
display ike sa

Function

The display ike sa command displays information about SAs established through IKE negotiation.

Format

display ike sa [ remote { ipv4-address | ipv6-address } ] [ slot slot-id cpu cpu-id ] [ active | standby ]

display ike sa [ slot slot-id cpu cpu-id ] [ active | standby ] [ remote-id-type remote-id-type ] remote-id remote-id

display ike sa verbose { remote { ipv4-address | ipv6-address } | connection-id connection-id | [ remote-id-type remote-id-type ] remote-id remote-id }

display ike sa [ slot slot-id cpu cpu-id ] { all-systems | vsys vsys-name } [ active | standby ]

Parameters

Parameter Description Value

remote ipv4-address

Specifies the IPv4 address of the remote peer.

The value is in dotted decimal notation.

remote ipv6-address

Specifies the IPv6 address of the remote peer.

The value is in colon hexadecimal notation.

remote-id-type remote-id-type

Specifies a remote ID type.

The remote ID type can be ip, dn, esn, fqdn, or user-fqdn.

remote-id remote-id

Specifies the remote ID.

The remote ID must already exist (it is the value configured with the remote-id command for the IKE peer).

slot slot-id cpu cpu-id

Displays information about SAs on the specified slot and CPU. Only the USG6635E/6655E, USG6680E, and USG6712E/6716E support this parameter.

The values of slot-id and cpu-id are integers and must be set according to the device configuration.

active

Displays SA information of the active SPU.

-

standby

Displays SA information of the standby SPU.

-

verbose

Displays detailed information about SAs.

-

connection-id connection-id

Specifies the connection ID of an SA.

The value is an integer that ranges from 1 to 4294967295.

all-systems

Displays SA information of all systems, including the root system and every virtual system.

NOTE:

This parameter is available only in the root system.

-

vsys vsys-name

Displays SA information of the virtual system.

NOTE:

This parameter is available only in the root system.

The virtual system must already exist.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ike sa command to check the following SA information: connection ID, peer IP address, VPN instance name, SA phase, remote ID type, remote ID, and SA status.

If the local ID or remote ID is modified after an IPSec tunnel has been established, the display ike sa command keeps showing the IDs used in the original negotiation; the new IDs appear only after the tunnel is renegotiated.

Example

# Display SA information of all systems.
<sysname> display ike sa all-systems
IKE SA information :
   Conn-ID    Peer             VPN     Flag(s)      Phase   RemoteType  RemoteID
  ------------------------------------------------------------------------------------
   83886142   1.1.1.1/500             RD|ST|A      v2:2    IP          1.1.1.1
   83886137   1.1.1.1/500             RD|A         v2:1    IP          1.1.1.1
   134217773  2.2.1.2/500             RD|A         v2:2    IP          2.2.1.2
   134217765  2.2.1.2/500             RD|A         v2:1    IP          2.2.1.2

  Number of IKE SA : 4
  ------------------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Display IKE SAs and IPSec SAs.

<sysname> display ike sa
IKE SA information :
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    117477244   10.1.1.1/4500   vrf1  RD|M     v2:2   FQDN        huawei
    117477242   10.1.1.1/4500   vrf1  RD|M     v2:1   FQDN        huawei

  Number of IKE SA : 2
  -----------------------------------------------------------------------------

  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING                     
Table 1 Description of the display ike sa command output
Item
Description

IKE SA information

Summary of the SAs established through IKE negotiation, one row per SA.

Conn-ID

Connection ID of an SA.

Peer

IP address and UDP port number of the peer.

VPN

VPN instance bound to the interface to which the IPSec policy is applied.

NOTE:

This field is unavailable in the virtual system.

Flag(s)

SA status:

  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received a heartbeat packet since the last heartbeat timeout. The SA will be deleted if no heartbeat packet arrives before the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO.: The SA records the last known good sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty: No flag is shown while IKE SA negotiation is still in progress; a row that stays empty usually means the settings at the two ends of the tunnel are inconsistent.

Phase

Phases of the SA:

  • v1:1 or v2:1: v1 and v2 are the IKE versions. The digit 1 indicates phase 1, in which the secure channel (the IKE SA) is established.
  • v1:2 or v2:2: v1 and v2 are the IKE versions. The digit 2 indicates phase 2, in which the security service (the IPSec SA) is negotiated.

RemoteType

Remote ID type.

RemoteID

Remote ID.
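The summary table described in Table 1 is what an operator scripts against when checking tunnel health. The following Python script is an added example and not Huawei code: it parses the "IKE SA information" table, decodes Flag(s) using the legend the command prints, and reports rows that are not READY, have timed out or are fading, or whose peer has an IKE SA row but no IPSec SA row. The sample output embedded in it is constructed to follow the page's format, and the health rules are the example's own choices.

```python
"""Parse the summary table of `display ike sa` and report SAs that need
attention.  Added example for this page, not Huawei code; the sample output
below is constructed to follow the format of the page's examples."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Flag codes from the command's own "Flag Description" legend.
FLAG_MEANING = {
    "RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED", "FD": "FADING",
    "TO": "TIMEOUT", "HRT": "HEARTBEAT", "LKG": "LAST KNOWN GOOD SEQ NO.",
    "BCK": "BACKED UP", "M": "ACTIVE", "S": "STANDBY", "A": "ALONE",
    "NEG": "NEGOTIATING",
}


@dataclass
class IkeSaEntry:
    conn_id: int
    peer: str              # "address/udp-port"
    vpn: str               # "" when no VPN instance is bound
    flags: tuple[str, ...]
    version: int           # 1 = IKEv1, 2 = IKEv2
    phase: int             # 1 = IKE SA, 2 = IPSec SA
    remote_type: str
    remote_id: str


# One table row.  VPN and Flag(s) are both optional: the page notes that an SA
# whose negotiation has not completed shows an empty Flag(s) column.
_ROW = re.compile(
    r"^\s*(?P<conn>\d+)\s+(?P<peer>\S+)\s+(?:(?P<vpn>[^\s|]+)\s+)?"
    r"(?P<flags>[A-Z]+(?:\|[A-Z]+)*)?\s+v(?P<ver>[12]):(?P<phase>[12])\s+"
    r"(?P<rtype>\S+)\s+(?P<rid>\S+)\s*$"
)


def parse_ike_sa(text: str) -> list[IkeSaEntry]:
    """Return one IkeSaEntry per row of the 'IKE SA information' table."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue                           # header, separators, legend
        vpn, flags = m["vpn"] or "", m["flags"]
        # A "VPN" made only of flag codes on a row with no separate flag field
        # is really the flag field of a row that has no VPN instance.
        if flags is None and vpn and all(t in FLAG_MEANING for t in vpn.split("|")):
            vpn, flags = "", vpn
        entries.append(IkeSaEntry(
            conn_id=int(m["conn"]), peer=m["peer"], vpn=vpn,
            flags=tuple(flags.split("|")) if flags else (),
            version=int(m["ver"]), phase=int(m["phase"]),
            remote_type=m["rtype"], remote_id=m["rid"],
        ))
    return entries


def assess(entries: list[IkeSaEntry]) -> list[str]:
    """Turn raw rows into findings an operator would act on (example policy)."""
    findings = []
    for e in entries:
        where = f"conn {e.conn_id} peer {e.peer} v{e.version}:{e.phase}"
        if not e.flags:
            findings.append(f"{where}: no flags, negotiation incomplete; check that both ends' settings match")
        elif "RD" not in e.flags:
            findings.append(f"{where}: not READY ({'|'.join(e.flags)})")
        if "TO" in e.flags:
            findings.append(f"{where}: heartbeat TIMEOUT, peer not responding; SA is deleted at the next timeout")
        if "FD" in e.flags:
            findings.append(f"{where}: soft lifetime expired (FADING), rekey pending")
        if "RL" in e.flags:
            findings.append(f"{where}: REPLACED by a newer SA, will age out")
    # Each peer/VPN pair should show both a phase-1 (IKE SA) and a phase-2 (IPSec SA) row.
    phases = defaultdict(set)
    for e in entries:
        phases[(e.peer, e.vpn)].add(e.phase)
    for (peer, vpn), seen in sorted(phases.items()):
        if 1 in seen and 2 not in seen:
            findings.append(f"peer {peer} vpn {vpn or '-'}: IKE SA up but no IPSec SA negotiated")
        if 2 in seen and 1 not in seen:
            findings.append(f"peer {peer} vpn {vpn or '-'}: IPSec SA listed without an IKE SA row")
    return findings


# Constructed sample in the page's summary format (not a real capture).
SAMPLE = """\
<sysname> display ike sa
IKE SA information :
    Conn-ID     Peer            VPN   Flag(s)  Phase  RemoteType  RemoteID
  -----------------------------------------------------------------------------
    117477244   10.1.1.1/4500   vrf1  RD|M     v2:2   FQDN        huawei
    117477242   10.1.1.1/4500   vrf1  RD|M     v2:1   FQDN        huawei
    83886137    1.1.1.1/500           RD|TO|A  v1:1   IP          1.1.1.1
    134217765   2.2.1.2/500                    v2:1   IP          2.2.1.2

  Number of IKE SA : 4
  -----------------------------------------------------------------------------
"""

if __name__ == "__main__":
    for finding in assess(parse_ike_sa(SAMPLE)):
        print(finding)
```

Run it against the saved output of display ike sa (or display ike sa all-systems, which has the same row layout); rows with an empty VPN column and rows with an empty Flag(s) column are both handled, since the page documents both.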

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv1 to negotiate IPSec SAs.

<sysname> display ike sa verbose remote 10.1.1.1
 
Spu board slot 1, cpu 1 ike sa verbose information :
-----------------------------------------------
Ike Sa phase   : 2
Establish Time : 2015-09-18 18:58:24
PortCfg Index  : 0xe
IKE Peer Name  : a
Connection Id  : 67126707
Version        : v1
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie        : 0x a7b1c107a7a67b1
Responder Cookie        : 0xf70b111e391f79a9
Local Address           : 10.2.2.2/500
Remote Address          : 10.1.1.1/4500
PFS                     : dh-group14
Flags                   : RD|ST|S
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2015-09-18 18:58:24
PortCfg Index  : 0xe
IKE Peer Name  : a
Connection Id  : 67125326
Version        : v1 Exchange Mode  : Main 
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie               : 0x a7b1c107a7a67b1
Responder Cookie               : 0xf70b111e391f79a9
Local Address                  : 10.2.2.2/500
Remote Address                 : 10.1.1.1/4500
Encryption Algorithm           : AES-256
Authentication Algorithm       : SHA2-256
Authentication Method          : Pre-Shared key
DPD Capability                 : Yes 
DPD Enable                     : No 
DPD Message Learning Enable    : Yes
DPD Message Format             : Seq-Notify-Hash 
Reference Counter              : 60
Flags                          : RD|ST|S
Remote Id Type                 : IP
Remote Id                      : 10.1.1.1 
DH Group                       : group14 
NAT Traversal Version          : RFC3947 
ModeCfg IP                     : 10.10.1.1 
SA Remaining Soft Timeout (sec):100 
SA Remaining Hard Timeout (sec):200
------------------------------------------------
                                                                                
  Number of IKE SA : 2
------------------------------------------------
 Total number of IKE SA in all CPU : 2       
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv2 to negotiate IPSec SAs.

<sysname> display ike sa verbose remote 10.1.1.1
  
Spu board slot 1, cpu 1 ike sa verbose information :
------------------------------------------------                                
Ike Sa phase   : 2
Establish Time : 2015-09-18 18:58:24
PortCfg Index  : 0x4                                                            
IKE Peer Name  : test                                                          
Connection Id  : 117440514                                                      
Version        : v2                                                             
Flow VPN       :                                                                
Peer VPN       :                                                                
------------------------------------------------                                
Initiator Cookie        : 0x10dbb95cdb031726
Responder Cookie        : 0x4ba2840bddcf74fd                                    
Local Address           : 10.2.2.2/500
Remote Address          : 10.1.1.1/4500
PFS                     : dh-group14
Flags                   : RD|ST|A
------------------------------------------------                                
                                                                                
------------------------------------------------                                
Ike Sa phase   : 1
Establish Time : 2015-09-18 18:58:24
PortCfg Index  : 0x4                                                            
IKE Peer Name  : test                                                          
Connection Id  : 117440513                                                      
Version        : v2 
Flow VPN       :                                                                
Peer VPN       :                                                                
------------------------------------------------                                
Initiator Cookie                       : 0x10dbb95cdb031726
Responder Cookie                       : 0x4ba2840bddcf74fd                                    
Local Address                          : 10.2.2.2/500
Remote Address                         : 10.1.1.1/4500
Encryption Algorithm                   : AES-256                                               
Authentication Method                  : Pre-Shared key                                        
Integrity Algorithm                    : hmac-sha2-256                                         
Prf Algorithm                          : hmac-sha2-256 
DPD Capability                         : Yes 
DPD Enable                             : Yes 
Reference Counter                      : 1                                                     
Flags                                  : RD|ST|A  
Remote Id Type                         : IP 
Remote Id                              : 10.1.1.1 
DH Group                               : group14 
Re-authentication remaining time (sec) : -   
IKEv2 fragmentation negotiation success: No 
ModeCfg IP                             : 10.10.1.1 
SA Remaining Soft Timeout (sec)        :100 
SA Remaining Hard Timeout (sec)        :200
------------------------------------------------
                                                                                
  Number of IKE SA : 2
------------------------------------------------
 Total number of IKE SA in all CPU : 2       
                                                     
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
Table 2 Description of the display ike sa verbose command output
Item
Description

Spu board slot 1, cpu 1 ike sa verbose information :

Verbose SA information for CPU 1 of the SPU in slot 1.

Ike Sa phase

Phases of the SA:

  • 1: IKE peers authenticate each other and set up a secure channel. An IKE SA is established in this phase.
  • 2: IKE peers negotiate the security service over that channel. An IPSec SA is established in this phase.

Establish Time

Time when the SA was created.

PortCfg Index

Index of the interface to which the IPSec policy is applied.

IKE Peer Name

IKE peer name. To configure an IKE peer, run the ike peer command.

Connection Id

Connection ID of an SA.

Version

IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.

To configure an IKE version, run the version (IKE peer view) command.

Exchange Mode

Negotiation mode of IKEv1 phase 1 (shown only for IKEv1 SAs).

  • Main: main mode.
  • Aggressive: aggressive mode.

Aggressive mode sends the identity payloads before the channel is encrypted and, with pre-shared key authentication, lets an on-path observer capture a PSK-derived hash for offline guessing; prefer main mode. To configure the negotiation mode, run the exchange-mode command.

Flow VPN

VPN instance to which the protected data flow belongs. To configure it, run the sa binding vpn-instance command.

NOTE:

This field is unavailable in the virtual system.

Peer VPN

VPN instance to which the peer belongs. To configure it, run the sa binding vpn-instance command.

NOTE:

This field is unavailable in the virtual system.

Initiator Cookie

Cookie of the initiator.

Responder Cookie

Cookie of the responder.

Local Address

Local IP address of an IPSec tunnel. To configure the local IP address of an IPSec tunnel, run the tunnel local command.

Remote Address

Remote IP address and UDP port number of an IPSec tunnel. To configure the remote IP address of an IPSec tunnel, run the tunnel remote command.

Encryption Algorithm

Encryption algorithm in the IKE proposal. To configure an encryption algorithm, run the encryption-algorithm command.

Authentication Algorithm

Authentication algorithm in the IKE proposal. To configure an authentication algorithm, run the authentication-algorithm command.

Authentication Method

Authentication method in the IKE proposal. To configure an authentication method, run the authentication-method command.

Integrity Algorithm

Integrity algorithm used in an IKEv2 proposal. To configure an integrity algorithm, run the integrity-algorithm command.

Prf Algorithm

Pseudo-random function (PRF) used in an IKEv2 proposal. To configure a PRF algorithm, run the prf command.

DPD Capability

Whether DPD capability is successfully negotiated.
  • Yes
  • No

DPD Enable

Whether the DPD function is enabled.
  • Yes
  • No

To enable this function, run the dpd type command.

DPD Message Learning Enable

Whether automatic learning of the payload sequence of DPD packets is enabled.

  • Yes
  • No

To configure the automatic learning function, run the dpd msg notify-hash-sequence learning command.

DPD Message Format

Sequence of the payload in DPD packets.
  • Seq-Notify-Hash
  • Seq-Hash-Notify

Reference Counter

Number of IPSec SAs negotiated by the IKE SA.

PFS

DH group used for Perfect Forward Secrecy (PFS) when the local end initiates IPSec SA negotiation. To enable this function, run the pfs command.

Flags

SA status:

  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received a heartbeat packet since the last heartbeat timeout. The SA will be deleted if no heartbeat packet arrives before the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO.: The SA records the last known good sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty: No flag is shown while IKE SA negotiation is still in progress; a row that stays empty usually means the settings at the two ends of the tunnel are inconsistent.

Remote Id Type

Remote ID type. To configure the remote ID type, run the remote-id-type command.

Remote Id

Remote ID for IKE negotiation. To configure the remote ID, run the remote-id command.

DH Group

DH group in the IKE proposal. To configure a DH group, run the dh command.

NAT Traversal Version

Version of NAT traversal.
  • draft-ietf-ipsec-nat-t-ike-00
  • draft-ietf-ipsec-nat-t-ike-02
  • RFC3947

Re-authentication remaining time (sec)

Remaining time for IKEv2 to initiate re-authentication, in seconds.

When an IKEv2 re-authentication interval is configured and the device is the responder, the device does not initiate re-authentication, so this field shows - in the command output. View the remaining time on the initiator instead.

IKEv2 fragmentation negotiation success

Whether IKEv2 fragmentation negotiation succeeds:

  • Yes
  • No

ModeCfg IP

IP address allocated through mode configuration.

SA Remaining Soft Timeout (sec)

Soft remaining lifetime of an IKE SA, in seconds.

SA Remaining Hard Timeout (sec)

Hard remaining lifetime of an IKE SA, in seconds.

Number of IKE SA

Total number of IKE SAs and IPSec SAs.

Total number of IKE SA in all CPU

Total number of IKE SAs and IPSec SAs on all CPUs.
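Table 2 lists the negotiated parameters an auditor cares about: IKE version, exchange mode, encryption and hash algorithms, DH group, NAT-T version, DPD state, and PFS. The following Python script is an added example and not Huawei code: it parses display ike sa verbose output into one record per SA block (handling lines that carry two fields, such as "Version : v1 Exchange Mode : Main") and applies a minimum policy of IKEv2, no DES/3DES, no MD5/SHA1, DH group14 or larger, RFC3947 NAT-T, DPD enabled, and PFS on phase 2. The thresholds, the embedded sample output, and the strings assumed to mean "no PFS" are the example's own constructions.

```python
"""Audit `display ike sa verbose` output for weak negotiation parameters.
Added example for this page, not Huawei code.  The policy thresholds are the
example's own, and the sample output is constructed in the page's format."""
import re

# A line carrying two "Key : value" pairs, e.g. "Version : v1 Exchange Mode : Main".
_TWO_FIELDS = re.compile(
    r"^(?P<k1>[^:]+?)\s*:\s*(?P<v1>\S+)\s+(?P<k2>[A-Za-z][^:]*?)\s*:\s*(?P<v2>.*)$"
)

WEAK_CIPHERS = {"DES", "3DES", "DES-CBC", "3DES-CBC"}   # example policy
WEAK_HASHES = ("MD5", "SHA1", "SHA-1")                  # example policy
MIN_DH_GROUP = 14          # 2048-bit MODP; group1/2/5 are 768/1024/1536-bit


def parse_verbose(text: str) -> list[dict]:
    """One dict of field -> value per SA block.  A block starts at 'Ike Sa phase';
    dashed separators are skipped and the 'Number of IKE SA' trailer ends parsing."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or ":" not in line:
            continue
        m = _TWO_FIELDS.match(line)
        pairs = ([(m["k1"], m["v1"]), (m["k2"], m["v2"])] if m
                 else [tuple(s.strip() for s in line.split(":", 1))])
        for key, value in pairs:
            if key == "Ike Sa phase":
                current = {}
                records.append(current)
            elif key.startswith("Number of IKE SA"):
                current = None
            if current is not None:
                current[key] = value.strip()
    return records


def audit(records: list[dict]) -> list[str]:
    """Apply the example policy to each SA block and return findings."""
    findings = []
    for r in records:
        phase = r.get("Ike Sa phase")
        tag = f"conn {r.get('Connection Id', '?')} phase {phase}"
        if phase == "1":
            if r.get("Version") == "v1":
                findings.append(f"{tag}: IKEv1 in use; migrate the peer to IKEv2")
            if (r.get("Exchange Mode") == "Aggressive"
                    and r.get("Authentication Method", "").lower().startswith("pre-shared")):
                findings.append(f"{tag}: aggressive mode with a pre-shared key exposes a PSK-derived hash to offline cracking")
            enc = r.get("Encryption Algorithm", "").upper()
            if enc in WEAK_CIPHERS:
                findings.append(f"{tag}: weak encryption {enc}")
            for field in ("Authentication Algorithm", "Integrity Algorithm", "Prf Algorithm"):
                alg = r.get(field, "").upper()
                if alg and any(w in alg for w in WEAK_HASHES):
                    findings.append(f"{tag}: weak {field.lower()} {alg}")
            g = re.search(r"group(\d+)", r.get("DH Group", ""))
            if g and int(g.group(1)) < MIN_DH_GROUP:
                findings.append(f"{tag}: DH group{g.group(1)} is below 2048-bit MODP (group{MIN_DH_GROUP})")
            if r.get("NAT Traversal Version", "").startswith("draft"):
                findings.append(f"{tag}: pre-standard NAT-T {r['NAT Traversal Version']}; RFC3947 expected")
            if r.get("DPD Enable") == "No":
                findings.append(f"{tag}: DPD disabled; dead peers persist until the hard lifetime expires")
        elif phase == "2":
            pfs = r.get("PFS", "").lower()
            if pfs in ("", "-", "none"):          # assumed representations of "no PFS"
                findings.append(f"{tag}: no PFS; compromise of the IKE SA keys exposes this IPSec SA")
            else:
                g = re.search(r"group(\d+)", pfs)
                if g and int(g.group(1)) < MIN_DH_GROUP:
                    findings.append(f"{tag}: PFS {pfs} is below 2048-bit MODP")
    return findings


# Constructed IKEv1 sample with deliberately weak settings (not a real capture).
SAMPLE = """\
Spu board slot 1, cpu 1 ike sa verbose information :
------------------------------------------------
Ike Sa phase   : 2
Connection Id  : 67126707
Version        : v1
------------------------------------------------
Remote Address          : 10.1.1.1/4500
PFS                     : dh-group2
------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2015-09-18 18:58:24
Connection Id  : 67125326
Version        : v1 Exchange Mode  : Aggressive
------------------------------------------------
Encryption Algorithm           : 3DES
Authentication Algorithm       : MD5
Authentication Method          : Pre-Shared key
DPD Enable                     : No
DH Group                       : group2
NAT Traversal Version          : draft-ietf-ipsec-nat-t-ike-02
SA Remaining Hard Timeout (sec):200
------------------------------------------------
  Number of IKE SA : 2
"""
```

The parser keys records by the field names exactly as the device prints them (the same names Table 2 uses), so the policy checks can be extended by adding lookups for other fields in the table, such as the ModeCfg IP or the remaining lifetimes.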

Copyright © Huawei Technologies Co., Ltd.