display ipsec sa remote

Function

The display ipsec sa command displays information about a Security Association (SA).

Format

display ipsec sa [ vpn ] remote remote-ip [ slot slot-id ]

display ipsec sa [ vpn-instance vpn-instance-name ] flow-destination flow-destination-ip flow-destination-mask [ slot slot-id ]

Parameters

Parameter / Description / Value

vpn
  Description: Specifies the VPN instance in ciphertext.
  Value: -

remote remote-ip
  Description: Specifies the IP address of a remote peer.
  Value: This value is in dotted decimal notation.

slot slot-id
  Description: Specifies a slot ID.
  Value: The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

vpn-instance vpn-instance-name
  Description: Specifies the name of the VPN instance used to query SAs.
  Value: The value is a string of 1 to 31 case-sensitive characters, spaces not supported.

flow-destination flow-destination-ip
  Description: Specifies the IP address of the flow destination.
  Value: This value is in dotted decimal notation.

flow-destination-mask
  Description: Specifies the IP address mask of the flow destination.
  Value: This value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

Task Name: ipsec
Operations: read

Usage Guidelines

Usage Scenario

You can run the display ipsec sa command to check whether the SA configurations for outgoing protocol packets on the local end are identical to those for incoming protocol packets on the peer end. The display ipsec sa command output displays the following information:

  • SA name
  • Security proposal applied to the SA
  • Number of times the SA is applied
  • SA configurations for incoming Authentication Header (AH)
  • SA configurations for outgoing AH
  • SA configurations for incoming Encapsulating Security Payload (ESP)
  • SA configurations for outgoing ESP

Example

The actual command output varies according to the device. The command output here is only an example.

# Display configurations of the SA.
<HUAWEI> display ipsec sa remote 192.168.1.1
Total IP security association number: 1

IP security association name: sa1
Number of references: 0   
  proposal name: p1
 State: Complete
  inbound AH setting: 
     AH spi: 267 (0x10b)
     AH string-key: 
     AH authentication hex key: $@$@'RCZaI8Z:_E!Q8T!3,AO_OKZ>\U!O]*>(U(9CS9!$@$@
  inbound ESP setting: 
     ESP spi: 789 (0x315)
     ESP string-key: DN]I8$];]3+Q=^Q`MAF4<1!!
     ESP encryption hex key: 
     ESP authentication hex key: 
  outbound AH setting: 
     AH spi: 267 (0x10b)
     AH string-key: 
     AH authentication hex key: $@$@'RCZaI8Z:_E!Q8T!3,AO_OKZ>\U!O]*>(U(9CS9!$@$@
  outbound ESP setting: 
     ESP spi: 789 (0x315)
     ESP string-key: DN]I8$];]3+Q=^Q`MAF4<1!!
     ESP encryption hex key: 
     ESP authentication hex key:                

IKE IP Security Association :
================================== 
IPSEC SA Information for Slot : 9
==================================
                
=============================== 
Interface: Tunnel1
===============================
                
  -----------------------------
  IPsec policy name: "pol1"
  sequence number: 1
  instance id: 0
  mode: isakmp  
  vpn: - 
  ext: M|B
  -----------------------------
    connection id: 299
    rule number: 1
    encapsulation mode: tunnel
    tunnel local : 10.1.1.1    tunnel remote: 10.1.1.2
    flow source: 10.10.1.1/255.255.255.255 0-65535 0 0x0 
    flow destination: 10.10.1.2/255.255.255.255 0-65535 0 0x0
    input/output security packets: 1231231/2342424
    input/output security bytes: 234234242/6575675765
    input/output bandwidth limit drop packets: 1231231/2342424
    input/output bandwidth limit drop bytes: 234234242/6575675765

    [inbound ESP SAs] 
      establish: 2018-08-06 04:57:54 
      spi: 4280635 (0x41513b)
      vpn: - said: 47
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max received sequence-number: 10
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs] 
      establish: 2018-08-06 04:57:54 
      spi: 4141662315 (0xf6dcc06b)
      vpn: - said: 48
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max sent sequence-number: 10
      udp encapsulation used for nat traversal: N
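The usage guideline above says the point of this command is to compare the local outbound SA with the peer's inbound SA (and vice versa). The following Python script is an added example, not Huawei code: it parses the `[inbound ESP SAs]` / `[outbound ESP SAs]` blocks in the output format shown above, then reports any SPI or proposal that does not mirror between the two ends. Both sample outputs are constructed for the demonstration (the peer's `said` values and the mismatched SPI are made up); the script assumes the field layout seen in the example output and nothing beyond it.

```python
import re

# Constructed sample: the ESP SA blocks of "display ipsec sa remote" on the local
# device, in the layout shown on this page (trimmed to the fields compared here).
LOCAL_OUTPUT = """\
    [inbound ESP SAs]
      spi: 4280635 (0x41513b)
      vpn: - said: 47
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max received sequence-number: 10

    [outbound ESP SAs]
      spi: 4141662315 (0xf6dcc06b)
      vpn: - said: 48
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max sent sequence-number: 10
"""

# Constructed sample for the peer: on a healthy tunnel its SPIs mirror the local ones.
PEER_OUTPUT = """\
    [inbound ESP SAs]
      spi: 4141662315 (0xf6dcc06b)
      vpn: - said: 12
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max received sequence-number: 10

    [outbound ESP SAs]
      spi: 4280635 (0x41513b)
      vpn: - said: 13
      proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
      sa remaining key duration (kilobytes/sec): 0/2850
      max sent sequence-number: 10
"""

# Constructed failure case: the peer's outbound SA carries a stale SPI.
PEER_MISMATCH_OUTPUT = PEER_OUTPUT.replace("spi: 4280635 (0x41513b)",
                                           "spi: 4280636 (0x41513c)")

SECTION_RE = re.compile(r"^\s*\[(inbound|outbound) ESP SAs\]\s*$")
FIELD_RE = re.compile(r"^\s*([^:\[\]]+?):\s*(.*?)\s*$")
SPI_RE = re.compile(r"^(\d+)\s*\(0x([0-9a-fA-F]+)\)$")


def parse_esp_sas(output):
    """Map 'inbound'/'outbound' to the field: value pairs of each ESP SA block."""
    sas, current = {}, None
    for line in output.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = sas.setdefault(m.group(1), {})
            continue
        if current is None:
            continue
        if not line.strip():            # a blank line closes the block
            current = None
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "vpn" and " said: " in value:   # "vpn: - said: 47" holds two fields
            vpn, said = value.split(" said: ", 1)
            current["vpn"], current["said"] = vpn.strip(), said.strip()
        else:
            current[key] = value
    return sas


def spi_of(sa):
    """Return the SPI as an int, checking that the decimal and hex forms agree."""
    m = SPI_RE.match(sa["spi"])
    if not m:
        raise ValueError("unrecognised spi field: %r" % sa["spi"])
    dec, hexed = int(m.group(1)), int(m.group(2), 16)
    if dec != hexed:
        raise ValueError("decimal/hex SPI disagree: %r" % sa["spi"])
    return dec


def compare_peers(local_output, peer_output):
    """List mismatches between local outbound/peer inbound and local inbound/peer
    outbound ESP SAs. An empty list means both directions agree on SPI and proposal."""
    local, peer = parse_esp_sas(local_output), parse_esp_sas(peer_output)
    problems = []
    for ldir, pdir in (("outbound", "inbound"), ("inbound", "outbound")):
        l_sa, p_sa = local.get(ldir), peer.get(pdir)
        if l_sa is None or p_sa is None:
            problems.append("missing local %s or peer %s ESP SA" % (ldir, pdir))
            continue
        l_spi, p_spi = spi_of(l_sa), spi_of(p_sa)
        if l_spi != p_spi:
            problems.append("local %s SPI %d != peer %s SPI %d" % (ldir, l_spi, pdir, p_spi))
        # The proposal is a space-separated algorithm list; compare it order-insensitively.
        if set(l_sa.get("proposal", "").split()) != set(p_sa.get("proposal", "").split()):
            problems.append("local %s proposal %r != peer %s proposal %r"
                            % (ldir, l_sa.get("proposal"), pdir, p_sa.get("proposal")))
    return problems


if __name__ == "__main__":
    print("healthy pair:", compare_peers(LOCAL_OUTPUT, PEER_OUTPUT) or "no mismatches")
    for problem in compare_peers(LOCAL_OUTPUT, PEER_MISMATCH_OUTPUT):
        print("mismatch:", problem)
```

Feed the script the captured text of `display ipsec sa remote <peer-ip>` from each end of the tunnel; a non-empty list from `compare_peers` points at the direction whose SA was not renegotiated consistently, which is the case the usage guideline tells you to look for.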
Table 1 Description of the display ipsec sa remote command output

Item / Description

sa remaining key duration (kilobytes/sec)
  Rekey lifetime.

Total IP security association number
  Total number of SAs configured.

IP security association name
  SA name.

Number of references
  Number of times the SA is applied.

proposal name
  Security proposal applied to the SA.

proposal
  Proposal (encryption and authentication algorithms) used by the SA.

inbound AH setting
  Inbound AH protocol settings.

inbound ESP setting
  Inbound ESP settings.

inbound ESP SAs
  Inbound ESP SA information.

AH spi
  SPI for AH.

AH string-key
  Authentication key for AH in the string format.

AH authentication hex key
  Authentication key for AH in ciphertext.

ESP spi
  SPI for ESP.

ESP string-key
  Authentication key for ESP in the string format.

ESP encryption hex key
  Encryption key for ESP in ciphertext.

ESP authentication hex key
  Authentication key for ESP in ciphertext.

outbound AH setting
  SA configurations for outgoing AH packets.

outbound ESP setting
  SA configurations for outgoing ESP packets.

outbound ESP SAs
  Outbound SA parameters.

IKE IP Security Association
  IKE security association.

IPSEC SA Information for Slot
  IPsec SA information of a specified board.

IPsec policy name
  Name of a security policy.

sequence number
  Sequence number of an IPsec policy.

instance id
  Instance ID.

connection id
  Connection ID.

rule number
  ACL rule number.

encapsulation mode
  Encapsulation mode.

tunnel local
  Local tunnel address.

tunnel remote
  Peer tunnel address.

flow source
  Source flow characteristics, including the IP address, port number, protocol number, and DSCP.

flow destination
  Destination flow characteristics, including the IP address, port number, protocol number, and DSCP.

input/output security packets
  Number of encrypted packets in the inbound or outbound direction.

input/output security bytes
  Number of bytes in inbound or outbound encrypted packets.

input/output bandwidth limit drop packets
  Number of packets discarded in the inbound or outbound direction due to rate limiting.

input/output bandwidth limit drop bytes
  Number of bytes discarded in the inbound or outbound direction due to rate limiting.

max received sequence-number
  Maximum receive sequence number.

max sent sequence-number
  Maximum send sequence number.

udp encapsulation used for nat traversal
  UDP encapsulation for NAT traversal.

State
  SA state:
  • Complete.
  • Incomplete.

Interface
  Interface to which an IPsec policy is bound.

mode
  Policy mode:
  • isakmp: automatic mode.
  • dynatemplate: template mode.

vpn
  Ciphertext VPN instance.

ext
  Extra IPsec SA information.

establish
  Time when an SA is generated.

spi
  Security parameter index.

Copyright © Huawei Technologies Co., Ltd.