show ipsec sa
Last Updated Jun 30, 2018
Displays configuration information about current IP security (IPsec) security associations (SAs).
Parameter | Description |
---|---|
ip-address | Specifies the IPv4 address of the SA. |
ipv6-address | Specifies the IPv6 address of the SA. |
detail | Specifies detailed information. |
identity | Specifies the remote identity of the SA. |
interface tunnel-port | Specifies a tunnel port number. |
ipv4 | Specifies the IPv4 IPsec SA database. |
ipv6 | Specifies the IPv6 IPsec SA database. |
peer | Specifies the peer address of the SA. |
User EXEC mode
This command may be entered in all configuration modes.
When the detail option is omitted, only the basic SA information is displayed.
The show ipsec sa command displays the following information when the detail option is specified.
Output field | Description |
---|---|
interface | The IPsec tunnel interface ID. |
Local address | The source address of the IPsec SA. |
Remote address | The destination address of the IPsec SA. |
Inner VRF | The base VRF of the IPsec tunnel interface. |
Local Identity | The total traffic selector. |
Remote Identity | The received traffic selector. |
DF-bit | The "Don't fragment" bit that indicates if fragmentation is enabled or disabled. |
Profile-name | The name of the IPsec profile that is used by this IPsec SA. |
DH group | The Diffie-Hellman group that is used by this IPsec SA. |
Direction | The direction of the IPsec SA. Possible values are INBOUND or OUTBOUND. |
Mode | The encapsulation type. |
Protocol | The transform type. |
ICV size | The integrity check value (ICV) size. |
lifetime(sec) | The rekey time for this IPsec SA. |
Anti-replay service | The anti-replay service configuration. Possible values are Enable or Disable. |
ESN | The Extended Sequence Number (ESN) configuration. Possible values are Enable or Disable. |
Status | The state of the IPsec SA. |
Worry Metric | The rekey time for the IKEv2 SA. |
The following example displays basic information about the IPsec SA database.
```text
device# show ipsec sa
IPSEC Security Association Database is empty.
SPDID(vrf:if) Dir Encap SPI Destination AuthAlg EncryptAlg
IPSEC Security Association Database(child SA pair:4)
0:tnl 18 OUT IPSEC_ 0x00007935 10.18.3.4 Null aes-gcm-256
0:tnl 18 IN IPSEC_ 0x0000b278 10.18.3.5 Null aes-gcm-256
0:tnl 22 OUT IPSEC_ 0x000064b2 10.22.3.4 Null aes-gcm-256
0:tnl 22 IN IPSEC_ 0x00008dea 10.22.3.5 Null aes-gcm-256
0:tnl 19 OUT IPSEC_ 0x00006018 10.19.3.4 Null aes-gcm-256
0:tnl 19 IN IPSEC_ 0x000062df 10.19.3.5 Null aes-gcm-256
0:tnl 20 OUT IPSEC_ 0x0000de58 10.20.3.4 Null aes-gcm-256
0:tnl 20 IN IPSEC_ 0x0000acff 10.20.3.5 Null aes-gcm-256
```
The following example displays detailed information for an IPsec SA by specifying the local IP address of the SA.
```text
device# show ipsec sa address 10.19.3.4 detail
IPSEC Security Association Database(child SA pair:0)
interface : tnl 19
Local address: 10.3.3.4/500, Remote address: 10.19.3.5/500
Inner VRF : vrf1
Local Identity (addr/mask/prot/port): address(0.0.0.0/0/0/0)
Remote Identity(addr/mask/prot/port): address(0.0.0.0/0/0/0)
DF-bit : clear
Profile-name : 19
DH group : none
Direction : outbound, SPI: 0x6018
Mode : tunnel,
Protocol : IPSEC_ESP , Encryption : aes-gcm-256 , Authentication : Null
ICV size : 16 bytes
lifetime(sec) : Expiring in 243 secs
Anti-replay service : Disable
ESN : Disable
Status : ACTIVE
Worry Metric :0
```
The following example displays IPsec SA information, including information about IPv6 connections.
```text
device# show ipsec sa
IPSEC Security Association Database(child SA pair:7)
SPDID(vrf:if) Dir Encap SPI Destination AuthAlg EncryptAlg
0:tnl 8 OUT IPSEC_ESP 0x000056c1 2220::1 NULL aes-gcm-256
0:tnl 8 IN IPSEC_ESP 0x00004b95 5002::2 NULL aes-gcm-256
0:tnl 7 OUT IPSEC_ESP 0x00001489 1110::1 NULL aes-gcm-256
0:tnl 7 IN IPSEC_ESP 0x000000a3 5002::2 NULL aes-gcm-256
0:tnl 1 OUT IPSEC_ESP 0x0000e1c1 1000::1 NULL aes-gcm-256
0:tnl 1 IN IPSEC_ESP 0x00007eb2 1004::2 NULL aes-gcm-256
0:tnl 4 OUT IPSEC_ESP 0x00001044 120.1.1. NULL aes-gcm-256
0:tnl 4 IN IPSEC_ESP 0x00009dd5 110.1.1.1 NULL aes-gcm-256
0:tnl 11 OUT IPSEC_ESP 0x00000682 1000::1 NULL aes-gcm-256
0:tnl 11 IN IPSEC_ESP 0x00001c49 1003::2 NULL aes-gcm-256
0:tnl 9 OUT IPSEC_ESP 0x0000f369 3330::1 NULL aes-gcm-256
0:tnl 9 IN IPSEC_ESP 0x00005f22 5002::2 NULL aes-gcm-256
0:tnl 3 OUT IPSEC_ESP 0x0000f948 100.1.1.1 NULL aes-gcm-256
0:tnl 3 IN IPSEC_ESP 0x000043dc 104.1.1.2 NULL aes-gcm-256
```
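The basic table output shown in the examples above is easy to audit in a script. The following parser is an added example (not part of this reference page or the device software); it reads the SPDID/Dir/Encap/SPI/Destination/AuthAlg/EncryptAlg rows from a constructed sample, then flags tunnels that lack a matching IN/OUT child SA pair and rows whose cipher is off an assumed allow-list (the allow-list and the Null-integrity check are the example's own policy, not something the command enforces).

```python
import re

# Constructed sample modelled on the table format documented above
# (one tunnel with only an OUT SA and a non-AEAD cipher, for the audit to catch).
SAMPLE = """\
IPSEC Security Association Database(child SA pair:2)
SPDID(vrf:if) Dir Encap SPI Destination AuthAlg EncryptAlg
0:tnl 18 OUT IPSEC_ESP 0x00007935 10.18.3.4 Null aes-gcm-256
0:tnl 18 IN IPSEC_ESP 0x0000b278 10.18.3.5 Null aes-gcm-256
0:tnl 8 OUT IPSEC_ESP 0x000056c1 2220::1 NULL aes-gcm-256
0:tnl 8 IN IPSEC_ESP 0x00004b95 5002::2 NULL aes-gcm-256
0:tnl 22 OUT IPSEC_ESP 0x000064b2 10.22.3.4 Null aes-cbc-128
"""

# One SA row: "<vrf>:tnl <id> <IN|OUT> <encap> <spi> <destination> <auth> <enc>"
ROW = re.compile(r"^(\d+):tnl (\d+)\s+(IN|OUT)\s+(\S+)\s+(0x[0-9a-fA-F]+)"
                 r"\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_sa_table(text):
    """Return one dict per SA row of the basic (non-detail) output; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            vrf, tnl, direction, encap, spi, dest, auth, enc = m.groups()
            rows.append({"vrf": int(vrf), "tunnel": int(tnl), "dir": direction,
                         "encap": encap, "spi": int(spi, 16), "dest": dest,
                         "auth": auth.lower(), "enc": enc.lower()})
    return rows

def audit(rows, allowed_enc=("aes-gcm-256",)):
    """Report tunnels missing an IN or OUT child SA and rows off the cipher allow-list.
    A Null AuthAlg is acceptable only with an AEAD cipher such as AES-GCM, which
    provides integrity itself; with a plain CBC cipher it leaves packets unauthenticated."""
    findings = []
    by_tunnel = {}
    for r in rows:
        by_tunnel.setdefault(r["tunnel"], set()).add(r["dir"])
        if r["enc"] not in allowed_enc:
            findings.append(f"tnl {r['tunnel']} {r['dir']}: cipher {r['enc']} not allowed")
        if r["auth"] == "null" and "gcm" not in r["enc"]:
            findings.append(f"tnl {r['tunnel']} {r['dir']}: Null integrity with non-AEAD cipher")
    for tnl, dirs in sorted(by_tunnel.items()):
        if dirs != {"IN", "OUT"}:
            missing = "IN" if "IN" not in dirs else "OUT"
            findings.append(f"tnl {tnl}: missing {missing} child SA")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_sa_table(SAMPLE)):
        print(finding)
```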
Release version | Command history |
---|---|
08.0.50 | This command was introduced. |
08.0.70 | Support was added for IPv6. |