Command of the Day


COTD: show crypto ipsec sa - reloaded

The "show crypto ipsec sa" command (http://airheads.arubanetworks.com/vBulletin/showthread.php?t=1849) has changed as of ArubaOS 5.0.1.0. Previously, it showed details about every correctly negotiated IPSEC connection. As more endpoints came to depend on IPSEC connectivity, such as access points with CPSEC (Control Plane Security) enabled and VIA clients, this output became more and more difficult to page through without a lot of space-bar pressing. Starting with ArubaOS 5.0.1.0, "show crypto ipsec sa" has a list view:

(m3.arubanetworks.com) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP  InitiatorID      ResponderID  Flags       Start Time       Inner IP
------------     ------------  -----------      -----------  ----------  ----------       --------
61.48.59.9       10.69.69.16   10.69.16.73/32   0.0.0.0/0    UT          Jun 25 13:28:48  10.69.16.73
59.180.116.181   10.69.69.16   10.69.16.217/32  0.0.0.0/0    UT          Jun 25 11:43:12  10.69.16.217
68.56.31.179     10.69.69.16   10.69.16.128/32  0.0.0.0/0    UT          Jun 25 13:23:50  10.69.16.128
173.66.245.181   10.69.69.16   10.69.16.34/32   0.0.0.0/0    UT          Jun 25 12:20:18  10.69.16.34
96.241.225.97    10.69.69.16   10.69.16.181/32  0.0.0.0/0    UT          Jun 25 13:02:12  10.69.16.181
75.73.89.18      10.69.69.16   10.69.16.2/32    0.0.0.0/0    UT          Jun 25 13:09:28  10.69.16.2
138.130.107.167  10.69.69.16   10.69.16.31/32   0.0.0.0/0    UT          Jun 25 12:27:40  10.69.16.31
173.70.51.33     10.69.69.16   10.69.16.236/32  0.0.0.0/0    UT          Jun 25 13:18:05  10.69.16.236
122.161.102.25   10.69.69.16   10.69.16.216/32  0.0.0.0/0    UT          Jun 25 13:16:30  10.69.16.216
75.41.125.174    10.69.69.16   10.69.16.86/32   0.0.0.0/0    UT          Jun 25 12:59:11  10.69.16.86
221.148.62.48    10.69.69.16   10.69.16.87/32   0.0.0.0/0    UT          Jun 25 13:28:11  10.69.16.87
64.169.70.34     10.69.69.16   10.69.16.194/32  0.0.0.0/0    UT          Jun 25 12:00:24  10.69.16.194
206.248.44.72    10.69.69.16   10.69.16.102/32  0.0.0.0/0    UT          Jun 25 13:14:21  10.69.16.102
119.80.75.25     10.69.69.16   10.69.16.88/32   0.0.0.0/0    UT          Jun 25 13:23:14  10.69.16.88
71.80.54.29      10.69.69.16   10.69.16.153/32  0.0.0.0/0    UT          Jun 25 11:55:22  10.69.16.153
66.168.57.194    10.69.69.16   10.69.16.154/32  0.0.0.0/0    UT          Jun 25 11:52:05  10.69.16.154
76.247.107.149   10.69.69.16   10.69.16.187/32  0.0.0.0/0    UT          Jun 25 12:52:56  10.69.16.187
216.160.3.158    10.69.69.16   10.69.16.218/32  0.0.0.0/0    UT          Jun 25 11:54:40  10.69.16.218
72.81.29.75      10.69.69.16   10.69.16.8/32    0.0.0.0/0    UT          Jun 25 13:28:41  10.69.16.8
98.232.107.61    10.69.69.16   10.69.16.170/32  0.0.0.0/0    UT          Jun 25 12:24:45  10.69.16.170

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client

Total IPSEC SAs: 20



To see details about an IPSEC connection, you can still use the "peer" option:

(m3.arubanetworks.com) #show crypto ipsec sa peer 80.254.65.210


Initiator IP: 80.254.65.210
Responder IP: 10.69.69.16
Initiator: No
Initiator cookie:018006409496dde5 Responder cookie:659f346abddccaf7
SA Creation Date: Fri Jun 25 13:21:23 2010
Life secs: 7200
Initiator Phase2 ID: 10.69.16.7/255.255.255.255
Responder Phase2 ID: 0.0.0.0/0.0.0.0
Phase2 Transform: EncAlg:esp-3des HMAC:esp-sha-hmac
Encapsulation Mode:UDP-encapsulated Tunnel
PFS: No
OUT SPI 1b0aa012, IN SPI 1b5c5300
Inner IP 10.69.16.7, internal type C
Aruba VIA
Reference count: 3



The SA above is a VIA client, as you can tell.


Colin Joseph
Aruba Customer Engineering
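
The list view shown in the post is regular enough to check by script. The following Python code is an added example, not part of the original post and not Aruba tooling: it parses a saved capture of the list view, decodes each Flags value using the legend printed with the output, and reports unknown flag letters or a row count that disagrees with the "Total IPSEC SAs" line. The function names and the sample capture (documentation-range addresses) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the list-view layout (not real device output).
SAMPLE = """\
IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP  InitiatorID      ResponderID  Flags       Start Time       Inner IP
------------     ------------  -----------      -----------  ----------  ----------       --------
198.51.100.7     192.0.2.16    10.0.16.73/32    0.0.0.0/0    UT          Jun 25 13:28:48  10.0.16.73
203.0.113.40     192.0.2.16    10.0.16.217/32   0.0.0.0/0    UT          Jun 25 11:43:12  10.0.16.217
198.51.100.99    192.0.2.16    10.0.16.8/32     0.0.0.0/0    T           Jun 25 12:01:05  10.0.16.8

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client

Total IPSEC SAs: 3
"""

LEGEND_RE = re.compile(r"\b([A-Z]) = ([^;\n]+)")
TOTAL_RE = re.compile(r"Total IPSEC SAs:\s*(\d+)")

def parse_sa_list(text):
    """Return (rows, reported_total) from a capture of the list view."""
    # Build the flag legend from the capture itself rather than hard-coding it.
    legend = {k: v.strip() for k, v in LEGEND_RE.findall(text.partition("Flags:")[2])}
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:            # data rows have 9 fields; the date takes 3
            continue
        try:                       # headers and rules do not start with two IPs
            ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
        except ValueError:
            continue
        rows.append({"initiator": f[0], "responder": f[1], "initiator_id": f[2],
                     "responder_id": f[3], "start": " ".join(f[5:8]), "inner_ip": f[8],
                     "flags": [legend.get(c, "unknown flag " + c) for c in f[4]]})
    m = TOTAL_RE.search(text)
    return rows, (int(m.group(1)) if m else None)

def check_capture(text):
    """Return a list of inconsistencies found in the capture (empty if none)."""
    rows, total = parse_sa_list(text)
    findings = [f"{r['initiator']}: {d}" for r in rows for d in r["flags"]
                if d.startswith("unknown flag")]
    if total is None:
        findings.append("no 'Total IPSEC SAs' line; capture may be truncated")
    elif total != len(rows):
        findings.append(f"parsed {len(rows)} rows but device reported {total}")
    return findings
```

A count mismatch usually means the capture was cut off by paging, so re-collect the output before relying on it.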
