Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual page 334

JUNOSe 11.1.x IP Services Configuration Guide
show ipsec ike-sa
show ike sa
NOTE: The show ipsec ike-sa command replaces the show ike sa command, which
may be removed completely in a future release.
308
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
Use to display IKE phase 1 SAs running on the router.
When NAT-T is enabled on both the client PC and the E Series router, and the
router has negotiated NAT-T as part of the IKE SA, the local UDP port number
displayed in the Local:Port column is typically 4500. When NAT-T is disabled or
not supported on one or both sides of the IKE SA negotiation, the local UDP port
number is 500. (See the example under Field Descriptions for more information.)
Field descriptions
Local:Port Local IP address and UDP port number of phase 1 negotiation
Remote:Port Remote IP address and UDP port number of phase 1
negotiation
Time(Sec) Time remaining in phase 1 lifetime, in seconds
State Current state of the phase 1 negotiation. Corresponds to the messaging
state in the main mode and aggressive mode negotiations. Possible states
are:
AM_SA_I Initiator has sent initial aggressive mode SA payload and key
exchange to the responder
AM_SA_R Responder has sent aggressive mode SA payload and key
exchange to the initiator
AM_FINAL_I Initiator has finished aggressive mode negotiation
AM_DONE_R Responder has finished aggressive mode negotiation
MM_SA_I Initiator has sent initial main mode SA payload to the
responder
MM_SA_R Responder has sent a response to the initial main mode SA
MM_KE_I Initiator has sent initial main mode key exchange to the
responder
MM_KE_R Responder has sent a response to the key exchange
MM_FINAL_I Initiator has sent the final packet in the main mode
negotiation
MM_FINAL_R Responder has finished main mode negotiation
MM_DONE_I Initiator has finished main mode negotiation
DONE Phase 1 SA negotiation is complete, as evidenced by receipt of
some phase 2 messages