Syntax SHow IPSec POLIcy[=name]
Description This command displays configuration details for IPsec policies.
When name is specified, the configuration details for the specified policy are displayed (Figure 49-17 on page 49-137, Table 49-13 on page 49-138). The policy must already exist. Name is a string 1 to 23 characters long; any printable character is valid. If name contains spaces, it must be enclosed in double quotes.
When name is not specified, summary details about all policies are displayed (Figure 49-16, Table 49-12).
Figure 49-16: Example output from the show ipsec policy command
Interface  Name            Action  KeyManagement  Position
----------------------------------------------------------
PPP0       MY_PPP_POLICY1  IPSEC   ISAKMP         1
PPP0       MY_PPP_POLICY2  IPSEC   ISAKMP         2
PPP0       MY_PPP_POLICY3  DENY    -              3
Table 49-12: Parameters in output of the show ipsec policy command
Parameter Meaning
Interface An interface name and logical index.
Name A character string to identify the policy.
Action Whether the required action is IPSEC, permit, or deny.
KeyManagement Whether the key management method is MANUAL or ISAKMP.
Position A number specifying the position of the policy.
IP Security (IPsec) show ipsec policy 49-137
Figure 49-17: Example output from the show ipsec policy command for a specific policy.
IPsec Policy Information
  Isakmp Policy Name ........... my_isakmp_policy
  Bundle Specification ......... 2
  Peer IP Address Dynamic ...... FALSE
  Peer IP Address Any .......... FALSE
  Local IP Address Dynamic ..... FALSE
  Peer IP Address .............. 192.168.10.1
  Local IP Address ............. 232.163.2.3
  Use PFS Key .................. TRUE
  Respond Bad SPI .............. TRUE
  Group ........................ 1
  Filter:
    Local Address .............. 192.167.2.0
    Local Mask ................. 255.255.255.255
    Local Port ................. ANY
    Local Name ................. main_office
    Remote Address ............. 232.163.2.20
    Remote Mask ................ 255.255.255.255
    Remote Port ................ ANY
    Remote Name ................ ANY
    Transport Protocol ......... ANY
    SA Selector from Packet .... 00000000
    DF Bit ..................... COPY
  UDP Tunnel ................... TRUE
  Peer Port .................... 14997
  Peer IP Address .............. 202.36.163.204
  Internal IP Address .......... 192.168.1.1
  HeartBeats Enabled ........... FALSE
  Debug device ................. 16
  Filter debug flags ........... 00000000
  Packet debug flags ........... 00000000
  Trace debug flags ............ 00000000
  Packet debug length .......... 72
  Max Out Packet queue length .. 20
  Number of Out Packets queued . 0
  Bundles
49-138 show ipsec policy AlliedWare OS Software Reference
Table 49-13: Parameters in output of the show ipsec policy command for a specific policy
Parameter Meaning
Name The manager-assigned name of the policy.
Interface The logical interface to which the policy is attached.
Position The position of this policy in the list of policies attached to the interface.
Action Whether the action for this policy is IPsec, permit, or deny.
Key Manage Whether the key management method for this policy is MANUAL or ISAKMP.
Isakmp Policy Name The name of the ISAKMP policy to be used in phase 1 negotiations.
Bundle Specification The identification number of the SA bundle specification to be used by this policy.
Peer IP Address Dynamic Whether the peer IP address is dynamically assigned.
Peer IP Address Any Whether the policy can be used to negotiate IPsec SAs for any peer.
Local IP Address Dynamic Whether the policy is attached to a dynamic IP interface.
Peer IP Address The IP address of the remote end of the IPsec tunnel.
IP Route Template The name of the IP route template this policy uses.
Local IP Address The IP address of the local end of the IPsec tunnel.
Use PFS Key Whether Perfect Forward Secrecy (PFS) is used; when TRUE, a fresh Diffie-Hellman exchange is performed when the IPsec SA keys are negotiated, so they are not derived from the phase 1 keying material alone.
Respond Bad SPI Whether the switch sends a notification message to the peer when it receives an IPsec packet with an unknown SPI value.
Group The Diffie-Hellman group to be used.
Filter Information about the packet matching filter, or selectors, for this policy.
Local Address The local address packet selector field for the policy. For IPv6 addresses, slash notation may be used to indicate the prefix length.
Local Mask The local mask packet selector field for the policy, for IPv4.
Local Port The local port packet selector field for the policy.
Local Name The local name packet selector field for the policy.
Remote Address The remote IP address packet selector field for the policy. For IPv6 addresses, slash notation may be used to indicate the prefix length.
Remote Mask The remote mask packet selector field for the policy, for IPv4.
Remote Port The remote port packet selector field for the policy.
Remote Name The remote name packet selector field for the policy.
Transport Protocol The transport protocol packet selector field for the policy.
SA Selector From Pkt A flag specifying which packet selector fields from the packet are used to find a matching SA.
DF Bit The value to be set for the Don't Fragment bit in the outer IP header; either COPY, SET, or CLEAR.
Table 49-13: Parameters in output of the show ipsec policy command for a specific policy (cont)
Parameter Meaning
UDP Tunnel The status of UDP tunnelling for this policy; either TRUE (enabled) or FALSE (disabled).
Peer Port The UDP port to which UDP tunnelled traffic is sent.
Peer IP Address The IP address to which UDP tunnelled traffic is sent.
Internal IP Address The IP address to be used as the destination of the IPsec tunnelled packets.
HeartBeats Enabled Whether UDP heartbeat mode is enabled or disabled.
Debug device The device (port number) to which debugging output is sent.
Filter debug flags A flag indicating the policy selectors and pass/fail results for which filter debugging is enabled.
Packet debug flags A flag indicating the processing units and directions for which packet debugging is enabled, and the portions of packets to be displayed.
Trace debug flags A flag indicating whether trace debugging is enabled.
Packet debug length The length of the packet displayed for debugging.
Max Out Packet queue length The maximum number of packets that can be queued before processing.
Number of Out Packets queued The number of packets currently queued for processing.
Bundles Information about the SA bundles attached to this policy.
Index The identification number of an SA bundle attached to this policy.
SAs The SA identification numbers of the SAs in the SA bundle.
State The state of the SA bundle; either VALID, INVALID, CREATING, or REMOVING.
Expiry Limits - hard/soft/used Information about the limits used to expire SAs created from this bundle. When a soft limit is exceeded, the SAs are renegotiated. When a hard limit is exceeded, the SAs are removed from the Security Policy Database (SPD).
ExpiryBytes The expiry information in bytes for each SA bundle. The first figure is the hard expiry limit, the second figure is the soft expiry limit and the third figure is the number of bytes already used.
ExpirySeconds The expiry information in seconds for each SA bundle. The first figure is the hard expiry limit, the second figure is the soft expiry limit and the third figure is the number of seconds already elapsed.
Examples To display a policy with the name "my_vpn", use the command:
show ipsec policy="my_vpn"
Related Commands create ipsec policy
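The per-policy output in Figure 49-17 and the hard/soft/used expiry semantics in Table 49-13 are easy to misread by eye when checking many tunnels. The following Python is an added example, not code from the AlliedWare OS reference or from the product itself: it parses a constructed `show ipsec policy=my_vpn` transcript in the dot-leader layout of Figure 49-17 into a dictionary (keeping both "Peer IP Address" fields, which Table 49-13 lists twice), classifies each bundle's expiry triple as the table describes (over the soft limit the SAs are renegotiated, over the hard limit they are removed from the SPD), and flags settings worth a second look: PFS off, a small Diffie-Hellman group, a policy that accepts any peer. The sample values, the exact formatting of the Bundles block and the "/" separator between the three expiry figures are assumptions, not taken from the reference.

```python
"""Parse and audit AlliedWare OS `show ipsec policy=<name>` output.
Added example, not code from the AlliedWare OS reference or product; the
transcript below is constructed, and its Bundles block layout and the "/"
between the hard/soft/used expiry figures are assumptions, not from the page."""
import re

SAMPLE_OUTPUT = """\
IPsec Policy Information
  Name ....................... my_vpn
  Key Manage ................. ISAKMP
  Isakmp Policy Name ......... my_isakmp_policy
  Peer IP Address Any ........ FALSE
  Peer IP Address ............ 192.168.10.1
  Use PFS Key ................ FALSE
  Respond Bad SPI ............ TRUE
  Group ...................... 1
  Filter:
    Remote Address ........... 10.0.0.0
    Remote Mask .............. 255.255.255.0
  UDP Tunnel ................. TRUE
  Peer Port .................. 14997
  Peer IP Address ............ 203.0.113.204
  Bundles
    Index .................... 1
    SAs ...................... 3,4
    State .................... VALID
    ExpiryBytes .............. 1000000/900000/950000
    ExpirySeconds ............ 28800/27000/12000
"""

# One "Key ..... value" line; keys are words separated by single spaces.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?[A-Za-z])\s*\.{2,}\s*(?P<val>\S.*?)\s*$")
# IKE Diffie-Hellman groups 1 and 2 are MODP-768 and MODP-1024 (RFC 2409).
WEAK_DH_GROUPS = {"1": "768-bit", "2": "1024-bit"}


def parse_policy(text):
    """Return {field: value, "Filter": {selector: value}, "Bundles": [{...}]}.
    Table 49-13 lists "Peer IP Address" twice (IPsec peer, then the UDP tunnel
    destination), so a repeated top-level key gets a " #2", " #3", ... suffix."""
    policy = {"Filter": {}, "Bundles": []}
    section, filter_indent = None, 0
    for line in text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "Filter:":
            section, filter_indent = "Filter", indent
            continue
        if stripped == "Bundles":
            section = "Bundles"
            continue
        if section == "Filter" and indent <= filter_indent:
            section = None                      # dedent ends the selectors
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if section == "Filter":
            policy["Filter"][key] = val
        elif section == "Bundles":
            if key == "Index":                  # each Index starts a bundle
                policy["Bundles"].append({})
            if policy["Bundles"]:
                policy["Bundles"][-1][key] = val
        else:
            base, n = key, 2
            while key in policy:
                key, n = f"{base} #{n}", n + 1
            policy[key] = val
    return policy


def expiry_state(triple):
    """hard/soft/used -> state, as Table 49-13 describes: past the soft limit
    the SAs are renegotiated, past the hard limit they leave the SPD."""
    hard, soft, used = (int(x) for x in triple.split("/"))
    if used > hard:
        return "hard-exceeded"
    if used > soft:
        return "soft-exceeded"
    return "within-limits"


def audit(policy):
    findings = []
    if policy.get("Key Manage") == "ISAKMP" and policy.get("Use PFS Key") == "FALSE":
        findings.append("PFS disabled: IPsec SA keys are not protected by a fresh Diffie-Hellman exchange")
    group = policy.get("Group")
    if group in WEAK_DH_GROUPS:
        findings.append(f"DH group {group} is the {WEAK_DH_GROUPS[group]} MODP group, too small for current use")
    if policy.get("Peer IP Address Any") == "TRUE":
        findings.append("policy negotiates SAs with any peer; review the ISAKMP policy's authentication")
    for bundle in policy["Bundles"]:
        for field in ("ExpiryBytes", "ExpirySeconds"):
            state = expiry_state(bundle[field]) if field in bundle else "within-limits"
            if state != "within-limits":
                findings.append(f"bundle {bundle.get('Index', '?')}: {field} {bundle[field]} {state}")
    return findings
```

Run `audit(parse_policy(SAMPLE_OUTPUT))` to get the findings list; on the constructed sample it reports PFS disabled, DH group 1, and the byte counter of bundle 1 already past its soft limit (renegotiation due). The parser ignores lines without a dot leader, so the "IPsec Policy Information" banner and any trailing command prompt do not disturb it; indentation is what separates the Filter selectors from the top-level fields, so a transcript pasted with tabs converted to spaces still parses.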