
display ipsec sa efficient-vpn

Function

The display ipsec sa efficient-vpn command displays information about the IPSec SAs established using a specified Efficient VPN policy.

Format

display ipsec sa efficient-vpn efficient-vpn-name

Parameters

Parameter Description Value

brief

Displays brief information about all IPSec SAs.

-

duration

Displays detailed information about IPSec SAs with specified lifetime.

-

policy policy-name

Displays detailed information about IPSec SAs established using an IPSec policy with a specified name.

The value must be an existing IPSec policy name.

seq-number

Displays detailed information about IPSec SAs established using an IPSec policy with a specified sequence number.

The value must be an existing IPSec policy sequence number.

profile profile-name

Displays detailed information about IPSec SAs established using a specified IPSec profile.

The value must be an existing IPSec profile name.

remote ipv4-address

Displays detailed information about IPSec SAs with the specified remote IPv4 address.

The value is in dotted decimal notation.

Parameter Description Value

efficient-vpn-name

Displays SA information of an Efficient VPN policy with a specified name.

The value is an existing Efficient VPN policy name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view Efficient VPN SA information, such as the local and remote addresses of the IPSec tunnel, source and destination addresses of data flows, and the SA lifetime.

Example

# Display information about the IPSec SAs of the Efficient VPN policy evpn.
<HUAWEI> display ipsec sa efficient-vpn evpn

ipsec sa information:

===============================
Interface: Vlanif20
===============================

  -----------------------------
  IPSec efficient-vpn name: "evpn"
  Mode                    : EFFICIENTVPN-CLIENT MODE
  -----------------------------
    Connection ID     : 268435456
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 4m 29s
    Tunnel local      : 10.10.10.1/4500
    Tunnel remote     : 10.2.1.2/4500
    Flow source       : 10.1.1.6/255.255.255.255 0/0
    Flow destination  : 0.0.0.0/0.0.0.0 0/0
    Flow dscp         : af11 

    [Outbound ESP SAs]
      SPI: 2703436139 (0xa123296b)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key soft duration (kilobytes/sec): 4666163/2960
      SA remaining key hard duration (kilobytes/sec): 5242880/3355
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: Y
      SA encrypted packets (number/bytes): 0/0

    [Inbound ESP SAs]
      SPI: 2303751342 (0x895074ae)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key soft duration (kilobytes/sec): 4666163/2960
      SA remaining key hard duration (kilobytes/sec): 5242880/3355
      Max received sequence-number: 0
      UDP encapsulation used for NAT traversal: Y
      SA decrypted packets (number/bytes): 0/0
      Anti-replay : Enable
      Anti-replay window size: 1024

Table 1 Description of the display ipsec sa efficient-vpn command output

Item Description

ipsec sa information

Information about the IPSec SA.

Interface

Interface to which the Efficient VPN policy is applied.

IPSec efficient-vpn name

Name of the IPSec efficient-vpn policy. To configure the IPSec efficient-vpn policy name, run the ipsec efficient-vpn command.

Mode

Mode in which an Efficient VPN policy is created.

Connection ID

ID of the IPSec SA connection.

Encapsulation mode

Encapsulation mode in an IPSec proposal.

Holding time

Time elapsed since an IPSec tunnel was created.

Tunnel local

IP address and NAT traversal port of the local interface. To configure the IP address of the local interface, run the tunnel local command.

Tunnel remote

IP address and NAT traversal port of the remote interface. To configure the IP address of the remote interface, run the remote-address command.

Flow source

Source IP address segment of the data flow sent from the local end and the protocol number and port number of the ACL.

Flow destination

Destination IP address segment of the data flow sent from the local end and the protocol number and port number of the ACL.

Flow dscp

DSCP value of the data flow sent from the local end.

Outbound ESP SAs

Outbound IPSec SA information using ESP.

SPI

SPI of an SA.

Proposal

IPSec proposal.

SA remaining key soft duration (kilobytes/sec)

Soft remaining lifetime of an SA, in kilobytes or seconds.

SA remaining key hard duration (kilobytes/sec)

Hard remaining lifetime of an SA, in kilobytes or seconds. To set the SA lifetime, run the ipsec sa global-duration command.

Max sent sequence-number

Maximum sequence number of sent packets. The sequence number increases during communication and is used for anti-replay.

UDP encapsulation used for NAT traversal

Whether NAT traversal is enabled:
  • Y
  • N

SA encrypted packets (number/bytes)

Number of packets, and their total size in bytes, that are successfully encrypted using the IPSec SA.

Inbound ESP SAs

Inbound IPSec SA information using ESP.

Max received sequence-number

Maximum sequence number of received packets.

SA decrypted packets (number/bytes)

Number of packets, and their total size in bytes, that are successfully decrypted using the IPSec SA.

Anti-replay

Whether the anti-replay function is enabled for an IPSec tunnel:
  • Enable
  • disable

To configure the anti-replay function for an IPSec tunnel, run the ipsec anti-replay enable command.

Anti-replay window size

IPSec anti-replay window size. This field is valid only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window or ipsec anti-replay window command.
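The following is an added example, not part of the Huawei documentation: it parses the output of this command into one record per SA and flags proposals that use algorithms on a local deny-list, as well as inbound SAs without anti-replay. The sample text is constructed from the example output above; the names parse_sas, audit and WEAK, and the deny-list itself, are assumptions made for this illustration.

```python
import re

# Constructed sample, abridged from the example output on this page.
SAMPLE = """\
Interface: Vlanif20
  IPSec efficient-vpn name: "evpn"
    Tunnel remote     : 10.2.1.2/4500
    [Outbound ESP SAs]
      SPI: 2703436139 (0xa123296b)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
    [Inbound ESP SAs]
      SPI: 2303751342 (0x895074ae)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      Anti-replay : Enable
      Anti-replay window size: 1024
"""

# Assumed local policy (not from the Huawei documentation): algorithm names
# that should no longer appear in a negotiated proposal.
WEAK = re.compile(r"-(DES|3DES|MD5|SHA1)(?:-|$)")

def parse_sas(text):
    """Return one dict per SA direction, each carrying the tunnel-level fields."""
    sas, tunnel, current = [], {}, None
    for line in map(str.strip, text.splitlines()):
        section = re.fullmatch(r"\[(Outbound|Inbound) ESP SAs\]", line)
        if section:
            current = dict(tunnel, Direction=section.group(1))
            sas.append(current)
        elif line.startswith(("-", "=")):
            current = None                      # separator: next tunnel block
        elif ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            (tunnel if current is None else current)[key] = value.strip('"')
    return sas

def audit(sa):
    """List policy findings for one parsed SA."""
    findings = [f"weak algorithm in proposal: {tok}"
                for tok in sa.get("Proposal", "").split() if WEAK.search(tok)]
    if sa["Direction"] == "Inbound" and sa.get("Anti-replay", "").lower() != "enable":
        findings.append("anti-replay not enabled")
    return findings

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["Direction"], sa["SPI"], sa["Tunnel remote"], audit(sa))
```

The same functions accept the full command output captured from the device, because lines without a colon and the separator rows are skipped.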

Copyright © Huawei Technologies Co., Ltd.