security ipsec policy show
Display IPsec policies
Description
The security ipsec policy show command displays information about configured IPsec policies. All parameters are optional. This command is supported only when IPsec is enabled.
Running the command with the -vserver parameter displays all policies associated with the specified Vserver.
You can specify additional parameters to display only information that matches those parameters. For example, to display policies associated with a certain local IP subnet, run the command with the -local-ip-subnets parameter.
Parameters
- { [-fields <fieldname>, ...]
- If you specify the -fields <fieldname>,... parameter, the command displays only the specified fields. Note that key fields are always displayed.
- | [-instance ]}
- If you specify the -instance parameter, the command displays all fields of the policies.
- [-vserver <vserver name>] - Vserver
- If you specify this parameter, only policies associated with this Vserver will be displayed.
- [-name <text>] - Policy Name
- This parameter specifies the policy to be displayed.
- [-local-ip-subnets <IP Address/Mask>, ...] - Local IP Subnets
- If you specify this parameter, only policies that match the specified local IP subnets are displayed.
- [-remote-ip-subnets <IP Address/Mask>, ...] - Remote IP Subnets
- If you specify this parameter, only policies that match the specified remote IP subnets are displayed.
- [-local-ports {<Number>|<StartingNumber>-<EndingNumber>}, ...] - Local Ports
- If you specify this parameter, only policies that match the specified local ports are displayed.
- [-remote-ports {<Number>|<StartingNumber>-<EndingNumber>}, ...] - Remote Ports
- If you specify this parameter, only policies that match the specified remote ports are displayed.
- [-protocols {<Protocol Number>|<Protocol Name>}, ...] - Protocols
- If you specify this parameter, only policies that match the specified protocols are displayed.
- [-action <IPsec Action Type>] - Action
- If you specify this parameter, only policies that match the specified action are displayed.
- [-cipher-suite <Cipher Suite Type>] - Cipher Suite
- If you specify this parameter, only policies that match the specified cipher suite are displayed.
- [-ike-lifetime <integer>] - IKE Security Association Lifetime
- If you specify this parameter, only policies that match the specified IKE security association lifetime are displayed.
- [-ipsec-lifetime <integer>] - IPsec Security Association Lifetime
- If you specify this parameter, only policies that match the specified IPsec security association lifetime are displayed.
- [-ipsec-lifetime-bytes <integer>] - IPsec Security Association Lifetime (bytes)
- If you specify this parameter, only policies that match the specified IPsec security association lifetime in bytes are displayed.
- [-is-enabled {true|false}] - Is Policy Enabled
- If you specify this parameter, only policies whose enabled state matches the specified value are displayed.
- [-local-identity <text>] - Local Identity
- If you specify this parameter, only policies that match the specified local IKE endpoint identity, if configured, are displayed.
- [-remote-identity <text>] - Remote Identity
- If you specify this parameter, only policies that match the specified remote IKE endpoint identity, if configured, are displayed.
Examples
This example displays all policies in all Vservers:
cluster-1::> security ipsec policy show
Policy Cipher
Vserver Name Local IP Subnet Remote IP Subnet Suite Action
------- ---------- ------------------ ------------------ -------------- -------
vs_data1
Policy1 192.168.10.1/32 192.168.20.1/32 SUITEB_GCM256 ESP_TRA
Policy3 192.158.10.10/32 192.158.10.20/32 SUITEB_GCM256 DISCARD
vs_data2
Policy2 10.10.10.10/32 20.20.20.20/32 SUITE_AESCBC ESP_TRA
3 entries were displayed.
This example displays all of the IPsec policies from a single Vserver:
cluster-1::> security ipsec policy show -vserver vs_data1
Policy Cipher
Vserver Name Local IP Subnet Remote IP Subnet Suite Action
------- ---------- ------------------ ------------------ -------------- -------
vs_data1
Policy1 192.168.10.1/32 192.168.20.1/32 SUITEB_GCM256 ESP_TRA
Policy3 192.158.10.10/32 192.158.10.20/32 SUITEB_GCM256 DISCARD
2 entries were displayed.
This example displays a specific policy:
cluster-1::> security ipsec policy show -vserver vs_data1 -name Policy1
Vserver Name: vs_data1
Policy Name: Policy1
Local IP Subnets: 192.168.10.1/32
Remote IP Subnets: 192.168.20.1/32
Local Ports: 0-0
Remote Ports: 0-0
Protocols: any
Action: ESP_TRA
Cipher Suite: SUITEB_GCM256
IKE Security Association Lifetime: 10800
IPsec Security Association Lifetime: 3600
IPsec Security Association Lifetime (bytes): 0
Is Policy Enabled: true
Local Identity:
Remote Identity:
This example displays a specific field from all policies:
cluster-1::> security ipsec policy show -fields local-ip-subnets
vserver name local-ip-subnets
-------- ------- ----------------
vs_data1 Policy1 192.168.10.1/32
vs_data1 Policy3 192.158.10.10/32
vs_data2
Policy2 10.10.10.10/32
3 entries were displayed.
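The detailed "Label: value" output shown for a single policy lends itself to scripted review. The following is an added example, not part of the original reference or of ONTAP: a Python sketch that parses saved output of that form and reports policies that deviate from a site baseline. The function names, the baseline values (allowed cipher suites, maximum lifetime) and the assumption that every record opens with a "Vserver Name" line are illustrative.

```python
# SAMPLE is constructed: record 1 abridges the page's Policy1 output, record 2
# is made up for illustration. Baseline defaults in audit() are assumptions.
SAMPLE = """\
Vserver Name: vs_data1
Policy Name: Policy1
Action: ESP_TRA
Cipher Suite: SUITEB_GCM256
IPsec Security Association Lifetime: 3600
Is Policy Enabled: true
Local Identity:

Vserver Name: vs_data2
Policy Name: Policy2
Action: ESP_TRA
Cipher Suite: SUITE_AESCBC
IPsec Security Association Lifetime: 28800
Is Policy Enabled: false
Local Identity:
"""

def parse_policies(text):
    """Split 'Label: value' output into one dict per policy record."""
    policies = []
    for line in text.splitlines():
        label, sep, value = line.partition(":")  # first colon only, so IPv6 values survive
        if not sep:
            continue                             # blank or non-field line
        if label.strip() == "Vserver Name":      # assumed to open every record
            policies.append({})
        if policies:
            policies[-1][label.strip()] = value.strip()
    return policies

def audit(policies, allowed_suites=("SUITEB_GCM256",), max_ipsec_lifetime=3600):
    """Return (vserver, policy, finding) tuples for deviations from the baseline."""
    findings = []
    for p in policies:
        who = (p["Vserver Name"], p["Policy Name"])
        if p.get("Is Policy Enabled") != "true":
            findings.append(who + ("policy is disabled",))
        if p.get("Action") == "ESP_TRA" and p.get("Cipher Suite") not in allowed_suites:
            findings.append(who + ("cipher suite %s not in baseline" % p.get("Cipher Suite"),))
        if int(p.get("IPsec Security Association Lifetime") or 0) > max_ipsec_lifetime:
            findings.append(who + ("IPsec SA lifetime above baseline",))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE)):
        print(*finding, sep=" | ")
```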