display ike sa

Use display ike sa to display information about IKE SAs.

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.

remote-address: Displays detailed information about IKE SAs with the specified remote address.

ipv6: Specifies an IPv6 address.

remote-address: Remote IP address.

vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays detailed information about IKE SAs for the public network.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKE SAs.

Examples

# Display summary information about all IKE SAs.

<Sysname> display ike sa
    Connection-ID  Remote          Flag        DOI
  ----------------------------------------------------------
      1            202.38.0.2      RD          IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY

Table 48: Command output

Field          Description
-------------  ---------------------------------------------------------------------------------
Connection-ID  Identifier of the IKE SA.
Remote         Remote IP address of the SA.
Flags          Status of the SA:
                 • RD--READY—The SA has been established.
                 • RL--REPLACED—The SA has been replaced by a new one and will be deleted later.
                 • FD-FADING—The SA is in use, but it is about to expire and will be deleted soon.
                 • RK-REKEY—The SA is a Rekey SA.
                 • Unknown—The SA status is unknown.
DOI            Domain of interpretation (DOI) to which the SA belongs:
                 • IPsec—The SA belongs to the IPsec DOI.

# Display detailed information about all IKE SAs.

<Sysname> display ike sa verbose
    ---------------------------------------------
    Connection ID: 2
    Outside VPN: 
    Inside VPN: 
    Profile: prof1
    Transmitting entity: Initiator
    ---------------------------------------------
    Local IP: 4.4.4.4
    Local ID type: IPV4_ADDR
    Local ID: 4.4.4.4

    Remote IP: 4.4.4.5
    Remote ID type: IPV4_ADDR
    Remote ID: 4.4.4.5

    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: SHA1
    Encryption-algorithm: AES-CBC-128

    Life duration(sec): 86400
    Remaining key duration(sec): 86379
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected

    Extend authentication: Enabled
    Assigned IP address: 192.168.2.1

# Display detailed information about the IKE SA with a remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5
    ---------------------------------------------
    Connection ID: 2
    Outside VPN: 
    Inside VPN: 
    Profile: prof1
    Transmitting entity: Initiator
    ---------------------------------------------
    Local IP: 4.4.4.4
    Local ID type: IPV4_ADDR
    Local ID: 4.4.4.4

    Remote IP: 4.4.4.5
    Remote ID type: IPV4_ADDR
    Remote ID: 4.4.4.5

    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: SHA1
    Encryption-algorithm: AES-CBC-128

    Life duration(sec): 86400
    Remaining key duration(sec): 86379
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
    NAT traversal: Not detected

    Extend authentication: Enabled
    Assigned IP address: 192.168.2.1

Table 49: Command output

Field                        Description
---------------------------  -----------------------------------------------------------------------------------
Connection ID                Identifier of the IKE SA.
Outside VPN                  VPN instance name of the MPLS L3VPN to which the receiving interface belongs.
Inside VPN                   VPN instance name of the MPLS L3VPN to which the protected data belongs.
Profile                      Name of the matching IKE profile found in the IKE SA negotiation. If no matching
                             profile is found, this field displays nothing.
Transmitting entity          Role of the IKE negotiation entity: Initiator or Responder.
Local IP                     IP address of the local gateway.
Local ID type                Identifier type of the local gateway.
Local ID                     Identifier of the local gateway.
Remote IP                    IP address of the remote gateway.
Remote ID type               Identifier type of the remote gateway.
Remote ID                    Identifier of the remote security gateway.
Authentication-method        Authentication method used by the IKE proposal.
Authentication-algorithm     Authentication algorithm used by the IKE proposal:
                               • MD5—HMAC-MD5 algorithm.
                               • SHA1—HMAC-SHA1 algorithm.
                               • SHA256—HMAC-SHA256 algorithm.
                               • SHA384—HMAC-SHA384 algorithm.
                               • SHA512—HMAC-SHA512 algorithm.
Encryption-algorithm         Encryption algorithm used by the IKE proposal:
                               • 3DES-CBC—168-bit 3DES algorithm in CBC mode.
                               • AES-CBC-128—128-bit AES algorithm in CBC mode.
                               • AES-CBC-192—192-bit AES algorithm in CBC mode.
                               • AES-CBC-256—256-bit AES algorithm in CBC mode.
                               • DES-CBC—56-bit DES algorithm in CBC mode.
Life duration(sec)           Lifetime of the IKE SA in seconds.
Remaining key duration(sec)  Remaining lifetime of the IKE SA in seconds.
Exchange-mode                IKE negotiation mode in phase 1: Main or Aggressive.
Diffie-Hellman group         DH group used for key negotiation in IKE phase 1.
NAT traversal                Whether a NAT gateway is detected.
Extend authentication        Whether extended authentication for clients is enabled.
Assigned IP address          IP address assigned to the remote peer. This field is not displayed if no IP
                             address is assigned.
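As an added example that is not part of this command reference, the following Python parses the record layout of display ike sa verbose shown above into one dictionary per SA and audits each against the algorithm values listed in Table 49. The audit policy (MD5, DES-CBC, 3DES-CBC, DH groups below 14, aggressive mode combined with a pre-shared key) and the sample text are assumptions constructed for the example, not something the page states.

```python
import re

# Constructed sample in the "display ike sa verbose" layout this page documents (not real device output).
SAMPLE = """\
    ---------------------------------------------
    Connection ID: 2
    Profile: prof1
    ---------------------------------------------
    Local IP: 4.4.4.4
    Remote IP: 4.4.4.5
    Authentication-method: PRE-SHARED-KEY
    Authentication-algorithm: SHA1
    Encryption-algorithm: AES-CBC-128
    Life duration(sec): 86400
    Remaining key duration(sec): 86379
    Exchange-mode: Main
    Diffie-Hellman group: Group 1
"""

# Audit policy (assumption, not from the page): Table 49 values that should not appear today.
WEAK_AUTH = {"MD5"}
WEAK_ENC = {"DES-CBC", "3DES-CBC"}
MIN_DH_GROUP = 14

def parse_ike_sa_verbose(text):
    """Return one dict per SA; a record starts at each 'Connection ID:' line.
    Dashed separators are skipped; splitting on the first colon keeps IPv6 values intact."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip() == "Connection ID":
            current = {}
            records.append(current)
        if current is not None:
            current[key.strip()] = value.strip()
    return records

def audit_ike_sa(sa):
    """List policy findings for one parsed SA (an empty list means it passes)."""
    findings = []
    if sa.get("Authentication-algorithm") in WEAK_AUTH:
        findings.append("weak integrity algorithm: " + sa["Authentication-algorithm"])
    if sa.get("Encryption-algorithm") in WEAK_ENC:
        findings.append("weak encryption algorithm: " + sa["Encryption-algorithm"])
    m = re.match(r"Group (\d+)", sa.get("Diffie-Hellman group", ""))
    if m and int(m.group(1)) < MIN_DH_GROUP:
        findings.append("weak DH group: " + sa["Diffie-Hellman group"])
    if sa.get("Exchange-mode") == "Aggressive" and sa.get("Authentication-method") == "PRE-SHARED-KEY":
        findings.append("aggressive mode with a pre-shared key")
    return findings
```

Run audit_ike_sa over every record returned by parse_ike_sa_verbose to get a per-connection list of findings; the page's own example (SHA1, AES-CBC-128, Main mode, Group 1) is flagged only for the DH group.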