Displaying the quick start Security Associations
Use the ipsec command to display both the phase 1 and phase 2 Security Associations between 9.1.1.1 and 9.1.1.2. The following command displays the phase 1 Security Associations:
ipsec -k display -r detail
CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 10:38:12 2010
Primary: IKE tunnel Function: Display Format: Detail
Source: IKED Scope: Current TotAvail: n/a
TunnelID: K1
Generation: 1
IKEVersion: 1.0
KeyExchangeRuleName: QuickStart_KeyExRule
KeyExchangeActionName: QuickStart_KeyExAction
LocalEndPoint: 9.1.1.1
LocalIDType: ID_IPV4_ADDR
LocalID: 9.1.1.1
RemoteEndPoint: 9.1.1.2
RemoteIDType: ID_IPV4_ADDR
RemoteID: 9.1.1.2
ExchangeMode: Main
State: DONE
AuthenticationAlgorithm: HMAC-MD5
EncryptionAlgorithm: DES-CBC
KeyLength: n/a
PseudoRandomFunction: HMAC-MD5
DiffieHellmanGroup: 1
LocalAuthenticationMethod: PresharedKey
RemoteAuthenticationMethod: PresharedKey
InitiatorCookie: 0x7456F943AA0154BB
ResponderCookie: 0xA344ED85C5D00154
Lifesize: 0K
CurrentByteCount: 288b
Lifetime: 480m
LifetimeRefresh: 2010/02/16 18:26:45
LifetimeExpires: 2010/02/16 18:37:43
ReauthInterval: 480m
ReauthTime: 2010/02/16 18:26:45
Role: Initiator
AssociatedDynamicTunnels: 1
NATTSupportLevel: None
NATInFrntLclScEndPnt: No
NATInFrntRmtScEndPnt: No
zOSCanInitiateP1SA: Yes
AllowNat: No
RmtNAPTDetected: No
RmtUdpEncapPort: n/a
***********************************************************************
1 entries selected
The following command displays the phase 2 Security Associations. In addition to the information that relates specifically to the phase 2 Security Association, the ipsec -y display output identifies the phase 1 Security Association that protects it. The ParentIKETunnelID field shows the associated phase 1 tunnel, which is the same as the TunnelID from the previous ipsec -k display command.
ipsec -y display -r detail
CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 10:39:25 2010
Primary: Dynamic tunnel Function: Display Format: Detail
Source: Stack Scope: Current TotAvail: 1
TunnelID: Y2
Generation: 1
IKEVersion: 1.0
ParentIKETunnelID: K1
VpnActionName: TransportMode
LocalDynVpnRule: n/a
State: Active
HowToEncap: Transport
LocalEndPoint: 9.1.1.1
RemoteEndPoint: 9.1.1.2
LocalAddressBase: 9.1.1.1
LocalAddressPrefix: n/a
LocalAddressRange: n/a
RemoteAddressBase: 9.1.1.2
RemoteAddressPrefix: n/a
RemoteAddressRange: n/a
HowToAuth: ESP
AuthAlgorithm: HMAC-MD5
AuthInboundSpi: 1878088104 (0x6FF159A8)
AuthOutboundSpi: 270783814 (0x1023D546)
HowToEncrypt: DES-CBC
KeyLength: n/a
EncryptInboundSpi: 1878088104 (0x6FF159A8)
EncryptOutboundSpi: 270783814 (0x1023D546)
Protocol: ALL(0)
LocalPort: n/a
LocalPortRange: n/a
RemotePort: n/a
RemotePortRange: n/a
Type: n/a
TypeRange: n/a
Code: n/a
CodeRange: n/a
OutboundPackets: 1
OutboundBytes: 264
InboundPackets: 1
InboundBytes: 264
Lifesize: 0K
LifesizeRefresh: 0K
CurrentByteCount: 0b
LifetimeRefresh: 2010/02/16 14:26:22
LifetimeExpires: 2010/02/16 14:37:43
CurrentTime: 2010/02/16 10:39:25
VPNLifeExpires: 2010/02/17 10:37:43
NAT Traversal Topology:
UdpEncapMode: No
LclNATDetected: No
RmtNATDetected: No
RmtNAPTDetected: No
RmtIsGw: n/a
RmtIsZOS: n/a
zOSCanInitP2SA: n/a
RmtUdpEncapPort: n/a
SrcNATOARcvd: n/a
DstNATOARcvd: n/a
PassthroughDF: n/a
PassthroughDSCP: n/a
***********************************************************************
1 entries selected
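The ParentIKETunnelID correlation described above can be scripted over saved -r detail output. The following Python code is an added example, not part of the original documentation or of the ipsec command: it links each phase 2 tunnel to its phase 1 parent and flags the DES-CBC, HMAC-MD5 and Diffie-Hellman group 1 values that appear in these displays. The function names, the LEGACY policy list, and the entry Y3 with parent K9 are assumptions made for illustration.

```python
import re

# Constructed input, abbreviated from the displays above; Y3 and K9 are invented.
PHASE1 = """\
Primary: IKE tunnel Function: Display Format: Detail
TunnelID: K1
AuthenticationAlgorithm: HMAC-MD5
EncryptionAlgorithm: DES-CBC
DiffieHellmanGroup: 1
***********************************************************************
"""
PHASE2 = """\
TunnelID: Y2
ParentIKETunnelID: K1
AuthAlgorithm: HMAC-MD5
HowToEncrypt: DES-CBC
***********************************************************************
TunnelID: Y3
ParentIKETunnelID: K9
***********************************************************************
2 entries selected
"""
# Assumption: local policy list of legacy values, not something ipsec reports.
LEGACY = {"DES-CBC", "HMAC-MD5"}

def parse_detail(text):
    """Return one dict per tunnel entry in '-r detail' output."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(\w+):\s*(\S.*)$", line)
        if line.startswith("***"):            # asterisk row closes an entry
            cur = None
        elif m and m.group(1) == "TunnelID":  # TunnelID opens an entry
            cur = {"TunnelID": m.group(2).strip()}
            entries.append(cur)
        elif m and cur is not None:           # header/footer lines are skipped
            cur[m.group(1)] = m.group(2).strip()
    return entries

def legacy_fields(entry):
    """List (field, value) pairs that match LEGACY or Diffie-Hellman group 1."""
    return [(k, v) for k, v in entry.items()
            if v in LEGACY or (k, v) == ("DiffieHellmanGroup", "1")]

def correlate(phase1_text, phase2_text):
    """Map phase 2 TunnelID -> (parent phase 1 entry or None, legacy fields)."""
    p1 = {e["TunnelID"]: e for e in parse_detail(phase1_text)}
    return {e["TunnelID"]: (p1.get(e.get("ParentIKETunnelID")), legacy_fields(e))
            for e in parse_detail(phase2_text)}
```

A parent of None means the ParentIKETunnelID value was not found in the phase 1 display that was supplied.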