IKEv2 and Child SAs
Use the show security command with optional arguments to display IKEv2 and child SA information, including:
- IP address and port of remote end-point
- intervening NAT device (yes | no)
- local IP address
- tunnel state (up | down)
- initiator cookie
- responder cookie
- remote inner (tunnel) IP address
- incoming/outgoing Security Parameter Indexes (SPI) of the child SA
ORACLE# show security sad ike-interface 192.169.204.15
With a specified interface address, the command displays SA information for a single IKEv2 interface.
ORACLE# show security sad ike-interface all
With all, the command displays SA information for all IKEv2 interfaces.
ORACLE# show security sad ike-interface all
Displaying the total (4321) number of entries may take long and could affect system performance.
Continue? [y/n]?: y
Peer: 6.0.0.36:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x23e71b73d5a10c58[I] 0xd2017a6fb84a4fa6[R]
Child Peer IP: 101.0.0.36:0 Child SPI: 4236760138[I] 1721373661[O]
Peer: 6.0.0.28:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0xf64d031d32525730[I] 0xcea2d5ae3c91050f[R]
Child Peer IP: 101.0.0.28:0 Child SPI: 3632387333[I] 1421117246[O]
Peer: 6.0.0.9:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x84ec95a1cd0a4c5d[I] 0x1b61b385c4e627b4[R]
Child Peer IP: 101.0.0.9:0 Child SPI: 2432742837[I] 3872387177[O]
Peer: 6.0.0.25:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x541b2651e88c9368[I] 0xdc393a61af6dc909[R]
Child Peer IP: 101.0.0.25:0 Child SPI: 785656546[I] 148357787[O]
Peer: 6.0.0.27:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x3ba43c5c685e37e6[I] 0x7bfa6f0781dce1a8[R]
Child Peer IP: 101.0.0.27:0 Child SPI: 767765646[I] 3797275291[O]
Peer: 6.0.0.22:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x925e540ecbd58dbb[I] 0x7e1101371a5a5823[R]
Child Peer IP: 101.0.0.22:0 Child SPI: 787745714[I] 876969665[O]
Peer: 6.0.0.2:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0xda0f568684ba5e2c[I] 0x74c533da2fd29901[R]
Child Peer IP: 101.0.0.2:0 Child SPI: 3884481109[I] 1862217459[O]
Peer: 6.0.0.7:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x6166bac4438f3ca7[I] 0x71d1049a0f8520f4[R]
Child Peer IP: 101.0.0.7:0 Child SPI: 2798332266[I] 2789214337[O]
Peer: 6.0.0.15:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x0e060701115069bf[I] 0x2e69adbf15438000[R]
Child Peer IP: 101.0.0.15:0 Child SPI: 713005957[I] 1985608540[O]
Continue? [y/n]?: y
...
...
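The listing above is three lines per tunnel, interleaved with the "Continue?" prompts, so it is awkward to audit by eye once there are thousands of entries. The following Python is an added example (not Oracle's code or tooling) that parses that format into records, flags tunnels that are not Up or sit behind NAT, and builds the per-peer follow-up command. The sample text is constructed here: the first two entries copy values from the page, the third (Down, behind NAT) is invented to exercise the checks, and the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the format of "show security sad ike-interface all":
# the first two entries copy values from the page, the third (Down, behind NAT)
# is invented here to exercise the audit checks.
SAMPLE_SUMMARY = """\
Displaying the total (4321) number of entries may take long and could affect system performance.
Continue? [y/n]?: y
Peer: 6.0.0.36:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0x23e71b73d5a10c58[I] 0xd2017a6fb84a4fa6[R]
Child Peer IP: 101.0.0.36:0 Child SPI: 4236760138[I] 1721373661[O]
Peer: 6.0.0.28:500 (NAT: No) Host: 172.16.101.2 State: Up
IKE Cookies: 0xf64d031d32525730[I] 0xcea2d5ae3c91050f[R]
Child Peer IP: 101.0.0.28:0 Child SPI: 3632387333[I] 1421117246[O]
Peer: 203.0.113.7:4500 (NAT: Yes) Host: 172.16.101.2 State: Down
IKE Cookies: 0x1111111111111111[I] 0x2222222222222222[R]
Child Peer IP: 10.9.9.9:0 Child SPI: 1000[I] 2000[O]
Continue? [y/n]?: y
...
"""

PEER_RE = re.compile(
    r"^Peer:\s+(?P<peer>\S+)\s+\(NAT:\s+(?P<nat>Yes|No)\)\s+"
    r"Host:\s+(?P<host>\S+)\s+State:\s+(?P<state>Up|Down)$")
COOKIE_RE = re.compile(
    r"^IKE Cookies:\s+(?P<init>0x[0-9a-f]+)\[I\]\s+(?P<resp>0x[0-9a-f]+)\[R\]$", re.I)
CHILD_RE = re.compile(
    r"^Child Peer IP:\s+(?P<inner>\S+)\s+Child SPI:\s+"
    r"(?P<spi_in>\d+)\[I\]\s+(?P<spi_out>\d+)\[O\]$")


@dataclass
class IkeSa:
    peer: str        # remote endpoint IP:port
    nat: bool        # intervening NAT device detected
    host: str        # local IKE interface address
    state: str       # "Up" or "Down"
    cookie_i: str    # initiator cookie
    cookie_r: str    # responder cookie
    inner_ip: str    # remote inner (tunnel) address
    spi_in: int      # child SA inbound SPI
    spi_out: int     # child SA outbound SPI


def parse_summary(text: str) -> list[IkeSa]:
    """Parse the three-line-per-tunnel listing; prompts and '...' lines are skipped."""
    sas, cur = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PEER_RE.match(line):
            cur = {"peer": m["peer"], "nat": m["nat"] == "Yes",
                   "host": m["host"], "state": m["state"]}
        elif m := COOKIE_RE.match(line):
            cur.update(cookie_i=m["init"], cookie_r=m["resp"])
        elif m := CHILD_RE.match(line):
            cur.update(inner_ip=m["inner"], spi_in=int(m["spi_in"]),
                       spi_out=int(m["spi_out"]))
            if len(cur) == 9:          # only emit a record once all three lines were seen
                sas.append(IkeSa(**cur))
            cur = {}
    return sas


def audit(sas: list[IkeSa]) -> list[str]:
    """One finding per tunnel that is not Up, plus a note for every NAT-traversed peer."""
    findings = []
    for sa in sas:
        if sa.state != "Up":
            findings.append(f"{sa.peer}: tunnel state {sa.state}")
        if sa.nat:
            findings.append(f"{sa.peer}: peer behind NAT, expect UDP-encapsulated ESP")
    return findings


def detail_command(sa: IkeSa) -> str:
    """Build the follow-up command that shows full IKE and IPsec SA detail for one peer."""
    return f"show security sad ike-interface {sa.host} peer {sa.peer}"


if __name__ == "__main__":
    tunnels = parse_summary(SAMPLE_SUMMARY)
    print(f"{len(tunnels)} tunnels parsed")
    for finding in audit(tunnels):
        print("finding:", finding)
    print(detail_command(tunnels[0]))
```

Feed it the captured session text (the prompts answered with y are ignored by the parser), then use the generated command for any peer worth a closer look; the [I] SPI in the listing is the Inbound SPI shown in the detailed view.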
Use show security with the peer address obtained from the previous command to display more detailed information about a specific tunnel, including:
- IKE version
- Diffie Hellman group
- the IKE SA hash algorithm
- the IKE SA message authentication code algorithm
- the IKE SA encryption algorithm
- seconds since SA creation
- SA lifetime in seconds
- remaining lifetime in seconds
- IPsec operational mode (tunnel | transport)
- IPsec security protocol (AH | ESP)
- IPsec authentication protocol (SHA1 | MD5 | any)
- IPsec encryption protocol (AES | 3DES | null | any)
ORACLE# show security sad ike-interface <ipAddress> peer <ipAddress>
ORACLE# show security sad ike-interface 172.16.101.2 peer 6.0.0.36:500
IKE SA:
    IKE Version : 2
    Tunnel State : Up
    Last Response [Seconds] : 212
    AAA Identity :
    NAT : No
    IP Addresses [IP:Port]
        Peer : 6.0.0.36:500
        Server Instance : 172.16.101.2:500
    Cookies
        Initiator : 0x23e71b73d5a10c58
        Responder : 0xd2017a6fb84a4fa6
    Algorithms
        DH Group : 2
        Hash : HMAC-SHA1
        MAC : SHA1-96
        Cipher : 3DES
    SA Times [Seconds]
        Creation : 141
        Expiry : 86400
        Remaining : 86188
IPSec SA:
    IP Addresses [IP:Port]
        Destination : 101.0.0.36:0
        Source : 172.16.101.2:0
    SPI
        Outbound : 1721373661
        Inbound : 4236760138
    Algorithms
        Mode : TUNNEL
        Protocol : ESP
        Authentication : SHA1
        Encryption : AES
    Traffic Selectors [Start IP - End IP]
        Destination : 101.0.0.36 - 101.0.0.36
        Source : 172.16.101.2 - 172.16.101.2
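The detailed view is where the negotiated algorithms and lifetimes become visible, which is what a reviewer checks against crypto policy. The Python below is an added example (not Oracle's code) that parses the section / sub-heading / "key : value" layout of this output into a nested dict and runs a few policy checks over it: weak MODP Diffie-Hellman groups, deprecated or null ciphers, MD5, AH without confidentiality, a tunnel that is not Up, and an IKE SA close to expiry. The sample text is the page's own example; the policy sets, thresholds and function names are my own choices.

```python
import re

# Sample "show security sad ike-interface <host> peer <peer>" output, copied from
# the page's example, used here as the parser input.
SAMPLE_DETAIL = """\
IKE SA:
    IKE Version : 2
    Tunnel State : Up
    Last Response [Seconds] : 212
    AAA Identity :
    NAT : No
    IP Addresses [IP:Port]
        Peer : 6.0.0.36:500
        Server Instance : 172.16.101.2:500
    Cookies
        Initiator : 0x23e71b73d5a10c58
        Responder : 0xd2017a6fb84a4fa6
    Algorithms
        DH Group : 2
        Hash : HMAC-SHA1
        MAC : SHA1-96
        Cipher : 3DES
    SA Times [Seconds]
        Creation : 141
        Expiry : 86400
        Remaining : 86188
IPSec SA:
    IP Addresses [IP:Port]
        Destination : 101.0.0.36:0
        Source : 172.16.101.2:0
    SPI
        Outbound : 1721373661
        Inbound : 4236760138
    Algorithms
        Mode : TUNNEL
        Protocol : ESP
        Authentication : SHA1
        Encryption : AES
    Traffic Selectors [Start IP - End IP]
        Destination : 101.0.0.36 - 101.0.0.36
        Source : 172.16.101.2 - 172.16.101.2
"""

# A "key : value" line has whitespace before the colon; a heading such as
# "IP Addresses [IP:Port]" does not, so it is treated as a sub-heading instead.
KV_RE = re.compile(r"^(?P<key>.+?)\s+:\s*(?P<val>.*)$")

# Policy sets chosen for this example, not values taken from the page.
WEAK_CIPHERS = {"DES", "3DES", "NULL"}   # deprecated, or no confidentiality at all
WEAK_HASHES = {"MD5"}
WEAK_DH_GROUPS = {1, 2, 5}               # 768/1024/1536-bit MODP groups


def parse_detail(text: str) -> dict:
    """Return {section: {subsection: {key: value}}}; top-level fields use subsection ''."""
    data, section, sub = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("SA:"):                 # "IKE SA:" / "IPSec SA:"
            section, sub = line[:-1], ""
            data[section] = {}
        elif section is None:                    # text before the first section
            continue
        elif m := KV_RE.match(line):
            data[section].setdefault(sub, {})[m["key"]] = m["val"]
        else:                                    # "Algorithms", "SPI", "SA Times [Seconds]", ...
            sub = line
    return data


def evaluate(sa: dict, min_remaining: int = 600) -> list[str]:
    """Policy findings for one parsed tunnel; an empty list means nothing to report."""
    findings = []
    ike, ipsec = sa["IKE SA"], sa["IPSec SA"]
    state = ike[""]["Tunnel State"]
    if state != "Up":
        findings.append(f"tunnel state is {state}")
    alg = ike["Algorithms"]
    if int(alg["DH Group"]) in WEAK_DH_GROUPS:
        findings.append(f"IKE DH Group {alg['DH Group']} is a weak MODP group")
    if alg["Cipher"].upper() in WEAK_CIPHERS:
        findings.append(f"IKE cipher {alg['Cipher']} is deprecated")
    if any(h in alg["Hash"].upper() for h in WEAK_HASHES):
        findings.append(f"IKE hash {alg['Hash']} is weak")
    esp = ipsec["Algorithms"]
    if esp["Protocol"] == "AH":
        findings.append("IPsec protocol AH gives integrity only, no confidentiality")
    if esp["Encryption"].upper() in WEAK_CIPHERS:
        findings.append(f"IPsec encryption {esp['Encryption']} is weak or null")
    if esp["Authentication"].upper() in WEAK_HASHES:
        findings.append(f"IPsec authentication {esp['Authentication']} is weak")
    remaining = int(ike["SA Times [Seconds]"]["Remaining"])
    if remaining < min_remaining:
        findings.append(f"IKE SA expires in {remaining}s; rekey expected")
    return findings


if __name__ == "__main__":
    parsed = parse_detail(SAMPLE_DETAIL)
    for finding in evaluate(parsed):
        print("finding:", finding)
```

On the page's example the checker reports the 1024-bit DH group 2 and the 3DES IKE cipher; the child SA (ESP, AES, SHA1, tunnel mode) passes. Repeated keys such as Destination and Source appear under different sub-headings, which is why the parser keys on the sub-heading rather than flattening the output.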