display ipsec sa

Function

The display ipsec sa command displays information about an SA.

Format

display ipsec sa [ [ brief ] [ slot slot-id ] ]

Parameters

Parameter      Description                                                                    Value
brief          Displays brief information about an SA, such as the SA name and the          -
               Security Parameter Index (SPI) value.
slot slot-id   Specifies a slot ID.                                                          -

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

Task Name   Operations
ipsec       read

Usage Guidelines

Usage Scenario

You can run the display ipsec sa command to check whether the SA configurations for outgoing protocol packets on the local end are identical to those for incoming protocol packets on the peer end. The display ipsec sa command output displays the following information:

  • SA name
  • Security proposal applied to the SA
  • Number of times the SA is applied
  • SA configurations for incoming Authentication Header (AH)
  • SA configurations for outgoing AH
  • SA configurations for incoming Encapsulating Security Payload (ESP)
  • SA configurations for outgoing ESP
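The check described above can be automated by parsing the detailed output from both ends and comparing each local outbound SA with the peer's inbound SA (and vice versa). The following is an added example, not Huawei code; the two output samples are constructed from the layout shown in the Example section, and the peer's inbound proposal is deliberately altered so that the check has something to report.

```python
import re

# Constructed sample trimmed to the lines this check needs, in the
# "display ipsec sa" layout shown on this page (local end).
LOCAL = """\
    [inbound ESP SAs]
      spi: 1750602558 (0x6858133e)
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
    [outbound ESP SAs]
      spi: 1843820463 (0x6de677af)
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
"""
# Constructed peer output with a deliberately mismatched inbound proposal.
PEER = """\
    [inbound ESP SAs]
      spi: 1843820463 (0x6de677af)
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA1
    [outbound ESP SAs]
      spi: 1750602558 (0x6858133e)
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
"""

def parse_sas(text):
    """Map 'inbound'/'outbound' to {proto, spi, proposal} for one SA block."""
    sas, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"\[(inbound|outbound) (\S+) SAs\]", line)
        if m:
            cur = sas.setdefault(m.group(1), {"proto": m.group(2)})
        elif cur and line.startswith("spi:"):
            cur["spi"] = int(line.split()[1])          # decimal SPI
        elif cur and line.startswith("proposal:"):
            cur["proposal"] = line.split(":", 1)[1].split()
    return sas

def check_pair(local_out, peer_out):
    """Local outbound SA must equal the peer's inbound SA and vice versa."""
    local, peer, problems = parse_sas(local_out), parse_sas(peer_out), []
    for mine, theirs in (("outbound", "inbound"), ("inbound", "outbound")):
        a, b = local.get(mine), peer.get(theirs)
        if a is None or b is None:
            problems.append(f"missing SA: local {mine} / peer {theirs}")
            continue
        for key in ("proto", "spi", "proposal"):
            if a[key] != b[key]:
                problems.append(f"local {mine} {key} {a[key]} != peer {theirs} {key} {b[key]}")
    return problems
```

An empty list from check_pair means both directions agree on protocol, SPI and proposal; any entry names the side and field that differ.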

Example

The actual command output varies according to the device. The command output here is only an example.

# Display configurations of the SA.
<HUAWEI> display ipsec sa brief
Total Manual IP security association number: 1

IP security association name: 11

current IPsec sa number: 2
-------------------------------------------------------------------------------------------
Src Address     Dst Address     SPI        Protocol Algorithm                       VPN 
-------------------------------------------------------------------------------------------
10.1.1.1        10.1.1.2        852978435  ESP      E:AES      A:SHA2-256-128        -    
10.1.1.2        10.1.1.1        195316743  ESP      E:AES      A:SHA2-256-128        -
# Display the detailed configuration of the SA.
<HUAWEI> disp ipsec sa
2021-07-23 11:24:18.392 

IKE IP Security Association :
================================== 
IPsec SA Information for Slot : 1
==================================

=============================== 
Interface: Tunnel1015
===============================

  -----------------------------
  IPsec policy name: "client_1015"
  sequence number: 1
  instance id: 0
  mode: isakmp
  vpn: ipsec_tunnel_1015
  ext: -
  -----------------------------
    connection id: 48467
    rule number: 5
    encapsulation mode: tunnel
    tunnel local: 10.16.4.247    tunnel remote: 10.16.1.1
    flow      source: 10.16.4.247/255.255.255.255 0-65535 0 0xFF 
    flow destination: 10.16.1.1/255.255.255.255 0-65535 0 0xFF 
    input/output security packets: 4810242/1603626
    input/output security kilobytes: 582490/194189
    input/output bandwidth limit drop packets: 0/0
    input/output bandwidth limit drop kilobytes: 0/0

    [inbound ESP SAs] 
      establish: 2021-07-22 21:27:46 
      spi: 1750602558 (0x6858133e)
      vpn: ipsec_tunnel_1015 said: 41647
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): --/554608
      max received sequence-number: 4810242
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs] 
      establish: 2021-07-22 21:27:46 
      spi: 1843820463 (0x6de677af)
      vpn: ipsec_tunnel_1015 said: 41648
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): --/554608
      max sent sequence-number: 1603626
      udp encapsulation used for nat traversal: N
Table 1 Description of the display ipsec sa command output

Item
  Description

sa remaining key duration (kilobytes/sec)
  Remaining lifetime of the SA before it is rekeyed, in kilobytes of traffic and in seconds.

Total Manual IP security association number
  Number of all manual IPsec SAs.

IP security association name
  Name of a manual IPsec SA.

current IPsec sa number
  Number of automatic IPsec SAs.

IPsec SA Information for Slot
  IPsec SA information of the specified board.

IPsec policy name
  Name of the IPsec policy used by the SA.

Src Address
  Source IP address.

Dst Address
  Destination IP address.

SPI
  Security Parameter Index (SPI) of the SA.

Protocol Algorithm
  Security protocol (AH or ESP) and the encryption (E:) and authentication (A:) algorithms applied by the SA.

VPN
  VPN instance to which the SA belongs.

sequence number
  Sequence number of the security policy.

instance id
  Instance ID.

connection id
  Connection ID.

rule number
  Security ACL rule ID.

encapsulation mode
  Encapsulation mode of the SA, for example, tunnel.

tunnel local
  Local tunnel address.

tunnel remote
  IP address of the peer tunnel.

flow source
  Source flow characteristics, including the IP address, port number, protocol number, and DSCP.

flow destination
  Destination flow characteristics, including the IP address, port number, protocol number, and DSCP.

input/output security packets
  Number of incoming or outgoing encrypted packets.

input/output security kilobytes
  Number of kilobytes of inbound or outbound encrypted packets.

input/output bandwidth limit drop packets
  Number of packets discarded in the inbound or outbound direction due to rate limiting.

input/output bandwidth limit drop kilobytes
  Number of kilobytes discarded in the inbound or outbound direction due to rate limiting.

inbound ESP SAs
  ESP SA information in the inbound direction.

max received sequence-number
  Highest sequence number received on the inbound SA.

max sent sequence-number
  Highest sequence number sent on the outbound SA.

udp encapsulation used for nat traversal
  Whether UDP encapsulation is used for NAT traversal.

outbound ESP SAs
  ESP SA information in the outbound direction.

Interface
  Interface to which the IPsec policy is bound.

mode
  Policy mode:
  • isakmp: automatic mode.
  • dynatemplate: template mode.

vpn
  Ciphertext VPN instance.

ext
  Additional information about the IPsec SA.

establish
  Time when the SA was generated.

spi
  Security Parameter Index (SPI) of the SA, shown in decimal and in hexadecimal.

said
  SA index.

proposal
  IPsec proposal (security protocol and algorithms) applied to the SA.

Copyright © Huawei Technologies Co., Ltd.