Login
- Table of Contents
-
- 09 Security Command Reference
- 00-Preface
- 01-AAA commands
- 02-802.1X commands
- 03-MAC authentication commands
- 04-Portal commands
- 05-Port security commands
- 06-Password control commands
- 07-Public key management commands
- 08-PKI commands
- 09-IPsec commands
- 10-SSH commands
- 11-SSL commands
- 12-IP source guard commands
- 13-ARP attack protection commands
- 14-MFF commands
- 15-uRPF commands
- 16-Crypto engine commands
- 17-FIPS commands
- 18-Attack detection and prevention commands
- 19-ND attack defense commands
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 09-IPsec commands | 396 KB |
display ipsec { ipv6-policy | policy }
display ipsec { ipv6-policy-template | policy-template }
ipsec { ipv6-policy | policy }
ipsec { ipv6-policy | policy } isakmp template
ipsec { ipv6-policy | policy } local-address
ipsec { ipv6-policy-template | policy-template } policy-template
ike invalid-spi-recovery enable
ike signature-identity from-certificate
match local address (IKE keychain view)
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to remove all specified authentication algorithms for the AH protocols.
Syntax
In non-FIPS mode:
ah authentication-algorithm { md5 | sha1 } *
undo ah authentication-algorithm
In FIPS mode:
ah authentication-algorithm sha1
undo ah authentication-algorithm
Default
AH does not use any authentication algorithm.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first AH authentication algorithm.
Examples
# Create an IPsec transform set, and specify the AH authentication algorithm for the transform set as HMAC-SHA1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure description for an IPsec policy, IPsec policy template, or IPsec profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is defined.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Predefined user roles
network-admin
Parameters
text: Specifies the description content, a case-sensitive string of 1 to 80 characters.
Usage guidelines
If the system has multiple IPsec policies, IPsec policy templates, or IPsec profiles, you can use this command to configure different descriptions for them to distinguish them.
Examples
# Configure description for IPsec policy 1 as CenterToA.
<Sysname> system-view
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA
display ipsec { ipv6-policy | policy }
Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.
Syntax
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
· If you do not specify any parameters, this command displays information about all IPsec policies.
· If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence number, this command displays information about all IPsec policy entries with the specified name.
Examples
# Display information about all IPv4 IPsec policies.
<Sysname> display ipsec policy
-------------------------------------------
IPsec Policy: mypolicy
Interface: Vlan-interface 1
-------------------------------------------
-----------------------------
Sequence number: 10
Mode: manual
-----------------------------
Security data flow: 3101
Remote address: 192.168.0.64
Transform set: tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0x0000d431)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x00003039)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 1
Mode: manual
-----------------------------
The policy configuration is incomplete:
ACL not specified
Incomplete transform-set configuration
Description: This is my first IPv4 manual policy
Security data flow:
Remote address: 2.5.2.1
Transform set: transform
Inbound AH setting:
AH SPI: 1200 (0x000004b0)
AH string-key: ******
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 1400 (0x00000578)
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 1300 (0x00000514)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 1500 (0x000005dc)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: isakmp
-----------------------------
The policy configuration is incomplete:
Remote-address not set
ACL not specified
Transform-set not set
Description: This is my first IPv4 Isakmp policy
Security data flow:
Selector mode: standard
Local address:
Remote address:
Transform set:
IKE profile:
SA duration(time based):
SA duration(traffic based):
SA idle time:
-------------------------------------------
IPsec Policy: mycompletepolicy
Interface: LoopBack2
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: manual
-----------------------------
Description: This is my complete policy
Security data flow: 3100
Remote address: 2.2.2.2
Transform set: completetransform
Inbound AH setting:
AH SPI: 5000 (0x00001388)
AH string-key: ******
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 7000 (0x00001b58)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 6000 (0x00001770)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 8000 (0x00001f40)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: isakmp
-----------------------------
Description: This is my complete policy
Security data flow: 3200
Selector mode: standard
Local address:
Remote address: 5.3.6.9
Transform set: completetransform
IKE profile:
SA duration(time based):
SA duration(traffic based):
# Display information about all IPv6 IPsec policies.
<Sysname> display ipsec ipv6-policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: manual
-----------------------------
Description: This is my first IPv6 policy
Security data flow: 3600
Remote address: 1000::2
Transform set: mytransform
Inbound AH setting:
AH SPI: 1235 (0x000004d3)
AH string-key: ******
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 1236 (0x000004d4)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 1237 (0x000004d5)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 1238 (0x000004d6)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Table 1 Command output
|
Field |
Description |
|
IPsec Policy |
IPsec policy name. |
|
Interface |
Interface applied with the IPsec policy. |
|
Sequence number |
Sequence number of the IPsec policy entry. |
|
Mode |
Negotiation mode of the IPsec policy: · manual—Manual mode. · isakmp—IKE negotiation mode. · template—IPsec policy template mode. |
|
The policy configuration is incomplete |
IPsec policy configuration incomplete. Possible causes include: · The ACL is not configured. · The IPsec transform set is not configured. · The ACL does not have any permit statements. · The IPsec transform set configuration is not complete. · The peer IP address of the IPsec tunnel is not specified. · The SPI and key of the IPsec SA do not match the IPsec policy. |
|
Description |
Description of the IPsec policy. |
|
Security data flow |
ACL referenced by the IPsec policy. |
|
Selector mode |
Data flow protection mode of the IPsec policy: · standard · aggregation · per-host |
|
Local address |
Local end IP address of the IPsec tunnel (only available for the IPsec policy using IKE negotiation). |
|
Remote address |
Remote end IP address or host name of the IPsec tunnel. |
|
Transform set |
Transform set referenced by the IPsec policy. |
|
IKE profile |
IKE peer referenced by the IPsec policy. |
|
SA duration(time based) |
Time-based IPsec SA lifetime, in seconds. |
|
SA duration(traffic based) |
Traffic-based IPsec SA lifetime, in kilobytes. |
|
SA idle time |
Idle expiration time of the IPsec SA, in seconds. |
|
AH string-key |
AH string key (****** is displayed if the key is configured). |
|
AH authentication hex key |
AH authentication hex key (****** is displayed if the key is configured). |
|
ESP string-key |
ESP string key (****** is displayed if the key is configured). |
|
ESP encryption hex key |
ESP encryption hex key (****** is displayed if the key is configured). |
|
ESP authentication hex key |
ESP authentication hex key (****** is displayed if the key is configured). |
Related commands
ipsec { ipv6-policy | policy }
display ipsec { ipv6-policy-template | policy-template }
Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates.
Syntax
display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6-policy-template: Displays information about IPv6 IPsec policy templates.
policy-template: Displays information about IPv4 IPsec policy templates.
template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy template entry by its sequence number in the range of 1 to 65535.
Usage guidelines
· If you do not specify any parameters, this command displays information about all IPsec policy templates.
· If you specify an IPsec policy template name and a sequence number, this command displays information about the specified IPsec policy template entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.
Examples
# Display information about all IPv4 IPsec policy templates.
<Sysname> display ipsec policy-template
-----------------------------------------------
IPsec Policy Template: template
-----------------------------------------------
---------------------------------
Sequence number: 1
---------------------------------
Description: This is policy template
Security data flow :
IKE profile: None
Remote address: 162.105.10.2
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
# Display information about all IPv6 IPsec policy templates.
<Sysname> display ipsec ipv6-policy-template
-----------------------------------------------
IPsec Policy Template: template6
-----------------------------------------------
---------------------------------
Sequence number: 1
---------------------------------
Description: This is policy template
Security data flow :
IKE profile: None
Remote address: 200::1/64
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
Table 2 Command output
|
Field |
Description |
|
IPsec Policy Template |
IPsec policy template name. |
|
Sequence number |
Sequence number of the IPsec policy template entry. |
|
Description |
Description of the IPsec policy template. |
|
Security data flow |
ACL referenced by the IPsec policy template. |
|
IKE profile |
IKE peer referenced by the IPsec policy template. |
|
Remote address |
Remote end IP address of the IPsec tunnel. |
|
Transform set |
Transform set referenced by the IPsec policy template. |
|
IPsec SA local duration(time based) |
Time-based IPsec SA lifetime, in seconds. |
|
IPsec SA local duration(traffic based) |
Traffic-based IPsec SA lifetime, in kilobytes. |
Related commands
ipsec { ipv6-policy | policy } isakmp template
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
<Sysname> display ipsec profile
-----------------------------------------------
IPsec profile: profile
Mode: manual
-----------------------------------------------
Description:
Transform set: prop1
Inbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Inbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex-key: ******
ESP authentication hex-key: ******
Outbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Outbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
Table 3 Command output
|
Field |
Description |
|
IPsec profile |
IPsec profile name. |
|
Mode |
Negotiation mode used by the IPsec profile. Only the manual mode is available. |
|
Description |
Description of the IPsec profile. |
|
Transform set |
IPsec transform set referenced by the IPsec profile. |
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and number.
ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.
policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies an IPsec policy by its sequence number. The value range is 1 to 65535.
profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------
Vlan-int1 192.168.0.64 12345 ESP Active
Vlan-int1 192.168.0.61 54321 ESP Active
Table 4 Command output
|
Field |
Description |
|
Interface/Global |
Interface where the IPsec SA belongs to or global IPsec SA (created by using an IPsec profile). |
|
Dst Address |
Remote end IP address of the IPsec tunnel. For the IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
|
SPI |
IPsec SA SPI. |
|
Protocol |
Security protocol used by IPsec. |
|
Status |
Status of the IPsec SA, which can only be Active. |
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: Vlan-interface 1
-------------------------------
-----------------------------
IPsec policy: map1
Sequence number: 10
Mode: manual
-----------------------------
Tunnel id: 0
Encapsulation mode: tunnel
Path MTU: 1427
Tunnel:
local address: 192.168.0.61
remote address: 192.168.0.64
Flow:
as defined in ACL 3101
[Inbound ESP SA]
SPI: 54321 (0x0000d431)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
[Outbound ESP SA]
SPI: 12345 (0x00003039)
Transform set: ESP-ENCRYPT-AES-CBC-192 ESP-AUTH-SHA1
No duration limit for this SA
Table 5 Command output
|
Field |
Description |
|
Interface |
Interface where the IPsec SA belongs. |
|
IPsec policy |
Name of the used IPsec policy. |
|
IPsec profile |
Name of the used IPsec profile. |
|
Sequence number |
Sequence number of the IPsec policy entry. |
|
Mode |
Negotiation mode used by the IPsec policy: · manual · isakmp |
|
Tunnel id |
IPsec tunnel ID |
|
Encapsulation mode |
Encapsulation mode, transport or tunnel. |
|
Perfect Forward Secrecy |
Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: · 768-bit Diffie-Hellman group (dh-group1) · 1024-bit Diffie-Hellman group (dh-group2) · 1536-bit Diffie-Hellman group (dh-group5) · 2048-bit Diffie-Hellman group (dh-group14) · 2048-bit and 256_bit subgroup Diffie-Hellman group (dh-group24) |
|
Path MTU |
Path MTU of the IPsec SA. |
|
Tunnel |
Local and remote addresses of the IPsec tunnel. |
|
local address |
Local end IP address of the IPsec tunnel. |
|
remote address |
Remote end IP address of the IPsec tunnel. |
|
Flow |
Information about the data flow protected by the IPsec tunnel. |
|
sour addr |
Source IP address of the data flow. |
|
dest addr |
Destination IP address, |
|
port |
Port number. |
|
protocol |
Protocol type. |
|
SPI |
SPI of the IPsec SA. |
|
Transform set |
Security protocol and algorithms used by the IPsec transform set. |
|
SA duration (kilobytes/sec) |
IPsec SA lifetime, in kilobytes or seconds. |
|
SA remaining duration (kilobytes/sec) |
Remaining IPsec SA lifetime, in kilobytes or seconds. |
|
Max received sequence-number |
Max sequence number in the received packets. |
|
Max sent sequence-number |
Max sequence number in the sent packets. |
|
Anti-replay check enable |
Whether any-replay checking is enabled. |
|
UDP encapsulation used for NAT traversal |
Whether NAT traversal is used by the IPsec SA. |
|
Status |
Status of the IPsec SA, which can only be Active. |
|
No duration limit for this SA |
The manual IPsec SAs do not have lifetime. |
Related commands
· ipsec sa global-duration
· reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Usage guidelines
If you do not specify any parameters, this command displays statistics for all IPsec packets.
Examples
# Display statistics for all IPsec packets.
<Sysname> display ipsec statistics
IPsec packet statistics:
Received/sent packets: 47/64
Received/sent bytes: 3948/5208
Dropped packets (received/sent): 0/45
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 45
MTU check failure: 0
Loopback limit exceeded: 0
# Display statistics for the packets of IPsec tunnel 1.
<Sysname> display ipsec statistics tunnel-id 1
IPsec packet statistics:
Received/sent packets: 5124/8231
Received/sent bytes: 52348/64356
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Table 6 Command output
|
Field |
Description |
|
Received/sent packets |
Number of received/sent IPsec-protected packets. |
|
Received/sent bytes |
Number of bytes of received/sent IPsec-protected packets. |
|
Dropped packets (received/sent) |
Number of dropped IPsec-protected packets (received/sent). |
|
No available SA |
Number of dropped packets due to lack of available IPsec SA. |
|
Wrong SA |
Number of dropped packets due to wrong IPsec SA. |
|
Invalid length |
Number of dropped packets due to invalid packet length. |
|
Authentication failure |
Number of dropped packets due to authentication failure. |
|
Encapsulation failure |
Number of dropped packets due to encapsulation failure. |
|
Decapsulation failure |
Number of dropped packets due to decapsulation failure. |
|
Replayed packets |
Number of dropped replayed packets. |
|
ACL check failure |
Number of dropped packets due to ACL check failure. |
|
MTU check failure |
Number of dropped packets due to MTU check failure. |
|
Loopback limit exceeded |
Number of dropped packets due to loopback limit exceeded. |
Related commands
reset ipsec statistics
display ipsec transform-set
Use display ipsec transform-set to display information about IPsec transform sets.
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform set: mytransform
State: incomplete
Encapsulation mode: tunnel
Transform: ESP
IPsec transform set: completeTransform
State: complete
Encapsulation mode: transport
Transform: AH-ESP
AH protocol:
Integrity: SHA1
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
Table 7 Command output
|
Field |
Description |
|
IPsec transform set |
Name of the IPsec transform set. |
|
State |
Whether the IPsec transform set is complete. |
|
Encapsulation mode |
Encapsulation mode used by the IPsec transform set: transport or tunnel. |
|
Transform |
Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH. |
|
AH protocol |
AH settings. |
|
ESP protocol |
ESP settings. |
|
Integrity |
Authentication algorithm used by the security protocol. |
|
Encryption |
Encryption algorithm used by the security protocol. |
Related commands
ipsec transform-set
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID in the range of 0 to 4294967295.
Usage guidelines
IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status
----------------------------------------------------------------------------
0 192.168.0.61 192.168.0.64 54321 12345 Active
Table 8 Command output
|
Field |
Description |
|
Src Address |
Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
|
Dst Address |
Destination IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
|
Inbound SPI |
Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines. |
|
Outbound SPI |
Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines. |
|
Status |
Status of the IPsec SA, which can only be Active. |
# Display the number of IPsec tunnels.
<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display information about all IPsec tunnels.
<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: Active
Perfect forward secrecy:
SA's SPI:
outbound: 2000 (0x000007d0) [AH]
inbound: 1000 (0x000003e8) [AH]
outbound: 4000 (0x00000fa0) [ESP]
inbound: 3000 (0x00000bb8) [ESP]
Tunnel:
local address:
remote address:
Flow:
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL3100
# Display information about IPsec tunnel 1.
<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
Table 9 Command output
|
Field |
Description |
|
Tunnel ID |
IPsec ID, used to uniquely identify an IPsec tunnel. |
|
Status |
Status of the IPsec tunnel, which can only be Active. |
|
Perfect Forward Secrecy |
Perfect forward secrecy (PFS) used by the IPsec policy for negotiation: · 768-bit Diffie-Hellman group (dh-group1) · 1024-bit Diffie-Hellman group (dh-group2) · 1536-bit Diffie-Hellman group (dh-group5) · 2048-bit Diffie-Hellman group (dh-group14) · 2048-bit and 256_bit subgroup Diffie-Hellman group (dh-group24) |
|
SA's SPI |
SPIs of the inbound and outbound SAs. |
|
Tunnel |
Local and remote addresses of the IPsec tunnel. |
|
local address |
Local end IP address of the IPsec tunnel. |
|
remote address |
Remote end IP address of the IPsec tunnel. |
|
Flow |
Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol. |
|
as defined in ACL 3001 |
Range of data flow protected by the IPsec tunnel that is established manually. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001. |
encapsulation-mode
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
Default
IP packets are encapsulated in tunnel mode.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
· Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.
· Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.
The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.
The IPsec transform set referenced by the IPsec profile must use the transport mode for packet encapsulation.
Examples
# Configure the IPsec transform set tran1 to use the transport mode for IP packet encapsulation.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport
Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify an authentication algorithm for ESP.
Use undo esp authentication-algorithm to remove all authentication algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp authentication-algorithm { md5 | sha1 } *
undo esp authentication-algorithm
In FIPS mode:
esp authentication-algorithm sha1
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Uses the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Uses the HMAC-SHA1 algorithm, which uses a 160-bit key.
