12-Security Command Reference
IPsec commands
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
Syntax
ah authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 } *
undo ah authentication-algorithm
Default
AH does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
Usage guidelines
You can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
Examples
# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure a description for an IPsec profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for an IPsec profile.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 80 characters.
Examples
# Configure the description for IPsec profile profile1 as CenterToA.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] description CenterToA
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
<Sysname> display ipsec profile
-----------------------------------------------
IPsec profile: profile
Mode: manual
-----------------------------------------------
Transform set: prop1
Inbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Inbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex-key: ******
ESP authentication hex-key: ******
Outbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Outbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
Table 1 Command output
Field | Description |
---|---|
IPsec profile | IPsec profile name. |
Mode | Negotiation mode used by the IPsec profile. |
Description | Description of the IPsec profile. |
Transform set | IPsec transform set used by the IPsec profile. |
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all IPsec SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------
GE3/1/1 10.1.1.1 400 ESP Active
GE3/1/1 255.255.255.255 4294967295 ESP Active
GE3/1/1 100::1/64 500 AH Active
Global -- 600 ESP Active
Table 2 Command output
Field | Description |
---|---|
Interface/Global | Interface to which the IPsec SA belongs, or global IPsec SA (created by using an IPsec profile). |
Dst Address | Remote end IP address of the IPsec tunnel. For the IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
SPI | IPsec SA SPI. |
Protocol | Security protocol used by IPsec. |
Status | Status of the IPsec SA: Active or Standby. In standalone mode, this field always displays Active. |
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
Related commands
reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Usage guidelines
If you do not specify any parameters, this command displays statistics for all IPsec packets.
Examples
# Display statistics for all IPsec packets.
<Sysname> display ipsec statistics
IPsec packet statistics:
Received/sent packets: 47/64
Received/sent bytes: 3948/5208
Dropped packets (received/sent): 0/45
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 45
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
# Display statistics for the packets of IPsec tunnel 1.
<Sysname> display ipsec statistics tunnel-id 1
IPsec packet statistics:
Received/sent packets: 5124/8231
Received/sent bytes: 52348/64356
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
Table 3 Command output
Field | Description |
---|---|
Received/sent packets | Number of received/sent IPsec-protected packets. |
Received/sent bytes | Number of bytes of received/sent IPsec-protected packets. |
Dropped packets (received/sent) | Number of dropped IPsec-protected packets (received/sent). |
No available SA | Number of packets dropped due to lack of available IPsec SA. |
Wrong SA | Number of packets dropped due to wrong IPsec SA. |
Invalid length | Number of packets dropped due to invalid packet length. |
Authentication failure | Number of packets dropped due to authentication failure. |
Encapsulation failure | Number of packets dropped due to encapsulation failure. |
Decapsulation failure | Number of packets dropped due to decapsulation failure. |
Replayed packets | Number of dropped replayed packets. |
ACL check failure | Number of packets dropped due to ACL check failure. |
MTU check failure | Number of packets dropped due to MTU check failure. |
Loopback limit exceeded | Number of packets dropped because the loopback limit was exceeded. |
Crypto speed limit exceeded | Number of packets dropped because the crypto speed limit was exceeded. |
Related commands
reset ipsec statistics
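As an added example that is not part of this reference, the following Python parses `display ipsec statistics` output in the shape shown above, separates drop reasons that point at a peer or integrity problem from policy and capacity drops, checks that the per-reason counters add up to the reported drop total, and diffs two snapshots because the counters are cumulative until `reset ipsec statistics`. The sample text and the grouping of reasons are this example's own assumptions.

```python
import re
from typing import Dict, Tuple

# Constructed sample in the shape of the `display ipsec statistics` output shown
# in this reference; the counter values are made up, not captured from a device.
SAMPLE_STATS = """\
IPsec packet statistics:
  Received/sent packets: 47/64
  Received/sent bytes: 3948/5208
  Dropped packets (received/sent): 15/45
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 3
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 12
    ACL check failure: 45
    MTU check failure: 0
    Loopback limit exceeded: 0
    Crypto speed limit exceeded: 0
"""

# "name: rx/tx" lines are totals; "name: n" lines are per-reason drop counters.
PAIR_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<rx>\d+)/(?P<tx>\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<val>\d+)\s*$")

# Drop reasons that indicate a peer mismatch, corrupted traffic or a replay
# rather than local policy (ACL, MTU, rate limits). This grouping is ours.
SECURITY_REASONS = frozenset({"No available SA", "Wrong SA", "Invalid length",
                              "Authentication failure", "Decapsulation failure",
                              "Replayed packets"})


def parse_ipsec_statistics(text: str) -> Dict[str, Dict]:
    """Split the output into totals (rx, tx) and per-reason drop counters."""
    totals: Dict[str, Tuple[int, int]] = {}
    drops: Dict[str, int] = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            totals[m["name"]] = (int(m["rx"]), int(m["tx"]))
            continue
        m = COUNTER_RE.match(line)
        if m:
            drops[m["name"]] = int(m["val"])
    return {"totals": totals, "drops": drops}


def classify_drops(stats: Dict[str, Dict]) -> Dict[str, Dict[str, int]]:
    """Non-zero drop counters, split into security-relevant and policy/capacity."""
    security = {k: v for k, v in stats["drops"].items() if v and k in SECURITY_REASONS}
    policy = {k: v for k, v in stats["drops"].items() if v and k not in SECURITY_REASONS}
    return {"security": security, "policy": policy}


def drops_reconcile(stats: Dict[str, Dict]) -> bool:
    """The per-reason counters should add up to the received+sent drop total."""
    rx, tx = stats["totals"]["Dropped packets (received/sent)"]
    return sum(stats["drops"].values()) == rx + tx


def drop_increase(before: Dict[str, Dict], after: Dict[str, Dict]) -> Dict[str, int]:
    """Counters are cumulative until `reset ipsec statistics`, so a monitor
    compares two snapshots and reports only the reasons that grew."""
    return {k: after["drops"][k] - before["drops"].get(k, 0)
            for k in after["drops"] if after["drops"][k] > before["drops"].get(k, 0)}
```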
display ipsec transform-set
Use display ipsec transform-set to display information about IPsec transform sets.
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform set: mytransform
State: incomplete
Encapsulation mode: tunnel
ESN: Enabled
Transform: ESP
IPsec transform set: completeTransform
State: complete
Encapsulation mode: transport
ESN: Enabled
Transform: AH-ESP
AH protocol:
Integrity: SHA1
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
Table 4 Command output
Field | Description |
---|---|
IPsec transform set | Name of the IPsec transform set. |
State | Whether the IPsec transform set is complete. |
Encapsulation mode | Encapsulation mode used by the IPsec transform set: transport or tunnel. |
ESN | Whether Extended Sequence Number (ESN) is enabled. |
Transform | Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH. |
AH protocol | AH settings. |
ESP protocol | ESP settings. |
Integrity | Authentication algorithm used by the security protocol. |
Encryption | Encryption algorithm used by the security protocol. |
Related commands
ipsec transform-set
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.
Usage guidelines
IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status
----------------------------------------------------------------------------
0 -- -- 1000 2000 Active
3000 4000
1 1.2.3.1 2.2.2.2 5000 6000 Active
7000 8000
Table 5 Command output
Field | Description |
---|---|
Src Address | Source IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
Dst Address | Destination IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
Inbound SPI | Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines. |
Outbound SPI | Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines. |
Status | Status of the IPsec SA: Active or Standby. In standalone mode, this field always displays Active. |
# Display the number of IPsec tunnels.
<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display detailed information about all IPsec tunnels.
<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: Active
Inside vpn-instance:
SA's SPI:
outbound: 2000 (0x000007d0) [AH]
inbound: 1000 (0x000003e8) [AH]
outbound: 4000 (0x00000fa0) [ESP]
inbound: 3000 (0x00000bb8) [ESP]
Tunnel:
local address:
remote address:
Flow:
Tunnel ID: 1
Status: Active
Inside vpn-instance:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
# Display detailed information about IPsec tunnel 1.
<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: Active
Inside vpn-instance:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
as defined in ACL 3100
Table 6 Command output
Field | Description |
---|---|
Tunnel ID | IPsec ID, used to uniquely identify an IPsec tunnel. |
Status | IPsec tunnel status: Active or Standby. In standalone mode, this field always displays Active. |
Inside vpn-instance | VPN instance where the IPsec-protected data flows belong. |
SA's SPI | SPIs of the inbound and outbound SAs. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. |
as defined in ACL 3001 | Range of data flow protected by the IPsec tunnel that is established manually. This information shows that the IPsec tunnel protects all data flows defined by ACL 3001. |
encapsulation-mode
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
Default
IP packets are encapsulated in tunnel mode.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
· Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.
· Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.
The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.
Examples
# Configure IPsec transform set tran1 to use the transport mode for IP packet encapsulation.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport
Related commands
ipsec transform-set
esn enable
Use esn enable to enable the Extended Sequence Number (ESN) feature.
Use undo esn enable to disable the ESN feature.
Syntax
esn enable [ both ]
undo esn enable
Default
The ESN feature is disabled.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
both: Enables IPsec to support both extended and traditional sequence numbers. If you do not specify this keyword, IPsec supports only extended sequence numbers.
Usage guidelines
The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.
This feature must be enabled at both the initiator and the responder.
Examples
# Enable the ESN feature in IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esn enable
Related commands
display ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 } *
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
Usage guidelines
You can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
The first ESP authentication algorithm specified in an IPsec transform set takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.
Examples
# Configure IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to restore the default.
Syntax
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null } *
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.
null: Specifies the NULL algorithm, which means encryption is not performed.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.
The first ESP encryption algorithm specified in an IPsec transform set takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.
Examples
# Configure IPsec transform set tran1 to use the AES-CBC-128 algorithm as the ESP encryption algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
Related commands
ipsec transform-set
ipsec fragmentation
Use ipsec fragmentation to configure the IPsec fragmentation feature.
Use undo ipsec fragmentation to restore the default.
Syntax
ipsec fragmentation { after-encryption | before-encryption }
undo ipsec fragmentation
Default
The device fragments packets before IPsec encapsulation.
Views
System view
Predefined user roles
network-admin
Parameters
after-encryption: Fragments packets after IPsec encapsulation.
before-encryption: Fragments packets before IPsec encapsulation.
Usage guidelines
If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.
If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.
Examples
# Configure the device to fragment packets after IPsec encapsulation.
<Sysname> system-view
[Sysname] ipsec fragmentation after-encryption
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
Examples
# Enable logging for IPsec packets.
<Sysname> system-view
[Sysname] ipsec logging packet enable
ipsec profile
Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.
Use undo ipsec profile to delete an IPsec profile.
Syntax
ipsec profile profile-name manual
undo ipsec profile profile-name
Default
No IPsec profiles exist.
Views
System view
Predefined user roles
network-admin
Parameters
profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.
manual: Specifies the IPsec SA setup mode as manual.
Usage guidelines
A manual IPsec profile is used exclusively for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.
Examples
# Create a manual IPsec profile named profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1]
Related commands
display ipsec profile
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform sets exist.
Views
System view
Predefined user roles
network-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, authentication algorithms, and encapsulation mode.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1]
Related commands
display ipsec transform-set
protocol
Use protocol to specify a security protocol for an IPsec transform set.
Use undo protocol to restore the default.
Syntax
protocol { ah | ah-esp | esp }
undo protocol
Default
The IPsec transform set uses the ESP protocol.
Views
IPsec transform set view
Predefined user roles
network-admin
Parameters
ah: Specifies the AH protocol.
ah-esp: Specifies both protocols; ESP is applied first, and then AH.
esp: Specifies the ESP protocol.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
Parameters
profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.
remote: Clears IPsec SAs for the specified remote address.
ipv4-address: Specifies a remote IPv4 address.
ipv6 ipv6-address: Specifies a remote IPv6 address.
spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.
· ipv4-address: Specifies a remote IPv4 address.
· ipv6 ipv6-address: Specifies a remote IPv6 address.
· ah: Specifies the AH protocol.
· esp: Specifies the ESP protocol.
· spi-num: Specifies the security parameter index in the range of 256 to 4294967295.
Usage guidelines
If you do not specify any parameters, this command clears all IPsec SAs.
If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).
An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.
After a manual IPsec SA is cleared, the system automatically creates a new SA.
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 256, remote IP address 10.1.1.2, and security protocol AH.
<Sysname> reset ipsec sa spi 10.1.1.2 ah 256
# Clear all IPsec SAs for remote IP address 10.1.1.2.
<Sysname> reset ipsec sa remote 10.1.1.2
Related commands
display ipsec sa
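To make the triplet semantics in the usage guidelines above concrete, here is an added Python model (not from this reference) of an SA database in which an outbound SA is identified by the (remote address, security protocol, SPI) triplet and an inbound SA by its SPI alone, and clearing one SA removes every SA set up in the same negotiation. The SA table is constructed from the `display ipsec tunnel` example earlier on this page; the automatic re-creation of manual SAs is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IpsecSa:
    tunnel_id: int    # SAs set up in the same negotiation share a tunnel ID
    direction: str    # "inbound" or "outbound"
    protocol: str     # "ah" or "esp"
    remote: str       # remote end address; "--" for SAs created by IPsec profiles
    spi: int


# Constructed SA database modelled on the `display ipsec tunnel` example above:
# tunnel 0 comes from an IPsec profile, tunnel 1 peers with 2.2.2.2, both use AH+ESP.
SA_DB = [
    IpsecSa(0, "outbound", "ah", "--", 2000), IpsecSa(0, "inbound", "ah", "--", 1000),
    IpsecSa(0, "outbound", "esp", "--", 4000), IpsecSa(0, "inbound", "esp", "--", 3000),
    IpsecSa(1, "outbound", "ah", "2.2.2.2", 6000), IpsecSa(1, "inbound", "ah", "2.2.2.2", 5000),
    IpsecSa(1, "outbound", "esp", "2.2.2.2", 8000), IpsecSa(1, "inbound", "esp", "2.2.2.2", 7000),
]


def find_by_triplet(db: List[IpsecSa], remote: str, protocol: str, spi: int) -> Optional[IpsecSa]:
    """Locate the SA named by a (remote, protocol, SPI) triplet.

    An outbound SA is identified by the whole triplet (the remote address is not
    checked for profile-created SAs, where any valid address is accepted); an
    inbound SA is identified by its SPI alone, so remote and protocol are ignored.
    """
    for sa in db:
        if (sa.direction == "outbound" and sa.protocol == protocol and sa.spi == spi
                and (sa.remote == "--" or sa.remote == remote)):
            return sa
    for sa in db:
        if sa.direction == "inbound" and sa.spi == spi:
            return sa
    return None


def reset_sa_by_triplet(db: List[IpsecSa], remote: str, protocol: str, spi: int) -> List[IpsecSa]:
    """Model of `reset ipsec sa spi ...`: clear the matching SA together with every
    SA from the same negotiation (the other direction and the other protocol)."""
    hit = find_by_triplet(db, remote, protocol, spi)
    if hit is None:
        return list(db)
    return [sa for sa in db if sa.tunnel_id != hit.tunnel_id]


def reset_sa_by_remote(db: List[IpsecSa], remote: str) -> List[IpsecSa]:
    """Model of `reset ipsec sa remote ...`: clear all SAs with that remote address."""
    return [sa for sa in db if sa.remote != remote]
```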
reset ipsec statistics
Use reset ipsec statistics to clear IPsec packet statistics.
Syntax
reset ipsec statistics [ tunnel-id tunnel-id ]
Views
User view
Predefined user roles
network-admin
Parameters
tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics.
Examples
# Clear IPsec packet statistics.
<Sysname> reset ipsec statistics
Related commands
display ipsec statistics
sa hex-key authentication
Use sa hex-key authentication to configure an authentication key for a manual IPsec SA.
Use undo sa hex-key authentication to delete an authentication key for a manual IPsec SA.
Syntax
sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } string
undo sa hex-key authentication { inbound | outbound } { ah | esp }
Default
No hexadecimal authentication keys are configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal authentication key for the inbound SA.
outbound: Specifies a hexadecimal authentication key for the outbound SA.
ah: Uses AH.
esp: Uses ESP.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is case insensitive and must be a 16-byte hexadecimal string for HMAC-MD5, a 20-byte hexadecimal string for HMAC-SHA1, and a 32-byte hexadecimal string for HMAC-SM3. Its encrypted form is a case-sensitive string of 1 to 85 characters.
Usage guidelines
You must set an authentication key for both the inbound and outbound SAs.
The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
If you execute this command multiple times for the same protocol and direction, the most recent configuration takes effect.
Examples
# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-profile-manual-profile1] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
display ipsec sa
sa string-key
sa hex-key encryption
Use sa hex-key encryption to configure an encryption key for a manual IPsec SA.
Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
undo sa hex-key encryption { inbound | outbound } esp
Default
No hexadecimal encryption keys are configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies a hexadecimal encryption key for the inbound SA.
outbound: Specifies a hexadecimal encryption key for the outbound SA.
esp: Uses ESP.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.
The following matrix shows the key length for the algorithms:
Algorithm | Key length (bytes) |
---|---|
DES-CBC | 8 |
3DES-CBC | 24 |
AES128-CBC | 16 |
AES192-CBC | 24 |
AES256-CBC | 32 |
Usage guidelines
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
If you execute this command multiple times for the same direction, the most recent configuration takes effect.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-profile-manual-profile1] sa hex-key encryption outbound esp simple abcdefabcdef1234
Related commands
display ipsec sa
sa string-key
sa spi
Use sa spi to configure an SPI for IPsec SAs.
Use undo sa spi to remove the SPI.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.
Usage guidelines
You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: for an outbound SA, its triplet (remote IP address, security protocol, and SPI) must be unique; for an inbound SA, its SPI must be unique.
The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.
When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same SPI.
· The IPsec SAs on the devices in the same scope must have the same SPI. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP4+, the scope consists of BGP4+ peers or a BGP4+ peer group.
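The range, uniqueness and peer-matching rules for manual SPIs are easy to get wrong when several profiles are configured by hand. The following added example (not part of the command reference or the device software) checks a set of manual SAs against those rules, including the IPv6 routing protocol requirement that both directions share one SPI; the SA records and peer addresses are constructed sample input, and the outbound SA's remote address is assumed to be known from the profile it belongs to.

```python
SPI_MIN, SPI_MAX = 256, 4294967295          # spi-number range from the command syntax

def check_spis(sas, ipv6_routing=False):
    """sas: list of dicts {direction, protocol, spi, remote}. 'remote' is the
    peer address an outbound SA is sent to (None for a routing-protocol profile).
    Returns the range and uniqueness problems described in the usage guidelines."""
    problems, out_triplets, in_spis = [], set(), set()
    for sa in sas:
        spi = sa["spi"]
        if not SPI_MIN <= spi <= SPI_MAX:
            problems.append(f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
            continue
        if sa["direction"] == "outbound":
            triplet = (sa["remote"], sa["protocol"], spi)   # must be unique per outbound SA
            if triplet in out_triplets:
                problems.append(f"duplicate outbound triplet {triplet}")
            out_triplets.add(triplet)
        else:
            if spi in in_spis:                              # inbound SAs need a unique SPI
                problems.append(f"duplicate inbound SPI {spi}")
            in_spis.add(spi)
    if ipv6_routing:
        # For an IPv6 routing protocol profile, inbound and outbound must share the SPI.
        for proto in sorted({sa["protocol"] for sa in sas}):
            spis = {sa["spi"] for sa in sas if sa["protocol"] == proto}
            if len(spis) > 1:
                problems.append(f"{proto}: inbound and outbound SPIs differ {sorted(spis)}")
    return problems

def check_peer_spis(local, remote):
    """Local inbound SPI must equal remote outbound SPI per protocol, and vice versa."""
    def spi_of(sas, direction, proto):
        return {sa["spi"] for sa in sas
                if sa["direction"] == direction and sa["protocol"] == proto}
    problems = []
    for proto in ("ah", "esp"):
        for here, there in (("inbound", "outbound"), ("outbound", "inbound")):
            a, b = spi_of(local, here, proto), spi_of(remote, there, proto)
            if a and b and a != b:
                problems.append(f"{proto}: local {here} SPI {sorted(a)} != remote {there} SPI {sorted(b)}")
    return problems

# Constructed sample mirroring the page's example (AH, inbound 10000, outbound 20000)
# for a tunnel to a hypothetical peer; the IPv6-routing check then flags the mismatch.
LOCAL_SAS = [{"direction": "inbound",  "protocol": "ah", "spi": 10000, "remote": None},
             {"direction": "outbound", "protocol": "ah", "spi": 20000, "remote": "2001:db8::2"}]
REMOTE_SAS = [{"direction": "inbound",  "protocol": "ah", "spi": 20000, "remote": None},
              {"direction": "outbound", "protocol": "ah", "spi": 10000, "remote": "2001:db8::1"}]
```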
Examples
# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in an IPsec profile.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] sa spi inbound ah 10000
[Sysname-ipsec-profile-manual-profile1] sa spi outbound ah 20000
Related commands
display ipsec sa
sa string-key
Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.
Use undo sa string-key to remove the key string.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Specifies a key string in encrypted form.
simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.
string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.
Usage guidelines
You must set a key for both inbound and outbound SAs.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same key.
· The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the inbound and outbound SAs that use AH to use plaintext keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] sa string-key inbound ah simple abcdef
[Sysname-ipsec-profile-manual-profile1] sa string-key outbound ah simple efcdab
Related commands
display ipsec sa
sa hex-key
snmp-agent trap enable ipsec
Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.
Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
Default
All SNMP notifications for IPsec are disabled.
Views
System view
Predefined user roles
network-admin
Parameters
auth-failure: Specifies notifications about authentication failures.
decrypt-failure: Specifies notifications about decryption failures.
encrypt-failure: Specifies notifications about encryption failures.
global: Specifies notifications globally.
invalid-sa-failure: Specifies notifications about invalid-SA failures.
no-sa-failure: Specifies notifications about SA-not-found failures.
policy-add: Specifies notifications about events of adding IPsec policies.
policy-attach: Specifies notifications about events of applying IPsec policies to interfaces.
policy-delete: Specifies notifications about events of deleting IPsec policies.
policy-detach: Specifies notifications about events of removing IPsec policies from interfaces.
tunnel-start: Specifies notifications about events of creating IPsec tunnels.
tunnel-stop: Specifies notifications about events of deleting IPsec tunnels.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.
To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:
1. Enable SNMP notifications for IPsec globally.
2. Enable SNMP notifications for the failure type or event type.
Examples
# Enable SNMP notifications for IPsec globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for events of creating IPsec tunnels.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to specify an IPsec transform set for an IPsec profile.
Use undo transform-set to remove the IPsec transform set specified for an IPsec profile.
Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]
Default
No IPsec transform set is specified for an IPsec profile.
Views
IPsec profile view
Predefined user roles
network-admin
Parameters
transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify only one IPsec transform set for an IPsec profile. If you execute this command for an IPsec profile multiple times, the most recent configuration takes effect.
If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec profile.
Examples
# Specify IPsec transform set prop1 for an IPsec profile.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] quit
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1] transform-set prop1
Related commands
ipsec profile
ipsec transform-set