11-Security Command Reference


Group domain VPN commands

The device supports the FIPS mode that complies with NIST FIPS 140-2 requirements. Support for features, commands, and parameters might differ in FIPS mode and non-FIPS mode. For more information about FIPS mode, see Security Configuration Guide.

client anti-replay window

Use client anti-replay window to set the anti-replay window size for a GDOI GM group.

Use undo client anti-replay window to restore the default.

Syntax

client anti-replay window { sec seconds | msec milliseconds }

undo client anti-replay window

Default

The anti-replay window size is not set for a GDOI GM group.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

sec seconds: Specifies the anti-replay window size in seconds in the range of 1 to 100.

msec milliseconds: Specifies the anti-replay window size in milliseconds in the range of 100 to 10000.

Usage guidelines

The anti-replay window size set in this command takes precedence over the anti-replay window size obtained from the KS.

This command must be used together with the Cisco IP-D3P feature.
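The window configured here bounds a time-based anti-replay check: because every GM in a group shares the same TEK, the per-peer sequence-number window of point-to-point IPsec cannot be used, so each protected packet carries the sender's POSIX timestamp (the IP-D3P feature referenced above; display gdoi gm anti-replay reports the type as POSIX-TIME) and a receiver accepts it only if that timestamp lies within the window of its own clock. The Python below is an added illustrative model, not H3C code; the packet representation, the scenario values and the exact comparison it performs are this example's assumptions.

```python
"""Time-based anti-replay check for a GDOI group member (illustrative model, not H3C code).

Each protected packet carries the sender's POSIX timestamp; the receiver accepts the
packet only if that timestamp lies within the configured window of its own clock. The
packet representation and the comparison rule here are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AntiReplayWindow:
    """Window as set by `client anti-replay window { sec seconds | msec milliseconds }`."""
    seconds: float

    @classmethod
    def sec(cls, seconds: int) -> "AntiReplayWindow":
        if not 1 <= seconds <= 100:                 # range given by the command reference
            raise ValueError("sec must be in the range 1 to 100")
        return cls(float(seconds))

    @classmethod
    def msec(cls, milliseconds: int) -> "AntiReplayWindow":
        if not 100 <= milliseconds <= 10000:        # range given by the command reference
            raise ValueError("msec must be in the range 100 to 10000")
        return cls(milliseconds / 1000.0)


def effective_window(local: Optional[AntiReplayWindow],
                     from_ks: AntiReplayWindow) -> AntiReplayWindow:
    """The locally configured window takes precedence over the one obtained from the KS."""
    return local if local is not None else from_ks


def check_timestamp(pkt_time: float, recv_time: float,
                    window: AntiReplayWindow) -> Tuple[bool, str]:
    """Accept only if |recv_time - pkt_time| <= window. Both times are POSIX seconds."""
    skew = recv_time - pkt_time
    if skew > window.seconds:
        return False, f"stale by {skew:.3f} s (replayed or delayed packet)"
    if -skew > window.seconds:
        return False, f"{-skew:.3f} s from the future (sender clock ahead)"
    return True, "ok"


if __name__ == "__main__":
    # Constructed scenario: the KS distributes a 200 ms window and there is no local override.
    window = effective_window(None, AntiReplayWindow.msec(200))
    original = 1_700_000_000.000            # sender timestamp on the genuine packet
    print(check_timestamp(original, original + 0.050, window))  # (True, 'ok')
    print(check_timestamp(original, original + 0.900, window))  # replayed copy: rejected
    print(check_timestamp(original + 0.500, original, window))  # sender clock 500 ms ahead: rejected
```

The window is a trade-off: a wider window lengthens the period during which a captured packet would still be accepted, while a narrower one drops legitimate packets as soon as GM clocks drift by more than the window. A copy that arrives inside the window cannot be told apart by timestamp alone, which is why the window should be kept as small as the group's time synchronization allows.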

Examples

# Set the anti-replay window size to 50 seconds for GDOI GM group group1.

<Sysname> system-view

[Sysname] gdoi gm group group1

[Sysname-gdoi-gm-group-group1] client anti-replay window sec 50

Related commands

display gdoi gm anti-replay

client registration

Use client registration to specify a registration interface for a GM in a GDOI GM group. The GM uses the registration interface to send packets to the KS.

Use undo client registration to restore the default.

Syntax

client registration interface interface-type interface-number

undo client registration interface

Default

A GM uses the output interface of the route to the KS as the registration interface.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

interface interface-type interface-number: Specifies a registration interface by its type and number.

Usage guidelines

The default registration interface of a GM is the output interface of the route from the GM to the KS. That interface might also carry forwarded traffic, and heavy forwarding traffic on it can disrupt packet exchange between the GM and the KS. To avoid this, specify an interface that is not used for traffic forwarding as the registration interface.

A GM uses the primary IPv4 address of the registration interface as the source address to register with the KS.

For a successful GM registration, make sure the registration interface and a KS in the GDOI GM group belong to the same VRF.

Examples

# In GDOI GM group abc, specify GigabitEthernet 1/0 as the registration interface for the GM.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client registration interface gigabitethernet 1/0

Related commands

gdoi gm group

client rekey encryption

Use client rekey encryption to specify KEK encryption algorithms supported by a GM.

Use undo client rekey encryption to restore the default.

Syntax

In non-FIPS mode:

client rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } *

undo client rekey encryption

In FIPS mode:

client rekey encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *

undo client rekey encryption

Default

In non-FIPS mode:

A GM supports DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-192, and AES-CBC-256.

In FIPS mode:

A GM supports AES-CBC-128, AES-CBC-192, and AES-CBC-256.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode that uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode that uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode that uses a 256-bit key.

Usage guidelines

This command specifies the KEK encryption algorithms supported in registration and rekey processes.

·     During GM registration, a GM terminates the negotiation with the KS if the KEK encryption algorithm sent by the KS is not supported, and the registration fails.

·     During rekey, the GM discards rekey messages received from the KS if the KEK encryption algorithm sent by the KS is not supported.

Examples

# Specify the supported KEK encryption algorithm as AES-CBC-128 for GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client rekey encryption aes-cbc-128

Related commands

gdoi gm group

client transform-sets

Use client transform-sets to specify IPsec transform sets supported by a GM.

Use undo client transform-sets to restore the default.

Syntax

client transform-sets transform-set-name&<1-6>

undo client transform-sets

Default

A GM supports the IPsec transform set configured with the following security parameters:

·     The ESP security protocol.

·     The tunnel or transport encapsulation mode.

·     The DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-192, or AES-CBC-256 encryption algorithm.

·     The MD5 or SHA1 authentication algorithm.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names. An IPsec transform set name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

This command specifies the IPsec transform sets supported in registration and rekey processes.

·     During GM registration, a GM terminates the negotiation with the KS if the IPsec transform set sent by the KS is not supported, and the registration fails.

·     During rekey, the GM discards rekey messages received from the KS if the IPsec transform set sent by the KS is not supported.

GMs support only the ESP security protocol. For a successful registration, do not specify an IPsec transform set that uses the AH security protocol for GMs.
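The two commands client rekey encryption and client transform-sets define the same kind of check on the GM side: a KS proposal that falls outside the configured (or default) set ends registration, and during rekey it causes the message to be dropped. The Python below is an added example, not H3C code; it models that acceptance logic together with the FIPS-mode restriction and the ESP-only constraint stated above. The proposal tuples, the fips flag and the class names are constructed for illustration, and the encapsulation mode (tunnel or transport) is left out of the comparison.

```python
"""GM-side acceptance check for the KEK algorithm and IPsec transform a KS proposes.

Added example, not H3C code. Models the behaviour the `client rekey encryption` and
`client transform-sets` commands describe: an unsupported proposal makes registration
fail, and during rekey it makes the GM discard the rekey message. The proposal tuples
and the `fips` flag are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

NON_FIPS_KEK = {"des-cbc", "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
FIPS_KEK = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
DEFAULT_ESP_AUTH = {"md5", "sha1"}

# A proposal is (protocol, encryption, authentication), e.g. ("esp", "aes-cbc-128", "sha1").
Transform = Tuple[str, str, str]


@dataclass(frozen=True)
class TransformSet:
    name: str
    protocol: str       # "esp" or "ah"
    encryption: str
    auth: str

    def as_transform(self) -> Transform:
        return (self.protocol, self.encryption, self.auth)


@dataclass
class GmGroupPolicy:
    fips: bool = False
    kek_algorithms: Optional[Set[str]] = None                          # None: default for the mode
    transform_sets: List[TransformSet] = field(default_factory=list)   # empty: default sets

    def allowed_kek(self) -> Set[str]:
        if self.kek_algorithms is None:
            return FIPS_KEK if self.fips else NON_FIPS_KEK
        if self.fips and not self.kek_algorithms <= FIPS_KEK:
            raise ValueError("only AES-CBC KEK algorithms are available in FIPS mode")
        return self.kek_algorithms

    def transform_supported(self, t: Transform) -> bool:
        if self.transform_sets:
            return t in {ts.as_transform() for ts in self.transform_sets}
        proto, enc, auth = t        # default: any ESP set built from the listed algorithms
        return proto == "esp" and enc in NON_FIPS_KEK and auth in DEFAULT_ESP_AUTH


def misconfigured_transform_sets(policy: GmGroupPolicy) -> List[str]:
    """Names of configured sets that can never match because GMs support ESP only."""
    return [ts.name for ts in policy.transform_sets if ts.protocol != "esp"]


def evaluate_ks_proposal(policy: GmGroupPolicy, ks_kek: str, ks_transform: Transform,
                         phase: str) -> Tuple[bool, str, str]:
    """Return (accepted, action, reason); phase is 'registration' or 'rekey'."""
    allowed = policy.allowed_kek()
    if ks_kek not in allowed:
        reason = f"KEK algorithm {ks_kek} not in {sorted(allowed)}"
    elif not policy.transform_supported(ks_transform):
        reason = f"IPsec transform {ks_transform} not supported by the GM"
    else:
        return True, "continue", "proposal matches GM policy"
    if phase == "registration":
        return False, "terminate negotiation; registration fails", reason
    return False, "discard rekey message", reason
```

Running misconfigured_transform_sets before deployment catches the AH case the guideline above warns about; evaluate_ks_proposal shows why a narrowly configured GM and a KS with a different policy never settle into a working group.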

Examples

# Specify the supported IPsec transform set as gdoi-esp-aes for GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] client transform-sets gdoi-esp-aes

Related commands

gdoi gm group

display gdoi gm

Use display gdoi gm to display GDOI GM group information, including GDOI configuration parameters, negotiation parameters, and the IPsec information obtained after successful registrations.

Syntax

display gdoi gm [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays information about all GDOI GM groups.

Examples

# Display information about all GDOI GM groups.

<Sysname> display gdoi gm

Group name: GDOI-GROUP1

 

  Group identity             : 12345

  Address family             : IPv4

  Rekeys received            : 1

 

  Group server               : 90.1.1.1

    VRF name                 : vrf1

  Group server               : 90.1.1.2

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : 90.1.1.1

    Re-register in           : 346 sec

    Succeeded registrations  : 1125

    Attempted registrations  : 1133

    Last rekey from          : 90.1.1.1

    Last rekey seq num       : 3

    Multicast rekeys received: 1

 

  Allowable rekey cipher     : Any

  Allowable rekey hash       : Any

  Allowable transform        : Any

 

  Rekeys cumulative:

    Total received                  : 5

    Rekeys after latest registration: 3

    Last rekey received for         : 00hr 02min 11sec

 

  ACL downloaded from KS 90.1.1.1:

    rule 0 deny udp source-port eq 848 destination-port eq 848

    rule 1 deny ospf

    rule 2 permit icmp

 

  KEK:

    Rekey transport type       : Multicast

    Remaining key lifetime     : 159 sec

    Encryption algorithm       : AES-CBC

    Key size                   : 128

    Signature algorithm        : RSA

    Signature hash algorithm   : SHA1

    Signature key length       : 1024 bits

 

  TEK:

    SPI                        : 0x9AE5951E(2598737182)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 190 sec

 

    SPI                        : 0x12C55CFF(314924287)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 402 sec

# Display information about GDOI GM group GDOI-GROUP2.

<Sysname> display gdoi gm group GDOI-GROUP2

Group name: GDOI-GROUP2

 

  Group identity             : 12345

  Address family             : IPv4

  Rekeys received            : 52

 

  Group server               : 90.1.1.1

    VRF name                 : vrf1

  Group server               : keyserver

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : keyserver(90.1.1.2)

    Re-register in           : 143 sec

    Succeeded registrations  : 10

    Attempted registrations  : 15

    Last rekey from          : 90.1.1.2

    Last rekey seq num       : 13

    Unicast rekeys received  : 10

    Rekey ACKs sent          : 10

 

  Allowable rekey cipher     : Any

  Allowable rekey hash       : Any

  Allowable transform        : Any

 

  Rekeys cumulative:

    Total received                  : 52

    Rekeys after latest registration: 3

    Total rekey ACKs sent           : 23

 

  ACL downloaded from KS 90.1.1.2:

    rule 0 deny udp source-port eq 848 destination-port eq 848

    rule 1 deny ospf

    rule 2 permit icmp

 

  KEK:

    Rekey transport type       : Unicast

    Remaining key lifetime     : 159 sec

    Encryption algorithm       : AES-CBC

    Key size                   : 128

    Signature algorithm        : RSA

    Signature hash algorithm   : SHA1

    Signature key length       : 1024 bits

 

  TEK:

    SPI                        : 0x9AE5951E(2598737182)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 190 sec

 

    SPI                        : 0x12C55CFF(314924287)

    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

    Remaining key lifetime     : 402 sec

Table 1 Command output

Field

Description

Group name

GDOI GM group name.

Group identity

GDOI GM group ID (a number or an IPv4 address).

N/A indicates that the group is not configured with an ID.

Address family

Address family of data flows protected by the GDOI GM group, IPv4 or IPv6.

Rekeys received

Number of rekey messages received.

Group server

IP addresses or host names of KSs in the GDOI GM group. A group supports a maximum of 16 KS IP addresses or host names.

VRF name

Name of the VRF to which the KS belongs. If the KS belongs to the public network, this field is not displayed.

Group member

IP address of the GM.

VRF name

Name of the VRF to which the GM belongs. If the GM belongs to the public network, this field is not displayed.

Registration status

Registration status: Registered, Registering, or Not registered.

Registered with

IP address or host name of the KS with which the GM registers.

If a host name is displayed, this field also displays the IP address of the host in brackets.

Re-register in

Period of time after which the GM re-registers with a KS.

N/A indicates that the GM does not re-register with a KS.

Succeeded registrations

Number of successful registrations.

Attempted registrations

Number of registration attempts.

Last rekey from

KS from which the GM receives the last rekey message.

N/A indicates that the GM does not receive any rekey messages.

Last rekey seq num

Sequence number of the last received rekey message.

N/A indicates that the GM does not receive any rekey messages.

Multicast rekeys received

Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.

Unicast rekeys received

Number of unicast rekeys received. This field is displayed only when the GDOI GM group is a unicast group.

Rekey ACKs sent

Number of rekey ACK messages sent. This field is displayed only when the GDOI GM group is a unicast group.

Allowable rekey cipher

Rekey encryption algorithms that the GM allows. Any indicates that the GM allows all encryption algorithms.

Allowable rekey hash

Rekey hash algorithms that the GM allows. Any indicates that the GM allows all hash algorithms.

Allowable transform

Rekey transform modes that the GM allows. Any indicates that the GM allows all transform modes.

Rekeys cumulative

Rekey statistics.

Total received

Total number of rekeys that the GM has received.

Rekeys after latest registration

Number of rekeys that the GM has received after the last successful registration.

Last rekey received for

Period of time for which the key has existed after the last rekey operation. N/A indicates that no rekey message is received. This field is displayed only in multicast mode.

Total rekey ACKs sent

Number of rekey ACK messages sent. This field is displayed only in unicast mode.

ACL downloaded from KS 90.1.1.1

ACL information downloaded from the KS at 90.1.1.1.

rule 0 deny udp source-port eq 848 destination-port eq 848

UDP packets whose source and destination port numbers are both 848 do not need to be protected by IPsec.

rule 1 deny ospf

OSPF protocol packets do not need to be protected by IPsec.

rule 2 permit icmp

All ICMP packets need to be protected by IPsec.

KEK

KEK information.

Rekey transport type

Transport type of rekey messages: Multicast or Unicast.

Remaining key lifetime

KEK lifetime in seconds.

Encryption algorithm

KEK encryption algorithm.

Key size

KEK key length.

Signature algorithm

KEK signature algorithm.

Signature hash algorithm

KEK signature hash algorithm.

Signature key length

KEK signature key length in bits.

TEK

TEK information.

SPI

SPI of the IPsec SA.

Transform

Transform set list.

Remaining key lifetime

IPsec SA remaining lifetime in seconds.
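The output above is written for an operator reading it at the console, but the fields worth watching continuously are the registration counters, the SA lifetimes and the KEK signature parameters. The Python below is an added example, not part of the H3C documentation: it parses the display gdoi gm output format shown above (SAMPLE_OUTPUT is a trimmed copy of the first example) and raises findings a monitoring job could alert on. The alert thresholds are this example's own assumptions.

```python
"""Parse `display gdoi gm` output and flag conditions worth monitoring.

Added example, not H3C code. SAMPLE_OUTPUT is a trimmed copy of the command
reference's first example; the alert thresholds are this example's assumptions.
"""
import re
from typing import Any, Dict, List

SAMPLE_OUTPUT = """\
Group name: GDOI-GROUP1

  Group server               : 90.1.1.1
  Group server               : 90.1.1.2

  Group member               : 80.1.1.1
    Registration status      : Registered
    Registered with          : 90.1.1.1
    Succeeded registrations  : 1125
    Attempted registrations  : 1133

  ACL downloaded from KS 90.1.1.1:
    rule 0 deny udp source-port eq 848 destination-port eq 848
    rule 1 deny ospf
    rule 2 permit icmp

  KEK:
    Encryption algorithm       : AES-CBC
    Key size                   : 128
    Signature algorithm        : RSA
    Signature hash algorithm   : SHA1
    Signature key length       : 1024 bits

  TEK:
    SPI                        : 0x9AE5951E(2598737182)
    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
    Remaining key lifetime     : 190 sec

    SPI                        : 0x12C55CFF(314924287)
    Transform                  : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1
    Remaining key lifetime     : 402 sec
"""

# "Key : value"; a line with an empty value ("KEK:", "TEK:", "ACL downloaded from KS x:") opens a section.
KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*)$")


def parse_display_gdoi_gm(text: str) -> List[Dict[str, Any]]:
    """Return one dict per group: flat fields plus 'servers', 'acl', 'kek' and 'teks'."""
    groups: List[Dict[str, Any]] = []
    group = None
    section = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = KV_RE.match(raw)
        if not m:
            if group is not None and section == "acl":     # ACL rule lines carry no colon
                group["acl"].append(raw.strip())
            continue
        key, value = m.group(1), m.group(2)
        if key == "Group name":
            group = {"name": value, "servers": [], "acl": [], "kek": {}, "teks": []}
            groups.append(group)
            section = None
        elif group is None:
            continue
        elif value == "":
            section = {"KEK": "kek", "TEK": "tek"}.get(
                key, "acl" if key.startswith("ACL downloaded") else key)
        elif section == "kek":
            group["kek"][key] = value
        elif section == "tek":
            if key == "SPI":                                # each SPI line starts a new TEK entry
                group["teks"].append({})
            group["teks"][-1][key] = value
        elif key == "Group server":
            group["servers"].append(value)
        else:
            group[key] = value
    return groups


def _leading_int(value: str) -> int:
    return int(value.split()[0])                            # "190 sec" -> 190, "1024 bits" -> 1024


def assess_group(group: Dict[str, Any], min_tek_lifetime: int = 60) -> List[str]:
    """Findings a monitoring job would raise for one group (thresholds are assumptions)."""
    findings: List[str] = []
    if group.get("Registration status") != "Registered":
        findings.append("GM is not registered with any KS")
    failed = int(group.get("Attempted registrations", 0)) - int(group.get("Succeeded registrations", 0))
    if failed > 0:
        findings.append(f"{failed} failed registration attempts")
    for tek in group["teks"]:
        life = _leading_int(tek.get("Remaining key lifetime", "0 sec"))
        if life < min_tek_lifetime:
            findings.append(f"TEK {tek.get('SPI')} expires in {life} sec")
    kek = group["kek"]
    if kek.get("Signature algorithm") == "RSA" and _leading_int(kek.get("Signature key length", "0 bits")) < 2048:
        findings.append("KEK rekey signatures use an RSA key shorter than 2048 bits")
    if kek.get("Signature hash algorithm") == "SHA1":
        findings.append("KEK rekey signatures use SHA1")
    return findings
```

On the sample the parser reports eight failed registrations (1133 attempted against 1125 succeeded) and flags the 1024-bit RSA key and SHA1 hash that protect the rekey messages; the TEK lifetimes are above the threshold, so no lifetime finding is raised. A steadily growing gap between the two registration counters is the earliest sign that a GM is losing contact with its KSs.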

 

display gdoi gm acl

Use display gdoi gm acl to display ACL information for the GM.

Syntax

display gdoi gm acl [ download | local ] [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

download: Displays the ACL information that the GM downloaded from the KS.

local: Displays the ACL information locally configured on the GM.

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays ACL information for all GM groups.

Usage guidelines

If you do not specify any parameters, this command displays information about all ACLs for all GM groups, including the downloaded ACLs and the locally configured ACLs. A locally configured ACL refers to the ACL used by the GDOI IPsec policy.

Examples

# Display information about all ACLs for all GM groups.

<Sysname> display gdoi gm acl

Group name: abc

  ACL downloaded from KS 12.1.1.100:

    rule 0 permit ip

    rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

 

  ACL configured locally:

    IPsec policy name: gdoi-group1

      ACL identifier: 3001

        rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

 

Group name: 123

  ACL downloaded from KS 12.1.1.100:

    rule 1 permit ip source 13.1.1.0 0.0.0.255 destination 13.1.2.0 0.0.0.255

 

Group name: ipv6

  ACL configured locally:

    IPsec policy name: gdoi-group1

      IPv6 ACL identifier: 3001

        rule 0 permit ipv6 source 1::/64 destination 2::/64

# Display information about ACLs that the GM downloaded from the KS.

<Sysname> display gdoi gm acl download

Group name: abc

  ACL downloaded from KS 12.1.1.100:

    rule 0 permit ip

    rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

# Display information about ACLs that are locally configured on the GM.

<Sysname> display gdoi gm acl local

Group name: abc

  ACL configured locally:

    IPsec policy name: gdoi-group1

      ACL identifier: 3001

        rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Table 2 Command output

Field

Description

Group name

GDOI GM group name.

rule 0 permit ip

IPsec protects any IP packets.

rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255

IPsec protects IP packets whose source and destination addresses are within subnet 12.1.1.0/24.

rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

IPsec does not protect IP packets whose source and destination addresses are within subnet 10.1.1.0/24.
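The rule descriptions in Table 2 and Table 1 follow one pattern: permit means the matching traffic is protected by IPsec, deny means it is sent without protection, and the lowest-numbered matching rule decides. The Python below is an added example, not H3C code: a small evaluator for the ACL grammar that appears in these outputs (the rule forms shown on this page only), using the page's own rules as constructed input. Wildcard masks follow the table's reading of 0.0.0.255 as a /24. Traffic that matches no rule is reported as such rather than given a verdict, since the page does not state how the device treats it.

```python
"""Evaluate GDOI downloaded/local ACL rules against packets (added example, not H3C code).

Handles only the rule forms that appear in the `display gdoi gm acl` output on this page:
  rule N (permit|deny) PROTO [source A WILD] [destination A WILD]
                             [source-port eq P] [destination-port eq P]
permit = protect with IPsec, deny = send without IPsec, first matching rule wins.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the downloaded ACL from the display gdoi gm example and two local rules
# from the display gdoi gm acl example on this page.
KS_ACL = [
    "rule 0 deny udp source-port eq 848 destination-port eq 848",   # GDOI control traffic itself
    "rule 1 deny ospf",
    "rule 2 permit icmp",
]
LOCAL_ACL = [
    "rule 0 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255",
    "rule 1 permit ip source 12.1.1.0 0.0.0.255 destination 12.1.1.0 0.0.0.255",
]


@dataclass(frozen=True)
class Packet:
    proto: str                  # "udp", "tcp", "icmp", "ospf", ...
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches any protocol
    src: Optional[Tuple[int, int]] = None       # (address, wildcard) as integers
    dst: Optional[Tuple[int, int]] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


RULE_RE = re.compile(r"rule (\d+) (permit|deny) (\S+)(.*)")


def _addr_spec(addr: str, wildcard: str) -> Tuple[int, int]:
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    rule = Rule(int(m.group(1)), m.group(2), m.group(3))
    toks = m.group(4).split()
    i = 0
    while i < len(toks):
        if toks[i] == "source":
            rule.src = _addr_spec(toks[i + 1], toks[i + 2])
        elif toks[i] == "destination":
            rule.dst = _addr_spec(toks[i + 1], toks[i + 2])
        elif toks[i] == "source-port" and toks[i + 1] == "eq":
            rule.sport = int(toks[i + 2])
        elif toks[i] == "destination-port" and toks[i + 1] == "eq":
            rule.dport = int(toks[i + 2])
        else:
            raise ValueError(f"unsupported token {toks[i]!r} in {line!r}")
        i += 3
    return rule


def _addr_match(spec: Optional[Tuple[int, int]], addr: str) -> bool:
    if spec is None:
        return True
    net, wild = spec            # wildcard bits set to 1 are "don't care"
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & ~wild & 0xFFFFFFFF) == 0


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _addr_match(rule.src, pkt.src) or not _addr_match(rule.dst, pkt.dst):
        return False
    if rule.sport is not None and pkt.sport != rule.sport:
        return False
    return rule.dport is None or pkt.dport == rule.dport


def classify(rules: List[Rule], pkt: Packet) -> str:
    """'protect' for a permit match, 'bypass' for a deny match, 'no-match' otherwise."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return "protect" if rule.action == "permit" else "bypass"
    return "no-match"
```

The first KS rule is the one to understand when reviewing a downloaded ACL: GDOI registration and rekey messages travel on UDP port 848, and protecting them with the very TEK they distribute would break the group, so the KS excludes them. Any other deny entry is traffic the KS has decided to leave in the clear and deserves a deliberate review.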

 

display gdoi gm anti-replay

Use display gdoi gm anti-replay to display anti-replay information for GDOI GM groups.

Syntax

display gdoi gm anti-replay [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name, a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays anti-replay information for all GDOI GM groups.

Examples

# Display anti-replay information for all GDOI GM groups.

<Sysname> display gdoi gm anti-replay

Group name: abc

  Anti-replay timestamp type         : POSIX-TIME

  Anti-replay window                 : 200.16 ms

Related commands

client anti-replay window

display gdoi gm ipsec sa

Use display gdoi gm ipsec sa to display IPsec SA information obtained by the GM.

Syntax

display gdoi gm ipsec sa [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays IPsec SA information obtained by all GM groups.

Examples

# Display IPsec SA information obtained by all GM groups.

<Sysname> display gdoi gm ipsec sa

SA created for group abc:

  SPI                    : 0x9AE5951E(2598737182)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 190 sec

 

  SPI                    : 0x9AE5951F(2598737183)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 3600 sec

 

SA created for group hh:

  SPI                    : 0xDCC66F7B(3703992187)

  Transform              : ESP-ENCRYPT-AES-128 ESP-AUTH-SHA1

  Remaining key lifetime : 280 sec

Table 3 Command output

Field

Description

SA created for group abc

IPsec SAs created for the GDOI GM group abc.

SPI

SPI of the IPsec SA.

Transform

Transform set.

Remaining key lifetime

Remaining lifetime of the IPsec SA, in seconds.

 

display gdoi gm members

Use display gdoi gm members to display brief information about the GM.

Syntax

display gdoi gm members [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays brief information about all GM groups.

Examples

# Display brief information about all GM groups.

<Sysname> display gdoi gm members

Group member information for group GDOI-GROUP1:

 

  Group member               : 80.1.1.1

    VRF name                 : vrf1

    Registration status      : Registered

    Registered with          : 90.1.1.1

    Re-register in           : 308 sec

    Succeeded registrations  : 1131

    Attempted registrations  : 1139

    Last rekey from          : 90.1.1.1

    Last rekey seq num       : 3

    Multicast rekeys received: 1

Table 4 Command output

Field

Description

Group member information for group GDOI-GROUP1

Brief information about GMs of the GDOI GM group GDOI-GROUP1.

Group member

IP address of the GM.

VRF name

Name of the VRF to which the GM belongs. If the GM belongs to the public network, this field is not displayed.

Registration status

Registration status: Registered, Registering, or Not registered.

Registered with

IP address or host name of the KS with which the GM registers.

If the host name is displayed, this field also displays the IP address of the host in brackets.

Re-register in

Period of time after which the GM re-registers with a KS.

Succeeded registrations

Number of successful registrations.

Attempted registrations

Number of registration attempts.

Last rekey from

KS from which the GM receives the last rekey message.

N/A indicates that the GM does not receive any rekey messages.

Last rekey seq num

Sequence number of the last received rekey message.

N/A indicates that the GM does not receive any rekey messages.

Multicast rekeys received

Number of multicast rekeys received. This field is displayed only when the GDOI GM group is a multicast group.

Unicast rekeys received

Number of unicast rekeys received. This field is displayed only when the GDOI GM group is a unicast group.

Rekey ACKs sent

Number of rekey ACK messages sent. This field is displayed only when the GDOI GM group is a unicast group.

 

display gdoi gm pubkey

Use display gdoi gm pubkey to display public key information received by the GM.

Syntax

display gdoi gm pubkey [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays the public key information received by all GM groups.

Examples

# Display public key information received by all GM groups.

<Sysname> display gdoi gm pubkey

Group name: GDOI-GROUP1

  KS address: 90.1.1.1

  Conn-ID: 2044    My cookie: 7C9CB398    His cookie: 4E54C7EA

  Key data:

    30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00BB0F5B

    6B5788E7 6220C0C1 C4BCAAD7 D81322FF 7DB9436E 46E308DA D589243B 64946D2D

    FC502F64 7F38DDF5 E999F8F7 4A247508 9AF7765B F0B080AC 11CC08E4 B48A976F

    D3721818 B66201F0 BD1987BE DD28D533 C38E7D42 939D2B71 3FAAA17A 128DF862

    E45C531D A0C8593E D7D602E9 7A7E675A 94AF6B25 2972CF85 94E601BD 19020301

    0001

Table 5 Command output

Field

Description

Group name

GDOI GM group name.

KS address

IPv4 or IPv6 address of the KS.

Conn-ID

ID of the rekey SA.

My cookie

Local cookie of the rekey SA.

His cookie

Peer cookie of the rekey SA.

Key data

Public key data.

 

display gdoi gm rekey

Use display gdoi gm rekey to display rekey information for the GM.

Syntax

display gdoi gm rekey [ verbose ] [ group group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

verbose: Displays detailed rekey information for the GM. If you do not specify this keyword, the command displays brief rekey information for the GM.

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command displays rekey information for all GM groups.

Examples

# Display brief rekey information for all GM groups.

<Sysname> display gdoi gm rekey

Group name: abc (Unicast)

  Number of rekeys received (cumulative)       : 9

  Number of rekeys received after registration : 9

  Number of rekey ACKs sent                    : 105

 

Group name: 123 (Multicast)

  Number of rekeys received (cumulative)       : 9

  Number of rekeys received after registration : 9

  Multicast destination address                : 239.192.1.190

# Display detailed rekey information for all GM groups.

<Sysname> display gdoi gm rekey verbose

Group name: GDOI-GROUP1 (Multicast)

  Number of rekeys received (cumulative)       : 1904

  Number of rekeys received after registration : 889

  Multicast destination address                : 239.192.1.190

 

Rekey (KEK) SA information:

            Destination     Source            Conn-ID  My cookie  His cookie

New       : 239.192.1.190   90.1.1.1          9646     14406D26   8C58E504

Current   : 239.192.1.190   90.1.1.1          9646     14406D26   8C58E504

Previous  : ---             ---               ---      ---        ---

Table 6 Command output

Field

Description

Group name

GDOI GM group name.

Unicast

Unicast rekey transport type.

Multicast

Multicast rekey transport type.

Multicast destination address

Multicast destination address of the rekey messages.

Rekey (KEK) SA information

SA that protects the rekey messages.

Destination

Destination IP address of the rekey SA.

Source

Source IP address of the rekey SA.

Conn-ID

ID of the rekey SA.

My cookie

Local cookie of the rekey SA.

His cookie

Peer cookie of the rekey SA.

New

Information about the new rekey SA.

Current

Information about the currently used rekey SA.

Previous

Information about the most recently used rekey SA.

 

gdoi gm group

Use gdoi gm group to create a GDOI GM group and enter its view, or enter the view of an existing GDOI GM group.

Use undo gdoi gm group to delete a GDOI GM group.

Syntax

gdoi gm group [ ipv6 ] group-name

undo gdoi gm group [ ipv6 ] group-name

Default

No GDOI GM groups exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 GDOI GM group. If you do not specify this keyword, the command creates an IPv4 GDOI GM group.

group-name: Specifies a name for the GDOI GM group, a case-insensitive string of 1 to 63 characters.

Usage guidelines

IPv4 GDOI GM groups and IPv6 GDOI GM groups share the same namespace. You cannot specify the same name for an IPv4 GDOI GM group and an IPv6 GDOI GM group.

Examples

# Create a GDOI GM group named abc, and enter its view.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc]

group

Use group to specify a GDOI GM group for a GDOI IPsec policy.

Use undo group to restore the default.

Syntax

group group-name

undo group

Default

No GDOI GM group is specified for a GDOI IPsec policy.

Views

GDOI IPsec policy view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of a GDOI GM group, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one GDOI GM group for a GDOI IPsec policy. If you execute this command multiple times, the most recent configuration takes effect.

A GDOI GM group can be specified for entries of different GDOI IPsec policies, but it cannot be specified for more than one entry of the same GDOI IPsec policy.

An IPv6 GDOI GM group can be specified only for an IPv6 GDOI IPsec policy. An IPv4 GDOI GM group can be specified only for an IPv4 GDOI IPsec policy.

Examples

# Create a GDOI IPsec policy entry, and specify the IPsec policy name as map and the sequence number as 1.

<Sysname> system-view

[Sysname] ipsec policy map 1 gdoi

# Specify GDOI GM group abc for the GDOI IPsec policy.

[Sysname-ipsec-policy-gdoi-map-1] group abc

Related commands

gdoi gm group

ipsec { ipv6-policy | policy }

identity

Use identity to configure an ID for a GDOI GM group.

Use undo identity to restore the default.

Syntax

identity { address ip-address | number number }

undo identity

Default

No ID is configured for a GDOI GM group.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

address ip-address: Specifies any valid IPv4 address to identify the GDOI GM group.

number number: Specifies a number in the range of 0 to 2147483647 to identify the GDOI GM group.

Usage guidelines

Only GMs in the same GDOI GM group can communicate with each other.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the ID for GDOI GM group abc as 123456.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] identity number 123456

# Configure the ID for GDOI GM group def as 202.202.202.10.

<Sysname> system-view

[Sysname] gdoi gm group def

[Sysname-gdoi-gm-group-def] identity address 202.202.202.10

reset gdoi gm

Use reset gdoi gm to clear GDOI information that the GM downloaded from a KS, and trigger the GM to re-register with the KS.

Syntax

reset gdoi gm [ group group-name ]

Views

User view

Predefined user roles

network-admin

Parameters

group group-name: Specifies a GDOI GM group by its name. A GDOI GM group name is a case-insensitive string of 1 to 63 characters. If you do not specify a group, this command clears GDOI information for all GM groups.

Usage guidelines

The downloaded GDOI information includes the IKE SA, rekey SA, IPsec SA, and ACL.

Examples

# Clear GDOI information for all GM groups, and trigger the GM to re-register with the KS.

<Sysname> reset gdoi gm

# Clear GDOI information for GDOI GM group abc, and trigger the GM to re-register with the KS.

<Sysname> reset gdoi gm group abc

server address

Use server address to specify the IP address of a key server (KS).

Use undo server address to delete a KS IP address.

Syntax

server address host [ vrf vrf-name ]

undo server address host [ vrf vrf-name ]

Default

No KS IP address is specified.

Views

GDOI GM group view

Predefined user roles

network-admin

Parameters

host: Specifies a KS by its IP address or host name, a case-sensitive string of 1 to 253 characters.

vrf vrf-name: Specifies the VRF to which the KS IP address belongs. The vrf-name argument represents the VRF name, a case-sensitive string of 1 to 31 characters. If you do not specify a VRF, the KS IP address belongs to the public network.

Usage guidelines

You must specify KSs for GMs in a GDOI GM group.

A GDOI GM group can have a maximum of 16 KS addresses. A GM first sends a registration request to the first-specified KS. If that registration does not succeed before the registration timer expires, the GM tries the remaining KSs one by one in the order they are configured until a registration succeeds. If all registration attempts fail, the GM repeats the registration process from the first KS.

Examples

# Specify two KS addresses, 3.3.3.3 and 3.3.3.4, for GDOI GM group abc.

<Sysname> system-view

[Sysname] gdoi gm group abc

[Sysname-gdoi-gm-group-abc] server address 3.3.3.3

[Sysname-gdoi-gm-group-abc] server address 3.3.3.4