If you specify the name policy-name option but leave the seq-number argument, the command displays detailed information about the specified IPsec policy group.

Examples

# Display brief information about all IPsec policies.

<Sysname> display ipsec policy brief

IPsec-Policy-Name Mode acl ike-peer name Mapped Template

------------------------------------------------------------------------

bbbbbbbbbbbbbbb-1 template aaaaaaaaaaaaaaa

man-1 manual 3400

map-1 isakmp 3000 peer

nat-1 isakmp 3500 nat

test-1 isakmp 3200 test

toccccc-1 isakmp 3003 tocccc

IPsec-Policy-Name Mode acl Local-Address Remote-Address

------------------------------------------------------------------------

man-1 manual 3400 3.3.3.1 3.3.3.2

Table 1 Command output

Field	Description
IPsec-Policy-Name	Name and sequence number of the IPsec policy separated by hyphen.
Mode	Negotiation mode of the IPsec policy: · manual—Manual mode. · isakmp—IKE negotiation mode. · template—IPsec policy template mode.
acl	ACL referenced by the IPsec policy.
ike-peer name	IKE peer name.
Mapped Template	Referenced IPsec policy template.
Local-Address	IP address of the local end.
Remote-Address	IP address of the remote end.

# Display detailed information about all IPsec policies.

<Sysname> display ipsec policy

===========================================

IPsec Policy Group: "policy_isakmp"

Interface: Cellular-Ethernet 1/0/1

===========================================

------------------------------------

IPsec policy name: "policy_isakmp"

sequence number: 10

acl version: IPv4

mode: isakmp

-------------------------------------

security data flow : 3000

selector mode: standard

ike-peer name: per

perfect forward secrecy:

transform-set name: prop1

IPsec sa local duration(time based): 3600 seconds

IPsec sa local duration(traffic based): 1843200 kilobytes

policy enable: True

Table 2 Command output

Field	Description
security data flow	ACL referenced by the IPsec policy.
Interface	Interface to which the IPsec policy is applied.
sequence number	Sequence number of the IPsec policy.
acl version	ACL version: IPv4. If no ACL is referenced, this field displays None.
mode	Negotiation mode of the IPsec policy: · manual—Manual mode. · isakmp—IKE negotiation mode. · template—IPsec policy template mode.
selector mode	Data flow protection mode of the IPsec policy: standard, aggregation, or per-host.
ike-peer name	IKE peer referenced by the IPsec policy.
tunnel local address	Local IP address of the tunnel.
tunnel remote address	Remote IP address of the tunnel.
perfect forward secrecy	Whether PFS is enabled.
DH group	DH group used: 1, 2, 5, or 14. If no DH group is used, this field is not displayed.
transform-set name	Transform set referenced by the IPsec policy.
policy enable	Whether the IPsec policy is enabled or not.
inbound/outbound AH/ESP setting	AH/ESP settings in the inbound/outbound direction, including the SPI and keys.

Related commands

ipsec policy (system view)

Field	Description
Policy-template-Name	Name and sequence number of the IPsec policy template separated by hyphen.
acl	ACL referenced by the IPsec policy template.
Remote Address	Remote IP address.

Field	Description
security data flow	ACL referenced by the IPsec policy template.
ACL's Version	ACL version: acl4.
ike-peer name	IKE peer referenced by the IPsec policy template.
perfect forward secrecy	Whether PFS is enabled.
DH group	DH group used: 1, 2, 5, or 14. If no DH group is used, this field is not displayed.
transport-set name	IPsec transform set referenced by the IPsec policy template.
IPsec sa local duration(time based)	Time-based lifetime of the IPsec SAs at the local end.
IPsec sa local duration(traffic based)	Traffic-based lifetime of the IPsec SAs at the local end.

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ brief | policy policy-name [ seq-number ] | remote ip-address ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

brief: Displays brief information about all IPsec SAs.

policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.

policy-name: Name of the IPsec policy, a string 1 to 15 characters.

seq-number: Sequence number of the IPsec policy, in the range 1 to 65535.

remote: Displays detailed information about the IPsec SA with a specified remote address.

ip-address: Remote address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IPsec SAs.

Examples

# Display brief information about all IPsec SAs.

<Sysname> display ipsec sa brief

Src Address Dst Address SPI Protocol Algorithm

--------------------------------------------------------

10.1.1.1 10.1.1.2 300 ESP E:DES;

A:HMAC-MD5-96

10.1.1.2 10.1.1.1 400 ESP E:DES;

A:HMAC-MD5-96

Table 5 Command output

Field	Description
Src Address	Local IP address.
Dst Address	Remote IP address.
SPI	Security parameter index.
Protocol	Security protocol used by IPsec.
Algorithm	Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified.

# Display the global SA lifetime settings.

<Sysname> display ipsec sa duration

IPsec sa global duration (traffic based): 1843200 kilobytes

IPsec sa global duration (time based): 3600 seconds

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa

===============================

Interface: Cellular-Ethernet 1/0/1

path MTU: 1500

===============================

-----------------------------

IPsec policy name: "r2"

sequence number: 1

acl version: ACL4

mode: isakmp

-----------------------------

connection id: 3

encapsulation mode: tunnel

perfect forward secrecy:

tunnel:

local address: 2.2.2.2

remote address: 1.1.1.2

flow:

sour addr: 192.168.2.0/255.255.255.0 port: 0 protocol: IP

dest addr: 192.168.1.0/255.255.255.0 port: 0 protocol: IP

[inbound ESP SAs]

spi: 3564837569 (0xd47b1ac1)

transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa duration (kilobytes/sec): 4294967295/604800

sa remaining duration (kilobytes/sec): 1843200/2686

max received sequence-number: 5

anti-replay check enable: Y

anti-replay window size: 32

udp encapsulation used for nat traversal: N

[outbound ESP SAs]

spi: 801701189 (0x2fc8fd45)

transform-set: ESP-ENCRYPT-DES ESP-AUTH-MD5

sa duration (kilobytes/sec): 4294967295/604800

sa remaining duration (kilobytes/sec): 1843200/2686

max sent sequence-number: 6

udp encapsulation used for nat traversal: N

Table 6 Command output

Field	Description
Interface	Interface referencing the IPsec policy.
path MTU	Maximum IP packet length supported by the interface.
IPsec policy name	Name of IPsec policy used.
sequence number	Sequence number of the IPsec policy.
acl version	ACL version: ACL4. If no ACL is referenced, this field displays None.
mode	IPsec negotiation mode.
connection id	IPsec tunnel identifier.
encapsulation mode	Encapsulation mode, transport or tunnel.
perfect forward secrecy	Whether the PFS feature is enabled.
DH group	DH group used: 1, 2, 5, or 14. If no DH group is used, this field is not displayed.
tunnel	IPsec tunnel.
local address	Local IP address of the IPsec tunnel.
remote address	Remote IP address of the IPsec tunnel.
flow	Data flow.
sour addr	Source IP address of the data flow.
dest addr	Destination IP address of the data flow.
port	Port number.
protocol	Protocol type.
inbound	Information of the inbound SA.
spi	Security parameter index.
transform-set	Security protocol and algorithms used by the IPsec transform set.
sa duration	Lifetime of the IPsec SA.
sa remaining key duration	Remaining lifetime of the SA.
max received sequence-number	Maximum sequence number of the received packets (relevant to the anti-replay function provided by the security protocol).
udp encapsulation used for nat traversal	Whether NAT traversal is enabled for the SA.
outbound	Information of the outbound SA.
max sent sequence-number	Maximum sequence number of the sent packets (relevant to the anti-replay function provided by the security protocol).
anti-replay check enable	Whether IPsec anti-replay checking is enabled.
anti-replay window size	Size of the anti-replay window.