Usage guidelines
In non-FIPS mode, you can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.
Examples
# Configure the IPsec transform set tran1 to use HMAC-SHA1 algorithm as the ESP authentication algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to remove all encryption algorithms specified for ESP.
Syntax
In non-FIPS mode:
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
In FIPS mode:
esp encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }*
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Uses the AES algorithm in CBC mode, which uses a 128- bit key.
aes-cbc-192: Uses AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Uses AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Uses the DES algorithm in CBC mode, which uses a 64-bit key.
null: Uses the NULL algorithm, which means encryption is not performed.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
Examples
# Configure the IPsec transform set tran1 to use aes-cbc-128 as the ESP encryption algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
Related commands
ipsec transform-set
ike-profile
Use ike-profile to specify an IKE profile for an IPsec policy or IPsec policy template.
Use undo ike-profile to remove the configuration.
Syntax
ike-profile profile-name
undo ike-profile
Default
An IPsec policy or IPsec policy template does not reference any IKE profile, and the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured, the globally configured IKE settings are used.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
The IKE profile referenced by an IPsec policy or IPsec policy template defines the parameters used for IKE negotiation.
An IPsec policy or IPsec policy template can reference only one IKE profile and they cannot reference any IKE profile that is already referenced by another IPsec policy or IPsec policy template.
Examples
# Specify IPsec policy policy1 to reference IKE profile profile1.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste.
In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay function drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
IPsec anti-replay checking does not affect manually created IPsec SAs. According to the IPsec protocol, only IPsec SAs negotiated by IKE support anti-replay checking.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
Parameters
width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
Usage guidelines
Changing the anti-replay window size affects only the IPsec SAs negotiated later.
In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Examples
# Set the size of the anti-replay window to 128.
<Sysname> system-view
[Sysname] ipsec anti-replay window 128
Related commands
ipsec anti-replay check
ipsec apply
Use ipsec apply to apply an IPsec policy to an interface.
Use undo ipsec apply to remove the application.
Syntax
ipsec apply { ipv6-policy | policy } policy-name
undo ipsec apply { ipv6-policy | policy }
Default
No IPsec policy is applied to an interface.
Views
Interface view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can apply only one IPsec policy on an interface. To apply a new IPsec policy to the interface, you must first remove the IPsec policy that is already applied to the interface.
An IKE-based IPsec policy can be applied to multiple interfaces. However, H3C recommends that you apply an IKE-based IPsec policy to only one interface. A manual IPsec policy can be applied to only one interface.
Examples
# Apply the IPsec policy policy1 to interface VLAN-interface 1.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ipsec apply policy policy1
Related commands
· display ipsec { ipv6-policy | policy }
· ipsec { ipv6-policy | policy }
ipsec decrypt-check enable
Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.
Use undo ipsec decrypt-check to disable ACL checking for de-encapsulated IPsec packets.
Syntax
ipsec decrypt-check enable
undo ipsec decrypt-check enable
Default
ACL checking for de-encapsulated IPsec packets is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security.
Examples
# Enable ACL checking for de-encapsulated IPsec packets.
<Sysname> system-view
[Sysname] ipsec decrypt-check enable
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
Examples
# Enable logging for IPsec packets.
<Sysname> system-view
[Sysname] ipsec logging packet enable
ipsec df-bit
Use ipsec df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
Syntax
ipsec df-bit { clear | copy | set }
undo ipsec df-bit
Default
The DF bit is not set for outer IP headers of encapsulated IPsec packets on an interface. The global DF bit is used.
Views
Interface view
Predefined user roles
network-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode.
This command does not change the DF bit for the original IP headers of encapsulated packets.
If multiple interfaces have referenced an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.
Examples
# Set the DF bit for outer IP headers of encapsulated IPsec packets on VLAN-interface 1.
[Sysname] interface vlan-interface 1
[Sysname-Vlan-interface1] ipsec df-bit set
Related commands
ipsec global-df-bit
ipsec global-df-bit
Use ipsec global-df-bit to set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
Use undo ipsec global-df-bit to restore the default.
Syntax
ipsec global-df-bit { clear | copy | set }
undo ipsec global-df-bit
Default
The DF bit of original IP headers is copied to the outer IP headers for encapsulated IPsec packets.
Views
System view
Predefined user roles
network-admin
Parameters
clear: Clears the DF bit for outer IP headers. In this case, the encapsulated IPsec packets can be fragmented.
copy: Copies the DF bit of the original IP headers to the outer IP headers.
set: Sets the DF bit for outer IP headers. In this case, the encapsulated IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because outer IP headers are not added in transport mode.
This command does not change the DF bit for the original IP headers of encapsulated packets.
Examples
# Set the DF bit for outer IP headers of encapsulated IPsec packets on all interfaces.
<Sysname> system-view
[Sysname] ipsec global-df-bit set
Related commands
ipsec df-bit
ipsec { ipv6-policy | policy }
Use ipsec { ipv6-policy | policy } to create an IPsec policy entry, and enter IPsec policy view.
Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy.
Syntax
ipsec { ipv6-policy | policy } policy-name seq-number [ isakmp | manual ]
undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]
Default
No IPsec policy is created.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp: Establishes IPsec SAs through IKE negotiation.
manual: Establishes IPsec SAs manually.
Usage guidelines
When you create an IPsec policy, you must specify the SA setup mode (isakmp or manual). When you enter the view of an existing IPsec policy, you do not need to specify the SA setup mode.
You cannot change the SA setup mode of an existing IPsec policy.
An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.
If you specify the seq-number argument, the undo command deletes the specified IPsec policy entry. If you do not specify this argument, the undo command deletes all entries of the specified IPsec policy.
An IPv4 IPsec policy and IPv6 IPsec policy can have the same name.
Examples
# Create an IPsec policy entry, and specify the IPsec policy name as policy1, the sequence number as 100, and the IPsec SA setup mode as IKE, and enter the IPsec policy view.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy entry, and specify the IPsec policy name as policy1, the sequence number as 101, and the IPsec SA setup mode as manual, and enter the IPsec policy view.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
Related commands
· display ipsec { ipv6-policy | policy }
· ipsec apply
ipsec { ipv6-policy | policy } isakmp template
Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy by referencing an IPsec policy template.
Use undo ipsec { ipv6-policy | policy } to delete the specified IPsec policy.
Syntax
ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name
undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]
Default
No IPsec policy is created.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.
isakmp template template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters. The specified IPsec policy template must exist.
Usage guidelines
If you do not specify the seq-number argument, the undo command deletes all entries of the specified IPsec policy.
An interface referencing an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.
Examples
# Create an IPsec policy entry by referencing the IPsec policy template temp1, and specify the IPsec policy name as policy2 and the sequence number as 200.
<Sysname> system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1
Related commands
· display ipsec { ipv6-policy | policy }
· ipsec { ipv6-policy-template | policy-template }
ipsec { ipv6-policy | policy } local-address
Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface.
Use undo ipsec { ipv6-policy | policy } local-address to remove the bindings of IPsec policies and source interfaces.
Syntax
ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number
undo ipsec { ipv6-policy | policy } policy-name local-address
Default
No IPsec policy is bound to a source interface.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy: Specifies an IPv6 IPsec policy.
policy: Specifies an IPv4 IPsec policy.
policy-name: Name of an IPsec policy, a case-insensitive string of 1 to 63 characters.
local-address interface-type interface-number: Specifies the shared source interface by its type and number.
Usage guidelines
For high availability, two interfaces can operate in backup or load sharing mode. After an IPsec policy is applied to the two interfaces, they negotiate with their peers to establish IPsec SAs respectively. When one interface fails and a link failover occurs, the other interface needs to take some time to renegotiate SAs, resulting in service interruption.
To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.
After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind the IPsec policy to a source interface, the existing IPsec SAs are deleted.
Only the IKE-based IPsec policies can be bound to a source interface.
An IPsec policy can be bound to only one source interface. To bind an IPsec policy to another source interface, you must first remove the current binding.
A source interface can be bound to multiple IPsec policies.
H3C recommends that you use a stable interface, such as a Loopback interface, as a source interface.
Examples
# Bind the IPsec policy map to source interface Loopback 11.
<Sysname> system-view
[Sysname] ipsec policy map local-address loopback 11
Related commands
ipsec { ipv6-policy | policy }
ipsec { ipv6-policy-template | policy-template } policy-template
Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template, and enter IPsec policy template view.
Use undo ipsec { ipv6-policy-template | policy-template } to delete the specified IPsec policy template.
Syntax
ipsec { ipv6-policy-template | policy-template } template-name seq-number
undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ]
Default
No IPsec policy template is created.
