ONTAP 9.15.1 commands

security ipsec show-ipsecsa

Show IPsec SA Information

Availability: This command is available to cluster and Vserver administrators at the admin privilege level.

Description

The security ipsec show-ipsecsa command displays information about IPsec Security Associations (SA).

Running the command with the -node parameter displays information relevant to IPsec SAs at the specified node.

Running this command with the -vserver parameter displays information relevant to IPsec SAs associated with the specified vserver.

Running this command with the -policy-name parameter displays information relevant to IPsec SAs created using the specified security policy.

You can specify additional parameters to display only information matching those parameters. For example, to display only the IPsec SAs for a certain local address, run the command with the -local-address parameter.

Parameters

{ [-fields <fieldname>,…​]

If you specify the -fields <fieldname>,…​ parameter, the command displays only the specified fields. Notice that key fields are always displayed.

| [-instance ] }

If you specify the -instance parameter, the command displays all fields of matching IPsec SAs.

-node <nodename> - Node

This required parameter specifies from which node the IPsec SA information will be collected and displayed.

[-vserver <vserver name>] - Vserver Name

Use this parameter to display the IPsec SAs associated with the specified Vserver.

[-policy-name <text>] - Policy Name

Use this parameter to display the IPsec SAs created based on the specified security policy.

[-local-address <text>] - Local Address

Use this parameter to display the IPsec SAs with the specified local endpoint IP address.

[-remote-address <text>] - Remote Address

Use this parameter to display the IPsec SAs with the specified remote endpoint IP address.

[-inbound-spi <text>] - Inbound SPI

Use this parameter to display the IPsec SA having the specified inbound Security Parameter Index (SPI).

[-outbound-spi <text>] - Outbound SPI

Use this parameter to display the IPsec SA having the specified outbound SPI.

[-action <IPsec Action Type>] - IPsec Action

Use this parameter to display IPsec SAs with the specified security action type, such as ESP_TRA for ESP transport mode protection, BYPASS to bypass IPsec, or DISCARD.

[-state <text>] - IPsec SA State

Use this parameter to display only the IPsec SAs that are in the specified state.

[-cipher-suite <Cipher Suite Type>] - Cipher Suite

Use this parameter to display the IPsec SAs that use the specified cipher-suite.

[-ib-bytes <integer>] - Inbound Bytes Processed

Use this parameter to display the IPsec SAs matching the processed inbound bytes. Notice that ib-bytes keeps changing as inbound packets are processed.

[-ib-pkts <integer>] - Inbound Pkts Processed

Use this parameter to display the IPsec SAs matching the processed inbound packets. Notice that ib-pkts keeps changing as inbound packets are processed.

[-ob-bytes <integer>] - Outbound Bytes Processed

Use this parameter to display the IPsec SAs matching the processed outbound bytes. Notice that ob-bytes keeps changing as outbound packets are processed.

[-ob-pkts <integer>] - Outbound Pkts Processed

Use this parameter to display the IPsec SAs matching the processed outbound packets. Notice that ob-pkts keeps changing as outbound packets are processed.

[-lifetime <integer>] - IPsec SA Lifetime Seconds

Use this parameter to display the IPsec SAs matching the remaining lifetime. Notice that lifetime keeps changing for the duration of the security association.

Examples

This example displays all IPsec SAs for node cluster1-node1:

cluster-1::> security ipsec show-ipsecsa -node cluster1-node1
            Policy  Local           Remote          Inbound  Outbound
Vserver     Name    Address         Address         SPI      SPI      State
----------- ------- --------------- --------------- -------- -------- ---------
vs1         Policy1
                    192.186.10.1    192.186.10.2    c68de9db c84f913b INSTALLED
vs2         Policy2
                    192.186.20.1    192.186.20.2    cbc01493 c6ee7424 INSTALLED
2 entries were displayed.

This example displays selected fields of all IPsec SAs for node cluster1-node1:

cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields local-address,remote-address,inbound-spi,outbound-spi
node           vserver policy-name local-address  remote-address inbound-spi outbound-spi
-------------- ------- ----------- -------------- -------------- ----------- ------------
cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    c84f913b
cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    c6ee7424
2 entries were displayed.

This example displays selected fields of all IPsec SAs associated with node cluster1-node1:

cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -fields ib-bytes,ib-pkts,ob-bytes,ob-pkts
node           vserver policy-name local-address  remote-address inbound-spi ib-bytes ib-pkts ob-bytes ob-pkts
-------------- ------- ----------- -------------- -------------- ----------- -------- ------- -------- -------
cluster1-node1 vs1     Policy1     192.186.10.1   192.186.10.2   c68de9db    4704     56      6720     56
cluster1-node1 vs2     Policy2     192.186.20.1   192.186.20.2   cbc01493    20434    115     23082    120
2 entries were displayed.

This example displays instance view (all fields) for all IPsec SAs associated with node cluster1-node1, vserver vs1 and created using policy Policy1:

cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -vserver vs1 -policy-name Policy1 -instance
Node: cluster1-node1
             Vserver Name: vs1
              Policy Name: Policy1
              Inbound SPI: c68de9db
             Outbound SPI: c84f913b
            Local Address: 192.168.10.1
           Remote Address: 192.168.10.2
             IPsec Action: ESP_TRA
           IPsec SA State: INSTALLED
             Cipher Suite: SUITEB_GCM256
  Inbound Bytes Processed: 4704
   Inbound Pkts Processed: 56
 Outbound Bytes Processed: 6720
  Outbound Pkts Processed: 56
IPsec SA Lifetime Seconds: 1800
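
The -instance view above is the form that exposes the action, state and cipher suite of each SA, so it is the one to check against a baseline. The following is an added example, not part of the ONTAP documentation: a Python sketch that parses captured -instance output and reports SAs whose fields fall outside an assumed site baseline. The baseline values, the function names and the second sample record are assumptions of this example.

```python
# Constructed sample: record 1 follows the -instance example on this page;
# record 2 is made up, and its EXAMPLE_* values are placeholders, not real ONTAP values.
SAMPLE = """\
cluster-1::> security ipsec show-ipsecsa -node cluster1-node1 -instance
Node: cluster1-node1
             Vserver Name: vs1
              Policy Name: Policy1
              Inbound SPI: c68de9db
             IPsec Action: ESP_TRA
           IPsec SA State: INSTALLED
             Cipher Suite: SUITEB_GCM256
Node: cluster1-node1
             Vserver Name: vs2
              Policy Name: Policy2
              Inbound SPI: cbc01493
             IPsec Action: BYPASS
           IPsec SA State: EXAMPLE_STATE
             Cipher Suite: EXAMPLE_SUITE
"""

def parse_instances(text):
    """Split -instance output into one dict per SA; each 'Node:' line opens a record."""
    records = []
    for line in text.splitlines():
        if "::>" in line or ":" not in line:
            continue  # skip the CLI prompt line and blank/footer lines
        key, _, value = line.partition(":")  # first colon only, so IPv6 values survive
        key, value = key.strip(), value.strip()
        if key == "Node":
            records.append({})
        if records:
            records[-1][key] = value
    return records

# Assumed baseline (a site policy chosen for this example): ESP transport mode,
# SA in INSTALLED state, and the one cipher suite shown on this page.
BASELINE = {"IPsec Action": {"ESP_TRA"}, "IPsec SA State": {"INSTALLED"},
            "Cipher Suite": {"SUITEB_GCM256"}}

def audit(records, baseline=BASELINE):
    """Return (vserver, policy, field, value) for every field outside the baseline."""
    findings = []
    for rec in records:
        for field, allowed in baseline.items():
            value = rec.get(field, "<missing>")
            if value not in allowed:
                findings.append((rec.get("Vserver Name"), rec.get("Policy Name"), field, value))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_instances(SAMPLE)):
        print(finding)
```

A field that is absent from a record is reported as `<missing>` rather than silently passing, which catches truncated captures.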