display ipsec sa
Syntax
display ipsec sa [ brief | policy policy-name [ seq-number ] | remote ip-address ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec SAs.
policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.
policy-name: Name of the IPsec policy, a string 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range 1 to 65535.
remote ip-address: Displays detailed information about the IPsec SA with a specified remote address.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use the display ipsec sa command to display information about IPsec SAs.
If you do not specify any parameters, the command displays information about all IPsec SAs.
Related commands: reset ipsec sa and ipsec sa global-duration.
Examples
# Display brief information about all IPsec SAs.
<Sysname> display ipsec sa brief
Src Address Dst Address SPI Protocol Algorithm
--------------------------------------------------------
10.1.1.1 10.1.1.2 300 ESP E:AES-192;
A:HMAC-SHA1-96
10.1.1.2 10.1.1.1 400 ESP E:AES-192;
A:HMAC-SHA1-96
Table 55: Output description
Field | Description |
|---|---|
Src Address | Local IP address |
Dst Address | Remote IP address |
SPI | Security parameter index |
Protocol | Security protocol used by IPsec |
Algorithm | Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified. |
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
===============================
Interface: Vlan-interface1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
-----------------------------
connection id: 1
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 192.168.2.1
remote address: 192.168.3.1
flow:
sour addr: 192.168.2.1/255.255.255.255 port: 0 protocol: IP
dest addr: 192.168.3.1/255.255.255.255 port: 0 protocol: IP
[inbound ESP SAs]
spi: 2874568044 (0xab566d6c)
proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
sa duration (kilobytes/sec): 10240/3600
sa remaining duration (kilobytes/sec): 10239/3594
max received sequence-number: 4
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 893078595 (0x353b4c43)
proposal: ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
sa duration (kilobytes/sec): 10240/3600
sa remaining duration (kilobytes/sec): 10239/3594
max received sequence-number: 5
udp encapsulation used for nat traversal: N
Table 56: Output description
Field | Description |
|---|---|
Interface | Interface referencing the IPsec policy. |
path MTU | Maximum IP packet length supported by the interface. |
Protocol | Name of the protocol to which the IPsec policy is applied. |
IPsec policy name | Name of IPsec policy used. |
sequence number | Sequence number of the IPsec policy. |
mode | IPsec negotiation mode. |
connection id | IPsec tunnel identifier. |
encapsulation mode | Encapsulation mode, transport or tunnel. |
perfect forward secrecy | Whether the perfect forward secrecy feature is enabled. |
tunnel | IPsec tunnel. |
local address | Local IP address of the IPsec tunnel. |
remote address | Remote IP address of the IPsec tunnel. |
flow | Data flow. |
sour addr | Source IP address of the data flow. |
dest addr | Destination IP address of the data flow. |
port | Port number. |
protocol | Protocol type. |
inbound | Information of the inbound SA. |
spi | Security parameter index. |
proposal | Security protocol and algorithms used by the IPsec proposal. |
sa duration | Lifetime of the IPsec SA. |
sa remaining key duration | Remaining lifetime of the SA. |
max received sequence-number | Maximum sequence number of the received packets (relevant to the anti-replay function provided by the security protocol). |
udp encapsulation used for nat traversal | Whether NAT traversal is enabled for the SA. |
outbound | Information of the outbound SA. |
max sent sequence-number | Maximum sequence number of the sent packets (relevant to the anti-replay function provided by the security protocol). |
anti-replay check enable | Whether IPsec anti-replay checking is enabled. |
anti-replay window size | Size of the anti-replay window. |