-local

show security ike security-associations node-local detail

show security ike security-associations detail (ChaCha20-Poly1305)

Release Information

Command introduced in Junos OS Release 8.5. Support for the fpc, pic, and kmd-instance options added in Junos OS Release 9.3. Support for the family option added in Junos OS Release 11.1. Support for Auto Discovery VPN added in Junos OS Release 12.3X48-D10. Support for IKEv2 reauthentication added in Junos OS Release 15.1X49-D60. Support for IKEv2 fragmentation added in Junos OS Release 15.1X49-D80.

Support for the ha-link-encryption option added in Junos OS Release 20.4R1.

Support for the srg-id option added in Junos OS Release 22.4R1.

Support for the node-local option added in Junos OS Release 23.2R1.

Support for the chacha20-poly1305 option added in Junos OS Release 24.2R1.