Views
System view
Predefined user roles
network-admin
Parameters
ipv6-policy-template: Specifies an IPv6 IPsec policy template.
policy-template: Specifies an IPv4 IPsec policy template.
template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 63 characters.
seq-number: Specifies a sequence number for the IPsec policy template, in the range of 1 to 65535. A smaller number indicates a higher priority.
Usage guidelines
The configurable parameters for an IPsec policy template are similar to the parameters that you use when you configure an IKE-based IPsec policy. However, all parameters except for the IPsec transform sets and the IKE peer are optional for an IKE-based IPsec policy.
An IPsec policy template is a set of IPsec policy template entries that have the same name but different sequence numbers.
With the seq-number argument specified, the undo command deletes an IPsec policy template entry.
An IPv4 IPsec policy template and an IPv6 IPsec policy template can have the same name.
Examples
# Create an IPsec policy template entry with the name template1 and sequence number 100, and enter the IPsec policy template view.
<Sysname> system-view
[Sysname] ipsec policy-template template1 100
[Sysname-ipsec-policy-template-template1-100]
Related commands
· display ipsec { ipv6-policy-template | policy-template }
· ipsec { ipv6-policy | policy }
· ipsec { ipv6-policy | policy } isakmp template
ipsec profile
Use ipsec profile to create an IPsec profile, and enter IPsec profile view.
Use undo ipsec profile to delete the specified IPsec profile.
Syntax
ipsec profile profile-name [ manual ]
undo ipsec profile profile-name
Default
No IPsec profile is created.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.
manual: Specifies the IPsec SA setup mode as manual.
Usage guidelines
When you create an IPsec profile, you must specify the IPsec SA setup mode (manual). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode.
An IPsec profile is similar to a manual IPsec policy. It is dedicatedly used for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.
Examples
# Create an IPsec profile named profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-profile1]
Related commands
display ipsec profile
ipsec redundancy enable
Use ipsec redundancy enable to enable IPsec redundancy.
Use undo ipsec redundancy enable to disable IPsec redundancy.
Syntax
ipsec redundancy enable
undo ipsec redundancy enable
Default
IPsec redundancy is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
With IPsec redundancy enabled, the system synchronizes the following information from the master device to all subordinate devices in an IRF fabric at configurable intervals:
· Lower bound values of the IPsec anti-replay window for inbound packets.
· IPsec anti-replay sequence numbers for outbound packets.
The synchronization ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the master device in an IRF fabric fails.
To configure synchronization intervals, use the redundancy replay-interval command.
Examples
# Enable IPsec redundancy.
[Sysname] ipsec redundancy enable
Related commands
redundancy replay-interval
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Usage guidelines
You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes.
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.
Examples
# Configure the global IPsec SA lifetime as 7200 seconds.
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
· display ipsec sa
· sa duration
ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout function and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to restore the default.
Syntax
ipsec sa idle-time seconds
undo ipsec sa idle-time
Default
The global IPsec SA idle timeout function is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This function applies only to IPsec SAs negotiated by IKE.
The IPsec SA idle timeout can also be configured in IPsec policy view or IPsec policy template view, which takes precedence over the global IPsec SA timeout.
Examples
# Set the IPsec SA idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec sa idle-time 600
· display ipsec sa
· sa idle-time
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform set exists.
Views
System view
Predefined user roles
network-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, and authentication algorithms.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-transform-set-tran1]
display ipsec transform-set
local-address
Use local-address to configure the local IP address for the IPsec tunnel.
Use undo local-address to restore the default.
Syntax
local-address { ipv4-address | ipv6 ipv6-address }
undo local-address
Default
The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.
ipv6 ipv6-address: Specifies the local IPv6 address for the IPsec tunnel.
Usage guidelines
The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.
Examples
# Configure the local address 1.1.1.1 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy map 1 isakmp
[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1
remote-address
pfs
Use pfs to enable the perfect forward secrecy (PFS) feature for an IPsec transform set, used for IKE negotiation.
Use undo pfs to restore the default.
Syntax
In non-FIPS mode:
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
In FIPS mode:
pfs dh-group14
undo pfs
Default
The PFS feature is disabled for the IPsec transform set.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.
Usage guidelines
In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
The security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder.
The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.
Examples
# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14
protocol
Use protocol to specify a security protocol for an IPsec transform set.
Use undo protocol to restore the default.
Syntax
protocol { ah | ah-esp | esp }
undo protocol
Default
The IPsec transform set uses the ESP protocol.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
ah: Specifies the AH protocol.
ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
ah: Specifies the AH protocol.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
qos pre-classify
Use qos pre-classify to enable the QoS pre-classify feature.
Use undo qos pre-classify to restore the default.
Syntax
qos pre-classify
undo qos pre-classify
Default
The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Usage guidelines
The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.
Examples
# Enable the QoS pre-classify feature.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify
redundancy replay-interval
Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.
Use undo redundancy replay-interval to restore the default.
Syntax
redundancy replay-interval inbound inbound-interval outbound outbound-interval
undo redundancy replay-interval
Default
The master device synchronizes the anti-replay window lower bound value every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
inbound inbound-interval: Sets the interval at which the master device synchronizes the lower bound value of the IPsec anti-replay window to subordinate devices. This interval is expressed in the number of received packets, in the range of 0 to 1000. If you set the value to 0, the lower bound value of the anti-replay window will not be synchronized.
outbound outbound-interval: Sets the interval at which the master device synchronizes the IPsec anti-replay sequence number to subordinate devices. This interval is expressed in the number of sent packets, in the range of 1000 to 100000.
Usage guidelines
The intervals take effect only after you enable IPsec redundancy by using the ipsec redundancy enable command.
A short interval improves the anti-replay information consistency between the master device and the subordinate devices in an IRF fabric, but it sacrifices the forwarding performance of the devices.
Examples
# Set the anti-replay window lower bound value synchronization interval for inbound packets to 800. Set the sequence number synchronization interval for outbound packets to 50000.
[Sysname] ipsec policy test 1
[sysname-ipsec-policy-test-1] redundancy relay-interval inbound 800 outbound 50000
Related commands
· ipsec anti-replay check
· ipsec anti-replay window
· ipsec redundancy enable
remote-address
Use remote-address to configure the remote IP address for the IPsec tunnel.
Use undo remote-address to restore the default.
Syntax
remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
undo remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }
Default
No remote IP address is specified for the IPsec tunnel.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies a remote IPv6 address. If you do not specify this keyword, you specify an IPv4 address or host name.
hostname: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.
ipv4-address: Specifies a remote IPv4 address.
ipv6-address: Specifies a remote IPv6 address.
Usage guidelines
This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder if the responder uses an IPsec policy template.
A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy.
If you configure a remote host name, the following scenarios apply:
· If the host name is resolved by the DNS server, the local end sends a request to the DNS server to obtain the latest IP address corresponding to the host name when the domain name resolution period expires. The resolution period is defined by the DNS server and restarts after the local end obtains the latest IP address of the host.
· If the host name is resolved by the ip host command and you change the IP address of the remote host, you must reconfigure the remote host name in the IPsec policy or IPsec policy template by using the remote-address command. Otherwise, the local end cannot obtain the latest IP address of the remote host.
For example, the local end has a static domain name resolution entry, which maps the host name test to the IP address 1.1.1.1. Configure the following commands:
# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test
# Change the IP address for the host test to 2.2.2.2.
[Sysname] ip host test 2.2.2.2
In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host.
# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.
[Sysname] ipsec policy policy1 1 isakmp
[Sysname -ipsec-policy-isakmp-policy1-1] remote-address test
Examples
# Specify the remote IP address 10.1.1.2 for the IPsec tunnel.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-policy1-10] remote-address 10.1.1.2
· ip host (see Layer 3—IP Services Commands Reference)
· local-address
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile policy-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
Parameters
{ ipv6-policy | policy } policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.
· ipv6-policy: Specifies an IPv6 IPsec policy.
· policy: Specifies an IPv4 IPsec policy.
· policy-name: Specifies the name of the IPsec policy, a case-insensitive string of 1 to 63 characters.
· seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 65535. If you do not specify this argument, all the entries in the IPsec policy are specified.
profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.
remote: Clears IPsec SAs for the specified remote address.
· ipv4-address: Specifies a remote IPv4 address.
· ipv6 ipv6-address: Specifies a remote IPv6 address.
spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.
· ipv4-address: Specifies a remote IPv4 address.
· ipv6 ipv6-address: Specifies a remote IPv6 address.
· ah: Specifies the AH protocol.
· esp: Specifies the ESP protocol.
· spi-num: Specifies the security parameter index in the range of 256 to 4294967295.
Usage guidelines
If you do not specify any parameters, this command clears all IPsec SAs.
If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPSec SAs using the other security protocol (AH or ESP).
An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.
After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets.
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 123, remote IP address 10.1.1.2, and security protocol AH.