Related commands

· reset ipsec sa

· ipsec sa global-duration

Field	Description
Connection ID	ID of the tunnel.
input/output security packets	Counts of inbound and outbound IPsec protected packets.
input/output security bytes	Counts of inbound and outbound IPsec protected bytes.
input/output dropped security packets	Counts of inbound and outbound IPsec protected packets that are discarded by the device.
dropped security packet detail	Detailed information about inbound/outbound packets that get dropped.
not enough memory	Number of packets dropped due to lack of memory.
can't find SA	Number of packets dropped due to finding no security association.
queue is full	Number of packets dropped due to full queues.
authentication has failed	Number of packets dropped due to authentication failure.
wrong length	Number of packets dropped due to wrong packet length.
replay packet	Number of packets replayed.
packet too long	Number of packets dropped due to excessive packet length.
wrong SA	Number of packets dropped due to improper SA.

Field	Description
IPsec transform-set name	Name of the IPsec transform set.
encapsulation mode	Encapsulation mode used by the IPsec transform set, transport or tunnel.
transform	Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
AH protocol	Authentication algorithm used by AH.
ESP protocol	Authentication algorithm and encryption algorithm used by ESP.

display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IPsec tunnels.

Examples

# Display information about IPsec tunnels.

<Sysname> display ipsec tunnel

total tunnel : 2

------------------------------------------------

connection id: 3

perfect forward secrecy:

SA's SPI:

inbound: 187199087 (0xb286e6f) [ESP]

outbound: 3562274487 (0xd453feb7) [ESP]

tunnel:

local address: 44.44.44.44

remote address : 44.44.44.55

flow:

sour addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP

dest addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP

current Encrypt-card:

------------------------------------------------

connection id: 5

perfect forward secrecy:

SA's SPI:

inbound: 12345 (0x3039) [ESP]

outbound: 12345 (0x3039) [ESP]

tunnel:

flow:

current Encrypt-card:

# Display information about IPsec tunnels in aggregation mode.

<Sysname> display ipsec tunnel

total tunnel: 2

------------------------------------------------

connection id: 4

perfect forward secrecy:

SA's SPI:

inbound : 2454606993 (0x924e5491) [ESP]

outbound : 675720232 (0x2846ac28) [ESP]

tunnel :

local address: 44.44.44.44

remote address : 44.44.44.45

flow :

as defined in acl 3001

current Encrypt-card :

Table 9 Command output

Field	Description
connection id	Connection ID, used to uniquely identify an IPsec Tunnel.
perfect forward secrecy	Perfect forward secrecy, indicating which DH group is to be used for fast negotiation mode in IKE phase 2.
SA's SPI	SPIs of the inbound and outbound SAs.
tunnel	Local and remote addresses of the tunnel.
flow	Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port and protocol.
as defined in acl 3001	The IPsec tunnel protects all data flows defined by ACL 3001.
current Encrypt-card	Encryption card interface used by the current tunnel. If no encryption card is used, this field displays nothing.

encapsulation-mode

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Default

A security protocol encapsulates IP packets in tunnel mode.

Views

IPsec transform set view, IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

transport: Uses transport mode.

tunnel: Uses tunnel mode.

Usage guidelines

When IPsec uses IKEv1, this command can be used only in IPsec transform set view, and its related commands include only ipsec transform-set.

Examples

# When IPsec uses IKEv1, configure IPsec transform set tran1 to use the transport encapsulation mode.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport

esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.

Syntax

esp authentication-algorithm { md5 | sha1 } *

undo esp authentication-algorithm

Default

ESP uses no authentication algorithm.

Views

IPsec transform set view

Default command level

2: System level

Parameters

md5: Uses the MD5 algorithm, which uses a 128-bit key.

sha1: Uses the SHA1 algorithm, which uses a 160-bit key.

Usage guidelines

Compared with SHA1, MD5 is faster but less secure. MD5 is sufficient for most networks. To deploy a highly secure network, use SHA1.

For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp authentication-algorithm command takes effect only if one or more encryption algorithms are specified for ESP.

Examples

# Configure IPsec transform set prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform esp

[Sysname-ipsec-transform-set-prop1] esp authentication-algorithm sha1

Related commands

· ipsec transform-set

· esp encryption-algorithm

esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

Syntax

esp encryption-algorithm { 3des | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des } *

undo esp encryption-algorithm

Default

ESP uses no encryption algorithm.

Views

IPsec transform set view

Default command level

2: System level

Parameters

3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.

aes-cbc-128: Uses the Advanced Encryption Standard (AES) in CBC mode that uses a 128- bit key.

aes-cbc-192: Uses AES in CBC mode that uses a 192-bit key.

aes-cbc-256: Uses AES in CBC mode that uses a 256-bit key.

des: Uses the DES in cipher block chaining (CBC) mode, which uses a 56-bit key.

Usage guidelines

ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication. For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp encryption-algorithm command takes effect only if one or more authentication algorithms are specified for ESP.

Examples

# Configure IPsec transform set prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform esp

[Sysname-ipsec-transform-set-prop1] esp encryption-algorithm 3des

Related commands

· display ipsec transform-set

· esp authentication-algorithm

ike-peer (IPsec policy view/IPsec policy template view)

Use ike-peer to reference an IKE peer in an IPsec policy or IPsec policy template configured through IKE negotiation.

Use undo ike peer to remove the reference.

This command applies only to IKE negotiation mode.

Syntax

ike-peer peer-name

undo ike-peer peer-name

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

peer-name: IKE peer name, a string of 1 to 32 characters.

Examples

# Configure a reference to an IKE peer in an IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1

Related commands

ipsec policy

ipsec policy (interface view)

Use ipsec policy to apply an IPsec policy group to an interface.

Use undo ipsec policy to remove the application.

Syntax

ipsec policy policy-name

undo ipsec policy [ policy-name ]

Views

Interface view

Default command level

2: System level

Parameters

policy-name: Name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.

Usage guidelines

Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first. An IPsec policy group can be applied to more than one interface.

With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows.

For each packet to be sent out an IPsec protected interface, the system checks the IPsec policies of the IPsec policy group in the ascending order of sequence numbers. If it finds an IPsec policy whose ACL matches the packet, it uses the IPsec policy to protect the packet. If it finds no ACL of the IPsec policies matches the packet, it does not provide IPsec protection for the packet and sends the packet out directly.

