-
System Security Command Reference Guide for Cisco NCS 6000 Routers
-
Preface
-
Authentication, Authorization, and Accounting Commands
-
IPSec Commands
-
Keychain Management Commands
-
Lawful Intercept\n\t Commands
-
Management Plane Protection Commands
-
Public Key Infrastructure Commands
-
Software Authentication Manager Commands
-
Secure Shell Commands
-
Secure Socket Layer Protocol Commands
-
Index
-
Feedback
Contents
IPSec Commands
- clear crypto ipsec sa
- description (IPSec profile)
- show crypto ipsec sa
- show crypto ipsec summary
- show crypto ipsec transform-set
clear crypto ipsec sa
To delete specific security associations (SAs), or all SAs in the IP Security (IPSec) security associations database (SADB), use the clear crypto ipsec sa command.
Syntax Description
sa-id
Identifier for the SA. IPSec supports from 1 to 64,500 sessions.
all
Deletes all IPSec SAs in the IPSec SADB.
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
SAs are established to secure data flows in IPSec. Use the clear crypto ipsec sa command to delete active IPSec sessions or force IPSec to reestablish new SAs. Usually, the establishment of SAs is negotiated between peers through Internet Key Exchange (IKE) on behalf of IPSec.
Task ID
The following example shows how to remove the SA with ID 100 from the SADB:
RP/0/RP0/CPU0:router# clear crypto ipsec sa 100description (IPSec profile)
To create a description of an IPSec profile, use the description command in profile configuration mode. To delete a profile description, use the no form of this command.
Syntax Description
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Use the description command inside the profile configuration submode to create a description for an IPSec profile.
Task ID
show crypto ipsec sa
To display security association (SA) information based on the rack/slot/module location, use the show crypto ipsec sa command.
show crypto ipsec sa [ sa-id | peer ip-address | profile profile-name | detail | fvrf fvrf-name | ivrf ivrf-name | location node-id ]
Syntax Description
sa-id
(Optional) Identifier for the SA. The range is from 1 to 64500.
peer ip-address
(Optional) IP address used on the remote (PC) side. Invalid IP addresses are not accepted.
profile profile-name
(Optional) Specifies the alphanumeric name for a security profile. The character range is from 1 to 64. Profile names cannot be duplicated.
detail
(Optional) Provides additional dynamic SA information.
fvrf fvrf-name
(Optional) Specifies that all existing SAs for front door virtual routing and forwarding (FVRF) is the same as the fvrf-name.
ivrf ivrf-name
(Optional) Specifies that all existing SAs for inside virtual routing and forwarding (IVRF) is the same as the ivrf-name.
location node-id
(Optional) Specifies that the SAs are configured on a specified location.
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If no optional argument or keyword is used, all SAs are displayed within a flow. Within a flow, the SAs are listed by protocol (Encapsulating Security Payload [ESP] or Authentication Header [AH]) and direction (inbound or outbound).
The detail keyword provides additional information only for SAs that are configured in a software crypto engine. The SAs are configured by using tunnel-ipsec and transport.
Task ID
The following sample output is from the show crypto ipsec sa command:
RP/0/RP0/CPU0:router# show crypto ipsec sa SSA id: 510 Node id: 0/1/0 SA Type: MANUAL interface: service-ipsec22 profile : p7 local ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.255/512/0) remote ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.0/512/0) local crypto endpt: 0.0.0.0, remote crypto endpt: 0.0.0.0, vrf default #pkts tx :0 #pkts rx :0 #bytes tx :0 #bytes rx :0 #pkts encrypt :0 #pkts decrypt :0 #pkts digest :0 #pkts verify :0 #pkts encrpt fail:0 #pkts decrpt fail:0 #pkts digest fail:0 #pkts verify fail:0 #pkts replay fail:0 #pkts tx errors :0 #pkts rx errors :0 outbound esp sas: spi: 0x322(802) transform: esp-3des-md5 in use settings = Tunnel sa agreed lifetime: 3600s, 4194303kb sa timing: remaining key lifetime: 3142303931sec/0kb sa DPD: disable, mode none, timeout 0s sa idle timeout: disable, 0s sa anti-replay (HW accel): enable, window 64 inbound esp sas: spi: 0x322(802) transform: esp-3des-md5 in use settings = Tunnel sa agreed lifetime: 3600s, 4194303kb sa timing: remaining key lifetime: 3142303931sec/0kb sa DPD: disable, mode none, timeout 0s sa idle timeout: disable, 0s sa anti-replay (HW accel): enable, window 64This table describes the significant fields shown in the display.
