07-Security Command Reference

15-IPsec Commands

Contents

IPsec configuration commands

ah authentication-algorithm

connection-name

display ipsec policy

display ipsec policy-template

display ipsec sa

display ipsec statistics

display ipsec transform-set

display ipsec tunnel

encapsulation-mode

esp authentication-algorithm

esp encryption-algorithm

ike-peer (IPsec policy view/IPsec policy template view)

ipsec anti-replay check

ipsec anti-replay window

ipsec invalid-spi-recovery enable

ipsec policy (interface view)

ipsec policy (system view)

ipsec policy isakmp template

ipsec policy-template

ipsec sa global-duration

ipsec transform-set

ipsec synchronization enable

policy enable

reset ipsec sa

reset ipsec statistics

sa duration

security acl

synchronization anti-replay-interval

transform

transform-set

IKE configuration commands

authentication-algorithm

authentication-method

certificate domain

dh

display ike dpd

display ike peer

display ike proposal

display ike sa

dpd

encryption-algorithm

exchange-mode

id-type

ike dpd

ike local-name

ike next-payload check disabled

ike peer (system view)

ike proposal

ike sa keepalive-timer interval

ike sa keepalive-timer timeout

ike sa nat-keepalive-timer interval

interval-time

local

local-address

local-name

nat traversal

peer

pre-shared-key

proposal

remote-address

remote-name

reset ike sa

sa duration

time-out

 


IPsec configuration commands

All ACs support IPsec between ACs and APs. Only the WAC360 series, WX2540E, and the WX3000E series support IPsec between ACs.

ah authentication-algorithm

Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.

Use undo ah authentication-algorithm to restore the default.

Syntax

ah authentication-algorithm { md5 | sha1 } *

undo ah authentication-algorithm

Default

In FIPS mode, AH uses SHA-1 for authentication.

In non-FIPS mode, AH uses MD5 for authentication.

Views

IPsec transform set view

Default command level

2: System level

Parameters

md5: Uses MD5.

sha1: Uses SHA1.

Usage guidelines

In FIPS mode, AH does not support MD5 authentication.

You must use the transform command to specify the AH security protocol or both AH and ESP before you specify authentication algorithms for AH.

Examples

# Configure IPsec transform set prop1 to use AH and SHA1.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform ah

[Sysname-ipsec-transform-set-prop1] ah authentication-algorithm sha1

Related commands

·     ipsec transform-set

·     transform

connection-name

Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.

Use undo connection-name to restore the default.

Syntax

connection-name name

undo connection-name

Default

No IPsec connection name is configured.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

name: Specifies an IPsec connection name, a case-insensitive string of 1 to 32 characters.

Example

# Set IPsec connection name to CenterToA.

<Sysname> system-view

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] connection-name CenterToA

display ipsec policy

Use display ipsec policy to display information about IPsec policies.

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec policies.

name: Displays detailed information about a specific IPsec policy or IPsec policy group.

policy-name: Specifies the name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays detailed information about all IPsec policies.

If you specify the name policy-name option without the seq-number argument, the command displays detailed information about every IPsec policy in the specified IPsec policy group.

Examples

# Display brief information about all IPsec policies.

<Sysname> display ipsec policy brief

IPsec-Policy-Name     Mode    acl    ike-peer name    Mapped Template

------------------------------------------------------------------------

bbbbbbbbbbbbbbb-1     template                        aaaaaaaaaaaaaaa

map-1                 isakmp  3000   peer

nat-1                 isakmp  3500   nat

test-1                isakmp  3200   test

toccccc-1             isakmp  3003   tocccc

 

IPsec-Policy-Name     Mode    acl          Local-Address  Remote-Address

------------------------------------------------------------------------

Table 1 Command output

Field

Description

IPsec-Policy-Name

Name and sequence number of the IPsec policy separated by hyphen.

Mode

Negotiation mode of the IPsec policy:

·     manual—Manual mode. The H3C access controllers do not support the manual mode.

·     isakmp—IKE negotiation mode.

·     template—IPsec policy template mode.

acl

ACL referenced by the IPsec policy.

ike-peer name

IKE peer name.

Mapped Template

Referenced IPsec policy template.

Local-Address

IP address of the local end.

Remote-Address

IP address of the remote end.

 

# Display detailed information about all IPsec policies.

<Sysname> display ipsec policy

===========================================

IPsec Policy Group: "policy_isakmp"

Interface: Vlan-interface2

===========================================

 

  ------------------------------------

  IPsec policy name: "policy_isakmp"

  sequence number: 10

  acl version: IPv4

  mode: isakmp

  -------------------------------------

    security data flow : 3000

    selector mode: standard

    ike-peer name:  per

    perfect forward secrecy:

    transform-set name: prop1

    synchronization inbound anti-replay-interval: 1000 packets

    synchronization outbound anti-replay-interval: 10000 packets

    IPsec sa local duration(time based): 3600 seconds

    IPsec sa local duration(traffic based): 1843200 kilobytes

    policy enable: True

    tfc enable: False

Table 2 Command output

Field

Description

security data flow

ACL referenced by the IPsec policy.

Interface

Interface to which the IPsec policy is applied.

sequence number

Sequence number of the IPsec policy.

acl version

ACL version. The H3C access controllers support only IPv4 ACL.

If no ACL is referenced, this field displays None.

mode

Negotiation mode of the IPsec policy:

·     manual—Manual mode. The H3C access controllers do not support the manual mode.

·     isakmp—IKE negotiation mode.

·     template—IPsec policy template mode.

selector mode

Data flow protection mode of the IPsec policy: standard, aggregation, or per-host.

ike-peer name

IKE peer referenced by the IPsec policy.

perfect forward secrecy

Whether PFS is enabled.

transform-set name

Transform set referenced by the IPsec policy.

policy enable

Whether the IPsec policy is enabled or not.

tfc enable

Whether TFC padding is enabled.

synchronization inbound anti-replay-interval

Interval for synchronizing anti-replay windows in inbound direction, expressed in the number of received packets.

synchronization outbound anti-replay-interval

Interval for synchronizing anti-replay sequence numbers in outbound direction, expressed in the number of sent packets.

inbound/outbound AH/ESP setting

AH/ESP settings in the inbound/outbound direction, including the SPI and keys.

 

Related commands

ipsec policy (system view)

display ipsec policy-template

Use display ipsec policy-template to display information about IPsec policy templates.

Syntax

display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec policy templates.

name: Displays detailed information about a specific IPsec policy template or IPsec policy template group.

template-name: Specifies the name of the IPsec policy template, a string of 1 to 15 characters.

seq-number: Specifies the sequence number of the IPsec policy template, in the range of 1 to 65535.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays detailed information about all IPsec policy templates.

If you specify the name template-name option without the seq-number argument, the command displays information about every IPsec policy template in the specified IPsec policy template group.

Examples

# Display brief information about all IPsec policy templates.

<Sysname> display ipsec policy-template brief

Policy-Template-Name     acl            Remote-Address

------------------------------------------------------

test-300                 2200

Table 3 Command output

Field

Description

Policy-Template-Name

Name and sequence number of the IPsec policy template separated by hyphen.

acl

ACL referenced by the IPsec policy template.

Remote-Address

Remote IP address.

 

# Display detailed information about all IPsec policy templates.

<Sysname> display ipsec policy-template

 

===============================================

IPsec Policy Template Group: "test"

===============================================

 

  ---------------------------------

  Policy template name: "test"

  sequence number: 1

  ---------------------------------

    security data flow :

    ACL's Version:  acl4

    ike-peer name:  per

    perfect forward secrecy:  DH group 5

    transform-set name:  testprop

    synchronization inbound anti-replay-interval: 1000 packets

    synchronization outbound anti-replay-interval: 10000 packets

    IPsec sa local duration(time based): 3600 seconds

    IPsec sa local duration(traffic based): 1843200 kilobytes

Table 4 Command output

Field

Description

security data flow

ACL referenced by the IPsec policy template.

ACL's Version

ACL version. The H3C access controllers support only IPv4 ACL.

ike-peer name

IKE peer referenced by the IPsec policy template.

perfect forward secrecy

Whether PFS is enabled.

DH group

DH group used: 1, 2, 5, or 14.

transform-set name

IPsec transform set referenced by the IPsec policy template.

synchronization inbound anti-replay-interval

Interval for synchronizing anti-replay windows in inbound direction, expressed in the number of received packets.

synchronization outbound anti-replay-interval

Interval for synchronizing anti-replay sequence numbers in outbound direction, expressed in the number of sent packets.

IPsec sa local duration(time based)

Time-based lifetime of the IPsec SAs at the local end.

IPsec sa local duration(traffic based)

Traffic-based lifetime of the IPsec SAs at the local end.

 

Related commands

ipsec policy-template

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ active | brief | policy policy-name [ seq-number ] | remote ip-address standby ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

active: Displays detailed information about the active IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

brief: Displays brief information about all IPsec SAs.

policy: Displays detailed information about IPsec SAs created by using a specific IPsec policy.

policy-name: Specifies the name of the IPsec policy, a string of 1 to 15 characters.

seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535.

remote ip-address: Displays detailed information about the IPsec SA with a specific remote address.

standby: Displays detailed information about the standby IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IPsec SAs.

Examples

# Display brief information about all IPsec SAs.

<Sysname> display ipsec sa brief

total phase-2 IPv4 SAs: 2

Src Address  Dst Address  SPI    Protocol     Algorithm

--------------------------------------------------------

10.1.1.1     10.1.1.2     300    ESP          E:DES;

                                              A:HMAC-MD5-96

10.1.1.2     10.1.1.1     400    ESP          E:DES;

                                              A:HMAC-MD5-96

total phase-2 IPv6 SAs: 0                                                     

Src Address            Dst Address            SPI        Protocol Algorithm    

-----------------------------------------------------------------------------  

Table 5 Command output

Field

Description

Src Address

Local IP address.

Dst Address

Remote IP address.

SPI

Security parameter index.

Protocol

Security protocol used by IPsec.

Algorithm

Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified.

 

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa

===============================

Interface: Vlan-interface2

    path MTU: 1500

===============================

 

  -----------------------------

  IPsec policy name: "r2"

  sequence number: 1

  acl version: ACL4

  mode: isakmp

  -----------------------------

    connection id: 3

    encapsulation mode: tunnel

    tunnel:

        local  address: 2.2.2.2

        remote address: 1.1.1.2

    flow:

        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: IP

        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP

 

    [inbound ESP SAs]

      spi: 3564837569 (0xd47b1ac1)

      transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 4294967295/604800

      sa remaining duration (kilobytes/sec): 1843200/2686

      max received sequence-number: 5

      anti-replay check enable: Y

      anti-replay window size: 32

      udp encapsulation used for nat traversal: N

      status: active

 

    [outbound ESP SAs]

      spi: 801701189 (0x2fc8fd45)

      transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5

      sa duration (kilobytes/sec): 4294967295/604800

      sa remaining duration (kilobytes/sec): 1843200/2686

      max sent sequence-number: 6

      udp encapsulation used for nat traversal: N

Table 6 Command output

Field

Description

Interface

Interface referencing the IPsec policy.

path MTU

Maximum IP packet length supported by the interface.

IPsec policy  name

Name of IPsec policy used.

sequence number

Sequence number of the IPsec policy.

acl version

ACL version. The H3C access controllers support only IPv4 ACL.

If no ACL is referenced, this field displays None.

mode

IPsec negotiation mode.

connection id

IPsec tunnel identifier.

encapsulation mode

Encapsulation mode, transport or tunnel.

tunnel

IPsec tunnel.

local address

Local IP address of the IPsec tunnel.

remote address

Remote IP address of the IPsec tunnel.

flow

Data flow.

sour addr

Source IP address of the data flow.

dest addr

Destination IP address of the data flow.

port

Port number.

protocol

Protocol type.

inbound

Information of the inbound SA.

spi

Security parameter index.

transform-set

Security protocol and algorithms used by the IPsec transform set.

sa duration

Lifetime of the IPsec SA.

sa remaining duration

Remaining lifetime of the SA.

max received sequence-number

Maximum sequence number of the received packets (relevant to the anti-replay function provided by the security protocol).

udp encapsulation used for nat traversal

Whether NAT traversal is enabled for the SA.

outbound

Information of the outbound SA.

max sent sequence-number

Maximum sequence number of the sent packets (relevant to the anti-replay function provided by the security protocol).

anti-replay check enable

Whether IPsec anti-replay checking is enabled.

anti-replay window size

Size of the anti-replay window.

 

Related commands

·     reset ipsec sa

·     ipsec sa global-duration
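Reading this output by hand does not scale past a handful of tunnels. The following added example (not H3C code) parses display ipsec sa output such as the one above and flags SAs that use DES or MD5, have anti-replay checking disabled, or are close to expiry. The sample text is constructed from the output shown above; the ESP-ENCRYPT-3DES and ESP-ENCRYPT-NULL token names are assumed by analogy with the ESP-ENCRYPT-DES and ESP-AUTH-MD5 tokens the page shows, and the 300-second expiry threshold is an arbitrary choice.

```python
import re

# Constructed sample, modelled on the 'display ipsec sa' output shown above
# (not captured from a real device). Field names and layout follow that output.
SAMPLE_OUTPUT = """\
===============================
Interface: Vlan-interface2
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "r2"
  sequence number: 1
  acl version: ACL4
  mode: isakmp
  -----------------------------
    connection id: 3
    encapsulation mode: tunnel
    tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.2

    [inbound ESP SAs]
      spi: 3564837569 (0xd47b1ac1)
      transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 1843200/2686
      max received sequence-number: 5
      anti-replay check enable: Y
      anti-replay window size: 32
      udp encapsulation used for nat traversal: N
      status: active

    [outbound ESP SAs]
      spi: 801701189 (0x2fc8fd45)
      transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa duration (kilobytes/sec): 4294967295/604800
      sa remaining duration (kilobytes/sec): 1843200/2686
      max sent sequence-number: 6
      udp encapsulation used for nat traversal: N
"""

# (key in the SA dict, regex anchored at line start, converter for group 1)
_FIELDS = [
    ("spi", r"spi: (\d+)", int),
    ("transforms", r"transform-set: (.+)", str.split),
    ("duration_sec", r"sa duration \(kilobytes/sec\): \d+/(\d+)", int),
    ("remaining_sec", r"sa remaining duration \(kilobytes/sec\): \d+/(\d+)", int),
    ("anti_replay", r"anti-replay check enable: ([YN])", lambda v: v == "Y"),
    ("window", r"anti-replay window size: (\d+)", int),
]


def parse_ipsec_sa(text):
    """Return one dict per [inbound|outbound AH|ESP SAs] block in 'display ipsec sa' output."""
    sas, cur, policy, seq = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r'IPsec policy name: "(.+)"', line):
            policy = m.group(1)
        elif m := re.match(r"sequence number: (\d+)", line):
            seq = int(m.group(1))
        elif m := re.match(r"\[(inbound|outbound) (AH|ESP) SAs\]", line):
            cur = {"policy": policy, "seq": seq, "direction": m.group(1), "protocol": m.group(2)}
            sas.append(cur)
        elif cur is not None:
            for key, pattern, conv in _FIELDS:
                if m := re.match(pattern, line):
                    cur[key] = conv(m.group(1))
                    break
    return sas


# Algorithm suffixes of the transform-set tokens. DES and MD5 appear in the output above;
# 3DES and NULL are assumed to follow the same ESP-ENCRYPT-x / ESP-AUTH-x naming.
_WEAK = {
    "DES": "single DES, 56-bit key",
    "3DES": "3DES, 64-bit block",
    "MD5": "HMAC-MD5-96 is deprecated (not allowed in FIPS mode)",
    "NULL": "no encryption",
}


def audit_sa(sa, min_remaining_sec=300):
    """Findings for one SA: weak algorithms, anti-replay off on inbound, expiring soon."""
    findings = []
    for tok in sa.get("transforms", []):
        suffix = tok.rsplit("-", 1)[-1]
        if suffix in _WEAK:
            findings.append(f"{tok}: {_WEAK[suffix]}")
    if sa["direction"] == "inbound" and sa.get("anti_replay") is False:
        findings.append("anti-replay check disabled on inbound SA")
    if sa.get("remaining_sec", min_remaining_sec) < min_remaining_sec:
        findings.append(f"SA expires in {sa['remaining_sec']} s; check IKE rekeying")
    return findings


def audit_output(text, **kw):
    """Map 'policy-seq/direction' -> findings for every SA that has any."""
    report = {}
    for sa in parse_ipsec_sa(text):
        if findings := audit_sa(sa, **kw):
            report[f"{sa['policy']}-{sa['seq']}/{sa['direction']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit_output(SAMPLE_OUTPUT).items():
        print(key)
        for finding in findings:
            print("   ", finding)
```

Paste the real command output into SAMPLE_OUTPUT, or read it from a file, to audit a live controller; both SAs in the sample are reported because the DES/MD5 transform set is exactly the non-FIPS default shown later in this section.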

display ipsec statistics

Use display ipsec statistics to display IPsec packet statistics.

Syntax

display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

tunnel-id integer: Specifies an IPsec tunnel by its ID in the range of 1 to 2000000000.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays the statistics for all IPsec packets.

Examples

# Display statistics on all IPsec packets.

<Sysname> display ipsec statistics

  the security packet statistics:

    input/output security packets: 47/62

    input/output security bytes: 3948/5208

    input/output dropped security packets: 0/45

    dropped security packet detail:

      not enough memory: 0

      can't find SA: 45

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

# Display IPsec packet statistics for Tunnel 3.

<Sysname> display ipsec statistics tunnel-id 3

------------------------------------------------

  Connection ID : 3

 ------------------------------------------------

  the security packet statistics:

    input/output security packets: 5124/8231

    input/output security bytes: 52348/64356

    input/output dropped security packets: 0/0

    dropped security packet detail:

      not enough memory: 0

      queue is full: 0

      authentication has failed: 0

      wrong length: 0

      replay packet: 0

      packet too long: 0

      wrong SA: 0

Table 7 Command output

Field

Description

Connection ID

ID of the tunnel.

input/output security packets

Counts of inbound and outbound IPsec protected packets.

input/output security bytes

Counts of inbound and outbound IPsec protected bytes.

input/output dropped security packets

Counts of inbound and outbound IPsec protected packets that are discarded by the device.

dropped security packet detail

Detailed information about inbound/outbound packets that get dropped.

not enough memory

Number of packets dropped due to lack of memory.

can't find SA

Number of packets dropped due to finding no security association.

queue is full

Number of packets dropped due to full queues.

authentication has failed

Number of packets dropped due to authentication failure.

wrong length

Number of packets dropped due to wrong packet length.

replay packet

Number of packets dropped by the anti-replay check (sequence number already received, or older than the anti-replay window).

packet too long

Number of packets dropped due to excessive packet length.

wrong SA

Number of packets dropped due to improper SA.

 

Related commands

reset ipsec statistics

display ipsec transform-set

Use display ipsec transform-set to display information about IPsec transform sets.

Syntax

display ipsec transform-set [ transform-set-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

transform-set-name: Specifies the name of an IPsec transform set, a string of 1 to 32 characters. If you do not specify an IPsec transform set, the command displays information about all IPsec transform sets.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IPsec transform sets.

Examples

# Display information about all IPsec transform sets.

<Sysname> display ipsec transform-set

  IPsec transform-set name: tran1

    encapsulation mode: tunnel

    ESN : disable

    ESN scheme: NO

    transform: esp-new

    ESP protocol:

      Integrity: md5-hmac-96

      Encryption: des

  IPsec transform-set name: tran2

    encapsulation mode: transport

    ESN : disable

    ESN scheme: NO

    transform: esp-new

    ESP protocol:

      Integrity: md5-hmac-96

      Encryption: des

Table 8 Command output

Field

Description

IPsec transform-set name

Name of the IPsec transform set.

encapsulation mode

Encapsulation mode used by the IPsec transform set, transport or tunnel.

ESN

Whether the ESN function is enabled.

ESN scheme

·     NO—Supports the ESN function.

·     YES—Does not support the ESN function.

transform

Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.

AH protocol

Authentication algorithm used by AH.

ESP protocol

Authentication algorithm and encryption algorithm used by ESP.

 

Related commands

ipsec transform-set

display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel [ active | standby ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

active: Displays information about the active IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

standby: Displays information about the standby IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IPsec tunnels.

Examples

# Display information about IPsec tunnels.

<Sysname> display ipsec tunnel

    total tunnel : 2

    ------------------------------------------------

    connection id: 3

    SA's SPI:

        inbound:  187199087 (0xb286e6f) [ESP]

        outbound: 3562274487 (0xd453feb7) [ESP]

    tunnel:

        local  address:  44.44.44.44

        remote address : 44.44.44.55

    flow:

        sour addr : 44.44.44.0/255.255.255.0  port: 0  protocol : IP

        dest addr : 44.44.44.0/255.255.255.0  port: 0  protocol : IP

# Display information about IPsec tunnels in aggregation mode.

<Sysname> display ipsec tunnel

    total tunnel: 2

------------------------------------------------

    connection id: 4

    SA's SPI:

        inbound :  2454606993 (0x924e5491) [ESP]

        outbound : 675720232 (0x2846ac28) [ESP]

    tunnel :

        local address:  44.44.44.44

        remote address : 44.44.44.45

    flow :

        as defined in acl 3001

Table 9 Command output

Field

Description

connection id

Connection ID, used to uniquely identify an IPsec Tunnel.

SA's SPI

SPIs of the inbound and outbound SAs.

tunnel

Local and remote addresses of the tunnel.

flow

Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol.

as defined in acl 3001

The IPsec tunnel protects all data flows defined by ACL 3001.

 

encapsulation-mode

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Default

A security protocol encapsulates IP packets in tunnel mode.

Views

IPsec transform set view

Default command level

2: System level

Parameters

transport: Uses transport mode.

tunnel: Uses tunnel mode.

Examples

# Configure IPsec transform set tran1 to use the transport encapsulation mode.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport

Related commands

ipsec transform-set

esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.

Syntax

esp authentication-algorithm { md5 | sha1 } *

undo esp authentication-algorithm

Default

In FIPS mode, ESP uses SHA-1 for authentication.

In non-FIPS mode, ESP uses MD5 for authentication.

Views

IPsec transform set view

Default command level

2: System level

Parameters

md5: Uses the MD5 algorithm, which uses a 128-bit key.

sha1: Uses the SHA1 algorithm, which uses a 160-bit key.

Usage guidelines

Compared with SHA1, MD5 is faster but weaker: HMAC-MD5 is deprecated and is not allowed in FIPS mode. Use SHA1 unless you must interoperate with a peer that supports only MD5.

In FIPS mode, ESP does not support MD5 authentication.

In FIPS mode, you must specify both an encryption algorithm and an authentication algorithm.

Examples

# Configure IPsec transform set prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform esp

[Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1

Related commands

·     ipsec transform-set

·     esp encryption-algorithm

esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

Syntax

esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } *

undo esp encryption-algorithm

Default

In FIPS mode, ESP uses AES-128 for encryption.

In non-FIPS mode, ESP uses DES for encryption.

Views

IPsec transform set view

Default command level

2: System level

Parameters

3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.

aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128-bit key.

aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.

aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.

des: Uses the DES in cipher block chaining (CBC) mode, which uses a 56-bit key.

Usage guidelines

In non-FIPS mode, ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.

In FIPS mode, ESP must encrypt and authenticate packets.

In FIPS mode, ESP does not support DES or 3DES.

Examples

# Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform esp

[Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des

Related commands

·     display ipsec transform-set

·     esp authentication-algorithm
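The FIPS restrictions above, together with the non-FIPS defaults for esp authentication-algorithm and esp encryption-algorithm (MD5 and DES when nothing is configured), are easy to miss in a running configuration. This added example (not H3C code) lints ipsec transform-set blocks for both cases: it reports algorithms that FIPS mode rejects, weak algorithms in non-FIPS mode, and transform sets that silently fall back to the defaults. The configuration text is constructed; the transform ah-esp keyword for AH plus ESP and ESP as the default security protocol are assumed from other Comware V5 platforms, since this section shows only transform ah and transform esp.

```python
import re

# Constructed configuration snippet (not from the page). 'transform ah-esp' (AH plus ESP)
# is assumed from other Comware V5 platforms; this section shows only 'ah' and 'esp'.
SAMPLE_CONFIG = """\
ipsec transform-set legacy
 transform esp
#
ipsec transform-set prop1
 transform esp
 esp encryption-algorithm 3des
 esp authentication-algorithm md5
#
ipsec transform-set strong
 transform ah-esp
 ah authentication-algorithm sha1
 esp encryption-algorithm aes-cbc-256
 esp authentication-algorithm sha1
#
"""

# Defaults stated on this page, keyed by FIPS mode (True = FIPS).
DEFAULTS = {
    True:  {"ah_auth": "sha1", "esp_auth": "sha1", "esp_enc": "aes-cbc-128"},
    False: {"ah_auth": "md5",  "esp_auth": "md5",  "esp_enc": "des"},
}
FIPS_REJECTED = {"des", "3des", "md5"}            # not supported in FIPS mode (per this page)
WEAK = {"des": "56-bit key", "3des": "64-bit block", "md5": "deprecated HMAC-MD5"}

_CMDS = {
    "ah_auth": re.compile(r"ah authentication-algorithm (.+)"),
    "esp_enc": re.compile(r"esp encryption-algorithm (.+)"),
    "esp_auth": re.compile(r"esp authentication-algorithm (.+)"),
}


def parse_transform_sets(config):
    """Return {name: {'transform': ..., 'ah_auth': [...], 'esp_enc': [...], ...}}.
    ESP is assumed to be the default security protocol when 'transform' is absent."""
    sets, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ipsec transform-set (\S+)$", line):
            cur = sets.setdefault(m.group(1), {"transform": "esp"})
        elif line == "#":                              # end of the block
            cur = None
        elif cur is None:
            continue
        elif m := re.match(r"transform (ah|ah-esp|esp)$", line):
            cur["transform"] = m.group(1)
        else:
            for key, pat in _CMDS.items():
                if m := pat.match(line):
                    cur[key] = m.group(1).split()      # '{ md5 | sha1 } *' allows several
    return sets


def lint_transform_set(name, ts, fips=False):
    """Findings for one transform set under this page's FIPS / non-FIPS rules."""
    findings = []
    protos = ts["transform"].split("-")                # 'ah-esp' -> ['ah', 'esp']
    checks = []
    if "ah" in protos:
        checks.append(("ah_auth", "ah authentication-algorithm"))
    if "esp" in protos:
        checks += [("esp_enc", "esp encryption-algorithm"),
                   ("esp_auth", "esp authentication-algorithm")]
    for key, cmd in checks:
        algs = ts.get(key)
        if algs is None:
            if fips and key.startswith("esp"):         # FIPS: both ESP algorithms must be set
                findings.append(f"{name}: {cmd} must be configured explicitly in FIPS mode")
                continue
            algs = [DEFAULTS[fips][key]]
            if not fips:                               # silent fallback to DES / MD5
                findings.append(f"{name}: {cmd} not configured, default {algs[0]} applies")
        for alg in algs:
            if fips and alg in FIPS_REJECTED:
                findings.append(f"{name}: {alg} is not supported in FIPS mode")
            elif alg in WEAK:
                findings.append(f"{name}: {alg} ({WEAK[alg]}); prefer aes-cbc-* with sha1")
    return findings


def lint_config(config, fips=False):
    """Lint every transform set in a configuration; returns {name: [findings]}."""
    return {name: lint_transform_set(name, ts, fips)
            for name, ts in parse_transform_sets(config).items()}


if __name__ == "__main__":
    for fips in (False, True):
        print("FIPS mode" if fips else "non-FIPS mode")
        for name, findings in lint_config(SAMPLE_CONFIG, fips).items():
            print(f"  {name}: {findings or 'ok'}")
```

The transform set legacy is the interesting case: it contains no algorithm lines at all, so in non-FIPS mode it negotiates DES with HMAC-MD5 without that ever appearing in the configuration, and in FIPS mode the same block is rejected until both ESP algorithms are configured.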

ike-peer (IPsec policy view/IPsec policy template view)

Use ike-peer to reference an IKE peer in an IPsec policy or IPsec policy template configured through IKE negotiation.

Use undo ike-peer to remove the reference.

Syntax

ike-peer peer-name

undo ike-peer peer-name

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.

Examples

# Configure a reference to an IKE peer in an IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1

Related commands

ipsec policy

ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.

Syntax

ipsec anti-replay check

undo ipsec anti-replay check

Default

IPsec anti-replay checking is enabled.

Views

System view

Default command level

2: System level

Examples

# Enable IPsec anti-replay checking.

<Sysname> system-view

[Sysname] ipsec anti-replay check

ipsec anti-replay window

Use ipsec anti-replay window to set the size of the anti-replay window.

Use undo ipsec anti-replay window to restore the default.

Syntax

ipsec anti-replay window width

undo ipsec anti-replay window

Default

The size of the anti-replay window is 32.

Views

System view

Default command level

2: System level

Parameters

width: Size of the anti-replay window. It can be 32, 64, 128, 256, 512, or 1024.

Usage guidelines

Your configuration affects only IPsec SAs negotiated later. Existing SAs keep the window size they were created with (shown as anti-replay window size in the display ipsec sa output). Increase the window only when legitimately reordered packets (for example, after QoS queuing) are being dropped as replays: a larger window accepts more out-of-order packets without weakening duplicate detection inside the window.

Examples

# Set the size of the anti-replay window to 64.

<Sysname> system-view

[Sysname] ipsec anti-replay window 64
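To make the window-size trade-off concrete, the following added example (not H3C code) models the inbound anti-replay check of an IPsec SA as an RFC 4303-style sliding window, with the widths accepted by ipsec anti-replay window and a switch corresponding to undo ipsec anti-replay check. Feeding the same constructed arrival order through a 32-slot and a 64-slot window shows which out-of-order packets each accepts and which it counts as replay packet drops.

```python
class AntiReplayWindow:
    """Sliding anti-replay window for one inbound ESP/AH SA (RFC 4303 section 3.4.3 scheme).

    Bit 0 of the bitmap stands for the highest accepted sequence number ('top'),
    bit i for top - i. Added example modelling 'ipsec anti-replay check' and
    'ipsec anti-replay window'; it is not the device's implementation.
    """
    VALID_WIDTHS = (32, 64, 128, 256, 512, 1024)   # widths 'ipsec anti-replay window' accepts

    def __init__(self, width=32, enabled=True):
        if width not in self.VALID_WIDTHS:
            raise ValueError(f"width must be one of {self.VALID_WIDTHS}")
        self.width, self.enabled = width, enabled
        self.top = 0          # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # received marks for top, top-1, ..., top-width+1
        self.replays = 0      # what 'display ipsec statistics' reports as 'replay packet'

    def check(self, seq):
        """Pre-ICV check: may this sequence number be accepted? No state change."""
        if not self.enabled:               # 'undo ipsec anti-replay check'
            return True
        if seq == 0:                       # sequence numbers start at 1; 0 is never valid
            return False
        if seq > self.top:
            return True
        offset = self.top - seq
        return offset < self.width and not (self.bitmap >> offset) & 1

    def update(self, seq):
        """Commit a packet whose ICV verified: slide the window or mark its slot."""
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.width) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask if shift < self.width else 1
            self.top = seq
        else:
            offset = self.top - seq
            if offset < self.width:
                self.bitmap |= 1 << offset

    def receive(self, seq, icv_ok=True):
        """Inbound path: check, verify ICV, then update. Returns True if accepted."""
        if not self.check(seq):
            self.replays += 1
            return False
        if not icv_ok:                     # counted as 'authentication has failed', not replay
            return False
        self.update(seq)
        return True


def simulate(width, seqs, enabled=True):
    """Feed sequence numbers through one window; return (accepted list, replay count)."""
    win = AntiReplayWindow(width, enabled)
    accepted = [s for s in seqs if win.receive(s)]
    return accepted, win.replays


# Constructed arrival order: in-order start, a reordered pair, a duplicate (4), a jump to 50,
# then late packets 20 and 32 positions behind the newest, a second copy of 30, and 19.
ARRIVALS = [1, 2, 3, 5, 4, 4, 50, 30, 18, 30, 19]

if __name__ == "__main__":
    for width in (32, 64):
        print(f"window {width}:", simulate(width, ARRIVALS))
```

With a 32-slot window, packet 18 arrives 32 positions behind packet 50 and is dropped as a replay even though it was never seen; with 64 slots it is accepted, while the genuine duplicates (the second 4 and the second 30) are still rejected by both. The check/update split matters: a receiver that marked the slot before verifying the ICV could be made to drop a legitimate packet by an attacker who sends a forged one with the same sequence number first.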

ipsec invalid-spi-recovery enable

Use ipsec invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.

Use undo ipsec invalid-spi-recovery enable to restore the default.

Syntax

ipsec invalid-spi-recovery enable

undo ipsec invalid-spi-recovery enable

Default

The invalid SPI recovery is disabled. The receiver discards IPsec packets with invalid SPIs.

Views

System view

Default command level

2: System level

Usage guidelines

Invalid SPI recovery enables an IPsec security gateway to send an INVALID SPI NOTIFY message to its peer when it receives an IPsec packet but cannot find any SA with the specified SPI. When the peer receives the message, it deletes the SAs on its side. Then, subsequent traffic triggers the two peers to establish new SAs.

Examples

# Enable invalid SPI recovery.

<Sysname> system-view

[Sysname] ipsec invalid-spi-recovery enable
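The following Python simulation is an added example and is not part of this command reference or of H3C's implementation. It models the exchange described in the usage guidelines with two gateways, A and B, whose addresses, SPI values and event log are constructed for illustration: B loses its SAs mid-session while A keeps sending, once with invalid SPI recovery disabled and once with it enabled.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed SPI allocator; real SPIs are chosen by IKE. Values start at 256
# because the SPI range documented for 'reset ipsec sa parameters' starts there.
_spi_counter = itertools.count(256)


@dataclass
class Gateway:
    name: str
    addr: str
    invalid_spi_recovery: bool          # state of 'ipsec invalid-spi-recovery enable'
    # Inbound SAs keyed by (destination address, protocol, SPI), the same triple
    # that 'reset ipsec sa parameters' uses to name an SA.
    inbound: Dict[Tuple[str, str, int], str] = field(default_factory=dict)
    outbound_spi: Optional[int] = None  # SPI written into packets this side sends
    log: List[str] = field(default_factory=list)
    stats: Dict[str, int] = field(default_factory=lambda: {
        "delivered": 0, "dropped": 0, "notifies": 0, "negotiations": 0})


def negotiate(a: Gateway, b: Gateway) -> None:
    """Stand-in for the IKE exchange that 'subsequent traffic triggers': one SA pair."""
    spi_ab, spi_ba = next(_spi_counter), next(_spi_counter)
    a.outbound_spi, b.outbound_spi = spi_ab, spi_ba
    b.inbound[(b.addr, "esp", spi_ab)] = "active"
    a.inbound[(a.addr, "esp", spi_ba)] = "active"
    a.stats["negotiations"] += 1
    a.log.append(f"{a.name}<->{b.name}: negotiated SA pair, SPIs {spi_ab}/{spi_ba}")


def deliver(sender: Gateway, receiver: Gateway) -> str:
    """Sender emits one ESP packet; the receiver looks up the SA by the packet's SPI."""
    if sender.outbound_spi is None:
        negotiate(sender, receiver)     # interesting traffic with no SA triggers IKE
    key = (receiver.addr, "esp", sender.outbound_spi)
    if key in receiver.inbound:
        sender.stats["delivered"] += 1
        return "delivered"
    sender.stats["dropped"] += 1        # this packet is lost either way
    if not receiver.invalid_spi_recovery:
        receiver.log.append(f"{receiver.name}: no SA for SPI {key[2]}, packet discarded")
        return "dropped"
    # Recovery enabled: tell the peer, which deletes its SAs for this tunnel so the
    # next packet renegotiates instead of feeding a black hole until the lifetime ends.
    receiver.log.append(f"{receiver.name}: no SA for SPI {key[2]}, sending INVALID SPI NOTIFY")
    sender.stats["notifies"] += 1
    sender.inbound.clear()
    sender.outbound_spi = None
    sender.log.append(f"{sender.name}: INVALID SPI NOTIFY received, SAs deleted")
    return "notified"


def scenario(recovery_enabled: bool) -> dict:
    """Peer B loses its SA state mid-session (think reboot) while A keeps sending."""
    a = Gateway("A", "10.1.1.1", recovery_enabled)
    b = Gateway("B", "10.1.1.2", recovery_enabled)
    results = [deliver(a, b) for _ in range(2)]
    b.inbound.clear()
    b.outbound_spi = None               # B's SAs are gone; A still holds its copy
    results += [deliver(a, b) for _ in range(3)]
    return {"results": results, **a.stats}


if __name__ == "__main__":
    for flag in (False, True):
        print("invalid-spi-recovery", "enabled" if flag else "disabled", scenario(flag))
```

With recovery disabled, A keeps encrypting into a tunnel that B no longer knows about and every packet is discarded until A's own SA lifetime ends; with recovery enabled, a single packet is lost, A's stale SAs are deleted and the next packet renegotiates.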

ipsec policy (interface view)

Use ipsec policy to apply an IPsec policy group to an interface.

Use undo ipsec policy to remove the application.

Syntax

ipsec policy policy-name

undo ipsec policy [ policy-name ]

Views

Interface view

Default command level

2: System level

Parameters

policy-name: Specifies the name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.

Usage guidelines

Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first. An IPsec policy group can be applied to more than one interface.

With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows.

For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. If it finds an IPsec policy whose ACL matches the packet, it uses the IPsec policy to protect the packet. If it finds no ACL of the IPsec policies matches the packet, it does not provide IPsec protection for the packet and sends the packet out directly.

Examples

# Apply IPsec policy group pg1 to interface VLAN-interface 3.

<Sysname> system-view

[Sysname] interface vlan-interface 3

[Sysname-Vlan-interface3] ipsec policy pg1

Related commands

ipsec policy (system view)

ipsec policy (system view)

Use ipsec policy to create an IPsec policy and enter its view.

Use undo ipsec policy to delete the specified IPsec policies.

Syntax

ipsec policy policy-name seq-number isakmp

undo ipsec policy policy-name [ seq-number ]

Default

No IPsec policy exists.

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included.

seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535.

isakmp: Sets up SAs through IKE negotiation.

Usage guidelines

When creating an IPsec policy, you must specify the generation mode.

You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.

IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.

Examples

# Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100]

Related commands

·     ipsec policy (interface view)

·     display ipsec policy

ipsec policy isakmp template

Use ipsec policy isakmp template to create an IPsec policy by referencing an existing IPsec policy template, so that IKE can use the IPsec policy for SA negotiation.

Use undo ipsec policy with the seq-number argument to delete an IPsec policy.

Use undo ipsec policy without the seq-number argument to delete an IPsec policy group.

Syntax

ipsec policy policy-name seq-number isakmp template template-name

undo ipsec policy policy-name [ seq-number ]

Views

System view

Default command level

2: System level

Parameters

policy-name: Specifies the name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included.

seq-number: Specifies the sequence number for the IPsec policy, in the range of 1 to 65535.

isakmp template template-name: Name of the IPsec policy template to be referenced.

Usage guidelines

In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

After you create an IPsec policy by referencing an IPsec policy template, to modify the configuration for the IPsec policy, you must enter the IPsec policy template view instead of the IPsec policy view.

You cannot change the negotiation mode of an IPsec policy. To do so, you must delete the IPsec policy and then re-create it.

Examples

# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.

<Sysname> system-view

[Sysname] ipsec policy policy2 200 isakmp template temp1

Related commands

·     ipsec policy (system view)

·     ipsec policy-template

ipsec policy-template

Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.

Use undo ipsec policy-template to delete the specified IPsec policy templates.

Syntax

ipsec policy-template template-name seq-number

undo ipsec policy-template template-name [ seq-number ]

Default

No IPsec policy template exists.

Views

System view

Default command level

2: System level

Parameters

template-name: Specifies the name for the IPsec policy template, a case-insensitive string of 1 to 41 characters. No hyphen (-) can be included.

seq-number: Specifies the sequence number for the IPsec policy template, in the range of 1 to 65535.

Usage guidelines

Using the undo command without the seq-number argument deletes an IPsec policy template group.

In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Examples

# Create an IPsec policy template with the name template1 and the sequence number 100.

<Sysname> system-view

[Sysname] ipsec policy-template template1 100

[Sysname-ipsec-policy-template-template1-100]

Related commands

display ipsec policy-template

ipsec sa global-duration

Use ipsec sa global-duration to configure the global SA lifetime.

Use undo ipsec sa global-duration to restore the default.

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

Default

The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

Views

System view

Default command level

2: System level

Parameters

seconds: Specifies the time-based global SA lifetime in seconds, in the range of 180 to 604800.

kilobytes: Specifies the traffic-based global SA lifetime in kilobytes, in the range of 2560 to 4294967295.

Usage guidelines

When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.

When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.

You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it has existed for the specified time period or has processed the specified volume of traffic.

Examples

# Set the time-based global SA lifetime to 7200 seconds (2 hours).

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).

[Sysname] ipsec sa global-duration traffic-based 10240

Related commands

·     sa duration

·     display ipsec sa duration

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.

Use undo ipsec transform-set to delete an IPsec transform set.

Syntax

ipsec transform-set transform-set-name

undo ipsec transform-set transform-set-name

Default

No IPsec transform set exists.

Views

System view

Default command level

2: System level

Parameters

transform-set-name: Specifies the name of an IPsec transform set, a case-insensitive string of 1 to 32 characters.

Examples

# Create an IPsec transform set named tran1 and enter its view.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1]

Related commands

display ipsec transform-set

ipsec synchronization enable

Use ipsec synchronization enable to enable IPsec stateful failover.

Use undo ipsec synchronization enable to disable IPsec stateful failover.

Syntax

ipsec synchronization enable

undo ipsec synchronization enable

Default

IPsec stateful failover is enabled.

Views

System view

Default command level

2: System level

Usage guidelines

You enable IPsec stateful failover typically on two redundant gateways in active/standby mode to ensure instant IPsec tunnel failover for nonstop services.

Disabling IPsec stateful failover will delete all active or standby IPsec SAs and IKE SAs.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Enable IPsec stateful failover.

<Sysname> system-view

[Sysname] ipsec synchronization enable

policy enable

Use policy enable to enable the IPsec policy.

Use undo policy enable to disable the IPsec policy.

Syntax

policy enable

undo policy enable

Default

The IPsec policy is enabled.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Usage guidelines

If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.

Examples

# Enable the IPsec policy with the name policy1 and sequence number 100.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] policy enable

Related commands

·     ipsec policy (system view)

·     ipsec policy-template

reset ipsec sa

Use reset ipsec sa to clear IPsec SAs.

Syntax

reset ipsec sa [ active | parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address | standby ]

Views

User view

Default command level

2: System level

Parameters

active: Specifies all active IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI.

dest-address: Specifies the destination address, in dotted decimal notation.

protocol: Specifies the security protocol, which can be keyword ah or esp, case insensitive.

spi: Specifies the security parameter index in the range of 256 to 4294967295.

policy: Specifies IPsec SAs that use an IPsec policy.

policy-name: Specifies the name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters.

seq-number: Specifies the sequence number of the IPsec policy, in the range of 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.

remote ip-address: Specifies SAs to or from a remote address, in dotted decimal notation.

standby: Specifies all standby IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

Usage guidelines

After IKE negotiated SAs are cleared, the system sets up new SAs when IKE negotiation is triggered by interesting packets.

IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.

If you do not specify any parameter, the command clears all IPsec SAs.

If you specify neither active nor standby, the command clears both active and standby IPsec SAs.

When you clear the active IPsec SAs on the active device, the active device automatically notifies the standby device to clear the standby IPsec SAs.

When you clear the standby IPsec SAs on the standby device, the standby device re-synchronizes the IPsec service data with the active device to set up new standby IPsec SAs.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the IPsec SA with a remote IP address of 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear all IPsec SAs of IPsec policy template policy1.

<Sysname> reset ipsec sa policy policy1

# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.

<Sysname> reset ipsec sa policy policy1 10

# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.

<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000

Related commands

display ipsec sa

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax

reset ipsec statistics

Views

User view

Default command level

1: Monitor level

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

Related commands

display ipsec statistics

sa duration

Use sa duration to set an SA lifetime for the IPsec policy.

Use undo sa duration to restore the default.

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

Default

The SA lifetime of an IPsec policy equals the current global SA lifetime.

The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

seconds: Specifies the time-based SA lifetime in seconds, in the range of 180 to 604800.

kilobytes: Specifies the traffic-based SA lifetime in kilobytes, in the range of 2560 to 4294967295.

Usage guidelines

When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy that it uses. If the IPsec policy or IPsec transform set is not configured with its own lifetime settings, IKE uses the global SA lifetime settings, which are configured with the ipsec sa global-duration command.

When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those proposed by the remote.

Examples

# Set the SA lifetime for IPsec policy1 to 7200 seconds (2 hours).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
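The following Python model is an added example, not code from this command reference or from H3C. It covers the lifetime rules stated for both ipsec sa global-duration and sa duration: the per-policy value wins where configured, the global value applies otherwise, IKE keeps the shorter of the local value and the peer's proposal in each dimension, and an SA ages out when either the time or the traffic limit is reached. The peer's proposed values, the traffic pattern and the byte accounting granularity are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

GLOBAL_TIME_S = 3600           # 'ipsec sa global-duration time-based' default
GLOBAL_TRAFFIC_KB = 1843200    # 'ipsec sa global-duration traffic-based' default


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


def validate(seconds: Optional[int] = None, kilobytes: Optional[int] = None) -> None:
    """Ranges the 'sa duration' / 'ipsec sa global-duration' parameters accept."""
    if seconds is not None and not 180 <= seconds <= 604800:
        raise ValueError(f"time-based lifetime {seconds} outside 180..604800 seconds")
    if kilobytes is not None and not 2560 <= kilobytes <= 4294967295:
        raise ValueError(f"traffic-based lifetime {kilobytes} outside 2560..4294967295 KB")


def local_lifetime(policy_seconds: Optional[int], policy_kb: Optional[int],
                   global_seconds: int = GLOBAL_TIME_S,
                   global_kb: int = GLOBAL_TRAFFIC_KB) -> Lifetime:
    """Per dimension, the policy's own 'sa duration' wins where configured;
    otherwise the global value applies."""
    validate(policy_seconds, policy_kb)
    validate(global_seconds, global_kb)
    return Lifetime(policy_seconds if policy_seconds is not None else global_seconds,
                    policy_kb if policy_kb is not None else global_kb)


def negotiate_lifetime(local: Lifetime, proposed: Lifetime) -> Lifetime:
    """IKE keeps the shorter of the local value and the peer's proposal, per dimension."""
    return Lifetime(min(local.seconds, proposed.seconds),
                    min(local.kilobytes, proposed.kilobytes))


@dataclass
class IpsecSa:
    lifetime: Lifetime
    created_at: float
    bytes_processed: int = 0

    def process(self, nbytes: int, now: float) -> Optional[str]:
        """Account for traffic, then report why the SA aged out, if it did."""
        self.bytes_processed += nbytes
        if now - self.created_at >= self.lifetime.seconds:
            return "time-based"
        if self.bytes_processed // 1024 >= self.lifetime.kilobytes:
            return "traffic-based"
        return None


def run_until_expiry(policy_seconds: Optional[int], policy_kb: Optional[int],
                     proposed: Lifetime, chunk_bytes: int, step_seconds: float) -> dict:
    """Negotiate a lifetime, then push fixed-size chunks through the SA at a fixed
    rate until one of the two limits is hit."""
    negotiated = negotiate_lifetime(local_lifetime(policy_seconds, policy_kb), proposed)
    sa = IpsecSa(negotiated, created_at=0.0)
    now, reason = 0.0, None
    while reason is None:
        now += step_seconds
        reason = sa.process(chunk_bytes, now)
    return {"negotiated": negotiated, "aged_out_by": reason, "after_seconds": now,
            "after_kilobytes": sa.bytes_processed // 1024}


if __name__ == "__main__":
    # policy1 from the examples above (7200 s / 20480 KB) against a peer that
    # proposes the defaults; 1 MiB every 10 s hits the traffic limit first.
    print(run_until_expiry(7200, 20480, Lifetime(3600, 1843200), 1024 * 1024, 10))
    # No per-policy lifetime, so the global 3600 s applies and a trickle of
    # traffic lets the time limit win.
    print(run_until_expiry(None, None, Lifetime(5000, 4000000), 10 * 1024, 10))
```

The first run shows why a generous local time-based value does not by itself keep an SA alive: the peer's 3600 s proposal caps the time dimension and the 20480 KB traffic limit then expires the SA after 20 MB, long before the hour is up.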

Related commands

·     ipsec sa global-duration

·     ipsec policy (system view)

security acl

Use security acl to specify the ACL for the IPsec policy to reference.

Use undo security acl to remove the configuration.

Syntax

security acl acl-number [ aggregation | per-host ]

undo security acl

Default

An IPsec policy references no ACL.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

acl-number: Specifies the number of the ACL for the IPsec policy to reference, in the range of 3000 to 3999.

aggregation: Specifies the data flow protection mode as aggregation. This protection mode is not applicable to IPv6 data flows. This mode is configurable only in IPsec policies that use IKE negotiation.

per-host: Specifies the data flow protection mode as per-host. This protection mode is not applicable to IPv6 data flows. This mode is configurable only in IPsec policies that use IKE negotiation.

Usage guidelines

With an IKE-dependent IPsec policy configured, data flows can be protected in the following modes:

·     Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.

·     Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.

·     Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one tunnel established solely for it.

If you specify neither the aggregation nor the per-host mode, the standard mode is used.

To use the per-host mode, you only need to specify an ACL in per-host mode in the IPsec policy of the IPsec initiator. You do not need to specify the per-host keyword in the IPsec policy of the responder.

Use the per-host mode with caution. If the number of hosts to be protected is large, IPsec using the per-host mode will establish a large number of SAs, exhausting the system resources quickly.

When your device works with an old-version device, use the aggregation mode on both devices.

An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.

Examples

# Configure IPsec policy policy2 to reference ACL 3002, and set the data flow protection mode to aggregation.

<Sysname> system-view

[Sysname] acl number 3002

[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255

[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255

[Sysname-acl-adv-3002] quit

[Sysname] ipsec policy policy2 1 isakmp

[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

# Configure IPsec policy policy3 to reference ACL 3003, and set the data flow protection mode to per-host.

<Sysname> system-view

[Sysname] acl number 3003

[Sysname-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-adv-3003] quit

[Sysname] ipsec policy policy3 10 isakmp

[Sysname-ipsec-policy-isakmp-policy3-10] security acl 3003 per-host
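The following Python model is an added example and is not part of this command reference or of H3C's code. It serves two passages: the outbound lookup described under ipsec policy (interface view), where the policies of a group are tried in ascending sequence-number order and an unmatched packet leaves the interface unprotected, and the three data flow protection modes described for security acl. ACL matching is reduced to source and destination addresses with wildcard masks; the sample flows and the way tunnels are identified (one key per rule, per ACL or per host pair) are constructed assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard mask semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a ^ b) & ~w & 0xFFFFFFFF == 0


@dataclass(frozen=True)
class AclRule:
    """One 'rule permit ip source S SW destination D DW' line of an advanced ACL."""
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src, self.src_wild)
                and wildcard_match(dst, self.dst, self.dst_wild))


@dataclass(frozen=True)
class IpsecPolicy:
    name: str                    # policies sharing a name form one policy group
    seq: int                     # smaller sequence number = higher priority
    rules: Tuple[AclRule, ...]   # the ACL referenced with 'security acl'
    mode: str = "standard"       # standard | aggregation | per-host

    def matching_rule(self, src: str, dst: str) -> Optional[int]:
        for i, rule in enumerate(self.rules):
            if rule.matches(src, dst):
                return i
        return None


def select_policy(group: List[IpsecPolicy], src: str, dst: str):
    """Outbound lookup on an interface with a policy group applied: try the
    policies in ascending seq-number order; the first whose ACL permits the
    packet protects it. None means the packet leaves without IPsec protection."""
    for policy in sorted(group, key=lambda p: p.seq):
        idx = policy.matching_rule(src, dst)
        if idx is not None:
            return policy, idx
    return None


def tunnel_key(policy: IpsecPolicy, rule_idx: int, src: str, dst: str) -> tuple:
    """Identity of the tunnel (SA pair) that carries a flow under each protection mode."""
    if policy.mode == "aggregation":        # one tunnel for every rule of the ACL
        return (policy.name, policy.seq)
    if policy.mode == "per-host":           # one tunnel per host pair within a rule
        return (policy.name, policy.seq, rule_idx, src, dst)
    return (policy.name, policy.seq, rule_idx)  # standard: one tunnel per ACL rule


def tunnels_for(group: List[IpsecPolicy], flows: List[Tuple[str, str]]) -> dict:
    """How many tunnels a set of (src, dst) flows would establish, and which go in clear."""
    keys, unprotected = set(), []
    for src, dst in flows:
        hit = select_policy(group, src, dst)
        if hit is None:
            unprotected.append((src, dst))
        else:
            keys.add(tunnel_key(hit[0], hit[1], src, dst))
    return {"tunnels": len(keys), "unprotected": unprotected}


# Constructed samples built from the two ACLs in the examples above.
ACL_3002 = (AclRule("10.1.2.1", "0.0.0.255", "10.1.2.2", "0.0.0.255"),
            AclRule("10.1.3.1", "0.0.0.255", "10.1.3.2", "0.0.0.255"))
ACL_3003 = (AclRule("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),)


def demo_modes(mode: str) -> dict:
    """Fifty host pairs through policy3/ACL 3003 plus one flow no rule permits."""
    group = [IpsecPolicy("policy3", 10, ACL_3003, mode)]
    flows = [(f"10.1.1.{h}", f"10.1.2.{h}") for h in range(1, 51)]
    flows.append(("192.0.2.1", "10.1.2.9"))
    return tunnels_for(group, flows)


def demo_ordering() -> int:
    """A broad seq-20 policy listed before a narrow seq-10 one: seq 10 still wins."""
    broad = (AclRule("10.1.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255"),)
    group = [IpsecPolicy("pg", 20, broad), IpsecPolicy("pg", 10, ACL_3003)]
    return select_policy(group, "10.1.1.5", "10.1.2.5")[0].seq


if __name__ == "__main__":
    for mode in ("standard", "aggregation", "per-host"):
        print(mode, demo_modes(mode))
    print("winning seq:", demo_ordering())
```

Running demo_modes for the three modes makes the resource caveat concrete: the same fifty host pairs need one tunnel in standard or aggregation mode but fifty in per-host mode, and the flow outside the ACL is listed as unprotected, which is the case to look for when checking whether an interface silently forwards traffic in clear.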

Related commands

ipsec policy (system view)

synchronization anti-replay-interval

Use synchronization anti-replay-interval to set the inbound anti-replay window synchronization interval and the outbound anti-replay sequence number synchronization interval.

Use undo synchronization anti-replay-interval to restore the defaults.

Syntax

synchronization anti-replay-interval inbound inbound-number outbound outbound-number

undo synchronization anti-replay-interval

Default

The inbound anti-replay window synchronization interval is 1000, and the outbound anti-replay sequence number synchronization interval is 100000.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

inbound-number: Interval at which the device, when functioning as the active device, synchronizes the inbound anti-replay window to the standby device. It is expressed in the number of received packets and in the range of 0 to 1000. If you set the argument to 0, inbound anti-replay window synchronization is disabled.

outbound-number: Interval at which the device, when functioning as the active device, synchronizes the outbound anti-replay sequence number to the standby device. It is expressed in the number of sent packets and in the range of 1000 to 100000.

Usage guidelines

In an IPsec stateful failover scenario, the active device regularly synchronizes anti-replay information to the standby device. When the active device fails, the standby device continues to provide the anti-replay service based on the synchronized anti-replay information.

A short interval improves the anti-replay information consistency between the active device and the standby device, but also increases the anti-replay information synchronization frequency and the impact on the performance of the devices.

Support for this command depends on the device model. For more information, see About the H3C Access Controllers Command References.

Examples

# Set the inbound anti-replay window synchronization interval to 800 and the outbound anti-replay sequence number synchronization interval to 50000.

<Sysname> system-view

[Sysname] ipsec policy test 10 isakmp

[Sysname-ipsec-policy-isakmp-test-10] synchronization anti-replay-interval inbound 800 outbound 50000
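The following Python model is an added example, not code from this command reference or from H3C. It serves two passages: the sliding anti-replay window configured with ipsec anti-replay window (accepted widths 32 to 1024, fixed per SA at creation), and the synchronization intervals configured here. The window is an RFC 4303-style bitmap; how the active device packages the window for the standby, and the choice to count only accepted packets toward the inbound interval, are assumptions of the model. The failover scenarios quantify the trade-off stated in the usage guidelines: a larger interval means fewer synchronization messages but a wider gap of packets the standby cannot judge after a failover.

```python
from typing import Tuple

WINDOW_SIZES = (32, 64, 128, 256, 512, 1024)   # widths 'ipsec anti-replay window' accepts


class AntiReplayWindow:
    """Sliding window over AH/ESP sequence numbers for the inbound side of one SA.
    The width is fixed when the SA is created, matching the note that a width
    change affects only SAs negotiated later."""

    def __init__(self, width: int = 32):
        if width not in WINDOW_SIZES:
            raise ValueError(f"window width must be one of {WINDOW_SIZES}")
        self.width = width
        self.top = 0           # highest sequence number accepted so far
        self.bitmap = 0        # bit i set: sequence number (top - i) already seen
        self.received = 0      # accepted packets; drives the inbound sync interval

    def check_and_update(self, seq: int) -> str:
        """Returns 'accept', 'replay' or 'stale'. Call this only after the packet's
        integrity check passed, otherwise forged sequence numbers move the window."""
        if seq <= 0:
            return "stale"
        if seq > self.top:                           # right of the window: slide it
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
        else:
            offset = self.top - seq
            if offset >= self.width:
                return "stale"                       # left of the window: undecidable, reject
            if (self.bitmap >> offset) & 1:
                return "replay"
            self.bitmap |= 1 << offset
        self.received += 1
        return "accept"

    def snapshot(self) -> Tuple[int, int]:
        return self.top, self.bitmap

    def restore(self, state: Tuple[int, int]) -> None:
        self.top, self.bitmap = state


class FailoverPair:
    """Active device copies its inbound window to the standby every `inbound_interval`
    accepted packets (0 disables), as 'synchronization anti-replay-interval inbound' does."""

    def __init__(self, width: int, inbound_interval: int):
        if not 0 <= inbound_interval <= 1000:
            raise ValueError("inbound interval must be 0..1000 packets")
        self.active, self.standby = AntiReplayWindow(width), AntiReplayWindow(width)
        self.interval = inbound_interval
        self.sync_messages = 0

    def receive_on_active(self, seq: int) -> str:
        result = self.active.check_and_update(seq)
        if result == "accept" and self.interval and self.active.received % self.interval == 0:
            self.standby.restore(self.active.snapshot())
            self.sync_messages += 1
        return result


def replay_exposure(inbound_interval: int, packets_before_failover: int, width: int = 64) -> dict:
    """Receive N packets on the active device, fail over, then replay all N against
    the standby: packets newer than its last synced window are wrongly accepted."""
    pair = FailoverPair(width, inbound_interval)
    for seq in range(1, packets_before_failover + 1):
        pair.receive_on_active(seq)
    new_active = pair.standby                        # takes over with its last synced state
    accepted = sum(new_active.check_and_update(seq) == "accept"
                   for seq in range(1, packets_before_failover + 1))
    return {"sync_messages": pair.sync_messages, "accepted_replays": accepted}


def outbound_gap(outbound_interval: int, sent_before_failover: int, width: int = 64) -> int:
    """Outbound side: the remote peer's window has seen every number the active device
    sent. A standby resuming from the last synced counter (every `outbound_interval`
    sent packets) has its first packets rejected until it overtakes the peer's window."""
    if not 1000 <= outbound_interval <= 100000:
        raise ValueError("outbound interval must be 1000..100000 packets")
    remote = AntiReplayWindow(width)
    for seq in range(1, sent_before_failover + 1):
        remote.check_and_update(seq)
    synced = (sent_before_failover // outbound_interval) * outbound_interval
    rejected = 0
    for seq in range(synced + 1, sent_before_failover + 2):
        if remote.check_and_update(seq) != "accept":
            rejected += 1
    return rejected


if __name__ == "__main__":
    for interval in (0, 10, 100):
        print("inbound interval", interval, replay_exposure(interval, 250))
    print("outbound packets rejected after failover:", outbound_gap(1000, 2500))
```

The inbound numbers are the ones to weigh when picking an interval: with interval 0 the standby has no window at all and accepts every replayed packet after a failover; with interval 100 it accepts the packets received since the last synchronization; with interval 10 it accepts none, at the cost of ten times as many synchronization messages.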

Related commands

·     display ipsec policy

·     display ipsec policy-template

transform

Use transform to specify a security protocol for an IPsec transform set.

Use undo transform to restore the default.

Syntax

transform { ah | ah-esp | esp }

undo transform

Default

The ESP protocol is used.

Views

IPsec transform set view

Default command level

2: System level

Parameters

ah: Uses the AH protocol.

ah-esp: Uses ESP first and then AH.

esp: Uses the ESP protocol.

Usage guidelines

The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.

Examples

# Configure IPsec transform set prop1 to use AH.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform ah

Related commands

ipsec transform-set

transform-set

Use transform-set to specify an IPsec transform set for the IPsec policy to reference.

Use undo transform-set to remove an IPsec transform set referenced by the IPsec policy.

Syntax

transform-set transform-set-name&<1-6>

undo transform-set [ transform-set-name ]

Default

An IPsec policy references no IPsec transform set.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

transform-set-name&<1-6>: Specifies the name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, which are separated by space.

Usage guidelines

The specified IPsec transform sets must already exist.

An IKE negotiated IPsec policy can reference up to six IPsec transform sets. The IKE negotiation process will search for and use the exactly matched transform set.

Examples

# Configure IPsec policy policy1 to reference IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] quit

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] transform-set tran1

Related commands

·     ipsec transform-set

·     ipsec policy (system view)

 


IKE configuration commands

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { md5 | sha | sha256 }

undo authentication-algorithm

Default

An IKE proposal uses the SHA1 authentication algorithm in non-FIPS mode and the SHA256 authentication algorithm in FIPS mode.

Views

IKE proposal view

Default command level

2: System level

Parameters

md5: Uses HMAC-MD5.

sha: Uses HMAC-SHA1.

sha256: Uses HMAC-SHA256.

Usage guidelines

In FIPS mode, MD5 is not supported.

Examples

# Set MD5 as the authentication algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-algorithm md5

Related commands

·     ike proposal

·     display ike proposal

authentication-method

Use authentication-method to specify an authentication method for an IKE proposal.

Use undo authentication-method to restore the default.

Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

Default

An IKE proposal uses the pre-shared key authentication method.

Views

IKE proposal view

Default command level

2: System level

Parameters

pre-share: Uses the pre-shared key method.

rsa-signature: Uses the RSA digital signature method.

Examples

# Specify that IKE proposal 10 uses the pre-shared key authentication method.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-method pre-share

Related commands

·     ike proposal

·     display ike proposal

certificate domain

Use certificate domain to configure the PKI domain of the certificate when IKE uses digital signature as the authentication mode.

Use undo certificate domain to remove the configuration.

Syntax

certificate domain domain-name

undo certificate domain

Views

IKE peer view

Default command level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Examples

# Configure the PKI domain as abcde for IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] certificate domain abcde

Related commands

·     authentication-method

·     pki domain

dh

Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.

Use undo dh to restore the default.

Syntax

In non-FIPS mode:

dh { group1 | group2 | group5 | group14 }

undo dh

In FIPS mode:

dh group14

undo dh

Default

In non-FIPS mode, group1, the 768-bit Diffie-Hellman group, is used. In FIPS mode, group14, the 2048-bit Diffie-Hellman group, is used.

Views

IKE proposal view

Default command level

2: System level

Parameters

group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.

group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.

group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.

group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.

Examples

# Specify 768-bit Diffie-Hellman for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] dh group1

Related commands

·     ike proposal

·     display ike proposal

display ike dpd

Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.

Syntax

display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

dpd-name: Specifies the DPD name, a string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all DPD detectors.

Examples

# Display information about all DPD detectors.

<Sysname> display ike dpd

 

---------------------------

 IKE dpd: dpd1

   references: 1

   interval-time: 10

   time_out: 5

---------------------------

Table 10 Command output

Field           Description

references      Number of IKE peers that use the DPD detector.

interval-time   DPD query triggering interval in seconds.

time_out        DPD packet retransmission interval in seconds.

Related commands

ike dpd

display ike peer

Use display ike peer to display information about IKE peers.

Syntax

display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

peer-name: Specifies the name of the IKE peer, a string of 1 to 32 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IKE peers.

Examples

# Display information about all IKE peers.

<Sysname> display ike peer

 

---------------------------

 IKE Peer: rtb4tunn

   exchange mode: main on phase 1

   pre-shared-key ******

   peer id type: ip

   peer ip address: 44.44.44.55

   local ip address:

   peer name:

   nat traversal: disable

   dpd: dpd1

---------------------------

Table 11 Command output

Field              Description

exchange mode      IKE negotiation mode in phase 1.

pre-shared-key     Pre-shared key used in phase 1, displayed as ******.

peer id type       ID type used in phase 1.

peer ip address    IP address of the remote security gateway.

local ip address   IP address of the local security gateway.

peer name          Name of the remote security gateway.

nat traversal      Whether NAT traversal is enabled.

dpd                Name of the peer DPD detector.

Related commands

ike peer

display ike proposal

Use display ike proposal to view the settings of all IKE proposals.

Syntax

display ike proposal [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command displays the configuration information of all IKE proposals in the descending order of proposal priorities.

Examples

# Display the settings of all IKE proposals.

<Sysname> display ike proposal

priority authentication authentication encryption Diffie-Hellman duration

              method       algorithm    algorithm     group       (seconds)

--------------------------------------------------------------------------

 10       PRE_SHARED     SHA            DES_CBC    MODP_1024      5000

 11       PRE_SHARED     MD5            DES_CBC    MODP_768       50000

 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400

Table 12 Command output

Field                      Description

priority                   Priority of the IKE proposal.

authentication method      Authentication method used by the IKE proposal.

authentication algorithm   Authentication algorithm used by the IKE proposal.

encryption algorithm       Encryption algorithm used by the IKE proposal.

Diffie-Hellman group       DH group used in IKE negotiation phase 1.

duration (seconds)         ISAKMP SA lifetime (in seconds) of the IKE proposal.
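The following Python model is an added example and is not part of this command reference or of H3C's implementation. It ties together the IKE proposal commands above: the keyword sets of authentication-algorithm and dh, the FIPS restrictions stated for them (no MD5, only group14), and the priority order in which display ike proposal lists proposals. The proposal selection rule (first local proposal, in priority order, whose four algorithm parameters the peer also offers, with lifetime excluded from the match and the shorter value kept), the peer's offered proposals, and the DEFAULT_PRIORITY stand-in for the "default" row are assumptions of the model, not documented behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

DH_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}  # 'dh' parameters
AUTH_ALGS = {"md5", "sha", "sha256"}         # 'authentication-algorithm' keywords
FIPS_AUTH_ALGS = {"sha", "sha256"}           # MD5 is not supported in FIPS mode
FIPS_DH_GROUPS = {"group14"}                 # only 'dh group14' exists in FIPS mode
DEFAULT_PRIORITY = 65536   # constructed stand-in for the 'default' row, which sorts last


@dataclass(frozen=True)
class IkeProposal:
    priority: int                    # 'ike proposal <n>': smaller number, higher priority
    auth_method: str = "pre-share"   # authentication-method default
    auth_alg: str = "sha"            # authentication-algorithm default (non-FIPS)
    enc_alg: str = "des-cbc"         # encryption-algorithm is documented outside this excerpt
    dh: str = "group1"               # dh default (non-FIPS)
    duration: int = 86400            # ISAKMP SA lifetime in seconds


def validate(p: IkeProposal, fips: bool) -> List[str]:
    """Configuration checks mirroring the constraints stated in the command descriptions."""
    problems = []
    if p.auth_alg not in AUTH_ALGS:
        problems.append(f"proposal {p.priority}: unknown authentication algorithm {p.auth_alg}")
    if p.dh not in DH_BITS:
        problems.append(f"proposal {p.priority}: unknown DH group {p.dh}")
    if fips and p.auth_alg not in FIPS_AUTH_ALGS:
        problems.append(f"proposal {p.priority}: {p.auth_alg} is not allowed in FIPS mode")
    if fips and p.dh not in FIPS_DH_GROUPS:
        problems.append(f"proposal {p.priority}: {p.dh} ({DH_BITS.get(p.dh)} bits) "
                        "is not allowed in FIPS mode")
    return problems


def validate_all(proposals: List[IkeProposal], fips: bool) -> List[str]:
    return [msg for p in proposals for msg in validate(p, fips)]


def display_order(proposals: List[IkeProposal]) -> List[int]:
    """Priorities in the order 'display ike proposal' lists them (highest priority first)."""
    return [p.priority for p in sorted(proposals, key=lambda p: p.priority)]


def select(local: List[IkeProposal], offered: List[IkeProposal]) -> Optional[Tuple[int, int]]:
    """Phase-1 proposal choice as modelled here: walk the local proposals in priority
    order and take the first whose authentication method, authentication algorithm,
    encryption algorithm and DH group the peer also offered. Lifetime is assumed not
    to take part in the match; the shorter of the two values is kept."""
    for lp in sorted(local, key=lambda p: p.priority):
        for rp in offered:
            if (lp.auth_method, lp.auth_alg, lp.enc_alg, lp.dh) == \
               (rp.auth_method, rp.auth_alg, rp.enc_alg, rp.dh):
                return lp.priority, min(lp.duration, rp.duration)
    return None


# Constructed to match the 'display ike proposal' output above
# (MODP_1024 = group2, MODP_768 = group1).
LOCAL = [
    IkeProposal(10, "pre-share", "sha", "des-cbc", "group2", 5000),
    IkeProposal(11, "pre-share", "md5", "des-cbc", "group1", 50000),
    IkeProposal(DEFAULT_PRIORITY, "pre-share", "sha", "des-cbc", "group1", 86400),
]
# A constructed peer that offers both an MD5 and a SHA1 variant with the 768-bit group.
OFFERED = [
    IkeProposal(1, "pre-share", "md5", "des-cbc", "group1", 28800),
    IkeProposal(2, "pre-share", "sha", "des-cbc", "group1", 28800),
]


if __name__ == "__main__":
    print("display order:", display_order(LOCAL))
    print("selected (priority, lifetime):", select(LOCAL, OFFERED))
    for line in validate_all(LOCAL, fips=True):
        print(line)
```

The selection result is the point to check after editing proposals: because proposal 11 outranks the default proposal, the peer above ends up on HMAC-MD5 with the 768-bit group even though a SHA1 match was available, and none of the three proposals would be accepted in FIPS mode.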

 

Related commands

·     authentication-method

·     ike proposal

·     encryption-algorithm

·     authentication-algorithm

·     dh

·     sa duration

display ike sa

Use display ike sa to display information about the current IKE SAs.

Syntax

display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

active: Displays the summary of active IKE SAs and IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

standby: Displays the summary of standby IKE SAs and IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.

remote-address remote-address: Displays detailed information about IKE SAs with the specified remote address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

exclude: Displays all lines that do not match the specified regular expression.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.

Examples

# Display brief information about the current IKE SAs.

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST        1      IPSEC

      2            202.38.0.2      RD|ST        2      IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Table 13 Command output

Field               Description
total phase-1 SAs   Total number of SAs for phase 1.
connection-id       Identifier of the ISAKMP SA.
peer                Remote IP address of the SA.
flag                Status of the SA:
                    ·  RD (READY)—The SA has been established.
                    ·  ST (STAYALIVE)—This end is the initiator of the tunnel negotiation.
                    ·  RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later.
                    ·  FD (FADING)—The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over.
                    ·  TO (TIMEOUT)—The SA has received no keepalive packets after the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
phase               The phase the SA belongs to:
                    ·  Phase 1—The phase for establishing the ISAKMP SA.
                    ·  Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase.
doi                 Domain of interpretation (DOI) the SA belongs to.

 
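The brief output above is what an operator polls to catch tunnels that are timing out or fading before users notice. The following Python script is an added example, not part of this command reference and not H3C software: it parses the brief display ike sa format documented in Table 13, cross-checks the printed phase-1 total against the rows listed, and reports every SA carrying the TO or FD flag. The sample output it runs on is constructed from that format (the third and fourth rows are invented for illustration), and the alert rule is the example's own choice.

```python
"""Parse brief 'display ike sa' output and surface SAs in TIMEOUT or FADING state.
Added example; not H3C code. SAMPLE_OUTPUT is constructed from the documented format."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample following the documented output layout.
SAMPLE_OUTPUT = """\
    total phase-1 SAs:  2
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST        1      IPSEC
      2            202.38.0.2      RD|ST        2      IPSEC
      3            202.38.0.9      RD|TO        1      IPSEC
      4            202.38.0.9      RD|FD        2      IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

# Legend as printed by the device (Table 13).
FLAG_MEANING = {
    "RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED",
    "FD": "FADING", "TO": "TIMEOUT",
}

# TO: keepalives are being missed and the SA is one timeout away from deletion.
# FD: the soft lifetime passed; the SA survives only until the hard lifetime.
ALERT_FLAGS = {"TO", "FD"}

# One data row: connection id, peer address, flag set, phase (1 or 2), DOI.
SA_ROW = re.compile(
    r"^\s*(?P<cid>\d+)\s+(?P<peer>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<flags>[A-Z|]+)\s+(?P<phase>[12])\s+(?P<doi>\S+)\s*$"
)


@dataclass(frozen=True)
class IkeSa:
    connection_id: int
    peer: str
    flags: FrozenSet[str]
    phase: int
    doi: str


def parse_ike_sa_brief(text: str) -> List[IkeSa]:
    """Return the SA rows found in brief 'display ike sa' output."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue  # header, separator, legend or blank line
        flags = frozenset(m.group("flags").split("|"))
        unknown = flags - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in line {line!r}")
        sas.append(IkeSa(int(m.group("cid")), m.group("peer"), flags,
                         int(m.group("phase")), m.group("doi")))
    return sas


def phase1_count(text: str) -> Optional[int]:
    """The value the device printed in its 'total phase-1 SAs' line."""
    m = re.search(r"total phase-1 SAs:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def check_consistency(text: str) -> bool:
    """True when the printed phase-1 total matches the phase-1 rows actually listed."""
    listed = sum(1 for sa in parse_ike_sa_brief(text) if sa.phase == 1)
    return listed == phase1_count(text)


def find_alerts(sas: List[IkeSa]) -> List[Tuple[int, str, str]]:
    """(connection id, peer, flag meaning) for every SA carrying an alert flag."""
    alerts = []
    for sa in sas:
        for flag in sorted(sa.flags & ALERT_FLAGS):
            alerts.append((sa.connection_id, sa.peer, FLAG_MEANING[flag]))
    return alerts


if __name__ == "__main__":
    for cid, peer, meaning in find_alerts(parse_ike_sa_brief(SAMPLE_OUTPUT)):
        print(f"connection {cid} to {peer}: {meaning}")
```

Feed it the output of display ike sa collected over SSH or from a syslog-forwarded CLI session; a TIMEOUT row that persists across two polls is the signal to look at the keepalive timers on both peers, and a FADING row that never goes away usually means rekeying is failing.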

# Display detailed information about the current IKE SAs.

<Sysname> display ike sa verbose

    ---------------------------------------------

    connection id: 2

    transmitting entity: initiator

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: DES-CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 86379

    exchange-mode: MAIN

# Display detailed information about the IKE SA with the connection ID of 2.

<Sysname> display ike sa verbose connection-id 2

    ---------------------------------------------

    connection id: 2

    transmitting entity: initiator

    status: active

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: DES-CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 82480

    exchange-mode: MAIN

# Display detailed information about the IKE SA with the remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5

    ---------------------------------------------

    connection id: 2

    transmitting entity: initiator

    status: active

    ---------------------------------------------

    local ip: 4.4.4.4

    local id type: IPV4_ADDR

    local id: 4.4.4.4

 

    remote ip: 4.4.4.5

    remote id type: IPV4_ADDR

    remote id: 4.4.4.5

 

    authentication-method: PRE-SHARED-KEY

    authentication-algorithm: HASH-SHA1

    encryption-algorithm: DES-CBC

 

    life duration(sec): 86400

    remaining key duration(sec): 82236

    exchange-mode: MAIN

    nat traversal: NO

Table 14 Command output

Field                         Description
connection id                 Identifier of the ISAKMP SA.
transmitting entity           Role of the local end in the IKE negotiation.
local ip                      IP address of the local gateway.
local id type                 Identifier type of the local gateway.
local id                      Identifier of the local gateway.
remote ip                     IP address of the remote gateway.
remote id type                Identifier type of the remote gateway.
remote id                     Identifier of the remote security gateway.
authentication-method         Authentication method used by the IKE proposal.
authentication-algorithm      Authentication algorithm used by the IKE proposal.
encryption-algorithm          Encryption algorithm used by the IKE proposal.
life duration(sec)            Lifetime of the ISAKMP SA in seconds.
remaining key duration(sec)   Remaining lifetime of the ISAKMP SA in seconds.
exchange-mode                 IKE negotiation mode in phase 1.
nat traversal                 Whether NAT traversal is enabled.

 

Related commands

·     ike proposal

·     ike peer

dpd

Use dpd to apply a DPD detector to an IKE peer.

Use undo dpd to remove the application.

Syntax

dpd dpd-name

undo dpd

Default

No DPD detector is applied to an IKE peer.

Views

IKE peer view

Default command level

2: System level

Parameters

dpd-name: Specifies the DPD detector name, a string of 1 to 32 characters.

Examples

# Apply dpd1 to IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] dpd dpd1

encryption-algorithm

Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.

Use undo encryption-algorithm to restore the default.

Syntax

encryption-algorithm { 3des-cbc | aes-cbc [ key-length ] | des-cbc }

undo encryption-algorithm

Default

In FIPS mode, an IKE proposal uses 128-bit AES-CBC for encryption.

In non-FIPS mode, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.

Views

IKE proposal view

Default command level

2: System level

Parameters

3des-cbc: Uses the 3DES algorithm in CBC mode as the encryption algorithm. The 3DES algorithm uses 168-bit keys for encryption. In FIPS mode, 3DES-CBC is not supported.

aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.

key-length: Specifies the key length for the AES algorithm, which can be 128, 192, or 256 bits. The default is 128 bits.

des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption. In FIPS mode, DES-CBC is not supported.

Examples

# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] encryption-algorithm des-cbc

Related commands

·     ike proposal

·     display ike proposal

exchange-mode

Use exchange-mode to select an IKE negotiation mode.

Use undo exchange-mode to restore the default.

Syntax

exchange-mode { aggressive | main }

undo exchange-mode

Default

Main mode is used.

Views

IKE peer view

Default command level

2: System level

Parameters

aggressive: Specifies the aggressive mode.

main: Specifies the main mode.

Usage guidelines

When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, H3C recommends setting the IKE negotiation mode to aggressive at the local end.

In FIPS mode, the aggressive mode is not supported.

Examples

# Specify that IKE negotiation operates in main mode.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] exchange-mode main

Related commands

id-type

id-type

Use id-type to select the type of the ID for IKE negotiation.

Use undo id-type to restore the default.

Syntax

id-type { ip | name | user-fqdn }

undo id-type

Default

The ID type is IP address.

Views

IKE peer view

Default command level

2: System level

Parameters

ip: Uses an IP address as the ID during IKE negotiation.

name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.

user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.

Usage guidelines

In main mode, only the IP address ID type can be used in IKE negotiation and SA creation. In aggressive mode, any of the ID types can be used.

If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, [email protected].

Examples

# Use the ID type of name during IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] id-type name

Related commands

·     local-name

·     ike local-name

·     remote-name

·     remote-address

·     local-address

·     exchange-mode

ike dpd

Use ike dpd to create a DPD detector and enter IKE DPD view.

Use undo ike dpd to remove a DPD detector.

Syntax

ike dpd dpd-name

undo ike dpd dpd-name

Views

System view

Default command level

2: System level

Parameters

dpd-name: Specifies the name for the DPD detector, a string of 1 to 32 characters.

Usage guidelines

DPD detects dead IKE peers on demand rather than at fixed intervals. It works as follows:

1.     When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

2.     If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

3.     If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.

4.     If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD enables an IKE entity to check the liveness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.
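The four steps above describe a small state machine, and the timers that drive it are the interval-time and time-out commands of the DPD detector. The Python model below is an added example rather than H3C code: it drives that state machine through two constructed timelines, a peer that stops answering and a peer that answers, using the defaults stated in this reference (a 10-second DPD interval, a 5-second retransmission interval, two retransmissions). The DpdDetector class, its method names and the timeline format are the example's own; a DPD acknowledgement is modelled the same way as any IPsec packet from the peer.

```python
"""Model of the DPD procedure: probe only when idle and sending, retransmit on
silence, declare the peer dead after the maximum retransmissions.
Added example; not H3C code. Timelines below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdDetector:
    interval: int = 10        # interval-time: idle seconds before a DPD hello is sent
    timeout: int = 5          # time-out: seconds between hello retransmissions
    max_retries: int = 2      # retransmissions before the peer is considered dead
    last_rx: float = 0.0      # when the last IPsec packet arrived from the peer
    hello_sent_at: Optional[float] = None  # when the outstanding hello was (re)sent
    retries: int = 0
    events: List[Tuple[float, str]] = field(default_factory=list)

    def on_receive(self, now: float) -> None:
        """Any IPsec packet (or DPD acknowledgement) from the peer proves it is alive
        and cancels a pending probe."""
        self.last_rx = now
        self.hello_sent_at = None
        self.retries = 0

    def on_send(self, now: float) -> None:
        """Steps 1 and 2: on an outbound IPsec packet, send a hello only if the peer
        has been silent longer than the DPD interval and no probe is outstanding."""
        if self.hello_sent_at is None and now - self.last_rx > self.interval:
            self.hello_sent_at = now
            self.retries = 0
            self.events.append((now, "hello"))

    def tick(self, now: float) -> bool:
        """Steps 3 and 4: once the retransmission interval passes with no answer,
        retransmit up to max_retries times, then declare the peer dead.
        Returns True when the IKE SA and its IPsec SAs should be cleared."""
        if self.hello_sent_at is None or now - self.hello_sent_at < self.timeout:
            return False
        if self.retries < self.max_retries:
            self.retries += 1
            self.hello_sent_at = now
            self.events.append((now, f"retransmit {self.retries}"))
            return False
        self.events.append((now, "peer dead: clear IKE SA and IPsec SAs"))
        return True


def simulate(detector: DpdDetector, timeline) -> Optional[float]:
    """Drive the detector with (time, event) pairs; event is 'rx' (packet from the
    peer), 'tx' (local IPsec send) or 'tick' (timer). Returns the time the peer
    was declared dead, or None if it stayed alive."""
    for now, event in timeline:
        if event == "rx":
            detector.on_receive(now)
        elif event == "tx":
            detector.on_send(now)
        elif detector.tick(now):
            return now
    return None


def dead_peer_scenario():
    """Peer goes silent at t=0; local traffic at t=5 is too early to probe,
    traffic at t=12 triggers the hello, then two retransmissions, then death."""
    d = DpdDetector()
    d.on_receive(0)
    timeline = [(5, "tx"), (12, "tx")] + [(t, "tick") for t in range(13, 40)]
    return simulate(d, timeline), d.events


def live_peer_scenario():
    """Same start, but the peer answers the hello two seconds later: one probe, no retransmission."""
    d = DpdDetector()
    d.on_receive(0)
    timeline = [(12, "tx"), (13, "tick"), (14, "rx")] + [(t, "tick") for t in range(15, 40)]
    return simulate(d, timeline), d.events


if __name__ == "__main__":
    print("dead peer:", dead_peer_scenario())
    print("live peer:", live_peer_scenario())
```

In the dead-peer run the hello goes out at 12, retransmissions at 17 and 22, and the SAs are cleared at 27: that is interval + (max_retries + 1) × time-out after the triggering packet, which is the figure to keep in mind when choosing the two timers.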

Examples

# Create a DPD detector named dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

Related commands

·     display ike dpd

·     interval-time

·     time-out

ike local-name

Use ike local-name to configure a name for the local security gateway.

Use undo ike local-name to restore the default.

Syntax

ike local-name name

undo ike local-name

Default

The device name is used as the name of the local security gateway.

Views

System view

Default command level

2: System level

Parameters

name: Specifies the name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID when it initiates IKE negotiation, so you must configure that name on the local device with either the ike local-name command in system view or the local-name command in IKE peer view. If you configure both the ike local-name command and the local-name command, the name configured by the local-name command is used.

The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Examples

# Configure the local security gateway name as app.

<Sysname> system-view

[Sysname] ike local-name app

Related commands

·     remote-name

·     id-type

ike next-payload check disabled

Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation. This allows interoperation with products that set the field to a value other than zero.

Use undo ike next-payload check disabled to restore the default.

Syntax

ike next-payload check disabled

undo ike next-payload check disabled

Default

The Next payload field is checked.

Views

System view

Default command level

2: System level

Examples

# Disable Next payload field checking for the last payload of an IKE message.

<Sysname> system-view

[Sysname] ike next-payload check disabled

ike peer (system view)

Use ike peer to create an IKE peer and enter IKE peer view.

Use undo ike peer to delete an IKE peer.

Syntax

ike peer peer-name

undo ike peer peer-name

Views

System view

Default command level

2: System level

Parameters

peer-name: Specifies the IKE peer name, a string of 1 to 32 characters.

Examples

# Create an IKE peer named peer1 and enter IKE peer view.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1]

ike proposal

Use ike proposal to create an IKE proposal and enter IKE proposal view.

Use undo ike proposal to delete an IKE proposal.

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

Views

System view

Default command level

2: System level

Parameters

proposal-number: Specifies the IKE proposal number in the range of 1 to 65535. A lower number represents a higher priority. During IKE negotiation, a high-priority IKE proposal is matched before a low-priority IKE proposal.

Usage guidelines

The system provides a default IKE proposal, which has the lowest priority and uses the settings as shown in Table 15:

Table 15 Default values in non-FIPS mode and FIPS mode

Default parameter          Default value in non-FIPS mode   Default value in FIPS mode
Encryption algorithm       DES-CBC                          AES_CBC_128
Authentication algorithm   HMAC-SHA1                        SHA
Authentication method      Pre-shared key                   Pre-shared key
DH group                   MODP_768                         MODP_1024
SA lifetime                86400 seconds                    86400 seconds

 

Examples

# Create IKE proposal 10 and enter IKE proposal view.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10]

Related commands

display ike proposal

ike sa keepalive-timer interval

Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.

Use undo ike sa keepalive-timer interval to disable the ISAKMP SA keepalive transmission function.

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

Default

No keepalive packet is sent.

Views

System view

Default command level

2: System level

Parameters

seconds: Specifies the transmission interval of ISAKMP SA keepalives in seconds, in the range of 20 to 28800.

Usage guidelines

The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.

Examples

# Set the keepalive interval to 200 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer interval 200

Related commands

ike sa keepalive-timer timeout

ike sa keepalive-timer timeout

Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.

Use undo ike sa keepalive-timer timeout to disable the function.

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

Default

No keepalive packet is sent.

Views

System view

Default command level

2: System level

Parameters

seconds: Specifies the ISAKMP SA keepalive timeout in seconds, in the range of 20 to 28800.

Usage guidelines

The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Because it seldom happens that more than three consecutive packets are lost on a network, you can set the keepalive timeout to three times the keepalive interval.
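The guidelines for ike sa keepalive-timer interval and ike sa keepalive-timer timeout are both relations between two devices, which is where misconfigurations hide: each side's interval has to be shorter than the other side's timeout. The Python checker below is an added example, not H3C code. Given the interval and timeout configured on two peers, it reports any value outside the documented 20 to 28800 range, any interval that is not shorter than the other side's timeout, and any timeout below the recommended three times the interval. The peer configurations are constructed, and the check_keepalive_pair function and its dict layout are the example's own.

```python
"""Consistency check for ISAKMP SA keepalive timers on the two peers of a tunnel.
Added example; not H3C code. HUB and SPOKE_* configurations are constructed."""
from typing import Dict, List, Optional

INTERVAL_RANGE = (20, 28800)   # seconds, 'ike sa keepalive-timer interval'
TIMEOUT_RANGE = (20, 28800)    # seconds, 'ike sa keepalive-timer timeout'
RECOMMENDED_RATIO = 3          # timeout of three times the interval, per the guideline

Config = Dict[str, Optional[int]]  # keys 'interval' and 'timeout', seconds, None = unset


def check_keepalive_pair(local: Config, remote: Config) -> List[str]:
    """Return findings for the pair; an empty list means the timers are consistent."""
    findings = []
    # Range checks on whatever is configured on either side.
    for side, cfg in (("local", local), ("remote", remote)):
        for name, (lo, hi) in (("interval", INTERVAL_RANGE), ("timeout", TIMEOUT_RANGE)):
            value = cfg.get(name)
            if value is not None and not lo <= value <= hi:
                findings.append(f"{side} {name} {value}s is outside {lo}-{hi}s")
    # A device's keepalive interval is judged by the other device's timeout,
    # so the relation has to hold in both directions.
    for s_name, sender, j_name, judge in (("local", local, "remote", remote),
                                          ("remote", remote, "local", local)):
        interval, timeout = sender.get("interval"), judge.get("timeout")
        if interval is None or timeout is None:
            continue  # keepalive not in use in this direction
        if interval >= timeout:
            findings.append(f"{s_name} interval {interval}s is not shorter than "
                            f"{j_name} timeout {timeout}s: the SA would be deleted")
        elif timeout < RECOMMENDED_RATIO * interval:
            findings.append(f"{j_name} timeout {timeout}s is below {RECOMMENDED_RATIO}x the "
                            f"{s_name} interval (recommended {RECOMMENDED_RATIO * interval}s)")
    return findings


def lost_keepalives_tolerated(interval: int, timeout: int) -> int:
    """Consecutive keepalives that can be lost while the next one is still due
    no later than the timeout. Zero means a single lost keepalive is fatal."""
    if interval >= timeout:
        return 0
    return timeout // interval - 1


# Constructed configurations for the two peers of one tunnel.
HUB = {"interval": 200, "timeout": 600}
SPOKE_OK = {"interval": 200, "timeout": 600}
SPOKE_SHORT_TIMEOUT = {"interval": 100, "timeout": 150}   # times the hub out after 150 s
SPOKE_TIGHT_TIMEOUT = {"interval": 200, "timeout": 300}   # one lost keepalive is already fatal

if __name__ == "__main__":
    for name, spoke in (("ok", SPOKE_OK), ("short", SPOKE_SHORT_TIMEOUT),
                        ("tight", SPOKE_TIGHT_TIMEOUT)):
        print(name, check_keepalive_pair(HUB, spoke) or ["consistent"],
              "tolerated losses:", lost_keepalives_tolerated(spoke["interval"], HUB["timeout"]))
```

Run it against the values pulled from both devices' running configuration before a change window; the asymmetric case (hub interval 200, spoke timeout 150) is the one that passes a single-device review and still drops the tunnel.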

Examples

# Set the keepalive timeout to 20 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer timeout 20

Related commands

ike sa keepalive-timer interval

ike sa nat-keepalive-timer interval

Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval.

Use undo ike sa nat-keepalive-timer interval to disable the function.

Syntax

ike sa nat-keepalive-timer interval seconds

undo ike sa nat-keepalive-timer interval

Default

The NAT keepalive interval is 20 seconds.

Views

System view

Default command level

2: System level

Parameters

seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ike sa nat-keepalive-timer interval 5

interval-time

Use interval-time to set the DPD query triggering interval for a DPD detector.

Use undo interval-time to restore the default.

Syntax

interval-time interval-time

undo interval-time

Default

The default DPD interval is 10 seconds.

Views

IKE DPD view

Default command level

2: System level

Parameters

interval-time: Sets DPD interval in the range of 1 to 300 seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

Examples

# Set the DPD interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] interval-time 1

local

Use local to set the subnet type of the local security gateway for IKE negotiation.

Use undo local to restore the default.

Syntax

local { multi-subnet | single-subnet }

undo local

Default

The subnet is a single one.

Views

IKE peer view

Default command level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Usage guidelines

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the local security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local multi-subnet

local-address

Use local-address to configure the IP address of the local security gateway in IKE negotiation.

Use undo local-address to remove the configuration.

Syntax

local-address ip-address

undo local-address

Default

The primary address of the interface referencing the IPsec policy is used as the local security gateway IP address for IKE negotiation. Use this command if you want to specify a different address for the local security gateway.

Views

IKE peer view

Default command level

2: System level

Parameters

ip-address: Specifies the IP address of the local security gateway to be used in IKE negotiation.

Examples

# Set the IP address of the local security gateway to 1.1.1.1.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Use local-name to configure a name for the local security gateway to be used in IKE negotiation.

Use undo local-name to restore the default.

Syntax

local-name name

undo local-name

Default

The device name is used as the name of the local security gateway.

Views

IKE peer view

Default command level

2: System level

Parameters

name: Specifies the name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID when it initiates IKE negotiation, so you must configure that name on the local device with either the ike local-name command in system view or the local-name command in IKE peer view. If you configure both the ike local-name command and the local-name command, the name configured by the local-name command is used.

The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Examples

# Set the name of the local security gateway to localgw in IKE peer view of peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] local-name localgw

Related commands

·     remote-name

·     id-type

nat traversal

Use nat traversal to enable the NAT traversal function of IKE/IPsec.

Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.

Syntax

nat traversal

undo nat traversal

Default

The NAT traversal function is disabled.

Views

IKE peer view

Default command level

2: System level

Examples

# Enable the NAT traversal function for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] nat traversal

peer

Use peer to set the subnet type of the peer security gateway for IKE negotiation.

Use undo peer to restore the default.

Syntax

peer { multi-subnet | single-subnet }

undo peer

Default

The subnet is a single one.

Views

IKE peer view

Default command level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Usage guidelines

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the peer security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] peer multi-subnet

pre-shared-key

Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.

Use undo pre-shared-key to remove the configuration.

Syntax

pre-shared-key [ [ cipher | simple ] key ]

undo pre-shared-key

Views

IKE peer view

Default command level

2: System level

Parameters

cipher: Sets a ciphertext pre-shared key.

simple: Sets a plaintext pre-shared key.

key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 201 characters. If simple is specified, it must be a string of 1 to 128 characters. If neither cipher nor simple is specified, you configure a plaintext pre-shared key.

Usage guidelines

If you do not specify any of the parameters, you configure a plaintext pre-shared key in interactive mode. The interactive mode requires you to enter the same plaintext string twice to set the pre-shared key.

In FIPS mode, the simple keyword is not supported. You can configure a ciphertext pre-shared key by using the cipher key option or a plaintext pre-shared key in interactive mode. The key must contain at least eight characters comprising digits, uppercase and lowercase letters, and special characters.

In non-FIPS mode, the interactive mode is not supported. You can configure a ciphertext pre-shared key by using the cipher key option or a plaintext pre-shared key by using the simple key option. You can also directly specify a plaintext pre-shared key without the simple and cipher keywords.

For security purposes, all keys, including keys configured in plain text, are saved in cipher text.
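The FIPS-mode key requirements above can be verified before the key is ever typed into the device, which avoids a failed interactive entry with the key half-visible in a terminal scrollback. The Python function below is an added example, not H3C code. It applies the rules stated in this section: 1 to 128 characters for a plaintext key, and in FIPS mode at least eight characters drawn from digits, uppercase letters, lowercase letters and special characters. Which characters count as "special" is not defined on this page; the example assumes Python's string.punctuation. The function name and the candidate keys are the example's own.

```python
"""Pre-check a candidate IKE pre-shared key against the length and FIPS
complexity rules of the 'pre-shared-key' command.
Added example; not H3C code. The 'special' character set is an assumption."""
import string
from typing import List

PLAIN_MAX_LEN = 128   # plaintext key: 1 to 128 characters
FIPS_MIN_LEN = 8      # FIPS mode: at least eight characters
SPECIAL = set(string.punctuation)  # assumed definition of 'special characters'


def check_preshared_key(key: str, fips_mode: bool) -> List[str]:
    """Return the reasons the key would be rejected; an empty list means acceptable."""
    problems = []
    if not 1 <= len(key) <= PLAIN_MAX_LEN:
        problems.append(f"length {len(key)} not in 1..{PLAIN_MAX_LEN}")
    if fips_mode:
        if len(key) < FIPS_MIN_LEN:
            problems.append(f"FIPS mode requires at least {FIPS_MIN_LEN} characters")
        classes = {
            "digit": any(c.isdigit() for c in key),
            "uppercase": any(c.isupper() for c in key),
            "lowercase": any(c.islower() for c in key),
            "special": any(c in SPECIAL for c in key),
        }
        missing = [name for name, present in classes.items() if not present]
        if missing:
            problems.append("FIPS mode requires " + ", ".join(missing) + " character(s)")
    return problems


def acceptable_everywhere(key: str) -> bool:
    """True if the key passes in both FIPS and non-FIPS mode, so one key
    definition can be rolled out to a mixed fleet."""
    return not check_preshared_key(key, True) and not check_preshared_key(key, False)


if __name__ == "__main__":
    # Constructed candidates; the first two are the keys used in this section's examples.
    for candidate in ("123Abc!@#", "abcde", "", "x" * 129):
        for fips in (False, True):
            verdict = check_preshared_key(candidate, fips) or ["ok"]
            print(f"{candidate[:12]!r:16} fips={fips!s:5} {verdict}")
```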

Examples

# Set the pre-shared key used in IKE negotiation to plaintext string abcde.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] pre-shared-key simple abcde

# Set the pre-shared key used in IKE negotiation to 123Abc!@# in interactive mode.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] pre-shared-key

Enter pre-share-key: *********

Re-enter pre-share-key: *********

Related commands

authentication-method

proposal

Use proposal to specify the IKE proposals for the IKE peer to reference.

Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.

Syntax

proposal proposal-number&<1-6>

undo proposal [ proposal-number ]

Default

An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.

Views

IKE peer view

Default command level

2: System level

Parameters

proposal-number&<1-6>: Specifies the sequence number of an IKE proposal for the IKE peer to reference, in the range of 1 to 65535. &<1-6> means that you can specify the proposal-number argument up to six times. An IKE proposal with a smaller sequence number has a higher priority.

Usage guidelines

In the IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any.

An IKE peer can reference up to six IKE proposals.

The responder uses the IKE proposals configured in system view for negotiation.
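The rules on this page for ike proposal and proposal combine into one selection procedure: a lower proposal number means higher priority; the initiator offers the proposals its IKE peer references (up to six) or, if it references none, the system proposals; the responder always uses the system proposals; and the system default proposal sits at the lowest priority with the Table 15 values. The Python model below is an added example, not H3C code. It puts those rules together and runs two constructed scenarios: a peer that references a single proposal the responder does not have, and a peer that references none and falls back to the default DES-CBC proposal. Comparing the encryption algorithm, authentication algorithm, authentication method and DH group, walking offers in priority order, and leaving the SA lifetime out of the match are this model's assumptions; the proposal sets are constructed.

```python
"""Model of IKE phase 1 proposal selection under the priority rules of this reference.
Added example; not H3C code. Matching semantics and proposal sets are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

MAX_REFERENCED = 6            # an IKE peer can reference up to six proposals
Number = Union[int, str]      # a proposal number, or "default" for the system default


@dataclass(frozen=True)
class Proposal:
    encryption: str
    auth_algorithm: str
    auth_method: str
    dh_group: str
    sa_duration: int = 86400  # seconds; not compared when matching in this model


# Default proposal values as listed in Table 15.
DEFAULT_NON_FIPS = Proposal("DES-CBC", "HMAC-SHA1", "Pre-shared key", "MODP_768")
DEFAULT_FIPS = Proposal("AES_CBC_128", "SHA", "Pre-shared key", "MODP_1024")


def ordered(system: Dict[int, Proposal], default: Proposal) -> List[Tuple[Number, Proposal]]:
    """System proposals in descending priority (ascending number), default proposal last."""
    return [(n, system[n]) for n in sorted(system)] + [("default", default)]


def offers_for(peer_refs: List[int], system: Dict[int, Proposal],
               default: Proposal) -> List[Tuple[Number, Proposal]]:
    """What an initiator offers: the proposals its IKE peer references, in priority
    order, or the whole system list if it references none."""
    if len(peer_refs) > MAX_REFERENCED:
        raise ValueError(f"an IKE peer can reference at most {MAX_REFERENCED} proposals")
    missing = [n for n in peer_refs if n not in system]
    if missing:
        raise KeyError(f"referenced proposals are not configured: {missing}")
    if not peer_refs:
        return ordered(system, default)
    return [(n, system[n]) for n in sorted(peer_refs)]


def _matching_attrs(p: Proposal):
    return (p.encryption, p.auth_algorithm, p.auth_method, p.dh_group)


def negotiate(offers, responder_system: Dict[int, Proposal],
              responder_default: Proposal) -> Optional[Tuple[Number, Number, Proposal]]:
    """Walk the initiator's offers in priority order and, for each, the responder's
    system proposals in priority order; the first attribute match wins (model assumption).
    Returns (initiator number, responder number, agreed proposal) or None."""
    responder = ordered(responder_system, responder_default)
    for i_num, i_prop in offers:
        for r_num, r_prop in responder:
            if _matching_attrs(i_prop) == _matching_attrs(r_prop):
                return i_num, r_num, r_prop
    return None


# Constructed configurations. The responder carries proposals shaped like the two in
# the 'display ike proposal' example; the initiator was hardened to AES and 3DES.
INITIATOR_SYSTEM = {
    10: Proposal("AES-CBC-256", "HMAC-SHA1", "Pre-shared key", "MODP_1024"),
    20: Proposal("3DES-CBC", "HMAC-SHA1", "Pre-shared key", "MODP_1024"),
}
RESPONDER_SYSTEM = {
    10: Proposal("DES-CBC", "HMAC-SHA1", "Pre-shared key", "MODP_1024", 5000),
    11: Proposal("DES-CBC", "HMAC-MD5", "Pre-shared key", "MODP_768", 50000),
}


def scenario_single_reference():
    """Peer references only proposal 10: nothing else is offered, so negotiation fails."""
    return negotiate(offers_for([10], INITIATOR_SYSTEM, DEFAULT_NON_FIPS),
                     RESPONDER_SYSTEM, DEFAULT_NON_FIPS)


def scenario_no_reference():
    """Peer references nothing: the system list is offered and both sides meet on
    the default proposal, i.e. DES-CBC with MODP_768."""
    return negotiate(offers_for([], INITIATOR_SYSTEM, DEFAULT_NON_FIPS),
                     RESPONDER_SYSTEM, DEFAULT_NON_FIPS)


if __name__ == "__main__":
    print("single reference:", scenario_single_reference())
    print("no reference:", scenario_no_reference())
```

The second scenario is the one to remember when reviewing a configuration: with no proposal referenced, two devices that share nothing but the default proposal will quietly agree on DES-CBC and MODP_768 (the default has the lowest priority, but it is always offered). Referencing explicit proposals with the proposal command removes that fallback, and in FIPS mode the default itself is AES_CBC_128 with MODP_1024 and DES-CBC is not available at all.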

Examples

# Configure IKE peer peer1 to reference IKE proposal 10.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] proposal 10

Related commands

·     ike proposal

·     ike peer (system view)

remote-address

Use remote-address to configure the IP address of the IPsec remote security gateway.

Use undo remote-address to remove the configuration.

Syntax

remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }

undo remote-address

Views

IKE peer view

Default command level

2: System level

Parameters

hostname: Specifies the host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.

dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name.

low-ip-address: Specifies the IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.

high-ip-address: Specifies the highest address in the address range if you want to specify a range of addresses.

Usage guidelines

The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with the local-address command or, if the local-address command is not configured, the primary IP address of the interface to which the policy is applied.

The local end can be the initiator of IKE negotiation if the remote address is a host IP address or a host name. If the remote address is an address range, the local end can only be the responder, and it responds only to peers whose addresses fall in that range.

If the IP address of the remote gateway changes frequently, configure the host name of the remote gateway with the dynamic keyword so that the local end can use the up-to-date remote IP address to initiate IKE negotiation.

Examples

# Configure the IP address of the remote security gateway as 10.0.0.1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-address 10.0.0.1

# Configure the host name of the remote gateway as test.com, and specify the local end to dynamically update the remote IP address.

<Sysname> system-view

[Sysname] ike peer peer2

[Sysname-ike-peer-peer2] remote-address test.com dynamic

Related commands

·     id-type ip

·     local-address

remote-name

Use remote-name to configure the name of the remote gateway.

Use undo remote-name to remove the configuration.

Syntax

remote-name name

undo remote-name

Views

IKE peer view

Default command level

2: System level

Parameters

name: Specifies the name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.

Usage guidelines

If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Examples

# Configure the remote security gateway name as apple for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-name apple

Related commands

·     id-type

·     local-name

·     ike local-name

reset ike sa

Use reset ike sa to clear IKE SAs.

Syntax

reset ike sa [ connection-id | active | standby ]

Views

User view

Default command level

2: System level

Parameters

connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.

active: Clears all active IKE SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

standby: Clears all standby IKE SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For more information, see About the H3C Access Controllers Command References.

Usage guidelines

If you do not specify any parameter, the command clears all ISAKMP SAs.

When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.

Examples

# Clear the IKE SA that uses connection ID 2.

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST       1       IPSEC

      2            202.38.0.2      RD|ST       2       IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<Sysname> reset ike sa 2

<Sysname> display ike sa

    total phase-1 SAs:  1

    connection-id  peer            flag        phase   doi

  ----------------------------------------------------------

      1            202.38.0.2      RD|ST       1       IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

Related commands

display ike sa

sa duration

Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The ISAKMP SA lifetime is 86400 seconds.

Views

IKE proposal view

Default command level

2: System level

Parameters

seconds: Specifies the ISAKMP SA lifetime in seconds, in the range of 60 to 604800.

Usage guidelines

Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up, and the old one will be cleared automatically when it expires.

Examples

# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] sa duration 600

Related commands

·     ike proposal

·     display ike proposal

time-out

Use time-out to set the DPD packet retransmission interval for a DPD detector.

Use undo time-out to restore the default.

Syntax

time-out time-out

undo time-out

Views

IKE DPD view

Default command level

2: System level

Parameters

time-out: Specifies the DPD packet retransmission interval in seconds, in the range of 1 to 60.

Usage guidelines

The default DPD packet retransmission interval is 5 seconds.

Examples

# Set the DPD packet retransmission interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] time-out 1

 