<Sysname> reset ipsec sa spi 10.1.1.2 ah 123
# Clear all IPsec SAs for the remote IP address 10.1.1.2.
<Sysname> reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs for the entry 10 of the IPsec policy policy1.
<Sysname> reset ipsec sa policy policy1 10
# Clear all IPsec SAs for the IPsec policy policy1.
<Sysname> reset ipsec sa policy policy1
Related commands
display ipsec sa
reset ipsec statistics
Use reset ipsec statistics to clear IPsec packet statistics.
Syntax
reset ipsec statistics[ tunnel-id tunnel-id ]
Views
User view
Predefined user roles
network-admin
Parameters
tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics.
Examples
# Clear IPsec packet statistics.
<Sysname> reset ipsec statistics
display ipsec statistics
sa duration
Use sa duration to set an SA lifetime for an IPsec policy or IPsec policy template.
Use undo sa duration to remove the SA lifetime.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec policy or an IPsec policy template is the current global SA lifetime.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec policy over the global SA lifetime. If the IPsec policy is not configured with the SA lifetime, IKE uses the global SA lifetime configured by the ipsec sa global-duration command for SA negotiation.
During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.
Examples
# Set the SA lifetime for the IPsec policy policy1 to 7200 seconds.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for the IPsec policy policy1 to 20 MB. The IPsec SA expires after transmitting 20480 kilobytes.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
Related commands
· display ipsec sa
· ipsec sa global-duration
sa hex-key authentication
Use sa hex-key authentication to configure a hexadecimal authentication key for manual IPsec SAs.
Use undo sa hex-key authentication to remove the hexadecimal authentication key.
Syntax
sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } key-value
undo sa hex-key authentication { inbound | outbound } { ah | esp }
Default
No authentication key is configured for manual IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal authentication key for inbound SAs.
outbound: Specifies a hexadecimal authentication key for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
cipher key-value: Sets a ciphertext authentication key, a case-sensitive string of 1 to 85 characters.
simple key-value: Sets a plaintext authentication key. The key-value argument is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, and a 20-byte hexadecimal string for HMAC-SHA1.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an authentication key for both the inbound and outbound SAs.
The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00
· display ipsec sa
· sa string-key
sa hex-key encryption
Use sa encryption-hex to configure a hexadecimal encryption key for manual IPsec SAs.
Use undo sa encryption-hex to remove the hexadecimal encryption key.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } key-value
undo sa hex-key encryption { inbound | outbound } esp
Default
No encryption key is configured for manual IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal encryption key for inbound SAs.
outbound: Specifies a hexadecimal encryption key for outbound SAs.
esp: Uses ESP.
cipher key-value: Sets a ciphertext encryption key, a case-sensitive string of 1 to 117 characters.
simple key-value: Sets a plaintext encryption key. The key-value argument is case insensitive and must be an 8-byte hexadecimal string for DES-CBC, a 24-byte hexadecimal string for 3DES-CBC, a 16-byte hexadecimal string for AES128-CBC, a 24-byte hexadecimal string for AES192-CBC, and a 32-byte hexadecimal string for AES256-CBC.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.
If you configure a key in different formats (hexadecimal or character format), only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234
· display ipsec sa
· sa string-key
sa idle-time
Use sa idle-time to set the IPsec SA idle timeout for an IPsec policy or IPsec policy template. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec policy or IPsec policy template uses the global IPsec SA idle timeout.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This function applies only to IPsec SAs negotiated by IKE and takes effect when the ipsec sa idle-time command has been configured.
The IPsec SA idle timeout configured in IPsec policy view or IPsec policy template view takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command.
Examples
# Set the IPsec SA idle timeout to 600 seconds for the IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy map 100 isakmp
[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600
Related commands
· display ipsec sa
· ipsec sa idle-time
sa spi
Use sa spi to configure an SPI for IPsec SAs.
Use undo sa spi to remove the SPI.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.
When you configure an IPsec policy or IPsec profile for an IPv6 routing protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same SPI.
· The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
Examples
# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
display ipsec sa
sa string-key
Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.
Use undo sa string-key to remove the key string.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for IPsec SAs.
Views
IPsec policy view, IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Sets a ciphertext key.
simple: Sets a plaintext key.
key-value: Specifies a case-sensitive key string. If cipher is specified, it must be a string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters. Using this key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.
Usage guidelines
This command applies only to manual IPsec policies and IPsec profiles.
You must set a key for both inbound and outbound SAs.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
If you configure a key in different formats, only the most recent configuration takes effect.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
When you configure an IPsec policy or IPsec profile for an IPv6 protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same key.
· The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPF, the scope consists of OSPF neighbors or an OSPF area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
Examples
# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
# In an IPsec policy for an IPv6 routing protocol, configure the inbound and outbound SAs that use AH to use the plaintext key abcdef.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
Related commands
· display ipsec sa
· sa hex-key
security acl
Use security acl to reference an ACL for an IPsec policy or IPsec policy template.
Use undo security acl to remove the ACL referenced by an IPsec policy or IPsec policy template.
Syntax
security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]
undo security acl
Default
An IPsec policy or IPsec policy template references no ACL.
Views
IPsec policy view, IPsec policy template view
Predefined user roles
network-admin
Parameters
ipv6: Specifies an IPv6 ACL.
acl-number: Specifies an ACL by its number in the range of 3000 to 3999.
name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.
aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.
per-host: Specifies the data protection mode as per-host.
Usage guidelines
An IKE-based IPsec policy supports the following data flow protection modes:
· Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. The standard mode is used if you do not specify the aggregation or the per-host mode.
· Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.
· Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.
A manual IPsec policy supports only the standard mode.
Examples
# Reference ACL 3001 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Reference ACL 3002 for the IPsec policy policy2 and specify the data protection mode as aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
Related commands
· display ipsec sa
· display ipsec tunnel
snmp-agent trap enable ipsec
Use snmp-agent trap enable ipsec command to enable SNMP notifications for IPsec.
Use undo snmp-agent trap enable ipsec command to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach tunnel-start | tunnel-stop] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach tunnel-start | tunnel-stop] *
Default
All SNMP notifications for IPsec are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
auth-failure: Specifies SNMP notifications for authentication failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-sa-failure: Specifies SNMP notifications for invalid-SA failures.
no-sa-failure: Specifies SNMP notifications for SA-not-found failures.
policy-add: Specifies SNMP notifications for events of adding IPsec policies.
policy-attach: Specifies SNMP notifications for events of applying IPsec policies to interfaces.
policy-delete: Specifies SNMP notifications for events of deleting IPsec policies.
policy-detach: Specifies SNMP notifications for events of removing IPsec policies from interfaces.
tunnel-start: Specifies SNMP notifications for events of creating IPsec tunnels.
tunnel-stop: Specifies SNMP notifications for events of deleting IPsec tunnels.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.
To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:
1. Enable SNMP notifications for IPsec globally.
2. Enable SNMP notifications for the failure type or event type.
Examples
To enable SNMP notifications when an IPsec tunnel is created, execute the following commands:
# Enable SNMP notifications for IPsec globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for events of creating IPsec tunnels.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to reference an IPsec transform set for an IPsec policy, IPsec policy template, or IPsec profile.
Use undo transform-set to remove the IPsec transform set referenced by an IPsec policy, IPsec policy template, or IPsec profile.
Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]
Default
An IPsec policy, IPsec policy template, or IPsec profile references no IPsec transform set.
Views
IPsec policy view, IPsec policy template view, IPsec profile view
Predefined user roles
network-admin
Parameters
transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.
Usage guidelines
A manual IPsec policy can reference only one IPsec transform set. If you specify an IPsec transform set for the manual IPsec policy multiple times, the most recent configuration takes effect.
An IKE-based IPsec policy can reference six IPsec transform sets at most. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
If you do not specify the transform-set-name argument, the undo transform-set command removes all referenced IPsec transform sets.
Examples
# Reference the IPsec transform set prop1 for the IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] transform-set prop1
Related commands
· ipsec { ipv6-policy | policy }
· ipsec profile
· ipsec transform-set
The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.
The term "interface" in this chapter collectively refers to Layer 3 interfaces, including VLAN interfaces and Layer 3 Ethernet interfaces. You can set an Ethernet port as a Layer 3 interface by using the port link-mode route command (see Layer 2—LAN Switching Configuration Guide).
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
In non-FIPS mode:
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 }
undo authentication-algorithm
In FIPS mode:
authentication-algorithm { sha | sha256 | sha384 | sha512 }
undo authentication-algorithm
Default
In non-FIPS mode, the IKE proposal uses the HMAC-SHA1 authentication algorithm. In FIPS mode, the IKE proposal uses the HMAC-SHA256 authentication algorithm.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
md5: Specifies HMAC-MD5 as the authentication algorithm.
sha: Specifies HMAC-SHA1 as the authentication algorithm.
sha256: Specifies HMAC-SHA256 as the authentication algorithm.
sha384: Specifies HMAC-SHA384 as the authentication algorithm.
sha512: Specifies HMAC-SHA512 as the authentication algorithm.