Examples

# Apply IPsec policy group pg1 to interface Cellular-Ethernet 1/0/1.

<Sysname> system-view

[Sysname] interface Cellular-Ethernet 1/0/1

[Sysname-Cellular-Ethernet1/0/1] ipsec policy pg1

Related commands

ipsec policy (system view)

Use ipsec policy to create an IPsec policy and enter its view.

Use undo ipsec policy to delete the specified IPsec policies.

Syntax

ipsec policy policy-name seq-number [ isakmp | manual ]

undo ipsec policy policy-name [ seq-number ]

Default

No IPsec policy exists.

Views

System view

Default command level

2: System level

Parameters

policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included.

seq-number: Sequence number for the IPsec policy, in the range 1 to 65535.

isakmp: Sets up SAs through IKE negotiation.

manual: Sets up SAs manually.

Usage guidelines

When creating an IPsec policy, you must specify the generation mode.

You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.

IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.

Examples

# Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100]

# Create an IPsec policy with the name policy1 and specify the manual mode for it.

<Sysname> system-view

[Sysname] ipsec policy policy1 101 manual

[Sysname-ipsec-policy-manual-policy1-101]

Related commands

· ipsec policy (interface view)

· display ipsec policy

ipsec policy isakmp template

Use ipsec policy isakmp template to create an IPsec policy by referencing an existing IPsec policy template, so that IKE can use the IPsec policy for SA negotiation.

Use undo ipsec policy with the seq-number argument to delete an IPsec policy.

Use undo ipsec policy without the seq-number argument to delete an IPsec policy group.

Syntax

ipsec policy policy-name seq-number isakmp template template-name

undo ipsec policy policy-name [ seq-number ]

Views

System view

Default command level

2: System level

Parameters

policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No hyphen (-) can be included.

seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.

isakmp template template-name: Name of the IPsec policy template to be referenced.

Usage guidelines

In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.

After you create an IPsec policy by referencing an IPsec policy template, to modify the configuration for the IPsec policy, you must enter the IPsec policy template view instead of the IPsec policy view.

You cannot change the negotiation mode of an IPsec policy. To do so, you must delete the IPsec policy and then re-create it.

Related commands

· ipsec policy (system view)

· ipsec policy-template

Examples

# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.

<Sysname> system-view

[Sysname] ipsec policy policy2 200 isakmp template temp1

ipsec policy-template

Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.

Use undo ipsec policy-template to delete the specified IPsec policy templates.

Syntax

ipsec policy-template template-name seq-number

undo ipsec policy-template template-name [ seq-number ]

Default

No IPsec policy template exists.

Views

System view

Default command level

2: System level

Parameters

template-name: Name for the IPsec policy template, a case-insensitive string of 1 to 41 characters. No hyphen (-) can be included.

seq-number: Sequence number for the IPsec policy template, in the range 1 to 65535.

Usage guidelines

Using the undo command without the seq-number argument deletes an IPsec policy template group.

In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.

Examples

# Create an IPsec policy template with the name template1 and the sequence number 100.

<Sysname> system-view

[Sysname] ipsec policy-template template1 100

[Sysname-ipsec-policy-template-template1-100]

Related commands

display ipsec policy template

ipsec sa global-duration

Use ipsec sa global-duration to configure the global SA lifetime.

Use undo ipsec sa global-duration to restore the default.

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

Default

The time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.

Views

System view

Default command level

2: System level

Parameters

seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800.

kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.

Usage guidelines

When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.

When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.

You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it has existed for the specified time period or has processed the specified volume of traffic.

The SA lifetime applies to only IKE negotiated SAs; it is not effective for manually configured SAs.

Related commands

· sa duration

· display ipsec sa duration

Examples

# Set the time-based global SA lifetime to 7200 seconds (2 hours).

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).

[Sysname] ipsec sa global-duration traffic-based 10240

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter IPsec transform set view.

Use undo ipsec transform-set to delete an IPsec transform set.

Syntax

ipsec transform-set transform-set-name

undo ipsec transform-set transform-set-name

Default

No IPsec transform set exists.

Views

System view

Default command level

2: System level

Parameters

transform-set-name: Name of an IPsec transform set, a case-insensitive string of 1 to 32 characters.

Examples

# Create an IPsec transform set named tran1 and enter its view.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1]

Related commands

display ipsec transform-set

local-address

Use local-address to configure the local gateway IP address.

Use undo local-address to restore the default.

Syntax

local-address ipv4-address

undo local-address

Default

The IP address of the interface to which the IPsec policy is applied is used as the local gateway IP address.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

ipv4-address: IPv4 address of the local security gateway.

Examples

# Use 1.1.1.1 as the local gateway IP address.

<Sysname> system-view

[Sysname] ipsec policy map 1 isakmp

[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1

pfs

Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy to initiate a negotiation.

Use undo pfs to remove the configuration.

Syntax

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs

Default

The PFS feature is not used for negotiation.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

dh-group1: Uses 768-bit Diffie-Hellman group.

dh-group2: Uses 1024-bit Diffie-Hellman group.

dh-group5: Uses 1536-bit Diffie-Hellman group.

dh-group14: Uses 2048-bit Diffie-Hellman group.

Usage guidelines

In terms of security and necessary calculation time, the following four groups are in the descending order: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2) and 768-bit Diffie-Hellman group (dh-group1).

This command allows IPsec to perform an additional key exchange process during the negotiation phase 2, providing an additional level of security.

The local Diffie-Hellman group must be the same as that of the peer.

This command can be used only when the SAs are to be set up through IKE negotiation.

Examples

# Enable and configure PFS for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 200 isakmp

[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group1

Related commands

· ipsec policy-template

· ipsec policy (system view)

policy enable

Use policy enable to enable the IPsec policy.

Use undo policy enable to disable the IPsec policy.

Syntax

policy enable

undo policy enable

Default

The IPsec policy is enabled.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Usage guidelines

The command is not applicable to manual IPsec policies.

If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.

Examples

# Enable the IPsec policy with the name policy1 and sequence number 100.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] policy enable

Related commands

· ipsec policy (system view)

· ipsec policy-template

remote-address

Use remote-address to configure the remote gateway IP address.

Use undo remote-address to restore the default.

Syntax

remote-address { host-name [ dynamic ] | ipv4-address }

undo remote-address { host-name [ dynamic ] | ipv4-address }

Default

No remote gateway IP address is configured.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

hostname: Host name of the remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.

dynamic: Uses dynamic address resolution for the remote gateway host name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote gateway host name.

ipv4-address: IPv4 address of the remote security gateway.

Examples

# Use 1.1.1.1 as the remote gateway IP address.

<Sysname> system-view

[Sysname] ipsec policy map 1 isakmp

[Sysname-ipsec-policy-isakmp-map-1] remote-address 1.1.1.1

reset ipsec sa

Use reset ipsec sa to clear IPsec SAs.

Syntax

reset ipsec sa [ parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address ]

Views

User view

Default command level

2: System level

Parameters

parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI.

dest-address: Destination address, in dotted decimal notation.

protocol: Security protocol, which can be keyword ah or esp, case insensitive.

spi: Security parameter index, in the range 256 to 4294967295.

policy: Specifies IPsec SAs that use an IPsec policy.

policy-name: Name of the IPsec policy, a case-sensitive string of 1 to 15 alphanumeric characters.

seq-number: Sequence number of the IPsec policy, in the range 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.

remote: Specifies SAs to or from a remote address, in dotted decimal notation.

ip-address: Remote address.

