display ikev2 sa

Use display ikev2 sa to display the IKEv2 SA information.

Syntax

display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

mdc-admin

mdc-operator

Parameters

count: Displays the number of IKEv2 SAs.

local: Displays IKEv2 SA information for a local IP address.

remote: Displays IKEv2 SA information for a remote IP address.

ipv4-address: Specifies a local or remote IPv4 address.

ipv6 ipv6-address: Specifies a local or remote IPv6 address.

vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.

verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.

tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

Usage guidelines

If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.

Examples

# Display summary information about all IKEv2 SAs.

<Sysname> display ikev2 sa
     Tunnel ID          Local             Remote             Status
  --------------------------------------------------------------------
     1                  1.1.1.1/500       1.1.1.2/500        EST
     2                  2.2.2.1/500       2.2.2.2/500        EST
  Status:
  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2
     Tunnel ID          Local             Remote             Status
  --------------------------------------------------------------------
     1                  1.1.1.1/500       1.1.1.2/500        EST
  Status:
  IN-NEGO: Negotiating, EST: Established, DEL: Deleting

Table 53: Command output

Field

Description

Tunnel ID

ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local

Local IP address of the IKEv2 SA.

Remote

Remote IP address of the IKEv2 SA.

Status

Status of the IKEv2 SA:

  • IN-NEGO (Negotiating)—The IKEv2 SA is under negotiation.

  • EST (Established)—The IKEv2 SA has been set up.

  • DEL (Deleting)—The IKEv2 SA is about to be deleted.

# Display detailed information about all IKEv2 SAs.

<Sysname> display ikev2 sa verbose
  Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Outside VRF: -
  Inside VRF: -
  Local SPI: 8f8af3dbf5023a00
  Remote SPI: 0131565b9b3155fa

  Local ID type: FQDN
  Local ID: device_a
  Remote ID type: FQDN
  Remote ID: device_b

  Auth sign method: Pre-shared key
  Auth verify method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192

  Life duration: 86400 secs
  Remaining key duration: 85604 secs
  Diffie-Hellman group: MODP1024/Group2
  NAT traversal: Not detected
  DPD: Interval 20 secs, retry interval 2 secs
  Transmitting entity: Initiator

  Local window: 1
  Remote window: 1
  Local request message ID: 2
  Remote request message ID: 2
  Local next message ID: 0
  Remote next message ID: 0

  Pushed IP address: 192.168.1.5
  Assigned IP address: 192.168.2.24

# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.

<Sysname> display ikev2 sa remote 1.1.1.2 verbose
  Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Outside VRF: -
  Inside VRF: -
  Local SPI: 8f8af3dbf5023a00
  Remote SPI: 0131565b9b3155fa

  Local ID type: FQDN
  Local ID: device_a
  Remote ID type: FQDN
  Remote ID: device_b

  Auth sign method: Pre-shared key
  Auth verify method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192

  Life duration: 86400 secs
  Remaining key duration: 85604 secs
  Diffie-Hellman group: MODP1024/Group2
  NAT traversal: Not detected
  DPD: Interval 30 secs, retry interval 10 secs
  Transmitting entity: Initiator

  Local window: 1
  Remote window: 1
  Local request message ID: 2
  Remote request message ID: 2
  Local next message ID: 0
  Remote next message ID: 0

  Pushed IP address: 192.168.1.5
  Assigned IP address: 192.168.2.24

Table 54: Command output

Field

Description

Tunnel ID

ID of the IPsec tunnel to which the IKEv2 SA belongs.

Local IP/Port

IP address and port number of the local security gateway.

Remote IP/Port

IP address and port number of the remote security gateway.

Outside VRF

Name of the VPN instance to which the protected outbound data flow belongs.

If the protected outbound data flow belongs to the public network, this field displays a hyphen (-).

Inside VRF

Name of the VPN instance to which the protected inbound data flow belongs.

If the protected inbound data flow belongs to the public network, this field displays a hyphen (-).

Local SPI

SPI that the local end uses.

Remote SPI

SPI that the remote end uses.

Local ID type

ID type of the local security gateway.

Local ID

ID of the local security gateway.

Remote ID type

ID type of the remote security gateway.

Remote ID

ID of the remote security gateway.

Auth sign method

Signature method that the IKEv2 proposal uses in authentication.

Auth verify method

Verification method that the IKEv2 proposal uses in authentication.

Integrity algorithm

Integrity protection algorithms that the IKEv2 proposal uses.

PRF algorithm

PRF algorithms that the IKEv2 proposal uses.

Encryption algorithm

Encryption algorithms that the IKEv2 proposal uses.

Life duration

Lifetime of the IKEv2 SA, in seconds.

Remaining key duration

Remaining lifetime of the IKEv2 SA, in seconds.

Diffie-Hellman group

DH groups used in IKEv2 key negotiation.

NAT traversal

Whether a NAT gateway is detected between the local and remote ends.

DPD

DPD settings:

  • Detection interval in seconds.

  • Retry interval in seconds.

If DPD is disabled, this field displays Disabled.

Transmitting entity

Role of the local end in IKEv2 negotiation, initiator or responder.

Local window

Window size that the local end uses.

Remote window

Window size that the remote end uses.

Local request message ID

ID of the request message that the local end is about to send.

Remote request message ID

ID of the request message that the remote end is about to send.

Local next message ID

ID of the message that the local end expects to receive.

Remote next message ID

ID of the message that the remote end expects to receive.

Pushed IP address

IP address pushed to the local end by the remote end.

Assigned IP address

IP address assigned to the remote end by the local end.

# Display the number of IKEv2 SAs.

[Sysname-probe] display ikev2 sa count
IKEv2 SAs count: 0
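As an added example that is not part of the Comware documentation, the following Python script parses the display ikev2 sa verbose output shown above into one field map per tunnel and flags SA parameters an auditor would want changed. The sample text is constructed in the layout of this page's output; the checks (MD5-based integrity or PRF, a MODP group below 2048 bits) are this script's own policy, not a device setting.

```python
import re

# Constructed sample in the layout of this page's "display ikev2 sa verbose"
# output (one tunnel, only the fields the audit reads); not real device output.
SAMPLE = """\
  Tunnel ID: 1
  Local IP/Port: 1.1.1.1/500
  Remote IP/Port: 1.1.1.2/500
  Auth sign method: Pre-shared key
  Integrity algorithm: HMAC_MD5
  PRF algorithm: HMAC_MD5
  Encryption algorithm: AES-CBC-192
  Life duration: 86400 secs
  Remaining key duration: 85604 secs
  Diffie-Hellman group: MODP1024/Group2
  Remote request message ID:2
"""

FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")  # tolerates a missing space after ':'

def parse_verbose(text):
    """Split verbose output into one {field: value} dict per 'Tunnel ID:' block."""
    sas, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # blank separator lines between field groups
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Tunnel ID":
            cur = {}  # a new SA block starts at every Tunnel ID line
            sas.append(cur)
        if cur is not None:
            cur[key] = val
    return sas

def audit(sa):
    """Return finding strings for one SA: MD5 integrity/PRF and DH modulus < 2048 bits."""
    findings = []
    for fld in ("Integrity algorithm", "PRF algorithm"):
        if "MD5" in sa.get(fld, ""):
            findings.append(f"{fld} uses MD5")
    m = re.match(r"MODP(\d+)", sa.get("Diffie-Hellman group", ""))
    if m and int(m.group(1)) < 2048:
        findings.append(f"DH modulus {m.group(1)} bits, below 2048")
    return findings

def audit_output(text):
    """Map each Tunnel ID to its findings for a whole verbose listing."""
    return {sa["Tunnel ID"]: audit(sa) for sa in parse_verbose(text)}
```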