security ipsec show-ipsecsa
Show IPsec SA Information
Availability: This command is available to cluster and Vserver administrators at the admin privilege level.
Description
The security ipsec show-ipsecsa command displays information about IPsec Security Associations (SA).
Running the command with the -node parameter displays information relevant to IPsec SAs at the specified node.
Running this command with the -vserver parameter displays information relevant to IPsec SAs associated with the specified vserver.
Running this command with the -policy-name parameter displays information relevant to IPsec SAs created using the specified security policy.
You can specify additional parameters to display only information matching those parameters. For example, to display only the IPsec SAs for a certain local address, run the command with the -local-address parameter.
Parameters
{ [-fields <fieldname>,…]
If you specify the -fields <fieldname>,… parameter, the command displays only the specified fields. Notice that key fields are always displayed.
| [-instance ] }
If you specify the -instance parameter, the command displays all fields of matching IPsec SAs.
-node <nodename> - Node
This required parameter specifies from which node the IPsec SA information will be collected and displayed.
[-vserver <Vserver Name>] - Vserver Name
Use this parameter to display the IPsec SAs associated with the specified Vserver.
[-policy-name <text>] - Policy Name
Use this parameter to display the IPsec SAs created based on the specified security policy.
[-local-address <text>] - Local Address
Use this parameter to display the IPsec SAs with the specified local endpoint IP address.
[-remote-address <text>] - Remote Address
Use this parameter to display the IPsec SAs with the specified remote endpoint IP address.
[-inbound-spi <text>] - Inbound SPI
Use this parameter to display the IPsec SA having the specified inbound Security Parameter Index (SPI).
[-outbound-spi <text>] - Outbound SPI
Use this parameter to display the IPsec SA having the specified outbound SPI.
[-action <IPsec Action Type>] - IPsec Action
Use this parameter to display IPsec SAs with the specified security action type, such as ESP_TRA for ESP transport mode protection, BYPASS to bypass IPsec, or DISCARD.
[-state <text>] - IPsec SA State
Use this parameter to display only the IPsec SAs that are in the specified state.
[-cipher-suite <Cipher Suite Type>] - Cipher Suite
Use this parameter to display the IPsec SAs that use the specified cipher-suite.
[-ib-bytes <integer>] - Inbound Bytes Processed
Use this parameter to display the IPsec SAs matching the processed inbound bytes. Notice that ib-bytes keeps changing as inbound packets are processed.
[-ib-pkts <integer>] - Inbound Pkts Processed
Use this parameter to display the IPsec SAs matching the processed inbound packets. Notice that ib-pkts keeps changing as inbound packets are processed.
[-ob-bytes <integer>] - Outbound Bytes Processed
Use this parameter to display the IPsec SAs matching the processed outbound bytes. Notice that ob-bytes keeps changing as outbound packets are processed.
[-ob-pkts <integer>] - Outbound Pkts Processed
Use this parameter to display the IPsec SAs matching the processed outbound packets. Notice that ob-pkts keeps changing as outbound packets are processed.
[-lifetime <integer>] - IPsec SA Lifetime Seconds
Use this parameter to display the IPsec SAs matching the remaining lifetime. Notice that lifetime keeps changing for the duration of the security association.
Examples
This example displays all IPsec SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1
                Policy  Local           Remote          Inbound  Outbound
    Vserver     Name    Address         Address         SPI      SPI      State
    ----------- ------- --------------- --------------- -------- -------- ---------
    vs1         Policy1 192.186.10.1    192.186.10.2    c68de9db c84f913b INSTALLED
    vs2         Policy2 192.186.20.1    192.186.20.2    cbc01493 c6ee7424 INSTALLED
    2 entries were displayed.

This example displays selected fields of all IPsec SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields local-address,remote-address,inbound-spi,outbound-spi
    node           vserver policy-name local-address  remote-address inbound-spi outbound-spi
    -------------- ------- ----------- -------------- -------------- ----------- ------------
    cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    c84f913b
    cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    c6ee7424
    2 entries were displayed.

This example displays selected fields of all IPsec SAs associated with node cluster1-node1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields ib-bytes,ib-pkts,ob-bytes,ob-pkts
    node           vserver policy-name local-address  remote-address inbound-spi ib-bytes ib-pkts ob-bytes ob-pkts
    -------------- ------- ----------- -------------- -------------- ----------- -------- ------- -------- -------
    cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    4704     56      6720     56
    cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    20434    115     23082    120
    2 entries were displayed.

This example displays instance view (all fields) for all IPsec SAs associated with node cluster1-node1, vserver vs1 and created using policy Policy1:

    cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance

                         Node: cluster1-node1
                 Vserver Name: vs1
                  Policy Name: Policy1
                  Inbound SPI: c68de9db
                 Outbound SPI: c84f913b
                Local Address: 192.168.10.1
               Remote Address: 192.168.10.2
                 IPsec Action: ESP_TRA
               IPsec SA State: INSTALLED
                 Cipher Suite: SUITEB_GCM256
      Inbound Bytes Processed: 4704
       Inbound Pkts Processed: 56
     Outbound Bytes Processed: 6720
      Outbound Pkts Processed: 56
    IPsec SA Lifetime Seconds: 1800
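
The following Python sketch is an added example, not part of the original page or of ONTAP: it parses -instance output in the layout shown above and reports every SA whose action, state or cipher suite differs from an expected baseline. The baseline values, the function names and the vs2 record in the sample are assumptions made for illustration.

```python
import re

# Constructed sample in the -instance layout; the vs2 record is invented for the demo.
SAMPLE = """\
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -instance
                     Node: cluster1-node1
             Vserver Name: vs1
              Policy Name: Policy1
             IPsec Action: ESP_TRA
           IPsec SA State: INSTALLED
             Cipher Suite: SUITEB_GCM256

                     Node: cluster1-node1
             Vserver Name: vs2
              Policy Name: Policy2
             IPsec Action: BYPASS
           IPsec SA State: INSTALLED
"""

# "Label: value" lines only; the label may contain letters and spaces.
LINE = re.compile(r"\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")

def parse_instances(text):
    """Return one dict per SA; each 'Node:' line starts a new record."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # prompt echo, blank lines, trailer text
        label, value = m.group(1), m.group(2).strip()
        if label == "Node":
            records.append({})
        if records:
            records[-1][label] = value
    return records

def audit(records, action="ESP_TRA", state="INSTALLED", suites=("SUITEB_GCM256",)):
    """Compare each SA with the operator's expected baseline (assumed values)."""
    findings = []
    for r in records:
        sa = f"{r.get('Vserver Name')}/{r.get('Policy Name')}"
        for label, ok in (("IPsec Action", (action,)), ("IPsec SA State", (state,)),
                          ("Cipher Suite", suites)):
            if r.get(label) not in ok:  # a missing field is reported as None
                findings.append((sa, label, r.get(label)))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_instances(SAMPLE)):
        print(finding)
```

A field that is absent from a record is reported with the value None, so truncated or partial output is flagged instead of being treated as compliant.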