IPsec show commands
root@vSRX1> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2101212 UP 767790f7193ba6ca 78bbb3150f022cd2 Main 1.2.3.22
root@vSRX1> show security ike security-associations detail
IKE peer 1.2.3.22, Index 2101212, Gateway Name: IKE-GW
Role: Initiator, State: UP
Initiator cookie: 767790f7193ba6ca, Responder cookie: 78bbb3150f022cd2
Exchange type: Main, Authentication method: Pre-shared-keys
Local: 1.2.3.21:500, Remote: 1.2.3.22:500
Lifetime: Expires in 3060 seconds
Peer ike-id: 1.2.3.22
Xauth assigned IP: 0.0.0.0
Algorithms:
Authentication : hmac-sha1-96
Encryption : aes128-cbc
Pseudo random function: hmac-sha1
Diffie-Hellman group : DH-group-5
Traffic statistics:
Input bytes : 892
Output bytes : 1096
Input packets: 4
Output packets: 5
Flags: IKE SA is created
IPSec security associations: 1 created, 0 deleted
Phase 2 negotiations in progress: 0
Negotiation type: Quick mode, Role: Initiator, Message ID: 0
Local: 1.2.3.21:500, Remote: 1.2.3.22:500
Local identity: 1.2.3.21
Remote identity: 1.2.3.22
Flags: IKE SA is created
==================================================================================
root@vSRX1> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:aes-cbc-128/sha1 c016fe6c 3111/ unlim U root 500 1.2.3.22
>131073 ESP:aes-cbc-128/sha1 cc33a2c0 3111/ unlim U root 500 1.2.3.22
root@vSRX1> show security ipsec security-associations detail
ID: 131073 Virtual-system: root, VPN Name: IPSEC-VPN
Local Gateway: 1.2.3.21, Remote Gateway: 1.2.3.22
Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0)
Version: IKEv1
DF-bit: clear
Bind-interface: st0.1
Port: 500, Nego#: 1, Fail#: 0, Def-Del#: 0 Flag: 0x600a29
Last Tunnel Down Reason: SA not initiated
Direction: inbound, SPI: c016fe6c, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3033 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2411 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Direction: outbound, SPI: cc33a2c0, AUX-SPI: 0
, VPN Monitoring: UP
Hard lifetime: Expires in 3033 seconds
Lifesize Remaining: Unlimited
Soft lifetime: Expires in 2411 seconds
Mode: Tunnel(10 10), Type: dynamic, State: installed
Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
Anti-replay service: counter-based enabled, Replay window size: 64
Show security statistics:
root@vSRX1> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 209552
Decrypted bytes: 115440
Encrypted packets: 1382
Decrypted packets: 1375
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Monitor the interface:
root@vSRX1> monitor interface st0.1
vSRX1 Seconds: 2290 Time: 12:57:20
Delay: 0/0/3
Interface: st0.1, Enabled, Link is Up
Flags: Point-To-Point SNMP-Traps
Encapsulation: Secure-Tunnel
Local statistics: Current delta
Input bytes: 49560 [19236]
Output bytes: 0 [0]
Input packets: 590 [229]
Output packets: 0 [0]
Remote statistics:
Input bytes: 41648 (328 bps) [17172]
Output bytes: 15912 (0 bps) [7056]
Input packets: 777 (0 pps) [313]
Output packets: 194 (0 pps) [84]
Traffic statistics: Input bytes: 9120, [36408]
Input bytes: 64032 [9232]