Usage guidelines

Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets.

IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.

If you do not specify any parameter, the command clears all IPsec SAs.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the IPsec SA with a remote IP address of 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear all IPsec SAs of IPsec policy template policy1.

<Sysname> reset ipsec sa policy policy1

# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.

<Sysname> reset ipsec sa policy policy1 10

# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.

<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000

Related commands

display ipsec sa

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax

reset ipsec statistics

Views

User view

Default command level

1: Monitor level

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

Related commands

display ipsec statistics

sa authentication-hex

Use sa authentication-hex to configure an authentication key for an SA.

Use undo sa authentication-hex to remove the configuration.

Syntax

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher string-key | simple hex-key ]

undo sa authentication-hex { inbound | outbound } { ah | esp }

Views

IPsec policy view

Default command level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

cipher string-key: Sets a ciphertext authentication key. The string-key argument is a case-sensitive ciphertext string of 1 to 117 characters.

simple hex-key: Sets a plaintext authentication key. The hex-key argument is case insensitive and must be a 16-byte hexadecimal string for MD5 or a 20-byte hexadecimal string for SHA1.

If neither cipher nor simple is specified, you set a plaintext authentication key string.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Usage guidelines

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.

Examples

# Configure the authentication key for the inbound and outbound SAs that use AH as a plaintext string of 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah simple 112233445566778899aabbccddeeff00

[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah simple aabbccddeeff001100aabbccddeeff00

Related commands

ipsec policy (system view)

sa duration

Use sa duration to set an SA lifetime for the IPsec policy.

Use undo sa duration to restore the default.

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

Default

The SA lifetime of an IPsec policy equals the current global SA lifetime.

The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

seconds: Time-based SA lifetime in seconds, in the range 180 to 604800.

kilobytes: Traffic-based SA lifetime in kilobytes, in the range 2560 to 4294967295.

Usage guidelines

When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy that it uses. If the IPsec policy is not configured with its own lifetime settings, IKE uses the global SA lifetime settings, which are configured with the ipsec sa global-duration command.

When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those proposed by the remote.

The SA lifetime applies to only IKE negotiated SAs. It is not effective for manually configured SAs.

Examples

# Set the SA lifetime for IPsec policy1 to 7200 seconds (two hours).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

Related commands

· ipsec sa global-duration

· ipsec policy (system view)

sa encryption-hex

Use sa encryption-hex to configure an encryption key for an SA.

Use undo sa encryption-hex to remove the configuration.

Syntax

sa encryption-hex { inbound | outbound } esp [ cipher string-key | simple hex-key ]

undo sa encryption-hex { inbound | outbound } esp

Views

IPsec policy view

Default command level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

esp: Uses ESP.

cipher string-key: Sets a ciphertext encryption key. The string-key argument is case sensitive and must be a ciphertext string of 1 to 117 characters.

simple hex-key: Sets a plaintext encryption key. The hex-key argument is case insensitive, and must be an 8-byte hexadecimal string for DES-CBC, a 16-byte hexadecimal string for AES128-CBC and camellia128-CBC, a 20-byte hexadecimal string for AESCTR-128, a 24-byte hexadecimal string for 3DES-CBC, AES192-CBC, and camellia192-CBC, or a 32-byte hexadecimal string for AES256-CBC and camellia256-CBC.

If neither cipher nor simple is specified, you set a plaintext encryption key string.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Usage guidelines

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.

The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.

Examples

# Configure the encryption key for the inbound and outbound SAs that use ESP as a plaintext string of 0x1234567890abcdef and 0xabcdefabcdef1234, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp simple 1234567890abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp simple abcdefabcdef1234

Related commands

ipsec policy (system view)

sa spi

Use sa spi to configure an SPI for an SA.

Use undo sa spi to remove the configuration.

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Default

No SPI is configured for an SA.

Views

IPsec policy view

Default command level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

spi-number: Security parameters index (SPI) in the SA triplet, in the range 256 to 4294967295.

Usage guidelines

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.

The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

Examples

# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000

[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000

Related commands

ipsec policy (system view)

sa string-key

Use sa string-key to set a key string for an SA.

Use undo sa string-key to remove the configuration.

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string-key

undo sa string-key { inbound | outbound } { ah | esp }

Views

IPsec policy view

Default command level

2: System level

Parameters

inbound: Specifies the inbound SA through which IPsec processes the received packets.

outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.

ah: Uses AH.

esp: Uses ESP.

cipher: Sets a ciphertext key.

simple: Sets a plaintext key.

string-key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 373 characters. If simple is specified, it must be a string of 1 to 255 characters. If neither cipher nor simple is specified, you set a plaintext key string. For different algorithms, enter strings of any length in the specified range. Using this key string, the system automatically generates keys meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and encryption algorithm respectively.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Usage guidelines

This command applies to only manual IPsec policies.

When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.

The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.

Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.

Examples

# Configure the inbound and outbound SAs that use AH to use the plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

Related commands

ipsec policy (system view)

security acl

Use security acl to specify the ACL for the IPsec policy to reference.

Use undo security acl to remove the configuration.

Syntax

security acl acl-number [ aggregation | per-host ]

undo security acl

Default

An IPsec policy references no ACL.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.

aggregation: Specifies the data flow protection mode as aggregation. This mode is configurable only in IPsec policies that use IKE negotiation.

per-host: Specifies the data flow protection mode as per-host. This mode is configurable only in IPsec policies that use IKE negotiation.

Usage guidelines

With an IKE-dependent IPsec policy configured, data flows can be protected in the following modes:

· Standard mode—One tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one tunnel that is established solely for it.

· Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.

· Per-host mode—One tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one tunnel established solely for it.

If you specify neither the aggregation nor the per-host mode, the standard mode is used.

To use the per-host mode, you only need to specify an ACL in per-host mode in the IPsec policy of the IPsec initiator. You do not need to specify the per-host keyword in the IPsec policy of the responder.

Use the per-host mode with caution. If the number of hosts to be protected is large, IPsec using the per-host mode will establish a large number of SAs, exhausting the system resources quickly.

When your device works with an old-version device, use the aggregation mode on both devices.

An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.

Examples

# Configure IPsec policy policy1 to reference ACL 3001.

<Sysname> system-view

[Sysname] acl number 3001

[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-adv-3001] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] security acl 3001

# Configure IPsec policy policy2 to reference ACL 3002, and set the data flow protection mode to aggregation.

<Sysname> system-view

[Sysname] acl number 3002

[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255

[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255

[Sysname] ipsec policy policy2 1 isakmp

[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

# Configure IPsec policy policy3 to reference ACL 3003, and set the data flow protection mode to per-host.

<Sysname> system-view

[Sysname] acl number 3003

[Sysname-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-adv-3003] quit

[Sysname] ipsec policy policy3 10 isakmp

[Sysname-ipsec-policy-isakmp-policy3-10] security acl 3003 per-host

Related commands

ipsec policy (system view)

transform

Use transform to specify a security protocol for an IPsec transform set.

