Displaying IPsec configuration information

Various show commands can be used to display IPsec configuration information.

IPsec must be configured before displaying this information.

  • Enter the show ipsec proposal command to display information about IPsec proposal configurations.
    device# show ipsec proposal
    Name                : def-ipsec-prop
    Protocol            : ESP
    Encryption          : aes-gcm-256
    Authentication      : NULL
    ESN                 : Enable
    Mode                : Tunnel
    Ref Count           : 1
  • Enter the show ipsec profile command to display information about IPsec profile configurations.
    device# show ipsec profile
    Name                : 17
    Description         : 17
    Ike Profile         : 17
    Lifetime            : 28800 sec
    Anti-Replay Service : Enabled
    DH Group            : None
    Proposal            : 17
  • Enter the show ipsec sa command to display summary information about IPsec security association (SA) configurations.
    device# show ipsec sa
    IPSEC Security Association Database is empty.
    SPDID(vrf:if) Dir Encap SPI        Destination     AuthAlg  EncryptAlg
    IPSEC Security Association Database(child SA pair:2)
      1:tnl 15    OUT IPSEC_ 0x0000a748      NULL      aes-gcm-256
      1:tnl 15    IN  IPSEC_ 0x00007e14      NULL      aes-gcm-256
      0:tnl 4     OUT IPSEC_ 0x0000476d   NULL      aes-gcm-256
      0:tnl 4     IN  IPSEC_ 0x0000c989   NULL      aes-gcm-256
  • Enter the show ipsec sa address command to display detailed information about a specific IPsec SA by specifying the local address of the SA.
    device# show ipsec sa address detail
    IPSEC Security Association Database(child SA pair:0)
        interface           : tnl 19
        Local address:, Remote address:
        Inner VRF           : vrf1
         Local Identity (addr/mask/prot/port): address(
         Remote Identity(addr/mask/prot/port): address(
        DF-bit              : clear
        Profile-name        : 19
        DH group            : none
        Direction           : outbound, SPI: 0x6018
        Mode                : tunnel,
        Protocol            : IPSEC_ESP , Encryption : aes-gcm-256 , Authentication : Null
        ICV size            : 16 bytes
        lifetime(sec)       : Expiring in 243 secs
        Anti-replay service : Disable
        ESN                 : Disable
        Status              : ACTIVE
        Worry Metric        :0
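
The following is an added example, not part of the original documentation or any vendor tooling: a Python parser for detail output in the layout shown above that lists, per SA, the settings worth reviewing (anti-replay off, ESN off, no DH group, NULL authentication without an AEAD cipher). NULL authentication is not flagged for aes-gcm, because an AEAD cipher carries its own integrity check (the 16-byte ICV shown above). Assumptions: the second SA in the sample is constructed, including how an enabled state and a DH group number are printed, and the function names are hypothetical.

```python
# Sample input: the first SA reuses fields from the detail output above; the
# second SA is constructed (the "Enable" and "20" values are assumed formats).
SAMPLE = """\
    interface           : tnl 19
    DH group            : none
    Direction           : outbound, SPI: 0x6018
    Protocol            : IPSEC_ESP , Encryption : aes-gcm-256 , Authentication : Null
    Anti-replay service : Disable
    ESN                 : Disable
    interface           : tnl 20
    DH group            : 20
    Direction           : inbound, SPI: 0x7a11
    Protocol            : IPSEC_ESP , Encryption : aes-gcm-256 , Authentication : Null
    Anti-replay service : Enable
    ESN                 : Enable
"""

AEAD = ("gcm", "ccm", "chacha20")  # ciphers that provide integrity themselves

def parse_sas(text):
    """Return one dict per SA; keys are the lower-cased field names."""
    sas = []
    for line in text.splitlines():
        for chunk in line.split(","):  # one line may hold several "key : value" pairs
            key, sep, value = (p.strip() for p in chunk.partition(":"))
            if sep and key.lower() == "interface":
                sas.append({})         # each SA block starts at its interface line
            if sep and key and sas:
                sas[-1][key.lower()] = value
    return sas

def audit(sa):
    """List the settings of one parsed SA that deserve a second look."""
    findings = []
    if sa.get("anti-replay service", "").lower().startswith("disable"):
        findings.append("anti-replay disabled")
    if sa.get("esn", "").lower().startswith("disable"):
        findings.append("ESN disabled (32-bit sequence numbers)")
    if sa.get("dh group", "").lower() == "none":
        findings.append("no DH group (no PFS on child SA rekey)")
    enc = sa.get("encryption", "").lower()
    if sa.get("authentication", "").lower() == "null" and not any(a in enc for a in AEAD):
        findings.append("NULL authentication without an AEAD cipher")
    return findings

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["interface"], sa["spi"], audit(sa) or "ok")
```

Lines that carry no value in the captured output, such as an empty address field, are stored as empty strings and do not affect the checks.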