display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

brief: Displays brief information about all IPsec SAs.

count: Displays the number of IPsec SAs.

interface interface-type interface-number: Specifies an interface by its type and number.

ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.

policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535.

profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

remote ip-address: Specifies an IPsec SA by its remote end IP address.

ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all IPsec SAs.

Examples

# Display brief information about IPsec SAs.

<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global   Dst Address      SPI         Protocol  Status
-----------------------------------------------------------------------
Vlan100            10.1.1.1         400         ESP       Active
Vlan100            255.255.255.255  4294967295  ESP       Active
Vlan100            100::1/64        500         AH        Active
Global             --               600         ESP       Active

Table 41: Command output

Field             Description
----------------  -----------------------------------------------------------
Interface/Global  Interface to which the IPsec SA belongs, or Global for a
                  global IPsec SA (created by using an IPsec profile).
Dst Address       Remote end IP address of the IPsec tunnel. For IPsec SAs
                  created by using IPsec profiles, this field displays two
                  hyphens (--).
SPI               SPI of the IPsec SA.
Protocol          Security protocol used by IPsec.
Status            Status of the IPsec SA, which can only be Active.

# Display the number of IPsec SAs.

<Sysname> display ipsec sa count
Total IPsec SAs count: 4

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------

  -----------------------------
  IPsec policy: r2
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 3
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VRF: vp1
    Extended Sequence Numbers enable: Y
    Traffic Flow Confidentiality enable: N
    Path MTU: 1443
    Tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.2
    Flow:
        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3564837569 (0xd47b1ac1)
      Connection ID: 90194313219
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      Max received sequence-number: 5
      Anti-replay check enable: Y
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 801701189 (0x2fc8fd45)
      Connection ID: 64424509441
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      Max sent sequence-number: 6
      UDP encapsulation used for NAT traversal: N
      Status: Active
-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport
    [Inbound AH SA]
      SPI: 1234563 (0x0012d683)
      Connection ID: 64426789452
      Transform set: AH-SHA1
      No duration limit for this SA
    [Outbound AH SA]
      SPI: 1234563 (0x0012d683)
      Connection ID: 64428999468
      Transform set: AH-SHA1
      No duration limit for this SA

Table 42: Command output

Field                                     Description
----------------------------------------  --------------------------------------------------------------
Interface                                 Interface to which the IPsec SA belongs.
IPsec policy                              Name of the IPsec policy.
IPsec profile                             Name of the IPsec profile.
Sequence number                           Sequence number of the IPsec policy entry.
Mode                                      Negotiation mode used by the IPsec policy:
                                          • Manual—Manual mode.
                                          • ISAKMP—IKE negotiation mode.
                                          • Template—IPsec policy template mode.
Flow table status                         Status of the flow entries deployed by IPsec: Active or
                                          Inactive.
Tunnel id                                 IPsec tunnel ID.
Encapsulation mode                        Encapsulation mode: transport or tunnel.
Perfect Forward Secrecy                   Perfect Forward Secrecy (PFS) used by the IPsec policy for
                                          negotiation:
                                          • 768-bit Diffie-Hellman group (dh-group1).
                                          • 1024-bit Diffie-Hellman group (dh-group2).
                                          • 1536-bit Diffie-Hellman group (dh-group5).
                                          • 2048-bit Diffie-Hellman group (dh-group14).
                                          • 2048-bit Diffie-Hellman group with a 256-bit subgroup
                                            (dh-group24).
                                          • 256-bit ECP Diffie-Hellman group (dh-group19).
                                          • 384-bit ECP Diffie-Hellman group (dh-group20).
Extended Sequence Numbers enable          Whether Extended Sequence Number (ESN) is enabled.
Traffic Flow Confidentiality enable       Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Inside VRF                                VPN instance to which the protected data flow belongs.
Path MTU                                  Path MTU of the IPsec SA.
Tunnel                                    Local and remote addresses of the IPsec tunnel.
local address                             Local end IP address of the IPsec tunnel.
remote address                            Remote end IP address of the IPsec tunnel.
Flow                                      Information about the data flow protected by the IPsec tunnel.
sour addr                                 Source IP address of the data flow.
dest addr                                 Destination IP address of the data flow.
port                                      Port number.
protocol                                  Protocol type: ip or ipv6.
Current outbound SPI                      SPI that the outbound IPsec SA currently uses. This field
                                          is displayed when the negotiation mode is GDOI.
SPI                                       SPI of the IPsec SA.
Connection ID                             Identifier of the IPsec SA.
Transform set                             Security protocol and algorithms used by the IPsec transform
                                          set.
SA duration (kilobytes/sec)               IPsec SA lifetime, in kilobytes and in seconds.
SA remaining duration (kilobytes/sec)     Remaining IPsec SA lifetime, in kilobytes and in seconds.
Max received sequence-number              Maximum sequence number in the received packets.
Max sent sequence-number                  Maximum sequence number in the sent packets.
Anti-replay check enable                  Whether anti-replay checking is enabled.
UDP encapsulation used for NAT traversal  Whether NAT traversal (UDP encapsulation) is used by the
                                          IPsec SA.
Status                                    Status of the IPsec SA, which can only be Active.
No duration limit for this SA             Manual IPsec SAs do not have a lifetime.
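As an added example (not part of this command reference), the following Python script parses the detailed output format shown above into one record per SA and flags the properties an operator reviews in it: legacy algorithms in the transform set, anti-replay checking disabled, manual keying (never rekeyed), and an imminent rekey. The field names come from the output above; the sample text is constructed and abridged, the anti-replay "N" value is introduced to give the audit a hit, and the legacy-algorithm list is an assumption.

```python
import re
# Constructed sample abridged from this page's detailed output; anti-replay "N" is introduced to give the audit a hit.
SAMPLE = """\
Interface: Vlan-interface100
  IPsec policy: r2
  Mode: ISAKMP
    [Inbound ESP SAs]
      SPI: 3564837569 (0xd47b1ac1)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA remaining duration (kilobytes/sec): 1843200/2686
      Anti-replay check enable: N
Global IPsec SA
  IPsec profile: profile
  Mode: Manual
    [Inbound AH SA]
      SPI: 1234563 (0x0012d683)
      Transform set: AH-SHA1
"""
CONTEXT = ("Interface", "IPsec policy", "IPsec profile", "Mode")
LEGACY = {"MD5", "DES", "3DES", "SHA1"}  # assumed list of algorithms worth retiring

def parse_sas(text):
    """Return one dict per [Inbound|Outbound ESP|AH SA] block, inheriting its context lines."""
    ctx, sas = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Global IPsec SA" or line.startswith("Interface:"):
            ctx = {"Interface": line.partition(":")[2].strip() or "Global"}
        elif m := re.fullmatch(r"\[(Inbound|Outbound) (ESP|AH) SAs?\]", line):
            sas.append({**ctx, "direction": m[1], "protocol": m[2]})
        elif ":" in line:
            key, _, val = line.partition(":")
            (ctx if key in CONTEXT else sas[-1] if sas else {})[key] = val.strip()
    return sas

def audit(sas, min_seconds=3600):
    """Flag legacy algorithms, anti-replay off, manual keys, and a rekey due within min_seconds."""
    findings = []
    for sa in sas:
        tag = f"{sa['Interface']} {sa['direction']} {sa['protocol']} SPI {sa.get('SPI', '?').split()[0]}"
        if weak := set(re.split(r"[-\s]+", sa.get("Transform set", ""))) & LEGACY:
            findings.append(f"{tag}: legacy algorithm {sorted(weak)}")
        if sa.get("Anti-replay check enable") == "N":
            findings.append(f"{tag}: anti-replay check disabled")
        if sa.get("Mode") == "Manual":
            findings.append(f"{tag}: manual keying, SA is never rekeyed")
        remaining = sa.get("SA remaining duration (kilobytes/sec)")
        if remaining and int(remaining.split("/")[1]) < min_seconds:
            findings.append(f"{tag}: {remaining.split('/')[1]}s of lifetime left")
    return findings
```

Feed the captured output of display ipsec sa to parse_sas in place of SAMPLE; the parser ignores the dashed separator lines and any field it does not know.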

Related commands

ipsec sa global-duration

reset ipsec sa