Displaying IPsec security association information

Use the following procedure to display IPsec security association information.

Procedure

  1. Enter Privileged EXEC mode:

    enable

  2. Display all IPsec security associations:

    show ipsec sa all

  3. Display a specific IPsec security association:

    show ipsec sa name WORD<1–32>

  4. Display all security associations linked to a specific policy:

    show ipsec sa-policy

Example

Display information on IPsec security association policies:

Switch:1>enable
Switch:1#show ipsec sa all
=========================================================================
                        IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000

Switch:1#show ipsec sa name ospf1

=========================================================================
                        IPSEC Security Association Table
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3dec-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Auth-key-Len: 16
Mode: transport
Lifetime-Sec: 1000
Lifetime-Byte: 20000

Switch:1#show ipsec sa-policy

=========================================================================
                                SA POLICY TABLE
=========================================================================
 Policy Name       Security Association 
-------------------------------------------------------------------------
 ospf1             ospf1
-------------------------------------------------------------------------

Variable Definitions

The following table defines parameters for the show ipsec sa command.

Variable          Value
----------------  --------------------------------------------------------
all               Displays all security associations.
name WORD<1–32>   Displays a specific security association based on name.

The following table defines parameters for the show ipsec command.

Variable          Value
----------------  --------------------------------------------------------
sa-policy         Displays all security associations linked to a specific
                  policy.

Job aid

The following table describes the fields in the output for the show ipsec sa all and show ipsec sa name commands.

Parameter          Description
-----------------  ------------------------------------------------------------
sa-name            Specifies the IPsec security association name.
key-Mode           Specifies the key mode as manual or automatic. The default
                   is automatic.
Encap protocol     Specifies the encapsulation protocol.
SPI Value          Specifies the SPI value, which is a tag added to the IP
                   header. For IPsec to function, both peers must have the
                   same SPI value configured for a particular policy.
Encrypt Algorithm  Specifies the encryption algorithm as one of the following:
                     • 3DES-CBC
                     • AES-CBC
                     • AES-CTR
                     • NULL: used only for debugging.
Encrypt-key        Specifies the encryption key, entered in one of the
                   following formats:
                     • hex: hexadecimal.
                     • ascii: ASCII (American Standard Code for Information
                       Interchange) character encoding.
Encrypt-key-Len    Specifies the key length value in a string from 1 to 256
                   characters. The default KeyLength is 128.
Mode               Specifies the mode value as one of the following:
                     • tunnel: tunnel mode encapsulates the entire IP packet
                       and provides a secure tunnel.
                     • transport: transport mode encapsulates the IP payload
                       and provides a secure connection between two endpoints.
                   The default is transport mode.
Lifetime-Sec       Specifies the lifetime value in seconds. The default is
                   28800.
Lifetime-Byte      Specifies the lifetime value in bytes. The default is
                   4294966272.

The following table describes the fields in the output for the show ipsec sa-policy command.

Parameter             Description
--------------------  ----------------------------------------------
Policy Name           Specifies the IPsec policy name.
Security Association  Specifies the security association name.
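As an added example (not part of this document or the switch software), the following Python script parses a captured show ipsec sa all table into one record per security association, flags the settings a reviewer would question against the field descriptions above (NULL or 3DES encryption, HMAC-MD5 integrity, manual keying), and redacts the key fields before the capture is filed anywhere. The sample capture is constructed from the Example section; the field names Encrypt-key and Auth-key are taken from that output.

```python
import re

# Constructed sample modelled on the "show ipsec sa all" capture in the Example
# section (that capture prints the cipher as "3dec-cbc"; 3des-cbc is assumed here).
SAMPLE_OUTPUT = """\
=========================================================================
sa-name: ospf1
key-Mode: manual
Encap protocol: ESP
SPI Value: 9
Encrypt Algorithm: 3des-cbc
Encrypt-key: 52fb29f723b0800870dc83e3
Encrypt-key-Len: 24
Auth Algorithm: hmac-md5
Auth-key: 123456789abcdef0
Mode: transport
Lifetime-Sec: 1000
"""

FIELD = re.compile(r"^([A-Za-z][A-Za-z -]*):\s*(.*)$")
KEY_LINE = re.compile(r"^((?:Encrypt|Auth)-key):\s*\S+", re.MULTILINE)

def parse_sa_table(text):
    # One dict per SA: an 'sa-name' line opens a record; banner and rule lines are skipped.
    records = []
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m and m.group(1) == "sa-name":
            records.append({})
        if m and records:
            records[-1][m.group(1)] = m.group(2)
    return records

def audit_sa(sa):
    # Findings a reviewer would raise for one parsed SA record.
    enc, auth = (sa.get(k, "").lower() for k in ("Encrypt Algorithm", "Auth Algorithm"))
    findings = []
    if enc == "null":
        findings.append("NULL encryption is debug-only; traffic is not confidential")
    elif enc.startswith("3des"):
        findings.append("3DES-CBC is a legacy cipher; prefer AES-CBC or AES-CTR")
    if auth == "hmac-md5":
        findings.append("HMAC-MD5 integrity is legacy; prefer an HMAC-SHA variant")
    if sa.get("key-Mode") == "manual":
        findings.append("manual keying: keys never rotate and appear in clear in this output")
    return findings

def redact_keys(text):
    # Mask key material before a capture is pasted into a ticket, chat or log.
    return KEY_LINE.sub(r"\1: <redacted>", text)
```

Run audit_sa over each record from parse_sa_table, and pass any capture through redact_keys before it leaves the operator's session, since the show output prints both keys in clear.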