Use undo transform to restore the default.

Syntax

transform { ah | ah-esp | esp }

undo transform

Default

The ESP protocol is used.

Views

IPsec transform set view

Default command level

2: System level

Parameters

ah: Uses the AH protocol.

ah-esp: Uses ESP first and then AH.

esp: Uses the ESP protocol.

Usage guidelines

The IPsec transform sets at the two ends of an IPsec tunnel must use the same security protocol.

Examples

# Configure IPsec transform set prop1 to use AH.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] transform ah

Related commands

ipsec transform-set

transform-set

Use transform-set to specify an IPsec transform set for the IPsec policy to reference.

Use undo transform-set to remove an IPsec transform set referenced by the IPsec policy.

Syntax

transform-set transform-set-name&<1-6>

undo transform-set [ transform-set-name ]

Default

An IPsec policy references no IPsec transform set.

Views

IPsec policy view, IPsec policy template view

Default command level

2: System level

Parameters

transform-set-name&<1-6>: Name of the IPsec transform set, a string of 1 to 32 characters. &<1-6> means that you can specify up to six transform sets, which are separated by space.

Usage guidelines

The specified IPsec transform sets must already exist.

A manual IPsec policy can reference only one IPsec transform set. To replace a referenced IPsec transform set, use the undo transform-set command to remove the original transform set binding and then use the transform-set command to reconfigure one.

An IKE negotiated IPsec policy can reference up to six IPsec transform sets. The IKE negotiation process will search for and use the exactly matched transform set.

Examples

# Configure IPsec policy policy1 to reference IPsec transform set tran1.

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] transform-set tran1

Related commands

· ipsec transform-set

· ipsec policy (system view)

tunnel local

Use tunnel local to configure the local address of an IPsec tunnel.

Use undo tunnel local to remove the configuration.

Syntax

tunnel local ip-address

undo tunnel local

Default

No local address is configured for an IPsec tunnel.

Views

IPsec policy view

Default command level

2: System level

Parameters

ip-address: Local address for the IPsec tunnel.

Usage guidelines

This command applies to only manual IPsec policies.

The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.

Examples

# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.

<Sysname> system-view

[Sysname] interface loopback 0

[Sysname-LoopBack0] ip address 10.0.0.1 32

[Sysname-LoopBack0] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1

Related commands

ipsec policy (system view)

tunnel remote

Use tunnel remote to configure the remote address of an IPsec tunnel.

Use undo tunnel remote to remove the configuration.

Syntax

tunnel remote ip-address

undo tunnel remote [ ip-address ]

Default

No remote address is configured for the IPsec tunnel.

Views

IPsec policy view

Default command level

2: System level

Parameters

ip-address: Remote address for the IPsec tunnel.

Usage guidelines

This command applies to only manual IPsec policies.

If you configure the remote address repeatedly, the last one takes effect.

An IPsec tunnel is established between the local and remote ends. The remote IP address of the local end must be the same as that of the local IP address of the remote end.

Examples

# Set the remote address of the IPsec tunnel to 10.1.1.2.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 manual

[Sysname-ipsec-policy-policy1-10] tunnel remote 10.1.1.2

Related commands

ipsec policy (system view)

IKE configuration commands

authentication-algorithm

Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.

Use undo authentication-algorithm to restore the default.

Syntax

authentication-algorithm { md5 | sha | sha256 }

undo authentication-algorithm

Default

An IKE proposal uses the SHA1 authentication algorithm.

Views

IKE proposal view

Default command level

2: System level

Parameters

md5: Uses HMAC-MD5.

sha: Uses HMAC-SHA1.

sha256: Uses HMAC-SHA256.

Examples

# Set MD5 as the authentication algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-algorithm md5

Related commands

· ike proposal

· display ike proposal

authentication-method

Use authentication-method to specify an authentication method for an IKE proposal.

Use undo authentication-method to restore the default.

Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

Default

An IKE proposal uses the pre-shared key authentication method.

Views

IKE proposal view

Default command level

2: System level

Parameters

pre-share: Uses the pre-shared key method.

rsa-signature: Uses the RSA digital signature method.

Examples

# Specify that IKE proposal 10 uses the pre-shared key authentication method.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] authentication-method pre-share

Related commands

· ike proposal

· display ike proposal

certificate domain

Use certificate domain to configure the PKI domain of the certificate when IKE uses digital signature as the authentication mode.

Use undo certificate domain to remove the configuration.

Syntax

certificate domain domain-name

undo certificate domain

Views

IKE peer view

Default command level

2: System level

Parameters

domain-name: Name of the PKI domain, a string of 1 to 15 characters.

Examples

# Configure the PKI domain as abcde for IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] certificate domain abcde

Related commands

· authentication-method

· pki domain

dh

Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.

Use undo dh to restore the default.

Syntax

dh { group1 | group2 | group5 | group14 }

undo dh

Default

Group1, the 768-bit Diffie-Hellman group, is used.

Views

IKE proposal view

Default command level

2: System level

Parameters

group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1

group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.

group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.

group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.

Examples

# Specify 768-bit Diffie-Hellman for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] dh group1

Related commands

· ike proposal

· display ike proposal

display ike dpd

Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.

Syntax

display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

dpd-name: DPD name, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all DPD detectors.

Examples

# Display information about all DPD detectors.

<Sysname> display ike dpd

---------------------------

IKE dpd: dpd1

references: 1

interval-time: 10

time_out: 5

---------------------------

Table 10 Command output

Field	Description
references	Number of IKE peers that use the DPD detector.
Interval-time	DPD query trigging interval in seconds.
time_out	DPD packet retransmission interval in seconds.

Related commands

ike dpd

display ike peer

Use display ike peer to display information about IKE peers.

Syntax

display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

peer-name: Name of the IKE peer, a string of 1 to 15 characters.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters, the command displays information about all IKE peers.

Examples

# Display information about all IKE peers.

<Sysname> display ike peer

---------------------------

IKE Peer: rtb4tunn

exchange mode: main on phase 1

pre-shared-key ******

peer id type: ip

peer ip address: 44.44.44.55

local ip address:

peer name:

nat traversal: disable

dpd: dpd1

---------------------------

Table 11 Command output

Field	Description
exchange mode	IKE negotiation mode in phase 1.
pre-shared-key	Pre-shared key used in phase 1, displayed as ******.
peer id type	ID type used in phase 1.
peer ip address	IP address of the remote security gateway.
local ip address	IP address of the local security gateway.
peer name	Name of the remote security gateway.
nat traversal	Whether NAT traversal is enabled.
dpd	Name of the peer DPD detector.

Related commands

ike peer

display ike proposal

Use display ike proposal to view the settings of all IKE proposals.

Syntax

display ike proposal [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

This command displays the configuration information of all IKE proposals in the descending order of proposal priorities.

