display ipsec sa
Format
display ipsec sa [ [ brief ] [ slot slot-id cpu cpu-id ] | duration | policy policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6-address } ]
display ipsec sa [ [ brief ] [ slot slot-id cpu cpu-id ] | policy policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6-address } ] { active | standby }
display ipsec sa [ brief ] [ slot slot-id cpu cpu-id ] { all-systems | vsys vsys-name } [ active | standby ]
Parameters
| Parameter | Description | Value |
|---|---|---|
brief |
Displays brief information about all IPSec SAs. |
- |
slot slot-id cpu cpu-id |
Displays information about IPSec SAs on a specified CPU in a specified slot. Only the USG6635E/6655E, USG6680E and USG6712E/6716E support this parameter. |
The values of slot-id and cpu-id are integers and must be set according to the device configuration. |
duration |
Displays detailed information about IPSec SAs with specified lifetime. |
- |
policy policy-name |
Displays detailed information about IPSec SAs established using an IPSec policy with a specified name. |
The value must be an existing IPSec policy name. |
seq-number |
Displays detailed information about IPSec SAs established using an IPSec policy with a specified sequence number. |
The value must be an existing IPSec policy sequence number. |
profile profile-name |
Displays detailed information about IPSec SAs established using a specified IPSec profile. |
The value must be an existing IPSec profile name. |
remote ipv4-address |
Displays detailed information about IPSec SAs with the specified remote IPv4 address. |
The value is in dotted decimal notation. |
remote ipv6-address |
Displays detailed information about IPSec SAs with the specified remote IPv6 address. |
The value is in colon hexadecimal notation. |
active |
Displays SA information of the active SPU. |
- |
standby |
Displays SA information of the standby SPU. |
- |
all-systems |
Displays IPSec SA information about all systems including the root system and virtual system. NOTE:
This parameter is available only in the root system. |
- |
vsys vsys-name |
Displays IPSec SA information about the virtual system. NOTE:
This parameter is available only in the root system. |
The name of the virtual system must have been created. |
Usage Guidelines
If no parameter is specified, detailed information about all IPSec SAs is displayed.
If duration is specified, the command displays information about global IPSec SAs with specified time-based or traffic-based lifetime. For details, see the sa duration command.
During IPSec SA information backup, Holding time is not backed up and the time during which an IPSec tunnel exists is counted again.
Example
<sysname> display ipsec sa ipsec sa information: =============================== Interface: GigabitEthernet0/0/5 =============================== ----------------------------- IPSec policy name: "pc2" Sequence number : 1 Acl group : 3061/IPv4 Acl rule : 5 Mode : Template ----------------------------- Connection ID : 67108879 Encapsulation mode: Tunnel Failover state : Master Holding time : 0d 0h 4m 29s Tunnel local : 10.0.0.1/500 Tunnel remote : 10.0.0.2/500 Flow source : 10.0.0.1/255.255.255.255 17/1701 Flow destination : 10.0.0.2/255.255.255.255 17/39725 Flow dscp : af11 Flow vpn : Flow-vrf check : Disable [Outbound ESP SAs] SPI: 4055669516 (0xf1bc9b0c) Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128 SA remaining key soft duration (kilobytes/sec): 4666163/2960 SA remaining key hard duration (kilobytes/sec): 5242880/3355 Max sent sequence-number: 2377 UDP encapsulation used for NAT traversal: N SA encrypted packets (number/kilobytes): 2376/2877 [Inbound ESP SAs] SPI: 1050491168 (0x3e9d3920) Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128 SA remaining key soft duration (kilobytes/sec): 4666163/2960 SA remaining key hard duration (kilobytes/sec): 5242880/3355 Max received sequence-number: 0 UDP encapsulation used for NAT traversal: N SA decrypted packets (number/kilobytes): 2376/2877 Anti-replay : Enable Anti-replay window size: 1024 =============================== Interface: Tunnel0 =============================== ----------------------------- IPSec profile: "pc3" Mode : PROF-ISAKMP ----------------------------- Connection ID : 67108879 Encapsulation mode: Tunnel Failover state : Master Holding time : 0d 0h 4m 29s Tunnel local : 10.0.0.1/500 Tunnel remote : 10.0.0.2/500 Flow source : 10.0.0.1/255.255.255.255 47/0-65535 Flow destination : 10.0.0.2/255.255.255.255 47/0-65535 [Outbound ESP SAs] SPI: 4055669516 (0xf1bc9b0c) Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128 SA remaining key soft duration (kilobytes/sec): 4666163/2960 SA remaining key hard duration (kilobytes/sec): 5242880/3355 Max sent sequence-number: 2377 UDP encapsulation used for NAT traversal: N SA encrypted packets (number/kilobytes): 2376/2877 [Inbound ESP SAs] SPI: 1050491168 (0x3e9d3920) Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128 SA remaining key soft duration (kilobytes/sec): 4666163/2960 SA remaining key hard duration (kilobytes/sec): 5242880/3355 Max received sequence-number: 0 UDP encapsulation used for NAT traversal: N SA decrypted packets (number/kilobytes): 2376/2877 Anti-replay : Enable Anti-replay window size: 1024
