SGW

Wednesday, April 30, 2014

9:08 AM

Commands
show security ipsec tunnels

Tunnel counts

show interfaces brief

Print interfaces+Ips

show run ike-interface

Print IKE interfaces

show run realm-config access

Print access

show run network-interface M00:1209

Print network interface info for the access

interface

show run ike-sainfo

Print IKE SA config

show security ike local-address-pool

brief

Print IPSEC tunnel

show security ike local-address-pool

access-pool-1

Print IPSEC pool information (remote IP <>

internal 7.x IP)

show security ike sad ike-interface

66.94.29.39 peer 66.166.60.3:4500

Print IKE & IPSEC security association data

show security ipsec sad M00:1209

detail spi 3326292221

Print IPSEC tunnel information, based off SPI's

from previous command

show logfile

Print logfiles list

show logfile log.iked

Print current IKE logfile, which is capturing

debug so you'll see tunnel setup, exchanges,
keep alives, etc.

realm information

counts

SGWCHI06# show security ipsec ?

sad
spd
statistics
status
tunnels

security-association database entries

security-policy database entries
interface and SA entry statistics
display interface IPSEC status
display current number of tunnels

SGWCHI06# show security ipsec tunnels

13:58:04-105 Capacity=200000
IPsec Tunnel Statistics
-- Period -- -------- Lifetime -------Active
High
Total
Total PerMax
High
IPsec Tunnels
163
164
2
29301
50
179
SGWCHI06# show interfaces brief
Slot Port Vlan Interface
Num Num
ID Name
---- ---- ---- ---------- lo0
0
- lo
- eth0
- eth1
- eth2
- sp0
- sp1
- sp2
0
0 1209 M00
0
1
0 M01

IP
Address
------------------127.0.0.1/8
v6::1
5.194.192.52/25
169.254.1.2/30
169.254.2.2/30
66.94.29.39/28
10.17.2.111/24
10.161.183.84/28
66.94.29.41/28
10.17.2.113/24

Gateway
Address
---------------66.94.29.33
10.17.2.1

SGW Page 1

Admin
State
----up
up

Oper
State
----up
up
up
up
up
up
up
up
up
up

0
1

1
0

0 M01
674 M10

10.17.2.113/24
10.161.183.86/28

10.17.2.1
10.161.183.81

up
up

up
up

SGWCHI06# show run ike-interface

ike-interface
address
66.94.29.39
realm-id
access
ike-mode
responder
local-address-pool-id-list
access-pool-1
dpd-params-name
dpd-1
v2-ike-life-secs
259200
v2-ipsec-life-secs
43200
v2-rekey
enabled
multiple-authentication
disabled
shared-password
eap-protocol
addr-assignment
local
sd-authentication-method
certificate
certificate-profile-id-list
SGWCHI05-06.t-mobile.com 66.94.29.39
threshold-crossing-alert-group-name
cert-status-check
disabled
cert-status-profile-list
access-control-name
accounting-param-name
authorization
disabled
last-modified-by
nchan@5.248.129.18
last-modified-date
2010-07-28 04:55:47
ike-interface
address
10.17.2.111
realm-id
access-eit
ike-mode
responder
local-address-pool-id-list
eit-pool-1
dpd-params-name
dpd-1
v2-ike-life-secs
259200
v2-ipsec-life-secs
43200
v2-rekey
enabled
multiple-authentication
disabled
shared-password
eap-protocol
addr-assignment
local
sd-authentication-method
certificate
certificate-profile-id-list
SGWCHI05-06-EIT.t-mobile.com 10.17.2.111
threshold-crossing-alert-group-name
cert-status-check
disabled
cert-status-profile-list
access-control-name
accounting-param-name
authorization
disabled
last-modified-by
admin@5.248.29.52
last-modified-date
2010-07-22 06:23:56
task done
SGWCHI06# show run realm-config access
realm-config
identifier
access
description
addr-prefix
0.0.0.0
network-interfaces
M00:1209
mm-in-realm
disabled
mm-in-network
enabled
mm-same-ip
enabled
mm-in-system
enabled
bw-cac-non-mm
disabled
msm-release
disabled
generate-UDP-checksum
disabled
max-bandwidth
0
fallback-bandwidth
0
max-priority-bandwidth
0
max-latency
0
max-jitter
0