Examples

# Display the settings of all IKE proposals.

<Sysname> display ike proposal

priority authentication authentication encryption Diffie-Hellman duration

method algorithm algorithm group (seconds)

--------------------------------------------------------------------------

10 PRE_SHARED SHA DES_CBC MODP_1024 5000

11 PRE_SHARED MD5 DES_CBC MODP_768 50000

default PRE_SHARED SHA DES_CBC MODP_768 86400

Table 12 Command output

Field	Description
priority	Priority of the IKE proposal.
authentication method	Authentication method used by the IKE proposal.
authentication algorithm	Authentication algorithm used by the IKE proposal.
encryption algorithm	Encryption algorithm used by the IKE proposal.
Diffie-Hellman group	DH group used in IKE negotiation phase 1.
duration (seconds)	ISAKMP SA lifetime (in seconds) of the IKE proposal.

Related commands

· authentication-method

· ike proposal

· encryption-algorithm

· authentication-algorithm

· dh

· sa duration

display ike sa

Use display ike sa to display information about the current IKE SAs.

Syntax

display ike sa [ verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]

Views

Any view

Default command level

1: Monitor level

Parameters

verbose: Displays detailed information.

connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000.

remote: Displays detailed information about IKE SAs with a specified remote address.

ip-address: Remote address.

|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.

begin: Displays the first line that matches the specified regular expression and all lines that follow.

include: Displays all lines that match the specified regular expression.

regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.

Usage guidelines

If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.

Examples

# Display brief information about the current IKE SAs.

<Sysname> display ike sa

total phase-1 SAs: 1

connection-id peer flag phase doi

----------------------------------------------------------

1 202.38.0.2 RD|ST 1 IPSEC

2 202.38.0.2 RD|ST 2 IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO—TIMEOUT

Table 13 Command output

Field	Description
total phase-1 SAs	Total number of SAs for phase 1.
connection-id	Identifier of the ISAKMP SA.
peer	Remote IP address of the SA.
flag	Status of the SA: · RD (READY)—The SA has been established. · ST (STAYALIVE)—This end is the initiator of the tunnel negotiation. · RL (REPLACED)—The tunnel has been replaced by a new one and will be deleted later. · FD (FADING)—The soft lifetime is over but the tunnel is still in use. The tunnel will be deleted when the hard lifetime is over. · TO (TIMEOUT)—The SA has received no keepalive packets after the last keepalive timeout. If no keepalive packets are received before the next keepalive timeout, the SA will be deleted.
phase	The phase the SA belongs to: · Phase 1—The phase for establishing the ISAKMP SA. · Phase 2—The phase for negotiating the security service. IPsec SAs are established in this phase.
doi	Interpretation domain the SA belongs to.

# Display detailed information about the current IKE SAs.

<Sysname> display ike sa verbose

---------------------------------------------

connection id: 2

vpn-instance: 1

transmitting entity: initiator

---------------------------------------------

local ip: 4.4.4.4

local id type: IPV4_ADDR

local id: 4.4.4.4

remote ip: 4.4.4.5

remote id type: IPV4_ADDR

remote id: 4.4.4.5

authentication-method: PRE-SHARED-KEY

authentication-algorithm: HASH-SHA1

encryption-algorithm: DES-CBC

life duration(sec): 86400

remaining key duration(sec): 86379

exchange-mode: MAIN

diffie-hellman group: GROUP1

nat traversal: NO

# Display detailed information about the IKE SA with the connection ID of 2.

<Sysname> display ike sa verbose connection-id 2

---------------------------------------------

connection id: 2

vpn-instance: vpn1

transmitting entity: initiator

---------------------------------------------

local ip: 4.4.4.4

local id type: IPV4_ADDR

local id: 4.4.4.4

remote ip: 4.4.4.5

remote id type: IPV4_ADDR

remote id: 4.4.4.5

authentication-method: PRE-SHARED-KEY

authentication-algorithm: HASH-SHA1

encryption-algorithm: DES-CBC

life duration(sec): 86400

remaining key duration(sec): 82480

exchange-mode: MAIN

diffie-hellman group: GROUP1

nat traversal: NO

# Display detailed information about the IKE SA with the remote address of 4.4.4.5.

<Sysname> display ike sa verbose remote-address 4.4.4.5

---------------------------------------------

connection id: 2

vpn-instance: vpn1

transmitting entity: initiator

---------------------------------------------

local ip: 4.4.4.4

local id type: IPV4_ADDR

local id: 4.4.4.4

remote ip: 4.4.4.5

remote id type: IPV4_ADDR

remote id: 4.4.4.5

authentication-method: PRE-SHARED-KEY

authentication-algorithm: HASH-SHA1

encryption-algorithm: DES-CBC

life duration(sec): 86400

remaining key duration(sec): 82236

exchange-mode: MAIN

diffie-hellman group: GROUP1

nat traversal: NO

Table 14 Command output

Field	Description
connection id	Identifier of the ISAKMP SA.
vpn-instance	VPN that the protected data belongs to.
transmitting entity	Entity in the IKE negotiation.
local ip	IP address of the local gateway.
local id type	Identifier type of the local gateway.
local id	Identifier of the local gateway.
remote ip	IP address of the remote gateway.
remote id type	Identifier type of the remote gateway.
remote id	Identifier of the remote security gateway.
authentication-method	Authentication method used by the IKE proposal.
authentication-algorithm	Authentication algorithm used by the IKE proposal.
encryption-algorithm	Encryption algorithm used by the IKE proposal.
life duration(sec)	Lifetime of the ISAKMP SA in seconds.
remaining key duration(sec)	Remaining lifetime of the ISAKMP SA in seconds.
exchange-mode	IKE negotiation mode in phase 1.
diffie-hellman group	DH group used for key negotiation in IKE phase 1.
nat traversal	Whether NAT traversal is enabled.

Related commands

· ike proposal

· ike peer

dpd

Use dpd to apply a DPD detector to an IKE peer.

Use undo dpd to remove the application.

Syntax

dpd dpd-name

undo dpd

Default

No DPD detector is applied to an IKE peer.

Views

IKE peer view

Default command level

2: System level

Parameters

dpd-name: DPD detector name, a string of 1 to 32 characters.

Examples

# Apply dpd1 to IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] dpd dpd1

encryption-algorithm

Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.

Use undo encryption-algorithm to restore the default.

Syntax

encryption-algorithm { aes-cbc [ key-length ] | des-cbc }

undo encryption-algorithm

Default

An IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.

Views

IKE proposal view

Default command level

2: System level

Parameters

aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.

key-length: Key length for the AES algorithm, which can be 128, 192 or 256 bits and is defaulted to 128 bits.

des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption.

Examples

# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] encryption-algorithm des-cbc

Related commands

· ike proposal

· display ike proposal

exchange-mode

Use exchange-mode to select an IKE negotiation mode.

Use undo exchange-mode to restore the default.

Syntax

exchange-mode { aggressive | main }

undo exchange-mode

Default

Main mode is used.

Views

IKE peer view

Default command level

2: System level

Parameters

aggressive: Aggressive mode.

main: Main mode.

Usage guidelines

When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, H3C recommends setting the IKE negotiation mode to aggressive at the local end.