Examples
# Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-algorithm sha
Related commands
display ike proposal
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method { dsa-signature | pre-share | rsa-signature }
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
dsa-signature: Specifies the DSA signatures as the authentication method.
pre-share: Specifies the pre-shared key as the authentication method.
rsa-signature: Specifies the RSA signatures as the authentication method.
Usage guidelines
Pre-shared key authentication does not require certificates as signature authentication, and it is usually used in a simple network. Signature authentication provides higher security, and it is usually deployed in a large-scale network, such as a network with many branches.
Authentication methods configured on both IKE ends must match.
If you specify RSA or DSA signatures, you must configure the IKE peer to obtain certificates from a CA.
If you specify pre-shared keys, you must configure these pre-shared keys on both IKE ends.
Examples
# Specify pre-shared key authentication to be used in IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-method pre-share
Related commands
· display ike proposal
· ike keychain
· pre-shared-key
certificate domain
Use certificate domain to specify a PKI domain for IKE signatures.
Use undo certificate domain to remove the specified PKI domain configuration.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domain is specified for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters. If you do not specify this argument, all PKI domains configured on the device are used for enrollment, authentication, certificate issuing, validation, and signature.
Usage guidelines
You can specify up to 6 PKI domains for an IKE profile.
IKE can use the PKI domain to automatically obtain the CA certificate, and then request a local certificate. If the CA certificate exists, the IKE requests a local certificate.
· On the initiator: If the IKE profile has a PKI domain and the automatic request of certificate is configured for the PKI domain, the initiator automatically obtains the CA certificate. If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
· On the responder: During the IKE negotiation phase 1:
¡ If main mode is used, the responder does not automatically obtain the CA certificate. You must manually request the CA certificate.
¡ If aggressive mode is used, the responder does not automatically obtain the CA certificate unless a matching IKE profile is found, an IKE domain is specified in the profile, and the automatic request of certificate is configured for the PKI domain.
Examples
# Specify the PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
· authentication-method
· pki domain
dh
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
Syntax
In non-FIPS mode:
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
In FIPS mode:
dh group14
undo dh
Default
In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used.
In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group5: Uses the 1536-bit Diffie-Hellman group.
Usage guidelines
A DH group that uses more bits provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.
Examples
# Specify the 2048-bit Diffie-Hellman group group1 to be used in key negotiation phase 1 for an IKE proposal.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] dh group14
Related commands
display ike proposal
display ike proposal
Use display ike proposal to display configuration information about all IKE proposals.
Syntax
display ike proposal
Views
Any view
Predefined user roles
network-admin
network-operator
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, this command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
<Sysname> display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 RSA-SIG SHA1 DES-CBC Group 1 5000
11 PRE-SHARED-KEY SHA1 DES-CBC Group 1 50000
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
Table 10 Command output
|
Field |
Description |
|
Priority |
Priority of the IKE proposal |
|
Authentication method |
Authentication method used by the IKE proposal. |
|
Authentication algorithm |
Authentication algorithm used in the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. · SHA256—HMAC-SHA256 algorithm. · SHA384—HMAC-SHA384 algorithm. · SHA512—HMAC-SHA512 algorithm. |
|
Encryption algorithm |
Encryption algorithm used by the IKE proposal: · 3DES-CBC—168-bit 3DES algorithm in CBC mode. · AES-CBC-128—128-bit AES algorithm in CBC mode. · AES-CBC-192—192-bit AES algorithm in CBC mode. · AES-CBC-256—256-bit AES algorithm in CBC mode. · DES-CBC—56-bit DES algorithm in CBC mode. |
|
Diffie-Hellman group |
DH group used in IKE negotiation phase 1. |
|
Duration (seconds) |
IKE SA lifetime (in seconds) of the IKE proposal |
Related commands
ike proposal
display ike sa
Use display ike sa to display information about the current IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id | remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
remote-address: Displays detailed information about IKE SAs with the specified remote address.
ipv6: Specifies an IPv6 address.
remote-address: Remote IP address.
vpn-instance vpn-name: Displays detailed information about IKE SAs in an MPLS L3VPN. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To display information about IKE SAs on the public network, do not specify this parameter.
Usage guidelines
If you do not specify any parameters, this command displays a summary about all IKE SAs.
Examples
# Display information about the current IKE SAs.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING
Table 11 Command output
|
Field |
Description |
|
Connection-ID |
Identifier of the IKE SA. |
|
Remote |
Remote IP address of the SA. |
|
Flags |
Status of the SA: · RD (READY)—The SA has been established. · ST (STAYALIVE)—This end is the initiator of the tunnel negotiation. · RL (REPLACED)—The SA has been replaced by a new one and will be deleted later. · FD (FADING)—The SA is in use, but it is about to expire and will be deleted soon. · Unknown—The SA status is unknown. |
|
DOI |
Interpretation domain to which the SA belongs. |
# Display detailed information about the current IKE SAs.
<Sysname> display ike sa verbose
---------------------------------------------
Connection ID: 2
Outside VPN: 1
Inside VPN: 1
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
Connection ID: 2
Outside VPN: 1
Inside VPN: 1
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Table 12 Command output
|
Field |
Description |
|
Connection ID |
Identifier of the IKE SA. |
|
Outside VPN |
VPN instance name of the MPLS L3VPN to which the receiving interface belongs. |
|
Inside VPN |
VPN instance name of the MPLS L3VPN to which the protected data belongs. |
|
Profile |
Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing. |
|
Transmitting entity |
Role of the IKE negotiation entity: Initiator or Responder. |
|
Local IP |
IP address of the local gateway. |
|
Local ID type |
Identifier type of the local gateway. |
|
Local ID |
Identifier of the local gateway. |
|
Remote IP |
IP address of the remote gateway. |
|
Remote ID type |
Identifier type of the remote gateway. |
|
Remote ID |
Identifier of the remote security gateway. |
|
Authentication-method |
Authentication method used by the IKE proposal. |
|
Authentication-algorithm |
Authentication algorithm used by the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. · SHA256—HMAC-SHA256 algorithm. · SHA384—HMAC-SHA384 algorithm. · SHA512—HMAC-SHA512 algorithm. |
|
Encryption-algorithm |
Encryption algorithm used by the IKE proposal: · 3DES-CBC—168-bit 3DES algorithm in CBC mode. · AES-CBC-128—128-bit AES algorithm in CBC mode. · AES-CBC-192—192-bit AES algorithm in CBC mode. · AES-CBC-256—256-bit AES algorithm in CBC mode. · DES-CBC—56-bit DES algorithm in CBC mode. |
|
Life duration(sec) |
Lifetime of the IKE SA in seconds. |
|
Remaining key duration(sec) |
Remaining lifetime of the IKE SA in seconds. |
|
Exchange-mode |
IKE negotiation mode in phase 1: main mode or aggressive mode. |
|
Diffie-Hellman group |
DH group used for key negotiation in IKE phase 1. |
|
NAT traversal |
Whether NAT traversal is detected. |
dpd
Use dpd to enable the device to send DPD messages.
Use undo dpd to disable the IKE DPD function.
Syntax
dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKE DPD is disabled.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
· If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
· If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails. The value for the second argument is from 1 to 60 seconds, and it defaults to 5 seconds.
on-demand: Sends DPD messages on demand.
periodic: Sends DPD messages at regular intervals.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand
Related commands
ike dpd
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
Syntax
In non-FIPS mode:
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc }
undo encryption-algorithm
In FIPS mode:
encryption-algorithm { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
undo encryption-algorithm
Default
In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
In FIPS mode, an IKE proposal uses the 128-bit AES encryption algorithm in CBC mode.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses a 168-bit key for encryption.
aes-cbc-128: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 128-bit key for encryption.
aes-cbc-192: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 192-bit key for encryption.
aes-cbc-256: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses a 256-bit key for encryption.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses a 56-bit key for encryption.
Usage guidelines
Different algorithms provide different levels of protection. Generally, an algorithm with a longer key is stronger. A stronger algorithm provides more resistance to decryption but uses more resources. The algorithm strength from low to high is des-cbc, 3des-cbc, aes-cbc-128, aes-cbc-192, and aes-cbc-256.
Examples
# Use the 128-bit AES in CBC mode as the encryption algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] encryption-algorithm aes-cbc-128
Related commands
display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode for phase 1.
Use undo exchange-mode to restore the default.
