IP security configuration such as security policy database and IKE SA information.
Command Syntax
> show table addressContext <addressContext_name> ipsec
ikeSaStatistics
ikeSaStatus
ipsecSaStatistics
ipsecSaStatus
peer
spd
systemStatistics
Command Parameters
Parameter | Description |
---|
ipsec | IP security configuration such as security policy database and IKE SA information. |
ikeSaStatistics <sai>
| This object displays IKE SA statistics. The fields displayed include: <sa index> – The unique SAI (Security Association Index).ikeVersion – The IKE version of this IPsec configuration.ipsecSaNegotiationsFailed – Number of IPsec SAs negotiations failed on this IKE SA
ipsecSaNegotiationsSucceeded – Number of IPsec SAs negotiated using this IKE SA
localIpAddr – Displays local IP address
peerIpAddr – Displays peer IP address
|
ikeSaStatus <sai>
| This object displays IKE SA status details. The fields displayed include: <sa index> – The unique SAI (Security Association Index).
dhGroup – DH group supported in the IKE exchange
encType – Encryption cipher type for this SA ikeVersion – The IKE version of this IPsec configuration.
integrityType – Integrity cipher type for this SA localId – Local identity type (fqdn/ipV4Addr/ipV6Addr)
localIpAddr – Displays local IP address
peerId – Remote identity type (fqdn/ipV4Addr/ipV6Addr)
peerIpAddr – Displays remote IP address
secondsRemaining – Number of seconds remaining for this SA
|
ipsecSaStatistics <spi>
| This object displays IPsec SA statistics details. The fields displayed include: inBytesCount – Number of ESP bytes received.
inPacketDiscardAntiReplay – Number of packets discarded due to anti-replay.
inPacketDiscardFailedIntegrity – Number of packets discarded due to integrity check failure.
inPacketsCount – Number of ESP packets received.
localIpAddr – Local IP address.
outBytesCount – Number of ESP bytes sent.
outPacketsCount – Number of ESP packets sent.
peerIpAddr –Remote IP address.
remoteSpi – Remote Security Policy Index (SPI).
|
ipsecSaStatus <local spi>
| IPsec SA status. The fields displayed include: bytesRemaining – Number of bytes remaining if used for SA lifetime.
encType – Encryption type (aes/3des).
ikeSaIndex – Unique internally-assigned ID.
ikeVersion – The IKE version of this IPsec configuration.
integrityType – Integrity type (sha1/md5).
localSelector – Local SA traffic selector
localSPI – Local Security Policy Index (SPI) namelocalTerminationAddr – IP Address of the local termination point
remoteSelector – Remote SA traffic selector
remoteSPI – Remote SPI nameremoteTerminationAddr – IP Address of the remote termination point
secondsRemaining – Number of seconds remaining in SA lifetime.
selectorName – Name of the Security Policy Database (SPD) used for this SA
upperLayerProtocol – Upper layer protocol of the SA.
|
peer | IPsec remote key management protocol details for the peer. The fields displayed include: name ipAddress protocol type ipAddress domainName ipAddressVar type ipAddress domainName preSharedKey protectionProfile
NOTE: This command applies to the 'show table' command only. |
spd | IPsec security policy configuration. The fields displayed include: name state precedence localIpAddr localIpPrefixLen localPort remoteIpAddr remoteIpPrefixLen remotePort protocol action mode protectionProfile peer localIpAddrVar
NOTE: This command applies to the 'show table' command only. |
systemStatistics <sys name>
| IPsec system statistics. ikeSaNegotiationsFailed – Number of phase-1 (Main Mode) Security Association negotiation failures.ikeSaNegotiationsSucceeded – Number of phase-1 (Main mode) Security Association negotiations resulting in a phase-1 SA being established.inPacketDiscardDiscarded – Number of incoming Internet Security Association and Key Management Protocol (ISAKMP) packets discarded as a result of matching a discard SPD rule.inPacketDiscardInvalidSpi – Number of incoming ESP packets discarded due to their SPI not matching an existing phase-2 SA.inPacketDiscardNoState – Number of incoming ISAKMP packets discarded as a result of matching a discard no state rule.inPacketDiscardProtected – Number of incoming ISAKMP packets discarded as a result of matching a protect SPD rule.inPacketDiscardSAExpired – Number of incoming ESP packets discarded since they arrived on a phase-2 SA that has expired.inPacketDiscardSelectorMismatch – Number of Incoming ESP packets discarded due to selector mismatch.ipsecSaNegotiationsFailed – Number of phase-2 (Quick Mode) Security Association negotiation failures.ipsecSaNegotiationsSucceeded – Number of successful phase-2 (Quick Mode) Security Association negotiations.outPacketDiscardDiscarded – Number of outgoing ISAKMP packets discarded as a result of matching a discard SPD rule.outPacketDiscardProtected – Number of outgoing ISAKMP packets discarded as a result of matchinga protect SPD rule.outPacketDiscardSAExpired – Number of outgoing ESP packets discarded since they are for a phase-2 SA that has expired.outPacketDiscardSSNWrap – Number of outgoing ESP packets discarded due to wrapping around of the sequence number.
NOTE: The value of inPacketDiscardInvalidSpi will always be 0 on theas it does not store this statistic internally. |