View IPsec Security Association
This page describes how to display an IPsec Security Association (IPsec SA). For information about interpreting the output, refer to the IPsec Security Associations page.
TL;DR
An IPsec-SA is sometimes referred to as a “phase 2” SA.
View in Web UI
The web UI provides a friendly method to filter and observe the state of IPsec SAs.
Network ›› IPsec : IPsec Diagnostics
In the Diagnostics tab, search based on the criteria of the tunnel being investigated.

From there, select the traffic selector. A panel renders underneath with two tabs: “Traffic Selector Statistics” and “Security Association Details”.
View with TMSH
The “Traffic Selector Statistics” seen in the web UI are much the same as the related tmsh command:
tmsh show net ipsec ipsec-sa all-properties
Example:
[root@bigip-1-1:Active:Standalone] config # tmsh show net ipsec ipsec-sa all-properties
IPsec::SecurityAssociations
172.16.1.1 -> 172.16.2.1
----------------------------------------------------------------------------------------------------
tmm: 6
Direction: out; SPI: 0xbec2922(200026402); Policy ID: 0xe991(59793)
Protocol: esp; Mode: tunnel; State: mature
Authenticated Encryption : aes-gcm128
Current Usage: 3634816 bytes
Hard lifetime: 24158 seconds; unlimited bytes
Soft lifetime: 7646 seconds; unlimited bytes
Replay window size: 32
Last use: 06/13/2024:04:40 Create: 06/12/2024:11:23
172.16.2.1 -> 172.16.1.1
---------------------------------------------------------------------------------------------------
tmm: 6
Direction: in; SPI: 0x7376bf9(121072633); Policy ID: 0xe990(59792)
Protocol: esp; Mode: tunnel; State: mature
Authenticated Encryption : aes-gcm128
Current Usage: 2390188 bytes
Hard lifetime: 24158 seconds; unlimited bytes
Soft lifetime: 8612 seconds; unlimited bytes
Replay window size: 32
Last use: 06/13/2024:04:40 Create: 06/12/2024:11:23
Total records returned: 2
When multiple tunnels are established, the output can become cluttered, so it is useful to filter for a specific tunnel.
# tmsh
(tmos)# show net ipsec ipsec-sa ?
...
Properties:
"{" Optional delimiter
dst-addr Specifies the destination address of the security associations
route-domain Specifies route domain used for traffic. The default value is the default route domain.
spi Specifies the SPI of the security associations
src-addr Specifies the source address of the security associations
traffic-selector Specifies the name of the traffic selector
For information about interpreting the output, refer to the IPsec Security Associations page.
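Added example, not part of the original page or F5's tooling: a small Python parser for the all-properties output shown in the example above, which lists each SA and reports peer pairs that lack a mature SA in both directions. The sample input is the page's example output trimmed to a few fields; the function names are hypothetical, and the field layout is assumed to match that example.

```python
import re

# Sample input: the example output from this page, trimmed to a few fields.
SAMPLE = """\
IPsec::SecurityAssociations
172.16.1.1 -> 172.16.2.1
--------------------------------------------------
tmm: 6
Direction: out; SPI: 0xbec2922(200026402); Policy ID: 0xe991(59793)
Protocol: esp; Mode: tunnel; State: mature
Authenticated Encryption : aes-gcm128
Hard lifetime: 24158 seconds; unlimited bytes
172.16.2.1 -> 172.16.1.1
--------------------------------------------------
tmm: 6
Direction: in; SPI: 0x7376bf9(121072633); Policy ID: 0xe990(59792)
Protocol: esp; Mode: tunnel; State: mature
Authenticated Encryption : aes-gcm128
Hard lifetime: 24158 seconds; unlimited bytes
Total records returned: 2
"""

HEADER = re.compile(r"^(\S+) -> (\S+)$")  # "src -> dst" line that opens each SA

def parse_sas(text):
    """Return one dict per SA; keys are the lower-cased field labels."""
    sas = []
    for line in (raw.strip() for raw in text.splitlines()):
        header = HEADER.match(line)
        if header:
            sas.append({"src": header.group(1), "dst": header.group(2)})
        elif sas and not line.startswith("Total records"):
            for part in line.split(";"):  # several "Label: value" pairs per line
                label, sep, value = part.partition(":")
                if sep:
                    sas[-1][label.strip().lower()] = value.strip()
    return sas

def one_way_peers(sas):
    """Peer pairs without a mature SA in both directions (each SA is one-way)."""
    mature = {}
    for sa in sas:
        directions = mature.setdefault(tuple(sorted((sa["src"], sa["dst"]))), set())
        if sa.get("state") == "mature":
            directions.add(sa.get("direction"))
    return sorted(peers for peers, d in mature.items() if d != {"in", "out"})

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa["src"], "->", sa["dst"], sa["direction"], sa["spi"], sa["state"])
    print("one-way peers:", one_way_peers(parse_sas(SAMPLE)))
```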
Delete IPsec SAs
All IPsec SAs can be deleted with tmsh del net ipsec ipsec-sa.
Specific IPsec SAs can be deleted via the command options.
# tmsh del net ipsec ipsec-sa ?
dst-addr Specifies the destination address of the security associations
route-domain Specifies route domain used for traffic. The default value is the default route domain.
spi Specifies the SPI of the security associations
src-addr Specifies the source address of the security associations
traffic-selector Specifies the name of the traffic selector