display ikev2 sa
Use display ikev2 sa to display the IKEv2 SA information.
Syntax
display ikev2 sa [ count | [ { local | remote } { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] ] [ verbose [ tunnel tunnel-id ] ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
count: Displays the number of IKEv2 SAs.
local: Displays IKEv2 SA information for a local IP address.
remote: Displays IKEv2 SA information for a remote IP address.
ipv4-address: Specifies a local or remote IPv4 address.
ipv6 ipv6-address: Specifies a local or remote IPv6 address.
vpn-instance vpn-instance-name: Displays information about the IKEv2 SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays information about IKEv2 SAs for the public network.
verbose: Displays detailed information. If you do not specify this keyword, the command displays the summary information.
tunnel tunnel-id: Displays detailed IKEv2 SA information for an IPsec tunnel. The tunnel-id argument specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.
Usage guidelines
If you do not specify any parameters, this command displays summary information about all IKEv2 SAs.
Examples
# Display summary information about all IKEv2 SAs.
<Sysname> display ikev2 sa
Tunnel ID   Local                       Remote                      Status
--------------------------------------------------------------------
1           1.1.1.1/500                 1.1.1.2/500                 EST
2           2.2.2.1/500                 2.2.2.2/500                 EST
Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting
# Display summary IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2
Tunnel ID   Local                       Remote                      Status
--------------------------------------------------------------------
1           1.1.1.1/500                 1.1.1.2/500                 EST
Status: IN-NEGO: Negotiating, EST: Established, DEL: Deleting
Table 53: Command output
Field | Description |
---|---|
Tunnel ID | ID of the IPsec tunnel to which the IKEv2 SA belongs. |
Local | Local IP address of the IKEv2 SA. |
Remote | Remote IP address of the IKEv2 SA. |
Status | Status of the IKEv2 SA: IN-NEGO (negotiating), EST (established), or DEL (deleting). |
# Display detailed information about all IKEv2 SAs.
<Sysname> display ikev2 sa verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: device_a
Remote ID type: FQDN
Remote ID: device_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 20 secs, retry interval 2 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
# Display detailed IKEv2 SA information for the remote IP address 1.1.1.2.
<Sysname> display ikev2 sa remote 1.1.1.2 verbose
Tunnel ID: 1
Local IP/Port: 1.1.1.1/500
Remote IP/Port: 1.1.1.2/500
Outside VRF: -
Inside VRF: -
Local SPI: 8f8af3dbf5023a00
Remote SPI: 0131565b9b3155fa
Local ID type: FQDN
Local ID: device_a
Remote ID type: FQDN
Remote ID: device_b
Auth sign method: Pre-shared key
Auth verify method: Pre-shared key
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Life duration: 86400 secs
Remaining key duration: 85604 secs
Diffie-Hellman group: MODP1024/Group2
NAT traversal: Not detected
DPD: Interval 30 secs, retry interval 10 secs
Transmitting entity: Initiator
Local window: 1
Remote window: 1
Local request message ID: 2
Remote request message ID: 2
Local next message ID: 0
Remote next message ID: 0
Pushed IP address: 192.168.1.5
Assigned IP address: 192.168.2.24
Table 54: Command output
Field | Description |
---|---|
Tunnel ID | ID of the IPsec tunnel to which the IKEv2 SA belongs. |
Local IP/Port | IP address and port number of the local security gateway. |
Remote IP/Port | IP address and port number of the remote security gateway. |
Outside VRF | Name of the VPN instance to which the protected outbound data flow belongs. If the protected outbound data flow belongs to the public network, this field displays a hyphen (-). |
Inside VRF | Name of the VPN instance to which the protected inbound data flow belongs. If the protected inbound data flow belongs to the public network, this field displays a hyphen (-). |
Local SPI | SPI that the local end uses. |
Remote SPI | SPI that the remote end uses. |
Local ID type | ID type of the local security gateway. |
Local ID | ID of the local security gateway. |
Remote ID type | ID type of the remote security gateway. |
Remote ID | ID of the remote security gateway. |
Auth sign method | Signature method that the IKEv2 proposal uses in authentication. |
Auth verify method | Verification method that the IKEv2 proposal uses in authentication. |
Integrity algorithm | Integrity protection algorithms that the IKEv2 proposal uses. |
PRF algorithm | PRF algorithms that the IKEv2 proposal uses. |
Encryption algorithm | Encryption algorithms that the IKEv2 proposal uses. |
Life duration | Lifetime of the IKEv2 SA, in seconds. |
Remaining key duration | Remaining lifetime of the IKEv2 SA, in seconds. |
Diffie-Hellman group | DH groups used in IKEv2 key negotiation. |
NAT traversal | Whether a NAT gateway is detected between the local and remote ends. |
DPD | DPD settings: the DPD interval and the retry interval, in seconds. If DPD is disabled, this field displays Disabled. |
Transmitting entity | Role of the local end in IKEv2 negotiation, initiator or responder. |
Local window | Window size that the local end uses. |
Remote window | Window size that the remote end uses. |
Local request message ID | ID of the request message that the local end is about to send. |
Remote request message ID | ID of the request message that the remote end is about to send. |
Local next message ID | ID of the message that the local end expects to receive. |
Remote next message ID | ID of the message that the remote end expects to receive. |
Pushed IP address | IP address pushed to the local end by the remote end. |
Assigned IP address | IP address assigned to the remote end by the local end. |
# Display the number of IKEv2 SAs.
[Sysname-probe] display ikev2 sa count
IKEv2 SAs count: 0
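
The verbose fields described in Table 54 are enough to audit what each IKEv2 SA actually negotiated. The following added example (not vendor code) parses display ikev2 sa verbose output captured as text and reports SAs whose algorithms fail an assumed policy. The function names, the policy, and the second SA's values in the sample are assumptions.

```python
import re

# Assumed policy (not from the vendor page): MD5, DES/3DES, MODP < 2048 bits are weak.
WEAK_DH_GROUPS = {1, 2, 5}

def _weak_dh(value):
    m = re.search(r"Group(\d+)", value)      # e.g. "MODP1024/Group2" -> 2
    return bool(m) and int(m.group(1)) in WEAK_DH_GROUPS

CHECKS = {
    "Integrity algorithm": lambda v: "MD5" in v.upper(),
    "PRF algorithm": lambda v: "MD5" in v.upper(),
    "Encryption algorithm": lambda v: bool(re.search(r"\b3?DES\b", v.upper())),
    "Diffie-Hellman group": _weak_dh,
}

def parse_sas(text):
    """Split verbose output into one dict per SA, keyed by field label."""
    sas = []
    for line in text.splitlines():
        # Split on the first colon only, so IPv6 addresses in values survive.
        key, sep, value = line.strip().partition(":")
        if sep and key == "Tunnel ID":
            sas.append({})                   # each SA record starts here
        if sep and sas:                      # prompt and blank lines are skipped
            sas[-1][key] = value.strip()
    return sas

def audit(text):
    """Return {tunnel_id: [(field, value), ...]} for SAs with weak settings."""
    report = {}
    for sa in parse_sas(text):
        hits = [(f, sa[f]) for f, weak in CHECKS.items() if f in sa and weak(sa[f])]
        if hits:
            report[sa["Tunnel ID"]] = hits
    return report

# Constructed sample: tunnel 1 uses values from the page, tunnel 2 is hypothetical.
SAMPLE = """\
<Sysname> display ikev2 sa verbose
Tunnel ID: 1
Integrity algorithm: HMAC_MD5
PRF algorithm: HMAC_MD5
Encryption algorithm: AES-CBC-192
Diffie-Hellman group: MODP1024/Group2
Tunnel ID: 2
Integrity algorithm: HMAC_SHA256
Diffie-Hellman group: MODP2048/Group14
"""
```

Calling audit(SAMPLE) flags tunnel 1 for its HMAC_MD5 integrity and PRF algorithms and for MODP1024/Group2, and reports nothing for tunnel 2.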