IPsec status display

The IPsec status may be checked by displaying IPsec SPs and SAs.

To display IPsec SPs:

router{}show ipsec sp [vrf-id ID]
vrf-id ID
Specify the identifier of the VRF whose SPs are to be displayed, in the 0-2047 range. Default is 0.

Example

The following example displays two SPs corresponding to one IPsec rule for a static VPN performing ESP in tunnel mode, for the TCP protocol, from the 10.10.10.0/24 network to the 20.20.20.0/24 network.

router{}show ipsec sp
20.20.20.0/24[any] 10.10.10.0/24[any] tcp
        in ipsec global
        esp/tunnel/-/require
        created: Jul  2 14:33:02 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=40 seq=1 pid=1280
        refcnt=1
10.10.10.0/24[any] 20.20.20.0/24[any] tcp
        out ipsec global
        esp/tunnel/-/require
        created: Jul  2 14:33:02 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=33 seq=0 pid=1280
        refcnt=1
router{}

To display IPsec SAs:

router{}show ipsec sa [ike|static] [vrf-id ID]
ike
Display only IPsec SAs negotiated by the IKE protocol.
static
Display only manually configured IPsec SAs.
vrf-id ID
Specify the identifier of the VRF whose SAs are to be displayed, in the 0-2047 range. Default is 0.

When no ike or static parameter is given, all SAs are displayed.

Here is a description of the displayed information:

source
Source address of the SA
destination
Destination address of the SA
protocol
IPsec protocol (ESP or AH)
mode
IPsec mode (transport or tunnel)
spi
Security Parameters Index
reqid
Internal unique identifier of the security policy that triggered SA creation
encr-algo
Encryption algorithm
encr-key
Encryption key, in hexadecimal format
auth-algo
Authentication algorithm
auth-key
Authentication key, in hexadecimal format
replay-window
Size of the replay window. 0 if replay protection is disabled.
flags, state, seq, pid
Internal values. If the state is different from mature, the SA cannot be used yet.
created
Date of creation
current
Current time
elapsed
Time elapsed since the SA was created
hard-lifetime
When this time has elapsed since SA creation, the SA will expire. If set to 0, the SA will not expire based on elapsed time.
soft-lifetime
When this time has elapsed since SA creation, a new SA will be negotiated to replace it, before it reaches its hard lifetime. If set to 0, the SA will not be renegotiated based on elapsed time.
expiration
Date when the SA will reach its hard lifetime and expire
renewal
Date when the SA will reach its soft lifetime and a new negotiation will be requested
last-use
Date when the SA was last used by the IPsec module
bytes-processed
Volume of data that was processed by the IPsec module with this SA
hard-lifebyte
When this volume of data is processed with this SA, the SA will expire. If set to 0, the SA will not expire based on the volume of data.
soft-lifebyte
When this volume of data is processed with this SA, a new SA will be negotiated to replace it, before it reaches its hard lifebyte. If set to 0, the SA will not be renegotiated based on volume of data.
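As an added example (not part of this page or the router's own software), a small Python parser for the show ipsec sa output that applies the field semantics listed above: it flags SAs whose state is not mature, whose replay window is 0 (replay protection disabled) or that have no hard lifetime at all, and masks the auth-key and encr-key values, since the display prints key material in the clear and the output should not be pasted into tickets or logs unredacted. The sample records are copied from this page's example output and are not live router output.

```python
import re
# Constructed sample in the format of this page's "show ipsec sa" output (records copied from the page's example; not live router output).
SAMPLE_OUTPUT = """\
source=192.168.0.2 destination=192.168.0.1
        protocol=ah mode=tunnel spi=257(0x00000101) reqid=0(0x00000000)
        auth-algo=hmac-md5
        auth-key=746869736973616e6f746865726b6579
        replay-window=0 flags=0x00000000 state=mature seq=3 pid=2103
        created=2007-01-31/19:18:44 current=2007-01-31/19:18:48 elapsed=4(s)
        hard-lifetime=0(s) expiration=2007-01-31/19:18:44
        soft-lifetime=0(s) renewal=2007-01-31/19:18:44
        last-use=never
        bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
source=10.23.8.208 destination=10.23.8.108
        protocol=ah mode=tunnel spi=62927017(0x03c030a9) reqid=16411(0x0000401b)
        auth-algo=hmac-md5
        auth-key=f022dcd504c11b91f9ac54b53948764e
        replay-window=4 flags=0x10000000 state=mature seq=1 pid=2103
        created=2007-01-31/19:13:05 current=2007-01-31/19:18:48 elapsed=343(s)
        hard-lifetime=28800(s) expiration=2007-02-01/03:13:05
        soft-lifetime=23040(s) renewal=2007-02-01/01:37:05
        last-use=2007-01-31/19:13:06
        bytes-processed=15624 hard-lifebyte=0 soft-lifebyte=0
"""

KV = re.compile(r"([\w-]+)=(\S+)")  # field=value tokens on each output line

def parse_sas(text):  # one dict per SA; every 'source=' line starts a new record
    sas, cur = [], None
    for line in text.splitlines():
        if line.startswith("source="):
            cur = {}
            sas.append(cur)
        if cur is not None:
            cur.update(KV.findall(line))
    return sas

def audit_sa(sa):  # findings a defender acts on, per the field semantics above
    findings = []
    if sa["state"] != "mature":                 # SA cannot carry traffic yet
        findings.append("not usable yet: state=" + sa["state"])
    if sa["replay-window"] == "0":              # anti-replay is off for this SA
        findings.append("replay protection disabled")
    if sa["hard-lifetime"] == "0(s)" and sa["hard-lifebyte"] == "0":
        findings.append("no hard lifetime: SA never expires")
    return findings

def redact_keys(text):  # mask key material before sharing the output anywhere
    return re.sub(r"((?:encr|auth)-key=)\S+", r"\1<redacted>", text)
```

Run audit_sa over parse_sas(SAMPLE_OUTPUT): the static SA is reported for disabled replay protection and for having no hard lifetime, while the IKE-negotiated SA produces no findings.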

Examples

router{}show ipsec sa
source=192.168.0.2 destination=192.168.0.1
        protocol=ah mode=tunnel spi=257(0x00000101) reqid=0(0x00000000)
        auth-algo=hmac-md5
        auth-key=746869736973616e6f746865726b6579
        replay-window=0 flags=0x00000000 state=mature seq=3 pid=2103
        created=2007-01-31/19:18:44 current=2007-01-31/19:18:48 elapsed=4(s)
        hard-lifetime=0(s) expiration=2007-01-31/19:18:44
        soft-lifetime=0(s) renewal=2007-01-31/19:18:44
        last-use=never
        bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
source=192.168.0.1 destination=192.168.0.2
        protocol=ah mode=tunnel spi=256(0x00000100) reqid=0(0x00000000)
        auth-algo=hmac-md5
        auth-key=7468697369737468656b657979797979
        replay-window=0 flags=0x00000000 state=mature seq=2 pid=2103
        created=2007-01-31/19:12:52 current=2007-01-31/19:18:48 elapsed=356(s)
        hard-lifetime=0(s) expiration=2007-01-31/19:12:52
        soft-lifetime=0(s) renewal=2007-01-31/19:12:52
        last-use=never
        bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
source=10.23.8.208 destination=10.23.8.108
        protocol=ah mode=tunnel spi=62927017(0x03c030a9) reqid=16411(0x0000401b)
        auth-algo=hmac-md5
        auth-key=f022dcd504c11b91f9ac54b53948764e
        replay-window=4 flags=0x10000000 state=mature seq=1 pid=2103
        created=2007-01-31/19:13:05 current=2007-01-31/19:18:48 elapsed=343(s)
        hard-lifetime=28800(s) expiration=2007-02-01/03:13:05
        soft-lifetime=23040(s) renewal=2007-02-01/01:37:05
        last-use=2007-01-31/19:13:06
        bytes-processed=15624 hard-lifebyte=0 soft-lifebyte=0
source=10.23.8.108 destination=10.23.8.208
        protocol=ah mode=tunnel spi=48633065(0x02e614e9) reqid=16410(0x0000401a)
        auth-algo=hmac-md5
        auth-key=cabb897fa53f98bd5139b39ea763db9e
        replay-window=4 flags=0x10000000 state=mature seq=0 pid=2103
        created=2007-01-31/19:13:05 current=2007-01-31/19:18:48 elapsed=343(s)
        hard-lifetime=28800(s) expiration=2007-02-01/03:13:05
        soft-lifetime=23040(s) renewal=2007-02-01/01:37:05
        last-use=2007-01-31/19:13:06
        bytes-processed=23808 hard-lifebyte=0 soft-lifebyte=0
router{}show ipsec sa ike
source=10.23.8.208 destination=10.23.8.108
        protocol=ah mode=tunnel spi=62927017(0x03c030a9) reqid=16411(0x0000401b)
        auth-algo=hmac-md5
        auth-key=f022dcd504c11b91f9ac54b53948764e
        replay-window=4 flags=0x10000000 state=mature seq=1 pid=2018
        created=2007-01-31/19:13:05 current=2007-01-31/19:13:12 elapsed=7(s)
        hard-lifetime=28800(s) expiration=2007-02-01/03:13:05
        soft-lifetime=23040(s) renewal=2007-02-01/01:37:05
        last-use=2007-01-31/19:13:06
        bytes-processed=588 hard-lifebyte=0 soft-lifebyte=0
source=10.23.8.108 destination=10.23.8.208
        protocol=ah mode=tunnel spi=48633065(0x02e614e9) reqid=16410(0x0000401a)
        auth-algo=hmac-md5
        auth-key=cabb897fa53f98bd5139b39ea763db9e
        replay-window=4 flags=0x10000000 state=mature seq=0 pid=2018
        created=2007-01-31/19:13:05 current=2007-01-31/19:13:12 elapsed=7(s)
        hard-lifetime=28800(s) expiration=2007-02-01/03:13:05
        soft-lifetime=23040(s) renewal=2007-02-01/01:37:05
        last-use=2007-01-31/19:13:06
        bytes-processed=896 hard-lifebyte=0 soft-lifebyte=0
router{}show ipsec sa static
source=192.168.0.2 destination=192.168.0.1
        protocol=ah mode=tunnel spi=257(0x00000101) reqid=0(0x00000000)
        auth-algo=hmac-md5
        auth-key=746869736973616e6f746865726b6579
        replay-window=0 flags=0x00000000 state=mature seq=3 pid=2109
        created=2007-01-31/19:18:44 current=2007-01-31/19:19:10 elapsed=26(s)
        hard-lifetime=0(s) expiration=2007-01-31/19:18:44
        soft-lifetime=0(s) renewal=2007-01-31/19:18:44
        last-use=never
        bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
source=192.168.0.1 destination=192.168.0.2
        protocol=ah mode=tunnel spi=256(0x00000100) reqid=0(0x00000000)
        auth-algo=hmac-md5
        auth-key=7468697369737468656b657979797979
        replay-window=0 flags=0x00000000 state=mature seq=2 pid=2109
        created=2007-01-31/19:12:52 current=2007-01-31/19:19:10 elapsed=378(s)
        hard-lifetime=0(s) expiration=2007-01-31/19:12:52
        soft-lifetime=0(s) renewal=2007-01-31/19:12:52
        last-use=never
        bytes-processed=0 hard-lifebyte=0 soft-lifebyte=0
router{}