SGW Page 2

max-jitter
max-packet-loss
observ-window-size
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit
access-control-trust-level
invalid-signal-threshold
maximum-signal-threshold
untrusted-signal-threshold
nat-trust-threshold
deny-period
ext-policy-svr
symmetric-latching
pai-strip
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching
restriction-mask
accounting-enable
user-cac-mode
user-cac-bandwidth
user-cac-sessions
icmp-detect-multiplier
icmp-advertisement-interval
icmp-target-ip
monthly-minutes
net-management-control
delay-media-update
refer-call-transfer
codec-policy
codec-manip-in-realm
constraint-name
call-recording-server-id
stun-enable
stun-server-ip
stun-server-port
stun-changed-ip
stun-changed-port
match-media-profiles
qos-constraint
last-modified-by
last-modified-date

0
0
0

0
none
0
0
0
0
30
disabled
disabled

none
32
enabled
none
0
0
0
0
0
disabled
disabled
disabled
disabled
disabled
0.0.0.0
3478
0.0.0.0
3479
afoster33@5.217.137.55
2012-07-31 08:28:41

SGWCHI06# show run network-interface M00:1209

network-interface
name
M00
sub-port-id
1209
description
hostname
ip-address
66.94.29.39
pri-utility-addr
66.94.29.40
sec-utility-addr
66.94.29.41
netmask
255.255.255.240
gateway
66.94.29.33
sec-gateway
gw-heartbeat
state
enabled
heartbeat
30
retry-count
3
retry-timeout
1

SGW Page 3

retry-timeout
health-score
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by
last-modified-date
task done

1
30
66.94.9.80
t-mobile.com
11
66.94.29.39
66.94.29.39
admin@5.248.29.52
2009-11-13 15:38:09

SGWCHI06# show run ike-sainfo

ike-sainfo
name
security-protocol
auth-algo
encryption-algo
ipsec-mode
tunnel-local-addr
tunnel-remote-addr
last-modified-by
last-modified-date
ike-sainfo
name
security-protocol
auth-algo
encryption-algo
ipsec-mode
tunnel-local-addr
tunnel-remote-addr
last-modified-by
last-modified-date

access-sainfo
esp-auth
sha1
aes
tunnel
66.94.29.39
*
admin@5.249.29.46
2009-11-11 17:26:45
eit-sainfo
esp-auth
sha1
aes
tunnel
10.17.2.111
*
admin@5.249.29.46
2009-11-11 17:27:28

SGWCHI06# show security ike local-address-pool brief

IKE local address pools
address pool 1
Name: access-pool-1 poolSize: 1022 total used count: 175
address pool 2
Name: eit-pool-1 poolSize: 1022 total used count: 0
SGWCHI06# show security ike local-address-pool access-pool-1
Name: access-pool-1
poolSize: 1022
Local-IP
remote-IP
used-count
state
7.128.0.108
76.164.159.113
12
allocated
7.128.0.110

66.166.60.3

11

allocated

7.128.0.111

74.116.24.9

10

allocated

7.128.0.120

76.164.159.113

12

allocated

7.128.0.122

73.176.4.32

11

allocated

7.128.0.125

24.248.245.202

10

allocated

7.128.0.131

65.121.58.198

13

allocated

7.128.0.144

12.227.10.171

11

allocated

7.128.0.159

99.157.132.206

11

allocated

SGWCHI06# show security ike sad ike-interface 66.94.29.39 peer 66.166.60.3:4500

IKE SA:
IKE Version

: 2

SGW Page 4

IKE Version
Tunnel State
Last Response [Seconds]
AAA Identity
NAT

:
:
:
:
:

