Usage Guidelines
If no optional
argument or keyword is used, all SAs are displayed within a flow. Within a
flow, the SAs are listed by protocol (Encapsulating Security Payload [ESP] or
Authentication Header [AH]) and direction (inbound or outbound).
The
detail
keyword provides additional information only for SAs that are configured in a
software crypto engine. The SAs are configured by using tunnel-ipsec and
transport.
Examples
The following
sample output is from the
show crypto ipsec sa
command:
RP/0/0/CPU0:router# show crypto ipsec sa
SSA id: 510
Node id: 0/1/0
SA Type: MANUAL
interface: service-ipsec22
profile : p7
local ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.255/512/0)
remote ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.0/512/0)
local crypto endpt: 0.0.0.0, remote crypto endpt: 0.0.0.0, vrf default
#pkts tx :0 #pkts rx :0
#bytes tx :0 #bytes rx :0
#pkts encrypt :0 #pkts decrypt :0
#pkts digest :0 #pkts verify :0
#pkts encrpt fail:0 #pkts decrpt fail:0
#pkts digest fail:0 #pkts verify fail:0
#pkts replay fail:0
#pkts tx errors :0 #pkts rx errors :0
outbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa agreed lifetime: 3600s, 4194303kb
sa timing: remaining key lifetime: 3142303931sec/0kb
sa DPD: disable, mode none, timeout 0s
sa idle timeout: disable, 0s
sa anti-replay (HW accel): enable, window 64
inbound esp sas:
spi: 0x322(802)
transform: esp-3des-md5
in use settings = Tunnel
sa agreed lifetime: 3600s, 4194303kb
sa timing: remaining key lifetime: 3142303931sec/0kb
sa DPD: disable, mode none, timeout 0s
sa idle timeout: disable, 0s
sa anti-replay (HW accel): enable, window 64
This table
describes the significant fields shown in the display.
Table 1 show crypto
ipsec sa Field Descriptions
Field
|
Description
|
SA id
|
Identifier
for the SA.
|
interface
|
Identifier
for the interface.
|
profile
|
String of
alphanumeric characters that specify the name of a security profile.
|
local
ident
|
IP
address, mask, protocol, and port of the local peer.
|
remote
ident
|
IP
address, mask, protocol and port of the remote peer.
|
outbound
esp sas
|
Outbound
ESP SAs.
|
inbound
esp sas
|
Inbound
ESP SAs.
|
transform
|
The
transform being used in the SA.
|
sa
lifetime
|
The
lifetime value used in the SA.
|
The following
sample output is from the
show crypto ipsec sa
command for the
profile
keyword for a profile named pn1:
RP/0/0/CPU0:router# show crypto ipsec sa profile pn1
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120
outbound esp sas:
spi: 0x8b0e950f (2332988687)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92
inbound esp sas:
spi: 0x2777997c (662149500)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
The following
sample output is from the
show crypto ipsec sa
command for the
peer keyword:
RP/0/0/CPU0:router# show crypto ipsec sa peer 172.19.72.120
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120
outbound esp sas:
spi: 0x8b0e950f (2332988687)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb
SA id: 2
interface: tunnel0
profile: pn1
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0)
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92
inbound esp sas:
spi: 0x2777997c (662149500)
transform: esp-3des-sha
in use settings = Tunnel
sa lifetime: 3600s, 4194303kb