Last updated on: June 16 2024.

View ISAKMP Security Association

This page explains how to view the ISAKMP SA.

An ISAKMP-SA is sometimes referred to as a “phase 1” SA.

For information about understanding output from the show commands and ISAKMP SAs, refer to the ISAKMP Security Association page.

TL;DR

An ISAKMP SA can only be viewed via racoonctl for IKEv1 or via tmsh for IKEv2.

View IKEv1 ISAKMP SA

IKEv1 tunnel negotiation is handed off to the racoon daemon, so the command for viewing an IKEv1 ISAKMP-SA differs from the IKEv2 one. The command is run in bash, not tmsh:

racoonctl -ll show-sa isakmp

Example:

# racoonctl -ll show-sa isakmp
Source           Destination         Cookies                           ST S  V E Created             Phase2
127.0.0.1.500    10.2.2.2.500        9f7a366492b4f22e:b90b9aa17880beb8  9 R 10 M 2024-11-09 08:58:30      1
10.1.1.1.500     10.3.3.3.500        ef282855139dba4e:b606fea3430c5928  9 I 10 M 2024-11-09 08:50:30      1

No further details about the parameters of an IKEv1 ISAKMP-SA can be obtained from any command.

View IKEv2 ISAKMP-SA

tmsh commands display the state of IKEv2 ISAKMP SAs because IKEv2 ISAKMP negotiation is handled entirely inside TMM. The racoonctl command cannot display IKEv2 ISAKMP-SAs.

The command to view IKEv2 ISAKMP-SAs is:

tmsh show net ipsec ike-sa all-properties

When multiple tunnels are configured, use the filter options to select the tunnel of interest:

(tmos)# show net ipsec ike-sa ?

  peer-ip           Specifies the peer ip address of the security associations
  peer-name         Specifies the peer name of the security associations
  route-domain      Specifies route domain used for traffic. The default value is the default route domain.
  traffic-selector  Specifies the name of the traffic selector

Example:

# tmsh show net ipsec ike-sa all-properties
-------------------------
IKE::SecurityAssociations
-------------------------
(tmm: 3)
  10.2.2.2/500 -> 10.1.1.1/500
  Version: v2                                         State: ESTABLISHED
  IKE Peer: /Common/ike-10202
  Spi(local): 0xdf5601249fd324ec         Spi(Remote): 0x74c405a807c5226b
  Encryption: aes256                      Authentication: pre-shared-key
  Hash Algorithm: sha256                                 Initiator: TRUE
  Life/Active Time: 28800/14691 seconds                      NAT-T: none
  Traffic Selectors 2                                      Reqid(in/out)
     /Common/selector-10202                                  17131/17132
     /Common/second-selector                                 17129/17130
  Child SA Count: 1

Total records returned: 1
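As an added illustration (not part of this page, and not a BIG-IP tool), the following Python parses the record format shown above into dictionaries so a script can check each IKE SA's state, cipher suite, remaining lifetime and traffic selectors. The sample text is constructed from the example above; it assumes that, when several records are returned, each is preceded by its own "(tmm: N)" line.

```python
import re

# Constructed sample of "tmsh show net ipsec ike-sa all-properties" output,
# modelled on the record format shown above (not captured from a live system).
SAMPLE = """\
(tmm: 3)
  10.2.2.2/500 -> 10.1.1.1/500
  Version: v2                                         State: ESTABLISHED
  IKE Peer: /Common/ike-10202
  Spi(local): 0xdf5601249fd324ec         Spi(Remote): 0x74c405a807c5226b
  Encryption: aes256                      Authentication: pre-shared-key
  Hash Algorithm: sha256                                 Initiator: TRUE
  Life/Active Time: 28800/14691 seconds                      NAT-T: none
  Traffic Selectors 2                                      Reqid(in/out)
     /Common/selector-10202                                  17131/17132
     /Common/second-selector                                 17129/17130
  Child SA Count: 1

Total records returned: 1
"""
# A record starts with "local/port -> remote/port"; property lines carry one or
# two column-aligned "Key: value" pairs; selector rows are indented deeper.
ENDPOINT_RE = re.compile(r"^\s*(\S+)/(\d+) -> (\S+)/(\d+)\s*$")
PAIR_RE = re.compile(r"([A-Za-z][\w /()-]*?): (\S+(?: seconds)?)")

def parse_ike_sas(text):
    """Return one dict per IKE SA: tmm, local, remote, selectors plus every Key: value."""
    sas, cur, tmm = [], None, None
    for line in text.splitlines():
        if m := re.match(r"\(tmm: (\d+)\)", line):
            tmm, cur = int(m.group(1)), None        # assumed: next record belongs to this TMM
        elif m := ENDPOINT_RE.match(line):
            cur = {"tmm": tmm, "local": m.group(1), "remote": m.group(3), "selectors": []}
            sas.append(cur)
        elif cur is None or line.startswith("Total"):
            continue                                # header/footer text, not record data
        elif line.startswith("     /"):             # traffic-selector row: name  reqid(in/out)
            name, reqid = line.split()
            cur["selectors"].append((name, reqid))
        else:
            cur.update(PAIR_RE.findall(line))       # zero, one or two Key: value pairs
    return sas

def summarize(sa):
    """Flatten a record into the fields checked first; 'remaining' is lifetime left in seconds."""
    life, active = map(int, sa["Life/Active Time"].split()[0].split("/"))
    return {"peer": sa["IKE Peer"], "version": sa["Version"], "state": sa["State"],
            "suite": f'{sa["Encryption"]}/{sa["Hash Algorithm"]}/{sa["Authentication"]}',
            "remaining": life - active, "child_sas": int(sa["Child SA Count"]),
            "selectors": [name for name, _ in sa["selectors"]]}
```

On a BIG-IP the same parser can be fed the live output of the command via the bash shell, e.g. by piping `tmsh show net ipsec ike-sa all-properties` into a script that calls parse_ike_sas on stdin.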

Delete ISAKMP SAs

All ISAKMP SAs can be deleted with tmsh del net ipsec ike-sa.

Specific ISAKMP SAs can be deleted by adding the command options:

# tmsh del net ipsec ike-sa ?
Properties:
  "{"               Optional delimiter
  peer-ip           Specifies the peer ip address of the security associations
  peer-name         Specifies the peer name of the security associations
  route-domain      Specifies route domain used for traffic. The default value is the default route domain.
  traffic-selector  Specifies the name of the traffic selector
