security ipsec show-ipsecsa
Show IPsec SA Information
Description
The security ipsec show-ipsecsa command displays information about IPsec Security Associations (SA).
Running this command with the -node parameter displays information relevant to IPsec SAs at the specified node.
Running this command with the -vserver parameter displays information relevant to IPsec SAs associated with the specified vserver.
Running this command with the -policy-name parameter displays information relevant to IPsec SAs created using the specified security policy.
You can specify additional parameters to display only information matching those parameters. For example, to display only the IPsec SAs for a certain local address, run the command with the -local-address parameter.
Parameters
- { [-fields <fieldname>, ...]
- If you specify the -fields <fieldname>,... parameter, the command displays only the specified fields. Notice that key fields are always displayed.
- | [-instance ]}
- If you specify the -instance parameter, the command displays all fields of matching IPsec SAs.
- -node <nodename> - Node
- This required parameter specifies from which node the IPsec SA information will be collected and displayed.
- [-vserver <vserver name>] - Vserver Name
- Use this parameter to display the IPsec SAs associated with the specified Vserver.
- [-policy-name <text>] - Policy Name
- Use this parameter to display the IPsec SAs created based on the specified security policy.
- [-local-address <text>] - Local Address
- Use this parameter to display the IPsec SAs with the specified local endpoint IP address.
- [-remote-address <text>] - Remote Address
- Use this parameter to display the IPsec SAs with the specified remote endpoint IP address.
- [-inbound-spi <text>] - Inbound SPI
- Use this parameter to display the IPsec SA having the specified inbound Security Parameter Index (SPI).
- [-outbound-spi <text>] - Outbound SPI
- Use this parameter to display the IPsec SA having the specified outbound SPI.
- [-action <IPsec Action Type>] - IPsec Action
- Use this parameter to display IPsec SAs with the specified security action type, such as ESP_TRA for ESP transport mode protection, BYPASS to bypass IPsec, or DISCARD.
- [-state <text>] - IPsec SA State
- Use this parameter to display only the IPsec SAs that are in the specified state.
- [-cipher-suite <Cipher Suite Type>] - Cipher Suite
- Use this parameter to display the IPsec SAs that use the specified cipher-suite.
- [-ib-bytes <integer>] - Inbound Bytes Processed
- Use this parameter to display the IPsec SAs matching the processed inbound bytes. Notice that ib-bytes keeps changing as inbound packets are processed.
- [-ib-pkts <integer>] - Inbound Pkts Processed
- Use this parameter to display the IPsec SAs matching the processed inbound packets. Notice that ib-pkts keeps changing as inbound packets are processed.
- [-ob-bytes <integer>] - Outbound Bytes Processed
- Use this parameter to display the IPsec SAs matching the processed outbound bytes. Notice that ob-bytes keeps changing as outbound packets are processed.
- [-ob-pkts <integer>] - Outbound Pkts Processed
- Use this parameter to display the IPsec SAs matching the processed outbound packets. Notice that ob-pkts keeps changing as outbound packets are processed.
- [-lifetime <integer>] - IPsec SA Lifetime Seconds
- Use this parameter to display the IPsec SAs matching the remaining lifetime. Notice that lifetime keeps changing for the duration of the security association.
Examples
This example displays all IPsec SAs for node cluster1-node1:
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
vs1         Policy1
                    192.186.10.1    192.186.10.2    c68de9db c84f913b INSTALLED
vs2         Policy2
                    192.186.20.1    192.186.20.2    cbc01493 c6ee7424 INSTALLED
2 entries were displayed.
This example displays selected fields of all IPsec SAs for node cluster1-node1:
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields local-address,remote-address,inbound-spi,outbound-spi
node           vserver policy-name local-address  remote-address inbound-spi outbound-spi
-------------- ------- ----------- -------------- -------------- ----------- ------------
cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    c84f913b
cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    c6ee7424
2 entries were displayed.
This example displays selected fields of all IPsec SAs associated with node cluster1-node1:
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields ib-bytes,ib-pkts,ob-bytes,ob-pkts
node           vserver policy-name local-address  remote-address inbound-spi ib-bytes ib-pkts ob-bytes ob-pkts
-------------- ------- ----------- -------------- -------------- ----------- -------- ------- -------- -------
cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    4704     56      6720     56
cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    20434    115     23082    120
2 entries were displayed.
This example displays the instance view (all fields) for all IPsec SAs associated with node cluster1-node1 and vserver vs1, and created using policy Policy1:
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
Node: cluster1-node1
Vserver Name: vs1
Policy Name: Policy1
Inbound SPI: c68de9db
Outbound SPI: c84f913b
Local Address: 192.168.10.1
Remote Address: 192.168.10.2
IPsec Action: ESP_TRA
IPsec SA State: INSTALLED
Cipher Suite: SUITEB_GCM256
Inbound Bytes Processed: 4704
Inbound Pkts Processed: 56
Outbound Bytes Processed: 6720
Outbound Pkts Processed: 56
IPsec SA Lifetime Seconds: 1800
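The instance view is a run of "Label: value" lines, so captured output can be checked against an expected baseline from a script. The following is an added example, not part of the command documentation: it parses saved -instance output and reports SAs whose action, state or cipher suite differ from the baseline, plus SAs that send packets but have processed none inbound. The function names, the baseline, the rule that a "Node" label starts a new record, and the second sample record are assumptions made for illustration.

```python
# Added example; SAMPLE is constructed (record 1 abridged from the page, record 2 made up).
SAMPLE = """\
Node: cluster1-node1
Vserver Name: vs1
Policy Name: Policy1
IPsec Action: ESP_TRA
IPsec SA State: INSTALLED
Cipher Suite: SUITEB_GCM256
Inbound Pkts Processed: 56
Outbound Pkts Processed: 56

Node: cluster1-node1
Vserver Name: vs2
Policy Name: Policy2
IPsec Action: BYPASS
IPsec SA State: INSTALLED
Cipher Suite: SUITEB_GCM256
Inbound Pkts Processed: 0
Outbound Pkts Processed: 120
"""

def parse_instance(text):
    """Return one dict per SA; a "Node" label is assumed to start a new record."""
    records = []
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # first colon only, so IPv6 values survive
        if sep and label.strip() == "Node":
            records.append({})
        if sep and records:  # lines without a colon (blank, footer) are skipped
            records[-1][label.strip()] = value.strip()
    return records

BASELINE = {"IPsec Action": {"ESP_TRA"}, "IPsec SA State": {"INSTALLED"},
            "Cipher Suite": {"SUITEB_GCM256"}}  # assumed baseline, values from the page
def audit(records, baseline=BASELINE):
    """Return (vserver, policy, issue) tuples for SAs that deviate from the baseline."""
    findings = []
    for r in records:
        who = (r.get("Vserver Name"), r.get("Policy Name"))
        for field, allowed in baseline.items():
            if r.get(field) not in allowed:
                findings.append(who + (f"{field}={r.get(field)}",))
        ib, ob = r.get("Inbound Pkts Processed"), r.get("Outbound Pkts Processed")
        if ib == "0" and ob not in (None, "0"):  # heuristic: traffic leaves, none returns
            findings.append(who + ("no inbound packets",))
    return findings

if __name__ == "__main__":
    print(audit(parse_instance(SAMPLE)))
```

Because the packet and byte counters change as traffic is processed, the inbound-packet check is only meaningful on a fresh capture.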