IPSec Commands

This module describes the IPSec commands.

For detailed information about the configuration tasks, and examples, see the System Security Configuration Guide for Cisco ASR 9000 Series Routers or the System Security Configuration Guide for Cisco 8000 Series Routers.

clear crypto ipsec sa

To delete specific security associations (SAs), or all SAs in the IP Security (IPSec) security associations database (SADB), use the clear crypto ipsec sa command.

clear crypto ipsec sa {sa-id | all | counters {sa-id | all} | interface tunnel-ipsec}

Syntax Description

sa-id

Identifier for the SA. IPSec supports from 1 to 64,500 sessions.

all

Deletes all IPSec SAs in the IPSec SADB.

counters

Clears the counters in the IPSec SADB.

interface

Clears the interfaces in the IPSec SADB.

tunnel-ipsec

The range of tunnel-ipsec is <0-4294967295>.

Command Default

No default behavior or values

Command Modes

EXEC

Command History

Release          Modification
Release 7.0.12   This command was introduced.

Usage Guidelines

SAs are established to secure data flows in IPSec. Use the clear crypto ipsec sa command to delete active IPSec sessions or force IPSec to reestablish new SAs. Usually, the establishment of SAs is negotiated between peers through Internet Key Exchange (IKE) on behalf of IPSec.

Task ID

Task ID    Operations
crypto     execute

Examples

The following example shows how to remove the SA with ID 100 from the SADB:


RP/0/RSP0/CPU0:router# clear crypto ipsec sa 100

interface tunnel-ip (GRE)

To configure a tunnel interface for generic routing encapsulation (GRE), use the interface tunnel-ip command in global configuration mode. To delete the IP tunnel interface, use the no form of this command.

interface tunnel-ip number

no interface tunnel-ip number

Syntax Description

number

Instance number of the interface. The range is from 0 to 65535.

Command Default

None

Command Modes

Global configuration

Command History

Release          Modification
Release 7.0.12   This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID      Operations
interface    read, write

Examples

The following example shows how to use the interface tunnel-ip command:


RP/0/RSP0/CPU0:router# configure 
RP/0/RSP0/CPU0:router(config)# interface tunnel-ip 50000
RP/0/RSP0/CPU0:router(config-if)#

show crypto ipsec sa

To display security association (SA) information based on the rack/slot/module location, use the show crypto ipsec sa command.

show crypto ipsec sa [sa-id | peer ip-address | profile profile-name | detail | count | fvrf fvrf-name | ivrf ivrf-name | location node-id]

Syntax Description

sa-id

(Optional) Identifier for the SA. The range is from 1 to 64500.

peer ip-address

(Optional) IP address used on the remote (PC) side. Invalid IP addresses are not accepted.

profile profile-name

(Optional) Specifies the alphanumeric name for a security profile. The character range is from 1 to 64. Profile names cannot be duplicated.

detail

(Optional) Provides additional dynamic SA information.

count

(Optional) Provides SA count.

fvrf fvrf-name

(Optional) Displays all existing SAs whose front door virtual routing and forwarding (FVRF) instance matches fvrf-name.

ivrf ivrf-name

(Optional) Displays all existing SAs whose inside virtual routing and forwarding (IVRF) instance matches ivrf-name.

location node-id

(Optional) Displays only the SAs on the specified node.

Command Modes

EXEC

Command History

Release          Modification
Release 7.0.12   This command was introduced.

Usage Guidelines

If no optional argument or keyword is used, all SAs are displayed within a flow. Within a flow, the SAs are listed by protocol (Encapsulating Security Payload [ESP] or Authentication Header [AH]) and direction (inbound or outbound).

The detail keyword provides additional information only for SAs that are configured in a software crypto engine. The SAs are configured by using tunnel-ipsec and transport.

Task ID

Task ID    Operations
crypto     read

Examples

The following sample output is from the show crypto ipsec sa command:


RP/0/RSP0/CPU0:router# show crypto ipsec sa

SA id:          510
Node id:        0/1/0
SA Type:        MANUAL
interface:      service-ipsec22
profile  :      p7
local  ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.255/512/0)
remote ident (addr/mask/prot/port) : (0.0.0.0/0.0.0.0/512/0)
local crypto endpt: 0.0.0.0, remote crypto endpt: 0.0.0.0, vrf default
 
 #pkts tx         :0                      #pkts rx         :0
 #bytes tx        :0                      #bytes rx        :0
 #pkts encrypt    :0                      #pkts decrypt    :0
 #pkts digest     :0                      #pkts verify     :0
 #pkts encrpt fail:0                      #pkts decrpt fail:0
 #pkts digest fail:0                      #pkts verify fail:0
 #pkts replay fail:0
 #pkts tx errors  :0                      #pkts rx errors  :0
 
outbound esp sas:
        spi: 0x322(802)
        transform: esp-3des-md5
        in use settings = Tunnel
        sa agreed lifetime: 3600s, 4194303kb
        sa timing: remaining key lifetime: 3142303931sec/0kb
        sa DPD: disable, mode none, timeout 0s
        sa idle timeout: disable, 0s
        sa anti-replay (HW accel): enable, window 64
inbound esp sas:
        spi: 0x322(802)
        transform: esp-3des-md5
        in use settings = Tunnel
        sa agreed lifetime: 3600s, 4194303kb
        sa timing: remaining key lifetime: 3142303931sec/0kb
        sa DPD: disable, mode none, timeout 0s
        sa idle timeout: disable, 0s
        sa anti-replay (HW accel): enable, window 64

This table describes the significant fields shown in the display.

Table 1. show crypto ipsec sa Field Descriptions

Field             Description
SA id             Identifier for the SA.
interface         Identifier for the interface.
profile           String of alphanumeric characters that specify the name of a security profile.
local ident       IP address, mask, protocol, and port of the local peer.
remote ident      IP address, mask, protocol, and port of the remote peer.
outbound esp sas  Outbound ESP SAs.
inbound esp sas   Inbound ESP SAs.
transform         The transform being used in the SA.
sa lifetime       The lifetime value used in the SA.

The following sample output is from the show crypto ipsec sa command for the profile keyword for a profile named pn1:


RP/0/RSP0/CPU0:router# show crypto ipsec sa profile pn1

SA id: 2 
interface: tunnel0 
profile: pn1 
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) 
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) 
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120 
outbound esp sas: 
spi: 0x8b0e950f (2332988687) 
transform: esp-3des-sha 
in use settings = Tunnel 
sa lifetime: 3600s, 4194303kb 

SA id: 2 
interface: tunnel0 
profile: pn1 
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) 
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) 
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92 
inbound esp sas: 
spi: 0x2777997c (662149500) 
transform: esp-3des-sha 
in use settings = Tunnel 
sa lifetime: 3600s, 4194303kb

The following sample output is from the show crypto ipsec sa command for the peer keyword:


RP/0/RSP0/CPU0:router# show crypto ipsec sa peer 172.19.72.120

SA id: 2 
interface: tunnel0 
profile: pn1 
local ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) 
remote ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) 
local crypto endpt: 172.19.70.92, remote crypto endpt: 172.19.72.120 
outbound esp sas: 
spi: 0x8b0e950f (2332988687) 
transform: esp-3des-sha 
in use settings = Tunnel 
sa lifetime: 3600s, 4194303kb 

SA id: 2 
interface: tunnel0 
profile: pn1 
local ident (addr/mask/prot/port): (172.19.72.120/255.255.255.255/0/0) 
remote ident (addr/mask/prot/port): (172.19.70.92/255.255.255.255/0/0) 
local crypto endpt: 172.19.72.120, remote crypto endpt: 172.19.70.92 
inbound esp sas: 
spi: 0x2777997c (662149500) 
transform: esp-3des-sha 
in use settings = Tunnel 
sa lifetime: 3600s, 4194303kb

show crypto ipsec summary

To display IP Security (IPSec) summary information, use the show crypto ipsec summary command.

show crypto ipsec summary

Syntax Description

This command has no keywords or arguments.

Command Default

None

Command Modes

EXEC

Command History

Release          Modification
Release 3.7.2    This command was introduced.

Usage Guidelines

No specific guidelines impact the use of this command.

Task ID

Task ID    Operations
crypto     read

Examples

The following sample output is from the show crypto ipsec summary command:


RP/0/RSP0/CPU0:router# show crypto ipsec summary

# * Attached to a transform indicates a bundle
 
# Active IPSec Sessions: 1
 
SA  Interface        Local Peer/Port   Remote Peer/Port  FVRF    Profile  Transform Lifetime
------------------------------------------------------------------------------------------
502 tunnel-ipsec100 70.70.70.2/500    60.60.60.2/500    default ipsec1   esp-3des  esp 3600/100000000

This table describes the significant fields shown in the display.

Table 2. show crypto ipsec summary Field Descriptions

Field        Description
SA           Identifier for the security association.
Node         Identifier for the node.
Local Peer   IP address of the local peer.
Remote Peer  IP address of the remote peer.
FVRF         The front door virtual routing and forwarding (FVRF) of the SA. If the FVRF is global, the output shows f_vrf as an empty field.
Mode         Profile mode type.
Profile      Crypto profile in use.
Transform    Transform in use.
Lifetime     Lifetime value, displayed in seconds followed by kilobytes.

show crypto ipsec transform-set

To display the configured transform sets, use the show crypto ipsec transform-set command.

show crypto ipsec transform-set [transform-set-name]

Syntax Description

transform-set-name

(Optional) Displays only the IPSec transform set whose name matches the transform-set-name argument.

Command Default

No default values. The default behavior is to print all the available transform-sets.

Command Modes

EXEC

Command History

Release          Modification
Release 7.0.12   This command was introduced.

Usage Guidelines

If no transform is specified, all transforms are displayed.

Task ID

Task ID    Operations
crypto     read

Examples

The following sample output is from the show crypto ipsec transform-set command:


RP/0/RSP0/CPU0:router# show crypto ipsec transform-set

Transform set combined-des-sha: {esp-des esp-sha-hmac}
Transform set tsfm2: {esp-md5-hmac esp-3des }
        Mode: Transport
Transform set tsfm1: {esp-md5-hmac esp-3des }
        Mode: Tunnel
Transform set ts1: {esp-des  }
        Mode: Tunnel
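The following Python is an added audit example, not part of the Cisco documentation: it parses the show crypto ipsec sa display format shown earlier on this page and flags SAs that negotiated a DES/3DES or MD5 transform or that have anti-replay disabled, and applies the same weak-token check to the show crypto ipsec transform-set listing above. The sample display embedded in the script is constructed; the SA ids and settings are made up.

```python
import re
# Constructed, abridged "show crypto ipsec sa" display in this page's format; values are made up.
SAMPLE_SA_OUTPUT = """\
SA id:          510
outbound esp sas:
        transform: esp-3des-md5
        sa anti-replay (HW accel): enable, window 64
inbound esp sas:
        transform: esp-3des-md5
        sa anti-replay (HW accel): disable, window 0
SA id:          511
outbound esp sas:
        transform: esp-aes esp-sha-hmac
"""
WEAK_TOKENS = ("des", "md5")  # legacy DES/3DES encryption and MD5 integrity

def is_weak(transform):
    # "esp-3des-md5" -> ["esp", "3des", "md5"]; any token containing a weak marker counts
    tokens = transform.lower().replace("-", " ").split()
    return any(w in t for t in tokens for w in WEAK_TOKENS)

def parse_sa_output(text):
    """One dict per ESP SA: sa_id, direction, transform, anti_replay (True/False/None)."""
    sas, sa_id = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"SA id:\s*(\d+)", line):
            sa_id = int(m.group(1))
        elif m := re.match(r"(inbound|outbound) esp sas:", line):
            sas.append({"sa_id": sa_id, "direction": m.group(1), "transform": None, "anti_replay": None})
        elif (m := re.match(r"transform:\s*(.+)", line)) and sas:
            sas[-1]["transform"] = m.group(1).strip()
        elif (m := re.match(r"sa anti-replay.*?:\s*(enable|disable)", line)) and sas:
            sas[-1]["anti_replay"] = m.group(1) == "enable"
    return sas

def audit_sas(sas):
    """Flag SAs that negotiated a legacy transform or have anti-replay turned off."""
    findings = []
    for sa in sas:
        if sa["transform"] and is_weak(sa["transform"]):
            findings.append((sa["sa_id"], sa["direction"], "weak transform " + sa["transform"]))
        if sa["anti_replay"] is False:
            findings.append((sa["sa_id"], sa["direction"], "anti-replay disabled"))
    return findings

def weak_transform_sets(text):
    """Names of sets in 'show crypto ipsec transform-set' output that use a legacy token."""
    return [name for name, body in re.findall(r"Transform set (\S+): \{([^}]*)\}", text) if is_weak(body)]
```

Run audit_sas(parse_sa_output(...)) on the captured output of show crypto ipsec sa; every transform set shown on this page (DES or 3DES) is reported by weak_transform_sets.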