07-Security Command Reference
15-IPsec Commands
ah authentication-algorithm
Syntax
ah authentication-algorithm { md5 | sha1 }
undo ah authentication-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses MD5.
sha1: Uses SHA1.
Description
Use ah authentication-algorithm to specify authentication algorithms for the authentication header (AH) protocol.
Use undo ah authentication-algorithm to restore the default.
By default, AH uses the MD5 authentication algorithm.
You must use the transform command to specify the AH security protocol or both AH and ESP before you specify authentication algorithms for AH.
Related commands: ipsec proposal and transform.
Examples
# Configure IPsec proposal prop1 to use AH and SHA1.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
[Sysname-ipsec-proposal-prop1] ah authentication-algorithm sha1
connection-name
Syntax
connection-name name
undo connection-name
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
name: IPsec connection name, a case-insensitive string of 1 to 32 characters.
Description
Use connection-name to configure an IPsec connection name. This name functions only as a description of the IPsec policy.
Use undo connection-name to restore the default.
By default, no IPsec connection name is configured.
Example
# Set IPsec connection name to CenterToA.
<Sysname> system-view
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] connection-name CenterToA
display ipsec policy
Syntax
display ipsec policy [ brief | name policy-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policies.
name: Displays detailed information about a specified IPsec policy or IPsec policy group.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec policy to display information about IPsec policies.
If you do not specify any parameters, the command displays detailed information about all IPsec policies.
If you specify the name policy-name option but omit the seq-number argument, the command displays detailed information about the specified IPsec policy group.
Related commands: ipsec policy (system view).
Examples
# Display brief information about all IPsec policies.
<Sysname> display ipsec policy brief
IPsec-Policy-Name   Mode      acl    ike-peer name   Mapped Template
------------------------------------------------------------------------
bbbbbbbbbbbbbbb-1   template                         aaaaaaaaaaaaaaa
man-1               manual    3400
map-1               isakmp    3000   peer
nat-1               isakmp    3500   nat
test-1              isakmp    3200   test
toccccc-1           isakmp    3003   tocccc

IPsec-Policy-Name   Mode      acl    Local-Address   Remote-Address
------------------------------------------------------------------------
man-1               manual    3400   3.3.3.1         3.3.3.2
Table 1 Command output

Field | Description
---|---
IPsec-Policy-Name | Name and sequence number of the IPsec policy, separated by a hyphen
Mode | Negotiation mode of the IPsec policy: manual (manual mode), isakmp (IKE negotiation mode), or template (IPsec policy template mode)
acl | Access control list (ACL) referenced by the IPsec policy
ike-peer name | IKE peer name
Mapped Template | Referenced IPsec policy template
Local-Address | IP address of the local end
Remote-Address | IP address of the remote end
# Display detailed information about all IPsec policies.
<Sysname> display ipsec policy
===========================================
IPsec Policy Group: "policy_isakmp"
Interface: Vlan-interface1
===========================================
------------------------------------
IPsec policy name: "policy_isakmp"
sequence number: 10
mode: isakmp
-------------------------------------
security data flow : 3000
selector mode: standard
ike-peer name: per
perfect forward secrecy: None
proposal name: prop1
Synchronization inbound anti-replay-interval: 1000 packets
Synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
policy enable: True
===========================================
IPsec Policy Group: "policy_man"
Interface: Vlan-interface2
===========================================
-----------------------------------------
IPsec policy name: "policy_man"
sequence number: 10
mode: manual
-----------------------------------------
security data flow : 3002
tunnel local address: 162.105.10.1
tunnel remote address: 162.105.10.2
proposal name: prop1
inbound AH setting:
AH spi: 12345 (0x3039)
AH string-key:
AH authentication hex key : 1234567890123456789012345678901234567890
inbound ESP setting:
ESP spi: 23456 (0x5ba0)
ESP string-key:
ESP encryption hex key: 1234567890abcdef1234567890abcdef1234567812345678
ESP authentication hex key: 1234567890abcdef1234567890abcdef
outbound AH setting:
AH spi: 54321 (0xd431)
AH string-key:
AH authentication hex key: 1122334455667788990011223344556677889900
outbound ESP setting:
ESP spi: 65432 (0xff98)
ESP string-key:
ESP encryption hex key: 11223344556677889900aabbccddeeff1234567812345678
ESP authentication hex key: 11223344556677889900aabbccddeeff
Table 2 Command output

Field | Description
---|---
security data flow | ACL referenced by the IPsec policy.
Interface | Interface to which the IPsec policy is applied.
sequence number | Sequence number of the IPsec policy.
mode | Negotiation mode of the IPsec policy: manual (manual mode), isakmp (IKE negotiation mode), or template (IPsec policy template mode).
selector mode | Data flow protection mode of the IPsec policy, standard or aggregation.
ike-peer name | IKE peer referenced by the IPsec policy.
tunnel local address | Local IP address of the tunnel.
tunnel remote address | Remote IP address of the tunnel.
perfect forward secrecy | Whether PFS is enabled.
proposal name | Proposal referenced by the IPsec policy.
policy enable | Whether the IPsec policy is enabled.
Synchronization inbound anti-replay-interval | Interval for synchronizing anti-replay windows in the inbound direction, expressed as a number of received packets.
Synchronization outbound anti-replay-interval | Interval for synchronizing anti-replay sequence numbers in the outbound direction, expressed as a number of sent packets.
inbound/outbound AH/ESP setting | AH/ESP settings in the inbound/outbound direction, including the SPI and keys.
display ipsec policy-template
Syntax
display ipsec policy-template [ brief | name template-name [ seq-number ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
brief: Displays brief information about all IPsec policy templates.
name: Displays detailed information about a specified IPsec policy template or IPsec policy template group.
template-name: Name of the IPsec policy template, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy template, in the range 1 to 65535.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec policy-template to display information about IPsec policy templates.
If you do not specify any parameters, the command displays detailed information about all IPsec policy templates.
If you specify the name template-name option but omit the seq-number argument, the command displays information about the specified IPsec policy template group.
Related commands: ipsec policy-template.
Examples
# Display brief information about all IPsec policy templates.
<Sysname> display ipsec policy-template brief
Policy-template-Name acl Remote-Address
------------------------------------------------------
test-tplt300 2200
Table 3 Command output

Field | Description
---|---
Policy-template-Name | Name and sequence number of the IPsec policy template, separated by a hyphen
acl | ACL referenced by the IPsec policy template
Remote-Address | Remote IP address
# Display detailed information about all IPsec policy templates.
<Sysname> display ipsec policy-template
===============================================
IPsec Policy Template Group: "test"
===============================================
---------------------------------
Policy template name: "test"
sequence number: 1
---------------------------------
security data flow :
ike-peer name: None
perfect forward secrecy:
proposal name: testprop
Synchronization inbound anti-replay-interval: 1000 packets
Synchronization outbound anti-replay-interval: 10000 packets
IPsec sa local duration(time based): 3600 seconds
IPsec sa local duration(traffic based): 1843200 kilobytes
Table 4 Command output

Field | Description
---|---
security data flow | ACL referenced by the IPsec policy template.
ike-peer name | IKE peer referenced by the IPsec policy template.
perfect forward secrecy | Whether PFS is enabled.
proposal name | IPsec proposal referenced by the IPsec policy template.
Synchronization inbound anti-replay-interval | Interval for synchronizing anti-replay windows in the inbound direction, expressed as a number of received packets.
Synchronization outbound anti-replay-interval | Interval for synchronizing anti-replay sequence numbers in the outbound direction, expressed as a number of sent packets.
IPsec sa local duration(time based) | Time-based lifetime of the IPsec SAs at the local end.
IPsec sa local duration(traffic based) | Traffic-based lifetime of the IPsec SAs at the local end.
display ipsec proposal
Syntax
display ipsec proposal [ proposal-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
proposal-name: Name of a proposal, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec proposal to display information about IPsec proposals.
If you do not specify any parameters, the command displays information about all IPsec proposals.
Related commands: ipsec proposal.
Examples
# Display information about all IPsec proposals.
<Sysname> display ipsec proposal
IPsec proposal name: prop2
encapsulation mode: tunnel
transform: ah-new
AH protocol: authentication sha1-hmac-96
Table 5 Command output

Field | Description
---|---
IPsec proposal name | Name of the IPsec proposal.
encapsulation mode | Encapsulation mode used by the IPsec proposal, transport or tunnel. IPsec between AC and AP supports only the tunnel mode.
transform | Security protocols used by the IPsec proposal: AH, ESP, or both. If both protocols are configured, IPsec applies ESP before AH.
AH protocol | Authentication algorithm used by AH.
ESP protocol | Authentication algorithm and encryption algorithm used by ESP.
display ipsec sa
Syntax
display ipsec sa [ active | brief | policy policy-name [ seq-number ] | remote ip-address | standby ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
active: Displays detailed information about the active IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
brief: Displays brief information about all IPsec SAs.
policy: Displays detailed information about IPsec SAs created by using a specified IPsec policy.
policy-name: Name of the IPsec policy, a string of 1 to 15 characters.
seq-number: Sequence number of the IPsec policy, in the range 1 to 65535.
remote: Displays detailed information about the IPsec SA with a specified remote address.
standby: Displays detailed information about the standby IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec sa to display information about IPsec SAs.
If you do not specify any parameters, the command displays information about all IPsec SAs.
Related commands: reset ipsec sa and ipsec sa global-duration.
Examples
# Display brief information about all IPsec SAs.
<Sysname> display ipsec sa brief
Src Address   Dst Address   SPI   Protocol   Algorithm
--------------------------------------------------------
10.1.1.1      10.1.1.2      300   ESP        E:DES; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   ESP        E:DES; A:HMAC-MD5-96
Table 6 Command output

Field | Description
---|---
Src Address | Local IP address.
Dst Address | Remote IP address.
SPI | Security parameter index.
Protocol | Security protocol used by IPsec.
Algorithm | Authentication algorithm and encryption algorithm used by the security protocol, where E indicates the encryption algorithm and A indicates the authentication algorithm. A value of NULL means that type of algorithm is not specified.
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
===============================
Interface: Vlan-interface1
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "p"
sequence number: 1
mode: template
-----------------------------
connection id: 14
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 133.1.3.1
remote address: 133.1.1.32
flow:
sour addr: 133.1.3.1/255.255.255.255 port: 12223 protocol: UDP
dest addr: 133.1.1.32/255.255.255.255 port: 12223 protocol: UDP
[inbound ESP SAs]
spi: 1723826666 (0x66bf81ea)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843182/3448
max received sequence-number: 70
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2479317078 (0x93c76056)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843196/3448
max received sequence-number: 71
udp encapsulation used for nat traversal: N
-----------------------------
IPsec policy name: "p"
sequence number: 1
mode: template
-----------------------------
connection id: 15
encapsulation mode: tunnel
perfect forward secrecy:
tunnel:
local address: 133.1.3.1
remote address: 133.1.1.32
flow:
sour addr: 133.1.3.1/255.255.255.255 port: 12222 protocol: UDP
dest addr: 133.1.1.32/255.255.255.255 port: 12222 protocol: UDP
[inbound ESP SAs]
spi: 3696099664 (0xdc4e0150)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843078/2581
max received sequence-number: 1893
anti-replay check enable: Y
anti-replay window size: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 4091929623 (0xf3e5e417)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843129/2581
max received sequence-number: 574
udp encapsulation used for nat traversal: N
Table 7 Command output

Field | Description
---|---
Interface | Interface referencing the IPsec policy.
path MTU | Maximum IP packet length supported by the interface.
IPsec policy name | Name of the IPsec policy used.
sequence number | Sequence number of the IPsec policy.
mode | IPsec negotiation mode.
connection id | IPsec tunnel identifier.
encapsulation mode | Encapsulation mode, transport or tunnel. IPsec between AC and AP supports only the tunnel mode.
perfect forward secrecy | Whether the perfect forward secrecy feature is enabled.
tunnel | IPsec tunnel.
local address | Local IP address of the IPsec tunnel.
remote address | Remote IP address of the IPsec tunnel.
flow | Data flow.
sour addr | Source IP address of the data flow.
dest addr | Destination IP address of the data flow.
port | Port number.
protocol | Protocol type.
inbound | Information about the inbound SA.
spi | Security parameter index.
proposal | Security protocol and algorithms used by the IPsec proposal.
sa duration | Lifetime of the IPsec SA.
sa remaining duration | Remaining lifetime of the SA.
max received sequence-number | Maximum sequence number of the received packets (relevant to the anti-replay function provided by the security protocol).
udp encapsulation used for nat traversal | Whether NAT traversal is enabled for the SA.
outbound | Information about the outbound SA.
max sent sequence-number | Maximum sequence number of the sent packets (relevant to the anti-replay function provided by the security protocol).
anti-replay check enable | Whether IPsec anti-replay checking is enabled.
anti-replay window size | Size of the anti-replay window.
status | Whether the SA is in the active or standby state. This field is displayed only when IPsec stateful failover is enabled.
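The detailed output above is what an operator reads to confirm that a tunnel is healthy. The following script is an added example, not part of the command reference or of the device software: it parses a constructed `display ipsec sa` excerpt in the layout documented here and reports inbound SAs with anti-replay checking off, SAs whose time-based lifetime is about to run out, and connections that have an SA in only one direction. The threshold of 300 seconds and the sample SPIs are assumptions chosen for the example.

```python
import re

# Constructed 'display ipsec sa' excerpt in the layout this section documents.
# Connection 15 has anti-replay disabled and SAs about to expire; connection 16
# has only an inbound SA, so each check below fires at least once.
SAMPLE_OUTPUT = """\
-----------------------------
IPsec policy name: "p"
sequence number: 1
mode: template
-----------------------------
connection id: 14
encapsulation mode: tunnel
tunnel:
local address: 133.1.3.1
remote address: 133.1.1.32
[inbound ESP SAs]
spi: 1723826666 (0x66bf81ea)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843182/3448
max received sequence-number: 70
anti-replay check enable: Y
anti-replay window size: 32
[outbound ESP SAs]
spi: 2479317078 (0x93c76056)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa duration (kilobytes/sec): 1843200/3600
sa remaining duration (kilobytes/sec): 1843196/3448
-----------------------------
connection id: 15
[inbound ESP SAs]
spi: 3696099664 (0xdc4e0150)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining duration (kilobytes/sec): 1843078/40
anti-replay check enable: N
[outbound ESP SAs]
spi: 4091929623 (0xf3e5e417)
proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
sa remaining duration (kilobytes/sec): 1843129/40
-----------------------------
connection id: 16
[inbound ESP SAs]
spi: 305419896 (0x12345678)
sa remaining duration (kilobytes/sec): 1843200/3500
anti-replay check enable: Y
"""


def parse_sas(text):
    """Return one dict per SA, tagged with its connection id and direction."""
    sas = []
    conn = None
    sa = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"connection id: (\d+)", line)
        if m:
            conn = int(m.group(1))
            sa = None  # lines before the next [... SAs] header are tunnel-level
            continue
        m = re.match(r"\[(inbound|outbound) (\w+) SAs\]", line)
        if m:
            sa = {"conn": conn, "dir": m.group(1), "proto": m.group(2),
                  "spi": None, "anti_replay": None, "remaining_sec": None}
            sas.append(sa)
            continue
        if sa is None:
            continue
        m = re.match(r"spi: (\d+)", line)
        if m:
            sa["spi"] = int(m.group(1))
        m = re.match(r"sa remaining duration \(kilobytes/sec\): (\d+)/(\d+)", line)
        if m:
            sa["remaining_kb"], sa["remaining_sec"] = int(m.group(1)), int(m.group(2))
        m = re.match(r"anti-replay check enable: ([YN])", line)
        if m:
            sa["anti_replay"] = m.group(1) == "Y"
    return sas


def find_problems(sas, min_remaining_sec=300):
    """Return findings as strings; an empty list means every check passed."""
    findings = []
    directions = {}
    for sa in sas:
        directions.setdefault(sa["conn"], set()).add(sa["dir"])
        # The output shows the anti-replay flag only for inbound SAs, which is
        # where replayed packets would be accepted if the check were off.
        if sa["dir"] == "inbound" and sa["anti_replay"] is not True:
            findings.append(f"conn {sa['conn']}: inbound SPI {sa['spi']} has anti-replay off")
        if sa["remaining_sec"] is not None and sa["remaining_sec"] < min_remaining_sec:
            findings.append(f"conn {sa['conn']}: {sa['dir']} SPI {sa['spi']} expires in {sa['remaining_sec']}s")
    for conn, dirs in directions.items():
        for missing in ("inbound", "outbound"):
            if missing not in dirs:
                findings.append(f"conn {conn}: missing {missing} SA")
    return findings


if __name__ == "__main__":
    for finding in find_problems(parse_sas(SAMPLE_OUTPUT)):
        print(finding)
```

Feed the script the real output of `display ipsec sa` (for example saved from a terminal session) in place of the constructed sample. A connection with only one SA direction usually means one side rekeyed and the other did not; an inbound SA with anti-replay off accepts duplicated ESP packets within the window.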
display ipsec statistics
Syntax
display ipsec statistics [ tunnel-id integer ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
tunnel-id integer: Specifies an IPsec tunnel by its ID, which is in the range 1 to 2000000000.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec statistics to display IPsec packet statistics.
If you do not specify any parameters, the command displays the statistics for all IPsec packets.
Related commands: reset ipsec statistics.
Examples
# Display statistics on all IPsec packets.
<Sysname> display ipsec statistics
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
# Display IPsec packet statistics for Tunnel 3.
<Sysname> display ipsec statistics tunnel-id 3
------------------------------------------------
Connection ID : 3
------------------------------------------------
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 0/0
dropped security packet detail:
not enough memory: 0
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
Table 8 Command output

Field | Description
---|---
Connection ID | ID of the tunnel.
input/output security packets | Counts of inbound and outbound IPsec protected packets.
input/output security bytes | Counts of inbound and outbound IPsec protected bytes.
input/output dropped security packets | Counts of inbound and outbound IPsec protected packets that are discarded by the device.
dropped security packet detail | Detailed information about inbound/outbound packets that get dropped.
not enough memory | Number of packets dropped due to lack of memory.
can't find SA | Number of packets dropped because no security association was found.
queue is full | Number of packets dropped due to full queues.
authentication has failed | Number of packets dropped due to authentication failure.
wrong length | Number of packets dropped due to wrong packet length.
replay packet | Number of packets dropped by the anti-replay check as replays.
packet too long | Number of packets dropped due to excessive packet length.
wrong SA | Number of packets dropped due to an improper SA.
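The drop counters are cumulative, so a single reading says little; what matters is how each reason grows between readings. The following script is an added example, not part of the command reference: it parses two constructed `display ipsec statistics` snapshots in the format documented here, diffs the counters, and groups each drop reason by what an operator should do about it. The grouping, the threshold of 10 packets, and the counter values in the second snapshot are assumptions for the example; the device does not break the drop detail down by direction, so the percentage is computed against new inbound packets as an approximation.

```python
import re

# Constructed snapshots. SNAPSHOT_T0 mirrors the layout of the command output;
# SNAPSHOT_T1 is a later reading in which authentication failures and replays
# have started to appear.
SNAPSHOT_T0 = """\
the security packet statistics:
input/output security packets: 47/62
input/output security bytes: 3948/5208
input/output dropped security packets: 0/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 0
wrong length: 0
replay packet: 0
packet too long: 0
wrong SA: 0
"""

SNAPSHOT_T1 = """\
the security packet statistics:
input/output security packets: 5124/8231
input/output security bytes: 52348/64356
input/output dropped security packets: 312/45
dropped security packet detail:
not enough memory: 0
can't find SA: 45
queue is full: 0
authentication has failed: 290
wrong length: 0
replay packet: 22
packet too long: 0
wrong SA: 0
"""

# What a sustained increase in each reason usually means (assumed grouping).
REASON_CLASS = {
    "authentication has failed": "integrity",  # key mismatch, corruption or forgery
    "replay packet": "integrity",              # duplicate sequence numbers in the window
    "wrong SA": "integrity",
    "wrong length": "integrity",
    "can't find SA": "no-sa",                  # SA not negotiated yet, or expired
    "not enough memory": "resource",
    "queue is full": "resource",
    "packet too long": "resource",
}


def parse_statistics(text):
    """Return a flat dict of counters from one command output."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"input/output (security packets|security bytes|dropped security packets): (\d+)/(\d+)", line)
        if m:
            counters["in " + m.group(1)] = int(m.group(2))
            counters["out " + m.group(1)] = int(m.group(3))
            continue
        m = re.match(r"([A-Za-z' ]+): (\d+)$", line)
        if m and m.group(1) in REASON_CLASS:
            counters[m.group(1)] = int(m.group(2))
    return counters


def drop_alerts(before, after, integrity_threshold=10):
    """Diff two snapshots; return (reason, delta, advice) for reasons that grew."""
    alerts = []
    in_delta = after["in security packets"] - before.get("in security packets", 0)
    for reason, cls in REASON_CLASS.items():
        delta = after.get(reason, 0) - before.get(reason, 0)
        if delta <= 0:
            continue
        if cls == "integrity" and delta >= integrity_threshold:
            pct = 100.0 * delta / max(in_delta, 1)
            alerts.append((reason, delta, f"integrity: {pct:.1f}% of new inbound packets; "
                                          "verify keys and peer, suspect replay or tampering"))
        elif cls == "no-sa":
            alerts.append((reason, delta, "no-sa: traffic matched a policy with no SA; check IKE negotiation"))
        elif cls == "resource":
            alerts.append((reason, delta, "resource: device capacity, not a crypto problem"))
    return alerts


if __name__ == "__main__":
    for reason, delta, advice in drop_alerts(parse_statistics(SNAPSHOT_T0), parse_statistics(SNAPSHOT_T1)):
        print(f"{reason}: +{delta} ({advice})")
```

Run it periodically against saved outputs of `display ipsec statistics` (or `display ipsec statistics tunnel-id` for one tunnel). A rising "authentication has failed" count with a stable "can't find SA" count points at the peer's keys or at traffic being altered in transit rather than at a missing SA.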
display ipsec tunnel
Syntax
display ipsec tunnel [ active | standby ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
active: Displays information about the active IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
standby: Displays information about the standby IPsec tunnels in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ipsec tunnel to display information about IPsec tunnels.
If you do not specify any parameters, the command displays information about all IPsec tunnels.
Examples
# Display information about IPsec tunnels.
<Sysname> display ipsec tunnel
total tunnel : 2
------------------------------------------------
connection id: 3
status: active
perfect forward secrecy:
SA's SPI:
inbound: 187199087 (0xb286e6f) [ESP]
outbound: 3562274487 (0xd453feb7) [ESP]
tunnel:
local address: 44.44.44.44
remote address : 44.44.44.55
flow:
sour addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP
dest addr : 44.44.44.0/255.255.255.0 port: 0 protocol : IP
current Encrypt-card: None
------------------------------------------------
connection id: 5
perfect forward secrecy:
SA's SPI:
inbound: 12345 (0x3039) [ESP]
outbound: 12345 (0x3039) [ESP]
tunnel:
flow:
current Encrypt-card:
# Display information about IPsec tunnels in aggregation mode.
<Sysname> display ipsec tunnel
total tunnel: 2
------------------------------------------------
connection id: 4
status: active
perfect forward secrecy:
SA's SPI:
inbound : 2454606993 (0x924e5491) [ESP]
outbound : 675720232 (0x2846ac28) [ESP]
tunnel :
local address: 44.44.44.44
remote address : 44.44.44.45
flow :
as defined in acl 3001
current Encrypt-card : None
Table 9 Command output

Field | Description
---|---
connection id | Connection ID, used to uniquely identify an IPsec tunnel.
status | Whether the tunnel is in the active or standby state. This field is displayed only when IPsec stateful failover is enabled.
perfect forward secrecy | Perfect forward secrecy setting, indicating which DH group is used for the IKE phase 2 (quick mode) negotiation.
SA's SPI | SPIs of the inbound and outbound SAs.
tunnel | Local and remote addresses of the tunnel.
flow | Data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol.
as defined in acl 3001 | The IPsec tunnel protects all data flows defined by ACL 3001.
current Encrypt-card | Encryption card interface used by the current tunnel.
encapsulation-mode
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
View
IPsec proposal view
Default level
2: System level
Parameters
transport: Uses transport mode.
tunnel: Uses tunnel mode.
Description
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
By default, a security protocol encapsulates IP packets in tunnel mode.
Examples
# Configure IPsec proposal prop2 to use the transport encapsulation mode.
<Sysname> system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] encapsulation-mode transport
esp authentication-algorithm
Syntax
esp authentication-algorithm { md5 | sha1 }
undo esp authentication-algorithm
Default
ESP uses the MD5 authentication algorithm.
View
IPsec proposal view
Default level
2: System level
Parameters
md5: Uses the MD5 algorithm, which uses a 128-bit key.
sha1: Uses the SHA1 algorithm, which uses a 160-bit key.
Description
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to configure ESP to not authenticate packets. Encryption-only ESP does not protect packet integrity, so an on-path attacker can alter ciphertext without detection; keep ESP authentication enabled unless AH is also configured to authenticate the packets.
MD5 is faster than SHA1 but weaker, and HMAC-MD5 should be treated as a legacy option. Use SHA1 unless a peer supports only MD5.
For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp authentication-algorithm command takes effect only if an encryption algorithm is specified for ESP.
Related commands: display ipsec proposal, esp encryption-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify SHA1 as the authentication algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp authentication-algorithm sha1
esp encryption-algorithm
Syntax
esp encryption-algorithm { 3des | aes [ key-length ] | des }
undo esp encryption-algorithm
View
IPsec proposal view
Default level
2: System level
Parameters
3des: Uses the triple Data Encryption Standard (3DES) in CBC mode, which uses a 168-bit key.
aes: Uses the Advanced Encryption Standard (AES) in CBC mode, which uses a 128-bit, 192-bit, or 256-bit key.
key-length: Specifies the key length (in bits) of the AES algorithm. This argument is valid when AES is used, and can be 128, 192, or 256. The default value is 128.
des: Uses the DES in cipher block chaining (CBC) mode, which uses a 56-bit key.
Description
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to configure ESP to not encrypt packets.
By default, ESP uses the DES encryption algorithm.
DES is faster than 3DES but much weaker: its 56-bit key can be recovered by brute force, so do not use DES for new deployments. Prefer AES (aes 128 or a longer key), and use 3DES only where a peer does not support AES.
ESP supports three IP packet protection schemes: encryption only, authentication only, or both encryption and authentication.
For ESP, you must specify an encryption algorithm, an authentication algorithm, or both. The undo esp encryption-algorithm command takes effect only if an authentication algorithm is specified for ESP.
Related commands: display ipsec proposal, esp authentication-algorithm, proposal, and transform.
Examples
# Configure IPsec proposal prop1 to use ESP and specify 3DES as the encryption algorithm for ESP.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform esp
[Sysname-ipsec-proposal-prop1] esp encryption-algorithm 3des
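Because the defaults documented above (MD5 for AH and ESP authentication, DES for ESP encryption) are the weakest options each command accepts, a proposal that sets transform and nothing else is weak without any weak algorithm appearing in the configuration. The following script is an added example, not part of the command reference or the device software: it parses a constructed configuration excerpt containing ipsec proposal blocks, fills in the defaults this section documents, and emits the commands that would replace DES and MD5. It serves both the esp authentication-algorithm and esp encryption-algorithm descriptions above. The assumption that a proposal without a transform line uses ESP is not stated in this section; the proposal names and the config text are constructed.

```python
import re

# Constructed sample configuration; not taken from a real device.
SAMPLE_CONFIG = """\
#
ipsec proposal legacy
 transform esp
#
ipsec proposal ah-only
 transform ah
 ah authentication-algorithm sha1
#
ipsec proposal strong
 transform esp
 esp encryption-algorithm aes 256
 esp authentication-algorithm sha1
#
"""

WEAK_ENCRYPTION = {"des"}
WEAK_AUTHENTICATION = {"md5"}


def parse_proposals(config_text):
    """Return {name: settings}, starting each proposal from the documented defaults."""
    proposals = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ipsec proposal (\S+)$", line)
        if m:
            current = {
                "transform": "esp",         # assumption: default security protocol
                "encapsulation": "tunnel",  # documented default
                "ah_auth": "md5",           # documented default
                "esp_enc": "des",           # documented default
                "esp_auth": "md5",          # documented default
            }
            proposals[m.group(1)] = current
            continue
        if current is None:
            continue
        if line.startswith("undo esp encryption-algorithm"):
            current["esp_enc"] = None       # authentication-only ESP
            continue
        if line.startswith("undo esp authentication-algorithm"):
            current["esp_auth"] = None      # encryption-only ESP
            continue
        for key, pattern in (("transform", r"transform (\S+)"),
                             ("encapsulation", r"encapsulation-mode (\S+)"),
                             ("ah_auth", r"ah authentication-algorithm (\S+)"),
                             ("esp_auth", r"esp authentication-algorithm (\S+)")):
            m = re.match(pattern, line)
            if m:
                current[key] = m.group(1)
        m = re.match(r"esp encryption-algorithm (\S+)(?: (\d+))?", line)
        if m:
            if m.group(1) == "aes":
                # AES defaults to a 128-bit key when no length is given.
                current["esp_enc"] = "aes" + (m.group(2) or "128")
            else:
                current["esp_enc"] = m.group(1)
    return proposals


def lint(proposals):
    """Return {name: [CLI lines]} that replace DES/MD5 in each offending proposal."""
    fixes = {}
    for name, p in proposals.items():
        cmds = []
        uses_ah = "ah" in p["transform"]     # "ah" or "ah-esp"
        uses_esp = "esp" in p["transform"]   # "esp" or "ah-esp"
        if uses_ah and p["ah_auth"] in WEAK_AUTHENTICATION:
            cmds.append("ah authentication-algorithm sha1")
        if uses_esp and p["esp_enc"] in WEAK_ENCRYPTION:
            cmds.append("esp encryption-algorithm aes 256")
        if uses_esp and (p["esp_auth"] is None or p["esp_auth"] in WEAK_AUTHENTICATION):
            cmds.append("esp authentication-algorithm sha1")  # no encryption-only ESP
        if cmds:
            fixes[name] = ["ipsec proposal " + name] + [" " + c for c in cmds]
    return fixes


if __name__ == "__main__":
    for name, cmds in lint(parse_proposals(SAMPLE_CONFIG)).items():
        print("\n".join(cmds))
```

Paste the printed lines into system view to harden the offending proposal; the peer must be configured with the same algorithms or IKE negotiation will fail. The script reports configuration intent only; what was actually negotiated is visible in display ipsec sa.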
ike-peer (IPsec policy view/IPsec policy template view/IPsec profile view)
Syntax
ike-peer peer-name
undo ike-peer peer-name
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Description
Use ike-peer to reference an IKE peer in an IPsec policy, IPsec policy template, or IPsec profile configured through IKE negotiation.
Use undo ike-peer to remove the reference.
Related commands: ipsec policy, and ipsec profile.
Examples
# Configure a reference to an IKE peer in an IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] ike-peer peer1
# Configure a reference to an IKE peer in an IPsec profile.
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] ike-peer peer1
ipsec policy (interface view)
Syntax
ipsec policy policy-name
undo ipsec policy [ policy-name ]
View
Interface view
Default level
2: System level
Parameters
policy-name: Name of the existing IPsec policy group to be applied to the interface, a string of 1 to 15 characters.
Description
Use ipsec policy to apply an IPsec policy group to an interface.
Use undo ipsec policy to remove the application.
Only one IPsec policy group can be applied to an interface. To apply another IPsec policy group to the interface, remove the original application first. An IPsec policy group can be applied to more than one interface.
With an IPsec policy group applied to an interface, the system uses each IPsec policy in the group to protect certain data flows.
For each packet to be sent out an interface with an IPsec policy group applied, the system checks the IPsec policies in the group in ascending order of sequence number. The first IPsec policy whose ACL matches the packet is used to protect it. If no IPsec policy's ACL matches the packet, the packet is sent out unprotected.
Related commands: ipsec policy (system view).
Examples
# Apply IPsec policy group pg1 to interface Serial 2/2.
<Sysname> system-view
[Sysname] interface serial 2/2
[Sysname-Serial2/2] ipsec policy pg1
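The lookup order matters in two ways: a narrow policy with a low sequence number wins over a broad one, and any flow that no ACL in the group matches leaves the interface in the clear. The following script is an added example, not part of the command reference: it models that lookup for a constructed policy group and packet list so the fall-through to cleartext is visible. The ACL is simplified to a list of permit rules with source and destination prefixes and an IP protocol; the policy group, rules and packets are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    """Simplified ACL permit rule: source prefix, destination prefix, protocol."""
    src: str
    dst: str
    proto: str = "ip"  # "ip" matches any protocol

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("ip", pkt["proto"]))


@dataclass
class Policy:
    seq: int
    mode: str                                  # "isakmp" or "manual"
    acl: list = field(default_factory=list)    # permit rules only

    def permits(self, pkt):
        return any(r.matches(pkt) for r in self.acl)


def select_policy(group, pkt):
    """Return the matching policy with the lowest sequence number, or None."""
    for policy in sorted(group, key=lambda p: p.seq):
        if policy.permits(pkt):
            return policy
    return None


def classify(group, packets):
    """Map each packet to 'seq N' or 'CLEARTEXT' so unprotected flows stand out."""
    results = []
    for pkt in packets:
        policy = select_policy(group, pkt)
        results.append(f"seq {policy.seq}" if policy else "CLEARTEXT")
    return results


# Constructed policy group pg1: a narrow manual policy for one UDP host pair
# with the lower sequence number, then a broader IKE policy for the subnets.
GROUP_PG1 = [
    Policy(seq=10, mode="isakmp", acl=[Rule("10.1.1.0/24", "10.2.2.0/24")]),
    Policy(seq=5, mode="manual", acl=[Rule("10.1.1.5/32", "10.2.2.7/32", "udp")]),
]

# Constructed packets leaving the interface.
PACKETS = [
    {"src": "10.1.1.5", "dst": "10.2.2.7", "proto": "udp"},   # seq 5 matches first
    {"src": "10.1.1.5", "dst": "10.2.2.7", "proto": "tcp"},   # seq 5 is UDP-only, so seq 10
    {"src": "10.1.1.9", "dst": "10.2.2.1", "proto": "tcp"},   # seq 10
    {"src": "10.1.1.9", "dst": "192.0.2.1", "proto": "tcp"},  # no ACL matches: sent in the clear
]

if __name__ == "__main__":
    for pkt, verdict in zip(PACKETS, classify(GROUP_PG1, PACKETS)):
        print(f"{pkt['src']} -> {pkt['dst']} {pkt['proto']}: {verdict}")
```

When adding a policy to an existing group, run the intended traffic through a model like this before applying it: a seq number that sorts after an existing broad policy will never be reached for flows the broad ACL already covers, and traffic expected to be encrypted but not covered by any ACL is not dropped, it is forwarded unprotected.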
ipsec policy (system view)
Syntax
ipsec policy policy-name seq-number [ isakmp | manual ]
undo ipsec policy policy-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range 1 to 65535.
isakmp: Sets up SAs through IKE negotiation.
manual: Sets up SAs manually.
Description
Use ipsec policy to create an IPsec policy and enter its view.
Use undo ipsec policy to delete the specified IPsec policies.
By default, no IPsec policy exists.
When creating an IPsec policy, you must specify the generation mode.
You cannot change the generation mode of an existing IPsec policy; you can only delete the policy and then re-create it with the new mode.
IPsec policies with the same name constitute an IPsec policy group. An IPsec policy is identified uniquely by its name and sequence number. In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
The undo ipsec policy command without the seq-number argument deletes an IPsec policy group.
Related commands: ipsec policy (interface view) and display ipsec policy.
Examples
# Create an IPsec policy with the name policy1 and sequence number 100, and specify to set up SAs through IKE negotiation.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100]
# Create an IPsec policy with the name policy1 and specify the manual mode for it.
<Sysname> system-view
[Sysname] ipsec policy policy1 101 manual
[Sysname-ipsec-policy-manual-policy1-101]
ipsec policy isakmp template
Syntax
ipsec policy policy-name seq-number isakmp template template-name
undo ipsec policy policy-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
policy-name: Name for the IPsec policy, a case-insensitive string of 1 to 15 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy, in the range of 1 to 65535.
isakmp template template-name: Name of the IPsec policy template to be referenced.
Description
Use ipsec policy isakmp template to create an IPsec policy by referencing an existing IPsec policy template, so that IKE can use the IPsec policy for SA negotiation.
Use undo ipsec policy with the seq-number argument to delete an IPsec policy.
Use undo ipsec policy without the seq-number argument to delete an IPsec policy group.
In an IPsec policy group, an IPsec policy with a smaller sequence number has a higher priority.
After you create an IPsec policy by referencing an IPsec policy template, to modify the configuration for the IPsec policy, you must enter the IPsec policy template view instead of the IPsec policy view.
You cannot change the negotiation mode of an IPsec policy. To do so, you must delete the IPsec policy and then re-create it.
Related commands: ipsec policy (system view) and ipsec policy-template.
Examples
# Create an IPsec policy with the name policy2 and sequence number 200 by referencing IPsec policy template temp1.
<Sysname> system-view
[Sysname] ipsec policy policy2 200 isakmp template temp1
ipsec policy-template
Syntax
ipsec policy-template template-name seq-number
undo ipsec policy-template template-name [ seq-number ]
View
System view
Default level
2: System level
Parameters
template-name: Name for the IPsec policy template, a case-insensitive string of 1 to 41 characters. No minus sign (-) can be included.
seq-number: Sequence number for the IPsec policy template, in the range 1 to 65535.
Description
Use ipsec policy-template to create an IPsec policy template and enter the IPsec policy template view.
Use undo ipsec policy-template to delete the specified IPsec policy templates.
By default, no IPsec policy template exists.
Using the undo command without the seq-number argument deletes an IPsec policy template group.
In an IPsec policy template group, an IPsec policy template with a smaller sequence number has a higher priority.
Related commands: display ipsec policy template.
Examples
# Create an IPsec policy template with the name template1 and the sequence number 100.
<Sysname> system-view
[Sysname] ipsec policy-template template1 100
[Sysname-ipsec-policy-template-template1-100]
ipsec proposal
Syntax
ipsec proposal proposal-name
undo ipsec proposal proposal-name
View
System view
Default level
2: System level
Parameters
proposal-name: Name of an IPsec proposal, a case-insensitive string of 1 to 32 characters.
Description
Use ipsec proposal to create an IPsec proposal and enter IPsec proposal view.
Use undo ipsec proposal to delete an IPsec proposal.
By default, no IPsec proposal exists.
An IPsec proposal created by using the ipsec proposal command takes the security protocol of ESP, the encryption algorithm of DES, and the authentication algorithm of MD5 by default.
Related commands: display ipsec proposal.
Examples
# Create an IPsec proposal named newprop1 and enter its view.
<Sysname> system-view
[Sysname] ipsec proposal newprop1
ipsec sa global-duration
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
View
System view
Default level
2: System level
Parameters
seconds: Time-based global SA lifetime in seconds, in the range 180 to 604800.
kilobytes: Traffic-based global SA lifetime in kilobytes, in the range 2560 to 4294967295.
Description
Use ipsec sa global-duration to configure the global SA lifetime.
Use undo ipsec sa global-duration to restore the default.
By default, the time-based global SA lifetime is 3600 seconds, and the traffic-based global SA lifetime is 1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime of the IPsec policy or IPsec profile that it uses. If the IPsec policy is not configured with its own lifetime, IKE uses the global SA lifetime.
When negotiating to set up an SA, IKE prefers the shorter one of the local lifetime and that proposed by the remote.
You can configure both a time-based and a traffic-based global SA lifetime. An SA is aged out when it has existed for the specified time period or has processed the specified volume of traffic.
The SA lifetime applies to only IKE negotiated SAs; it is not effective for manually configured SAs.
Related commands: sa duration and display ipsec sa duration.
Examples
# Set the time-based global SA lifetime to 7200 seconds (2 hours).
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Set the traffic-based global SA lifetime to 10240 kilobytes (10 Mbytes).
[Sysname] ipsec sa global-duration traffic-based 10240
ipsec synchronization enable
NOTE: Support for this command depends on the device model. For whether your AC supports this command, see the command matrixes in About the WX series Access Controllers Command References.
Syntax
ipsec synchronization enable
undo ipsec synchronization enable
View
System view
Default level
2: System level
Description
Use ipsec synchronization enable to enable IPsec stateful failover.
Use undo ipsec synchronization enable to disable IPsec stateful failover.
By default, IPsec stateful failover is enabled.
You enable IPsec stateful failover typically on two redundant gateways in active/standby mode to ensure instant IPsec tunnel failover for nonstop services.
Disabling IPsec stateful failover will delete all active or standby IPsec SAs and IKE SA.
Examples
# Enable IPsec stateful failover.
<Sysname> system-view
[Sysname] ipsec synchronization enable
pfs
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }
undo pfs
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
Description
Use pfs to enable and configure the perfect forward secrecy (PFS) feature so that the system uses the feature when employing the IPsec policy or IPsec profile to initiate a negotiation.
Use undo pfs to remove the configuration.
By default, the PFS feature is not used for negotiation.
In terms of security and necessary calculation time, the following four groups are in the descending order: 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2) and 768-bit Diffie-Hellman group (dh-group1).
This command allows IPsec to perform an additional key exchange process during the negotiation phase 2, providing an additional level of security.
The local Diffie-Hellman group must be the same as that of the peer.
This command can be used only when the SAs are to be set up through IKE negotiation.
Related commands: ipsec policy-template, ipsec policy (system view), and ipsec profile (system view).
Examples
# Enable and configure PFS for IPsec policy policy1.
<Sysname> system-view
[Sysname] ipsec policy policy1 200 isakmp
[Sysname-ipsec-policy-isakmp-policy1-200] pfs dh-group1
policy enable
Syntax
policy enable
undo policy enable
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Description
Use policy enable to enable the IPsec policy.
Use undo policy enable to disable the IPsec policy.
By default, the IPsec policy is enabled.
The command is not applicable to manual IPsec policies.
If the IPsec policy is not enabled for the IKE peer, the peer cannot take part in the IKE negotiation.
Related commands: ipsec policy (system view) and ipsec policy-template.
Examples
# Enable the IPsec policy with the name policy1 and sequence number 100.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] policy enable
proposal (IPsec policy view/IPsec policy template view/IPsec profile view)
Syntax
proposal proposal-name&<1-6>
undo proposal [ proposal-name ]
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
proposal-name&<1-6>: Name of the IPsec proposal, a string of 1 to 32 characters. &<1-6> means that you can specify up to six proposals, which are separated by space.
Description
Use proposal to specify an IPsec proposal for the IPsec policy or IPsec profile to reference.
Use undo proposal to remove an IPsec proposal referenced by the IPsec policy or IPsec profile.
By default, an IPsec policy or IPsec profile references no IPsec proposal.
The specified IPsec proposals must already exist.
A manual IPsec policy can reference only one IPsec proposal. To replace a referenced IPsec proposal, use the undo proposal command to remove the original proposal binding and then use the proposal command to reconfigure one.
An IKE negotiated IPsec policy can reference up to six IPsec proposals. The IKE negotiation process will search for and use the exactly matched proposal.
An IPsec profile can reference up to six IPsec proposals. The IKE negotiation process will search for and use the exactly matched proposal.
Related commands: ipsec proposal, ipsec policy (system view) and ipsec profile (system view).
Examples
# Configure IPsec policy policy1 to reference IPsec proposal prop1.
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] proposal prop1
# Configure IPsec profile profile1 to reference IPsec proposal prop2.
<Sysname> system-view
[Sysname] ipsec proposal prop2
[Sysname-ipsec-proposal-prop2] quit
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] proposal prop2
reset ipsec sa
Syntax
reset ipsec sa [ active | parameters dest-address protocol spi | policy policy-name [ seq-number ] | remote ip-address | standby ]
View
User view
Default level
2: System level
Parameters
active: Specifies all active IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
parameters: Specifies IPsec SAs that use the specified destination address, security protocol, and SPI.
dest-address: Destination address, in dotted decimal notation.
protocol: Security protocol, which can be keyword ah or esp, case insensitive.
spi: Security parameter index, in the range 256 to 4294967295.
policy: Specifies IPsec SAs that use an IPsec policy or IPsec profile.
policy-name: Name of the IPsec policy or IPsec profile, a case-sensitive string of 1 to 15 alphanumeric characters.
seq-number: Sequence number of the IPsec policy, in the range 1 to 65535. If no seq-number is specified, all the policies in the IPsec policy group named policy-name are specified.
remote: Specifies SAs to or from a remote address, in dotted decimal notation.
standby: Specifies all standby IPsec SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
Description
Use reset ipsec sa to clear IPsec SAs.
If you do not specify any parameter, the command clears all IPsec SAs.
Immediately after a manually set up SA is cleared, the system automatically sets up a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system sets up new SAs only when IKE negotiation is triggered by interesting packets.
IPsec SAs appear in pairs. If you specify the parameters keyword to clear an IPsec SA, the IPsec SA in the other direction is also automatically cleared.
When you use this command in a stateful failover environment, note the following issues:
· If you specify neither active nor standby, the command clears both active and standby IPsec SAs.
· When you clear the active IPsec SAs on the active device, the active device automatically notifies the standby device to clear the standby IPsec SAs.
· When you clear the standby IPsec SAs on the standby device, the standby device re-synchronizes the IPsec service data with the active device to set up new standby IPsec SAs.
Related commands: display ipsec sa.
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the IPsec SA with a remote IP address of 10.1.1.2.
<Sysname> reset ipsec sa remote 10.1.1.2
# Clear all IPsec SAs of IPsec policy group policy1.
<Sysname> reset ipsec sa policy policy1
# Clear the IPsec SA of the IPsec policy with the name of policy1 and sequence number of 10.
<Sysname> reset ipsec sa policy policy1 10
# Clear the IPsec SA with a remote IP address of 10.1.1.2, security protocol of AH, and SPI of 10000.
<Sysname> reset ipsec sa parameters 10.1.1.2 ah 10000
# Clear all IPsec SAs of IPsec profile policy1.
<Sysname> reset ipsec sa policy policy1
# Clear active IPsec SAs on an IPsec stateful failover device.
<Sysname> reset ipsec sa active
reset ipsec statistics
Syntax
reset ipsec statistics
View
User view
Default level
2: System level
Description
Use reset ipsec statistics to clear IPsec packet statistics.
Related commands: display ipsec statistics.
Examples
# Clear IPsec packet statistics.
<Sysname> reset ipsec statistics
sa authentication-hex
Syntax
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
undo sa authentication-hex { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
hex-key: Specifies the hexadecimal key string. This argument is a 16-byte (32 hexadecimal digit) string for MD5 and a 20-byte (40 hexadecimal digit) string for SHA1.
Description
Use sa authentication-hex to configure an authentication key for an SA.
Use undo sa authentication-hex to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The authentication key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the authentication key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.
Related commands: ipsec policy (system view).
Examples
# Configure the authentication keys of the inbound and outbound SAs that use AH as 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00
sa duration
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
seconds: Time-based SA lifetime in seconds, in the range 180 to 604800.
kilobytes: Traffic-based SA lifetime in kilobytes, in the range 2560 to 4294967295.
Description
Use sa duration to set an SA lifetime for the IPsec policy or IPsec profile.
Use undo sa duration to restore the default.
By default, the SA lifetime of an IPsec policy or an IPsec profile equals the current global SA lifetime. The time-based global SA lifetime is 3600 seconds, and traffic-based SA lifetime is 1843200 kilobytes.
When negotiating to set up an SA, IKE prefers the lifetime settings of the IPsec policy or IPsec profile that it uses. If the IPsec policy or IPsec profile is not configured with its own lifetime settings, IKE uses the global SA lifetime settings, which are configured with the ipsec sa global-duration command.
When negotiating to set up an SA, IKE prefers the shorter ones of the local lifetime settings and those proposed by the remote.
The SA lifetime applies to only IKE negotiated SAs. It is not effective for manually configured SAs.
Related commands: ipsec sa global-duration, ipsec policy (system view), and ipsec profile (system view).
Examples
# Set the SA lifetime for IPsec policy policy1 to 7200 seconds (two hours).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200
# Set the SA lifetime for IPsec policy policy1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec policy policy1 100 isakmp
[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480
# Set the SA lifetime for IPsec profile profile1 to 7200 seconds (two hours).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration time-based 7200
# Set the SA lifetime for IPsec profile profile1 to 20480 kilobytes (20 Mbytes).
<Sysname> system-view
[Sysname] ipsec profile profile1
[Sysname-ipsec-profile-profile1] sa duration traffic-based 20480
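The following is an added illustration, not part of the command reference and not device code, covering the lifetime rules stated under both ipsec sa global-duration and sa duration: a policy or profile lifetime overrides the global one, IKE keeps the shorter of the local value and the remote proposal in each dimension, an SA is aged out when either the time or the traffic budget is exhausted, and manual SAs ignore lifetimes. The defaults and ranges are the ones the commands document; the remote proposals are constructed.

```python
"""Added example (not part of the command reference): derives the
effective lifetime of an IKE-negotiated IPsec SA. Per-policy/per-profile
'sa duration' values override 'ipsec sa global-duration'; for each
dimension IKE keeps the shorter of the local value and the remote
proposal; the SA is aged out when either budget is exhausted; manual SAs
ignore lifetimes. Defaults and ranges are the documented ones, the
remote proposals are constructed."""

GLOBAL_TIME_S = 3600          # ipsec sa global-duration time-based default
GLOBAL_TRAFFIC_KB = 1843200   # ipsec sa global-duration traffic-based default
TIME_RANGE = (180, 604800)    # seconds
TRAFFIC_RANGE = (2560, 4294967295)  # kilobytes


def _check(value, lo, hi, what):
    if not lo <= value <= hi:
        raise ValueError(f"{what} {value} outside {lo}..{hi}")
    return value


def local_lifetime(policy_time=None, policy_traffic=None,
                   global_time=GLOBAL_TIME_S, global_traffic=GLOBAL_TRAFFIC_KB):
    """Lifetime the local side brings to negotiation: the policy/profile
    value where configured, else the global one. Ranges match the CLI."""
    t = policy_time if policy_time is not None else global_time
    k = policy_traffic if policy_traffic is not None else global_traffic
    return (_check(t, *TIME_RANGE, what="time-based lifetime"),
            _check(k, *TRAFFIC_RANGE, what="traffic-based lifetime"))


def negotiated_lifetime(local, remote):
    """IKE takes the shorter value in each dimension (time, traffic)."""
    return (min(local[0], remote[0]), min(local[1], remote[1]))


def sa_expired(lifetime, age_s, processed_kb, mode="isakmp"):
    """True when an IKE-negotiated SA has hit either budget. Manual SAs
    never age out on lifetime; they change only on reset or reconfig."""
    if mode == "manual":
        return False
    time_limit, traffic_limit = lifetime
    return age_s >= time_limit or processed_kb >= traffic_limit


if __name__ == "__main__":
    # Policy sets only a 7200 s time-based lifetime; traffic falls back to global.
    local = local_lifetime(policy_time=7200)
    # Constructed remote proposal: 3600 s and a 20480 KB budget.
    sa = negotiated_lifetime(local, (3600, 20480))
    print(sa)
    print(sa_expired(sa, age_s=1800, processed_kb=20480))  # traffic exhausted first
```

Note the asymmetry that matters operationally: configuring a long lifetime locally does not guarantee it, because the remote's shorter proposal wins, while a short local lifetime is always honoured. A peer that wants more frequent rekeying can therefore enforce it unilaterally.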
sa encryption-hex
Syntax
sa encryption-hex { inbound | outbound } esp hex-key
undo sa encryption-hex { inbound | outbound } esp
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
esp: Uses ESP.
hex-key: Encryption key for the SA, in hexadecimal format. The length of the key must be 8 bytes for DES-CBC, 16 bytes for AES128-CBC, 24 bytes for 3DES-CBC and AES192-CBC, and 32 bytes for AES256-CBC.
Description
Use sa encryption-hex to configure an encryption key for an SA.
Use undo sa encryption-hex to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set the parameters of both the inbound and outbound SAs.
The encryption key for the inbound SA at the local end must be the same as that for the outbound SA at the remote end, and the encryption key for the outbound SA at the local end must be the same as that for the inbound SA at the remote end.
At each end of an IPsec tunnel, the keys for the inbound and outbound SAs must be in the same format (both in hexadecimal format or both in string format), and the keys must be specified in the same format for both ends of the tunnel.
Related commands: ipsec policy (system view).
Examples
# Configure the encryption keys for the inbound and outbound SAs that use ESP as 0x1234567890abcdef and 0xabcdefabcdef1234.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex inbound esp 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa encryption-hex outbound esp abcdefabcdef1234
sa spi
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
spi-number: Security parameters index (SPI) in the SA triplet, in the range 256 to 4294967295.
Description
Use sa spi to configure an SPI for an SA.
Use undo sa spi to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must configure parameters for both inbound and outbound SAs. For an ACL-based manual IPsec policy, specify different SPIs for different SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
Related commands: ipsec policy (system view).
Examples
# Set the SPI for the inbound SA to 10000 and that for the outbound SA to 20000 in a manual IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
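The following is an added illustration, not part of the command reference and not device code. It checks the constraints that the sa authentication-hex, sa encryption-hex and sa spi commands place on the two ends of a manual tunnel before anything is typed in: hex key length per algorithm, SPI range, both inbound and outbound SAs present, and the local inbound SA carrying the same SPI and keys as the remote outbound SA (and vice versa). The algorithm names used as dictionary keys, the key material and the SPIs are constructed.

```python
"""Added example (not from the command reference): a pre-flight
consistency check for a manual IPsec tunnel, encoding what the
sa authentication-hex, sa encryption-hex and sa spi commands require.
Algorithm names used as keys here, plus all keys and SPIs, are made up."""

AUTH_KEY_BYTES = {"md5": 16, "sha1": 20}
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes-cbc-128": 16,
                 "aes-cbc-192": 24, "aes-cbc-256": 32}
SPI_RANGE = (256, 4294967295)


def check_hex_key(hex_key, expected_bytes, what):
    """Reject non-hex or odd-length strings and wrong sizes; return bytes."""
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        raise ValueError(f"{what}: not a hex string")
    if len(raw) != expected_bytes:
        raise ValueError(f"{what}: {len(raw)} bytes, need {expected_bytes}")
    return raw


def check_sa(sa, auth_alg, enc_alg=None):
    """sa = {'spi': int, 'auth_hex': str, 'enc_hex': str or absent}."""
    lo, hi = SPI_RANGE
    if not lo <= sa["spi"] <= hi:
        raise ValueError(f"spi {sa['spi']} outside {lo}..{hi}")
    check_hex_key(sa["auth_hex"], AUTH_KEY_BYTES[auth_alg], "auth key")
    if enc_alg is not None:
        check_hex_key(sa.get("enc_hex", ""), ENC_KEY_BYTES[enc_alg], "enc key")


def tunnel_consistent(local, remote, auth_alg, enc_alg=None):
    """local/remote = {'inbound': sa, 'outbound': sa}. Returns a list of
    problems; an empty list means the two manual policies would agree."""
    problems = []
    for end_name, end in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            if direction not in end:
                problems.append(f"{end_name} {direction} SA missing")
                continue
            try:
                check_sa(end[direction], auth_alg, enc_alg)
            except ValueError as e:
                problems.append(f"{end_name} {direction}: {e}")
    if problems:
        return problems
    # Cross-end symmetry: local inbound == remote outbound and vice versa.
    for a, b in (("inbound", "outbound"), ("outbound", "inbound")):
        for fld in ("spi", "auth_hex", "enc_hex"):
            if local[a].get(fld) != remote[b].get(fld):
                problems.append(f"local {a} {fld} != remote {b} {fld}")
    return problems


# Constructed ESP / SHA1 / AES-128 pair: local inbound mirrors remote outbound.
KEY_A = "00112233445566778899aabbccddeeff00112233"  # 20 bytes for SHA1
KEY_B = "ffeeddccbbaa99887766554433221100ffeeddcc"
ENC_A = "0123456789abcdef0123456789abcdef"          # 16 bytes for AES-128
ENC_B = "fedcba9876543210fedcba9876543210"
LOCAL = {"inbound": {"spi": 10000, "auth_hex": KEY_A, "enc_hex": ENC_A},
         "outbound": {"spi": 20000, "auth_hex": KEY_B, "enc_hex": ENC_B}}
REMOTE = {"inbound": {"spi": 20000, "auth_hex": KEY_B, "enc_hex": ENC_B},
          "outbound": {"spi": 10000, "auth_hex": KEY_A, "enc_hex": ENC_A}}


def demo_good():
    return tunnel_consistent(LOCAL, REMOTE, "sha1", "aes-cbc-128")


def demo_swapped_spi():
    """Remote operator copied the SPIs without swapping direction."""
    bad = {"inbound": dict(REMOTE["inbound"], spi=10000),
           "outbound": dict(REMOTE["outbound"], spi=20000)}
    return tunnel_consistent(LOCAL, bad, "sha1", "aes-cbc-128")


if __name__ == "__main__":
    print(demo_good())
    print(demo_swapped_spi())
```

The swapped-SPI case is the classic manual-keying mistake: each end is internally valid, so the CLI accepts both configurations, and the failure only shows up as silently discarded packets on the wire.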
sa string-key
Syntax
sa string-key { inbound | outbound } { ah | esp } string-key
undo sa string-key { inbound | outbound } { ah | esp }
View
IPsec policy view
Default level
2: System level
Parameters
inbound: Specifies the inbound SA through which IPsec processes the received packets.
outbound: Specifies the outbound SA through which IPsec processes the packets to be sent.
ah: Uses AH.
esp: Uses ESP.
string-key: Specifies the key string for the SA, consisting of 1 to 255 characters. For different algorithms, enter a string at any length in the specified range and the system automatically generates a key meeting the algorithm requirements. When the protocol is ESP, the system generates the keys for the authentication algorithm and the encryption algorithm, respectively.
Description
Use sa string-key to set a key string for an SA.
Use undo sa string-key to remove the configuration.
This command applies to only manual IPsec policies.
When configuring a manual IPsec policy, you must set parameters for both inbound and outbound SAs.
The local inbound SA must use the same SPI and keys as the remote outbound SA. The same is true of the local outbound SA and remote inbound SA.
Enter keys in the same format for the local and remote inbound and outbound SAs. For example, if the local inbound SA uses a key in characters, the local outbound SA and remote inbound and outbound SAs must use keys in characters.
Related commands: ipsec policy (system view).
Examples
# Configure the inbound and outbound SAs that use AH to use keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah efcdab
security acl
Syntax
security acl acl-number [ aggregation | per-host ]
undo security acl
View
IPsec policy view, IPsec policy template view
Default level
2: System level
Parameters
acl-number: Number of the ACL for the IPsec policy to reference, in the range 3000 to 3999.
aggregation: Uses the data flow protection mode of aggregation. If you do not specify this keyword, the standard mode is used. This keyword is not available for IPv6.
per-host: Uses the data flow protection mode of per-host. If you do not specify this keyword, the standard mode is used. This keyword is not available for IPv6.
Description
Use security acl to specify the ACL for the IPsec policy to reference.
Use undo security acl to remove the configuration.
By default, an IPsec policy references no ACL.
With an IKE-dependent IPsec policy configured, data flows can be protected in the following modes:
· Standard mode—One tunnel protects one data flow. The data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
· Aggregation mode—One tunnel protects all data flows permitted by all the rules of an ACL.
· Per-host mode—One tunnel protects one host-to-host data flow. Each ACL rule matches a host-to-host data flow, and the data flow permitted by each ACL rule is protected by one tunnel that is established separately for it.
When your device works with an old-version device, use the aggregation mode on both devices.
An IPsec policy references only one ACL. If you specify more than one ACL for an IPsec policy, the IPsec policy references the one last specified.
The per-host mode can be configured only in the view of an IKE negotiated IPsec policy.
To use the per-host mode in a wired network, you only need to specify an ACL in per-host mode in the IPsec policy of the IPsec initiator, and you do not need to specify the per-host keyword in the IPsec policy of the responder.
In a wireless network where an IPsec tunnel is required between an AC and an AP, if the IPsec policy that the AC assigns to the APs references a per-host mode ACL, multiple APs can simultaneously initiate an SA negotiation with the AC, and the AC can establish different IPsec SAs with the APs at different IP addresses.
Related commands: ipsec policy (system view).
Examples
# Configure IPsec policy policy1 to reference ACL 3001.
<Sysname> system-view
[Sysname] acl number 3001
[Sysname-acl-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3001] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] security acl 3001
# Configure IPsec policy policy2 to reference ACL 3002, setting the data flow protection mode to aggregation.
<Sysname> system-view
[Sysname] acl number 3002
[Sysname-acl-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255
[Sysname-acl-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255
[Sysname-acl-adv-3002] quit
[Sysname] ipsec policy policy2 1 isakmp
[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation
# Configure IPsec policy policy1 to reference ACL 3003, setting the data flow protection mode to per-host.
<Sysname> system-view
[Sysname] acl number 3003
[Sysname-acl-adv-3003] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Sysname-acl-adv-3003] quit
[Sysname] ipsec policy policy1 10 isakmp
[Sysname-ipsec-policy-isakmp-policy1-10] security acl 3003 per-host
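The following is an added illustration, not part of the command reference and not device code: given an ACL and a set of observed flows, it computes which tunnel each flow maps to under the standard, aggregation and per-host protection modes described above, so counting distinct keys gives the number of SA pairs each mode would negotiate. The ACL rules and flows are constructed.

```python
"""Added example (not from the command reference): how the three
data-flow protection modes of 'security acl' group traffic into tunnels.
Standard: one tunnel per ACL rule. Aggregation: one tunnel for the whole
ACL. Per-host: one tunnel per (source host, destination host) pair within
a rule. tunnel_key returns the key a flow maps to; distinct keys over a
set of flows give the tunnel count. ACL rules and flows are constructed."""
import ipaddress


def _wild_match(addr, base, wildcard):
    """CLI-style wildcard compare: a wildcard bit of 1 means don't care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def matching_rule(acl, flow):
    """Index of the first permit rule matching (src, dst), or None."""
    for i, (src, sw, dst, dw) in enumerate(acl):
        if _wild_match(flow[0], src, sw) and _wild_match(flow[1], dst, dw):
            return i
    return None


def tunnel_key(acl_number, acl, mode, flow):
    """Hashable key of the tunnel that protects flow, or None when the ACL
    does not permit it (the packet is then sent unprotected)."""
    idx = matching_rule(acl, flow)
    if idx is None:
        return None
    if mode == "aggregation":
        return (acl_number,)
    if mode == "standard":
        return (acl_number, idx)
    if mode == "per-host":
        return (acl_number, idx, flow[0], flow[1])
    raise ValueError(f"unknown mode {mode}")


def tunnels_needed(acl_number, acl, mode, flows):
    """Number of distinct tunnels the flows would trigger in this mode."""
    keys = {tunnel_key(acl_number, acl, mode, f) for f in flows}
    keys.discard(None)
    return len(keys)


# Constructed ACL 3003: two /24-to-/24 permit rules.
ACL_3003 = [
    ("10.1.1.0", "0.0.0.255", "10.1.2.0", "0.0.0.255"),
    ("10.1.3.0", "0.0.0.255", "10.1.4.0", "0.0.0.255"),
]
# Constructed flows: three host pairs under rule 0, one under rule 1,
# and one that no rule permits.
FLOWS = [("10.1.1.1", "10.1.2.10"), ("10.1.1.2", "10.1.2.10"),
         ("10.1.1.1", "10.1.2.11"), ("10.1.3.7", "10.1.4.7"),
         ("192.0.2.1", "10.1.2.10")]

if __name__ == "__main__":
    for mode in ("standard", "aggregation", "per-host"):
        print(mode, tunnels_needed(3003, ACL_3003, mode, FLOWS))
```

The counts make the trade-off concrete: aggregation keeps the SA table smallest and is what an older peer expects, standard isolates each rule's traffic under its own keys, and per-host scales with the number of talking host pairs, which is why it is the mode that lets many APs at different addresses each negotiate their own SA with the AC.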
synchronization anti-replay-interval (IPsec policy view/IPsec policy template view/IPsec profile view)
NOTE: Support for the command depends on the device model. For whether your AC supports this command, see the command matrixes in About the WX series Access Controllers Command References.
Syntax
synchronization anti-replay-interval inbound inbound-number outbound outbound-number
undo synchronization anti-replay-interval
View
IPsec policy view, IPsec policy template view, IPsec profile view
Default level
2: System level
Parameters
inbound-number: Interval at which the device, when functioning as the active device, synchronizes the inbound anti-replay window to the standby device. It is expressed in the number of received packets and ranges from 0 to 1000. If you set the argument to 0, inbound anti-replay window synchronization is disabled.
outbound-number: Interval at which the device, when functioning as the active device, synchronizes the outbound anti-replay sequence number to the standby device. It is expressed in the number of sent packets and ranges from 1000 to 100000.
Description
Use synchronization anti-replay-interval to set the inbound anti-replay window synchronization interval and the outbound anti-replay sequence number synchronization interval.
Use undo synchronization anti-replay-interval to restore the defaults.
By default, the inbound anti-replay window synchronization interval is 1000, and the outbound anti-replay sequence number synchronization interval is 100000.
In an IPsec stateful failover scenario, the active device regularly synchronizes anti-replay information to the standby device. When the active device fails, the standby device continues to provide the anti-replay service based on the synchronized anti-replay information.
A short interval improves the anti-replay information consistency between the active device and the standby device, but also increases the anti-replay information synchronization frequency and the impact on the performance of the devices.
Related commands: display ipsec policy and display ipsec policy-template.
Examples
# Set the inbound anti-replay window synchronization interval to 800 and the outbound anti-replay sequence number synchronization interval to 50000.
<Sysname> system-view
[Sysname] ipsec policy test 10 isakmp
[Sysname-ipsec-policy-isakmp-test-10] synchronization anti-replay-interval inbound 800 outbound 50000
transform
Syntax
transform { ah | ah-esp | esp }
undo transform
View
IPsec proposal view
Default level
2: System level
Parameters
ah: Uses the AH protocol.
ah-esp: Uses ESP first and then AH.
esp: Uses the ESP protocol.
Description
Use transform to specify a security protocol for an IPsec proposal.
Use undo transform to restore the default.
By default, the ESP protocol is used.
The IPsec proposals at the two ends of an IPsec tunnel must use the same security protocol.
If the security protocol is ESP, the default encryption algorithm is DES and the default authentication algorithm is MD5.
If the security protocol is AH, the default authentication algorithm is MD5.
If you specify both the ESP and AH (by using the ah-esp keyword), by default, the authentication algorithm for AH is MD5, the encryption algorithm for ESP is DES, and no authentication algorithm is used for ESP.
Related commands: ipsec proposal.
Examples
# Configure IPsec proposal prop1 to use AH.
<Sysname> system-view
[Sysname] ipsec proposal prop1
[Sysname-ipsec-proposal-prop1] transform ah
tunnel local
Syntax
tunnel local ip-address
undo tunnel local
View
IPsec policy view
Default level
2: System level
Parameters
ip-address: Local address for the IPsec tunnel.
Description
Use tunnel local to configure the local address of an IPsec tunnel.
Use undo tunnel local to remove the configuration.
By default, no local address is configured for an IPsec tunnel.
This command applies to only manual IPsec policies.
The local address, if not configured, will be the address of the interface to which the IPsec policy is applied.
Related commands: ipsec policy (system view).
Examples
# Set the local address of the IPsec tunnel to the address of Loopback 0, 10.0.0.1.
<Sysname> system-view
[Sysname] interface loopback 0
[Sysname-LoopBack0] ip address 10.0.0.1 32
[Sysname-LoopBack0] quit
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] tunnel local 10.0.0.1
tunnel remote
Syntax
tunnel remote ip-address
undo tunnel remote [ ip-address ]
Default
No remote address is configured for the IPsec tunnel.
View
IPsec policy view
Default level
2: System level
Parameters
ip-address: Remote address for the IPsec tunnel.
Description
Use tunnel remote to configure the remote address of an IPsec tunnel.
Use undo tunnel remote to remove the configuration.
By default, no remote address is configured for the IPsec tunnel.
This command applies to only manual IPsec policies.
If you configure the remote address more than once, the last configuration takes effect.
An IPsec tunnel is established between the local and remote ends. The remote address configured at the local end must be the address that the remote end uses as its local address (the tunnel local setting on the remote end).
Related commands: ipsec policy (system view).
Examples
# Set the remote address of the IPsec tunnel to 10.1.1.2.
<Sysname> system-view
[Sysname] ipsec policy policy1 10 manual
[Sysname-ipsec-policy-policy1-10] tunnel remote 10.1.1.2
authentication-algorithm
Syntax
authentication-algorithm { md5 | sha }
undo authentication-algorithm
Default
An IKE proposal uses the SHA1 authentication algorithm.
View
IKE proposal view
Default level
2: System level
Parameters
md5: Uses HMAC-MD5.
sha: Uses HMAC-SHA1.
Description
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
By default, an IKE proposal uses the SHA1 authentication algorithm.
Related commands: ike proposal and display ike proposal.
Examples
# Set MD5 as the authentication algorithm for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] authentication-algorithm md5
authentication-method
Syntax
authentication-method { pre-share | rsa-signature }
undo authentication-method
Default
An IKE proposal uses the pre-shared key authentication method.
View
IKE proposal view
Default level
2: System level
Parameters
pre-share: Uses the pre-shared key method.
rsa-signature: Uses the RSA digital signature method.
Description
Use authentication-method to specify an authentication method for an IKE proposal.
Use undo authentication-method to restore the default.
By default, an IKE proposal uses the pre-shared key authentication method.
Related commands: ike proposal and display ike proposal.
Examples
# Specify that IKE proposal 10 uses the pre-shared key authentication method.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] authentication-method pre-share
certificate domain
Syntax
certificate domain domain-name
undo certificate domain
View
IKE peer view
Default level
2: System level
Parameters
domain-name: Name of the PKI domain, a string of 1 to 15 characters.
Description
Use certificate domain to configure the PKI domain of the certificate when IKE uses digital signature as the authentication mode.
Use undo certificate domain to remove the configuration.
Related commands: authentication-method and pki domain.
Examples
# Configure the PKI domain as abcde for IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] certificate domain abcde
dh
Syntax
dh { group1 | group2 | group5 | group14 }
undo dh
View
IKE proposal view
Default level
2: System level
Parameters
group1: Uses the 768-bit Diffie-Hellman group for key negotiation in phase 1.
group2: Uses the 1024-bit Diffie-Hellman group for key negotiation in phase 1.
group5: Uses the 1536-bit Diffie-Hellman group for key negotiation in phase 1.
group14: Uses the 2048-bit Diffie-Hellman group for key negotiation in phase 1.
Description
Use dh to specify the DH group to be used in key negotiation phase 1 for an IKE proposal.
Use undo dh to restore the default.
By default, group1, the 768-bit Diffie-Hellman group, is used. The 768-bit and 1024-bit groups are too small for current security requirements; use group14 (2048-bit) whenever the peer supports it, and make sure both ends agree on the group.
Related commands: ike proposal and display ike proposal.
Examples
# Specify 768-bit Diffie-Hellman for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] dh group1
display ike dpd
Syntax
display ike dpd [ dpd-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
dpd-name: DPD name, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ike dpd to display information about Dead Peer Detection (DPD) detectors.
If you do not specify any parameters, the command displays information about all DPD detectors.
Related commands: ike dpd.
Examples
# Display information about all DPD detectors.
<Sysname> display ike dpd
---------------------------
IKE dpd: dpd1
references: 1
interval-time: 10
time_out: 5
---------------------------
Table 10 Command output
Field | Description |
---|---|
references | Number of IKE peers that use the DPD detector |
interval-time | DPD query triggering interval in seconds |
time_out | DPD packet retransmission interval in seconds |
display ike peer
Syntax
display ike peer [ peer-name ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
peer-name: Name of the IKE peer, a string of 1 to 15 characters.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ike peer to display information about IKE peers.
If you do not specify any parameters, the command displays information about all IKE peers.
Related commands: ike peer.
Examples
# Display information about all IKE peers.
<Sysname> display ike peer
---------------------------
IKE Peer: rtb4tunn
exchange mode: main on phase 1
pre-shared-key simple 123
peer id type: ip
peer ip address: 44.44.44.55
local ip address:
peer name:
nat traversal: disable
dpd: dpd1
---------------------------
Table 11 Command output
Field | Description |
---|---|
exchange mode | IKE negotiation mode in phase 1 |
pre-shared-key | Pre-shared key used in phase 1 |
peer id type | ID type used in phase 1 |
peer ip address | IP address of the remote security gateway |
local ip address | IP address of the local security gateway |
peer name | Name of the remote security gateway |
nat traversal | Whether NAT traversal is enabled |
dpd | Name of the peer DPD detector |
display ike proposal
Syntax
display ike proposal [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ike proposal to view the settings of all IKE proposals.
This command displays the configuration information of all IKE proposals in the descending order of proposal priorities.
Related commands: authentication-method, ike proposal, encryption-algorithm, authentication-algorithm, dh, and sa duration.
Examples
# Display the settings of all IKE proposals.
<Sysname> display ike proposal
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
 10       PRE_SHARED     SHA            DES_CBC    MODP_1024      5000
 11       PRE_SHARED     MD5            DES_CBC    MODP_768       50000
 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
Table 12 Command output
Field | Description |
---|---|
priority | Priority of the IKE proposal |
authentication method | Authentication method used by the IKE proposal |
authentication algorithm | Authentication algorithm used by the IKE proposal |
encryption algorithm | Encryption algorithm used by the IKE proposal |
Diffie-Hellman group | DH group used in IKE negotiation phase 1 |
duration (seconds) | ISAKMP SA lifetime of the IKE proposal in seconds |
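The display ike proposal output above is what an auditor reads to decide whether a gateway still offers DES, MD5 or 768-bit DH. The following script, added here as an example and not part of the command reference or of any vendor software, parses that output (the page's own sample is embedded as a constant) and flags each proposal that falls below a policy threshold. The thresholds themselves are assumptions of this example, not a device setting.

```python
"""Audit `display ike proposal` output for weak IKE phase 1 settings.

Added example, not vendor code. SAMPLE_OUTPUT is the page's own example
output; WEAK_* and MIN_MODP_BITS are this example's assumed policy.
"""
import re

# Sample output copied from the `display ike proposal` example above.
SAMPLE_OUTPUT = """\
priority authentication authentication encryption Diffie-Hellman duration
         method         algorithm      algorithm  group          (seconds)
--------------------------------------------------------------------------
 10       PRE_SHARED     SHA            DES_CBC    MODP_1024      5000
 11       PRE_SHARED     MD5            DES_CBC    MODP_768       50000
 default  PRE_SHARED     SHA            DES_CBC    MODP_768       86400
"""

# Assumed policy (not from the page): DES and MD5 are deprecated, and
# MODP groups smaller than 2048 bits are too weak.
WEAK_ENCRYPTION = {"DES_CBC"}
WEAK_AUTH_ALG = {"MD5"}
MIN_MODP_BITS = 2048

# One data row of the table: priority is a number or the word "default".
ROW_RE = re.compile(
    r"^\s*(?P<priority>\d+|default)\s+(?P<auth_method>\S+)\s+(?P<auth_alg>\S+)"
    r"\s+(?P<enc_alg>\S+)\s+(?P<dh_group>MODP_\d+)\s+(?P<duration>\d+)\s*$"
)


def parse_proposals(output):
    """Return the proposal rows as dicts, in display order (highest priority first)."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        row = m.groupdict()
        row["duration"] = int(row["duration"])
        row["modp_bits"] = int(row["dh_group"].split("_")[1])
        rows.append(row)
    return rows


def find_weak(rows):
    """Map each proposal's priority to the list of weaknesses found in it."""
    findings = {}
    for row in rows:
        problems = []
        if row["enc_alg"] in WEAK_ENCRYPTION:
            problems.append("encryption " + row["enc_alg"])
        if row["auth_alg"] in WEAK_AUTH_ALG:
            problems.append("authentication " + row["auth_alg"])
        if row["modp_bits"] < MIN_MODP_BITS:
            problems.append("DH group %s (< %d bits)" % (row["dh_group"], MIN_MODP_BITS))
        if problems:
            findings[row["priority"]] = problems
    return findings


if __name__ == "__main__":
    for prio, problems in find_weak(parse_proposals(SAMPLE_OUTPUT)).items():
        print("proposal %s: %s" % (prio, "; ".join(problems)))
```

Because the default proposal is always present and always offered last, it shows up in the findings even when every numbered proposal is strong; a responder will still accept it from a peer that offers nothing better.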
display ike sa
Syntax
display ike sa [ active | standby | verbose [ connection-id connection-id | remote-address remote-address ] ] [ | { begin | exclude | include } regular-expression ]
View
Any view
Default level
1: Monitor level
Parameters
active: Displays the summary of active IKE SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
standby: Displays the summary of standby IKE SAs in an IPsec stateful failover scenario. Support for this keyword depends on the device model. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID, in the range 1 to 2000000000.
remote-address remote-address: Displays detailed information about IKE SAs with a specified remote address.
|: Filters command output by specifying a regular expression. For more information about regular expressions, see Fundamentals Configuration Guide.
begin: Displays the first line that matches the specified regular expression and all lines that follow.
exclude: Displays all lines that do not match the specified regular expression.
include: Displays all lines that match the specified regular expression.
regular-expression: Specifies a regular expression, a case-sensitive string of 1 to 256 characters.
Description
Use display ike sa to display information about the current IKE SAs.
If you do not specify any parameters or keywords, the command displays brief information about the current IKE SAs.
Related commands: ike proposal and ike peer.
Examples
# Display brief information about the current IKE SAs.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Display brief information about IKE SAs in an IPsec stateful failover scenario.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi status
--------------------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC ACTIVE
2 202.38.0.2 RD|ST 2 IPSEC ACTIVE
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
Table 13 Command output
Field | Description |
---|---|
total phase-1 SAs | Total number of SAs for phase 1. |
connection-id | Identifier of the ISAKMP SA. |
peer | Remote IP address of the SA. |
flag | Status of the SA. RD (READY): the SA has been established. ST (STAYALIVE): this end is the initiator of the tunnel negotiation. RL (REPLACED): the tunnel has been replaced by a new one and will be deleted later. FD (FADING): the soft lifetime is over but the tunnel is still in use; it will be deleted when the hard lifetime is over. TO (TIMEOUT): the SA has received no keepalive packets since the last keepalive timeout; if none arrive before the next keepalive timeout, the SA will be deleted. |
phase | The phase the SA belongs to. Phase 1 establishes the ISAKMP SA. Phase 2 negotiates the security service; IPsec SAs are established in this phase. |
doi | Interpretation domain the SA belongs to. |
status | Stateful failover status of the SA, active or standby. This field appears only in an IPsec stateful failover scenario. |
# Display detailed information about the current IKE SAs.
<Sysname> display ike sa verbose
---------------------------------------------
connection id: 2
vpn-instance:
transmitting entity: initiator
status: active
---------------------------------------------
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED
authentication-algorithm: SHA
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 86379
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the connection ID of 2.
<Sysname> display ike sa verbose connection-id 2
---------------------------------------------
connection id: 2
vpn-instance:
transmitting entity: initiator
status: active
---------------------------------------------
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED
authentication-algorithm: SHA
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82480
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
# Display detailed information about the IKE SA with the remote address of 4.4.4.5.
<Sysname> display ike sa verbose remote-address 4.4.4.5
---------------------------------------------
connection id: 2
vpn-instance:
transmitting entity: initiator
status: active
---------------------------------------------
local ip: 4.4.4.4
local id type: IPV4_ADDR
local id: 4.4.4.4
remote ip: 4.4.4.5
remote id type: IPV4_ADDR
remote id: 4.4.4.5
authentication-method: PRE-SHARED
authentication-algorithm: SHA
encryption-algorithm: DES-CBC
life duration(sec): 86400
remaining key duration(sec): 82236
exchange-mode: MAIN
diffie-hellman group: GROUP1
nat traversal: NO
Table 14 Command output
Field | Description |
---|---|
connection id | Identifier of the ISAKMP SA. |
vpn-instance | MPLS L3VPN that the protected data belongs to. The WX series access controllers do not support VPN. |
transmitting entity | Role of this end in the IKE negotiation (initiator or responder). |
status | Stateful failover status of the SA, active or standby. This field appears only in an IPsec stateful failover scenario. |
local ip | IP address of the local gateway. |
local id type | Identifier type of the local gateway. |
local id | Identifier of the local gateway. |
remote ip | IP address of the remote gateway. |
remote id type | Identifier type of the remote gateway. |
remote id | Identifier of the remote security gateway. |
authentication-method | Authentication method used by the IKE proposal. |
authentication-algorithm | Authentication algorithm used by the IKE proposal. |
encryption-algorithm | Encryption algorithm used by the IKE proposal. |
life duration(sec) | Lifetime of the ISAKMP SA in seconds. |
remaining key duration(sec) | Remaining lifetime of the ISAKMP SA in seconds. |
exchange-mode | IKE negotiation mode in phase 1. |
diffie-hellman group | DH group used for key negotiation in IKE phase 1. |
nat traversal | Whether NAT traversal is enabled. |
dpd
Syntax
dpd dpd-name
undo dpd
View
IKE peer view
Default level
2: System level
Parameters
dpd-name: DPD detector name, a string of 1 to 32 characters.
Description
Use dpd to apply a DPD detector to an IKE peer.
Use undo dpd to remove the application.
By default, no DPD detector is applied to an IKE peer.
Examples
# Apply dpd1 to IKE peer peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] dpd dpd1
encryption-algorithm
Syntax
encryption-algorithm { aes-cbc [ key-length ] | des-cbc }
undo encryption-algorithm
View
IKE proposal view
Default level
2: System level
Parameters
aes-cbc: Uses the AES algorithm in CBC mode as the encryption algorithm. The AES algorithm uses 128-bit, 192-bit, or 256-bit keys for encryption.
key-length: Key length for the AES algorithm, which can be 128, 192 or 256 bits and is defaulted to 128 bits.
des-cbc: Uses the DES algorithm in CBC mode as the encryption algorithm. The DES algorithm uses 56-bit keys for encryption.
Description
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
By default, an IKE proposal uses the 56-bit DES encryption algorithm in CBC mode. A 56-bit key is no longer adequate against brute force; configure aes-cbc (with a 128-bit or longer key) on both ends unless the peer cannot support it.
Related commands: ike proposal and display ike proposal.
Examples
# Use 56-bit DES in CBC mode as the encryption algorithm for IKE proposal 10.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] encryption-algorithm des-cbc
exchange-mode
Syntax
exchange-mode { aggressive | main }
undo exchange-mode
Default
Main mode is used.
View
IKE peer view
Default level
2: System level
Parameters
aggressive: Aggressive mode.
main: Main mode.
Description
Use exchange-mode to select an IKE negotiation mode.
Use undo exchange-mode to restore the default.
By default, main mode is used.
When the user (for example, a dial-up user) at the remote end of an IPsec tunnel obtains an IP address automatically and pre-shared key authentication is used, H3C recommends setting the IKE negotiation mode to aggressive at the local end.
Related commands: id-type.
Examples
# Specify that IKE negotiation operates in main mode.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] exchange-mode main
id-type
Syntax
id-type { ip | name | user-fqdn }
undo id-type
View
IKE peer view
Default level
2: System level
Parameters
ip: Uses an IP address as the ID during IKE negotiation.
name: Uses a name of the Fully Qualified Domain Name (FQDN) type as the ID during IKE negotiation.
user-fqdn: Uses a name of the user FQDN type as the ID during IKE negotiation.
Description
Use id-type to select the type of the ID for IKE negotiation.
Use undo id-type to restore the default.
By default, the ID type is IP address.
In main mode, only the IP address ID type can be used in IKE negotiation and SA creation (with pre-shared key authentication the responder must select the key by the peer's IP address before the encrypted ID payload can be read). In aggressive mode, any of the three ID types can be used.
If the ID type of FQDN is used, configure a name without an at sign (@) for the local security gateway, for example, foo.bar.com. If the ID type of user FQDN is used, configure a name that contains an at sign (@) for the local security gateway, in the form user@domain.
Related commands: local-name, ike local-name, remote-name, remote-address, local-address, and exchange-mode.
Examples
# Use the ID type of name during IKE negotiation.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] id-type name
ike dpd
Syntax
ike dpd dpd-name
undo ike dpd dpd-name
View
System view
Default level
2: System level
Parameters
dpd-name: Name for the dead peer detection (DPD) detector, a string of 1 to 32 characters.
Description
Use ike dpd to create a DPD detector and enter IKE DPD view.
Use undo ike dpd to remove a DPD detector.
Dead peer detection (DPD) detects dead IKE peers on demand rather than on a fixed schedule. It works as follows:
1. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer.
2. If that time interval exceeds the DPD interval, it sends a DPD hello to the peer.
3. If the local end receives no DPD acknowledgement within the DPD packet retransmission interval, it retransmits the DPD hello.
4. If the local end still receives no DPD acknowledgement after the maximum number of retransmission attempts (two by default), it considers the peer dead and clears the IKE SA and the IPsec SAs that were established through that IKE SA.
DPD lets an IKE entity check the liveness of its peer only when there is traffic to send, so it generates less traffic than the keepalive mechanism, which exchanges messages periodically whether or not the tunnel is in use.
Related commands: display ike dpd, interval-time, and time-out.
Examples
# Create a DPD detector named dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
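The four-step DPD procedure above determines how long a gateway keeps sending traffic into a tunnel whose peer has gone away. The following simulation, added here as an example and not taken from the command reference or from vendor software, models a detector with the page's default timers (interval-time 10 seconds, time-out 5 seconds, two retransmissions) and reports when a peer is declared dead. The timeline and the peer's response times are constructed inputs.

```python
"""Simulate the dead peer detection (DPD) procedure.

Added example, not vendor code. Defaults follow the page (interval-time 10,
time-out 5, two retransmissions); the event times fed in are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DpdDetector:
    interval: float = 10.0     # interval-time: seconds of peer silence that trigger a hello
    timeout: float = 5.0       # time-out: seconds to wait for an ack before retransmitting
    max_retransmits: int = 2   # retransmissions allowed before the peer is declared dead
    last_rx: float = 0.0       # time the last IPsec packet was received from the peer
    log: List[str] = field(default_factory=list)

    def ipsec_received(self, now: float) -> None:
        """Step 1 bookkeeping: remember when the peer was last heard from."""
        self.last_rx = now

    def ipsec_sent(self, now: float, ack_at: Optional[float]) -> Optional[float]:
        """Run steps 1-4 when the local end sends an IPsec packet at time `now`.

        `ack_at` is the constructed time at which the peer's DPD acknowledgement
        reaches the local end (None: the peer never answers). Returns the time the
        peer is declared dead, or None if no hello was needed or the peer answered.
        """
        silence = now - self.last_rx
        if silence <= self.interval:
            self.log.append("%.0fs: peer heard %.0fs ago, no DPD hello needed" % (now, silence))
            return None
        sent_at = now
        for attempt in range(self.max_retransmits + 1):
            deadline = sent_at + self.timeout
            self.log.append("%.0fs: DPD hello #%d sent" % (sent_at, attempt + 1))
            # Any ack that arrives before the current deadline keeps the peer alive.
            if ack_at is not None and ack_at <= deadline:
                self.log.append("%.0fs: DPD ack received, peer alive" % ack_at)
                self.last_rx = ack_at
                return None
            sent_at = deadline  # step 3: retransmit when the timeout expires
        self.log.append(
            "%.0fs: no ack after %d retransmissions, peer dead; "
            "clearing IKE SA and its IPsec SAs" % (sent_at, self.max_retransmits)
        )
        return sent_at  # step 4


if __name__ == "__main__":
    d = DpdDetector()
    d.ipsec_received(0)
    d.ipsec_sent(30, ack_at=None)
    print("\n".join(d.log))
```

With the defaults, a peer that stops answering is declared dead 15 seconds (three hellos, 5 seconds apart) after the first hello, and no hello is sent at all while the tunnel carries return traffic.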
ike local-name
Syntax
ike local-name name
undo ike local-name
View
System view
Default level
2: System level
Parameters
name: Name of the local security gateway for IKE negotiation, a case-sensitive string of 1 to 32 characters.
Description
Use ike local-name to configure a name for the local security gateway.
Use undo ike local-name to restore the default.
By default, the device name is used as the name of the local security gateway.
If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID when it initiates IKE negotiation, so you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If both the ike local-name command and the local-name command are configured, the name configured by the local-name command is used.
The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
Related commands: remote-name and id-type.
Examples
# Configure the local security gateway name as app.
<Sysname> system-view
[Sysname] ike local-name app
ike next-payload check disabled
Syntax
ike next-payload check disabled
undo ike next-payload check disabled
View
System view
Default level
2: System level
Description
Use ike next-payload check disabled to disable checking of the Next payload field in the last payload of an IKE message during IKE negotiation. This allows interoperation with products that set the field to a value other than zero; leave the check enabled unless such a peer requires it.
Use undo ike next-payload check disabled to restore the default.
By default, the Next payload field is checked.
Examples
# Disable Next payload field checking for the last payload of an IKE message.
<Sysname> system-view
[Sysname] ike next-payload check disabled
ike peer (system view)
Syntax
ike peer peer-name
undo ike peer peer-name
View
System view
Default level
2: System level
Parameters
peer-name: IKE peer name, a string of 1 to 32 characters.
Description
Use ike peer to create an IKE peer and enter IKE peer view.
Use undo ike peer to delete an IKE peer.
Examples
# Create an IKE peer named peer1 and enter IKE peer view.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1]
ike proposal
Syntax
ike proposal proposal-number
undo ike proposal proposal-number
View
System view
Default level
2: System level
Parameters
proposal-number: IKE proposal number, in the range 1 to 65535. The lower the number, the higher the priority of the IKE proposal. During IKE negotiation, a high priority IKE proposal is matched before a low priority IKE proposal.
Description
Use ike proposal to create an IKE proposal and enter IKE proposal view.
Use undo ike proposal to delete an IKE proposal.
The system provides a default IKE proposal, which has the lowest priority and uses these settings:
· Encryption algorithm DES-CBC
· Authentication algorithm HMAC-SHA1
· Authentication method Pre-shared key
· DH group MODP_768
· SA lifetime 86400 seconds
Related commands: display ike proposal.
Examples
# Create IKE proposal 10 and enter IKE proposal view.
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10]
ike sa keepalive-timer interval
Syntax
ike sa keepalive-timer interval seconds
undo ike sa keepalive-timer interval
View
System view
Default level
2: System level
Parameters
seconds: Transmission interval of ISAKMP SA keepalives in seconds, in the range 20 to 28,800.
Description
Use ike sa keepalive-timer interval to set the ISAKMP SA keepalive interval.
Use undo ike sa keepalive-timer interval to disable the ISAKMP SA keepalive transmission function.
By default, no keepalive packet is sent.
The keepalive interval configured at the local end must be shorter than the keepalive timeout configured at the remote end.
Related commands: ike sa keepalive-timer timeout.
Examples
# Set the keepalive interval to 200 seconds.
<Sysname> system-view
[Sysname] ike sa keepalive-timer interval 200
ike sa keepalive-timer timeout
Syntax
ike sa keepalive-timer timeout seconds
undo ike sa keepalive-timer timeout
View
System view
Default level
2: System level
Parameters
seconds: ISAKMP SA keepalive timeout in seconds, in the range 20 to 28,800.
Description
Use ike sa keepalive-timer timeout to set the ISAKMP SA keepalive timeout.
Use undo ike sa keepalive-timer timeout to disable the function.
By default, no keepalive packet is sent.
The keepalive timeout configured at the local end must be longer than the keepalive interval configured at the remote end. Because it is rare for more than three consecutive packets to be lost on a network, a keepalive timeout of three times the keepalive interval is a reasonable setting.
Related commands: ike sa keepalive-timer interval.
Examples
# Set the keepalive timeout to 20 seconds.
<Sysname> system-view
[Sysname] ike sa keepalive-timer timeout 20
ike sa nat-keepalive-timer interval
Syntax
ike sa nat-keepalive-timer interval seconds
undo ike sa nat-keepalive-timer interval
View
System view
Default level
2: System level
Parameters
seconds: NAT keepalive interval in seconds, in the range 5 to 300.
Description
Use ike sa nat-keepalive-timer interval to set the NAT keepalive interval.
Use undo ike sa nat-keepalive-timer interval to disable the function.
By default, the NAT keepalive interval is 20 seconds.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ike sa nat-keepalive-timer interval 5
interval-time
Syntax
interval-time interval-time
undo interval-time
View
IKE DPD view
Default level
2: System level
Parameters
interval-time: Sets DPD interval in seconds, in the range of 1 to 300 seconds. When the local end sends an IPsec packet, it checks the time the last IPsec packet was received from the peer. If the time interval exceeds the DPD interval, it sends a DPD hello to the peer.
Description
Use interval-time to set the DPD query triggering interval for a DPD detector.
Use undo interval-time to restore the default.
By default, the DPD interval is 10 seconds.
Examples
# Set the DPD interval to 1 second for dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] interval-time 1
local-address
Syntax
local-address ip-address
undo local-address
View
IKE peer view
Default level
2: System level
Parameters
ip-address: IP address of the local security gateway to be used in IKE negotiation.
Description
Use local-address to configure the IP address of the local security gateway in IKE negotiation.
Use undo local-address to remove the configuration.
By default, the primary address of the interface referencing the IPsec policy is used as the local security gateway IP address for IKE negotiation. Use this command if you want to specify a different address for the local security gateway.
Examples
# Set the IP address of the local security gateway to 1.1.1.1.
<Sysname> system-view
[Sysname] ike peer xhy
[Sysname-ike-peer-xhy] local-address 1.1.1.1
local-name
Syntax
local-name name
undo local-name
View
IKE peer view
Default level
2: System level
Parameters
name: Name for the local security gateway to be used in IKE negotiation, a case-sensitive string of 1 to 32 characters.
Description
Use local-name to configure a name for the local security gateway to be used in IKE negotiation.
Use undo local-name to restore the default.
By default, the device name is used as the name of the local security gateway.
If you configure the id-type name or id-type user-fqdn command on the initiator, the initiator uses its security gateway name as its ID when it initiates IKE negotiation, so you must configure the ike local-name command in system view or the local-name command in IKE peer view on the local device. If both the ike local-name command and the local-name command are configured, the name configured by the local-name command is used.
The IKE negotiation initiator sends its security gateway name as its ID to the peer, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
Related commands: remote-name and id-type.
Examples
# Set the name of the local security gateway to localgw in IKE peer view of peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] local-name localgw
pre-shared-key
Syntax
pre-shared-key [ cipher | simple ] key
undo pre-shared-key
View
IKE peer view
Default level
2: System level
Parameters
cipher: Sets a ciphertext pre-shared key.
simple: Sets a plaintext pre-shared key.
key: Specifies the key string. This argument is case sensitive. If cipher is specified, it must be a ciphertext string of 1 to 201 characters. If simple is specified, it must be a string of 1 to 128 characters. If neither cipher nor simple is specified, you set a plaintext key string.
Description
Use pre-shared-key to configure the pre-shared key to be used in IKE negotiation.
Use undo pre-shared-key to remove the configuration.
A key entered with the simple keyword, or with neither keyword, is stored and displayed in plaintext: the display ike peer output above shows it as pre-shared-key simple 123, readable by any user with monitor-level access. Use a long, random key that is unique to each peer, and treat configuration files and display output as sensitive.
Related commands: authentication-method.
Examples
# Set the pre-shared key used in IKE negotiation to string abcde.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] pre-shared-key abcde
proposal (IKE peer view)
Syntax
proposal proposal-number&<1-6>
undo proposal [ proposal-number ]
Default
An IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
View
IKE peer view
Default level
2: System level
Parameters
proposal-number&<1-6>: IKE proposal number, in the range 1 to 65535. &<1-6> means that you can specify up to six proposal numbers.
Description
Use proposal to specify the IKE proposals for the IKE peer to reference.
Use undo proposal to remove one or all IKE proposals referenced by the IKE peer.
By default, an IKE peer references no IKE proposals and, when initiating IKE negotiation, it uses the IKE proposals configured in system view.
In IKE negotiation phase 1, the initiator uses the IKE proposals referenced by the IKE peer, if any; otherwise it uses all IKE proposals configured in system view.
An IKE peer can reference up to six IKE proposals.
The responder always uses the IKE proposals configured in system view for negotiation, regardless of what its IKE peer references.
Related commands: ike proposal and ike peer (system view).
Examples
# Configure IKE peer peer1 to reference IKE proposal 10.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] proposal 10
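The proposal selection rules spread over the ike proposal command (lower number means higher priority, the default proposal comes last) and the proposal command in IKE peer view (the initiator offers the referenced proposals, the responder always uses its system view) are easy to get wrong when two gateways are configured by different teams. The following model, added here as an example and not part of the command reference or of vendor software, puts both rules in code and negotiates between two constructed configurations. Matching on the four crypto attributes, taking the smaller lifetime, and offering referenced proposals in priority order are this example's assumptions about the negotiation.

```python
"""Model IKE phase 1 proposal selection between an initiator and a responder.

Added example, not vendor code. The two gateway configurations are constructed;
the match rule (identical auth method, auth algorithm, encryption algorithm and
DH group; lifetime = the smaller of the two) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkeProposal:
    number: Optional[int]   # 1 to 65535; None marks the system default proposal
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    duration: int           # ISAKMP SA lifetime in seconds

    def crypto(self) -> Tuple[str, str, str, str]:
        # The attributes that must be identical on both ends for a match.
        return (self.auth_method, self.auth_alg, self.enc_alg, self.dh_group)


# The default proposal as the page lists it: pre-shared key, HMAC-SHA1,
# DES-CBC, MODP_768 (group1), 86400 seconds. It has the lowest priority.
DEFAULT_PROPOSAL = IkeProposal(None, "pre-share", "sha", "des-cbc", "group1", 86400)


def by_priority(proposals: Sequence[IkeProposal]) -> List[IkeProposal]:
    """Order proposals as the device matches them: lowest number first, default last."""
    numbered = sorted((p for p in proposals if p.number is not None), key=lambda p: p.number)
    return numbered + [DEFAULT_PROPOSAL]


def initiator_offer(system_proposals: Sequence[IkeProposal], peer_refs: Sequence[int]) -> List[IkeProposal]:
    """Build the initiator's offer.

    With `proposal` configured in IKE peer view, only the referenced proposals
    (at most six) are offered; otherwise every system-view proposal is, with
    the default proposal last.
    """
    if not peer_refs:
        return by_priority(system_proposals)
    if len(peer_refs) > 6:
        raise ValueError("an IKE peer can reference at most six IKE proposals")
    wanted = set(peer_refs)
    return [p for p in by_priority(system_proposals) if p.number in wanted]


def negotiate(offer: Sequence[IkeProposal], responder_system: Sequence[IkeProposal]):
    """Responder side: walk its own system-view proposals from highest priority and
    accept the first whose crypto attributes match any offered proposal.
    Returns (chosen responder proposal, negotiated lifetime) or None."""
    offered = {p.crypto(): p for p in offer}
    for candidate in by_priority(responder_system):
        match = offered.get(candidate.crypto())
        if match is not None:
            return candidate, min(match.duration, candidate.duration)
    return None


# Constructed configurations for two gateways (not from the page).
INITIATOR_SYSTEM = [
    IkeProposal(10, "pre-share", "sha", "aes-cbc-128", "group14", 86400),
    IkeProposal(20, "pre-share", "md5", "des-cbc", "group1", 50000),
]
RESPONDER_SYSTEM = [
    IkeProposal(10, "pre-share", "sha", "aes-cbc-128", "group14", 5000),
    IkeProposal(11, "pre-share", "md5", "des-cbc", "group1", 50000),
]

if __name__ == "__main__":
    for refs in ([], [20]):
        result = negotiate(initiator_offer(INITIATOR_SYSTEM, refs), RESPONDER_SYSTEM)
        print("peer refs %s -> %s" % (refs, result))
```

Two things the model makes visible: referencing a single weak proposal in IKE peer view (refs [20]) silently downgrades an otherwise strong pair of gateways, and an initiator that offers nothing acceptable still lands on the default proposal, which both ends always carry.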
remote-address
Syntax
remote-address { hostname [ dynamic ] | low-ip-address [ high-ip-address ] }
undo remote-address
View
IKE peer view
Default level
2: System level
Parameters
hostname: Host name of the IPsec remote security gateway, a case-insensitive string of 1 to 255 characters. The host name uniquely identifies the remote IPsec peer and can be resolved to an IP address by the DNS server.
dynamic: Specifies to use dynamic address resolution for the IPsec remote peer name. If you do not provide this keyword, the local end has the remote host name resolved only once after you configure the remote host name.
low-ip-address: IP address of the IPsec remote security gateway. It is the lowest address in the address range if you want to specify a range of addresses.
high-ip-address: Highest address in the address range if you want to specify a range of addresses.
Description
Use remote-address to configure the IP address of the IPsec remote security gateway.
Use undo remote-address to remove the configuration.
The IP address configured with the remote-address command must match the local security gateway IP address that the remote security gateway uses for IKE negotiation, which is the IP address configured with the local-address command or, if the local-address command is not configured, the primary IP address of the interface to which the policy is applied.
The local end can initiate IKE negotiation only if the remote address is a single host IP address or a host name. If the remote address is an address range, the local end can only respond to negotiations from peers whose addresses fall in that range.
If the IP address of the remote gateway changes frequently, configure its host name with the dynamic keyword so that the local end resolves the name again and uses the up-to-date remote IP address to initiate IKE negotiation.
Related commands: id-type ip and local-address.
Examples
# Configure the IP address of the remote security gateway as 10.0.0.1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] remote-address 10.0.0.1
# Configure the host name of the remote gateway as test.com, and specify the local end to dynamically update the remote IP address.
<Sysname> system-view
[Sysname] ike peer peer2
[Sysname-ike-peer-peer2] remote-address test.com dynamic
remote-name
Syntax
remote-name name
undo remote-name
View
IKE peer view
Default level
2: System level
Parameters
name: Name of the peer security gateway for IKE negotiation, a string of 1 to 32 characters.
Description
Use remote-name to configure the name of the remote gateway.
Use undo remote-name to remove the configuration.
If you configure the id-type name or id-type user-fqdn command on the initiator, the IKE negotiation initiator sends its security gateway name as its ID for IKE negotiation, and the peer uses the security gateway name configured with the remote-name command to authenticate the initiator. Make sure the local gateway name matches the remote gateway name configured on the peer.
Related commands: id-type, local-name, and ike local-name.
Examples
# Configure the remote security gateway name as apple for IKE peer peer1.
<Sysname> system-view
[Sysname] ike peer peer1
[Sysname-ike-peer-peer1] remote-name apple
reset ike sa
Syntax
reset ike sa [ connection-id | active | standby ]
View
User view
Default level
2: System level
Parameters
connection-id: Connection ID of the IKE SA to be cleared, in the range 1 to 2000000000.
active: Clears all active IKE SAs in an IPsec stateful failover scenario. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
standby: Clears all standby IKE SAs in an IPsec stateful failover scenario. For whether your AC supports this keyword, see the command matrixes in About the WX series Access Controllers Command References.
Description
Use reset ike sa to clear IKE SAs.
If you do not specify any parameter, the command clears all IKE SAs.
If you specify only a connection ID, the command clears all IKE SAs with the specified connection ID, including the active and standby IKE SAs.
When you clear the active IKE SAs on the active device, the active device automatically notifies the standby device to clear the standby IKE SAs.
When you clear the standby IKE SAs on the standby device, the standby device re-synchronizes the IKE SA data with the active device to set up new standby IKE SAs.
When you clear a local IPsec SA, its IKE SA can transmit the Delete message to notify the remote end to delete the paired IPsec SA. If the IKE SA has been cleared, the local end cannot notify the remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.
Related commands: display ike sa.
Examples
# Clear the IKE SA that uses connection ID 2.
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
2 202.38.0.2 RD|ST 2 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Sysname> reset ike sa 2
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi
----------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
# Clear all active IKE SAs.
<Sysname> display ike sa
total phase-1 SAs: 2
connection-id peer flag phase doi status
----------------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC ACTIVE
1 201.31.0.9 RD|ST 1 IPSEC STANDBY
2 202.38.0.2 RD|ST 2 IPSEC ACTIVE
2 201.31.0.9 RD|ST 2 IPSEC STANDBY
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
<Sysname> reset ike sa active
<Sysname> display ike sa
total phase-1 SAs: 1
connection-id peer flag phase doi status
----------------------------------------------------------------
1 201.31.0.9 RD|ST 1 IPSEC STANDBY
2 201.31.0.9 RD|ST 2 IPSEC STANDBY
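As an added example that is not part of the command reference, the following Python code parses display ike sa output in both forms shown above (with and without the failover status column) and models which SAs each form of reset ike sa clears, following the rules in the Description. The sample output is constructed from the reference's example, and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of "display ike sa" output in the stateful-failover form,
# modelled on the example output in this reference.
SAMPLE_OUTPUT = """\
total phase-1 SAs: 2
connection-id peer flag phase doi status
----------------------------------------------------------------
1 202.38.0.2 RD|ST 1 IPSEC ACTIVE
1 201.31.0.9 RD|ST 1 IPSEC STANDBY
2 202.38.0.2 RD|ST 2 IPSEC ACTIVE
2 201.31.0.9 RD|ST 2 IPSEC STANDBY
flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
"""

@dataclass(frozen=True)
class IkeSa:
    connection_id: int
    peer: str
    flags: frozenset          # e.g. {"RD", "ST"}; RD means the SA is ready
    phase: int
    doi: str
    status: Optional[str]     # "ACTIVE"/"STANDBY" in failover mode, else None

# One table row: id, peer, flags, phase, doi and an optional status column.
ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)(?:\s+(ACTIVE|STANDBY))?$")

def parse_ike_sa(output: str) -> List[IkeSa]:
    """Return the SA rows of 'display ike sa'; header and legend lines are skipped."""
    sas = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            cid, peer, flags, phase, doi, status = m.groups()
            sas.append(IkeSa(int(cid), peer, frozenset(flags.split("|")),
                             int(phase), doi, status))
    return sas

def simulate_reset(sas: List[IkeSa], connection_id: Optional[int] = None,
                   role: Optional[str] = None) -> List[IkeSa]:
    """SAs left after 'reset ike sa [ connection-id | active | standby ]'.
    No argument clears all SAs; a connection ID clears both the active and the
    standby SA with that ID; active/standby clears every SA in that role."""
    if connection_id is None and role is None:
        return []
    if connection_id is not None:
        return [sa for sa in sas if sa.connection_id != connection_id]
    return [sa for sa in sas if sa.status != role.upper()]

def not_ready(sas: List[IkeSa]) -> List[int]:
    """Connection IDs of SAs whose flags lack RD (READY), e.g. TO--TIMEOUT entries."""
    return sorted({sa.connection_id for sa in sas if "RD" not in sa.flags})
```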
sa duration
Syntax
sa duration seconds
undo sa duration
View
IKE proposal view
Default level
2: System level
Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range 60 to 604800.
Description
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
By default, the ISAKMP SA lifetime is 86400 seconds.
Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up, and the old one will be cleared automatically when it expires.
Related commands: ike proposal and display ike proposal.
Examples
# Specify the ISAKMP SA lifetime for IKE proposal 10 as 600 seconds (10 minutes).
<Sysname> system-view
[Sysname] ike proposal 10
[Sysname-ike-proposal-10] sa duration 600
time-out
Syntax
time-out time-out
undo time-out
View
IKE DPD view
Default level
2: System level
Parameters
time-out: DPD packet retransmission interval in seconds, in the range 1 to 60.
Description
Use time-out to set the DPD packet retransmission interval for a DPD detector.
Use undo time-out to restore the default.
The default DPD packet retransmission interval is 5 seconds.
Examples
# Set the DPD packet retransmission interval to 1 second for dpd2.
<Sysname> system-view
[Sysname] ike dpd dpd2
[Sysname-ike-dpd-dpd2] time-out 1