Examples

# Specify that IKE negotiation operates in main mode.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] exchange-mode main

Related commands

id-type

Use id-type to select the type of the ID for IKE negotiation.

Use undo id-type to restore the default.

Syntax

id-type { ip | name | user-fqdn }

undo id-type

Default

The ID type is IP address.

Views

IKE peer view

Default command level

2: System level

Parameters

ip: Uses an IP address as the ID during IKE negotiation.

name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.

user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.

Usage guidelines

In main mode, only the ID type of IP address can be used in IKE negotiation and SA creation. In aggressive mode, either type can be used.

If the ID type of FQDN is used, configure a name without any at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name with an at sign (@) for the local security gateway, for example, [email protected].

Examples

# Use the ID type of name during IKE negotiation.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] id-type name

Related commands

· local-name

· ike local-name

· remote-name

· remote-address

· local-address

· exchange-mode

ike dpd

Use ike dpd to create a DPD detector and enter IKE DPD view.

Use undo ike dpd to remove a DPD detector.

Syntax

ike dpd dpd-name

undo ike dpd dpd-name

Views

System view

Default command level

2: System level

Parameters

dpd-name: Name for the DPD detector, a string of 1 to 32 characters.

Usage guidelines

DPD irregularly detects dead IKE peers. It works as follows:

1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.

2. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.

4. If the local end still receives no DPD acknowledgement after having made the maximum number of retransmission attempts (two by default), it considers the peer already dead, and clears the IKE SA and the IPsec SAs based on the IKE SA.

DPD enables an IKE entity to check the liveliness of its peer only when necessary. It generates less traffic than the keepalive mechanism, which exchanges messages periodically.

Examples

# Create a DPD detector named dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

Related commands

· display ike dpd

· interval-time

· time-out

ike local-name

Use ike local-name to configure a name for the local security gateway.

Use undo ike local-name to restore the default.

Syntax

ike local-name name

undo ike local-name

Default

The device name is used as the name of the local security gateway.

Views

System view

Default command level

2: System level

Parameters

name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.

Usage guidelines

If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation peer uses the security gateway name as its ID to initiate IKE negotiation, and you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If you configure both the ike local-name command and the local-name command, the name configured by the local-name command is used.

The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Examples

# Configure the local security gateway name as app.

<Sysname> system-view

[Sysname] ike local-name app

Related commands

· remote-name

· id-type

ike next-payload check disabled

Use ike next-payload check disabled to disable the checking of the Next payload field in the last payload of an IKE message during IKE negotiation, gaining interoperation with products assigning the field a value other than zero.

Use undo ike next-payload check disabled to restore the default.

Syntax

ike next-payload check disabled

undo ike next-payload check disabled

Default

The Next payload field is checked.

Views

System view

Default command level

2: System level

Examples

# Disable Next payload field checking for the last payload of an IKE message.

<Sysname> system-view

[Sysname] ike next-payload check disabled

ike peer (system view)

Use ike peer to create an IKE peer and enter IKE peer view.

Use undo ike peer to delete an IKE peer.

Syntax

ike peer peer-name

undo ike peer peer-name

Views

System view

Default command level

2: System level

Parameters

peer-name: IKE peer name, a string of 1 to 32 characters.

Examples

# Create an IKE peer named peer1 and enter IKE peer view.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1]

ike proposal

Use ike proposal to create an IKE proposal and enter IKE proposal view.

Use undo ike proposal to delete an IKE proposal.

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

Views

System view

Default command level

2: System level

Parameters

proposal-number: IKE proposal number, in the range 1 to 65535. The lower the number, the higher the priority of the IKE proposal. During IKE negotiation, a high priority IKE proposal is matched before a low priority IKE proposal.

Usage guidelines

The system provides a default IKE proposal, which has the lowest priority and uses these settings:

· Encryption algorithm DES-CBC

· Authentication algorithm HMAC-SHA1

· Authentication method Pre-shared key

· DH group MODP_768

· SA lifetime 86400 seconds

Examples

# Create IKE proposal 10 and enter IKE proposal view.

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10]

Related commands

display ike proposal

ike sa keepalive-timer interval

Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.

Use undo ike sa keepalive-timer interval to disable the ISAKMP SA keepalive transmission function.

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

Default

No keepalive packet is sent.

Views

System view

Default command level

2: System level

Parameters

seconds: Transmission interval of ISAKMP SA keepalives in seconds, in the range 20 to 28,800.

Usage guidelines

The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.

Examples

# Set the keepalive interval to 200 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer interval 200

Related commands

ike sa keepalive-timer timeout

Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.

Use undo ike sa keepalive-timer timeout to disable the function.

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

Default

No keepalive packet is sent.

Views

System view

Default command level

2: System level

Parameters

seconds: ISAKMP SA keepalive timeout in seconds, in the range 20 to 28,800.

Usage guidelines

The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Since it seldom occurs that more than three consecutive packets are lost on a network, the keepalive timeout can be configured to be three times of the keepalive interval.

Examples

# Set the keepalive timeout to 20 seconds.

<Sysname> system-view

[Sysname] ike sa keepalive-timer timeout 20

Related commands

ike sa keepalive-timer interval

ike sa nat-keepalive-timer interval

Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval.

Use undo ike sa nat-keepalive-timer interval to disable the function.

Syntax

ike sa nat-keepalive-timer interval seconds

undo ike sa nat-keepalive-timer interval

Default

The NAT keepalive interval is 20 seconds.

Views

System view

Default command level

2: System level

Parameters

seconds: NAT keepalive interval in seconds, in the range 5 to 300.

Examples

# Set the NAT keepalive interval to 5 seconds.

<Sysname> system-view

[Sysname] ike sa nat-keepalive-timer interval 5

interval-time

Use interval-time to set the DPD query triggering interval for a DPD detector.

Use undo interval-time to restore the default.

Syntax

interval-time interval-time

undo interval-time

Default

The default DPD interval is 10 seconds.

Views

IKE DPD view

Default command level

2: System level

Parameters

interval-time: Sets DPD interval in seconds, in the range of 1 to 300 seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.

Examples

# Set the DPD interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] interval-time 1

local

Use local to set the subnet type of the local security gateway for IKE negotiation.

Use undo local to restore the default.

Syntax

local { multi-subnet | single-subnet }

undo local

Default

The subnet is a single one.

Views

IKE peer view

Default command level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Usage guidelines

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the local security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local multi-subnet

local-address

Use local-address to configure the IP address of the local security gateway in IKE negotiation.

Use undo local-address to remove the configuration.

Syntax

local-address ip-address

undo local-address

Default

The primary address of the interface referencing the IPsec policy is used as the local security gateway IP address for IKE negotiation. Use this command if you want to specify a different address for the local security gateway.

Views

IKE peer view

Default command level

2: System level

Parameters

ip-address: IP address of the local security gateway to be used in IKE negotiation.

Examples

# Set the IP address of the local security gateway to 1.1.1.1.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] local-address 1.1.1.1

local-name

Use local-name to configure a name for the local security gateway to be used in IKE negation.

Use undo local-name to restore the default.

Syntax

local-name name

undo local-name

Default

The device name is used as the name of the local security gateway view.

