security ipsec show-ikesa
Show IKE SA Information
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security ipsec show-ikesa command displays information about IKE Security Associations (SA).
Running this command with the -node parameter displays information relevant to IKE SAs generated at the specified node.
Running this command with the -vserver parameter displays information relevant to IKE SAs associated with the specified vserver.
Running this command with the -policy-name parameter displays information relevant to IKE SAs created based on the specified security policy.
You can specify additional parameters to display only information matching those parameters. For example, to display IKE SAs associated with a specific local address, run the command with the -local-address parameter.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields <fieldname>,… parameter, the command displays only the specified fields. Notice that key fields are always displayed.
| [-instance ] }
If you specify the -instance parameter, the command displays all fields of the IKE SAs.
-node <nodename> - Node
This required parameter specifies the node from which the IKE SA information will be collected and displayed.
[-vserver <vserver name>] - Vserver Name
Use this parameter to display the IKE SAs associated with the specified Vserver.
[-policy-name <text>] - Policy Name
Use this parameter to display the IKE SAs created based on the specified security policy.
[-local-address <text>] - Local Address
Use this parameter to display the IKE SAs with the specified local endpoint IP address.
[-remote-address <text>] - Remote Address
Use this parameter to display the IKE SAs with the specified remote endpoint IP address.
[-initiator-spi <text>] - Initiator SPI
Use this parameter to display the IKE SAs with the specified initiator Security Parameter Index (SPI).
[-responder-spi <text>] - Responder SPI
Use this parameter to display the IKE SAs with the specified responder SPI.
[-is-initiator {true|false}] - Is Initiator
Use this parameter to display the IKE SAs created when the given node matches the specified initiator role: true means initiator role and false means responder role in IKE negotiation.
[-ike-version <integer>] - IKE Version
Use this parameter to display the IKE SAs created using the specified IKE version.
[-auth-method <IKE Authentication Method>] - Authentication Method
Use this parameter to display the IKE SAs created using the specified authentication method.
[-state <IKE SA State>] - IKE SA State
Use this parameter to display only the IKE SAs that are in the specified state.
[-cipher-suite <Cipher Suite Type>] - Cipher Suite
Use this parameter to display the IKE SAs created using the specified cipher suite.
[-lifetime <integer>] - Lifetime
Use this parameter to display the IKE SAs with the specified remaining lifetime. Notice that lifetime keeps changing for the duration of the security association.
Examples
This example displays all IKE SAs for node cluster1-node1:
cluster-1::> security ipsec show-ikesa -node cluster1-node1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         Policy1 192.186.10.1   192.186.10.2    e658e5bc7ece199e ESTABLISHED
vs2         Policy2 192.168.20.1   192.168.20.2    8eac392028ab4f12 ESTABLISHED
2 entries were displayed.
This example displays selected fields of all IKE SAs for node cluster1-node1:
cluster-1::> security ipsec show-ikesa -node cluster1-node1 -fields is-initiator,initiator-spi,responder-spi,auth-method,cipher-suite,lifetime
node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
-------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.2   4d43aaba8ca01cd8 00bdd5aac569e08a true         PSK         SUITEB_GCM256 6720
2 entries were displayed.
This example displays all IKE SAs for vserver vs1:
cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         Policy1 192.186.10.1   192.186.10.2    e658e5bc7ece199e ESTABLISHED
This example displays instance view (all fields) for all IKE SAs associated with node cluster1-node1, vserver vs1 and created using policy Policy1:
cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
                 Node: cluster1-node1
         Vserver Name: vs1
          Policy Name: Policy1
        Local Address: 192.168.10.1
       Remote Address: 192.168.10.2
        Initiator SPI: e658e5bc7ece199e
        Responder SPI: 9b61befff71e8ca2
         Is Initiator: false
          IKE Version: 2
Authentication Method: PSK
         IKE SA State: ESTABLISHED
        Cipher Suite: SUITEB_GCM256
             Lifetime: 6000
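The -fields output shown in the second example can be captured and checked against a baseline of expected peers and cipher suites. The following is an added example, not part of the product documentation; the baseline values, the helper names parse_table and audit, and the third sample row are assumptions constructed for illustration.

```python
import re

# Captured "show-ikesa -fields" output. The first two rows are the page's own
# example rows; the third (peer 192.186.20.99) is constructed for this example.
SAMPLE = """\
node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
-------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.2   4d43aaba8ca01cd8 00bdd5aac569e08a true         PSK         SUITEB_GCM256 6720
cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.99  1111111111111111 2222222222222222 false        PSK         SUITEB_GCM256 7100
3 entries were displayed.
"""

# Assumed baseline (hypothetical values): allowed peers per (vserver, policy).
EXPECTED_PEERS = {("vs1", "Policy1"): {"192.186.10.2"},
                  ("vs2", "Policy2"): {"192.186.20.2"}}
ALLOWED_SUITES = {"SUITEB_GCM256"}

def parse_table(text):
    """Parse the fixed-width table; column spans come from the dashed rule."""
    lines = text.splitlines()
    rule = next(i for i, l in enumerate(lines) if l.startswith("---"))
    starts = [m.start() for m in re.finditer(r"-+", lines[rule])]
    ends = starts[1:] + [None]  # last column runs to end of line
    names = [lines[rule - 1][s:e].strip() for s, e in zip(starts, ends)]
    rows, declared = [], None
    for line in lines[rule + 1:]:
        footer = re.match(r"(\d+) entr(?:y|ies) were displayed", line)
        if footer:
            declared = int(footer.group(1))
            break
        if line.strip():
            rows.append({n: line[s:e].strip() for n, s, e in zip(names, starts, ends)})
    if declared is not None and declared != len(rows):
        raise ValueError(f"truncated capture: {len(rows)} rows, footer says {declared}")
    return rows

def audit(rows):
    """Return (initiator-spi, reason) for each SA that is outside the baseline."""
    findings = []
    for r in rows:
        peers = EXPECTED_PEERS.get((r["vserver"], r["policy-name"]), set())
        if r["remote-address"] not in peers:
            findings.append((r["initiator-spi"], "unexpected peer " + r["remote-address"]))
        if r["cipher-suite"] not in ALLOWED_SUITES:
            findings.append((r["initiator-spi"], "cipher suite " + r["cipher-suite"]))
    return findings

if __name__ == "__main__":
    print(audit(parse_table(SAMPLE)))
```

The footer count is compared with the number of parsed rows so that a truncated capture is rejected instead of being reported as clean.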