Item
|
Description |
|---|---|
ipsec sa information |
Information about the IPSec SA. |
Interface |
Interface to which the IPSec policy is applied. |
IPSec policy name |
Name of the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command. |
IPSec profile name |
Name of the IPSec profile. To configure an IPSec profile, run the ipsec profile command. |
Sequence number |
Sequence number of the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command. |
Acl group |
ACL number used in the IPSec policy. To configure an ACL referenced by an IPSec policy, run the security acl command. |
Acl rule |
ID of the matched ACL rule. The ACL rule ID is not displayed if the IPSec tunnel is created manually. |
Mode |
Mode in which an IPSec policy is created:
To configure an IPSec policy, run the ipsec policy (system view) command. |
Connection ID |
ID of the IPSec SA connection. |
Encapsulation mode |
Encapsulation mode in an IPSec proposal. tunnel indicates that the encapsulation mode is tunnel mode, and transport indicates that the encapsulation mode is transport mode. To configure an encapsulation mode, run the encapsulation-mode command. |
Failover state |
SPU master/slave status:
|
Holding time |
Time elapsed since an IPSec tunnel was created. |
Tunnel local |
IP address and UDP port of the local interface. To configure the IP address and NAT traversal port of the local interface, run the tunnel local and ipsec nat-traversal source-port command. |
Tunnel remote |
IP address and UDP port of the remote interface. To configure the IP address and NAT traversal port of the remote interface, run the tunnel remote/remote-address and ipsec nat-traversal source-port command. |
Flow source |
Source IP address segment of the data flow sent from the local end and the protocol number and port number of the ACL. |
Flow destination |
Destination IP address segment of the data flow sent from the local end and the protocol number and port number of the ACL. |
Flow dscp |
DSCP value of the data flow sent from the local end. |
Flow vpn |
VPN information of data flows. |
Flow-vrf check |
Whether to enable the check of the VPN instance in a data flow during IPSec encryption/decryption:
To enable this check function, run the flow-vrf check disable command. |
Outbound ESP SAs |
Outbound IPSec SA information using ESP. |
SPI |
SPI of an SA. To configure the SPI for the SA created using a manually configured IPSec policy, run the sa spi command. The SPI is automatically generated when an IPSec policy is created in IKE negotiation mode. |
Proposal |
Name of an IPSec proposal referenced by the IPSec policy. To reference an IPSec proposal, run the proposal command. |
SA remaining key soft duration (kilobytes/sec) |
Soft remaining lifetime of an SA, in kilobytes or seconds. |
SA remaining key hard duration (kilobytes/sec) |
Hard remaining lifetime of an SA, in kilobytes or seconds. To set the SA lifetime, run the sa duration command. |
Max sent sequence-number |
Maximum sequence number of sent packets. The sequence number increases during communication and is used for anti-replay. |
UDP encapsulation used for NAT traversal |
Whether NAT traversal is enabled:
|
SA encrypted packets (number/kilobytes) |
Number of packets that are successfully encrypted using the IPSec SA. |
Inbound ESP SAs |
Inbound IPSec SA information using ESP. |
Max received sequence-number |
Maximum sequence number of received packets. |
SA decrypted packets (number/kilobytes) |
Number of packets that are successfully decrypted using the IPSec SA. |
Anti-replay |
Whether the anti-replay function is enabled for an IPSec tunnel:
To configure the anti-replay function for an IPSec tunnel, run the anti-replay enable or ipsec anti-replay enable command. |
Anti-replay window size |
IPSec anti-replay window size. This field is valid only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window or ipsec anti-replay window command. |
Src address |
IP address of the local interface. To configure the IP address of the local interface, run the tunnel local command. |
Dst address |
IP address of the remote interface. To configure the IP address of the remote interface, run the tunnel remote or remote-address command. |
VPN |
VPN instance that the IPSec tunnel belongs to. To configure a VPN instance that the IPSec tunnel belongs to, run the sa binding vpn-instance command. NOTE:
This field is unavailable in the virtual system. |
Protocol |
Security protocol used by the IPSec SA:
To configure a security protocol, run the transform command. |
Algorithm |
Authentication and encryption algorithms used by a security protocol. A indicates the authentication algorithm, and E indicates the encryption algorithm. To configure an authentication algorithm, run the ah authentication-algorithm or esp authentication-algorithm command. To configure an encryption algorithm, run the esp encryption-algorithm command. |