11-Security Command Reference

07-IPsec Commands

Contents

IPsec configuration commands
  ah authentication-algorithm
  connection-name
  display ipsec policy
  display ipsec proposal
  display ipsec sa
  display ipsec session
  display ipsec statistics
  display ipsec tunnel
  encapsulation-mode
  esp authentication-algorithm
  esp encryption-algorithm
  ike-peer (IPsec policy view)
  ipsec anti-replay check
  ipsec anti-replay window
  ipsec decrypt check
  ipsec invalid-spi-recovery enable
  ipsec policy (interface view)
  ipsec policy (system view)
  ipsec proposal
  ipsec sa global-duration
  ipsec session idle-time
  pfs
  policy enable
  proposal (IPsec policy view)
  qos pre-classify
  reset ipsec sa
  reset ipsec session
  reset ipsec statistics
  reverse-route
  reverse-route preference
  reverse-route tag
  sa authentication-hex
  sa duration
  sa encryption-hex
  sa spi
  sa string-key
  security acl
  transform
  tunnel local
  tunnel remote

IKE configuration commands
  authentication-algorithm
  authentication-method
  certificate domain
  dh
  display ike dpd
  display ike peer
  display ike proposal
  display ike sa
  dpd
  encryption-algorithm
  exchange-mode
  id-type
  ike dpd
  ike local-name
  ike next-payload check disabled
  ike peer (system view)
  ike proposal
  ike sa keepalive-timer interval
  ike sa keepalive-timer timeout
  ike sa nat-keepalive-timer interval
  interval-time
  local
  local-address
  local-name
  nat traversal
  peer
  pre-shared-key
  proposal (IKE peer view)
  remote-address
  remote-name
  reset ike sa
  sa duration
  time-out


IPsec configuration commands

The term "router" in this document refers to both routers and Layer 3 switches.

IPsec is available only on Ethernet interface cards.

ah authentication-algorithm

Syntax

ah authentication-algorithm { md5 | sha1 }

undo ah authentication-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

md5: Uses MD5. This keyword is not available for FIPS mode.

sha1: Uses SHA1.

Description

Use ah authentication-algorithm to specify an authentication algorithm for the authentication header (AH) protocol.

Use undo ah authentication-algorithm to restore the default.

By default, MD5 is used in non-FIPS mode, and SHA1 is used in FIPS mode.

Before specifying the authentication algorithm for AH, be sure to use the transform command to specify the security protocol as AH or both AH and ESP.

Related commands: ipsec proposal and transform.

Examples

# Configure IPsec proposal prop1 to use AH and SHA1.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform ah

[Sysname-ipsec-proposal-prop1] ah authentication-algorithm sha1

connection-name

Syntax

connection-name name

undo connection-name

View

IPsec policy view

Default level

2: System level

Parameters

name: IPsec connection name, a case-insensitive string of 1 to 32 characters.

Description

Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.

Use undo connection-name to restore the default.

By default, no IPsec connection name is configured.

NOTE:

This command is available only in FIPS mode.

Example

# Set IPsec connection name to CenterToA.

<Sysname> system-view

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] connection-name CenterToA

display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec policies.

name: Displays detailed information about a specified IPsec policy or IPsec policy group.

policy-name: Name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec policy to display information about IPsec policies.

If you do not specify any parameters, the command displays detailed information about all IPsec policies.

If you specify the name policy-name option but omit the seq-number argument, the command displays detailed information about all IPsec policies in the specified IPsec policy group.

Related commands: ipsec policy (system view).

Examples

# Display brief information about all IPsec policies.

<Sysname> display ipsec policy brief

IPsec-Policy-Name     Mode    acl    ike-peer name    Mapped Template

------------------------------------------------------------------------

bbbbbbbbbbbbbbb-1     template                        aaaaaaaaaaaaaaa

man-1                 manual  3400

map-1                 isakmp  3000   peer

nat-1                 isakmp  3500   nat

test-1                isakmp  3200   test

toccccc-1             isakmp  3003   tocccc

 

IPsec-Policy-Name     Mode    acl          Local-Address  Remote-Address

------------------------------------------------------------------------

man-1                 manual  3400        3.3.3.1         3.3.3.2

Table 1 Output description

IPsec-Policy-Name: Name and sequence number of the IPsec policy, separated by a hyphen.

Mode: Negotiation mode of the IPsec policy: manual (manual mode) or isakmp (IKE negotiation mode).

acl: Access control list (ACL) referenced by the IPsec policy.

ike-peer name: IKE peer name.

Local-Address: IP address of the local end.

Remote-Address: IP address of the remote end.

 

# Display detailed information about all IPsec policies.

<Sysname> display ipsec policy

===========================================

IPsec Policy Group: "policy_isakmp"

Interface: Vlan-interface1

===========================================

 

  ------------------------------------

  IPsec policy name: "policy_isakmp"

  sequence number: 10

  mode: isakmp

  -------------------------------------

    security data flow : 3000

    selector mode: standard

    ike-peer name:  per

    perfect forward secrecy: None

    proposal name: prop1

    IPsec sa local duration(time based): 3600 seconds

    IPsec sa local duration(traffic based): 1843200 kilobytes

    policy enable: True

===========================================

IPsec Policy Group: "policy_man"

Interface: Vlan-interface2

===========================================

 

  -----------------------------------------

  IPsec policy name: "policy_man"

  sequence number: 10

  mode: manual

  -----------------------------------------

    security data flow : 3002

    tunnel local  address: 162.105.10.1

    tunnel remote address: 162.105.10.2

    proposal name: prop1

    inbound AH setting:

      AH spi: 12345 (0x3039)

      AH string-key:

      AH authentication hex key : *****

    inbound ESP setting:

      ESP spi: 23456 (0x5ba0)

      ESP string-key:

      ESP encryption hex key: *****

      ESP authentication hex key: *****

    outbound AH setting:

      AH spi: 54321 (0xd431)

      AH string-key:

      AH authentication hex key: *****

    outbound ESP setting:

      ESP spi: 65432 (0xff98)

      ESP string-key:

      ESP encryption hex key: *****

      ESP authentication hex key: *****

 

===========================================

IPsec Policy Group: "manual"

Interface:

Protocol: OSPFv3, RIPng, BGP

===========================================

 

  -----------------------------

  IPsec policy name: "policy001"

  sequence number: 10

  mode: manual

  -----------------------------

    security data flow :

    tunnel local  address:

    tunnel remote address:

    proposal name: prop1

    inbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    inbound ESP setting:

      ESP spi: 23456 (0x5ba0)

      ESP string-key:

      ESP encryption hex key: *****

      ESP authentication hex key: *****

    outbound AH setting:

      AH spi:

      AH string-key:

      AH authentication hex key:

    outbound ESP setting:

      ESP spi: 23456 (0x5ba0)

      ESP string-key:

      ESP encryption hex key: *****

      ESP authentication hex key: *****

Table 2 Output description

security data flow: ACL referenced by the IPsec policy.

Interface: Interface to which the IPsec policy is applied.

Protocol: Routing protocol to which the IPsec policy is applied. This field is displayed only when the IPsec policy is applied to a routing protocol.

sequence number: Sequence number of the IPsec policy.

mode: Negotiation mode of the IPsec policy: manual (manual mode) or isakmp (IKE negotiation mode).

selector mode: Data flow protection mode of the IPsec policy. The device supports only the standard mode.

ike-peer name: IKE peer referenced by the IPsec policy.

tunnel local address: Local IP address of the tunnel.

tunnel remote address: Remote IP address of the tunnel.

perfect forward secrecy: Whether PFS is enabled.

proposal name: Proposal referenced by the IPsec policy.

policy enable: Whether the IPsec policy is enabled.

inbound/outbound AH/ESP setting: AH/ESP settings in the inbound/outbound direction, including the SPI and keys. Configured key values are masked as ***** in the output.

 

display ipsec proposal

Syntax

display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

proposal-name: Name of a proposal, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec proposal to display information about IPsec proposals.

If you do not specify any parameters, the command displays information about all IPsec proposals.

Related commands: ipsec proposal.

Examples

# Display information about all IPsec proposals.

<Sysname> display ipsec proposal

 

  IPsec proposal name: prop2

    encapsulation mode: tunnel

    transform: ah-new

    AH protocol: authentication sha1-hmac-96

 

  IPsec proposal name: prop1

    encapsulation mode: transport

    transform: esp-new

    ESP protocol: authentication md5-hmac-96, encryption des

Table 3 Output description

IPsec proposal name: Name of the IPsec proposal.

encapsulation mode: Encapsulation mode used by the IPsec proposal, transport or tunnel.

transform: Security protocol(s) used by the IPsec proposal: AH, ESP, or both. When both are configured, ESP is applied to the packet first and AH then authenticates the resulting ESP packet.

AH protocol: Authentication algorithm used by AH.

ESP protocol: Authentication algorithm and encryption algorithm used by ESP.

 

display ipsec sa

Syntax

display ipsec sa [ brief | policy policy-name [ seq-number ] | remote ip-address ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec SAs.

policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.

policy-name: Name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535.

remote: Displays detailed information about the IPsec SA with a specified remote address. This keyword is available only for FIPS mode.

ip-address: Remote address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec sa to display information about IPsec SAs.

If you do not specify any parameters, the command displays information about all IPsec SAs.

Related commands: reset ipsec sa.

Examples

# Display brief information about all IPsec SAs.

<Sysname> display ipsec sa brief

Src Address  Dst Address  SPI    Protocol     Algorithm

--------------------------------------------------------

10.1.1.1     10.1.1.2     300    ESP          E:Rijndael/AES;

                                              A:HMAC-SHA1-96

10.1.1.2     10.1.1.1     400    ESP          E:Rijndael/AES;

                                              A:HMAC-SHA1-96

Table 4 Output description

Src Address: Local IP address.

Dst Address: Remote IP address.

SPI: Security parameter index.

Protocol: Security protocol used by IPsec.

Algorithm: Encryption and authentication algorithms used by the security protocol; E is the encryption algorithm and A is the authentication algorithm. NULL means that type of algorithm is not configured.

 

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa

===============================

Interface: GigabitEthernet3/0/1

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "r2"

  sequence number: 1

  mode: isakmp

  -----------------------------

    connection id: 3

    encapsulation mode: tunnel

    perfect forward secrecy:

    tunnel:

        local  address: 2.2.2.2

        remote address: 1.1.1.2

    flow:

        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP

        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 3564837569 (0xd47b1ac1)

      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

      max received sequence-number: 5

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

      status: active

 

    [outbound ESP SAs]

      spi: 801701189 (0x2fc8fd45)

      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5

      max sent sequence-number: 6

      udp encapsulation used for nat traversal: N

      status: active

 

===============================

Protocol: OSPFv3

===============================

 

  -----------------------------

  IPsec policy name: "manual"

  sequence number: 1

  mode: manual

  -----------------------------

    connection id: 2

    encapsulation mode: transport

    perfect forward secrecy:

    tunnel:

    flow :

 

    [inbound AH SAs]

      spi: 1234563 (0x12d683)

      proposal: AH-MD5HMAC96

 

    [outbound AH SAs]

      spi: 1234563 (0x12d683)

      proposal: AH-MD5HMAC96

Table 5 Output description

Interface: Interface referencing the IPsec policy.

path MTU: Maximum IP packet length supported by the interface.

Protocol: Name of the protocol to which the IPsec policy is applied.

IPsec policy name: Name of the IPsec policy used.

sequence number: Sequence number of the IPsec policy.

mode: IPsec negotiation mode.

connection id: IPsec tunnel identifier.

encapsulation mode: Encapsulation mode, transport or tunnel.

perfect forward secrecy: Whether the perfect forward secrecy feature is enabled.

tunnel: IPsec tunnel.

local address: Local IP address of the IPsec tunnel.

remote address: Remote IP address of the IPsec tunnel.

flow: Data flow.

sour addr: Source IP address of the data flow.

dest addr: Destination IP address of the data flow.

port: Port number.

protocol: Protocol type.

inbound: Information about the inbound SA.

spi: Security parameter index.

proposal: Security protocol and algorithms used by the IPsec proposal.

max received sequence-number: Highest sequence number received on the inbound SA (the upper edge of the anti-replay window maintained by the security protocol).

udp encapsulation used for nat traversal: Whether NAT traversal is enabled for the SA.

outbound: Information about the outbound SA.

max sent sequence-number: Highest sequence number sent on the outbound SA (the sequence number counter that the peer's anti-replay check relies on).

anti-replay check enable: Whether IPsec anti-replay checking is enabled.

anti-replay window size: Size of the anti-replay window.

 

display ipsec session

Syntax

display ipsec session [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

integer: ID of the IPsec tunnel, in the range of 1 to 2000000000.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec session to display information about IPsec sessions.

If you do not specify any parameters, the command displays information about all IPsec sessions.

An IPsec session records the mapping between a data flow and its IPsec tunnel, so later packets of the flow are matched to the tunnel directly instead of going through the ACL and policy lookup again, which improves forwarding efficiency. A session is identified by the 5-tuple of protocol, source IP address, source port, destination IP address, and destination port.

Related commands: reset ipsec session.

NOTE:

This command is available only in FIPS mode.

Examples

# Display information about all IPsec sessions.

<Sysname> display ipsec session

    ------------------------------------------------------------

    total sessions : 2

    ------------------------------------------------------------

    tunnel-id : 3

    session idle time/total duration (sec) : 36/300

 

    session flow :      (8 times matched)

        Sour Addr : 15.15.15.1             Sour Port:    0  Protocol : 1

        Dest Addr : 15.15.15.2             Dest Port:    0  Protocol : 1

 

    ------------------------------------------------------------

    tunnel-id : 4

    session idle duration/total duration (sec) : 7/300

 

    session flow :      (3 times matched)

        Sour Addr : 12.12.12.1             Sour Port:    0  Protocol : 1

        Dest Addr : 13.13.13.1             Dest Port:    0  Protocol : 1

# Display information about the session with an IPsec tunnel ID of 5.

<Sysname> display ipsec session tunnel-id 5

    ------------------------------------------------------------

    total sessions : 1

    ------------------------------------------------------------

    tunnel-id : 5

    session idle time/total duration (sec) : 30/300

 

    session flow :      (4 times matched)

        Sour Addr : 12.12.12.2             Sour Port:    0  Protocol : 1

        Dest Addr : 13.13.13.2             Dest Port:    0  Protocol : 1

Table 6 Output description

total sessions: Total number of IPsec sessions.

tunnel-id: IPsec tunnel ID, the same as the connection id of the IPsec SA.

session idle time: Idle duration of the IPsec session, in seconds.

total duration: Lifetime of the IPsec session, in seconds. The default is 300 seconds.

session flow: Flow information for the IPsec session.

times matched: Total number of packets that have matched the IPsec session.

Sour Addr: Source IP address of the IPsec session.

Dest Addr: Destination IP address of the IPsec session.

Sour Port: Source port number of the IPsec session.

Dest Port: Destination port number of the IPsec session.

Protocol: Protocol number of the IPsec-protected data flow, for example, 1 for ICMP.

 

display ipsec statistics

Syntax

display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range of 1 to 2000000000.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec statistics to display IPsec packet statistics.

If you do not specify any parameters, the command displays the statistics for all IPsec packets.

Related commands: reset ipsec statistics.

Examples

# Display statistics on all IPsec packets.

<Sysname> display ipsec statistics

  the security packet statistics:

    input/output security packets: 47/62

    input/output security bytes: 3948/5208

    input/output dropped security packets: 0/45

    dropped security packet detail:

      not enough memory: 0

      can't find SA: 45

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

# Display IPsec packet statistics for Tunnel 3.

<Sysname> display ipsec statistics tunnel-id 3

------------------------------------------------

  Connection ID : 3

 ------------------------------------------------

  the security packet statistics:

    input/output security packets: 5124/8231

    input/output security bytes: 52348/64356

    input/output dropped security packets: 0/0

    dropped security packet detail:

      not enough memory: 0

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

Table 7 Output description

Connection ID: ID of the tunnel.

input/output security packets: Counts of inbound and outbound IPsec-protected packets.

input/output security bytes: Counts of inbound and outbound IPsec-protected bytes.

input/output dropped security packets: Counts of inbound and outbound IPsec-protected packets that the device discarded.

dropped security packet detail: Breakdown of the dropped inbound/outbound packets by reason.

not enough memory: Number of packets dropped because of insufficient memory.

can't find SA: Number of packets dropped because no SA matched the packet (for example, the SPI in the packet is unknown to this end).

queue is full: Number of packets dropped because a queue was full.

authentication has failed: Number of packets dropped because integrity verification (AH or ESP authentication) failed.

wrong length: Number of packets dropped because of an incorrect packet length.

replay packet: Number of packets dropped by the anti-replay check because they were detected as replayed (a duplicate sequence number, or one that falls outside the anti-replay window).

packet too long: Number of packets dropped because of excessive packet length.

wrong SA: Number of packets dropped because the SA they matched was not appropriate for them.
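The drop counters above are the first thing to look at when a tunnel misbehaves, and they are also worth collecting from a monitoring job. The following Python script is an added example, not H3C code: it parses constructed sample output in the layout shown on this page (the sample values are the ones from the per-tunnel example above), computes a drop ratio per direction, and attaches a triage note to each non-zero drop reason. The severity wording in TRIAGE is an editorial interpretation of each counter, not text from the reference.

```python
"""Parse 'display ipsec statistics' output and triage the drop counters.

Added example; the layout follows the output shown on this page.
"""
import re

# Constructed sample in the format shown above (the values are the ones on this page).
SAMPLE_OUTPUT = """
------------------------------------------------
  Connection ID : 3
 ------------------------------------------------
  the security packet statistics:
    input/output security packets: 47/62
    input/output security bytes: 3948/5208
    input/output dropped security packets: 0/45
    dropped security packet detail:
      not enough memory: 0
      can't find SA: 45
      queue is full: 0
      authentication has failed: 0
      wrong length: 0
      replay packet: 0
      packet too long: 0
      wrong SA: 0
"""

PAIR = re.compile(r"^\s*input/output (.+?):\s*(\d+)/(\d+)\s*$")
SINGLE = re.compile(r"^\s*([^:]+?)\s*:\s*(\d+)\s*$")

# Interpretation of each drop reason from an incident-response point of view (editorial, not H3C text).
TRIAGE = {
    "authentication has failed": "HIGH: ICV check failed; wrong key, corrupted packets or active tampering",
    "replay packet": "MEDIUM: anti-replay drops; replayed traffic, or reordering wider than the anti-replay window",
    "wrong SA": "MEDIUM: packets rejected because the SA they selected is not valid for them",
    "can't find SA": "LOW: no SA for the SPI; peer holds stale SAs (see ipsec invalid-spi-recovery enable)",
}


def parse_ipsec_statistics(text):
    """Return {'connection_id': int|None, 'input': {...}, 'output': {...}, 'dropped': {...}}."""
    stats = {"connection_id": None, "input": {}, "output": {}, "dropped": {}}
    in_detail = False
    for line in text.splitlines():
        m = PAIR.match(line)
        if m:                                   # "input/output <key>: a/b" rows
            key = m.group(1).strip()
            stats["input"][key] = int(m.group(2))
            stats["output"][key] = int(m.group(3))
            continue
        if "dropped security packet detail" in line:
            in_detail = True                    # everything after this header is a drop reason
            continue
        m = SINGLE.match(line)
        if not m:
            continue
        key, count = m.group(1).strip(), int(m.group(2))
        if in_detail:
            stats["dropped"][key] = count
        elif key.lower() == "connection id":
            stats["connection_id"] = count
    return stats


def drop_ratio(stats, direction):
    """Fraction of packets in one direction that were dropped (0.0 when nothing was counted)."""
    total = stats[direction].get("security packets", 0)
    dropped = stats[direction].get("dropped security packets", 0)
    return dropped / total if total else 0.0


def triage(stats):
    """Return (reason, count, assessment) for every non-zero drop reason we know how to interpret."""
    return [(reason, count, TRIAGE[reason])
            for reason, count in stats["dropped"].items()
            if count and reason in TRIAGE]


if __name__ == "__main__":
    s = parse_ipsec_statistics(SAMPLE_OUTPUT)
    print(f"tunnel {s['connection_id']}: output drop ratio {drop_ratio(s, 'output'):.0%}")
    for reason, count, assessment in triage(s):
        print(f"  {reason} = {count}: {assessment}")
```

For the sample above the script reports that 45 of 62 outbound packets were dropped for "can't find SA", which is the pattern you see when the local end still holds an SA that the peer has already deleted; the reset ipsec sa command or invalid SPI recovery (both described in this chapter) resolves it. A non-zero "authentication has failed" or "replay packet" counter deserves a closer look at the peer and the path before anything is reset.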

 

display ipsec tunnel

Syntax

display ipsec tunnel [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ipsec tunnel to display information about IPsec tunnels.

If you do not specify any parameters, the command displays information about all IPsec tunnels.

Examples

# Display information about IPsec tunnels.

<Sysname> display ipsec tunnel

    total tunnel : 2

    ------------------------------------------------

    connection id: 3

    perfect forward secrecy:

    SA's SPI:

        inbound:  187199087 (0xb286e6f) [ESP]

        outbound: 3562274487 (0xd453feb7) [ESP]

    tunnel:

        local  address:  44.44.44.44

        remote address : 44.44.44.55

    flow:

        sour addr : 44.44.44.0/255.255.255.0  port: 0  protocol : IP

        dest addr : 44.44.44.0/255.255.255.0  port: 0  protocol : IP

    current Encrypt-card: None

 

------------------------------------------------

    connection id: 5

    perfect forward secrecy:

    SA's SPI:

        inbound:  12345 (0x3039) [ESP]

        outbound: 12345 (0x3039) [ESP]

    tunnel:

    flow:

    current Encrypt-card:

Table 8 Output description

connection id: Connection ID, which uniquely identifies an IPsec tunnel.

perfect forward secrecy: Perfect forward secrecy setting, indicating which DH group is used for the additional key exchange in IKE phase 2 (quick mode).

SA's SPI: SPIs of the inbound and outbound SAs.

tunnel: Local and remote addresses of the tunnel.

flow: Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol.

as defined in acl 3001: The IPsec tunnel protects all data flows defined by ACL 3001.

 

encapsulation-mode

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

View

IPsec proposal view

Default level

2: System level

Parameters

transport: Uses transport mode.

tunnel: Uses tunnel mode.

Description

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

By default, a security protocol encapsulates IP packets in tunnel mode.

IPsec for IPv6 routing protocols supports only the transport mode.

Related commands: ipsec proposal.

Examples

# Configure IPsec proposal prop2 to encapsulate IP packets in transport mode.

<Sysname> system-view

[Sysname] ipsec proposal prop2

[Sysname-ipsec-proposal-prop2] encapsulation-mode transport

esp authentication-algorithm

Syntax

esp authentication-algorithm { md5 | sha1 }

undo esp authentication-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

md5: Uses the MD5 algorithm, which uses a 128-bit key. This keyword is not available for FIPS mode.

sha1: Uses the SHA1 algorithm, which uses a 160-bit key.

Description

Use esp authentication-algorithm to specify an authentication algorithm for ESP.

Use undo esp authentication-algorithm to configure ESP not to perform authentication on packets.

By default, the MD5 algorithm is used in non-FIPS mode and SHA-1 is used in FIPS mode.

Compared with SHA-1, MD5 is faster but weaker. Use SHA-1 unless you must interoperate with a legacy peer that supports only MD5.

In non-FIPS mode, ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP authentication and encryption.

The undo esp authentication-algorithm command takes effect only if an encryption algorithm is specified for ESP, because ESP cannot be configured with neither authentication nor encryption.

Related commands: ipsec proposal, esp encryption-algorithm, proposal, and transform.

Examples

# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform esp

[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm

Syntax

esp encryption-algorithm { 3des | aes [ key-length ] | des }

undo esp encryption-algorithm

View

IPsec proposal view

Default level

2: System level

Parameters

3des: Uses triple DES (3DES) in cipher block chaining (CBC) mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption. This keyword is not available for FIPS mode.

aes: Uses the Advanced Encryption Standard (AES) in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit, 192-bit, or 256-bit key for encryption.

key-length: Key length for the AES algorithm, which can be 128, 192, or 256 and defaults to 128. This argument is for AES only.

des: Uses the Data Encryption Standard (DES) in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption. This keyword is not available for FIPS mode.

Description

Use esp encryption-algorithm to specify an encryption algorithm for ESP.

Use undo esp encryption-algorithm to configure ESP not to encrypt packets.

By default, the DES algorithm is used in non-FIPS mode and AES-128 is used in FIPS mode.

AES is the recommended algorithm: it is both stronger and faster than 3DES. 3DES provides adequate confidentiality but is slow. DES, with its 56-bit key, can be brute-forced with modest resources and should be used only when a legacy peer supports nothing else.

In non-FIPS mode, ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. In FIPS mode, you must use both ESP authentication and encryption.

The undo esp encryption-algorithm command takes effect only if an authentication algorithm is specified for ESP, because ESP cannot be configured with neither authentication nor encryption.

Related commands: ipsec proposal, esp authentication-algorithm, proposal, and transform.

Examples

# Configure IPsec proposal prop1 to use ESP and specify AES-128 as the encryption algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform esp

[Sysname-ipsec-proposal-prop1] esp encryption-algorithm aes 128
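The algorithm guidance in the esp authentication-algorithm and esp encryption-algorithm descriptions, together with the display ipsec proposal output shown earlier in this chapter, can be turned into a configuration audit. The following Python script is an added example, not H3C code: it parses constructed sample output in the layout shown on this page (the rendering of AES as "encryption aes" in that output is an assumption) and reports proposals that still use DES, 3DES or HMAC-MD5, or that use ESP without encryption or without authentication.

```python
"""Audit 'display ipsec proposal' output for weak or incomplete ESP transforms.

Added example; the parser follows the output layout shown on this page.
"""
import re

# Constructed sample output (not captured from a device). The "aes" rendering is an assumption.
SAMPLE_OUTPUT = """
  IPsec proposal name: prop2
    encapsulation mode: tunnel
    transform: ah-new
    AH protocol: authentication sha1-hmac-96

  IPsec proposal name: prop1
    encapsulation mode: transport
    transform: esp-new
    ESP protocol: authentication md5-hmac-96, encryption des

  IPsec proposal name: prop3
    encapsulation mode: tunnel
    transform: esp-new
    ESP protocol: authentication sha1-hmac-96, encryption aes

  IPsec proposal name: prop4
    encapsulation mode: tunnel
    transform: esp-new
    ESP protocol: encryption aes
"""

# Why each algorithm is flagged (the security judgement lives here, not in the parser).
WEAK_ENCRYPTION = {
    "des": "56-bit DES key can be brute-forced; use AES",
    "3des": "3DES is slow and legacy; use AES",
}
WEAK_AUTHENTICATION = {
    "md5": "HMAC-MD5 is deprecated; use SHA-1 unless a legacy peer requires MD5",
}
ESP_ALG = re.compile(r"(authentication|encryption)\s+([^,\s]+)")


def parse_proposals(text):
    """Return a list of dicts, one per 'IPsec proposal name' block."""
    proposals, current = [], None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "ipsec proposal name":
            current = {"name": value, "mode": None, "transform": None,
                       "ah_auth": None, "esp_auth": None, "esp_enc": None}
            proposals.append(current)
        elif current is None:
            continue
        elif key == "encapsulation mode":
            current["mode"] = value
        elif key == "transform":
            current["transform"] = value
        elif key == "ah protocol":
            m = re.search(r"authentication\s+(\S+)", value)
            current["ah_auth"] = m.group(1) if m else None
        elif key == "esp protocol":
            for kind, alg in ESP_ALG.findall(value):
                current["esp_auth" if kind == "authentication" else "esp_enc"] = alg
    return proposals


def audit_proposals(proposals):
    """Return (proposal name, finding) tuples for every ESP weakness found."""
    findings = []
    for p in proposals:
        name = p["name"]
        if "esp" not in (p["transform"] or ""):
            continue  # AH-only proposals give integrity only; that is their design, not a downgrade
        enc, auth = p["esp_enc"], p["esp_auth"]
        if enc is None:
            findings.append((name, "ESP without encryption: payload is authenticated but sent in clear"))
        elif enc.split("-")[0] in WEAK_ENCRYPTION:
            findings.append((name, f"ESP encryption {enc}: {WEAK_ENCRYPTION[enc.split('-')[0]]}"))
        if auth is None:
            findings.append((name, "ESP without authentication: unauthenticated CBC ciphertext is malleable"))
        elif auth.split("-")[0] in WEAK_AUTHENTICATION:
            findings.append((name, f"ESP authentication {auth}: {WEAK_AUTHENTICATION[auth.split('-')[0]]}"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_proposals(parse_proposals(SAMPLE_OUTPUT)):
        print(f"{name}: {finding}")
```

Run against the sample, the script flags prop1 twice (DES and HMAC-MD5) and prop4 once (encryption without authentication); prop2 and prop3 pass. The encryption-only case is worth flagging even in non-FIPS mode, where the device allows it: CBC ciphertext that carries no integrity check can be modified in transit without detection.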

ike-peer (IPsec policy view)

Syntax

ike-peer peer-name

undo ike-peer peer-name

View

IPsec policy view

Default level

2: System level

Parameters

peer-name: IKE peer name, a string of 1 to 32 characters.

Description

Use ike-peer to reference an IKE peer in an IPsec policy configured through IKE negotiation.

Use undo ike-peer to remove the reference.

Related commands: ipsec policy.

NOTE:

This command is available only in FIPS mode.

Examples

# Configure a reference to an IKE peer in an IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1

ipsec anti-replay check

Syntax

ipsec anti-replay check

undo ipsec anti-replay check

View

System view

Default level

2: System level

Parameters

None

Description

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.

By default, IPsec anti-replay checking is enabled. With the check disabled, the receiver no longer rejects captured AH or ESP packets that an attacker retransmits, so keep it enabled in normal operation.

NOTE:

This command is available only in FIPS mode.

Examples

# Enable IPsec anti-replay checking.

<Sysname> system-view

[Sysname] ipsec anti-replay check

ipsec anti-replay window

Syntax

ipsec anti-replay window width

undo ipsec anti-replay window

View

System view

Default level

2: System level

Parameters

width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.

Description

Use ipsec anti-replay window to set the size of the anti-replay window.

Use undo ipsec anti-replay window to restore the default.

By default, the size of the anti-replay window is 32.

Your configuration affects only IPsec SAs negotiated later.

NOTE:

This command is available only for FIPS mode.

Examples

# Set the size of the anti-replay window to 64.

<Sysname> system-view

[Sysname] ipsec anti-replay window 64
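What the width argument actually sizes is the receiver's sliding window of recently seen sequence numbers. The following Python model is an added example, not code from this reference or from the switch, and implements the window check in the form RFC 4303 describes for ESP/AH receivers; the packet sequence numbers fed to it are constructed to show where a 32-slot window and a 64-slot window diverge.

```python
# Added illustration (not H3C code): the sliding-window anti-replay check that
# the width argument sizes, in the form RFC 4303 describes for ESP/AH receivers.
# Sequence numbers below are constructed for the demonstration.

VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)   # values the command accepts


class AntiReplayWindow:
    """Bitmap of the last `width` sequence numbers, anchored at the highest
    sequence number accepted so far."""

    def __init__(self, width: int = 32):
        if width not in VALID_WIDTHS:
            raise ValueError(f"width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence number (top - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Accept and record seq if it is fresh; reject replays and packets
        older than the window. A real receiver calls this only after the
        integrity check passes, so a forged packet cannot move the window."""
        if seq <= 0:
            return False                # 0 is never a valid ESP/AH sequence number
        if seq > self.top:              # right of the window: slide it forward
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1         # everything previously tracked falls out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.width:
            return False                # left of the window: too old, drop
        if self.bitmap & (1 << offset):
            return False                # inside the window but already seen: replay
        self.bitmap |= 1 << offset      # late but fresh: accept and mark
        return True


def replay_trace(width: int, seqs) -> list:
    """Feed packet sequence numbers through one window and return the
    accept (True) / drop (False) decision for each."""
    window = AntiReplayWindow(width)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # A burst where packet 69 arrives after packet 100 (31 behind) and then
    # packet 68 (32 behind): width 32 keeps 69 and drops 68, width 64 keeps both.
    burst = [1, 1, 100, 69, 68]
    print(replay_trace(32, burst))   # [True, False, True, True, False]
    print(replay_trace(64, burst))   # [True, False, True, True, True]
```

The trace makes the operational trade-off visible: a wider window tolerates more reordering (for example across parallel paths or QoS queues) at the cost of a larger bitmap per SA, while a legitimately late packet that falls off the left edge of a narrow window is dropped exactly as a replay would be.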

ipsec decrypt check

Syntax

ipsec decrypt check

undo ipsec decrypt check

View

System view

Default level

2: System level

Parameters

None

Description

Use ipsec decrypt check to enable ACL checking of de-encapsulated IPsec packets.

Use undo ipsec decrypt check to disable ACL checking of de-encapsulated IPsec packets.

By default, ACL checking of de-encapsulated IPsec packets is enabled.

NOTE:

This command is available only for FIPS mode.

Examples

# Enable ACL checking of de-encapsulated IPsec packets.

<Sysname> system-view

[Sysname] ipsec decrypt check

ipsec invalid-spi-recovery enable

Syntax

ipsec invalid-spi-recovery enable

undo ipsec invalid-spi-recovery enable

View

System view

Default level

2: System level

Parameters

None

Description

Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.

Use undo ipsec invalid-spi-recovery enable to restore the default.

By default, the invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.

Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to establish new SAs.

NOTE:

This command is available only for FIPS mode.

Examples

# Enable invalid SPI recovery.

<Sysname> system-view

[Sysname] ipsec invalid-spi-recovery enable

ipsec policy (interface view)

Syntax

ipsec policy policy-name

undo ipsec policy [ policy-name ]

View

Interface view

Default level

2: System level

Parameters

policy-name: Name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.

Description

Use ipsec policy to apply an IPsec policy group to an interface.

Use undo ipsec policy to remove the application.

Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first. An IPsec policy group can be applied to more than one interface.

With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows.

For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in ascending order of sequence numbers. If it finds an IPsec policy whose ACL matches the packet, it uses that IPsec policy to protect the packet. If no IPsec policy's ACL matches the packet, the system does not provide IPsec protection for the packet and sends it out directly.

Only VLAN interfaces and Layer 3 Ethernet interfaces support IPsec policy groups.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Apply IPsec policy group pg1 to interface VLAN-interface 1.

<Sysname> system-view

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ipsec policy pg1
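The two lookups that matter for security here are the outbound policy selection described above (ascending sequence number, first matching ACL wins, and a packet that matches no ACL leaves the interface unprotected) and the inbound ACL check of de-encapsulated packets that the ipsec decrypt check command controls. The following Python model is an added example, not H3C code; the policy group name, networks and flows are constructed, and mirroring the ACL for the inbound direction is this model's assumption.

```python
import ipaddress
from dataclasses import dataclass, field

# Added illustration (not H3C code): how an interface-bound IPsec policy group
# selects a policy per outgoing packet, and how the inbound ACL check treats a
# de-encapsulated packet. Networks and policy names below are constructed.


@dataclass
class IpsecPolicy:
    name: str
    seq: int
    # ACL permit rules as (source network, destination network) pairs;
    # deny rules are left out of this model for simplicity.
    permits: list = field(default_factory=list)

    def acl_matches(self, src: str, dst: str) -> bool:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        return any(s in sn and d in dn for sn, dn in self.permits)


def select_policy(group, src, dst):
    """Outbound lookup: policies are tried in ascending sequence number and the
    first one whose ACL matches protects the packet. None means no policy
    matched, so the switch forwards the packet in the clear."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.acl_matches(src, dst):
            return policy
    return None


def accept_decapsulated(policy, inner_src, inner_dst, decrypt_check=True):
    """Inbound check (ipsec decrypt check): after de-encapsulation the inner
    packet must match the ACL of the policy whose SA carried it. The ACL is
    evaluated mirrored for inbound traffic (assumption of this model). With
    the check disabled, anything the peer tunnels is accepted."""
    if not decrypt_check:
        return True
    return policy.acl_matches(inner_dst, inner_src)


def unprotected_flows(group, flows):
    """Audit helper: return the (src, dst) flows that would leave the
    interface without IPsec protection."""
    return [f for f in flows if select_policy(group, *f) is None]


def net(s):
    return ipaddress.ip_network(s)


# Constructed policy group "pg1": seq 10 is the narrow site-to-site rule,
# seq 20 the broader rule covering both campuses. Stored out of order on
# purpose; the lookup sorts by sequence number.
PG1 = [
    IpsecPolicy("pg1", 20, [(net("10.1.0.0/16"), net("10.2.0.0/16"))]),
    IpsecPolicy("pg1", 10, [(net("10.1.0.0/24"), net("10.2.0.0/24"))]),
]

if __name__ == "__main__":
    print(select_policy(PG1, "10.1.0.5", "10.2.0.7").seq)    # 10
    print(select_policy(PG1, "10.1.5.5", "10.2.9.9").seq)    # 20
    print(unprotected_flows(PG1, [("10.1.0.5", "192.0.2.1")]))
```

The unprotected_flows helper is the check worth running against a policy group before applying it: any flow it returns is traffic the interface will forward in plaintext rather than drop, because a non-matching packet is not denied, only left unprotected.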

ipsec policy (system view)

Syntax

ipsec policy policy-name seq-number [ isakmp | manual ]

undo ipsec policy policy-name [ seq-number ]

View

System view

Default level

2: System level

Parameters

policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.

seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.

isakmp: Sets up SAs through IKE negotiation. This keyword is available only for FIPS mode.

manual: Sets up SAs manually.

Description

Use ipsec policy to create an IPsec policy and enter its view.

Use undo ipsec policy to delete the specified IPsec policies.

By default, no IPsec policy exists.

When creating an IPsec policy, you must specify the generation mode.

You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.

IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.

Related commands: ipsec policy (interface view) and display ipsec policy.

Examples

# Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100]

# Create an IPsec policy with the name policy1 and specify the manual mode for it.

<Sysname> system-view

[Sysname] ipsec policy policy1 101 manual

[Sysname-ipsec-policy-manual-policy1-101]

ipsec proposal

Syntax

ipsec proposal proposal-name

undo ipsec proposal proposal-name

View

System view

Default level

2: System level

Parameters

proposal-name: Name for the proposal, a case-insensitive string of 1 to 32 characters.

Description

Use ipsec proposal to create an IPsec proposal and enter its view.

Use undo ipsec proposal to delete an IPsec proposal.

By default, no IPsec proposal exists.

In non-FIPS mode, an IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.

In FIPS mode, an IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of AES-128, and the authentication algorithm of SHA1 by default.

Related commands: display ipsec proposal.

Examples

# Create an IPsec proposal named newprop1.

<Sysname> system-view

[Sysname] ipsec proposal newprop1

ipsec sa global-duration

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

View

System view

Default level

2: System level

Parameters

seconds: Time-based global SA lifetime in seconds, in the range of 180 to 604800.

kilobytes: Traffic-based global SA lifetime in kilobytes, in the range of 2560 to 4294967295.

Description

Use ipsec sa global-duration to configure the global SA lifetime.

Use undo ipsec sa global-duration to restore the default.

By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.

When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.

The SA lifetime applies to only IKE negotiated SAs; it is not effective for manually configured SAs.

Related commands: sa duration and display ipsec sa duration.

NOTE:

This command is available only for FIPS mode.

Examples

# Set the time-based global SA lifetime to 7200 seconds (2 hours).

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).

[Sysname] ipsec sa global-duration traffic-based 10240

ipsec session idle-time

Syntax

ipsec session idle-time seconds

undo ipsec session idle-time

View

System view

Default level

2: System level

Parameters

seconds: IPsec session idle timeout in seconds, in the range of 60 to 3600.

Description

Use ipsec session idle-time to set the idle timeout for IPsec sessions.

Use undo ipsec session idle-time to restore the default.

By default, the IPsec session idle timeout is 300 seconds.

NOTE:

This command is available only for FIPS mode.

Examples

# Set the IPsec session idle timeout to 600 seconds.

<Sysname> system-view

[Sysname] ipsec session idle-time 600

pfs

Syntax

pfs { dh-group2 | dh-group5 | dh-group14 }

undo pfs

View

IPsec policy view

Default level

2: System level

Parameters

dh-group2: Uses 1024-bit Diffie-Hellman group.

dh-group5: Uses 1536-bit Diffie-Hellman group.

dh-group14: Uses 2048-bit Diffie-Hellman group.

Description

Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy to initiate a negotiation.

Use undo pfs to remove the configuration.

By default, the PFS feature is not used for negotiation.

In terms of both security strength and required computation time, the groups rank in descending order as follows: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), and 1024-bit Diffie-Hellman group (dh-group2).

This command allows IPsec to perform an additional key exchange process during the negotiation phase 2, providing an additional level of security.

The local Diffie-Hellman group must be the same as that of the peer.

This command can be used only when the SAs are to be set up through IKE negotiation.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Enable and configure PFS for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 200 isakmp

[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group2

policy enable

Syntax

policy enable

undo policy enable

View

IPsec policy view

Default level

2: System level

Parameters

None

Description

Use policy enable to enable the IPsec policy.

Use undo policy enable to disable the IPsec policy.

By default, the IPsec policy is enabled.

The command is not applicable to manual IPsec policies.

If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Enable the IPsec policy with the name policy1 and sequence number 100.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] policy enable

proposal (IPsec policy view)

Syntax

proposal proposal-name&<1-6>

undo proposal [ proposal-name ]

View

IPsec policy view

Default level

2: System level

Parameters

proposal-name&<1-6>: Name of the IPsec proposal, a string of 1 to 32 characters. &<1-6> means that you can specify the proposal-name argument for up to six times.

Description

Use proposal to specify the IPsec proposals for the IPsec policy to reference.

Use undo proposal to remove an IPsec proposal reference by the IPsec policy.

By default, an IPsec policy references no IPsec proposal.

The IPsec proposals must already exist.

A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one.

An IKE negotiated IPsec policy can reference up to six IPsec proposals. The IKE negotiation process will search for and use the exactly matched proposal.

Related commands: ipsec proposal and ipsec policy (system view).

Examples

# Configure IPsec policy policy1 to reference IPsec proposal prop1.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] proposal prop1

qos pre-classify

Syntax

qos pre-classify

undo qos pre-classify

View

IPsec policy view

Default level

2: System level

Parameters

None

Description

Use qos pre-classify to enable packet information pre-extraction.

Use undo qos pre-classify to restore the default.

By default, packet information pre-extraction is disabled.

With the packet information pre-extraction feature enabled, QoS classifies a packet based on the header of the original IP packet—the header of the IP packet that has not been encapsulated by IPsec.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Enable packet information pre-extraction.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify

reset ipsec sa

Syntax

reset ipsec sa [ parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address ]

View

User view

Default level

2: System level

Parameters

parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI. This keyword is available only for FIPS mode.

dest-address: Destination address, in dotted decimal notation.

protocol: Security protocol, which can be keyword ah or esp, case insensitive.

spi: Security parameter index, in the range of 256 to 4294967295.

policy: Specifies IPsec SAs that use an IPsec policy.

policy-name: Name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters.

seq-number: Sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.

remote ip-address: Specifies SAs to or from a remote address, in dotted decimal notation. This option is available only for FIPS mode.

Description

Use reset ipsec sa to clear IPsec SAs.

Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets.

IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.

If you do not specify any parameter, the command clears all IPsec SAs.

Related commands: display ipsec sa.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the IPsec SA with a remote IP address of 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.

<Sysname> reset ipsec sa policy policy1 10

# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.

<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000

reset ipsec session

Syntax

reset ipsec session [ tunnel-id integer ]

View

User view

Default level

2: System level

Parameters

integer: ID of the IPsec tunnel, in the range of 1 to 2000000000.

Description

Use reset ipsec session to clear the sessions of a specified IPsec tunnel or all IPsec tunnels.

Related commands: display ipsec session.

NOTE:

This command is available only for FIPS mode.

Examples

# Clear all IPsec sessions.

<Sysname> reset ipsec session

# Clear the sessions of IPsec tunnel 5.

<Sysname> reset ipsec session tunnel-id 5

reset ipsec statistics

Syntax

reset ipsec statistics

View

User view

Default level

2: System level

Parameters

None

Description

Use reset ipsec statistics to clear IPsec packet statistics.

Related commands: display ipsec statistics.

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

reverse-route

Syntax

reverse-route [ remote-peer ip-address [ gateway | static ] | static ]

undo reverse-route

View

IPsec policy view

Default level

2: System level

Parameters

static: Enables static IPsec Reverse Route Inject (RRI). Static IPsec RRI creates static routes based on the ACL that the IPsec policy references. If this keyword is not specified, you enable dynamic IPsec RRI, which creates static routes based on IPsec SAs.

remote-peer ip-address: Specifies a next hop for the static routes. To use the static routes for route backup and load balancing, specify this option.

gateway: Creates two recursive routes: one to the remote tunnel endpoint and the other to the protected remote private network. Use the gateway keyword in an IKE-enabled IPsec policy to define an explicit default forwarding path for IPsec traffic.

Description

Use reverse-route to enable and configure the IPsec Reverse Route Inject (RRI) feature.

Use undo reverse-route to disable IPsec RRI.

By default, IPsec RRI is disabled.

IPsec RRI works in static mode or dynamic mode:

·     Static IPsec RRI creates one static route for each destination address permitted by the ACL that the IPsec policy references. Static IPsec RRI creates static routes immediately after you configure IPsec RRI for an IPsec policy and apply the IPsec policy. When you disable RRI, or remove the ACL or the peer gateway IP address from the policy, IPsec RRI deletes all static routes it has created. The static mode applies to scenarios where the topologies of branch networks seldom change.

·     Dynamic IPsec RRI dynamically creates static routes based on IPsec SAs. Dynamic IPsec RRI creates static routes when the IPsec SAs are established, and deletes the static routes when the IPsec SAs are deleted. The dynamic mode applies to scenarios where the topologies of branch networks change frequently.

The destination and next hop address in a static route created by IPsec RRI depend on your settings. See Table 9.

Table 9 Possible IPsec RRI configurations and the generated routing information

Command: reverse-route static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy
Next hop address:
·     Manual IPsec policy: Peer tunnel address set with the tunnel remote command
·     IPsec policy that uses IKE: The remote tunnel endpoint, which is the address configured with the remote-address command in IKE peer view

Command: reverse-route remote-peer ip-address static
IPsec RRI mode: Static
Route destination: Destination IP address specified in a permit rule of the ACL that is referenced by the IPsec policy
Next hop address: Address identified by the ip-address argument

Command: reverse-route
IPsec RRI mode: Dynamic
Route destination: Protected peer private network
Next hop address: Remote tunnel endpoint

Command: reverse-route remote-peer ip-address
IPsec RRI mode: Dynamic
Route destination: Protected peer private network
Next hop address: Address identified by the ip-address argument, typically the next hop address of the interface where the IPsec policy is applied

Command: reverse-route remote-peer ip-address gateway
IPsec RRI mode: Dynamic
Route 1: destination is the protected peer private network; next hop is the remote tunnel endpoint
Route 2: destination is the remote tunnel endpoint; next hop is the address specified by the ip-address argument (outgoing interface: the interface where the IPsec policy is applied)

Enabling, disabling, or changing RRI settings in an IPsec policy deletes all IPsec SAs created or negotiated by the policy.

To view static routes created by RRI, use the display ip routing-table command. For information about the routing table, see Layer 3—IP Routing Configuration Guide.

If you configure an address range in IKE peer view, static IPsec RRI does not take effect.

Related commands: reverse-route preference and reverse-route tag.

NOTE:

This command is available only for FIPS mode.

Examples

# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network 3.0.0.0/24 as the destination and the remote gateway 1.1.1.2 as the next hop.

<Sysname> system-view

[Sysname] ike peer 1

[Sysname-ike-peer-1] remote-address 1.1.1.2

[Sysname-ike-peer-1] quit

[Sysname] acl number 3000

[Sysname-acl-adv-3000] rule 0 permit ip source 2.0.0.0 0.0.0.255 destination 3.0.0.0 0.0.0.255

[Sysname-acl-adv-3000] quit

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] security acl 3000

[Sysname-ipsec-policy-isakmp-1-1] proposal tran1

[Sysname-ipsec-policy-isakmp-1-1] ike-peer 1

[Sysname-ipsec-policy-isakmp-1-1] reverse-route static

[Sysname-ipsec-policy-isakmp-1-1] quit

[Sysname] interface vlan-interface 1

[Sysname-Vlan-interface1] ipsec policy 1

[Sysname-Vlan-interface1] quit

# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.2         GE3/0/1

# Configure static IPsec RRI to create static routes based on ACL 3000. Take the peer private network as the destination and 1.1.1.3 as the next hop.

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 static

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. You can see that IPsec RRI has created the static route. (Other routes are not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.3         GE3/0/1

# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take the peer private network as the destination and the remote tunnel endpoint 1.1.1.2 as the next hop.

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. The expected route appears in the table after the IPsec SA negotiation succeeds. (Other routes are not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.2         GE3/0/1

# Configure dynamic IPsec RRI to create static routes based on IPsec SAs. Take 1.1.1.3 as the next hop.

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. The expected route appears in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.3         GE3/0/1

# Configure dynamic IPsec RRI to create two static routes based on an IPsec SA: one to the peer private network 3.0.0.0/24 through the remote tunnel endpoint 1.1.1.2, and the other to the remote tunnel endpoint through 1.1.1.3.

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route remote-peer 1.1.1.3 gateway

# Display the routing table. The expected routes appear in the routing table after the IPsec SA negotiation succeeds. (Other routes are not shown.)

[Sysname] display ip routing-table

...

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

1.1.1.2/32          Static 60   0            1.1.1.3         GE3/0/1

3.0.0.0/24          Static 60   0            1.1.1.2         GE3/0/1

reverse-route preference

Syntax

reverse-route preference preference-value

undo reverse-route preference

View

IPsec policy view

Default level

2: System level

Parameters

preference-value: Sets a preference value for the static routes created by IPsec RRI. The value range is 1 to 255. A smaller value represents a higher preference.

Description

Use reverse-route preference to change the preference of the static routes created by IPsec RRI.

Use undo reverse-route preference to restore the default.

The default preference for the static routes created by IPsec RRI is 60.

When you change the route preference, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new preference only to subsequent static routes. It does not delete or modify static routes it has created.

Related commands: reverse-route.

NOTE:

This command is available only for FIPS mode.

Examples

# Set the preference to 100 for static routes populated by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100

reverse-route tag

Syntax

reverse-route tag tag-value

undo reverse-route tag

View

IPsec policy view

Default level

2: System level

Parameters

tag-value: Sets a route tag for the static routes. The value range is 1 to 4294967295.

Description

Use reverse-route tag to set a route tag for the static routes created by IPsec RRI. This tag helps in implementing flexible route control through routing policies.

Use undo reverse-route tag to restore the default.

By default, the tag value is 0 for the static routes created by IPsec RRI.

This command makes sense only when used together with the reverse-route command.

When you change the route tag, static IPsec RRI deletes all static routes it has created and creates new static routes. In contrast, dynamic IPsec RRI applies the new route tag only to subsequent static routes. It does not delete or modify static routes it has created.

For information about routing policies, see Layer 3—IP Routing Configuration Guide.

Related commands: reverse-route.

NOTE:

This command is available only for FIPS mode.

Examples

# Set the tag value to 50 for the static routes created by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route tag 50

sa authentication-hex

Syntax

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher string-key | simple hex-key ]

undo sa authentication-hex { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

cipher string-key: Sets a ciphertext authentication key. The string-key argument is case sensitive and must be a ciphertext string of 1 to 85 characters in non-FIPS mode and 8 to 85 characters in FIPS mode.

simple hex-key: Sets a plaintext authentication key. The hex-key argument is case insensitive and must be a hexadecimal plaintext string of 16 bytes for MD5 and of 20 bytes for SHA1. The FIPS mode does not support MD5.

If neither cipher nor simple is specified, you set a plaintext authentication key string.

Description

Use sa authentication-hex to configure an authentication key for an SA.

Use undo sa authentication-hex to remove the configuration.

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the outbound SA must be identical.

At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.

Related commands: ipsec policy (system view).

Examples

# Configure the authentication keys of the inbound and outbound SAs that use AH as 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 in plain text.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00

sa duration

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

View

IPsec policy view

Default level

2: System level

Parameters

seconds: Time-based SA lifetime in seconds, in the range of 180 to 604800.

kilobytes: Traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.

Description

Use sa duration to set an SA lifetime for the IPsec policy.

Use undo sa duration to restore the default.

By default, the SA lifetime of an IPsec policy equals the current global SA lifetime.

By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime settings, IKE uses the global SA lifetime settings, which are configured with the ipsec sa global-duration command.

When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those proposed by the remote.

The SA lifetime applies to only IKE negotiated SAs. It is not effective for manually configured SAs.

Related commands: ipsec sa global-duration and ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Set the SA lifetime for IPsec policy policy1 to 7200 seconds (two hours).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

sa encryption-hex

Syntax

sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]

undo sa encryption-hex { inbound | outbound } esp

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

esp: Uses ESP.

cipher string-key: Sets a ciphertext encryption key. The string-key argument is case sensitive and must be a ciphertext string of 1 to 117 characters in non-FIPS mode and 8 to 117 characters in FIPS mode.

simple hex-key: Sets a plaintext encryption key. The hex-key argument is case insensitive and must be a hexadecimal plaintext string of 8 bytes for DES-CBC, 16 bytes for AES128-CBC, 24 bytes for 3DES-CBC and AES192-CBC, and 32 bytes for AES256-CBC. The FIPS mode does not support DES or 3DES.

If neither cipher nor simple is specified, you set a plaintext encryption key string.

Description

Use sa encryption-hex to configure an encryption key for an SA.

Use undo sa encryption-hex to remove the configuration.

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

With an IPsec policy for an IPv6 routing protocol, the local SPI of the inbound SA and that of the outbound SA must be identical.

At both ends of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format.

Related commands: ipsec policy (system view).

Examples

# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234 in plain text.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp simple 1234567890abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple abcdefabcdef1234

sa spi

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

spi-number: Security parameters index (SPI) in the SA triplet, in the range of 256 to 4294967295.

Description

Use sa spi to configure an SPI for an SA.

Use undo sa spi to remove the configuration.

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.

The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

When you configure IPsec for an IPv6 routing protocol, follow these guidelines:

·     The inbound and outbound SAs at the local end must use the same SPI.

·     Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.

Related commands: ipsec policy (system view).

Examples

# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000

[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000

sa string-key

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key

undo sa string-key { inbound | outbound } { ah | esp }

View

IPsec policy view

Default level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

cipher: Sets a ciphertext key.

simple: Sets a plaintext key.

string-key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 373 characters. If simple is specified, it must be a plaintext string of 1 to 255 characters. If neither cipher nor simple is specified, you set a plaintext key string. For different algorithms, enter strings of any length in the specified range. Using this key string, the system automatically generates keys meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.

Description

Use sa string-key to set a key string for an SA.

Use undo sa string-key to remove the configuration.

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.

The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.

When you configure an IPsec policy for an IPv6 protocol, follow these guidelines:

·     Within a certain network scope, each router must use the same SPI and keys for its inbound and outbound SAs, and all routers must use the same SPI and keys. For OSPFv3, the scope can be directly connected neighbors or an OSPFv3 area. For RIPng, the scope can be directly connected neighbors or a RIPng process. For IPv6 BGP, the scope can be directly connected neighbors or a neighbor group.

·     Enter the keys in the same format on all routers. For example, if you enter the keys in hexadecimal format on one router, do so across the defined scope.

Related commands: ipsec policy (system view).

NOTE:

This command is not available for FIPS mode.

Examples

# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

# Configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
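The sa spi, sa encryption-hex and sa string-key descriptions above all state the same mirroring rules for a manual policy: the local inbound SA must carry the SPI and key of the remote outbound SA and vice versa, all four SAs must use one key format, a hex key's length is fixed by the ESP algorithm, and DES, 3DES and string keys are unavailable in FIPS mode. The following Python script is an added example (not code from H3C or from this reference) that models the two SAs of a manual policy at each end and checks both configurations against those rules before they are typed into the devices. It assumes plaintext (simple) keys; the ManualSA and ManualPolicy classes, the algorithm names and every sample value are constructed for illustration.

```python
"""Consistency check for a manually keyed IPsec tunnel (added example, not H3C code).

Models the rules the reference states for sa spi, sa encryption-hex and
sa string-key on an ACL-based manual IPsec policy, and checks the
configurations of both tunnel ends against each other. Keys are assumed to
be entered in plaintext (the simple form); the class and algorithm names and
all sample values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Plaintext hex key length in bytes per ESP encryption algorithm (sa encryption-hex).
HEX_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes-cbc-128": 16,
                 "aes-cbc-192": 24, "aes-cbc-256": 32}
NON_FIPS_ONLY = {"des-cbc", "3des-cbc"}   # not supported in FIPS mode
SPI_MIN, SPI_MAX = 256, 4294967295        # sa spi range


@dataclass
class ManualSA:
    protocol: str                    # "ah" or "esp"
    spi: int
    key: str                         # key as typed after the simple keyword
    key_format: str                  # "hex" (sa encryption-hex) or "string" (sa string-key)
    algorithm: Optional[str] = None  # ESP encryption algorithm, needed for hex keys


@dataclass
class ManualPolicy:
    inbound: ManualSA
    outbound: ManualSA


def check_sa(sa: ManualSA, fips: bool) -> List[str]:
    """Per-SA rules: SPI range, key length/format and FIPS restrictions."""
    problems = []
    if not SPI_MIN <= sa.spi <= SPI_MAX:
        problems.append(f"SPI {sa.spi} outside {SPI_MIN}-{SPI_MAX}")
    if sa.key_format == "hex":
        try:
            raw = bytes.fromhex(sa.key)
        except ValueError:
            return problems + [f"hex key {sa.key!r} is not valid hexadecimal"]
        if fips and sa.algorithm in NON_FIPS_ONLY:
            problems.append(f"{sa.algorithm} is not supported in FIPS mode")
        want = HEX_KEY_BYTES.get(sa.algorithm)
        if want is None:
            problems.append(f"unknown algorithm {sa.algorithm!r}")
        elif len(raw) != want:
            problems.append(f"{sa.algorithm} needs {want} bytes, key has {len(raw)}")
    elif sa.key_format == "string":
        if fips:
            problems.append("sa string-key is not available in FIPS mode")
        if not 1 <= len(sa.key) <= 255:
            problems.append("plaintext string-key must be 1 to 255 characters")
    else:
        problems.append(f"unknown key format {sa.key_format!r}")
    return problems


def check_pair(local: ManualPolicy, remote: ManualPolicy, fips: bool = False) -> List[str]:
    """Return every rule violation found; an empty list means the two ends agree."""
    problems = []
    for side, policy in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            for p in check_sa(getattr(policy, direction), fips):
                problems.append(f"{side} {direction}: {p}")
    # Local inbound must mirror remote outbound, and local outbound remote inbound.
    pairs = ((local.inbound, remote.outbound, "local inbound/remote outbound"),
             (local.outbound, remote.inbound, "local outbound/remote inbound"))
    for a, b, label in pairs:
        if a.protocol != b.protocol:
            problems.append(f"{label}: protocol {a.protocol} != {b.protocol}")
        if a.spi != b.spi:
            problems.append(f"{label}: SPI {a.spi} != {b.spi}")
        if a.key_format != b.key_format:
            problems.append(f"{label}: key formats differ")
        elif a.key != b.key:
            problems.append(f"{label}: keys differ")
    # All four SAs on the tunnel must use the same key format.
    formats = {sa.key_format for sa in (local.inbound, local.outbound,
                                        remote.inbound, remote.outbound)}
    if len(formats) > 1:
        problems.append(f"mixed key formats across the tunnel: {sorted(formats)}")
    return problems


# Constructed sample: AES-CBC-128 (16-byte) ESP keys, remote end mirrored correctly.
KEY_A = "1234567890abcdef1234567890abcdef"
KEY_B = "abcdefabcdef1234abcdefabcdef1234"
LOCAL = ManualPolicy(ManualSA("esp", 10000, KEY_A, "hex", "aes-cbc-128"),
                     ManualSA("esp", 20000, KEY_B, "hex", "aes-cbc-128"))
REMOTE_OK = ManualPolicy(ManualSA("esp", 20000, KEY_B, "hex", "aes-cbc-128"),
                         ManualSA("esp", 10000, KEY_A, "hex", "aes-cbc-128"))
# Constructed misconfiguration: SPIs not swapped and an 8-byte key on the outbound SA.
REMOTE_BAD = ManualPolicy(ManualSA("esp", 10000, KEY_B, "hex", "aes-cbc-128"),
                          ManualSA("esp", 20000, "1234567890abcdef", "hex", "aes-cbc-128"))

if __name__ == "__main__":
    print("ok:", check_pair(LOCAL, REMOTE_OK))
    for problem in check_pair(LOCAL, REMOTE_BAD):
        print("bad:", problem)
```

Run with fips=True to apply the FIPS restrictions from the parameter descriptions; the checker deliberately reports every violation rather than stopping at the first, because a swapped SPI and a wrong key length usually come from the same transcription slip.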

security acl

Syntax

security acl acl-number

undo security acl

View

IPsec policy view

Default level

2: System level

Parameters

acl-number: Number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.

Description

Use security acl to specify the ACL for the IPsec policy to reference.

Use undo security acl to remove the configuration.

By default, an IPsec policy references no ACL.

With an IKE-dependent IPsec policy configured, data flows can be protected only in standard mode. In standard mode, one tunnel protects one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.

Both peers must be configured to work in standard mode.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Configure IPsec policy policy1 to reference ACL 3001.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-adv-3001] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] security acl 3001

transform

Syntax

transform { ah | ah-esp | esp }

undo transform

View

IPsec proposal view

Default level

2: System level

Parameters

ah: Uses the AH protocol.

ah-esp: Uses ESP first and then AH.

esp: Uses the ESP protocol.

Description

Use transform to specify a security protocol for an IPsec proposal.

Use undo transform to restore the default.

By default, the ESP protocol is used.

In non-FIPS mode:

·     If AH is used, the default authentication algorithm is MD5.

·     If ESP is used, the default encryption and authentication algorithms are DES and MD5, respectively.

·     If both AH and ESP are used, AH uses the MD5 authentication algorithm by default, and ESP uses the DES encryption algorithm but no authentication algorithm by default.

In FIPS mode:

·     If AH is used, the default authentication algorithm is SHA1.

·     If ESP is used, the default encryption and authentication algorithms are AES-128 and SHA1, respectively.

·     If both AH and ESP are used, AH uses the SHA1 authentication algorithm by default, and ESP uses the AES-128 encryption algorithm and the SHA1 authentication algorithm.

The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.

Related commands: ipsec proposal.

Examples

# Configure IPsec proposal prop1 to use AH.

<Sysname> system-view

[Sysname] ipsec proposal prop1

[Sysname-ipsec-proposal-prop1] transform ah

tunnel local

Syntax

tunnel local ip-address

undo tunnel local

View

IPsec policy view

Default level

2: System level

Parameters

ip-address: Specifies the local address for the IPsec tunnel.

Description

Use tunnel local to configure the local address of an IPsec tunnel.

Use undo tunnel local to remove the configuration.

By default, no local address is configured for an IPsec tunnel.

This command applies to only manual IPsec policies.

The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.

<Sysname> system-view

[Sysname] interface loopback 0

[Sysname-LoopBack0] ip address 10.0.0.1 32

[Sysname-LoopBack0] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1

tunnel remote

Syntax

tunnel remote ip-address

undo tunnel remote [ ip-address ]

View

IPsec policy view

Default level

2: System level

Parameters

ip-address: Specifies the remote address for the IPsec tunnel.

Description

Use tunnel remote to configure the remote address of an IPsec tunnel.

Use undo tunnel remote to remove the configuration.

By default, no remote address is configured for the IPsec tunnel.

This command applies to only manual IPsec policies.

If you configure the remote address repeatedly, the last one takes effect.

An IPsec tunnel is established between the local and remote ends. The remote IP address configured at the local end must be the same as the local IP address of the remote end.

Related commands: ipsec policy (system view).

NOTE:

This command is available only for FIPS mode.

Examples

# Set the remote address of the IPsec tunnel to 10.1.1.2.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 manual

[Sysname-ipsec-policy-manual-policy1-10] tunnel remote 10.1.1.2

IKE configuration commands

The IKE negotiation mode is available only for FIPS mode.

You cannot configure IKE negotiation on tunnel interfaces or aggregation interfaces.

authentication-algorithm

Syntax

authentication-algorithm sha

undo authentication-algorithm

View

IKE proposal view

Default level

2: System level

Parameters

sha: Uses HMAC-SHA1.

Description

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.

Use undo authentication-algorithm to restore the default.

By default, an IKE proposal uses the SHA1 authentication algorithm.

Related commands: ike proposal and display ike proposal.

Examples

# Set HMAC-SHA1 as the authentication algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-algorithm sha

authentication-method

Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

View

IKE proposal view

Default level

2: System level

Parameters

pre-share: Uses the pre-shared key method.

rsa-signature: Uses the RSA digital signature method.

Description

Use authentication-method to specify an authentication method for an IKE proposal.

Use undo authentication-method to restore the default.

By default, an IKE proposal uses the pre-shared key authentication method.

Related commands: ike proposal and display ike proposal.

Examples

# Specify that IKE proposal 10 uses the pre-shared key authentication method.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-method pre-share

certificate domain

Syntax

certificate domain domain-name

undo certificate domain

View

IKE peer view

Default level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Description

Use certificate domain to configure the PKI domain of the certificate when IKE uses digital signature as the authentication mode.

Use undo certificate domain to remove the configuration.

Related commands: authentication-method and pki domain.

Examples

# Configure the PKI domain as abcde for IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] certificate domain abcde

dh

Syntax

dh { group2 | group5 | group14 }

undo dh

View

IKE proposal view

Default level

2: System level

Parameters

group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.

group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.

group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.

Description

Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.

Use undo dh to restore the default.

By default, group2, the 1024-bit Diffie-Hellman group, is used.

Related commands: ike proposal and display ike proposal.

Examples

# Specify 1024-bit Diffie-Hellman for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] dh group2

display ike dpd

Syntax

display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

dpd-name: DPD name, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.

If you do not specify any parameters, the command displays information about all DPD detectors.

Related commands: ike dpd.

Examples

# Display information about all DPD detectors.

<Sysname> display ike dpd

 

---------------------------

 IKE dpd: dpd1

   references: 1

   interval-time: 10

   time_out: 5

---------------------------

Table 10 Output description

Field            Description
references       Number of IKE peers that use the DPD detector.
interval-time    DPD query triggering interval in seconds.
time_out         DPD packet retransmission interval in seconds.

 

display ike peer

Syntax

display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

peer-name: Name of the IKE peer, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ike peer to display information about IKE peers.

If you do not specify any parameters, the command displays information about all IKE peers.

Related commands: ike peer.

Examples

# Display information about all IKE peers.

<Sysname> display ike peer

 

---------------------------

 IKE Peer: rtb4tunn

   exchange mode: main on phase 1

   pre-shared-key ******

   peer id type: ip

   peer ip address: 44.44.44.55

   local ip address:

   peer name:

   nat traversal: disable

   dpd: dpd1

---------------------------

Table 11 Output description

Field              Description
exchange mode      IKE negotiation mode in phase 1.
pre-shared-key     Pre-shared key used in phase 1, displayed as ******.
peer id type       ID type used in phase 1.
peer ip address    IP address of the remote security gateway.
local ip address   IP address of the local security gateway.
peer name          Name of the remote security gateway.
nat traversal      Whether NAT traversal is enabled.
dpd                Name of the peer DPD detector.

 

display ike proposal

Syntax

display ike proposal [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ike proposal to view the settings of all IKE proposals.

This command displays the configuration information for all IKE proposals in the descending order of proposal priorities.

Related commands: authentication-method, ike proposal, encryption-algorithm, authentication-algorithm, dh, and sa duration.

Examples

# Display the settings of all IKE proposals.

<Sysname> display ike proposal

priority authentication authentication encryption Diffie-Hellman duration

              method       algorithm    algorithm     group       (seconds)

--------------------------------------------------------------------------

 10       PRE_SHARED     SHA         AES_CBC_128     MODP_2048      5000

 default  PRE_SHARED     SHA         AES_CBC_128     MODP_1024      86400

Table 12 Output description

Field                     Description
priority                  Priority of the IKE proposal.
authentication method     Authentication method used by the IKE proposal.
authentication algorithm  Authentication algorithm used by the IKE proposal.
encryption algorithm      Encryption algorithm used by the IKE proposal.
Diffie-Hellman group      DH group used in IKE negotiation phase 1.
duration (seconds)        ISAKMP SA lifetime of the IKE proposal in seconds.

 

display ike sa

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]

View

Any view

Default level

1: Monitor level

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.

remote-address remote-address: Displays detailed information about the IKE SA with the specified remote address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Description

Use display ike sa to display information about the current IKE SAs.

If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.

Related commands: ike proposal and ike peer.

Examples

# Display brief information about the current IKE SAs.

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST        1      IPSEC

      2            202.38.0.2      RD|ST        2      IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Table 13 Output description

Field              Description
total phase-1 SAs  Total number of SAs for phase 1.
connection-id      Identifier of the ISAKMP SA.
peer               Remote IP address of the SA.
flag               Status of the SA:
                   ·     RD (READY)—The SA has been established.
                   ·     ST (STAYALIVE)—This end is the initiator of the tunnel negotiation.
                   ·     RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later.
                   ·     FD (FADING)—The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over.
                   ·     TO (TIMEOUT)—The SA has received no keepalive packets after the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
phase              The phase the SA belongs to:
                   ·     Phase 1—The phase for establishing the ISAKMP SA.
                   ·     Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase.
doi                Interpretation domain the SA belongs to.
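The flag column of the brief display ike sa output is where an operator sees an SA going stale (TO) or living past its soft lifetime (FD), so it is the column worth parsing when this output is collected from many devices. The following Python script is an added example, not code from H3C or from this reference: it parses the brief listing, expands the flag abbreviations using the legend the command prints, and reports the SAs in TO or FD state. The first two rows of SAMPLE are copied from the output above; the third row is constructed to show a timed-out SA.

```python
"""Decode the brief 'display ike sa' listing (added example, not H3C code).

Parses the connection-id/peer/flag/phase/doi rows of the reference's sample
output, expands the flag abbreviations using the legend printed under the
table, and reports the SAs whose state (TO or FD) an operator would want to
watch. The first two rows of SAMPLE are copied from the reference; the third
row is constructed to show a timed-out SA.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Flag legend as printed by the command.
FLAG_MEANING = {"RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
                "FD": "FADING", "TO": "TIMEOUT"}
# One SA row: id, peer address, flags joined by '|', phase digit, doi.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d)\s+(\S+)\s*$")

SAMPLE = """\
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST        1      IPSEC
      2            202.38.0.2      RD|ST        2      IPSEC
      3            202.38.0.3      TO           1      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""


@dataclass
class IkeSa:
    connection_id: int
    peer: str
    flags: List[str]     # abbreviations as shown, e.g. ["RD", "ST"]
    phase: int           # 1 = ISAKMP SA, 2 = IPsec SA negotiation
    doi: str

    @property
    def needs_attention(self) -> bool:
        # TO: no keepalive since the last timeout; FD: past the soft lifetime.
        return "TO" in self.flags or "FD" in self.flags


def parse_display_ike_sa(text: str) -> List[IkeSa]:
    """Return one IkeSa per table row; header, separator and legend lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        cid, peer, flags, phase, doi = m.groups()
        flag_list = flags.split("|")
        unknown = [f for f in flag_list if f not in FLAG_MEANING]
        if unknown:
            raise ValueError(f"unknown flag(s) {unknown} on connection {cid}")
        sas.append(IkeSa(int(cid), peer, flag_list, int(phase), doi))
    return sas


def attention_report(text: str) -> Dict[int, List[str]]:
    """Connection id -> expanded flag names, for SAs in TO or FD state only."""
    return {sa.connection_id: [FLAG_MEANING[f] for f in sa.flags]
            for sa in parse_display_ike_sa(text) if sa.needs_attention}


if __name__ == "__main__":
    for cid, names in attention_report(SAMPLE).items():
        print(f"connection {cid}: {' '.join(names)}")
```

An unknown flag abbreviation raises rather than being silently dropped, so a changed output format on a new software release shows up as a parser failure instead of a missed alert.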

 

# Display detailed information about the current IKE SAs.

<Sysname> display ike sa verbose

    ---------------------------------------------

    connection id: 2

    vpn-instance: 1

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: AES_CBC_128

 

    life duration(sec): 86400

    remaining key duration(sec): 86379

    exchange-mode: MAIN

    diffie-hellman group: GROUP2

    nat traversal: NO                                 

# Display detailed information about the IKE SA with the connection ID of 2.

<Sysname> display ike sa verbose connection-id 2

    ---------------------------------------------

    connection id: 2

    vpn-instance: vpn1

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: AES_CBC_128

 

    life duration(sec): 86400

    remaining key duration(sec): 82480

    exchange-mode: MAIN

    diffie-hellman group: GROUP2

    nat traversal: NO

# Display detailed information about the IKE SA with the remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5

    ---------------------------------------------

    connection id: 2

    vpn-instance: vpn1

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: AES_CBC_128

 

    life duration(sec): 86400

    remaining key duration(sec): 82236

    exchange-mode: MAIN

    diffie-hellman group: GROUP2

    nat traversal: NO

Table 14 Output description

Field                        Description
connection id                Identifier of the ISAKMP SA.
vpn-instance                 MPLS L3VPN that the protected data belongs to.
transmitting entity          Entity in the IKE negotiation.
local ip                     IP address of the local gateway.
local id type                Identifier type of the local gateway.
local id                     Identifier of the local gateway.
remote ip                    IP address of the remote gateway.
remote id type               Identifier type of the remote gateway.
remote id                    Identifier of the remote security gateway.
authentication-method        Authentication method used by the IKE proposal.
authentication-algorithm     Authentication algorithm used by the IKE proposal.
encryption-algorithm         Encryption algorithm used by the IKE proposal.
life duration(sec)           Lifetime of the ISAKMP SA in seconds.
remaining key duration(sec)  Remaining lifetime of the ISAKMP SA in seconds.
exchange-mode                IKE negotiation mode in phase 1.
diffie-hellman group         DH group used for key negotiation in IKE phase 1.
nat traversal                Whether NAT traversal is enabled.

 

dpd

Syntax

dpd dpd-name

undo dpd

View

IKE peer view

Default level

2: System level

Parameters

dpd-name: DPD detector name, a string of 1 to 32 characters.

Description

Use dpd to apply a DPD detector to an IKE peer.

Use undo dpd to remove the application.

By default, no DPD detector is applied to an IKE peer.

Examples

# Apply dpd1 to IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] dpd dpd1

encryption-algorithm

Syntax

encryption-algorithm aes-cbc [ key-length ]

undo encryption-algorithm

View

IKE proposal view

Default level

2: System level

Parameters

aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.

key-length: Key length for the AES algorithm in bits: 128, 192, or 256. The default is 128.

Description

Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.

Use undo encryption-algorithm to restore the default.

By default, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.

Related commands: ike proposal and display ike proposal.

Examples

# Use 128-bit AES in CBC mode as the encryption algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] encryption-algorithm aes-cbc 128

exchange-mode

Syntax

exchange-mode main

undo exchange-mode

View

IKE peer view

Default level

2: System level

Parameters

None

Description

Use exchange-mode main to configure the IKE negotiation mode as the main mode.

Use undo exchange-mode to restore the default.

By default, main mode is used.

Related commands: id-type.

Examples

# Specify that IKE negotiation works in main mode.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] exchange-mode main

id-type

Syntax

id-type { ip | name | user-fqdn }

undo id-type

View

IKE peer view

Default level

2: System level

Parameters

ip: Uses an IP address as the ID during IKE negotiation.

name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.

user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.

Description

Use id-type to select the type of the ID for IKE negotiation.

Use undo id-type to restore the default.

By default, the ID type is IP address.

In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation.

If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, [email protected].

Related commands: local-name, ike local-name, remote-name, remote-address, local-address, and exchange-mode.

Examples

# Use the ID type of name during IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] id-type name

ike dpd

Syntax

ike dpd dpd-name

undo ike dpd dpd-name

View

System view

Default level

2: System level

Parameters

dpd-name: Name for the dead peer detection (DPD) detector, a string of 1 to 32 characters.

Description

Use ike dpd to create a DPD detector and enter IKE DPD view.

Use undo ike dpd to remove a DPD detector.

Dead peer detection (DPD) checks for dead IKE peers on demand rather than at fixed intervals. It works as follows:

1.     When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

2.     If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

3.     If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.

4.     If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.
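The four steps above, together with the interval-time and time-out settings made in IKE DPD view, define a small state machine. The following Python model is an added example (not code from H3C or from this reference) that implements those steps so the timing can be traced: a hello is sent only when outbound traffic finds the peer silent for longer than the DPD interval, unanswered hellos are retransmitted every time-out seconds, and after the default two retransmissions the peer is declared dead. The DpdDetector class and the two scenario timelines are constructed for illustration.

```python
"""On-demand dead peer detection, modelled after the four steps the reference gives
for ike dpd (added example, not H3C code).

interval_time and time_out correspond to the interval-time and time-out commands
in IKE DPD view; the retransmission limit is the default of two. Time is passed
in as a number of seconds so the procedure can be driven deterministically; the
two scenario timelines below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdDetector:
    interval_time: int = 10                # DPD interval in seconds (interval-time)
    time_out: int = 5                      # retransmission interval in seconds (time-out)
    max_retries: int = 2                   # retransmissions before the peer is declared dead
    last_rx: float = 0.0                   # when the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None  # when the outstanding DPD hello was sent
    retries: int = 0
    peer_dead: bool = False
    log: List[str] = field(default_factory=list)

    def on_receive(self, now: float) -> None:
        """Any IPsec packet or DPD acknowledgement from the peer proves it is alive."""
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def on_send(self, now: float) -> None:
        """Steps 1 and 2: when sending IPsec traffic, send a DPD hello only if the
        peer has been silent for longer than the DPD interval."""
        if self.peer_dead or self.hello_sent_at is not None:
            return
        if now - self.last_rx > self.interval_time:
            self.hello_sent_at = now
            self.log.append(f"{now:.0f}s: DPD hello sent")

    def tick(self, now: float) -> None:
        """Steps 3 and 4: retransmit an unanswered hello after time_out seconds;
        after max_retries unanswered retransmissions, declare the peer dead."""
        if self.peer_dead or self.hello_sent_at is None:
            return
        if now - self.hello_sent_at >= self.time_out:
            if self.retries < self.max_retries:
                self.retries += 1
                self.hello_sent_at = now
                self.log.append(f"{now:.0f}s: DPD hello retransmitted "
                                f"({self.retries}/{self.max_retries})")
            else:
                self.peer_dead = True
                self.log.append(f"{now:.0f}s: peer dead, clear IKE SA and its IPsec SAs")


def silent_peer_scenario() -> DpdDetector:
    """Constructed timeline: the peer falls silent at t=0, local traffic is sent at t=12."""
    d = DpdDetector(interval_time=10, time_out=5)
    d.on_receive(0)
    d.on_send(5)       # only 5 s of silence: no hello
    d.on_send(12)      # 12 s > 10 s: hello goes out
    for t in range(13, 40):
        d.tick(t)      # retransmits at 17 s and 22 s, peer declared dead at 27 s
    return d


def live_peer_scenario() -> DpdDetector:
    """Constructed timeline: the peer acknowledges the hello within time_out."""
    d = DpdDetector(interval_time=10, time_out=5)
    d.on_receive(0)
    d.on_send(12)
    d.on_receive(14)   # acknowledgement clears the outstanding hello
    for t in range(15, 40):
        d.tick(t)
    return d


if __name__ == "__main__":
    for line in silent_peer_scenario().log:
        print(line)
```

With interval-time 10 and time-out 5, a peer that has stopped answering is cleared about 15 seconds after the first hello, and no DPD traffic is generated at all while the peer keeps sending, which is the contrast with periodic keepalives the paragraph above draws.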

Related commands: display ike dpd, interval-time, and time-out.

Examples

# Create a DPD detector named dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

ike local-name

Syntax

ike local-name name

undo ike local-name

View

System view

Default level

2: System level

Parameters

name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.

Description

Use ike local-name to configure a name for the local security gateway.

Use undo ike local-name to restore the default.

By default, the device name is used as the name of the local security gateway.

If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If you configure both the ike local-name command and the local-name command, the name configured by the local-name command is used.

The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Related commands: remote-name and id-type.

Examples

# Configure the local security gateway name as app.

<Sysname> system-view

[Sysname] ike local-name app

ike next-payload check disabled

Syntax

ike next-payload check disabled

undo ike next-payload check disabled

View

System view

Default level

2: System level

Parameters

None

Description

Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation, so that the device can interoperate with products that set this field to a nonzero value.

Use undo ike next-payload check disabled to restore the default.

By default, the Next payload field is checked.

Examples

# Disable Next payload field checking for the last payload of an IKE message.

<Sysname> system-view

[Sysname] ike next-payload check disabled

ike peer (system view)

Syntax

ike peer peer-name

undo ike peer peer-name

View

System view

Default level

2: System level

Parameters

peer-name: IKE peer name, a string of 1 to 32 characters.

Description

Use ike peer to create an IKE peer and enter IKE peer view.

Use undo ike peer to delete an IKE peer.

Examples

# Create an IKE peer named peer1 and enter IKE peer view.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1]

ike proposal

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

View

System view

Default level

2: System level

Parameters

proposal-number: IKE proposal number in the range of 1 to 65535. A lower number means a higher priority. During IKE negotiation, an IKE proposal with a higher priority is first matched.

Description

Use ike proposal to create an IKE proposal and enter IKE proposal view.

Use undo ike proposal to delete an IKE proposal.

The system provides a default IKE proposal, which has the lowest priority and uses these settings:

·     Encryption algorithm AES-CBC-128

·     Authentication algorithm HMAC-SHA1

·     Authentication method Pre-shared key

·     DH group MODP_1024

·     SA lifetime 86400 seconds

Related commands: display ike proposal.

Examples

# Create IKE proposal 10 and enter IKE proposal view.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10]

ike sa keepalive-timer interval

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

View

System view

Default level

2: System level

Parameters

seconds: Transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to 28800.

Description

Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.

Use undo ike sa keepalive-timer interval to disable the ISAKMP SA keepalive transmission function.

By default, no keepalive packet is sent.

The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.

Related commands: ike sa keepalive-timer timeout.

Examples

# Set the keepalive interval to 200 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer interval 200

ike sa keepalive-timer timeout

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

View

System view

Default level

2: System level

Parameters

seconds: ISAKMP SA keepalive timeout in seconds, in the range of 20 to 28800.

Description

Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.

Use undo ike sa keepalive-timer timeout to disable the function.

By default, no keepalive packet is sent.

The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Because it seldom happens that more than three consecutive packets are lost on a network, the keepalive timeout can be set to three times the keepalive interval.

Related commands: ike sa keepalive-timer interval.

Examples

# Set the keepalive timeout to 20 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer timeout 20
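The interval and timeout rules stated for the two keepalive commands above, as a consistency check over a pair of peer configurations. This is an added example, not H3C code; it assumes each gateway's timers are given as a plain dict, and the sample values are constructed.

```python
"""Consistency check for the ISAKMP SA keepalive timers of two IKE peers.

Added example, not H3C code. The 20-28800 range and the three-times rule
of thumb come from the command reference; peer settings are constructed.
"""

KEEPALIVE_MIN, KEEPALIVE_MAX = 20, 28800  # accepted range for both timers


def check_range(name, seconds):
    """Return a finding if `seconds` is configured but outside the CLI range."""
    if seconds is not None and not KEEPALIVE_MIN <= seconds <= KEEPALIVE_MAX:
        return f"{name}={seconds} is outside {KEEPALIVE_MIN}-{KEEPALIVE_MAX}"
    return None


def check_keepalive_pair(local, remote):
    """Check one direction: `local` sends keepalives every local['interval']
    seconds; `remote` declares the SA dead after remote['timeout'] seconds
    without one. Either key may be absent (the default: timer not set).
    Returns a list of findings; an empty list means the pair is consistent."""
    interval, timeout = local.get("interval"), remote.get("timeout")
    findings = [f for f in (check_range("interval", interval),
                            check_range("timeout", timeout)) if f]
    if interval is None and timeout is None:
        return findings  # keepalives not used in this direction
    if interval is None or timeout is None:
        findings.append("keepalive timer set on only one side; the pair cannot be compared")
        return findings
    # Rule stated by the reference: the sender's interval must be shorter
    # than the receiver's timeout, or a healthy SA is torn down.
    if interval >= timeout:
        findings.append(f"interval {interval}s >= remote timeout {timeout}s: live SA will time out")
    elif timeout < 3 * interval:
        # Advisory only: the reference suggests timeout = 3 x interval.
        findings.append(f"timeout {timeout}s < 3 x interval {interval}s: fewer than three lost packets tolerated")
    return findings


def check_both_directions(gw_a, gw_b):
    """Run the check for A->B and B->A; each gateway dict may hold both timers."""
    return {"a_to_b": check_keepalive_pair(gw_a, gw_b),
            "b_to_a": check_keepalive_pair(gw_b, gw_a)}


if __name__ == "__main__":  # constructed sample using the values from the examples above
    print(check_both_directions({"interval": 200, "timeout": 20},
                                {"interval": 100, "timeout": 600}))
```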

ike sa nat-keepalive-timer interval

Syntax

ike sa nat-keepalive-timer interval seconds

undo ike sa nat-keepalive-timer interval

View

System view

Default level

2: System level

Parameters

seconds: NAT keepalive interval in seconds, in the range of 5 to 300.

Description

Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval.

Use undo ike sa nat-keepalive-timer interval to disable the function.

By default, the NAT keepalive interval is 20 seconds.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ike sa nat-keepalive-timer interval 5

interval-time

Syntax

interval-time interval-time

undo interval-time

View

IKE DPD view

Default level

2: System level

Parameters

interval-time: DPD interval in seconds, in the range of 1 to 300. When the local end sends an IPsec packet, it checks the time at which the last IPsec packet was received from the peer. If the time elapsed since then exceeds the DPD interval, it sends a DPD hello to the peer.

Description

Use interval-time to set the DPD query triggering interval for a DPD detector.

Use undo interval-time to restore the default.

The default DPD interval is 10 seconds.

Examples

# Set the DPD interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] interval-time 1

local

Syntax

local { multi-subnet | single-subnet }

undo local

View

IKE peer view

Default level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Description

Use local to set the subnet type of the local security gateway for IKE negotiation.

Use undo local to restore the default.

By default, the subnet is a single one.

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the local security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local multi-subnet

local-address

Syntax

local-address ip-address

undo local-address

View

IKE peer view

Default level

2: System level

Parameters

ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation.

Description

Use local-address to configure the IP address of the local security gateway in IKE negotiation.

Use undo local-address to remove the configuration.

By default, the primary address of the interface referencing the IPsec policy is used as the local security gateway IP address for IKE negotiation. Use this command if you want to specify a different address for the local security gateway.

Examples

# Set the IP address of the local security gateway to 1.1.1.1.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Syntax

local-name name

undo local-name

View

IKE peer view

Default level

2: System level

Parameters

name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.

Description

Use local-name to configure a name for the local security gateway to be used in IKE negotiation.

Use undo local-name to restore the default.

By default, the device name is used as the name of the local security gateway.

If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID in IKE negotiation, so you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If you configure both the ike local-name command and the local-name command, the name configured by the local-name command is used.

The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Related commands: remote-name, id-type.

Examples

# Set the name of the local security gateway to localgw in IKE peer view of peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] local-name localgw

nat traversal

Syntax

nat traversal

undo nat traversal

View

IKE peer view

Default level

2: System level

Parameters

None

Description

Use nat traversal to enable the NAT traversal function of IKE/IPsec.

Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.

By default, the NAT traversal function is disabled.

Examples

# Enable the NAT traversal function for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] nat traversal

peer

Syntax

peer { multi-subnet | single-subnet }

undo peer

View

IKE peer view

Default level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Description

Use peer to set the subnet type of the peer security gateway for IKE negotiation.

Use undo peer to restore the default.

By default, the subnet is a single one.

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the peer security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] peer multi-subnet

pre-shared-key

Syntax

pre-shared-key [ cipher | simple ] key

undo pre-shared-key

View

IKE peer view

Default level

2: System level

Parameters

cipher: Sets a ciphertext pre-shared key.

simple: Sets a plaintext pre-shared key.

key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 8 to 184 characters. If simple is specified, it must be a plaintext string of 8 to 128 characters. A plaintext pre-shared key must contain all four types of characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters, including space, tilde (~), grave accent (`), exclamation mark (!), at sign (@), pound sign (#), dollar sign ($), percent sign (%), caret (^), ampersand (&), asterisk (*), parentheses (( )), underscore (_), plus sign (+), minus sign (-), equals sign (=), braces ({ }), vertical bar (|), brackets ([ ]), forward and backward slashes (/ \), colon (:), semicolon (;), single and double quotation marks (' "), angle brackets (< >), period (.), and comma (,).

If neither cipher nor simple is specified, you set a plaintext key string.

Description

Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.

Use undo pre-shared-key to remove the configuration.

Related commands: authentication-method.

Examples

# Set the pre-shared key used in IKE negotiation to Ab12<><>.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] pre-shared-key Ab12<><>
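The plaintext key rule from the Parameters section above, as a validator you can run over candidate keys before configuring them. This is an added example, not H3C code; it assumes the device applies exactly the listed character set and the four-class requirement, and the candidate keys are constructed.

```python
"""Validator for the plaintext pre-shared-key rule described above.

Added example, not H3C code: checks the 8-128 character length and the
four required character classes using exactly the special characters the
Parameters section lists. Ciphertext keys (cipher keyword) are not modelled.
"""
import string

# The special characters the reference enumerates, the space included.
ALLOWED_SPECIALS = set(" ~`!@#$%^&*()_+-={}|[]/\\:;'\"<>.,")
MIN_LEN, MAX_LEN = 8, 128
REQUIRED_CLASSES = {"upper", "lower", "digit", "special"}


def classify(ch):
    """Return the character class of `ch`, or None if the CLI would reject it."""
    if ch in string.ascii_uppercase:
        return "upper"
    if ch in string.ascii_lowercase:
        return "lower"
    if ch in string.digits:
        return "digit"
    if ch in ALLOWED_SPECIALS:
        return "special"
    return None


def validate_psk(key):
    """Return the reasons a plaintext key would be rejected; [] means accepted."""
    reasons = []
    if not MIN_LEN <= len(key) <= MAX_LEN:
        reasons.append(f"length {len(key)} not in {MIN_LEN}-{MAX_LEN}")
    classes = [classify(ch) for ch in key]
    rejected = sorted({ch for ch, cls in zip(key, classes) if cls is None})
    if rejected:
        reasons.append("characters outside the allowed set: " + repr("".join(rejected)))
    missing = REQUIRED_CLASSES - set(classes)
    if missing:
        reasons.append("missing character classes: " + ", ".join(sorted(missing)))
    return reasons


if __name__ == "__main__":
    # Constructed inputs: the key from the example above and two rejects.
    for candidate in ("Ab12<><>", "password", "Ab1<"):
        print(repr(candidate), validate_psk(candidate) or "accepted")
```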

proposal (IKE peer view)

Syntax

proposal proposal-number&<1-6>

undo proposal [ proposal-number ]

View

IKE peer view

Default level

2: System level

Parameters

proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.

Description

Use proposal to specify the IKE proposals for the IKE peer to reference.

Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.

By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.

In the IKE negotiation phase 1, the local peer uses the IKE proposals specified for it, if any.

An IKE peer can reference up to six IKE proposals.

The responder uses the IKE proposals configured in system view for negotiation.

Related commands: ike proposal and ike peer (system view).

Examples

# Configure IKE peer peer1 to reference IKE proposal 10.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] proposal 10

remote-address

Syntax

remote-address { hostname | low-ip-address [ high-ip-address ] }

undo remote-address

View

IKE peer view

Default level

2: System level

Parameters

hostname: Host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.

low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.

high-ip-address: Highest address in the address range if you want to specify a range of addresses.

Description

Use remote-address to configure the IP address of the IPsec remote security gateway.

Use undo remote-address to remove the configuration.

The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with the local-address command or, if the local-address command is not configured, the primary IP address of the interface to which the policy is applied.

The local peer can be the initiator of IKE negotiation if the remote address is a host IP address or a host name. If the remote address is an address range, the local end can only be the responder of IKE negotiation, and it responds only to peers within that range.

Related commands: id-type ip and local-address.

Examples

# Configure the IP address of the remote security gateway as 10.0.0.1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-address 10.0.0.1

# Configure the host name of the remote gateway as test.com, so that the local peer resolves the host name and dynamically updates the remote IP address.

<Sysname> system-view

[Sysname] ike peer peer2

[Sysname-ike-peer-peer2] remote-address test.com

remote-name

Syntax

remote-name name

undo remote-name

View

IKE peer view

Default level

2: System level

Parameters

name: Name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.

Description

Use remote-name to configure the name of the remote gateway.

Use undo remote-name to remove the configuration.

If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Related commands: id-type, local-name, and ike local-name.

Examples

# Configure the remote security gateway name as apple for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-name apple

reset ike sa

Syntax

reset ike sa [ connection-id ]

View

User view

Default level

2: System level

Parameters

connection-id: Connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.

Description

Use reset ike sa to clear IKE SAs.

If you do not specify any parameter, the command clears all IKE SAs.

When you clear a local IPsec SA, its IKE SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the IKE SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.

Related commands: display ike sa.

Examples

# Clear the IKE SA that uses connection ID 2.

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST       1       IPSEC

      2            202.38.0.2      RD|ST       2       IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<Sysname> reset ike sa 2

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST       1       IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

sa duration

Syntax

sa duration seconds

undo sa duration

View

IKE proposal view

Default level

2: System level

Parameters

seconds: Specifies the ISAKMP SA lifetime in seconds, in the range of 60 to 604800.

Description

Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.

Use undo sa duration to restore the default.

By default, the ISAKMP SA lifetime is 86400 seconds.

Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up, and the old one will be cleared automatically when it expires.

Related commands: ike proposal and display ike proposal.

Examples

# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] sa duration 600

time-out

Syntax

time-out time-out

undo time-out

View

IKE DPD view

Default level

2: System level

Parameters

time-out: DPD packet retransmission interval in seconds, in the range of 1 to 60.

Description

Use time-out to set the DPD packet retransmission interval for a DPD detector.

Use undo time-out to restore the default.

The default DPD packet retransmission interval is 5 seconds.

Examples

# Set the DPD packet retransmission interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] time-out 1
