Juniper IP SERVICES - CONFIGURATION GUIDE V 11.1.X Configuration Manual page 335

host1# show ipsec ike-sa
IKE Phase 1 SA's:
Local:Port Remote:Port
21.227.9.8:500 21.227.9.10:500
21.227.9.8:4500 21.227.9.11:4500
21.227.9.8:4500 21.227.9.11:14500
show ipsec option
show ipsec transport interface
Local Cookie Unique identifier (SPI) for the local phase 1 IKE SA
Remote Cookie Unique identifier (SPI) for the remote phase 1 IKE SA
Example
The following example displays the IKE phase 1 SAs for three remote client PCs
that are accessing an E Series router (IP address 21.227.9.8).
The first client PC listed (IP address 21.227.9.10) is not located behind a NAT
device, and is therefore not using NAT-T to access the router. This PC appears
in the Remote:Port column with its own IP address (21.227.9.10) and UDP port
number 500.
The remaining two client PCs are located behind a NAT device that has IP address
21.227.9.11, and are using NAT-T to access the router. These PCs appear in the
Remote:Port column with the same IP address (21.227.9.11) but with two
different UDP port numbers, 4500 and 14500.
Time(Sec) State
26133
28774
28729
See show ipsec ike-sa.
See show ike sa.
Use to display whether NAT-T is enabled or disabled on the current virtual router.
The show ipsec option command also displays the status of dead peer detection
(DPD) on the virtual router. For information about configuring and monitoring
DPD, see "Configuring IPSec" on page 125.
Example
host1:westford#show ipsec option
IPsec options:
Dead Peer Detection: disabled
NAT Traversal : enabled
See show ipsec option.
Use to display information about transport connections.
Field descriptions
IPSec transport interface Number and status of the IPSec transport
connection
Configuration
Monitoring DVMRP/IPSec, GRE/IPSec, and L2TP/IPSec Tunnels
Chapter 12: Securing L2TP and IP Tunnels with IPSec
Local Cookie
DONE 0x87a943562124c711 0xafa2cf4a260399a4
DONE 0x01f9efa234d45ad8 0xada4cb7cafee9243
DONE 0x0c5ccb6b94b00051 0xe975c0ae3b9ca8bf
Remote Cookie
309