ipsec -y display

The ipsec -y display command displays information about dynamic tunnels installed in the default stack. Use the -p option to direct the command to another stack or the -z option to direct the command to an NSS IPSec client. A dynamic tunnel must be active before traffic matching a filter rule utilizing an IpDynVpnAction can be permitted.

At times, there might be multiple IPSec security associations that correspond to the same dynamic tunnel. By default, only information about the most current IPSec security association for a dynamic tunnel is displayed. Use the -c option to display information about all IPSec security associations that correspond to a dynamic tunnel.

The stack only knows about IPSec security associations that have been successfully negotiated. The IKE daemon knows about IPSec security associations that have been successfully negotiated as well as those currently being negotiated. At times, it is helpful to see information about IPSec security associations that are in the process of being negotiated. The -b option obtains information about IPSec security associations from the IKE daemon rather than the stack.

When a stack is a target for a distributed DVIPA, it might contain IPSec security associations for a dynamic tunnel that was negotiated on behalf of the distributing stack. Such security associations are known as shadow security associations. The -s option obtains information about shadowed security associations.