Syntax
In non-FIPS mode:
exchange-mode { aggressive | main }
undo exchange-mode
In FIPS mode:
exchange-mode main
undo exchange-mode
Default
Main mode is used for phase 1.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
aggressive: Specifies the aggressive mode.
main: Specifies the main mode.
Usage guidelines
When a user at the local end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, H3C recommends specifying the aggressive mode at the local end.
Examples
# Specify that IKE negotiation operates in main mode.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] exchange-mode main
Related commands
display ike proposal
ike dpd
Use ike dpd to enable sending DPD messages.
Use undo ike dpd to disable the DPD feature.
Syntax
ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }
undo ike dpd interval
Default
IKE DPD is disabled.
Views
System view
Predefined user roles
network-admin
Parameters
interval interval-seconds: Specifies a period of time in seconds. The value range is from 1 to 300.
· If the on-demand keyword is specified, this parameter specifies the number of seconds during which no IPsec packet is received before DPD is triggered if the local end has IPsec traffic to send.
· If the periodic keyword is specified, this parameter specifies a DPD triggering interval.
retry seconds: Specifies the number of seconds between DPD retries if the DPD message fails. The value for the second argument is from 1 to 60 seconds, and it defaults to 5 seconds.
on-demand: Sends DPD messages on demand.
periodic: Sends DPD messages at regular intervals.
Usage guidelines
DPD is triggered periodically or on-demand. The on-demand mode is recommended when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodical triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure DPD to be triggered every 10 seconds and every 5 seconds between retries if the peer does not respond.
<Sysname> system-view
[Sysname] ike dpd interval 10 retry 5 on-demand
Related commands
dpd
ike identity
Use ike identity to specify the global identity used by the local end during IKE negotiations.
Use undo ike identity to remove the configuration and restore the default.
Syntax
ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo ike identity
Default
By default, the IP address of the interface where the IPsec policy or IPsec policy template applies is used for the IKE identity.
Views
System view
Predefined user roles
network-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.
dn: Uses the DN in the digital signature as the identity.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, [email protected]. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
The global identity can be used by the device for all IKE SA negotiations. The local identity (set by the local-identity command) can be used only by the device that uses the IKE profile.
In pre-shared key authentication, you cannot set the DN as the identity.
When you specify the global identity for signature authentication, follow these restrictions and guidelines:
· You can set any type of identity information.
· The ike signature-identity from-certificate command sets the local device to always use the identity information obtained from the local certificate.
· If the ike signature-identity from-certificate command is not set, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Set the IP address 2.2.2.2 as the identity.
<sysname> system-view
[sysname] ike identity address 2.2.2.2
Related commands
· local-identity
· ike signature-identity from-certificate
ike invalid-spi-recovery enable
Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ike invalid-spi-recovery enable to restore the default.
Syntax
ike invalid-spi-recovery enable
undo ike invalid-spi-recovery enable
Default
SPI recovery is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
Use caution when you enable the invalid SPI recovery feature, because using this feature can result in a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ike invalid-spi-recovery enable
ike keepalive interval
Use ike keepalive interval to enable sending IKE keepalives and set the sending interval.
Use undo ike keepalive interval to restore the default.
Syntax
ike keepalive interval seconds
undo ike keepalive interval
Default
No IKE keepalives are sent.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function, unless IKE DPD is not supported on the peer.
The keepalive timeout time configured at the local must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval.
Examples
# Set the keepalive interval to 200 seconds
<Sysname> system-view
[Sysname] ike keepalive interval 200
Related commands
ike keepalive timeout
ike keepalive timeout
Use ike keepalive timeout to set the IKE keepalive timeout time.
Use undo ike keepalive timeout to restore the default.
Syntax
ike keepalive timeout seconds
undo ike keepalive timeout
Default
The negotiated aging time for the IKE SA applies.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives. The value is in the range of 20 to 28800.
Usage guidelines
If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout timer to three times as long as the keepalive interval.
Examples
# Set the keepalive timeout time to 20 seconds.
<Sysname> system-view
[Sysname] ike keepalive timeout 20
Related commands
ike keepalive interval
ike keychain
Use ike keychain to create an IKE keychain and enter IKE keychain view.
Use undo ike keychain to delete an IKE keychain.
Syntax
ike keychain keychain-name [ vpn-instance vpn-name ]
undo ike keychain keychain-name [ vpn-instance vpn-name ]
Default
No IKE keychain is configured.
Views
System view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IKE keychain belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
Usage guidelines
To use pre-shared key authentication, you must create and specify an IKE keychain for the IKE profile.
Examples
# Create IKE keychain key1 and enter its view.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1]
Related commands
· authentication-method
· pre-shared-key
ike limit
Use ike limit to set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
Use undo ike limit to restore the default.
Syntax
ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
undo ike limit { max-negotiating-sa | max-sa }
Default
There is no limit to the maximum number of IKE SAs.
Views
System view
Predefined user roles
network-admin
Parameters
max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and IPsec SAs, in the range of 1 to 99999.
max-sa sa-limit: Specifies the maximum number of established IKE SAs, in the range of 1 to 99999.
Usage guidelines
The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
Examples
# Set the maximum number of half-open IKE SAs and IPsec SAs to 200.
<Sysname> system-view
[Sysname] ike limit max-negotiating-sa 200
# Set the maximum number of established IKE SAs to 5000.
<Sysname> system-view
[Sysname] ike limit max-sa 5000
ike nat-keepalive
Use ike nat-keepalive to set the NAT keepalive interval.
Use undo ike nat-keepalive to restore the default.
Syntax
ike nat-keepalive seconds
undo ike nat-keepalive
Default
The NAT keepalive interval is 20 seconds.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Usage guidelines
This command takes effect only for a device behind a NAT server. When the device resides behind a NAT server, the IKE gateway behind the NAT server needs to send NAT keepalive packets to its peer IKE gateway to keep the NAT session alive.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ike nat-keepalive 5
ike profile
Use ike profile to create an IKE profile and enter IKE profile view.
Use undo ike profile to delete an IKE profile.
Syntax
ike profile profile-name
undo ike profile profile-name
Default
No IKE profile is configured.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.
Examples
# Create IKE profile 1 and enter its view.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1]
ike proposal
Use ike proposal to create an IKE proposal and enter IKE proposal view.
Use undo ike proposal to delete an IKE proposal.
Syntax
ike proposal proposal-number
undo ike proposal proposal-number
Default
The system has an IKE proposal that is used as the default IKE proposal. This proposal has the lowest priority and uses the following settings:
· Encryption algorithm—DES-CBC in non-FIPS mode and AES-CBC-128 in FIPS mode.
· Authentication method—HMAC-SHA1.
· Authentication algorithm—Pre-shared key authentication.
· DH group—Group1 in non-FIPS mode and group14 in FIPS mode.
· IKE SA lifetime—86400 seconds.
You cannot change the settings of the default IKE proposal.
Views
System view
Predefined user roles
network-admin
Parameters
proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Usage guidelines
During IKE negotiation:
· The initiator sends its IKE proposals to the peer.
¡ If the initiator is using an IPsec policy with an IKE profile, the initiator sends all IKE proposals referenced by the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
¡ If the initiator is using an IPsec policy with no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
· The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If all user-defined IKE proposals are mismatched, the two peers use their default IKE proposals to establish the IKE SA.
Examples
# Create IKE proposal 1 and enter its view.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1]
Related commands
display ike proposal
ike signature-identity from-certificate
Use ike signature-identity from-certificate to configure the local device to always obtain the identity information from the local certificate for signature authentication.
Use undo ike signature-identity from-certificate to restore the default.
Syntax
ike signature-identity from-certificate
undo ike signature-identity from-certificate
Default
The local end uses the identity information specified by local-identity or ike identity for signature authentication.
Views
System view
Predefined user roles
network-admin
Usage guidelines
If the aggressive IKE SA negotiation mode and signature authentication are used, configure this command on the local device when the device interconnects with a peer device that runs a Comware V5-based release. The V5-based release supports only DN for signature authentication.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Configure the local device to always obtain the identity information from the local certificate for signature authentication.
<Sysname> system-view
[sysname] ike signature-identity from-certificate
Related commands
· local-identity
· ike identity
inside-vpn
Use inside-vpn to specify an inside VPN instance for an IKE profile.
Use undo inside-vpn to remove the inside VPN instance configuration.
Syntax
inside-vpn vpn-instance vpn-name
undo inside-vpn
Default
No inside VPN instance is specified for an IKE profile. The device forwards protected data to the VPN instance where the interface that receives the data resides.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the device forwards protected data. The vpn-name argument is a case-sensitive string of 1 to 31 characters.
Examples
# Set the inside VPN instance to vpn1 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] inside-vpn vpn-instance vpn1
keychain
Use keychain to specify an IKE keychain for pre-shared key authentication.
Use undo keychain to remove the IKE keychain reference.
