display ike sa

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000.

remote-address remote-address: Displays detailed information about IKE SAs with the specified remote IP address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use the display ike sa command to display information about the current IKE SAs.

If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.

Related commands: ike proposal and ike peer.

Examples

# Display brief information about the current IKE SAs.

<Sysname> display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST        1      IPSEC
      2            202.38.0.2      RD|ST        2      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Table 63: Output description

    Field              Description
    ----------------------------------------------------------------------------
    total phase-1 SAs  Total number of SAs for phase 1
    connection-id      Identifier of the ISAKMP SA
    peer               Remote IP address of the SA
    flag               Status of the SA:
                       • RD (READY): The SA has been established.
                       • ST (STAYALIVE): This end is the initiator of the tunnel negotiation.
                       • RL (REPLACED): The tunnel has been replaced by a new one and will be deleted later.
                       • FD (FADING): The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over.
                       • TO (TIMEOUT): The SA has received no keepalive packets since the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
    phase              The phase the SA belongs to:
                       • Phase 1: The phase for establishing the ISAKMP SA.
                       • Phase 2: The phase for negotiating the security service. IPsec SAs are established in this phase.
    doi                Domain of interpretation (DOI) the SA belongs to

# Display detailed information about the current IKE SAs.

<Sysname> display ike sa verbose
    ---------------------------------------------
    connection id: 2
    transmitting entity: initiator
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4

    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5

    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC

    life duration(sec): 86400
    remaining key duration(sec): 86379
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO

# Display detailed information about the IKE SA with the connection ID of 2.

<Sysname> display ike sa verbose connection-id 2
    ---------------------------------------------
    connection id: 2
    transmitting entity: initiator
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4

    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5

    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC

    life duration(sec): 86400
    remaining key duration(sec): 82480
    exchange-mode: MAIN
    diffie-hellman group: GROUP14
    nat traversal: NO

# Display detailed information about the IKE SA with the remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5
    ---------------------------------------------
    connection id: 2
    transmitting entity: initiator
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4

    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5

    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC

    life duration(sec): 86400
    remaining key duration(sec): 82236
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO

Table 64: Output description

    Field                        Description
    ----------------------------------------------------------------------------
    connection id                Identifier of the ISAKMP SA
    transmitting entity          Role of this end in the IKE negotiation (initiator or responder)
    local ip                     IP address of the local gateway
    local id type                Identifier type of the local gateway
    local id                     Identifier of the local gateway
    remote ip                    IP address of the remote gateway
    remote id type               Identifier type of the remote gateway
    remote id                    Identifier of the remote security gateway
    authentication-method        Authentication method used by the IKE proposal
    authentication-algorithm     Authentication algorithm used by the IKE proposal
    encryption-algorithm         Encryption algorithm used by the IKE proposal
    life duration(sec)           Lifetime of the ISAKMP SA in seconds
    remaining key duration(sec)  Remaining lifetime of the ISAKMP SA in seconds
    exchange-mode                IKE negotiation mode in phase 1
    diffie-hellman group         DH group used for key negotiation in IKE phase 1
    nat traversal                Whether NAT traversal is enabled
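The brief output (Table 63) and the verbose output (Table 64) are what an operator or a monitoring job reads to judge tunnel health. The following Python script is an added example, not part of this command reference or of the device software: it parses both output forms into records and reports the conditions a defender acts on, namely SAs carrying the TO or FD flag, SAs close to the end of their lifetime, and SAs negotiated with DH group 1 or 2 (768- and 1024-bit MODP, below current recommendations). The sample output is constructed for the example, modelled on the layout shown above; connection 3, the `responder` role and the `nat traversal: YES` value are invented additions, and the `min_remaining_fraction` threshold is an assumption of the script, not a device setting.

```python
import re

# Constructed sample of the brief output. Connection 3 is an invented row carrying
# the TO flag so that the audit has something to report.
BRIEF_OUTPUT = """\
<Sysname> display ike sa
    total phase-1 SAs:  2
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST        1      IPSEC
      2            202.38.0.2      RD|ST        2      IPSEC
      3            202.38.0.3      RD|TO        1      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# Constructed sample of the verbose output: two records in the reference layout.
VERBOSE_OUTPUT = """\
<Sysname> display ike sa verbose
    ---------------------------------------------
    connection id: 2
    transmitting entity: initiator
    ---------------------------------------------
    local ip: 4.4.4.4
    local id type: IPV4_ADDR
    local id: 4.4.4.4

    remote ip: 4.4.4.5
    remote id type: IPV4_ADDR
    remote id: 4.4.4.5

    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC

    life duration(sec): 86400
    remaining key duration(sec): 86379
    exchange-mode: MAIN
    diffie-hellman group: GROUP1
    nat traversal: NO
    ---------------------------------------------
    connection id: 3
    transmitting entity: responder
    ---------------------------------------------
    local ip: 4.4.4.4
    remote ip: 202.38.0.3
    authentication-method: PRE-SHARED-KEY
    authentication-algorithm: HASH-SHA1
    encryption-algorithm: AES-CBC
    life duration(sec): 86400
    remaining key duration(sec): 1200
    exchange-mode: MAIN
    diffie-hellman group: GROUP14
    nat traversal: YES
"""

# One data row of the brief table: connection-id, peer, flag, phase, doi.
BRIEF_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+([12])\s+(\S+)\s*$")


def parse_brief(text):
    """Return one dict per SA row of the brief output; prompt, header and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = BRIEF_ROW.match(line)
        if m:
            cid, peer, flags, phase, doi = m.groups()
            sas.append({"connection_id": int(cid), "peer": peer,
                        "flags": set(flags.split("|")), "phase": int(phase), "doi": doi})
    return sas


def parse_verbose(text):
    """Return one dict per SA record of the verbose output, keyed by the field names shown.
    A record starts at each 'connection id:' line; separator and prompt lines are ignored.
    Splitting on the first ':' assumes IPv4 addresses, as in the reference output."""
    sas, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("<"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "connection id":
            current = {}
            sas.append(current)
        if current is not None:
            current[key] = value
    return sas


WEAK_DH_GROUPS = {"GROUP1", "GROUP2"}   # 768- and 1024-bit MODP


def audit(brief_sas, verbose_sas, min_remaining_fraction=0.05):
    """Return (connection_id, message) findings a tunnel monitor would act on.
    min_remaining_fraction is an assumed threshold of the example, not a device setting."""
    findings = []
    for sa in brief_sas:
        if "TO" in sa["flags"]:
            findings.append((sa["connection_id"], "TIMEOUT: keepalive missed; SA is deleted at the next timeout"))
        if "FD" in sa["flags"]:
            findings.append((sa["connection_id"], "FADING: soft lifetime over; SA is deleted when the hard lifetime ends"))
    for sa in verbose_sas:
        cid = int(sa["connection id"])
        group = sa.get("diffie-hellman group")
        if group in WEAK_DH_GROUPS:
            findings.append((cid, f"weak DH group {group}"))
        life = int(sa["life duration(sec)"])
        remaining = int(sa["remaining key duration(sec)"])
        if remaining < life * min_remaining_fraction:
            findings.append((cid, f"only {remaining}s of {life}s lifetime left"))
    return findings


if __name__ == "__main__":
    for cid, msg in audit(parse_brief(BRIEF_OUTPUT), parse_verbose(VERBOSE_OUTPUT)):
        print(f"connection {cid}: {msg}")
```

In practice the two strings would be replaced by the captured output of `display ike sa` and `display ike sa verbose`; the `display ike sa verbose connection-id` form shown above is the natural follow-up for any connection the brief audit reports.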