Views

IKE peer view

Default command level

2: System level

Parameters

name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.

Usage guidelines

Examples

# Set the name of the local security gateway to localgw in IKE peer view of peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] local-name localgw

Related commands

· remote-name

· id-type

nat traversal

Use nat traversal to enable the NAT traversal function of IKE/IPsec.

Use undo nat traversal to disable the NAT traversal function of IKE/IPsec.

Syntax

nat traversal

undo nat traversal

Default

The NAT traversal function is disabled.

Views

IKE peer view

Default command level

2: System level

Examples

# Enable the NAT traversal function for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] nat traversal

peer

Use peer to set the subnet type of the peer security gateway for IKE negotiation.

Use undo peer to restore the default.

Syntax

peer { multi-subnet | single-subnet }

undo peer

Default

The subnet is a single one.

Views

IKE peer view

Default command level

2: System level

Parameters

multi-subnet: Sets the subnet type to multiple.

single-subnet: Sets the subnet type to single.

Usage guidelines

Use this command to enable interoperability with a NetScreen device.

Examples

# Set the subnet type of the peer security gateway to multiple.

<Sysname> system-view

[Sysname] ike peer xhy

[Sysname-ike-peer-xhy] peer multi-subnet

pre-shared-key

Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.

Use undo pre-shared-key to remove the configuration.

Syntax

pre-shared-key [ cipher | simple ] key

undo pre-shared-key

Views

IKE peer view

Default command level

2: System level

Parameters

cipher: Sets a ciphertext pre-shared key.

simple: Sets a plaintext pre-shared key.

key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 201 characters. If simple is specified, it must be a string of 1 to 128 characters. If neither cipher nor simple is specified, you set a plaintext key string.

For secrecy, all keys, including keys configured in plain text, are saved in cipher text.

Examples

# Set the pre-shared key used in IKE negotiation to plaintext string abcde.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] pre-shared-key simple abcde

Related commands

authentication-method

proposal (IKE peer view)

Use proposal to specify the IKE proposals for the IKE peer to reference.

Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.

Syntax

proposal proposal-number&<1-6>

undo proposal [ proposal-number ]

Default

An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.

Views

IKE peer view

Default command level

2: System level

Parameters

proposal-number&<1-6>: Sequence number of the IKE proposal for the IKE peer to reference, in the range 1 to 65535. &<1-6> means that you can specify the proposal-number argument for up to six times. An IKE proposal with a smaller sequence number has a higher priority.

Usage guidelines

In the IKE negotiation phase 1, the local end uses the IKE proposals specified for it, if any.

An IKE peer can reference up to six IKE proposals.

The responder uses the IKE proposals configured in system view for negotiation.

Examples

# Configure IKE peer peer1 to reference IKE proposal 10.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] proposal 10

Related commands

· ike proposal

· ike peer (system view)

remote-address

Use remote-address to configure the IP address of the IPsec remote security gateway.

Use undo remote-address to remove the configuration.

Syntax

remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }

undo remote-address

Views

IKE peer view

Default command level

2: System level

Parameters

hostname: Host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.

dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name.

low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.

high-ip-address: Highest address in the address range if you want to specify a range of addresses.

Usage guidelines

The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with the local-address command or, if the local-address command is not configured, the primary IP address of the interface to which the policy is applied.

The local end can be the initiator of IKE negotiation if the remote address is a host IP address or a host name. The local end can only be the responder of IKE negotiation if the remote address is an address range that the local end can respond to.

If the IP address of the remote address changes frequently, configure the host name of the remote gateway with the dynamic keyword so that the local end can use the up-to-date remote IP address to initiate IKE negotiation.

Related commands

· id-type ip

· local-address

Examples

# Configure the IP address of the remote security gateway as 10.0.0.1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-address 10.0.0.1

# Configure the host name of the remote gateway as test.com, and specify the local end to dynamically update the remote IP address.

<Sysname> system-view

[Sysname] ike peer peer2

[Sysname-ike-peer-peer2] remote-address test.com dynamic

remote-name

Use remote-name to configure the name of the remote gateway.

Use undo remote-name to remove the configuration.

Syntax

remote-name name

undo remote-name

Views

IKE peer view

Default command level

2: System level

Parameters

name: Name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.

Usage guidelines

If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.

Related commands

· id-type

· local-name

· ike local-name

Examples

# Configure the remote security gateway name as apple for IKE peer peer1.

<Sysname> system-view

[Sysname] ike peer peer1

[Sysname-ike-peer-peer1] remote-name apple

reset ike sa

Use reset ike sa to clear IKE SAs.

Syntax

reset ike sa [ connection-id ]

Views

User view

Default command level

2: System level

Parameters

connection-id: Connection ID of the IKE SA to be cleared, in the range 1 to 2000000000.

Usage guidelines

If you do not specify any parameter, the command clears all ISAKMP SAs.

When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.

Examples

# Clear the IKE SA that uses connection ID 2.

<Sysname> display ike sa

total phase-1 SAs: 1

connection-id peer flag phase doi

----------------------------------------------------------

1 202.38.0.2 RD|ST 1 IPSEC

2 202.38.0.2 RD|ST 2 IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO--TIMEOUT

<Sysname> reset ike sa 2

<Sysname> display ike sa

total phase-1 SAs: 1

connection-id peer flag phase doi

----------------------------------------------------------

1 202.38.0.2 RD|ST 1 IPSEC

flag meaning

RD--READY ST--STAYALIVE RL--REPLACED FD—FADING TO—TIMEOUT

Related commands

display ike sa

sa duration

Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.

Use undo sa duration to restore the default.

Syntax

sa duration seconds

undo sa duration

Default

The ISAKMP SA lifetime is 86400 seconds.

Views

IKE proposal view

Default command level

2: System level

Parameters

Seconds: Specifies the ISAKMP SA lifetime in seconds, in the range 60 to 604800.

Usage guidelines

Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up, and the old one will be cleared automatically when it expires.

Examples

# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).

<Sysname> system-view

[Sysname] ike proposal 10

[Sysname-ike-proposal-10] sa duration 600

Related commands

· ike proposal

· display ike proposal

time-out

Use time-out to set the DPD packet retransmission interval for a DPD detector.

Use undo time-out to restore the default.

Syntax

time-out time-out

undo time-out

Views

IKE DPD view

Default command level

2: System level

Parameters

time-out: DPD packet retransmission interval in seconds, in the range 1 to 60.

Usage guidelines

The default DPD packet retransmission interval is 5 seconds.

Examples

# Set the DPD packet retransmission interval to 1 second for dpd2.

<Sysname> system-view

[Sysname] ike dpd dpd2

[Sysname-ike-dpd-dpd2] time-out 1

07-Security Command Reference

IPsec configuration commands

display ipsec policy

esp authentication-algorithm

ike-peer (IPsec policy view/IPsec policy template view)

ipsec transform-set

remote-address

ike proposal

peer

Intelligent Terminal Products

Product Support Services

Technical Service Solutions

Resource Center

Policy

Online Help

Become a Partner

Partner Policy & Program

Global Learning

Partner Sales Resources

Service Business

News & Events

Contact Us