ONTAP 9.13.1 commands

security ipsec show-ikesa

Show IKE SA Information

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security ipsec show-ikesa command displays information about IKE Security Associations (SA).

Running this command with the -node parameter displays information relevant to IKE SAs generated at the specified node.

Running this command with the -vserver parameter displays information relevant to IKE SAs associated with the specified Vserver.

Running this command with the -policy-name parameter displays information relevant to IKE SAs created based on the specified security policy.

You can specify additional parameters to display only information matching those parameters. For example, to display IKE SAs associated with a specific local address, run the command with the -local-address parameter.

Parameters

{ [-fields <fieldname>,…]

If you specify the -fields <fieldname>,… parameter, the command displays only the specified fields. Note that key fields are always displayed.

| [-instance ] }

If you specify the -instance parameter, the command displays all fields of the IKE SAs.

-node <nodename> - Node

This required parameter specifies the node from which the IKE SA information will be collected and displayed.

[-vserver <vserver name>] - Vserver Name

Use this parameter to display the IKE SAs associated with the specified Vserver.

[-policy-name <text>] - Policy Name

Use this parameter to display the IKE SAs created based on the specified security policy.

[-local-address <text>] - Local Address

Use this parameter to display the IKE SAs with the specified local endpoint IP address.

[-remote-address <text>] - Remote Address

Use this parameter to display the IKE SAs with the specified remote endpoint IP address.

[-initiator-spi <text>] - Initiator SPI

Use this parameter to display the IKE SAs with the specified initiator Security Parameter Index (SPI).

[-responder-spi <text>] - Responder SPI

Use this parameter to display the IKE SAs with the specified responder SPI.

[-is-initiator {true|false}] - Is Initiator

Use this parameter to display the IKE SAs in which the given node had the specified role in the IKE negotiation: true means the initiator role and false means the responder role.

[-ike-version <integer>] - IKE Version

Use this parameter to display the IKE SAs created using the specified IKE version.

[-auth-method <IKE Authentication Method>] - Authentication Method

Use this parameter to display the IKE SAs created using the specified authentication method.

[-state <IKE SA State>] - IKE SA State

Use this parameter to display only the IKE SAs that are in the specified state.

[-cipher-suite <Cipher Suite Type>] - Cipher Suite

Use this parameter to display the IKE SAs created using the specified cipher suite.

[-lifetime <integer>] - Lifetime

Use this parameter to display the IKE SAs with the specified remaining lifetime. Note that the remaining lifetime keeps changing for the duration of the security association, so an exact match is only valid at the moment the command runs.

Examples

This example displays all IKE SAs for node cluster1-node1:

cluster-1::> security ipsec show-ikesa -node cluster1-node1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         Policy1
                   192.186.10.1    192.186.10.2    e658e5bc7ece199e ESTABLISHED
vs2         Policy2
                   192.168.20.1    192.168.20.2    8eac392028ab4f12 ESTABLISHED
2 entries were displayed.

This example displays selected fields of all IKE SAs for node cluster1-node1:

cluster-1::> security ipsec show-ikesa -node cluster1-node1 -fields is-initiator,initiator-spi,responder-spi,auth-method,cipher-suite,lifetime

node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
-------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
cluster1-node1 vs2     Policy2     192.186.20.1  192.186.20.2   4d43aaba8ca01cd8 00bdd5aac569e08a true         PSK         SUITEB_GCM256 6720
2 entries were displayed.
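
The -fields layout above is convenient for scripted review of IKE SAs against a known baseline. The following is an added example, not part of the ONTAP documentation: it parses captured -fields output by column offsets and reports SAs whose peer, authentication method or cipher suite differs from what is expected. The function names, the baseline mapping and the vs3 row are assumptions made for this example.

```python
import re

# Constructed sample in the layout of the -fields example above. The vs1 row is
# the page's own; the vs3 row is invented for this example.
SAMPLE = """\
node           vserver policy-name local-address remote-address initiator-spi    responder-spi    is-initiator auth-method cipher-suite  lifetime
-------------- ------- ----------- ------------- -------------- ---------------- ---------------- ------------ ----------- ------------- --------
cluster1-node1 vs1     Policy1     192.186.10.1  192.186.10.2   e658e5bc7ece199e 9b61befff71e8ca2 false        PSK         SUITEB_GCM256 6300
cluster1-node1 vs3     Policy3     192.186.30.1  192.186.30.9   0123456789abcdef fedcba9876543210 false        PSK         SUITEB_GCM256 5400
2 entries were displayed.
"""

def parse_fields_table(text):
    """Split -fields output into dicts, using the dashed ruler for column offsets."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines)
                 if re.fullmatch(r"-+( +-+)+", l.rstrip()))
    starts = [m.start() for m in re.finditer(r"-+", lines[ruler])]
    bounds = list(zip(starts, starts[1:] + [None]))  # last column runs to end of line
    names = [lines[ruler - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[ruler + 1:]:
        # Skip blank lines and the trailing "N entries were displayed." footer.
        if line.strip() and not re.search(r"entr(y|ies) (was|were) displayed", line):
            rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows

def audit(rows, expected_peers, auth_methods=("PSK",), suites=("SUITEB_GCM256",)):
    """Return (vserver, policy, finding) tuples for SAs that break the baseline.

    expected_peers maps (vserver, policy-name) to the one allowed remote address
    (a hypothetical baseline format chosen for this example).
    """
    findings = []
    for r in rows:
        key = (r["vserver"], r["policy-name"])
        peer = expected_peers.get(key)
        if peer is None:
            findings.append(key + ("policy not in baseline",))
        elif r["remote-address"] != peer:
            findings.append(key + (f"unexpected peer {r['remote-address']}",))
        if r["auth-method"] not in auth_methods:
            findings.append(key + (f"auth method {r['auth-method']}",))
        if r["cipher-suite"] not in suites:
            findings.append(key + (f"cipher suite {r['cipher-suite']}",))
    return findings

if __name__ == "__main__":
    baseline = {("vs1", "Policy1"): "192.186.10.2", ("vs3", "Policy3"): "192.186.30.2"}
    for finding in audit(parse_fields_table(SAMPLE), baseline):
        print(*finding)
```
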

This example displays all IKE SAs for Vserver vs1:

cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1
            Policy Local           Remote
Vserver     Name   Address         Address         Initator-SPI     State
----------- ------ --------------- --------------- ---------------- -----------
vs1         Policy1
                   192.186.10.1    192.186.10.2    e658e5bc7ece199e ESTABLISHED

This example displays the instance view (all fields) for all IKE SAs associated with node cluster1-node1 and Vserver vs1, and created using policy Policy1:

cluster-1::> security ipsec show-ikesa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
                 Node: cluster1-node1
         Vserver Name: vs1
          Policy Name: Policy1
        Local Address: 192.168.10.1
       Remote Address: 192.168.10.2
        Initiator SPI: e658e5bc7ece199e
        Responder SPI: 9b61befff71e8ca2
         Is Initiator: false
          IKE Version: 2
Authentication Method: PSK
         IKE SA State: ESTABLISHED
         Cipher Suite: SUITEB_GCM256
             Lifetime: 6000