Table of Contents
Advertisement
show ipsec ike-sa
show ike sa
Copyright © 2010, Juniper Networks, Inc.
Tunnels" on page 244 in "Configuring IP Tunnels" on page 237 for full descriptions of the
commands.
Example
host1#show gre tunnel detail
Tunnel operational configuration
Tunnel name is 'vr1'
Tunnel mtu is '10240'
Tunnel source address is '10.0.0.2'
Tunnel destination address is '10.0.0.1'
Tunnel transport virtual router is vr1
Tunnel checksum option is disabled
Tunnel up/down trap is enabled
Tunnel server location is 4/0
Tunnel secured by ipsec transport interface 1
Tunnel administrative state is up
. . .
See show dvmrp tunnel.
See show gre tunnel.
NOTE: The show ipsec ike-sa command replaces the show ike sa command, which
may be removed completely in a future release.
Use to display IKE phase 1 SAs running on the router.
When NAT-T is enabled on both the client PC and the E Series router, and the router
has negotiated NAT-T as part of the IKE SA, the local UDP port number displayed in
the Local:Port column is typically 4500. When NAT-T is disabled or not supported on
one or both sides of the IKE SA negotiation, the local UDP port number is 500. (See
the example under Field Descriptions for more information.)
Field descriptions
Local:Port—Local IP address and UDP port number of phase 1 negotiation
Remote:Port—Remote IP address and UDP port number of phase 1 negotiation
Time(Sec)—Time remaining in phase 1 lifetime, in seconds
State—Current state of the phase 1 negotiation. Corresponds to the messaging state
in the main mode and aggressive mode negotiations. Possible states are:
AM_SA_I—Initiator has sent initial aggressive mode SA payload and key exchange
to the responder
AM_SA_R—Responder has sent aggressive mode SA payload and key exchange
to the initiator
AM_FINAL_I—Initiator has finished aggressive mode negotiation
Chapter 12: Securing L2TP and IP Tunnels with IPSec
295
Advertisement
Table of Contents
