How Do I View and Verify IKEv1 Phase1 or IKEv2 Parent SA?
48639
Created On 04/07/19 04:52 AM - Last Modified 09/12/25 09:00 AM
Question
How do I view and verify IKEv1 Phase1 or IKEv2 Parent SA?
Environment
- NGFW
- Supported PAN-OS
Answer
Web Interface:
Navigate to Network > IPSec Tunnels.
The GREEN color next to IKE Info indicates that the SA (Security Association) is up or established.
If it is RED, that indicates the SA is down or unestablished.
- Name – The name of the gateway configured under Network > IKE Gateways
- Gateway – The internally generated (number) ID to uniquely identify the IKE gateway
- Role – The local device role in the IKE Phase-1 negotiation
  - Init - Initiator – The local device initiated the IKE negotiation
  - Resp - Responder – The local device is the responder in the IKE negotiation, and the peer device initiated the connection
- Mode – IKEv1 has two modes of negotiation
  - Main – Main mode, usually in case of static local and peer IP
  - Aggr - Aggressive – Aggressive mode, usually in cases where either one of the sides of the VPN has a dynamic IP address.
- Algorithm – The Phase-1 algorithm negotiated between the peers. The algorithms for negotiation are picked from the IKE crypto profile configured under Network > IKE Crypto. The format is Authentication Method/DH Group/Encryption Algorithm/Authentication Algorithm
- Created – The date and time when the IKE SA was established between the peers
- Expires – The date and time when the SA expires. This is from the key lifetime configured under IKE Crypto
CLI:
The "show vpn ike-sa" CLI command gives the summary of the Phase-1 and associated Phase-2 SAs.
The command displays the IKEv1 and IKEv2 SAs separately. This can be used to determine which tunnels are IKEv1 and which are IKEv2.
Options Available:
user@firewall> show vpn ike-sa
> detail    Show the details of IKE SA status
> gateway   Show for given IKE gateway
> match     if the name contains the string or not
| Pipe through a command
<Enter>     Finish input
Sample Outputs:
user@firewall> show vpn ike-sa detail gateway GW-1
IKE Gateway GW-1, ID 113 100.0.0.1 => 200.0.0.1
Current time: Apr.06 20:39:30
IKE Phase1 SA:
Cookie: A872B7F1E93B2EF2:E16469E4A7D3EA18 Init
State: Dying
Mode: Main
Authentication: PSK
Proposal: AES128-CBC/SHA1/DH2
NAT: Not detected
Message ID: 0, phase 2: 0
Phase 2 SA created : 3
Created: Apr.06 18:18:28, 2 hours 21 minutes 2 seconds ago
Expires: Apr.07 02:18:28
user@firewall> show vpn ike-sa gateway GW-1
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
113 200.0.0.1 GW-1 Init Main PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 v1 13 1 3
Show IKEv1 IKE SA: Total 4 gateways found. 1 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
GW-1 780 TUN-1 113 Init ESP/ DH2/tunl/SHA1 866BC8DD C490D71C 35772C5A 9 1
Show IKEv1 phase2 SA: Total 4 gateways found. 1 ike sa found.
There is no IKEv2 SA found.
user@firewall> show vpn ike-sa
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
113 200.0.0.1 GW-1 Init Main PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 v1 13 1 2
114 200.0.0.2 GW-2 Resp Main PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 v1 13 1 2
117 10.129.72.42 GW-5 Resp Aggr PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 v1 13 1 2
118 200.0.0.6 GW-6 Init Aggr PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 v1 13 1 2
Show IKEv1 IKE SA: Total 4 gateways found. 4 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
GW-1 780 TUN-1 113 Init ESP/ DH2/tunl/SHA1 ABB046B6 8C6CC39A E5367FE6 9 1
GW-2 781 TUN-2 114 Resp ESP/ DH2/tunl/SHA1 E2183BF3 B5F69A27 1C94E7B9 9 1
GW-5 784 TUN-5 117 Resp ESP/ DH2/tunl/SHA1 CD54CC98 FCB719FB 93BCB696 9 1
GW-6 785 TUN-6 118 Init ESP/ DH2/tunl/SHA1 8C8D8DF8 869F14EE 4B9D2EC2 9 1
Show IKEv1 phase2 SA: Total 4 gateways found. 4 ike sa found.
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
115 200.0.0.3 GW-3 Init 3 PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 0 1 Established
116 200.0.0.4 GW-4 Resp 4 PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 0 1 Established
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
GW-3 782 TUN-3 295 3 Init C701F21D D2623952 00000079 Mature
GW-4 783 TUN-4 294 4 Resp F6B7115C C13629DC 0000022D Mature
Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.
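The summary tables are fixed-column text that is tedious to compare across many gateways by eye. The following Python script is an added example, not code from this article or from PAN-OS: it parses the `show vpn ike-sa` summary output (the sample is the page's own output re-typed one row per line with the prompt removed) into per-section records, answers the question the text raises (which gateways are IKEv1 and which are IKEv2), reports from the "Total N gateways found. M ike sa found." lines how many configured gateways currently have no IKE SA, and ties each IKEv2 child SA back to its parent SA through the SN and Parent columns. The regular expressions assume the column layout shown on this page; other PAN-OS releases may print different columns.

```python
import re

# Constructed sample: the summary output shown in this article, re-typed one
# row per line with the CLI prompt removed (the values are the page's own).
SAMPLE = """\
IKEv1 phase-1 SAs
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
113 200.0.0.1 GW-1 Init Main PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 v1 13 1 2
114 200.0.0.2 GW-2 Resp Main PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 v1 13 1 2
117 10.129.72.42 GW-5 Resp Aggr PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 v1 13 1 2
118 200.0.0.6 GW-6 Init Aggr PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 v1 13 1 2
Show IKEv1 IKE SA: Total 4 gateways found. 4 ike sa found.
IKEv1 phase-2 SAs
Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
GW-1 780 TUN-1 113 Init ESP/ DH2/tunl/SHA1 ABB046B6 8C6CC39A E5367FE6 9 1
GW-2 781 TUN-2 114 Resp ESP/ DH2/tunl/SHA1 E2183BF3 B5F69A27 1C94E7B9 9 1
GW-5 784 TUN-5 117 Resp ESP/ DH2/tunl/SHA1 CD54CC98 FCB719FB 93BCB696 9 1
GW-6 785 TUN-6 118 Init ESP/ DH2/tunl/SHA1 8C8D8DF8 869F14EE 4B9D2EC2 9 1
Show IKEv1 phase2 SA: Total 4 gateways found. 4 ike sa found.
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
115 200.0.0.3 GW-3 Init 3 PSK/ DH2/A128/SHA1 Apr.06 18:18:28 Apr.07 02:18:28 0 1 Established
116 200.0.0.4 GW-4 Resp 4 PSK/ DH2/A128/SHA1 Apr.06 18:18:32 Apr.07 02:18:32 0 1 Established
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
GW-3 782 TUN-3 295 3 Init C701F21D D2623952 00000079 Mature
GW-4 783 TUN-4 294 4 Resp F6B7115C C13629DC 0000022D Mature
Show IKEv2 SA: Total 2 gateways found. 2 ike sa found.
"""

# One row pattern per section header. The Algorithm column contains a space
# ("PSK/ DH2/...") and the timestamps contain one too, so a plain split() won't do.
ROW_PATTERNS = {
    "IKEv1 phase-1 SAs": re.compile(
        r"^(?P<gwid>\d+)\s+(?P<peer>\S+)\s+(?P<name>\S+)\s+(?P<role>Init|Resp)\s+"
        r"(?P<mode>Main|Aggr)\s+(?P<alg>\S+/\s*\S+)\s+(?P<est>\S+ \S+)\s+"
        r"(?P<exp>\S+ \S+)\s+(?P<ver>v\d)\s+\d+\s+\d+\s+(?P<children>\d+)$"),
    "IKEv1 phase-2 SAs": re.compile(
        r"^(?P<name>\S+)\s+(?P<tnid>\d+)\s+(?P<tunnel>\S+)\s+(?P<gwid>\d+)\s+"
        r"(?P<role>Init|Resp)\s+(?P<alg>\S+/\s*\S+)\s+(?P<spi_in>[0-9A-F]+)\s+"
        r"(?P<spi_out>[0-9A-F]+)\s+[0-9A-F]+\s+\d+\s+\d+$"),
    "IKEv2 SAs": re.compile(
        r"^(?P<gwid>\d+)\s+(?P<peer>\S+)\s+(?P<name>\S+)\s+(?P<role>Init|Resp)\s+"
        r"(?P<sn>\d+)\s+(?P<alg>\S+/\s*\S+)\s+(?P<est>\S+ \S+)\s+(?P<exp>\S+ \S+)\s+"
        r"\d+\s+(?P<children>\d+)\s+(?P<state>\S+)$"),
    "IKEv2 IPSec Child SAs": re.compile(
        r"^(?P<name>\S+)\s+(?P<tnid>\d+)\s+(?P<tunnel>\S+)\s+(?P<id>\d+)\s+"
        r"(?P<parent>\d+)\s+(?P<role>Init|Resp)\s+(?P<spi_in>[0-9A-F]+)\s+"
        r"(?P<spi_out>[0-9A-F]+)\s+[0-9A-F]+\s+(?P<state>\S+)$"),
}
TOTALS_RE = re.compile(r"^Show (.+?): Total (\d+) gateways found\. (\d+) ike sa found\.$")


def parse_ike_sa(text):
    """Return ({section: [row dict, ...]}, {label: (gateways, sas)})."""
    sections = {name: [] for name in ROW_PATTERNS}
    totals = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ROW_PATTERNS:          # section header line
            current = line
            continue
        m = TOTALS_RE.match(line)
        if m:
            totals[m.group(1)] = (int(m.group(2)), int(m.group(3)))
            continue
        if current is None:
            continue
        m = ROW_PATTERNS[current].match(line)
        if m:                            # column-header and dash lines don't match
            sections[current].append(m.groupdict())
    return sections, totals


def ike_version_by_gateway(text):
    """Map gateway name -> 'v1' or 'v2', the use the article gives this command."""
    sections, _ = parse_ike_sa(text)
    versions = {row["name"]: "v1" for row in sections["IKEv1 phase-1 SAs"]}
    versions.update({row["name"]: "v2" for row in sections["IKEv2 SAs"]})
    return versions


def gateways_without_sa(text):
    """Configured gateways minus established SAs, per 'Total ... found.' line."""
    _, totals = parse_ike_sa(text)
    return {label: gws - sas for label, (gws, sas) in totals.items()}


def child_parent_links(text):
    """Resolve each IKEv2 child SA to its parent gateway: Parent column == SN."""
    sections, _ = parse_ike_sa(text)
    parent_by_sn = {row["sn"]: row["name"] for row in sections["IKEv2 SAs"]}
    return {row["tunnel"]: parent_by_sn.get(row["parent"], "<no parent SA>")
            for row in sections["IKEv2 IPSec Child SAs"]}


if __name__ == "__main__":
    print(ike_version_by_gateway(SAMPLE))
    print(gateways_without_sa(SAMPLE))
    print(child_parent_links(SAMPLE))
```

A non-zero value from `gateways_without_sa` is the programmatic equivalent of a RED "IKE Info" indicator in the web interface: the gateway is configured but has no SA. In the first sample on this page ("Total 4 gateways found. 1 ike sa found.") the function would report 3 for the IKEv1 Phase-1 line.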
Explanation of Key Columns for IKEv1 Phase-1 SAs:
- GwID – The internally generated (number) ID to uniquely identify the IKE gateway.
- Peer-Address – The VPN peer device IP address
- Gateway Name – The name of the gateway configured under Network > IKE Gateways
- Role – The local device role in the IKE Phase-1 negotiation
  - Init - Initiator – The local device initiated the IKE negotiation
  - Resp - Responder – The local device is the responder in the IKE negotiation, and the peer device initiated the connection
- Mode – IKEv1 has two modes of negotiation
  - Main – Main mode, usually in case of static local and peer IP
  - Aggr - Aggressive – Aggressive mode, usually in cases where either one of the sides of the VPN has a dynamic IP address.
- Algorithm – The Phase-1 algorithm negotiated between the peers. The algorithms for negotiation are picked from the IKE crypto profile configured under Network > IKE Crypto. The format is Authentication Method/DH Group/Encryption Algorithm/Authentication Algorithm
  Example: PSK/ DH2/A128/SHA1
  - PSK – Stands for Pre-shared key. This is the authentication method (it can be pre-shared key or certificate).
  - DH2 – The DH (Diffie-Hellman) group negotiated
  - A128 – aes-128-cbc encryption algorithm negotiated
  - SHA1 – Authentication algorithm negotiated
- Established – The date and time when the IKE SA was established between the peers
- Expiration – The date and time when the SA expires. This is from the key lifetime configured under IKE Crypto
Explanation of Key Columns for IKEv1 Phase-2 SAs:
This displays the Phase-2 SAs associated with the Phase-1 SAs.
- Gateway Name – The name of the gateway configured under Network > IKE Gateways
- TnID - Tunnel ID – The internally generated (number) ID to uniquely identify the tunnel
- Tunnel – The name of the tunnel configured under Network > IPSec Tunnels
- GwID – The internally generated (number) ID to uniquely identify the IKE gateway.
- Role – The local device role in the IKE Phase-2 negotiation
  - Init - Initiator – The local device initiated the IKE negotiation
  - Resp - Responder – The local device is the responder in the IKE negotiation, and the peer device initiated the connection
- Algorithm – The Phase-2 algorithm negotiated between the peers. The algorithms for negotiation are picked from the IPSec crypto profile configured under Network > IPSec Crypto. The format is IPSec Protocol/DH Group/Mode/Authentication Algorithm
  Example: ESP/ DH2/tunl/SHA1
  - ESP – Encapsulating Security Payload. This is the IPSec Protocol (it can be ESP or AH).
  - DH2 – The DH (Diffie-Hellman) group negotiated, from the IPSec crypto profile
  - tunl – This is always tunl, representing Tunnel mode.
  - SHA1 – Authentication algorithm negotiated
- SPI (in) – The Security Parameter Index (SPI) of the receive direction. This is equal to the peer's SPI (out)
- SPI (out) – The Security Parameter Index (SPI) of the transmit direction. This is equal to the peer's SPI (in)
Explanation of Key Columns for IKEv2 SAs:
- Gateway ID – The internally generated (number) ID to uniquely identify the IKE gateway
- Peer-Address – The VPN peer device IP address
- Gateway Name – The name of the gateway configured under Network > IKE Gateways
- Role – The local device role in the IKE SA negotiation
  - Init - Initiator – The local device initiated the IKE negotiation
  - Resp - Responder – The local device is the responder in the IKE negotiation, and the peer device initiated the connection
- SN – Serial number of the IKEv2 SA, used to associate it with its child SAs
- Algorithm – The Phase-1 algorithm negotiated between the peers. The algorithms for negotiation are picked from the IKE crypto profile configured under Network > IKE Crypto. The format is Authentication Method/DH Group/Encryption Algorithm/Authentication Algorithm
  Example: PSK/ DH2/A128/SHA1
  - PSK – Stands for Pre-shared key. This is the authentication method (it can be pre-shared key or certificate).
  - DH2 – The DH (Diffie-Hellman) group negotiated
  - A128 – aes-128-cbc encryption algorithm negotiated
  - SHA1 – Authentication algorithm negotiated
- Established – The date and time when the IKE SA was established between the peers.
- Expiration – The date and time when the SA expires. This is from the key lifetime configured under IKE Crypto
Explanation of Key Columns for IKEv2 IPSec Child SAs:
- Gateway Name – The name of the gateway configured under Network > IKE Gateways
- TnID - Tunnel ID – The internally generated (number) ID to uniquely identify the tunnel
- Tunnel – The name of the tunnel configured under Network > IPSec Tunnels
- Parent – The parent IKEv2 SA; this matches the SN field of the IKEv2 SA.
- Role – The local device role in the IKE child SA negotiation
  - Init - Initiator – The local device initiated the IKE negotiation
  - Resp - Responder – The local device is the responder in the IKE negotiation, and the peer device initiated the connection
- Algorithm – The Phase-2 algorithm negotiated between the peers
- SPI (in) – The Security Parameter Index (SPI) of the receive direction. This is equal to the peer's SPI (out)
- SPI (out) – The Security Parameter Index (SPI) of the transmit direction. This is equal to the peer's SPI (in)
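To make the Algorithm and SPI explanations above concrete, here is an added Python example (not code from this article or from PAN-OS). It splits the "PSK/ DH2/A128/SHA1" and "ESP/ DH2/tunl/SHA1" strings into the named components the column descriptions define, checks that a tunnel's SPI (in)/SPI (out) pair mirrors what the peer reports (which is exactly the relationship the SPI descriptions state), and computes the remaining lifetime of an SA from the "Current time" and "Expires" lines of the detail output. The minimum DH group policy is a constructed illustration of how an operator might screen the negotiated parameters, not a PAN-OS default; the peer-side SPI record is likewise constructed.

```python
import re
from datetime import datetime

# Field order taken from the column explanations in this article.
PHASE1_FIELDS = ("authentication", "dh_group", "encryption", "integrity")
PHASE2_FIELDS = ("protocol", "dh_group", "mode", "integrity")


def _split_algorithm(alg):
    # The CLI prints a space after the first slash ("PSK/ DH2/..."); drop it.
    return [part for part in alg.replace(" ", "").split("/") if part]


def decode_phase1_algorithm(alg):
    """'PSK/ DH2/A128/SHA1' -> dict keyed by PHASE1_FIELDS."""
    parts = _split_algorithm(alg)
    if len(parts) != len(PHASE1_FIELDS):
        raise ValueError("unexpected Phase-1 algorithm string: %r" % alg)
    return dict(zip(PHASE1_FIELDS, parts))


def decode_phase2_algorithm(alg):
    """'ESP/ DH2/tunl/SHA1' -> dict keyed by PHASE2_FIELDS."""
    parts = _split_algorithm(alg)
    if len(parts) != len(PHASE2_FIELDS):
        raise ValueError("unexpected Phase-2 algorithm string: %r" % alg)
    return dict(zip(PHASE2_FIELDS, parts))


# Constructed policy for illustration only: flag anything below this DH group.
MIN_DH_GROUP = 14


def dh_group_number(token):
    """'DH2' -> 2."""
    m = re.fullmatch(r"DH(\d+)", token)
    if not m:
        raise ValueError("unexpected DH group token: %r" % token)
    return int(m.group(1))


def below_dh_policy(alg, decoder=decode_phase1_algorithm):
    """True when the negotiated DH group is weaker than MIN_DH_GROUP."""
    return dh_group_number(decoder(alg)["dh_group"]) < MIN_DH_GROUP


def spi_pair_matches(local, peer):
    """Our SPI(in) must be the peer's SPI(out) and vice versa."""
    return (local["spi_in"].upper() == peer["spi_out"].upper()
            and local["spi_out"].upper() == peer["spi_in"].upper())


TIME_FMT = "%b.%d %H:%M:%S"   # "Apr.07 02:18:28", as printed by the CLI


def seconds_until_expiry(current, expires):
    """Remaining SA lifetime from the 'Current time' and 'Expires' lines."""
    now = datetime.strptime(current, TIME_FMT)
    exp = datetime.strptime(expires, TIME_FMT)
    delta = (exp - now).total_seconds()
    if delta < 0:                  # no year is printed: assume a wrap past New Year
        delta += 365 * 24 * 3600
    return int(delta)


if __name__ == "__main__":
    # SPIs from the TUN-1 row on this page; the peer's view is constructed by
    # swapping them, which is what a healthy tunnel must show.
    local = {"tunnel": "TUN-1", "spi_in": "866BC8DD", "spi_out": "C490D71C"}
    peer = {"tunnel": "TUN-1", "spi_in": "C490D71C", "spi_out": "866BC8DD"}
    print(decode_phase1_algorithm("PSK/ DH2/A128/SHA1"))
    print(decode_phase2_algorithm("ESP/ DH2/tunl/SHA1"))
    print("below DH policy:", below_dh_policy("PSK/ DH2/A128/SHA1"))
    print("SPI pair consistent:", spi_pair_matches(local, peer))
    print("seconds until expiry:",
          seconds_until_expiry("Apr.06 20:39:30", "Apr.07 02:18:28"))
```

Run against the detail output on this page (current time Apr.06 20:39:30, expiry Apr.07 02:18:28) the lifetime function returns 20338 seconds, and because the CLI omits the year a negative difference is treated as a wrap across New Year rather than as an already-expired SA.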