Last updated on: June 16 2024.

View IPsec Security Association

This page describes how to display an IPsec Security Association (IPsec SA). For information about interpreting the output, refer to the IPsec Security Associations page.

TL;DR

An IPsec SA is sometimes referred to as a “phase 2” SA (IKEv1 terminology; IKEv2 calls it a Child SA). IPsec SAs are unidirectional, so a working tunnel always shows a pair: one SA with Direction: out and one with Direction: in, each with its own SPI.

View in Web UI

The web UI provides a friendly method to filter and observe the state of IPsec SAs.

Network ›› IPsec : IPsec Diagnostics

In the Diagnostics tab, search using the criteria of the tunnel under investigation.

From there, select the traffic selector; a panel renders underneath with two tabs, “Traffic Selector Statistics” and “Security Association Details”.

View with TMSH

The information shown in that web UI panel is much the same as what the related tmsh command reports:

tmsh show net ipsec ipsec-sa all-properties

Example:

[root@bigip-1-1:Active:Standalone] config # tmsh show net ipsec ipsec-sa all-properties
IPsec::SecurityAssociations
172.16.1.1 -> 172.16.2.1                                       
----------------------------------------------------------------------------------------------------
  tmm: 6                                                       
  Direction: out;  SPI: 0xbec2922(200026402);  Policy ID: 0xe991(59793)
  Protocol: esp;  Mode: tunnel;  State: mature                 
  Authenticated Encryption : aes-gcm128                        
  Current Usage: 3634816 bytes                                 
  Hard lifetime: 24158 seconds; unlimited bytes                
  Soft lifetime: 7646 seconds; unlimited bytes                 
  Replay window size: 32                                       
  Last use: 06/13/2024:04:40                                               Create:  06/12/2024:11:23

172.16.2.1 -> 172.16.1.1                                      
---------------------------------------------------------------------------------------------------
  tmm: 6                                                      
  Direction: in;  SPI: 0x7376bf9(121072633);  Policy ID: 0xe990(59792)
  Protocol: esp;  Mode: tunnel;  State: mature                
  Authenticated Encryption : aes-gcm128                       
  Current Usage: 2390188 bytes                                
  Hard lifetime: 24158 seconds; unlimited bytes               
  Soft lifetime: 8612 seconds; unlimited bytes                
  Replay window size: 32                                      
  Last use: 06/13/2024:04:40                                              Create:  06/12/2024:11:23

Total records returned: 2

When multiple tunnels are established the output becomes cluttered, so filter for a specific tunnel using one of the properties listed in the tmsh help output (for example the traffic selector name, or a src-addr/dst-addr pair; remember that a single src/dst pair matches only one direction of the tunnel):

# tmsh   

(tmos)# show net ipsec ipsec-sa ?
...
Properties:
  "{"               Optional delimiter
  dst-addr          Specifies the destination address of the security associations
  route-domain      Specifies route domain used for traffic. The default value is the default route domain.
  spi               Specifies the SPI of the security associations
  src-addr          Specifies the source address of the security associations
  traffic-selector  Specifies the name of the traffic selector

For information about interpreting the output, refer to the IPsec Security Associations page.
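To turn the tmsh output into a quick health check, here is an added shell example written for this page (not F5 code) that parses the all-properties output shown above and reports whether a given tunnel has a mature SA in both directions and which SAs are close to their soft lifetime. It embeds the two records above as constructed sample input; the record layout is assumed to match this page, so verify the parser against your own version's output before relying on it. The same check verifies that both directions come back after an SA has been deleted.

```shell
#!/bin/sh
# Added example (not F5 code): parse `tmsh show net ipsec ipsec-sa all-properties`
# output and answer two questions a practitioner usually has:
#   1. does tunnel LOCAL<->PEER have a mature SA in BOTH directions?
#   2. which SAs are close to their soft lifetime (i.e. about to rekey)?
# Assumption: the record layout matches the sample on this page; other
# BIG-IP versions may print fields differently, so check the parser first.

# Constructed sample input: the two SA records shown on this page.
SAMPLE='IPsec::SecurityAssociations
172.16.1.1 -> 172.16.2.1
----------------------------------------------------------------
  tmm: 6
  Direction: out;  SPI: 0xbec2922(200026402);  Policy ID: 0xe991(59793)
  Protocol: esp;  Mode: tunnel;  State: mature
  Authenticated Encryption : aes-gcm128
  Current Usage: 3634816 bytes
  Hard lifetime: 24158 seconds; unlimited bytes
  Soft lifetime: 7646 seconds; unlimited bytes
  Replay window size: 32
  Last use: 06/13/2024:04:40                 Create:  06/12/2024:11:23

172.16.2.1 -> 172.16.1.1
----------------------------------------------------------------
  tmm: 6
  Direction: in;  SPI: 0x7376bf9(121072633);  Policy ID: 0xe990(59792)
  Protocol: esp;  Mode: tunnel;  State: mature
  Authenticated Encryption : aes-gcm128
  Current Usage: 2390188 bytes
  Hard lifetime: 24158 seconds; unlimited bytes
  Soft lifetime: 8612 seconds; unlimited bytes
  Replay window size: 32
  Last use: 06/13/2024:04:40                 Create:  06/12/2024:11:23

Total records returned: 2'

# summarize_sas: read tmsh output on stdin, print one line per SA:
#   SRC DST DIRECTION SPI STATE USAGE_BYTES HARD_SECS SOFT_SECS REPLAY_WINDOW
summarize_sas() {
  awk '
    $2 == "->"          { src = $1; dst = $3; next }   # record header
    $1 == "Direction:"  { dir = $2; sub(/;$/, "", dir)
                          spi = $4; sub(/\(.*/, "", spi); next }
    $1 == "Protocol:"   { state = $6; next }           # "State: mature"
    $1 == "Current"     { usage = $3; next }
    $1 == "Hard"        { hard = $3; next }
    $1 == "Soft"        { soft = $3; next }
    $1 == "Replay"      { print src, dst, dir, spi, state, usage, hard, soft, $4 }
  '
}

# check_tunnel LOCAL PEER: succeed (exit 0) only when an outbound SA
# LOCAL->PEER and an inbound SA PEER->LOCAL both exist in state "mature".
# A one-sided result means the tunnel is half-open and traffic will fail.
check_tunnel() {
  me=$1; peer=$2
  verdict=$(summarize_sas | awk -v l="$me" -v p="$peer" '
    $1 == l && $2 == p && $3 == "out" && $5 == "mature" { o = 1 }
    $1 == p && $2 == l && $3 == "in"  && $5 == "mature" { i = 1 }
    END { print (o && i) ? "ok" : "missing" }')
  [ "$verdict" = "ok" ]
}

# sas_near_rekey SECONDS: list SAs whose remaining soft lifetime is at or
# below SECONDS; these are the ones IKE should rekey next.
sas_near_rekey() {
  summarize_sas | awk -v t="$1" '$8 + 0 <= t + 0 {
    print $1 " -> " $2 " (" $3 ", SPI " $4 ") soft lifetime " $8 "s" }'
}

# Demo on the constructed sample. On a BIG-IP replace the printf with
#   tmsh show net ipsec ipsec-sa all-properties | ...
printf '%s\n' "$SAMPLE" | summarize_sas
if printf '%s\n' "$SAMPLE" | check_tunnel 172.16.1.1 172.16.2.1; then
  echo "tunnel 172.16.1.1 <-> 172.16.2.1: mature SA in both directions"
else
  echo "tunnel 172.16.1.1 <-> 172.16.2.1: missing or immature SA"
fi
printf '%s\n' "$SAMPLE" | sas_near_rekey 8000
```

On a BIG-IP, pipe the live command into the functions (for example tmsh show net ipsec ipsec-sa all-properties | check_tunnel 172.16.1.1 172.16.2.1), or narrow the input first with the traffic-selector option. A tunnel that shows only one direction, or an SA stuck in a state other than mature, is the usual sign of a negotiation that only half completed.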

Delete IPsec SAs

With no options, tmsh delete net ipsec ipsec-sa (tmsh also accepts the abbreviation del) deletes every IPsec SA on the system. Traffic on the affected tunnels is dropped until IKE negotiates replacement IPsec SAs, so on a production device scope the deletion to the tunnel you are working on.

Specific IPsec SAs can be deleted via the command options. Because IPsec SAs are unidirectional, deleting by spi, or by a single src-addr/dst-addr pair, removes only one direction of the tunnel; delete the counterpart as well (or delete by traffic-selector) so the peer is not left sending on an SA you no longer hold.

# tmsh del net ipsec ipsec-sa ?

  dst-addr          Specifies the destination address of the security associations
  route-domain      Specifies route domain used for traffic. The default value is the default route domain.
  spi               Specifies the SPI of the security associations
  src-addr          Specifies the source address of the security associations
  traffic-selector  Specifies the name of the traffic selector
