Usage Scenario
You can run the display ipsec sa command to check whether the SA parameters for packets sent by the local end match those for packets received by the peer end (that is, whether the local outbound SA corresponds to the peer's inbound SA). The display ipsec sa command output displays the following information:
The actual command output varies according to the device. The command output here is only an example.
```
<HUAWEI> display ipsec sa vpn
==================================
IPSEC SA Information for Slot : 9
==================================
===============================
Interface: Tunnel1
===============================
-----------------------------
IPsec policy name: "pol1"
sequence number: 1
instance id: 0
mode: isakmp
vpn: -
ext: M|B
-----------------------------
connection id: 299
rule number: 1
encapsulation mode: tunnel
tunnel local : 10.1.1.1 tunnel remote: 10.1.1.2
flow source: 10.10.1.1/255.255.255.255 0-65535 0 0x0
flow destination: 10.10.1.2/255.255.255.255 0-65535 0 0x0
input/output security packets: 1231231/2342424
input/output security bytes: 234234242/6575675765
input/output bandwidth limit drop packets: 1231231/2342424
input/output bandwidth limit drop bytes: 234234242/6575675765
[inbound ESP SAs]
establish: 2018-08-06 04:57:54
spi: 4280635 (0x41513b)
vpn: - said: 47
proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 0/2850
max received sequence-number: 10
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
establish: 2018-08-06 04:57:54
spi: 4141662315 (0xf6dcc06b)
vpn: - said: 48
proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 0/2850
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
```
| Item | Description |
|---|---|
| IPSEC SA Information for Slot | IPsec SA information of the specified board. |
| Interface | Interface to which the IPsec policy is bound. |
| IPsec policy name | Name of the IPsec policy. |
| sequence number | Sequence number of the IPsec policy. |
| instance id | Instance ID. |
| mode | Policy mode (isakmp in the sample output above). |
| vpn | Ciphertext VPN instance. |
| ext | Extra IPsec SA information. |
| connection id | Connection ID. |
| rule number | Security ACL rule ID. |
| encapsulation mode | Encapsulation mode. |
| tunnel local | Local tunnel address. |
| tunnel remote | Peer tunnel address. |
| flow source | Source flow characteristics, including the IP address, port number, protocol number, and DSCP. |
| flow destination | Destination flow characteristics, including the IP address, port number, protocol number, and DSCP. |
| input/output security packets | Number of encrypted packets in the inbound or outbound direction. |
| input/output security bytes | Number of bytes in inbound or outbound encrypted packets. |
| input/output bandwidth limit drop packets | Number of packets discarded in the inbound or outbound direction due to rate limiting. |
| input/output bandwidth limit drop bytes | Number of bytes discarded in the inbound or outbound direction due to rate limiting. |
| inbound ESP SAs | Inbound ESP SA information. |
| outbound ESP SAs | Outbound ESP SA information. |
| establish | Time when the SA was generated. |
| spi | Security parameter index. |
| proposal | IPsec proposal (encryption and authentication algorithms) used by the SA. |
| sa remaining key duration (kilobytes/sec) | Remaining SA lifetime before rekeying, in kilobytes and seconds. |
| max received sequence-number | Highest ESP sequence number received on the inbound SA. |
| max sent sequence-number | Highest ESP sequence number sent on the outbound SA. |
| udp encapsulation used for nat traversal | Whether ESP packets are UDP-encapsulated for NAT traversal (Y or N). |
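The check described in the usage scenario, automated as an added example (not Huawei's own tooling): parse the ESP SA blocks from the display ipsec sa output of both ends and verify that the local outbound SA matches the peer's inbound SA. The sample output is constructed from the format above, and the peer output is derived from it by swapping the SA directions.

```python
import re

# Constructed sample in the format of the display ipsec sa output above (one SA pair).
LOCAL = """\
[inbound ESP SAs]
spi: 4280635 (0x41513b)
proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 0/2850
max received sequence-number: 10
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 4141662315 (0xf6dcc06b)
proposal: ESP-ENCRYPT-256-AES ESP-AUTH-SHA2-256
sa remaining key duration (kilobytes/sec): 0/2850
max sent sequence-number: 10
udp encapsulation used for nat traversal: N
"""
# Constructed peer output: the peer's inbound SA is our outbound SA and vice versa
# (the received/sent wording of the counter line is left as-is; both forms are parsed).
PEER = LOCAL.replace("[inbound", "[tmp").replace("[outbound", "[inbound").replace("[tmp", "[outbound")

# One regex per field of interest; group 1 is the value.
FIELDS = {
    "spi": r"^spi:\s*(\d+)",
    "proposal": r"^proposal:\s*(.+?)\s*$",
    "remaining_sec": r"^sa remaining key duration \(kilobytes/sec\):\s*\d+/(\d+)",
    "max_seq": r"^max (?:received|sent) sequence-number:\s*(\d+)",
    "nat_t": r"^udp encapsulation used for nat traversal:\s*([YN])",
}

def parse_sas(text):
    # Map "inbound"/"outbound" to a dict of the fields found in that ESP SA block.
    sas, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"^\[(inbound|outbound) ESP SAs\]", line)
        if hdr:
            current = sas.setdefault(hdr.group(1), {})
            continue
        for name, pattern in FIELDS.items():
            m = re.match(pattern, line)
            if m and current is not None:
                current[name] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return sas

def check_pair(local_text, peer_text):
    # Our outbound SA must be the peer's inbound SA: same SPI, proposal and NAT-T setting.
    ours, theirs = parse_sas(local_text)["outbound"], parse_sas(peer_text)["inbound"]
    findings = [f"{f} mismatch: local {ours.get(f)} vs peer {theirs.get(f)}"
                for f in ("spi", "proposal", "nat_t") if ours.get(f) != theirs.get(f)]
    # A peer receive counter below our send counter suggests ESP packets are lost in transit.
    if ours["max_seq"] > theirs["max_seq"]:
        findings.append(f"peer received seq {theirs['max_seq']} < local sent seq {ours['max_seq']}")
    return findings
```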