display ike sa
Use display ike sa to display information about IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-instance-name ] ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
remote-address: Displays detailed information about IKE SAs with the specified remote address.
ipv6: Specifies an IPv6 address.
remote-address: Remote IP address.
vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays detailed information about IKE SAs for the public network.
Usage guidelines
If you do not specify any parameters, this command displays summary information about all IKE SAs.
Examples
# Display summary information about all IKE SAs.
<Sysname> display ike sa
    Connection-ID   Remote                Flag         DOI
----------------------------------------------------------
    1               202.38.0.2            RD           IPsec
Flags: RD--READY RL--REPLACED FD-FADING RK-REKEY
Table 48: Command output
Field | Description |
---|---|
Connection-ID | Identifier of the IKE SA. |
Remote | Remote IP address of the SA. |
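Flags | Status of the SA, shown using the codes listed in the Flags legend of the output: RD (READY), RL (REPLACED), FD (FADING), RK (REKEY). |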
DOI | Interpretation domain to which the SA belongs. IPsec—The SA belongs to an IPsec DOI. |
# Display detailed information about all IKE SAs.
<Sysname> display ike sa verbose
   ---------------------------------------------
   Connection ID: 2
   Outside VPN:
   Inside VPN:
   Profile: prof1
   Transmitting entity: Initiator
   ---------------------------------------------
   Local IP: 4.4.4.4
   Local ID type: IPV4_ADDR
   Local ID: 4.4.4.4
   Remote IP: 4.4.4.5
   Remote ID type: IPV4_ADDR
   Remote ID: 4.4.4.5
   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: AES-CBC-128
   Life duration(sec): 86400
   Remaining key duration(sec): 86379
   Exchange-mode: Main
   Diffie-Hellman group: Group 1
   NAT traversal: Not detected
   Extend authentication: Enabled
   Assigned IP address: 192.168.2.1
# Display detailed information about the IKE SA with a remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
   ---------------------------------------------
   Connection ID: 2
   Outside VPN:
   Inside VPN:
   Profile: prof1
   Transmitting entity: Initiator
   ---------------------------------------------
   Local IP: 4.4.4.4
   Local ID type: IPV4_ADDR
   Local ID: 4.4.4.4
   Remote IP: 4.4.4.5
   Remote ID type: IPV4_ADDR
   Remote ID: 4.4.4.5
   Authentication-method: PRE-SHARED-KEY
   Authentication-algorithm: SHA1
   Encryption-algorithm: AES-CBC-128
   Life duration(sec): 86400
   Remaining key duration(sec): 86379
   Exchange-mode: Main
   Diffie-Hellman group: Group 1
   NAT traversal: Not detected
   Extend authentication: Enabled
   Assigned IP address: 192.168.2.1
Table 49: Command output
Field | Description |
---|---|
Connection ID | Identifier of the IKE SA. |
Outside VPN | VPN instance name of the MPLS L3VPN to which the receiving interface belongs. |
Inside VPN | VPN instance name of the MPLS L3VPN to which the protected data belongs. |
Profile | Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing. |
Transmitting entity | Role of the IKE negotiation entity: Initiator or Responder. |
Local IP | IP address of the local gateway. |
Local ID type | Identifier type of the local gateway. |
Local ID | Identifier of the local gateway. |
Remote IP | IP address of the remote gateway. |
Remote ID type | Identifier type of the remote gateway. |
Remote ID | Identifier of the remote security gateway. |
Authentication-method | Authentication method used by the IKE proposal. |
Authentication-algorithm | Authentication algorithm used by the IKE proposal. |
Encryption-algorithm | Encryption algorithm used by the IKE proposal. |
Life duration(sec) | Lifetime of the IKE SA in seconds. |
Remaining key duration(sec) | Remaining lifetime of the IKE SA in seconds. |
Exchange-mode | IKE negotiation mode in phase 1: Main or Aggressive. |
Diffie-Hellman group | DH group used for key negotiation in IKE phase 1. |
NAT traversal | Whether a NAT gateway is detected. |
Extend authentication | Whether extended authentication for clients is enabled. |
Assigned IP address | IP address assigned to the remote peer. This field is not displayed if no IP address is assigned. |
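As an added example (not part of the vendor documentation), the following Python parses display ike sa verbose output into one record per SA and reports the fields that match a local baseline. The sample text is constructed in the layout shown above; the FLAGGED baseline values and the function names are assumptions to adapt.

```python
import re

# Constructed sample in the field layout of `display ike sa verbose` (two SAs).
SAMPLE = """\
<Sysname> display ike sa verbose
---------------------------------------------
Connection ID: 2
Profile: prof1
---------------------------------------------
Remote IP: 4.4.4.5
Authentication-algorithm: SHA1
Exchange-mode: Main
Diffie-Hellman group: Group 1
---------------------------------------------
Connection ID: 7
Profile:
---------------------------------------------
Remote IP: 2001:db8::5
Authentication-algorithm: SHA256
Exchange-mode: Aggressive
Diffie-Hellman group: Group 14
"""

# Assumed local baseline (not from the command reference); edit to match yours.
FLAGGED = {
    "Authentication-algorithm": {"SHA1"},
    "Diffie-Hellman group": {"Group 1"},
    "Exchange-mode": {"Aggressive"},
}

def parse_ike_sas(text):
    """Split verbose output into one dict per SA, keyed by field name."""
    sas = []
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][^:]*):\s*(.*)$", line)
        if not m:
            continue  # prompt line, separator rows, blank lines
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Connection ID":
            sas.append({})  # every SA record starts at its Connection ID
        if sas:
            sas[-1][key] = value
    return sas

def audit(sas, flagged=FLAGGED):
    """Return (connection ID, remote IP, field, value) for each baseline hit."""
    return [(sa.get("Connection ID"), sa.get("Remote IP"), field, sa[field])
            for sa in sas for field, bad in flagged.items()
            if sa.get(field) in bad]
```

Fields that the device prints with no value, such as Profile when no IKE profile matched, are kept as empty strings so a missing profile can be told apart from a missing field.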