Displaying IPsec security association information

Use the following procedure to display IPsec security association information.

Procedure

Enter Privileged EXEC mode:

enable
Display all IPsec security associations:

show ipsec sa all
Display a specific IPsec security association:

show ipsec sa name WORD<1–32>
Display all security associations linked to a specific policy:

show ipsec sa-policy

Example

Display information on IPsec security association policies:

Switch:1>enable
Switch:1#show ipsec sa all
=========================================================================
                        IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000

Switch:1#show ipsec sa name ospf1

=========================================================================
                        IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000

Switch:1#show ipsec sa-policy          

=========================================================================
                                SA POLICY TABLE
=========================================================================
 Policy Name       Security Association 
-------------------------------------------------------------------------
 ospf1             ospf1
-------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show ipsec sa command.


Variable	Value
all	Displays all security associations.
name `WORD<1–32>`	Displays a specific security association based on name.

Use the data in the following table to use the show ipsec command.


Variable	Value
sa-policy	Displays all security associations linked to a specific policy.

Job aid

The following table describes the fields in the output for the show ipsec sa all and show ipsec saname commands.


Parameter	Description
sa-name	Specifies all of the IPsec security association names.
key-Mode	Specifies the key mode as manual or automatic. The default is automatic.
Encap protocol	Specifies the encapsulation protocol.
SPI Value	Specifies the SPI value, which is a tag added to the IP header. For IPsec to function, each peer must have the same SPI value configured on both peers for a particular policy.
Encrypt Algorithm	Specifies the encrypt algorithm as one of the following: 3DES-CBC AES-CBC AES-CTR NULL—Only used to debug.
Encrypt-key	Specifies the encrypt-key parameter for the authentication key in either: hex– Specifies hexadecimal. ascii–Specifies ASCII, the American Standard Code for Information Interchange character encoding scheme.
Encrypt-key-Len	Specifies the key length value in a string from 1 to 256 characters. The default KeyLength is 128.
Mode	Specifies the mode value as one of the following: tunnel—Tunnel mode encapsulates the entire IP packet and provides a secure tunnel. transport—Transport mode encapsulates the IP payload and provides a secure connection between two endpoints. The default is transport mode.
Lifetime-Sec	Specifies the lifetime value in seconds. The default is 28800.
Lifetime-Byte	Specifies the lifetime value in bytes. The default is 4294966272.

The following table describes the fields in the output for the show ipsec sa-policy command.


Parameter	Description
Policy Name	Specifies the IPsec policy name.
Security Association	Specifies the security association name.