display ike sa

Function

The display ike sa command displays the IPSec tunnels set up by IKE.

This command is supported only on the NetEngine 8000 F1A.

Format

display ike sa [ { remote remoteaddr } | verbose { { remote remoteaddr } | { conn_id connid slot slotnumber } | { peer peername [ identity peeridentity ] } } | slot slotnumber | { peer peername [ identity peeridentity ] } ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| remote remoteaddr | Indicates the IP address of the remote peer. | The value is in dotted decimal notation. |
| verbose | Displays the detailed configurations of IKE SAs. | - |
| conn_id connid | Indicates the index of IKE SAs. | It is an integer that ranges from 1 to 65535. |
| slot slotnumber | Indicates the slot ID. | The value is an integer that ranges from 0 to 32. |
| peer peername | Indicates the peer name. | It is a string of 1 to 15 characters. |
| identity peeridentity | Indicates the peer identity. | It is a string of 1 to 255 characters. |

Views

All views

Default Level

1: Monitoring level

Task Name and Operations

| Task Name | Operations |
|---|---|
| ike | read |

Usage Guidelines

The output of the display ike sa command provides the following information:

  • The IPSec tunnel ID
  • IP address of the peer
  • Name of the VPN instance
  • Phases in setting up the SA
  • Interpretation domain of the SA
  • Status of the SA
  • Connection status of BFD

Example

The actual command output varies according to the device. The command output here is only an example.

# Display the detailed configurations of IKE SAs.
<HUAWEI> display ike sa
 current sa Num :2                                                             
   Single-homing :2     Multi-homing master :0    Multi-homing slave :0
   None-backup sa :2    Backup sa :0 
Spu board slot 1, IKE SA Information:
 Current IKE SA number: 2
-----------------------------------------------------------------------
conn-id    peer               flag        phase   bfd   ext    vpn      
-----------------------------------------------------------------------
373        10.1.2.2           RD|ST       V2:2     up    -      -                               
372        10.1.2.2           RD|ST       V2:1     -     -      -

Table 1 Description of the display ike sa command output

Item Description

current sa Num

Number of current SAs.

Single-homing

Number of IKE SAs in single-homing scenarios.

Multi-homing master

Number of IKE SAs on the master device in multi-homing scenarios.

Multi-homing slave

Number of IKE SAs on the slave device in multi-homing scenarios.

None-backup sa

Number of non-backup IKE SAs.

Backup sa

Number of backup IKE SAs.

Spu board slot 1, IKE SA Information

Indicates configurations of SAs.

Current IKE SA number

Indicates the number of SAs.

conn-id

Indicates the IPSec tunnel ID.

peer

Indicates the IP address of the peer.

flag

State of the SA:

  • RD (READY) means this SA has been established successfully.
  • C means that Dead Peer Detection (DPD) is enabled for this SA.
  • ST (STAYALIVE) means this end is the initiator of the channel negotiation.
  • RL (REPLACED) means that this SA has been replaced by a new one, and is deleted after a period of time.
  • FD (FADING) means this SA has reached its soft timeout but is still in use, and is deleted at the time of hard timeout.
  • TO (TIMEOUT) means this SA has not received any keepalive packet after the previous keepalive timeout occurred. If this SA still does not receive any keepalive packet by the time the next keepalive period times out, this SA is deleted.
  • NEG means that this SA is being negotiated.
  • NOSTATE means that this SA is being initially created but is not yet complete. This SA is deleted if it is not created within a specific period.
  • TD (TOBEDELETED) means this SA will be deleted after a while.

phase

SA phases:

  • v2:1 indicates that IKEv2 is adopted for SA negotiation. The establishment of the SA in phase 1 succeeds.
  • v2:2 indicates that IKEv2 is adopted for SA negotiation. The establishment of the SA in phase 2 succeeds.

bfd

Connection status of BFD, reflected only in the second stage of negotiation.

ext

Indicates interpretation domain of the SA.

vpn

Indicates VPN instance on the ciphertext side. - indicates the root instance.
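
The following is an added monitoring example, not Huawei code: it parses the table printed by display ike sa and reports SAs whose flag column suggests they need attention. The sample text is constructed (the third row with the TO flag is invented for illustration), the function names are hypothetical, and treating RL, FD, TO, NEG, NOSTATE and TD as "needs attention" is this example's reading of Table 1.

```python
import re

# Constructed sample modelled on the example output above; row 401 is invented.
SAMPLE = """\
 current sa Num :3
Spu board slot 1, IKE SA Information:
 Current IKE SA number: 3
-----------------------------------------------------------------------
conn-id    peer               flag        phase   bfd   ext    vpn
-----------------------------------------------------------------------
373        10.1.2.2           RD|ST       V2:2     up    -      -
372        10.1.2.2           RD|ST       V2:1     -     -      -
401        10.1.3.9           RD|TO       V2:1     -     -      -
"""

ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+[vV](\d):(\d)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
# Flags from Table 1 that mean the SA is ageing out, stalled or not yet usable.
UNHEALTHY = {"RL", "FD", "TO", "NEG", "NOSTATE", "TD"}

def parse_ike_sa(text):
    """Return (declared_count, rows); per-slot counts are summed (assumption)."""
    declared, rows = 0, []
    for line in text.splitlines():
        m = re.match(r"\s*Current IKE SA number:\s*(\d+)", line)
        if m:
            declared += int(m.group(1))
            continue
        m = ROW.match(line)
        if m:
            conn, peer, flag, ver, phase, bfd, ext, vpn = m.groups()
            rows.append({"conn_id": int(conn), "peer": peer,
                         "flags": set(flag.split("|")), "ike_version": int(ver),
                         "phase": int(phase), "bfd": bfd, "ext": ext, "vpn": vpn})
    return declared, rows

def findings(text):
    """List (conn_id, peer, reason) for SAs that need attention."""
    declared, rows = parse_ike_sa(text)
    out = []
    if declared != len(rows):  # truncated capture or a row the parser missed
        out.append((None, None, f"header says {declared} SAs, parsed {len(rows)}"))
    for r in rows:
        bad = sorted(r["flags"] & UNHEALTHY)
        if "RD" not in r["flags"]:
            out.append((r["conn_id"], r["peer"], "not READY"))
        elif bad:
            out.append((r["conn_id"], r["peer"], "flags " + ",".join(bad)))
    return out
```

Calling findings(SAMPLE) returns a single entry for conn-id 401, whose TO flag indicates a missed keepalive.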

Copyright © Huawei Technologies Co., Ltd.