ONTAP 9.12.1 commands

  • ONTAP 9.12.1 commands (CA08871-263en.pdf)
  • security ipsec show-ikesa

    Show IKE SA Information

    Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

    Description

    The security ipsec show-ikesa command displays information about IKE Security Associations (SA).

    Running this command with the -node parameter displays information relevant to IKE SAs generated at the specified node.

    Running this command with the -vserver parameter displays information relevant to IKE SAs associated with the specified vserver.

    Running this command with the -policy-name parameter displays information relevant to IKE SAs created based on the specified security policy.

    You can specify additional parameters to display only information matching those parameters. For example, to display IKE SAs associated with a specific local address, run the command with the -local-address parameter.

    Parameters

    { [-fields <fieldname>,…]

    If you specify the -fields <fieldname>,… parameter, the command displays only the specified fields. Note that key fields are always displayed.

    | [-instance ] }

    If you specify the -instance parameter, the command displays all fields of the IKE SAs.

    -node <nodename> - Node

    This required parameter specifies the node from which the IKE SA information will be collected and displayed.

    [-vserver <vserver name>] - Vserver Name

    Use this parameter to display the IKE SAs associated with the specified Vserver.

    [-policy-name <text>] - Policy Name

    Use this parameter to display the IKE SAs created based on the specified security policy.

    [-local-address <text>] - Local Address

    Use this parameter to display the IKE SAs with the specified local endpoint IP address.

    [-remote-address <text>] - Remote Address

    Use this parameter to display the IKE SAs with the specified remote endpoint IP address.

    [-initiator-spi <text>] - Initiator SPI

    Use this parameter to display the IKE SAs with the specified initiator Security Parameter Index (SPI).

    [-responder-spi <text>] - Responder SPI

    Use this parameter to display the IKE SAs with the specified responder SPI.

    [-is-initiator {true|false}] - Is Initiator

    Use this parameter to display the IKE SAs in which the given node played the specified role in the IKE negotiation: true selects SAs where the node was the initiator, and false selects SAs where it was the responder.

    [-ike-version <integer>] - IKE Version

    Use this parameter to display the IKE SAs created using the specified IKE version.

    [-auth-method <IKE Authentication Method>] - Authentication Method

    Use this parameter to display the IKE SAs created using the specified authentication method.

    [-state <IKE SA State>] - IKE SA State

    Use this parameter to display only the IKE SAs that are in the specified state.

    [-cipher-suite <Cipher Suite Type>] - Cipher Suite

    Use this parameter to display the IKE SAs created using the specified cipher suite.

    [-lifetime <integer>] - Lifetime

    Use this parameter to display the IKE SAs with the specified remaining lifetime. Note that the lifetime value keeps changing for the duration of the security association.

    Examples

    This example displays all IKE SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ikesa -node cluster1-node1
                Policy Local           Remote
    Vserver     Name   Address         Address         Initator-SPI     State
    ----------- ------ --------------- --------------- ---------------- -----------
    vs1         Policy1
                       192.186.10.1    192.186.10.2    e658e5bc7ece199e ESTABLISHED
    vs2         Policy2
                       192.168.20.1    192.168.20.2    8eac392028ab4f12 ESTABLISHED
    2 entries were displayed.

    This example displays selected fields of all IKE SAs for node cluster1-node1:

    cluster-1::> security ipsec show-ikesa -node cluster1-node1 -fields is-initiator,initiator-spi,responder-spi,auth-method,cipher-suite,lifetime
    
    node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
    -------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
    cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
    cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.2   4d43aaba8ca01cd8 00bdd5aac569e08a true         PSK         SUITEB_GCM256 6720
    2 entries were displayed.

    This example displays all IKE SAs for vserver vs1:

    cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1
                Policy Local           Remote
    Vserver     Name   Address         Address         Initator-SPI     State
    ----------- ------ --------------- --------------- ---------------- -----------
    vs1         Policy1
                       192.186.10.1    192.186.10.2    e658e5bc7ece199e ESTABLISHED

    This example displays instance view (all fields) for all IKE SAs associated with node cluster1-node1, vserver vs1 and created using policy Policy1:

    cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
    Node: cluster1-node1
             Vserver Name: vs1
              Policy Name: Policy1
            Local Address: 192.168.10.1
           Remote Address: 192.168.10.2
            Initiator SPI: e658e5bc7ece199e
            Responder SPI: 9b61befff71e8ca2
             Is Initiator: false
              IKE Version: 2
    Authentication Method: PSK
             IKE SA State: ESTABLISHED
             Cipher Suite: SUITEB_GCM256
                 Lifetime: 6000
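
The -fields output shown above is regular enough to audit from a script. The following is an added example, not NetApp code: it parses captured output by the column positions of the dashed separator row and reports SAs whose peer or cipher suite differs from a baseline, plus expected tunnels that have no IKE SA. The baseline, the vs3 row, the vs4 entry and the approved-cipher set are constructed assumptions.

```python
# Added example (not NetApp code): audit captured `show-ikesa -fields` output.
# Constructed sample: the two rows from the page plus one made-up vs3 row.
SAMPLE = """\
node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
-------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.2   4d43aaba8ca01cd8 00bdd5aac569e08a true         PSK         SUITEB_GCM256 6720
cluster1-node1 vs3     Policy3     192.0.2.1     192.0.2.9      1111111111111111 2222222222222222 false        PSK         SUITE_AESCBC  5000
3 entries were displayed.
"""

# Hypothetical baseline: (vserver, policy-name) -> expected remote peer.
EXPECTED_PEERS = {
    ("vs1", "Policy1"): "192.186.10.2",
    ("vs2", "Policy2"): "192.186.20.2",
    ("vs3", "Policy3"): "192.0.2.2",
    ("vs4", "Policy4"): "192.0.2.4",  # expected tunnel, absent from the sample
}
APPROVED_CIPHERS = {"SUITEB_GCM256"}  # assumption: site policy, not an ONTAP default


def parse_fields_output(text):
    """Return one dict per IKE SA, keyed by the column names in the header row."""
    lines = [l for l in text.splitlines() if l.strip()]
    # The dashed separator row defines where each column starts.
    sep = next(i for i, l in enumerate(lines) if set(l) <= {"-", " "})
    starts = [i for i, c in enumerate(lines[sep])
              if c == "-" and (i == 0 or lines[sep][i - 1] == " ")]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [lines[sep - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[sep + 1:]:
        if line.strip().endswith("displayed."):  # "N entries were displayed."
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def audit(rows):
    """Compare parsed SAs with the baseline; return (key, message) findings."""
    findings, seen = [], set()
    for r in rows:
        key = (r["vserver"], r["policy-name"])
        seen.add(key)
        if key not in EXPECTED_PEERS:
            findings.append((key, "IKE SA for a policy not in the baseline"))
        elif r["remote-address"] != EXPECTED_PEERS[key]:
            findings.append((key, "unexpected peer " + r["remote-address"]))
        if r["cipher-suite"] not in APPROVED_CIPHERS:
            findings.append((key, "cipher suite " + r["cipher-suite"] + " not approved"))
    for key in sorted(EXPECTED_PEERS.keys() - seen):
        findings.append((key, "no IKE SA present"))
    return findings
```

Calling audit(parse_fields_output(SAMPLE)) returns the findings as a list; the parser assumes no value is wider than its column, as in the output shown on this page.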