Displaying IKEv2 configuration information

Various show commands can be used to display information about IKEv2 configurations.

IKEv2 must be configured before displaying this information.

  • Enter the show ikev2 proposal command to display information about IKEv2 proposal configurations.
    
    device# show ikev2 proposal 
    ==================================================================================
    Name       : def-ike-prop
    Encryption : AES-CBC-256
    Integrity  : sha384
    PRF        : sha384
    DH Group   : 384_ECP/Group 20
    Ref Count  : 2
    
    
  • Enter the show ikev2 policy command to display information about IKEv2 policy configurations.
    
    device# show ikev2 policy
    ==================================================================================
    Name                : ike_policy_red
    Vrf                 : Default
    Local address/Mask  : 0.0.0.0/0.0.0.0   
    Proposal            : ike_proposal_red
    Ref Count           : 0
    ==================================================================================
    Name                : def-ike-policy
    Vrf                 : Default
    Local address/Mask  : 0.0.0.0/0.0.0.0  
    Proposal            : def-ike-prop
    Ref Count           : 0
    
    
  • Enter the show ikev2 profile command to display information about IKEv2 profile configurations. The following example displays information about a specific IKEv2 profile named ipsec_tunnel_1.
    
    device# show ikev2 profile ipsec_tunnel_1
    
    IKEv2 Profile       : ipsec_tunnel_1
    Auth Profile        : ipsec_tunnel_1
    Match Criteria      :
    Inside VRF          : vrf1
    Local               : email ipsec_tunnel_1@example.com
    Remote              : email ipsec_tunnel_1@example.com
    Local Identifier    : email ipsec_tunnel_1@example.com
    Remote Identifier   : email ipsec_tunnel_1@example.com
    Lifetime            : 2592000 sec
    Keepalive Check     : 10 sec
    Initial contact     : yes 
    Ref Count           : 1
    
    
  • Enter the show ikev2 sa command to display summary information about IKEv2 security association (SA) configurations.
    
    device# show ikev2 sa
    
    Total SA : 4
    Active SA: 4    : Constructing SA:0     : Dying SA:0
    --------------------------------------------------------------------------------
    tnl-id       local             remote        status  vrf(i)       vrf(f)
    --------------------------------------------------------------------------------
    tnl 18       10.18.3.4         10.18.3.5     active  default-vrf  default-vrf
    tnl 22       10.22.3.4         10.22.3.5     active  default-vrf  default-vrf
    tnl 19       10.19.3.4         10.19.3.5     active  default-vrf  default-vrf
    tnl 20       10.20.3.4         10.20.3.5     active  default-vrf  default-vrf
    
    
  • Enter the show ikev2 sa detail command to display detailed information about IKEv2 SA configurations.
    
    device# show ikev2 sa detail
    
    Total SA : 1
    Active SA: 1   : Constructing SA:0     : Dying SA:0    
    --------------------------------------------------------------------------------
    tnl-id  Local           Remote          Status       Vrf(i)      Vrf(f)
    --------------------------------------------------------------------------------
    --------------------------------------------------------------------------------
    tnl 1  10.1.41.1      10.4.41.1      Active       vrf1        vrf2       
    --------------------------------------------------------------------------------
    Role                : Initiator
    Local SPI           : 0x6fb19219160c7d71     Remote SPI: 0xde1b24e5764f311e
    Profile             : p1 
    Policy              : ipsec_tunnel_1
    Auth Proposal       : p1
    
    
  • Enter the show ikev2 session command to display summary information about IKEv2 session configurations.
    
    device# show ikev2 session
    
    IKE count:1, Child Sa Count:2
    tnl-id       local             remote        status    vrf(i)      vrf(f)
    ---------------------------------------------------------------------------------
    tnl 18       10.18.3.4/500     10.18.3.5/500 active    default-vrf default-vrf
    ---------------------------------------------------------------------------------
        Encr: aes-cbc-256, Hash: sha384, DH Grp:384_ECP/Group 20, Auth: pre_shared
        PRF: sha384
        Is Initiator: No
        Local spi  : 0xe115847e85ad667b       Remote spi: 0x7bb5ee3b6074a4b4
        Life/Active Time: 2592000/534 sec
        Rekey count Local: 0       Rekey count Remote: 2
    Child Sa:
     id 1
           Local selector  0.0.0.0/0 - 255.255.255.255
           Remote selector 0.0.0.0/0 - 255.255.255.255
           ESP SPI IN/OUT: 0xb278/0x7935
           Encryption: aes-gcm-256, ICV Size: 16 octects, Esp_hmac: Null
           Authetication: null  DH Group:none , Mode: tunnel
           Rekey count Local: 0       Rekey count Remote: 2
    
    
  • Enter the show ikev2 session detail command to display detailed information about IKEv2 session configurations.
    
    device# show ikev2 session detail
    
    IKE count:4, Child Sa Count:8
    tnl-id       local             remote        status   vrf(i)      vrf(f)
    ---------------------------------------------------------------------------------
    tnl 18       10.18.3.4         10.18.3.5     active   default-vrf default-vrf
    ---------------------------------------------------------------------------------
        Encr: aes-cbc-256, Hash: sha384, DH Grp:384_ECP/Group 20, Auth: pre_shared
        PRF: SHA384
        Is Initiator: Yes
        Local spi  : 0xe115847e85ad667b       Remote spi: 0x7bb5ee3b6074a4b4
        Life/Active Time: 2592000/614 sec
        Status Description: active
        Initiator id: address 10.28.3.4    Responder id: address 10.18.3.5
        no Exchange in progress
        next request message id=4
        Keepalive timer: 300 seconds, retry 0
            Total keepalive sent: 2
            Total keepalive received: 0
            Total Bytes sent    : 524   Total Bytes Received   : 672
        Time past since last msg: 14
        NAT-T is not detected
        Rekey count Local: 0       Rekey count Remote: 2
    Child Sa:
     id 1
           Local selector  0.0.0.0/0 - 255.255.255.255
           Remote selector 0.0.0.0/0 - 255.255.255.255
           ESP SPI IN/OUT: 0xb278/0x7935
           Encryption: aes-gcm-256, ICV Size: 16 octects, Esp_hmac: Null
           Authetication: null  DH Group:none , Mode: tunnel
           Rekey count Local: 0       Rekey count Remote: 2
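
The following is an added example, not part of the original documentation or the vendor's tooling: a Python parser for the show ikev2 session output format shown above that flags negotiated parameters against a local policy. The 86400-second lifetime ceiling, the finding texts and all function names are assumptions, and the sample input is constructed from the output above.

```python
import re

# Constructed sample, trimmed from the `show ikev2 session` format shown above.
SAMPLE = """\
tnl-id       local             remote        status    vrf(i)      vrf(f)
tnl 18       10.18.3.4/500     10.18.3.5/500 active    default-vrf default-vrf
    Encr: aes-cbc-256, Hash: sha384, DH Grp:384_ECP/Group 20, Auth: pre_shared
    Life/Active Time: 2592000/534 sec
Child Sa:
 id 1
       Encryption: aes-gcm-256, ICV Size: 16 octects, Esp_hmac: Null
       Authetication: null  DH Group:none , Mode: tunnel
"""

MAX_IKE_LIFETIME = 86400  # assumed local policy in seconds, not a vendor default

TUNNEL = re.compile(r"^\s*(tnl \d+)\s+(\S+)\s+(\S+)\s+(\S+)")
IKE = re.compile(r"Encr: (\S+), Hash: (\S+), DH Grp:(.+?), Auth: (\S+)")
LIFE = re.compile(r"Life/Active Time: (\d+)/(\d+) sec")
CHILD = re.compile(r"DH Group:\s*(\S+)\s*, Mode: (\S+)")

def parse_sessions(text):
    """Group IKE SA and child SA attributes under each tunnel row."""
    sessions = []
    for line in text.splitlines():
        if m := TUNNEL.match(line):
            sessions.append({"tnl": m[1], "local": m[2], "remote": m[3],
                             "status": m[4], "children": []})
        elif not sessions:
            continue  # header lines before the first tunnel row
        elif m := IKE.search(line):
            sessions[-1].update(encr=m[1], hash=m[2], dh=m[3], auth=m[4])
        elif m := LIFE.search(line):
            sessions[-1].update(lifetime=int(m[1]), active=int(m[2]))
        elif m := CHILD.search(line):
            sessions[-1]["children"].append({"dh": m[1], "mode": m[2]})
    return sessions

def audit(sessions):
    """Return (tunnel, finding) pairs under the assumed policy above."""
    findings = []
    for s in sessions:
        if s.get("auth") == "pre_shared":
            findings.append((s["tnl"], "pre-shared key authentication"))
        if s.get("lifetime", 0) > MAX_IKE_LIFETIME:
            findings.append((s["tnl"], "IKE SA lifetime above policy"))
        if any(c["dh"].lower() == "none" for c in s["children"]):
            findings.append((s["tnl"], "child SA without DH group (no PFS)"))
    return findings
```

Calling audit(parse_sessions(SAMPLE)) on the constructed sample returns three findings for tnl 18; feed it captured CLI output in place of SAMPLE to review live tunnels.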