
display ike sa

Function

The display ike sa command displays information about SAs established through IKE negotiation.

Format

display ike sa [ remote ipv4-address ]

display ike sa [ remote-id-type remote-id-type ] remote-id remote-id

display ike sa verbose [ remote ipv4-address | connection-id connection-id | [ remote-id-type remote-id-type ] remote-id remote-id ]

Parameters

Parameter: remote ipv4-address
Description: Specifies the IPv4 address of the remote peer.
Value: The value is in dotted decimal notation.

Parameter: remote-id-type remote-id-type
Description: Specifies a remote ID type.
Value: The remote ID type can be ip, key-id, fqdn, or user-fqdn.

Parameter: remote-id remote-id
Description: Specifies the remote ID.
Value: The remote ID must be an existing one.

Parameter: verbose
Description: Displays detailed information about SAs.
NOTE: If verbose is specified without any other parameter, the command displays detailed information about all SAs.
Value: -

Parameter: connection-id connection-id
Description: Specifies the connection ID of an SA.
Value: The value is an integer that ranges from 1 to 4294967295.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ike sa command to check the following SA information: connection ID, peer IP address, VPN instance name, SA phase, remote ID type, remote ID, and SA status.

If the local ID or remote ID is modified after an IPSec tunnel has been established, the display ike sa command continues to show the previous IDs until the IPSec tunnel is re-negotiated.

Example

# Display IKE SAs and IPSec SAs.

<HUAWEI> display ike sa
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ---------------------------------------------------------------------------------
    117477244     10.100.1.1/4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477242     10.100.1.1/4500 vrf1  RD|M      v2:1    IP          10.100.1.1

   Number of IKE SA : 2
  ---------------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

Table 1 Description of the display ike sa command output

Item
Description

IKE SA information

Configuration of SAs.

Conn-ID

Connection ID of an SA.

Peer

IP address and UDP port number of the peer.

VPN

VPN instance bound to the interface to which the IPSec policy is applied.

Flag(s)

SA status:

  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet since the last heartbeat timeout. The SA will be deleted if it still has not received a heartbeat packet by the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO: The last known good sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty (no flag shown): IKE SA negotiation is still in progress because the settings at the two ends of the tunnel are inconsistent.

Phase

Phases of the SA:

  • v1:1 or v2:1: v1 and v2 are the IKE versions. The digit 1 indicates the phase in which a secure channel, the IKE SA, is established.
  • v1:2 or v2:2: v1 and v2 are the IKE versions. The digit 2 indicates the phase in which the security service, the IPSec SA, is negotiated.

RemoteType

Remote ID type.

RemoteID

Remote ID.
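As an added example (not part of the Huawei documentation), a small Python parser for the summary table above that turns each row into a record and applies the Flag(s) and Phase semantics from Table 1 to decide whether each peer's tunnel is fully up. The sample text is constructed: its first two rows mirror the page, while the NEG row, the row with an empty Flag(s) cell and the FQDN remote ID hub.example are invented to exercise the cases Table 1 describes.

```python
import re

# Constructed sample in the layout of the summary table above (not captured from a device); rows
# 3 and 4 are invented to show an SA still negotiating and an empty Flag(s) cell.
SAMPLE_SUMMARY = """\
    Conn-ID       Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ---------------------------------------------------------------------------------
    117477244     10.100.1.1/4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477242     10.100.1.1/4500 vrf1  RD|M      v2:1    IP          10.100.1.1
    117477240     10.100.2.1/500  vrf1  NEG       v1:1    IP          10.100.2.1
    117477238     10.100.3.1/500  vrf2            v2:1    FQDN        hub.example

   Number of IKE SA : 4
"""

# The Flag(s) cell is optional; the Phase token (v1:1, v1:2, v2:1, v2:2) anchors the columns
# after it. A populated VPN cell is assumed, as in the output on this page.
ROW_RE = re.compile(
    r"^\s*(?P<conn_id>\d+)\s+(?P<peer>\S+)\s+(?P<vpn>\S+)\s+(?:(?P<flags>\S+)\s+)?"
    r"(?P<phase>v[12]:[12])\s+(?P<remote_type>\S+)\s+(?P<remote_id>\S+)\s*$"
)

def parse_ike_sa_summary(text):
    """One dict per SA row; 'flags' becomes a list of the '|'-separated tokens."""
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        row = m.groupdict()
        row["flags"] = row["flags"].split("|") if row["flags"] else []
        rows.append(row)
    return rows

def tunnel_health(rows):
    """Per peer: 'up' only when the phase-1 (IKE) and phase-2 (IPSec) SAs both carry RD."""
    by_peer = {}
    for r in rows:  # one row per phase per peer is assumed
        by_peer.setdefault(r["peer"], {})[r["phase"].split(":")[1]] = r
    status = {}
    for peer, sas in by_peer.items():
        p1, p2 = sas.get("1"), sas.get("2")
        if p1 is None or "RD" not in p1["flags"]:
            status[peer] = "IKE SA not ready: " + (("|".join(p1["flags"]) or "<empty>") if p1 else "<missing>")
        elif p2 is None or "RD" not in p2["flags"]:
            status[peer] = "IPSec SA not ready: " + (("|".join(p2["flags"]) or "<empty>") if p2 else "<missing>")
        else:
            status[peer] = "up"
    return status
```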

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv1 to negotiate IPSec SAs.

<HUAWEI> display ike sa verbose remote 10.100.1.1
------------------------------------------------
Ike Sa phase   : 2
Establish Time : 2017-02-08 13:10:29
PortCfg Index  : 0x448
IKE Peer Name  : _resv_ikev1__1
Connection Id  : 26
Version        : v1
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie        : 0x33d7a5bbf8ad12bb
Responder Cookie        : 0xf311b3991d739d38
Local Address           : 10.1.1.1/500
Remote Address          : 10.100.1.1/500
PFS                     :
Flags                   : RD|ST|A
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2017-02-07 20:57:48
PortCfg Index  : 0x448
IKE Peer Name  : _resv_ikev1__1
Connection Id  : 7
Version        : v1
Exchange Mode  : Aggressive
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie               : 0x33d7a5bbf8ad12bb
Responder Cookie               : 0xf311b3991d739d38
Local Address                  : 10.1.1.1/500
Remote Address                 : 10.100.1.1/500
Encryption Algorithm           : 3DES-CBC
Authentication Algorithm       : SHA1
Authentication Method          : Pre-Shared key
DPD Capability                 : Yes
DPD Enable                     : Yes
DPD Message Learning Enable    : Yes
DPD Message Format             : Seq-Notify-Hash
Reference Counter              : 0
Flags                          : RD|ST|A
Local Id Type                  : IP
local Id                       : 10.1.1.1
Remote Id Type                 : IP
Remote Id                      : 10.1.1.2
DH Group                       : 2
NAT Traversal Version          : RFC3947
SA Remaining Soft Timeout (sec):100
SA Remaining Hard Timeout (sec):200
------------------------------------------------

  Number of IKE SA : 2
------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv2 to negotiate IPSec SAs.

<HUAWEI> display ike sa verbose remote 10.100.1.1
------------------------------------------------
Ike Sa phase   : 2
Establish Time : 2017-02-20 22:07:57
PortCfg Index  : 0x98
IKE Peer Name  : _resv_ikev2__1
Connection Id  : 4
Version        : v2
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie        : 0x039b87ea4e1e91b2
Responder Cookie        : 0xdedd86121d2038d7
Local Address           : 10.1.1.1/500
Remote Address          : 10.100.1.1/4500
PFS                     :
Flags                   : RD|ST|A
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2017-02-20 22:07:57
PortCfg Index  : 0x98
IKE Peer Name  : _resv_ikev2__1
Connection Id  : 3
Version        : v2
Flow VPN       :
Peer VPN       :
------------------------------------------------
Initiator Cookie                       : 0x039b87ea4e1e91b2
Responder Cookie                       : 0xdedd86121d2038d7
Local Address                          : 10.1.1.1/500
Remote Address                         : 10.100.1.1/4500
Encryption Algorithm                   : 3DES-CBC
Authentication Method                  : Pre-Shared key
Integrity Algorithm                    : hmac-sha1-96
Prf Algorithm                          : hmac-sha1
DPD Capability                         : Yes
DPD Enable                             : Yes
Reference Counter                      : 1
Flags                                  : RD|ST|A
Local Id Type                          : IP
Local Id                               : huawei1
Remote Id Type                         : IP 
Remote Id                              : huawei
DH Group                               : 14
Re-authentication remaining time (sec) : -
SA Remaining Soft Timeout (sec)        :100
SA Remaining Hard Timeout (sec)        :200
------------------------------------------------

  Number of IKE SA : 2
------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

Table 2 Description of the display ike sa verbose command output

Item
Description

Ike Sa phase

Phases of the SA:

  • 1: IKE peers establish an IPSec tunnel. An IKE SA is established in this phase.
  • 2: IKE peers negotiate security services. An IPSec SA is established in this phase.

Establish Time

Time when the SA was created.

PortCfg Index

Index of the interface to which the IPSec policy is applied.

IKE Peer Name

IKE peer name.

Connection Id

Connection ID of an SA.

Version

IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.

Exchange Mode

Negotiation mode of IKEv1 phase 1:

  • Main: main mode.
  • Aggressive: aggressive mode.

Flow VPN

VPN to which the data flow belongs.

Peer VPN

VPN to which the peer belongs.

Initiator Cookie

Cookie of the initiator.

Responder Cookie

Cookie of the responder.

Local Address

Local IP address of an IPSec tunnel.

Remote Address

Remote IP address and UDP port number of an IPSec tunnel.

Encryption Algorithm

Encryption algorithm in the IKE proposal.

Authentication Algorithm

Authentication algorithm in the IKE proposal.

Authentication Method

Authentication method in the IKE proposal.

Integrity Algorithm

Integrity algorithm used in an IKEv2 proposal.

Prf Algorithm

Pseudo-random function (PRF) used in an IKEv2 proposal.

DPD Capability

Whether DPD capability is successfully negotiated.
  • yes
  • no

DPD Enable

Whether the DPD function is enabled.
  • yes
  • no

DPD Message Learning Enable

Whether automatic learning of the payload sequence of DPD packets is enabled.

  • Yes
  • No

To configure the automatic learning function, run the dpd msg notify-hash-sequence learning command.

DPD Message Format

Sequence of the payload in DPD packets.
  • Seq-Notify-Hash
  • Seq-Hash-Notify

Reference Counter

Number of IPSec SAs negotiated by the IKE SA.

PFS

Perfect Forward Secrecy (PFS) setting used when the local end initiates negotiation.

Flags

SA status:

  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet since the last heartbeat timeout. The SA will be deleted if it still has not received a heartbeat packet by the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO: The last known good sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty (no flag shown): IKE SA negotiation is still in progress because the settings at the two ends of the tunnel are inconsistent.

Local Id Type

Local ID type.

Local Id

Local ID for IKE negotiation.

Remote Id Type

Remote ID type.

Remote Id

Remote ID for IKE negotiation.

DH Group

DH group in the IKE proposal.

NAT Traversal Version

Version of NAT traversal.
  • draft-ietf-ipsec-nat-t-ike-00
  • draft-ietf-ipsec-nat-t-ike-02
  • RFC3947

Re-authentication remaining time (sec)

Remaining time for IKEv2 to initiate re-authentication, in seconds.

SA Remaining Soft Timeout (sec)

Soft remaining lifetime of an IKE SA, in seconds.

SA Remaining Hard Timeout (sec)

Hard remaining lifetime of an IKE SA, in seconds.

Number of IKE SA

Total number of IKE SAs and IPSec SAs.
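As a second added example (again not from the Huawei documentation), a parser for the verbose record format described in Table 2, plus a review check over the phase-1 fields that a defender would read first: the proposal algorithms, the DH group, and the IKEv1 exchange mode and authentication method. The sample record is constructed in the layout of the IKEv1 verbose output above and keeps only the fields the check reads; the legacy-algorithm spellings are those this command prints on this page (3DES-CBC, SHA1, hmac-sha1-96) and the DH group numbers are the IANA MODP group ids.

```python
# Constructed sample in the layout of the IKEv1 verbose output above (values are not from a real
# device); one SA record per blank-line-separated group, with the trailing SA count kept.
SAMPLE_VERBOSE = """\
------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2017-02-07 20:57:48
Version        : v1
Exchange Mode  : Aggressive
------------------------------------------------
Encryption Algorithm           : 3DES-CBC
Authentication Algorithm       : SHA1
Authentication Method          : Pre-Shared key
DH Group                       : 2
------------------------------------------------

  Number of IKE SA : 1
"""

def parse_verbose(text):
    """One {field: value} dict per SA: dashed rules are skipped, a blank line ends a record,
    and a group without 'Ike Sa phase' (the SA count trailer) is not an SA."""
    records, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if "Ike Sa phase" in current:
                records.append(current)
            current = {}
        elif set(line.strip()) != {"-"}:
            key, sep, value = line.partition(":")  # first colon only: timestamps contain colons
            if sep:
                current[key.strip()] = value.strip()
    return records

# Spellings as this command prints them; DH group numbers are the IANA MODP group ids.
LEGACY_ENC, LEGACY_AUTH, WEAK_DH = {"3DES-CBC"}, {"SHA1", "hmac-sha1-96"}, {"1", "2", "5"}

def audit_ike_sa(sa):
    """Findings for a phase-1 record (the proposal fields are shown on phase 1 only)."""
    f = []
    if sa.get("Ike Sa phase") != "1":
        return f
    if sa.get("Encryption Algorithm") in LEGACY_ENC:
        f.append("legacy encryption: " + sa["Encryption Algorithm"])
    if {sa.get("Authentication Algorithm"), sa.get("Integrity Algorithm")} & LEGACY_AUTH:
        f.append("legacy hash: SHA-1 based integrity/authentication")
    if sa.get("DH Group") in WEAK_DH:
        f.append("DH group " + sa["DH Group"] + " is below 2048 bits")
    if sa.get("Exchange Mode") == "Aggressive" and sa.get("Authentication Method") == "Pre-Shared key":
        f.append("IKEv1 aggressive mode with pre-shared key")
    return f
```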

Copyright © Huawei Technologies Co., Ltd.