2
Up
79

IP Addresses [IP:Port]
Peer
Server Instance

: 66.166.60.3:4500
: 66.94.29.39:500

Cookies
Initiator
Responder

: 0xbd7647558b4ba5c6
: 0xc55006dea39b664c

Algorithms
DH Group
Hash
MAC
Cipher

:
:
:
:

SA Times [Seconds]
Creation
Expiry
Remaining

: 2213760
: 259200
: 86318

Yes

2
HMAC-SHA1
SHA1-96
AES_CBC

IPSec SA:
IP Addresses [IP:Port]
Destination
Source

: 7.128.0.110:0
: 10.160.0.0:0

SPI
Outbound
Inbound
Algorithms
Mode
Protocol
Authentication
Encryption

: 3326292221
: 3350292097
:
:
:
:

TUNNEL
ESP
SHA1
AES

Traffic Selectors [Start IP - End IP]

Destination
: 7.128.0.110 - 7.128.0.110
Source
: 10.160.0.0 - 10.191.255.255
SGWCHI06# show security ipsec sad M00:1209 detail spi 3326292221
WARNING: This action might affect system performance and take a long time to
finish.
Are you sure [y/n]?: y
IPSEC security-association-database for interface 'M00:1209':
Displaying SA's that match the following criteria spi
: 3326292221
direction
: both
ipsec-proto
: any
src-addr-prefix
: any
src-port
: any
dst-addr-prefix
: any
dst-port
: any
trans-proto
: ALL
Outbound, SPI: 3326292221
source-address
destination-address
source-port
destination-port
trans-proto
vlan-id
sad-index
encr-algo
auth-algo
tunnel-source

:
:
:
:
:
:
:
:
:
:

7.128.0.110
0
0
ALL
1209
29344
aes-128-cbc
hmac-sha1
66.94.29.39

SGW Page 5

tunnel-source
: 66.94.29.39
tunnel-destination
: 66.166.60.3
mtu
: 1428
flags 0x
66800
C
byte count limit hard ms: 0xFFFFFFFF, hard ls: 0xFFFFFFFF
soft ms: 0xFFFFFFFF, soft ls: 0xFFFFFFFF
time limit hard: 0x5361AC98, soft: 0x5361AC7A
seq ms: 0x
0, seq ls: 0x
3409
SGWCHI06# show security ipsec sad M00:1209 detail spi 3350292097
WARNING: This action might affect system performance and take a long time to
finish.
Are you sure [y/n]?: y
IPSEC security-association-database for interface 'M00:1209':
Displaying SA's that match the following criteria spi
: 3350292097
direction
: both
ipsec-proto
: any
src-addr-prefix
: any
src-port
: any
dst-addr-prefix
: any
dst-port
: any
trans-proto
: ALL
Inbound, SPI: 3350292097
destination-address
: 66.94.29.39
vlan-id
: 1209
ipsec-protocol
: Unknown
sad-index
: 29304
encr-algo
: aes-128-cbc
auth-algo
: hmac-sha1
match fields:
src-ip
: 7.128.0.110
dst-ip
:
src-port
: 0
dst-port
: 0
vlan-id
: 1209
trans-proto
: ALL
mask fields:
src-ip
: 255.255.255.255
dst-ip
:
src-port
: 0
dst-port
: 0
vlan-id
: 4095
protocol
: 0
flags 4066800, ls:
C
byte count limit hard ms: 0xFFFFFFFF, hard ls: 0xFFFFFFFF
soft ms: 0xFFFFFFFF, soft ls: 0xFFFFFFFF
hard limit hard: 0x5361AC98, soft: 0x5361AC7A
seq ms: 0x
0, seq ls: 0x
28E6

SGW Page 6