Table 1 show crypto ipsec sa Field Descriptions Field
Description
SA id
Identifier for the SA.
interface
Identifier for the interface.
profile
String of alphanumeric characters that specify the name of a security profile.
local ident
IP address, mask, protocol, and port of the local peer.
remote ident
IP address, mask, protocol and port of the remote peer.
outbound esp sas
Outbound ESP SAs.
inbound esp sas
Inbound ESP SAs.
transform
The transform being used in the SA.
sa lifetime
The lifetime value used in the SA.
The following sample output is from the show crypto ipsec sa command for the profile keyword for a profile named pn1:
RP/0/RP0/CPU0:router# show crypto ipsec sa profile pn1 SA id: 2 interface: tunnel0 profile: pn1 local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120 outbound esp sas: spi: 0x8b0e950f (2332988687) transform: esp-3des-sha in use settings = Tunnel sa lifetime: 3600s, 4194303kb SA id: 2 interface: tunnel0 profile: pn1 local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92 inbound esp sas: spi: 0x2777997c (662149500) transform: esp-3des-sha in use settings = Tunnel sa lifetime: 3600s, 4194303kbThe following sample output is from the show crypto ipsec sa command for the peer keyword:
RP/0/RP0/CPU0:router# show crypto ipsec sa peer 172.19.72.120 SA id: 2 interface: tunnel0 profile: pn1 local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120 outbound esp sas: spi: 0x8b0e950f (2332988687) transform: esp-3des-sha in use settings = Tunnel sa lifetime: 3600s, 4194303kb SA id: 2 interface: tunnel0 profile: pn1 local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92 inbound esp sas: spi: 0x2777997c (662149500) transform: esp-3des-sha in use settings = Tunnel sa lifetime: 3600s, 4194303kbshow crypto ipsec summary
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
Task ID
The following sample output is from the show crypto ipsec summary command:
RP/0/RP0/CPU0:router# show crypto ipsec summary # * Attached to a transform indicates a bundle # Active IPSec Sessions: 1 SA Interface Local Peer/Port Remote Peer/Port FVRF Profile Transform Lifetime ------------------------------------------------------------------------------------------ 502 -ipsec100 70.70.70.2/500 60.60.60.2/500 default ipsec1 esp-3des esp 3600/100000000This table describes the significant fields shown in the display.
Table 2 show crypto ipsec summary Field Descriptions Field
Description
SA
Identifier for the security association.
Node
Identifier for the node.
Local Peer
IP address of the local peer.
Remote Peer
IP address of the remote peer.
FVRF
The front door virtual routing and forwarding (FVRF) of the SA. If the FVRF is global, the output shows f_vrf as an empty field
Mode
Profile mode type.
Profile
Crypto profile in use.
Transform
Transform in use.
Lifetime
Lifetime value, displayed in seconds followed by kilobytes.
show crypto ipsec transform-set
Syntax Description
transform-set-name
(Optional) IPSec transform set with the specified value for the transform-set-name argument are displayed.
Command Default
No default values. The default behavior is to print all the available transform-sets.
Command History
Usage Guidelines
To use this command, you must be in a user group associated with a task group that includes appropriate task IDs. If the user group assignment is preventing you from using a command, contact your AAA administrator for assistance.
If no transform is specified, all transforms are displayed.
Task ID
The following sample output is from the show crypto ipsec transform-set command:
RP/0/RP0/CPU0:router# show crypto ipsec transform-set Transform set combined-des-sha: {esp-des esp-sha-hmac} Transform set tsfm2: {esp-md5-hmac esp-3des } Mode: Transport Transform set tsfm1: {esp-md5-hmac esp-3des } Mode: Tunnel Transform set ts1: {esp-des } Mode: Tunnel
