display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and number.
ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.
policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535.
profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all IPsec SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global    Dst Address        SPI           Protocol   Status
-----------------------------------------------------------------------
Vlan100             10.1.1.1           400           ESP        Active
Vlan100             255.255.255.255    4294967295    ESP        Active
Vlan100             100::1/64          500           AH         Active
Global              --                 600           ESP        Active
Table 41: Command output
Field | Description |
---|---|
Interface/Global | Interface to which the IPsec SA belongs, or Global for an IPsec SA created by using an IPsec profile. |
Dst Address | Remote end IP address of the IPsec tunnel. For the IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
SPI | IPsec SA SPI. |
Protocol | Security protocol used by IPsec. |
Status | Status of the IPsec SA, which can only be Active. |
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------

  -----------------------------
  IPsec policy: r2
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 3
    Encapsulation mode: tunnel
    Perfect Forward Secrecy:
    Inside VRF: vp1
    Extended Sequence Numbers enable: Y
    Traffic Flow Confidentiality enable: N
    Path MTU: 1443
    Tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.2
    Flow:
        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip
        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

    [Inbound ESP SAs]
      SPI: 3564837569 (0xd47b1ac1)
      Connection ID: 90194313219
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      Max received sequence-number: 5
      Anti-replay check enable: Y
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
      Status: Active

    [Outbound ESP SAs]
      SPI: 801701189 (0x2fc8fd45)
      Connection ID: 64424509441
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      Max sent sequence-number: 6
      UDP encapsulation used for NAT traversal: N
      Status: Active

-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport

    [Inbound AH SA]
      SPI: 1234563 (0x0012d683)
      Connection ID: 64426789452
      Transform set: AH-SHA1
      No duration limit for this SA

    [Outbound AH SA]
      SPI: 1234563 (0x002d683)
      Connection ID: 64428999468
      Transform set: AH-SHA1
      No duration limit for this SA
Table 42: Command output
Field | Description |
---|---|
Interface | Interface to which the IPsec SA belongs. |
IPsec policy | Name of the IPsec policy. |
IPsec profile | Name of the IPsec profile. |
Sequence number | Sequence number of the IPsec policy entry. |
Mode | Negotiation mode used by the IPsec policy: Manual, ISAKMP, or GDOI. |
Flow table status | Status of the flow entries deployed by IPsec: Active or Inactive. |
Tunnel id | IPsec tunnel ID. |
Encapsulation mode | Encapsulation mode, transport or tunnel. |
Perfect Forward Secrecy | Perfect Forward Secrecy (PFS) setting used by the IPsec policy for negotiation. |
Extended Sequence Numbers enable | Whether Extended Sequence Number (ESN) is enabled. |
Traffic Flow Confidentiality enable | Whether Traffic Flow Confidentiality (TFC) padding is enabled. |
Inside VRF | VPN instance to which the protected data flow belongs. |
Path MTU | Path MTU of the IPsec SA. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel. |
sour addr | Source IP address of the data flow. |
dest addr | Destination IP address of the data flow. |
port | Port number. |
protocol | Protocol type: ip or ipv6. |
Current outbound SPI | SPI that the outbound IPsec SA currently uses. This field is displayed when the negotiation mode is GDOI. |
SPI | SPI of the IPsec SA. |
Connection ID | Identifier of the IPsec SA. |
Transform set | Security protocol and algorithms used by the IPsec transform set. |
SA duration (kilobytes/sec) | IPsec SA lifetime, as a traffic-based limit in kilobytes and a time-based limit in seconds. |
SA remaining duration (kilobytes/sec) | Remaining IPsec SA lifetime, in kilobytes and seconds. |
Max received sequence-number | Max sequence number in the received packets. |
Max sent sequence-number | Max sequence number in the sent packets. |
Anti-replay check enable | Whether anti-replay checking is enabled. |
UDP encapsulation used for NAT traversal | Whether NAT traversal is used by the IPsec SA. |
Status | Status of the IPsec SA, which can only be Active. |
No duration limit for this SA | Manually configured IPsec SAs have no lifetime limit. |
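When this output is collected from many devices, the fields above are what an operator checks: the negotiation mode (a manual SA never rekeys), whether anti-replay checking is enabled on inbound SAs, how much lifetime remains, and which security protocol is in use. The following script is an added example for this reference, not vendor code: it parses the detailed output into one record per SA and reports those conditions. The embedded sample is a constructed, trimmed copy of the example output above, with anti-replay switched off on the inbound ESP SA so that the check has something to report; the field names it matches on are exactly the ones in Table 42.

```python
"""Parse 'display ipsec sa' output and flag SA states worth an operator's attention.
Added example; not vendor code. SAMPLE_OUTPUT is a constructed, trimmed copy of the
reference's example output (anti-replay set to N on purpose to exercise the check)."""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface100
-------------------------------
  IPsec policy: r2
  Mode: ISAKMP
    Encapsulation mode: tunnel
    Tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.2
    [Inbound ESP SAs]
      SPI: 3564837569 (0xd47b1ac1)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      Anti-replay check enable: N
      Status: Active
-------------------------------
Global IPsec SA
-------------------------------
  IPsec profile: profile
  Mode: Manual
    Encapsulation mode: transport
    [Inbound AH SA]
      SPI: 1234563 (0x0012d683)
      Transform set: AH-SHA1
      No duration limit for this SA
"""

@dataclass
class IPsecSA:
    scope: str        # interface name, or "Global" for profile-based SAs
    policy: str       # IPsec policy or profile name
    mode: str         # Manual, ISAKMP or GDOI
    direction: str    # Inbound or Outbound
    protocol: str     # ESP or AH
    fields: dict = field(default_factory=dict)   # remaining "key: value" lines of the SA block

SA_HEADER = re.compile(r"^\s*\[(Inbound|Outbound) (ESP|AH) SAs?\]\s*$")
KEY_VALUE = re.compile(r"^\s*([^:\[\]]+?):\s*(.*)$")

def parse_ipsec_sa(text: str) -> list[IPsecSA]:
    """Walk the output top-down, carrying the enclosing interface/policy/mode context."""
    sas, current = [], None
    scope = policy = mode = ""
    for line in text.splitlines():
        if header := SA_HEADER.match(line):          # start of an [Inbound ...]/[Outbound ...] block
            current = IPsecSA(scope, policy, mode, header.group(1), header.group(2))
            sas.append(current)
        elif line.strip() == "Global IPsec SA":
            scope, current = "Global", None
        elif line.strip() == "No duration limit for this SA" and current:
            current.fields["No duration limit"] = "Y"
        elif kv := KEY_VALUE.match(line):
            key, value = kv.group(1).strip(), kv.group(2).strip()
            if key == "Interface":
                scope, current = value, None
            elif key in ("IPsec policy", "IPsec profile"):
                policy, current = value, None
            elif key == "Mode":
                mode = value
            elif current is not None:                # attribute of the SA block being read
                current.fields[key] = value
    return sas

def audit_sas(sas: list[IPsecSA], min_remaining_sec: int = 3600) -> list[str]:
    """Return one finding per condition an operator would want to look at."""
    findings = []
    for sa in sas:
        spi = sa.fields.get("SPI", "?").split()[0]   # decimal SPI without the hex echo
        tag = f"{sa.scope} {sa.policy} {sa.direction} {sa.protocol} SPI {spi}"
        if sa.mode == "Manual":
            findings.append(f"{tag}: manual SA with static keys and no rekey")
        if sa.direction == "Inbound" and sa.fields.get("Anti-replay check enable") == "N":
            findings.append(f"{tag}: anti-replay check disabled")
        if remaining := sa.fields.get("SA remaining duration (kilobytes/sec)"):
            _kb, sec = (int(x) for x in remaining.split("/"))
            if sec < min_remaining_sec:
                findings.append(f"{tag}: {sec} s of lifetime left, rekey due")
        if sa.protocol == "AH":
            findings.append(f"{tag}: AH gives integrity only, payload is not encrypted")
    return findings

if __name__ == "__main__":
    for finding in audit_sas(parse_ipsec_sa(SAMPLE_OUTPUT)):
        print(finding)
```

Run it against output saved from a real device by replacing SAMPLE_OUTPUT with the file contents; the parser only relies on the `Interface:`, `IPsec policy:`/`IPsec profile:`, `Mode:` and `[... SA(s)]` markers, so the extra fields shown in the full example above are captured into `fields` without further changes.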
Related commands
ipsec sa global-duration
reset ipsec sa