Syntax
keychain keychain-name
undo keychain keychain-name
Default
No IKE keychain is specified for an IKE profile.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IKE profile can reference up to six IKE keychains. An IKE keychain specified earlier has a higher priority.
Examples
# Specify IKE profile 1 for IKE keychain abc.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] keychain abc
Related commands
ike keychain
local-identity
Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
Use undo local-identity to delete the local ID.
Syntax
local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo local-identity
Default
No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec policy or IPsec policy template is applied as the local ID.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as [email protected]. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
An IKE profile can have only one local ID.
For digital signature authentication, the device can use any type of ID. If the local ID is an IP address that is different from the IP address in the local certificate, the device uses its FQDN (the device name configured by using the sysname command) instead.
For pre-shared key authentication, the device can use any type of ID other than the DN.
An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
Examples
# Set the local ID to IP address 2.2.2.2.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] local-identity address 2.2.2.2
Related commands
· match remote
· ike identity
match local address (IKE keychain view)
Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
undo match local address
Default
An IKE keychain can be applied to any local interface or IP address.
Views
IKE keychain view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE keychain for IKE negotiation.
Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
You can specify up to six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you configured IKE keychain A before configuring IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE profile A and the peer ID 2.2.2.0/24 for IKE profile B. For peer 2.2.2.2, IKE keychain A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE keychain B to address 2.2.2.2.
Examples
# Create IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
# Specify that IKE keychain key1 be applied only to the interface with the IP address 2.2.2.2 in VPN vpn1.
[sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1
match local address (IKE profile view)
Use match local address to specify a local interface or IP address to which an IKE profile can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-name ] }
undo match local address
Default
An IKE profile can be applied to any local interface or IP address.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-name: Specifies the MPLS L3VPN to which the IPv4 or IPv6 address belongs. The vpn-name argument is a case-sensitive string of 1 to 31 characters. To specify an IP address on the public network, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE profile for IKE negotiation.
Specify the local address configured in IPsec policy or IPsec policy template view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that references the IPsec policy.
An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B. For peer 2.2.2.2, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B for the peer, you can use this command to restrict the application scope of IKE profile B to address 2.2.2.2.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Specify that IKE profile prof1 be applied only to the interface with the IP address 2.2.2.2 in VPN vpn1.
[sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1
match remote
Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.
· address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching. The mask-length argument is in the range of 0 to 32.
· address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
· address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The prefix-length argument is in the range of 0 to 128.
· address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
· fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
· user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as [email protected].
vpn-instance vpn-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-name argument is a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.
Usage guidelines
When an end needs to select an IKE profile, it compares the peer's ID received with the peer IDs of its local IKE profiles. If a match is found, it uses the IKE profile with the matching peer ID for IKE negotiation.
Each IKE profile must have at least one peer ID configured.
To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Configure a peer ID with the identity type of FQDN and the value of www.test.com.
[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com
# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.
[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1
Related commands
local-identity
pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to remove a pre-shared key.
Syntax
In non-FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher cipher-key | simple simple-key }
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }
In FIPS mode:
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key [ cipher cipher-key ]
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }
Default
No pre-shared key is configured.
Views
IKE keychain view
Predefined user roles
network-admin
Parameters
address: Specifies a peer by its address.
ipv4-address: Specifies the IPv4 address of the peer.
mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.
mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.
ipv6: Specifies an IPv6 peer.
ipv6-address: Specifies the IPv6 address of the peer.
prefix-length: Specifies the prefix length in the range of 0 to 128. The default prefix length is 128.
hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.
key: Specifies a pre-shared key.
simple: Specifies a pre-shared key in plain text.
simple-key: Specifies a plaintext key. It is a case-sensitive string of 1 to 128 characters.
cipher: Specifies a pre-shared key in cipher text.
cipher-key: Specifies a ciphertext key. In non-FIPS mode, it is a case-sensitive string of 1 to 201 characters. In FIPS mode, it is a case-sensitive string of 15 to 201 characters.
Usage guidelines
The address option or the hostname option specifies the peer with which the device can use the pre-shared key to perform IKE negotiation.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
In FIPS mode, if you do not specify the cipher cipher-key option, you specify a plaintext pre-shared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters.
For security purposes, all pre-shared keys, including those configured in plain text, are saved in cipher text to the configuration file.
Examples
# Create IKE keychain key1 and enter IKE keychain view.
<Sysname> system-view
[Sysname] ike keychain key1
# Set the pre-shared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.
[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&!
Related commands
· authentication-method
· keychain
priority (IKE keychain view)
Use priority to specify a priority for an IKE keychain.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE keychain is 100.
Views
IKE keychain view
Predefined user roles
network-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE keychain, the device examines the existence of the match local address command before examining the priority number. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain that does not have the match local address command configured.
Examples
# Set the priority to 10 for IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1] priority 10
priority (IKE profile view)
Use priority to specify a priority for an IKE profile.
Use undo priority to restore the default.
Syntax
priority number
undo priority
Default
The priority of an IKE profile is 100.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
priority number: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE profile, the device examines the existence of the match local address command before examining the priority number. An IKE profile with the match local address command configured has a higher priority than an IKE profile that does not have the match local address command configured.
Examples
# Set the priority to 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] priority 10
proposal
Use proposal to specify the IKE proposals for an IKE profile to reference.
Use undo proposal to remove the IKE proposal references.
Syntax
proposal proposal-number&<1-6>
undo proposal
Default
An IKE profile references no IKE proposals and uses the IKE proposals configured in system view for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
Parameters
proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines
When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.
Examples
# Specify IKE proposal 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] proposal 10
Related commands
ike proposal
reset ike sa
Use reset ike sa to delete IKE SAs.
Syntax
reset ike sa [ connection-id connection-id ]
Views
User view
Predefined user roles
network-admin
Parameters
connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
Usage guidelines
When you delete an IKE SA, the device automatically sends a notification to the peer.
Examples
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs: 2
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD|ST IPSEC
2 202.38.0.3 RD|ST IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO—TIMEOUT
# Delete the IKE SA with the connection ID 2.
<Sysname> reset ike sa 2
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs: 1
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD|ST IPSEC
Flags:
RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO—TIMEOUT
reset ike statistics
Use reset ike statistics command to clear IKE MIB statistics.
Syntax
reset ike statistics
Views
User view
Predefined user roles
network-admin
Examples
# Clears IKE MIB statistics.
<Sysname> reset ike statistics
Related commands
snmp-agent trap enable ike
sa duration
Use sa duration to set the IKE SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
undo sa duration
Default
The IKE SA lifetime is 86400 seconds.
Views
IKE proposal view
Predefined user roles
network-admin
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA will be cleared when it expires.
Examples
# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] sa duration 600
Related commands
display ike proposal
snmp-agent trap enable ike
Use snmp-agent trap enable ike command to enable SNMP notifications for IKE.
Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE.
Syntax
snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal–delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal–delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
Default
All SNMP notifications for IKE are enabled.
Views
System view
Predefined user roles
network-admin
Parameters
attr-not-support: Specifies SNMP notifications for attribute-unsupported failures.
auth-failure: Specifies SNMP notifications for authentication failures.
cert-type-unsupport: Specifies SNMP notifications for certificate-type-unsupported failures.
cert-unavailable: Specifies SNMP notifications for certificate-unavailable failures.
decrypt-failure: Specifies SNMP notifications for decryption failures.
encrypt-failure: Specifies SNMP notifications for encryption failures.
global: Specifies SNMP notifications globally.
invalid-cert-auth: Specifies SNMP notifications for invalid-certificate-authentication failures.
invalid-cookie: Specifies SNMP notifications for invalid-cookie failures.
invalid-id: Specifies SNMP notifications for invalid-ID failures.
invalid-proposal: Specifies SNMP notifications for invalid-IKE-proposal failures.
invalid-protocol: Specifies SNMP notifications for invalid-protocol failures.
invalid-sign: Specifies SNMP notifications for invalid-signature failures.
no-sa-failure: Specifies SNMP notifications for SA-not-found failures.
proposal-add: Specifies SNMP notifications for events of adding IKE proposals.
proposal-delete: Specifies SNMP notifications for events of deleting IKE proposals.
tunnel-start: Specifies SNMP notifications for events of creating IKE tunnels.
tunnel-stop: Specifies SNMP notifications for events of deleting IKE tunnels.
unsupport-exch-type: Specifies SNMP notifications for negotiation-type-unsupported failures.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE.
To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks:
1. Enable SNMP notifications for IKE globally.
2. Enable SNMP notifications for the failure type or event type.
Examples
To enable SNMP notifications when an IKE tunnel is created, execute the following commands:
# Enable SNMP notifications for IKE globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ike global
# Enable SNMP notifications for events of creating IKE tunnels.
[Sysname] snmp-agent trap enable ike tunnel-start
