IP security configuration such as security policy database and IKE SA information.

Command Syntax

> show table addressContext <addressContext_name> ipsec 
	ikeSaStatistics
	ikeSaStatus
	ipsecSaStatistics
	ipsecSaStatus
	peer
	spd
	systemStatistics


Command Parameters

Table: IPsec Parameters

Parameter

Description

ipsec

IP security configuration such as the security policy database (SPD) and IKE SA information.

ikeSaStatistics <sai>

This object displays IKE SA statistics. The fields displayed include:

  • <sa index> – The unique SAI (Security Association Index).
  • ikeVersion – The IKE version of this IPsec configuration.
  • ipsecSaNegotiationsFailed – Number of IPsec SA negotiations that failed on this IKE SA.
  • ipsecSaNegotiationsSucceeded – Number of IPsec SAs successfully negotiated using this IKE SA.
  • localIpAddr – Local IP address.
  • peerIpAddr – Peer IP address.

ikeSaStatus <sai>

This object displays IKE SA status details. The fields displayed include:

  • <sa index> – The unique SAI (Security Association Index).
  • dhGroup – DH group used in the IKE exchange.
  • encType – Encryption cipher type for this SA.
  • ikeVersion – The IKE version of this IPsec configuration.
  • integrityType – Integrity cipher type for this SA.
  • localId – Local identity type (fqdn/ipV4Addr/ipV6Addr).
  • localIpAddr – Local IP address.
  • peerId – Remote identity type (fqdn/ipV4Addr/ipV6Addr).
  • peerIpAddr – Remote IP address.
  • secondsRemaining – Number of seconds remaining before this SA expires.

ipsecSaStatistics <spi>

This object displays IPsec SA statistics. The fields displayed include:

  • inBytesCount – Number of ESP bytes received.
  • inPacketDiscardAntiReplay – Number of received packets discarded by the anti-replay check.
  • inPacketDiscardFailedIntegrity – Number of received packets discarded because the integrity check failed.
  • inPacketsCount – Number of ESP packets received.
  • localIpAddr – Local IP address.
  • outBytesCount – Number of ESP bytes sent.
  • outPacketsCount – Number of ESP packets sent.
  • peerIpAddr – Remote IP address.
  • remoteSpi – Remote Security Parameter Index (SPI).

ipsecSaStatus <local spi>

This object displays IPsec SA status. The fields displayed include:

  • bytesRemaining – Number of bytes remaining in the SA lifetime, when a byte-based lifetime is in use.
  • encType – Encryption type (aes/3des).
  • ikeSaIndex – Unique internally-assigned index of the IKE SA.
  • ikeVersion – The IKE version of this IPsec configuration.
  • integrityType – Integrity type (sha1/md5).
  • localSelector – Local SA traffic selector.
  • localSPI – Local Security Parameter Index (SPI).
  • localTerminationAddr – IP address of the local termination point.
  • remoteSelector – Remote SA traffic selector.
  • remoteSPI – Remote Security Parameter Index (SPI).
  • remoteTerminationAddr – IP address of the remote termination point.
  • secondsRemaining – Number of seconds remaining in the SA lifetime.
  • selectorName – Name of the Security Policy Database (SPD) entry used for this SA.
  • upperLayerProtocol – Upper layer protocol of the SA.

peer

IPsec remote key management protocol details for the peer. The fields displayed include:

  • name
  • ipAddress
  • protocol
  • type
  • ipAddress
  • domainName
  • ipAddressVar
  • type
  • ipAddress
  • domainName
  • preSharedKey
  • protectionProfile

NOTE: This object is available with the 'show table' command only.

spd

IPsec security policy configuration. The fields displayed include:

  • name
  • state
  • precedence
  • localIpAddr
  • localIpPrefixLen
  • localPort
  • remoteIpAddr
  • remoteIpPrefixLen
  • remotePort
  • protocol
  • action
  • mode
  • protectionProfile
  • peer
  • localIpAddrVar

NOTE: This object is available with the 'show table' command only.

systemStatistics <sys name>

IPsec system statistics.

  • ikeSaNegotiationsFailed – Number of phase-1 (Main Mode) Security Association negotiation failures.
  • ikeSaNegotiationsSucceeded – Number of phase-1 (Main Mode) Security Association negotiations that resulted in a phase-1 SA being established.
  • inPacketDiscardDiscarded – Number of incoming Internet Security Association and Key Management Protocol (ISAKMP) packets discarded as a result of matching a discard SPD rule.
  • inPacketDiscardInvalidSpi – Number of incoming ESP packets discarded because their SPI did not match an existing phase-2 SA.
  • inPacketDiscardNoState – Number of incoming ISAKMP packets discarded as a result of matching a discard (no state) rule.
  • inPacketDiscardProtected – Number of incoming ISAKMP packets discarded as a result of matching a protect SPD rule.
  • inPacketDiscardSAExpired – Number of incoming ESP packets discarded because they arrived on a phase-2 SA that had expired.
  • inPacketDiscardSelectorMismatch – Number of incoming ESP packets discarded due to a traffic selector mismatch.
  • ipsecSaNegotiationsFailed – Number of phase-2 (Quick Mode) Security Association negotiation failures.
  • ipsecSaNegotiationsSucceeded – Number of successful phase-2 (Quick Mode) Security Association negotiations.
  • outPacketDiscardDiscarded – Number of outgoing ISAKMP packets discarded as a result of matching a discard SPD rule.
  • outPacketDiscardProtected – Number of outgoing ISAKMP packets discarded as a result of matching a protect SPD rule.
  • outPacketDiscardSAExpired – Number of outgoing ESP packets discarded because they belong to a phase-2 SA that has expired.
  • outPacketDiscardSSNWrap – Number of outgoing ESP packets discarded because the ESP sequence number wrapped around.

NOTE: The value of inPacketDiscardInvalidSpi is always 0, because this statistic is not stored internally.
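The ipsecSaStatus, ipsecSaStatistics and systemStatistics tables above are the ones an operator would poll when reviewing the security of the IPsec configuration: weak algorithms and imminent expiry in ipsecSaStatus, integrity and anti-replay discards in ipsecSaStatistics, and bursts of failed IKE negotiations or selector mismatches in systemStatistics. The following triage script is an added example and is not code from the SBC or from this documentation. The column names are the field names listed on this page; the whitespace-separated table layout, the sample values, the parse_table/check_* function names and the alert thresholds are constructed assumptions for illustration.

```python
"""Triage 'show table addressContext <ctx> ipsec' tables for security-relevant signals.
Added example, not code from the SBC or its documentation. Column names are the
field names the page lists; layout, sample values and thresholds are assumptions."""
from typing import Dict, List, Tuple

# The page documents encType values aes/3des and integrityType values sha1/md5.
# Which of those to treat as weak is local policy (an assumption), not the page's.
WEAK_ENC = {"3des", "des", "null"}
WEAK_INTEG = {"md5"}
EXPIRY_WARN_SECONDS = 120   # warn when secondsRemaining drops below this

# Constructed sample output (field names from the page, values invented).
IPSEC_SA_STATUS = """\
localSPI   remoteSPI  encType integrityType ikeVersion secondsRemaining localTerminationAddr remoteTerminationAddr
0xc1a2b3d4 0x9f8e7d6c aes     sha1          2          3401             10.0.0.1             198.51.100.7
0x11223344 0x55667788 3des    md5           1          45               10.0.0.1             203.0.113.9
"""
IPSEC_SA_STATISTICS = """\
localIpAddr peerIpAddr   remoteSpi  inPacketsCount inPacketDiscardAntiReplay inPacketDiscardFailedIntegrity
10.0.0.1    198.51.100.7 0x9f8e7d6c 120043         0                         0
10.0.0.1    203.0.113.9  0x55667788 8831           17                        3
"""
# Two polls of systemStatistics; the counters are cumulative, so only deltas mean anything.
SYSTEM_STATISTICS_T0 = """\
ikeSaNegotiationsFailed ikeSaNegotiationsSucceeded ipsecSaNegotiationsFailed ipsecSaNegotiationsSucceeded inPacketDiscardSelectorMismatch
12                      845                        3                         2210                         0
"""
SYSTEM_STATISTICS_T1 = """\
ikeSaNegotiationsFailed ikeSaNegotiationsSucceeded ipsecSaNegotiationsFailed ipsecSaNegotiationsSucceeded inPacketDiscardSelectorMismatch
410                     847                        3                         2216                         9
"""

Row = Dict[str, str]
Finding = Tuple[str, str, str]   # (severity, subject, message)

def parse_table(text: str) -> List[Row]:
    """Parse a header-plus-rows whitespace table into one dict per row, keyed by column."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    rows = []
    for ln in lines[1:]:
        cells = ln.split()
        if len(cells) != len(header):
            raise ValueError(f"column count mismatch in row: {ln!r}")
        rows.append(dict(zip(header, cells)))
    return rows

def check_sa_status(rows: List[Row]) -> List[Finding]:
    """Flag IPsec SAs negotiated with weak algorithms or close to expiry."""
    findings = []
    for sa in rows:
        spi, peer = sa["localSPI"], sa["remoteTerminationAddr"]
        if sa["encType"].lower() in WEAK_ENC:
            findings.append(("high", spi, f"weak encryption {sa['encType']} to {peer}"))
        if sa["integrityType"].lower() in WEAK_INTEG:
            findings.append(("high", spi, f"weak integrity {sa['integrityType']} to {peer}"))
        if int(sa["secondsRemaining"]) < EXPIRY_WARN_SECONDS:
            findings.append(("low", spi, f"expires in {sa['secondsRemaining']}s; confirm the rekey succeeds"))
    return findings

def check_sa_statistics(rows: List[Row]) -> List[Finding]:
    """Integrity failures and anti-replay drops on a live SA mean tampered, corrupted
    or replayed ESP packets arrived from that peer; neither is benign background noise."""
    findings = []
    for sa in rows:
        subject = f"{sa['peerIpAddr']}/{sa['remoteSpi']}"
        if int(sa["inPacketDiscardFailedIntegrity"]) > 0:
            findings.append(("high", subject, f"{sa['inPacketDiscardFailedIntegrity']} ESP packets failed the integrity check"))
        if int(sa["inPacketDiscardAntiReplay"]) > 0:
            findings.append(("medium", subject, f"{sa['inPacketDiscardAntiReplay']} ESP packets dropped by anti-replay"))
    return findings

def check_system_deltas(before: Row, after: Row, failed_ike_threshold: int = 50) -> List[Finding]:
    """Diff two polls of systemStatistics. A burst of failed IKE negotiations with few
    successes looks like a misconfigured or hostile peer hammering the IKE listener."""
    findings = []
    delta = {k: int(after[k]) - int(before[k]) for k in before}
    if delta["ikeSaNegotiationsFailed"] >= failed_ike_threshold:
        findings.append(("high", "ike", f"{delta['ikeSaNegotiationsFailed']} failed IKE SA negotiations "
                                        f"since last poll ({delta['ikeSaNegotiationsSucceeded']} succeeded)"))
    if delta["inPacketDiscardSelectorMismatch"] > 0:
        findings.append(("medium", "esp", f"{delta['inPacketDiscardSelectorMismatch']} ESP packets outside the SA's traffic selectors"))
    return findings

def triage() -> List[Finding]:
    """Run all checks over the sample tables; highest severity first (sort is stable)."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = (check_sa_status(parse_table(IPSEC_SA_STATUS))
                + check_sa_statistics(parse_table(IPSEC_SA_STATISTICS))
                + check_system_deltas(parse_table(SYSTEM_STATISTICS_T0)[0],
                                      parse_table(SYSTEM_STATISTICS_T1)[0]))
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for severity, subject, message in triage():
        print(f"[{severity}] {subject}: {message}")
```

Only deltas of systemStatistics are compared because the counters are cumulative; a large absolute ikeSaNegotiationsFailed on a long-running system says nothing by itself. The inPacketDiscardInvalidSpi counter is deliberately left out of the delta check, since the note above states it is always 0.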
