12-Security Command Reference
07-IPsec commands
IPsec commands
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
Syntax
ah authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo ah authentication-algorithm
Default
AH does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
sm3: Specifies the HMAC-SM3 algorithm, which uses a 256-bit key. This keyword is available only for IKEv1.
Usage guidelines
You can specify multiple AH authentication algorithms for one IPsec transform set; an algorithm specified earlier has higher priority.
For a manual or IKEv1-based IPsec profile, only the first specified AH authentication algorithm takes effect. For an IPsec tunnel to be established, the IPsec transform sets at both ends of the tunnel must have the same first AH authentication algorithm.
HMAC-MD5 and HMAC-SHA1 are legacy choices. Prefer a SHA-2 algorithm (sha256, sha384, or sha512) unless interoperability with a peer requires otherwise.
Examples
# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure a description for an IPsec profile.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for an IPsec profile.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 80 characters.
Usage guidelines
If the system has multiple IPsec profiles, you can use this command to configure different descriptions for them to distinguish them.
Examples
# Configure the description for IPsec profile profile1 as CenterToA.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] description CenterToA
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
<Sysname> display ipsec profile
-----------------------------------------------
IPsec profile: profile
Mode: Manual
-----------------------------------------------
Transform set: prop1
Inbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Inbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex-key: ******
ESP authentication hex-key: ******
Outbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Outbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
Table 1 Command output

Field | Description |
---|---|
IPsec profile | IPsec profile name. |
Mode | Negotiation mode used by the IPsec profile. |
Description | Description of the IPsec profile. |
Transform set | IPsec transform set used by the IPsec profile. |
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ brief | count | interface interface-type interface-number | profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and number.
profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all IPsec SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------
Tunnel0 10.1.1.1 400 ESP Active
Tunnel1 255.255.255.255 4294967295 ESP Active
Tunnel2 100::1/64 500 AH Active
Global -- 600 ESP Active
Table 2 Command output

Field | Description |
---|---|
Interface/Global | Interface to which the IPsec SA belongs, or Global for a global IPsec SA (created by using an IPsec profile). |
Dst Address | Remote end IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--). |
SPI | IPsec SA SPI. |
Protocol | Security protocol used by IPsec. |
Status | Status of the IPsec SA, which can only be Active. |
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: Tunnel1
-------------------------------
-----------------------------
IPsec profile: profile
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Path MTU: 1443
Tunnel:
local address: 2.2.2.2
remote address: 1.1.1.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 3564837569 (0xd47b1ac1)
Connection ID: 90194313219
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 4294967295/604800
SA remaining duration (kilobytes/sec): 1843200/2686
Max received sequence-number: 5
Anti-replay check enable: Y
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
Status: Active
[Outbound ESP SAs]
SPI: 801701189 (0x2fc8fd45)
Connection ID: 64424509441
Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
SA duration (kilobytes/sec): 4294967295/604800
SA remaining duration (kilobytes/sec): 1843200/2686
Max sent sequence-number: 6
UDP encapsulation used for NAT traversal: N
Status: Active
-------------------------------
Global IPsec SA
-------------------------------
-----------------------------
IPsec profile: profile
Mode: Manual
-----------------------------
Encapsulation mode: transport
[Inbound AH SA]
SPI: 1234563 (0x0012d683)
Connection ID: 64426789452
Transform set: AH-SHA1
No duration limit for this SA
[Outbound AH SA]
SPI: 1234563 (0x0012d683)
Connection ID: 64428999468
Transform set: AH-SHA1
No duration limit for this SA
Table 3 Command output

Field | Description |
---|---|
Interface | Interface to which the IPsec SA belongs. |
IPsec profile | Name of the IPsec profile. |
Mode | Negotiation mode used by the IPsec profile: Manual or ISAKMP. |
Tunnel id | IPsec tunnel ID. |
Encapsulation mode | Encapsulation mode: transport or tunnel. |
Perfect Forward Secrecy | PFS Diffie-Hellman group used by the IPsec profile for negotiation: 768-bit (dh-group1), 1024-bit (dh-group2), 1536-bit (dh-group5), 2048-bit (dh-group14), 2048-bit with 256-bit subgroup (dh-group24), 256-bit ECP (dh-group19), or 384-bit ECP (dh-group20). |
Path MTU | Path MTU of the IPsec SA. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel. |
sour addr | Source IP address of the data flow. |
dest addr | Destination IP address of the data flow. |
port | Port number. |
protocol | Protocol type: ip or ipv6. |
SPI | SPI of the IPsec SA. |
Connection ID | Identifier of the IPsec SA. |
Transform set | Security protocol and algorithms used by the IPsec transform set. |
SA duration (kilobytes/sec) | IPsec SA lifetime, in kilobytes and in seconds. |
SA remaining duration (kilobytes/sec) | Remaining IPsec SA lifetime, in kilobytes and in seconds. |
Max received sequence-number | Highest sequence number among the received packets. |
Max sent sequence-number | Highest sequence number among the sent packets. |
Anti-replay check enable | Whether anti-replay checking is enabled. |
Anti-replay window size | Size of the anti-replay window, in packets. |
UDP encapsulation used for NAT traversal | Whether NAT traversal is used by the IPsec SA. |
Status | Status of the IPsec SA: Active. |
No duration limit for this SA | Manual IPsec SAs do not have a lifetime. |
Related commands
ipsec sa global-duration
reset ipsec sa
display ipsec statistics
Use display ipsec statistics to display IPsec packet statistics.
Syntax
display ipsec statistics [ tunnel-id tunnel-id ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.
Usage guidelines
If you do not specify any parameters, this command displays statistics for all IPsec packets.
Examples
# Display statistics for all IPsec packets.
<Sysname> display ipsec statistics
IPsec packet statistics:
Received/sent packets: 47/64
Received/sent bytes: 3948/5208
Dropped packets (received/sent): 0/45
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 45
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
# Display statistics for the packets of IPsec tunnel 1.
<Sysname> display ipsec statistics tunnel-id 1
IPsec packet statistics:
Received/sent packets: 5124/8231
Received/sent bytes: 52348/64356
Dropped packets (received/sent): 0/0
Dropped packets statistics
No available SA: 0
Wrong SA: 0
Invalid length: 0
Authentication failure: 0
Encapsulation failure: 0
Decapsulation failure: 0
Replayed packets: 0
ACL check failure: 0
MTU check failure: 0
Loopback limit exceeded: 0
Crypto speed limit exceeded: 0
Table 4 Command output

Field | Description |
---|---|
Received/sent packets | Number of received/sent IPsec-protected packets. |
Received/sent bytes | Number of bytes in received/sent IPsec-protected packets. |
Dropped packets (received/sent) | Number of dropped IPsec-protected packets (received/sent). |
No available SA | Number of packets dropped because no IPsec SA was available. |
Wrong SA | Number of packets dropped because of a wrong IPsec SA. |
Invalid length | Number of packets dropped because of an invalid packet length. |
Authentication failure | Number of packets dropped because of authentication failure. |
Encapsulation failure | Number of packets dropped because of encapsulation failure. |
Decapsulation failure | Number of packets dropped because of decapsulation failure. |
Replayed packets | Number of replayed packets dropped. |
ACL check failure | Number of packets dropped because of ACL check failure. |
MTU check failure | Number of packets dropped because of MTU check failure. |
Loopback limit exceeded | Number of packets dropped because the loopback limit was exceeded. |
Crypto speed limit exceeded | Number of packets dropped because the crypto speed limit was exceeded. |
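The drop counters above are the first place to look when a tunnel is passing less traffic than expected, and a few of them (authentication failures, replayed packets, wrong or missing SA) are also what an attack or a key mismatch looks like from the device. The following Python is an example added to this page, not Comware code: it parses the counter block in the format shown above, compares two polls, and raises alerts for the counters that grew. The first poll is the sample output from this page; the second is constructed, and the counter interpretations are this example's own.

```python
"""Poll-to-poll monitoring of `display ipsec statistics` counters.

Added example for this page, not Comware code. It parses the counter block
shown above and raises alerts when drop counters that point at tampering,
replay or SA mismatch increase between two polls. The second poll is
constructed; the first is the sample output from this page. The counter
interpretations are this example's own.
"""
import re

COUNTER_LINE = re.compile(r"^\s*(?P<name>[^:]+?):\s*(?P<value>\d+(?:/\d+)?)\s*$")

# Counters whose growth deserves a security alert, with what they usually mean.
SECURITY_COUNTERS = {
    "Authentication failure": "ICV mismatch: modified packets or a key mismatch with the peer",
    "Replayed packets": "anti-replay drops: a replay attempt or heavy reordering",
    "Wrong SA": "packets arriving on an SA that cannot process them",
    "No available SA": "IPsec traffic with no matching SA, e.g. after a peer rekeyed",
}
# Counters that usually indicate configuration rather than attack.
POLICY_COUNTERS = {
    "ACL check failure": "traffic that does not match the protected data flow",
    "MTU check failure": "packets too large for the path and not fragmentable",
}

# First poll: the sample output from this page.
POLL_1 = """\
IPsec packet statistics:
  Received/sent packets: 47/64
  Received/sent bytes: 3948/5208
  Dropped packets (received/sent): 0/45
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 0
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 0
    ACL check failure: 45
    MTU check failure: 0
    Loopback limit exceeded: 0
    Crypto speed limit exceeded: 0
"""

# Second poll: constructed for this example, some time later.
POLL_2 = """\
IPsec packet statistics:
  Received/sent packets: 130/142
  Received/sent bytes: 10920/11544
  Dropped packets (received/sent): 10/45
  Dropped packets statistics
    No available SA: 0
    Wrong SA: 0
    Invalid length: 0
    Authentication failure: 7
    Encapsulation failure: 0
    Decapsulation failure: 0
    Replayed packets: 3
    ACL check failure: 45
    MTU check failure: 0
    Loopback limit exceeded: 0
    Crypto speed limit exceeded: 0
"""


def parse_ipsec_statistics(text):
    """Return {counter name: int}, or (received, sent) tuples for the paired counters."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if "/" in value:
            received, sent = value.split("/")
            counters[name] = (int(received), int(sent))
        else:
            counters[name] = int(value)
    return counters


def counter_deltas(before, after):
    """Growth of each single-valued counter between two polls (a reset yields negatives)."""
    return {k: v - before.get(k, 0) for k, v in after.items() if isinstance(v, int)}


def alerts(before, after, threshold=1):
    """Return (severity, counter, growth, meaning) for counters that grew by at least threshold."""
    deltas = counter_deltas(before, after)
    found = []
    for severity, table in (("security", SECURITY_COUNTERS), ("policy", POLICY_COUNTERS)):
        for name, meaning in table.items():
            if deltas.get(name, 0) >= threshold:
                found.append((severity, name, deltas[name], meaning))
    return found


if __name__ == "__main__":
    before, after = parse_ipsec_statistics(POLL_1), parse_ipsec_statistics(POLL_2)
    for severity, name, growth, meaning in alerts(before, after):
        print(f"[{severity}] {name} +{growth}: {meaning}")
```

Feed it the output of display ipsec statistics tunnel-id to watch one tunnel instead of the aggregate; a negative delta means the counters were cleared with reset ipsec statistics between polls.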
Related commands
reset ipsec statistics
display ipsec transform-set
Use display ipsec transform-set to display information about IPsec transform sets.
Syntax
display ipsec transform-set [ transform-set-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.
Examples
# Display information about all IPsec transform sets.
<Sysname> display ipsec transform-set
IPsec transform set: mytransform
State: incomplete
Encapsulation mode: tunnel
ESN: Disabled
PFS:
Transform: ESP
IPsec transform set: completeTransform
State: complete
Encapsulation mode: transport
ESN: Disabled
PFS:
Transform: AH-ESP
AH protocol:
Integrity: SHA1
ESP protocol:
Integrity: SHA1
Encryption: AES-CBC-128
Table 5 Command output

Field | Description |
---|---|
IPsec transform set | Name of the IPsec transform set. |
State | Whether the IPsec transform set is complete. |
Encapsulation mode | Encapsulation mode used by the IPsec transform set: transport or tunnel. |
ESN | Whether Extended Sequence Number (ESN) is enabled. This field is not supported in the current software version. |
PFS | PFS Diffie-Hellman group used by the IPsec policy for negotiation: 768-bit (dh-group1), 1024-bit (dh-group2), 1536-bit (dh-group5), 2048-bit (dh-group14), 2048-bit with 256-bit subgroup (dh-group24), 256-bit ECP (dh-group19), or 384-bit ECP (dh-group20). |
Transform | Security protocols used by the IPsec transform set: AH, ESP, or AH-ESP (both). When both are configured, IPsec applies ESP first and then AH, so AH is the outer header. |
AH protocol | AH settings. |
ESP protocol | ESP settings. |
Integrity | Authentication algorithm used by the security protocol. |
Encryption | Encryption algorithm used by the security protocol. |
Related commands
ipsec transform-set
display ipsec tunnel
Use display ipsec tunnel to display information about IPsec tunnels.
Syntax
display ipsec tunnel { brief | count | tunnel-id tunnel-id }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
brief: Displays brief information about IPsec tunnels.
count: Displays the number of IPsec tunnels.
tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.
Usage guidelines
IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.
Examples
# Display brief information about all IPsec tunnels.
<Sysname> display ipsec tunnel brief
----------------------------------------------------------------------------
Tunn-id Src Address Dst Address Inbound SPI Outbound SPI Status
----------------------------------------------------------------------------
0 2.5.3.1 3.3.3.3 1000 2000 Active
2 3.2.4.1 5.5.5.5 3000 4000 Active
1 1.5.5.1 2.2.2.2 5000 6000 Active
4 5.2.6.1 6.6.6.6 7000 8000 Active
Table 6 Command output

Field | Description |
---|---|
Src Address | Source IP address of the IPsec tunnel. |
Dst Address | Destination IP address of the IPsec tunnel. |
Inbound SPI | Valid SPI in the inbound direction of the IPsec tunnel. If the tunnel uses two security protocols, the two inbound SPIs are displayed on two lines. |
Outbound SPI | Valid SPI in the outbound direction of the IPsec tunnel. If the tunnel uses two security protocols, the two outbound SPIs are displayed on two lines. |
Status | Status of the IPsec SA: Active. |
# Display the number of IPsec tunnels.
<Sysname> display ipsec tunnel count
Total IPsec Tunnel Count: 2
# Display detailed information about all IPsec tunnels.
<Sysname> display ipsec tunnel
Tunnel ID: 0
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
outbound: 2000 (0x000007d0) [AH]
inbound: 1000 (0x000003e8) [AH]
outbound: 4000 (0x00000fa0) [ESP]
inbound: 3000 (0x00000bb8) [ESP]
Tunnel:
local address: 5.1.1.1
remote address: 5.1.1.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
# Display detailed information about IPsec tunnel 1.
<Sysname> display ipsec tunnel tunnel-id 1
Tunnel ID: 1
Status: Active
Perfect forward secrecy:
Inside vpn-instance:
SA's SPI:
outbound: 6000 (0x00001770) [AH]
inbound: 5000 (0x00001388) [AH]
outbound: 8000 (0x00001f40) [ESP]
inbound: 7000 (0x00001b58) [ESP]
Tunnel:
local address: 1.2.3.1
remote address: 2.2.2.2
Flow:
sour addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
dest addr: 0.0.0.0/0.0.0.0 port: 0 protocol: ip
Table 7 Command output

Field | Description |
---|---|
Tunnel ID | IPsec tunnel ID, which uniquely identifies an IPsec tunnel. |
Status | Status of the IPsec SA: Active. |
Perfect forward secrecy | PFS Diffie-Hellman group used by the IPsec profile for negotiation: 768-bit (dh-group1), 1024-bit (dh-group2), 1536-bit (dh-group5), 2048-bit (dh-group14), 2048-bit with 256-bit subgroup (dh-group24), 256-bit ECP (dh-group19), or 384-bit ECP (dh-group20). |
Inside vpn-instance | VPN instance to which the IPsec-protected data flows belong. This field is not supported in the current software version. |
SA's SPI | SPIs of the inbound and outbound SAs. |
Tunnel | Local and remote addresses of the IPsec tunnel. |
local address | Local end IP address of the IPsec tunnel. |
remote address | Remote end IP address of the IPsec tunnel. |
Flow | Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol. |
encapsulation-mode
Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.
Use undo encapsulation-mode to restore the default.
Syntax
encapsulation-mode { transport | tunnel }
undo encapsulation-mode
Default
IP packets are encapsulated in tunnel mode.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
transport: Uses the transport mode for IP packet encapsulation.
tunnel: Uses the tunnel mode for IP packet encapsulation.
Usage guidelines
IPsec supports the following encapsulation modes:
· Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.
· Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.
The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.
Examples
# Configure IPsec transform set tran1 to use the transport mode for IP packet encapsulation.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport
Related commands
ipsec transform-set
esp authentication-algorithm
Use esp authentication-algorithm to specify authentication algorithms for ESP.
Use undo esp authentication-algorithm to restore the default.
Syntax
esp authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *
undo esp authentication-algorithm
Default
ESP does not use any authentication algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
sm3: Specifies the HMAC-SM3 algorithm, which uses a 256-bit key. This keyword is available only for IKEv1.
Usage guidelines
You can specify multiple ESP authentication algorithms for one IPsec transform set; an algorithm specified earlier has higher priority.
For a manual or IKEv1-based IPsec profile, only the first specified ESP authentication algorithm takes effect. For an IPsec tunnel to be established, the IPsec transform sets at both ends of the tunnel must have the same first ESP authentication algorithm.
Examples
# Configure IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1
Related commands
ipsec transform-set
esp encryption-algorithm
Use esp encryption-algorithm to specify encryption algorithms for ESP.
Use undo esp encryption-algorithm to restore the default.
Syntax
esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null | sm4-cbc } *
undo esp encryption-algorithm
Default
ESP does not use any encryption algorithms.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.
null: Specifies the NULL algorithm, which means encryption is not performed.
sm4-cbc: Specifies the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.
Usage guidelines
You can specify multiple ESP encryption algorithms for one IPsec transform set; an algorithm specified earlier has higher priority.
For a manual or IKEv1-based IPsec profile, only the first specified ESP encryption algorithm takes effect. For an IPsec tunnel to be established, the IPsec transform sets at both ends of the tunnel must have the same first ESP encryption algorithm.
DES and 3DES are legacy algorithms, and null provides no confidentiality at all. Prefer an AES variant unless interoperability with a peer requires otherwise.
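The first-algorithm rule stated here, and in the same form for ah authentication-algorithm and esp authentication-algorithm above, is easy to get wrong when two devices are administered separately. The following Python is an example added to this page, not Comware code: it parses display ipsec transform-set output captured from both ends (in the format of the sample earlier on this page, where each Integrity and Encryption line shows the effective algorithm), reports any difference in state, encapsulation mode, protocol set or algorithm, and flags legacy algorithms. The remote capture is constructed for the example, and the legacy-algorithm list is this example's own assumption.

```python
"""Compare the effective algorithms of an IPsec transform set on two peers.

Added example for this page, not Comware code. It parses the output of
`display ipsec transform-set` (assumed to look like the sample above, with the
effective algorithm on each Integrity/Encryption line) and applies the rule
from the usage guidelines: for manual and IKEv1-based profiles the first AH/ESP
authentication algorithm, the first ESP encryption algorithm and the
encapsulation mode must match at both ends.
"""

# Algorithms still accepted by the commands but regarded as legacy today.
# This list is the example's own assumption, not a statement from the page.
LEGACY_ALGORITHMS = {"MD5", "SHA1", "DES-CBC", "3DES-CBC", "NULL"}

# Sample output copied from the display ipsec transform-set example above.
LOCAL_OUTPUT = """\
IPsec transform set: mytransform
  State: incomplete
  Encapsulation mode: tunnel
  ESN: Disabled
  PFS:
  Transform: ESP
IPsec transform set: completeTransform
  State: complete
  Encapsulation mode: transport
  ESN: Disabled
  PFS:
  Transform: AH-ESP
  AH protocol:
    Integrity: SHA1
  ESP protocol:
    Integrity: SHA1
    Encryption: AES-CBC-128
"""

# Constructed output for the remote peer: identical except for ESP encryption.
REMOTE_OUTPUT = """\
IPsec transform set: completeTransform
  State: complete
  Encapsulation mode: transport
  ESN: Disabled
  PFS:
  Transform: AH-ESP
  AH protocol:
    Integrity: SHA1
  ESP protocol:
    Integrity: SHA1
    Encryption: AES-CBC-256
"""


def parse_transform_sets(output):
    """Return {name: fields}; fields has lower-case keys plus 'AH' and 'ESP' dicts."""
    sets = {}
    current = None
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IPsec transform set":
            current = sets.setdefault(value, {"AH": {}, "ESP": {}})
            section = None
        elif current is None:
            continue
        elif key in ("AH protocol", "ESP protocol"):
            section = key.split()[0]          # "AH" or "ESP"
        elif key in ("Integrity", "Encryption") and section:
            current[section][key.lower()] = value.upper()
        else:
            current[key.lower()] = value      # state, encapsulation mode, transform, ...
            section = None
    return sets


def compatibility_issues(local, remote):
    """List the reasons two parsed transform sets cannot establish a tunnel (empty if they can)."""
    issues = []
    for end, ts in (("local", local), ("remote", remote)):
        if ts.get("state") != "complete":
            issues.append(f"{end} transform set is {ts.get('state', 'unknown')}")
    for field in ("encapsulation mode", "transform"):
        if local.get(field) != remote.get(field):
            issues.append(f"{field} differs: {local.get(field)} vs {remote.get(field)}")
    for proto in ("AH", "ESP"):
        for alg in ("integrity", "encryption"):
            l_alg, r_alg = local[proto].get(alg), remote[proto].get(alg)
            if l_alg != r_alg:
                issues.append(f"{proto} {alg} differs: {l_alg} vs {r_alg}")
    return issues


def legacy_algorithms(ts):
    """Algorithms in a parsed transform set that are on the legacy list."""
    return sorted({v for proto in ("AH", "ESP") for v in ts[proto].values() if v in LEGACY_ALGORITHMS})


if __name__ == "__main__":
    local = parse_transform_sets(LOCAL_OUTPUT)["completeTransform"]
    remote = parse_transform_sets(REMOTE_OUTPUT)["completeTransform"]
    for issue in compatibility_issues(local, remote):
        print("MISMATCH:", issue)
    print("legacy algorithms on local end:", legacy_algorithms(local))
```

Run against the two captures, the check reports only the ESP encryption mismatch (AES-CBC-128 against AES-CBC-256), which is exactly the condition under which the usage guidelines say the tunnel will not come up.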
Examples
# Configure IPsec transform set tran1 to use the AES-CBC-128 algorithm as the ESP encryption algorithm.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128
Related commands
ipsec transform-set
ike-profile
Use ike-profile to specify an IKE profile for an IPsec profile.
Use undo ike-profile to restore the default.
Syntax
ike-profile profile-name
undo ike-profile
Default
No IKE profile is specified for an IPsec profile.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
If no IKE profile is specified for an IPsec profile, the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured in system view, the device uses the global IKE settings.
The IKE profile specified for an IPsec profile defines the parameters used for IKE negotiation.
You can specify only one IKE profile for an IPsec profile.
Examples
# Specify IKE profile profile1 for IPsec profile profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] ike-profile profile1
Related commands
ike profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
IPsec packet de-encapsulation involves expensive computation. De-encapsulating replayed packets is unnecessary, consumes large amounts of resources, and degrades performance, which can amount to a denial of service. When IPsec anti-replay checking is enabled, it is performed before de-encapsulation, so replayed packets are discarded before they can waste those resources.
In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect manually created IPsec SAs.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
Default
The anti-replay window size is 64.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, or 1024 packets.
Usage guidelines
Service data packets might be received in a very different order than their original order, and the IPsec anti-replay feature might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Changing the anti-replay window size affects only the IPsec SAs negotiated later.
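To make concrete what the window size changes, here is a sliding-window replay check in the style of RFC 4303, Appendix A, written in Python as an example added to this page (it is not the device's implementation). It accepts only the widths this command allows and runs a constructed arrival order of ESP sequence numbers through windows of two sizes: a packet that arrives later than the window allows is dropped even though it was never seen before, and widening the window admits it without admitting a true replay.

```python
"""Sliding-window anti-replay check in the style of RFC 4303, Appendix A.

Added example for this page, not the device's implementation. It shows what
`ipsec anti-replay window` changes: a packet that arrives later than the
window allows is dropped even though it was never seen before, and widening
the window lets such reordered packets through without admitting real replays.
"""

VALID_WIDTHS = (64, 128, 256, 512, 1024)   # the widths the command accepts


class AntiReplayWindow:
    def __init__(self, width=64):
        if width not in VALID_WIDTHS:
            raise ValueError(f"window width must be one of {VALID_WIDTHS}")
        self.width = width
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i is set when sequence number top - i was seen

    def check(self, seq):
        """Return "accept", "replay" or "too-old"; state is updated only on accept."""
        if seq == 0:                         # ESP sequence numbers start at 1
            return "replay"
        if seq > self.top:                   # advances the window
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1              # everything previously seen falls out of the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq              # inside or below the window
        if offset >= self.width:
            return "too-old"                 # reordered beyond the window: dropped like a replay
        if self.bitmap & (1 << offset):
            return "replay"                  # already received: a true replay
        self.bitmap |= 1 << offset
        return "accept"


def classify(seqs, width=64):
    """Run a sequence of ESP sequence numbers through a fresh window and return the verdicts."""
    window = AntiReplayWindow(width)
    return [(seq, window.check(seq)) for seq in seqs]


# Constructed arrival order: in-order packets, a small reorder (5 before 4), a
# genuine replay of 3, a jump to 70, then packet 6 arriving late, then 200.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 70, 6, 200]

if __name__ == "__main__":
    for width in (64, 128):
        print(f"window {width}:", classify(SAMPLE_ARRIVALS, width))
```

With a 64-packet window, packet 6 arriving after packet 70 is 64 behind the top of the window and is dropped; with a 128-packet window it is accepted, while the second copy of packet 3 is rejected as a replay in both cases. That is the trade-off behind the guideline above: widen the window when legitimate traffic is reordered, but a larger window keeps more history and so tolerates more delay before a late packet is refused.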
Examples
# Set the size of the anti-replay window to 128.
<Sysname> system-view
[Sysname] ipsec anti-replay window 128
Related commands
ipsec anti-replay check
ipsec df-bit
Use ipsec df-bit to configure the DF bit for the outer IP header of IPsec packets on an interface.
Use undo ipsec df-bit to restore the default.
Syntax
ipsec df-bit { clear | copy | set }
undo ipsec df-bit
Default
The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used.
Views
Interface view
Predefined user roles
network-admin
mdc-admin
Parameters
clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.
copy: Copies the DF bit setting of the original IP header to the outer IP header.
set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.
This command does not change the DF bit for the original IP header of IPsec packets.
If multiple interfaces use an IPsec profile that is bound to a source interface, you must use the same DF bit setting on these interfaces.
Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent the IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.
Examples
# Set the DF bit in the outer IP header of IPsec packets on GigabitEthernet 1/2/0/2.
<Sysname> system-view
[Sysname] interface gigabitethernet 1/2/0/2
[Sysname-GigabitEthernet1/2/0/2] ipsec df-bit set
Related commands
ipsec global-df-bit
ipsec fragmentation
Use ipsec fragmentation to configure the IPsec fragmentation feature.
Use undo ipsec fragmentation to restore the default.
Syntax
ipsec fragmentation before-encryption
undo ipsec fragmentation
Default
The device fragments packets before IPsec encapsulation.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
before-encryption: Fragments packets before IPsec encapsulation (prefragmentation).
Usage guidelines
If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.
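The decision described above depends on predicting the encapsulated size, which in turn depends on the transform set in use. The following Python is an example added to this page, not Comware code: it computes the on-the-wire size of an ESP tunnel-mode packet for a given inner packet and algorithm pair, and applies the rule in the usage guidelines (send if it fits, fragment the inner packet before encapsulation if it does not and its DF bit is clear, drop it if DF is set). It assumes IPv4 without options and the truncated HMAC ICV lengths of RFC 2404 and RFC 4868; the overhead constants and function names are this example's own.

```python
"""Pre-fragmentation decision for ESP tunnel-mode traffic (ipsec fragmentation
before-encryption).

Added example for this page, not Comware code. The rule is the one in the
usage guidelines: predict the encapsulated size; if it exceeds the output MTU
and the inner packet's DF bit is clear, fragment the inner packet before
encapsulation; if DF is set, drop it (the device sends an ICMP error).
Overhead figures assume IPv4 and the truncated HMAC ICV lengths of RFC 2404 /
RFC 4868; they are this example's assumptions, not values from the page.
"""

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
INNER_IP_HDR = 20   # header of the packet being protected (no options)
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)

IV_LEN = {"AES-CBC-128": 16, "AES-CBC-192": 16, "AES-CBC-256": 16,
          "3DES-CBC": 8, "DES-CBC": 8, "NULL": 0}
BLOCK = {"AES-CBC-128": 16, "AES-CBC-192": 16, "AES-CBC-256": 16,
         "3DES-CBC": 8, "DES-CBC": 8, "NULL": 4}          # NULL still pads to 4 bytes
ICV_LEN = {"MD5": 12, "SHA1": 12, "SHA256": 16, "SHA384": 24, "SHA512": 32}


def esp_tunnel_size(inner_len, enc, auth):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes in ESP tunnel mode."""
    block = BLOCK[enc]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block   # round up to the cipher block
    return OUTER_IP_HDR + ESP_HDR + IV_LEN[enc] + padded + ICV_LEN[auth]


def max_inner_len(mtu, enc, auth):
    """Largest inner packet whose encapsulation still fits in mtu."""
    available = mtu - OUTER_IP_HDR - ESP_HDR - IV_LEN[enc] - ICV_LEN[auth]
    return available // BLOCK[enc] * BLOCK[enc] - ESP_TRAILER


def prefragment(inner_len, df_set, mtu, enc, auth):
    """Return ("send", [inner_len]), ("fragment", [fragment sizes]) or ("drop", [])."""
    if esp_tunnel_size(inner_len, enc, auth) <= mtu:
        return "send", [inner_len]
    if df_set:
        return "drop", []                    # DF set: no fragmentation, ICMP error instead
    per_fragment = (max_inner_len(mtu, enc, auth) - INNER_IP_HDR) // 8 * 8
    if per_fragment <= 0:
        raise ValueError("MTU too small to carry any inner payload")
    sizes, payload = [], inner_len - INNER_IP_HDR
    while payload > 0:                       # every fragment repeats the inner IP header
        chunk = min(per_fragment, payload)   # non-final fragments are multiples of 8 bytes
        sizes.append(INNER_IP_HDR + chunk)
        payload -= chunk
    return "fragment", sizes


if __name__ == "__main__":
    for df_set in (False, True):
        print("DF set" if df_set else "DF clear",
              prefragment(1500, df_set, 1500, "AES-CBC-128", "SHA1"))
```

For a 1500-byte inner packet on a 1500-byte output MTU with AES-CBC-128 and HMAC-SHA1, the encapsulated packet would be 1560 bytes, so a DF-clear packet is split into a 1436-byte and an 84-byte fragment (each fitting after encapsulation) and a DF-set packet is dropped. The same arithmetic is what the ipsec df-bit guidelines mean by making sure the path MTU is larger than the IPsec packet size.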
Examples
# Configure the device to fragment packets before IPsec encapsulation.
<Sysname> system-view
[Sysname] ipsec fragmentation before-encryption
ipsec global-df-bit
Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces.
Use undo ipsec global-df-bit to restore the default.
Syntax
ipsec global-df-bit { clear | copy | set }
undo ipsec global-df-bit
Default
The DF bit setting of the original IP header is copied to the outer IP header for IPsec packets.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.
copy: Copies the DF bit setting of the original IP header to the outer IP header.
set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.
Usage guidelines
This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.
This command does not change the DF bit for the original IP header of IPsec packets.
Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.
Examples
# Set the DF bit in the outer IP header of IPsec packets on all interfaces.
<Sysname> system-view
[Sysname] ipsec global-df-bit set
Related commands
ipsec df-bit
ipsec limit max-tunnel
Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels.
Use undo ipsec limit max-tunnel to restore the default.
Syntax
ipsec limit max-tunnel tunnel-limit
undo ipsec limit max-tunnel
Default
The number of IPsec tunnels is not limited.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295.
Usage guidelines
To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels. To ensure service availability when memory is insufficient, decrease the maximum number of IPsec tunnels.
Examples
# Set the maximum number of IPsec tunnels to 5000.
<Sysname> system-view
[Sysname] ipsec limit max-tunnel 5000
Related commands
ike limit
ipsec logging packet enable
Use ipsec logging packet enable to enable logging for IPsec packets.
Use undo ipsec logging packet enable to disable logging for IPsec packets.
Syntax
ipsec logging packet enable
undo ipsec logging packet enable
Default
Logging for IPsec packets is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.
Examples
# Enable logging for IPsec packets.
<Sysname> system-view
[Sysname] ipsec logging packet enable
ipsec profile
Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.
Use undo ipsec profile to delete an IPsec profile.
Syntax
ipsec profile profile-name [ manual | isakmp ]
undo ipsec profile profile-name
Default
No IPsec profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.
manual: Specifies the IPsec SA setup mode as manual.
isakmp: Specifies the IPsec SA setup mode as IKE.
Usage guidelines
When you create an IPsec profile, you must specify the IPsec SA setup mode (manual or isakmp). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode.
A manual IPsec profile is used exclusively for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.
An IKE-based IPsec profile uses IKE negotiation to establish IPsec SAs to protect IPv4 and IPv6 application protocols. An IKE-based IPsec profile does not require you to specify the remote end address or an ACL.
Examples
# Create a manual IPsec profile named profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 manual
[Sysname-ipsec-profile-manual-profile1]
# Create an IKE-based IPsec profile named profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1]
Related commands
display ipsec profile
ipsec sa global-duration
Use ipsec sa global-duration to configure the global IPsec SA lifetime.
Use undo ipsec sa global-duration to restore the default.
Syntax
ipsec sa global-duration { time-based seconds | traffic-based kilobytes }
undo ipsec sa global-duration { time-based | traffic-based }
Default
The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.
Usage guidelines
When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.
An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.
Examples
# Configure the global IPsec SA lifetime as 7200 seconds.
<Sysname> system-view
[Sysname] ipsec sa global-duration time-based 7200
# Configure the global IPsec SA lifetime as 10240 kilobytes.
[Sysname] ipsec sa global-duration traffic-based 10240
Related commands
display ipsec sa
sa duration
ipsec sa idle-time
Use ipsec sa idle-time to enable the global IPsec SA idle timeout feature and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo ipsec sa idle-time to disable the global IPsec SA idle timeout feature.
Syntax
ipsec sa idle-time seconds
undo ipsec sa idle-time
Default
The global IPsec SA idle timeout feature is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This feature applies only to IPsec SAs negotiated by IKE.
The IPsec SA idle timeout can also be configured in IPsec profile view, which takes precedence over the global IPsec SA timeout.
Examples
# Enable the global IPsec SA idle timeout feature and set the IPsec SA idle timeout to 600 seconds.
<Sysname> system-view
[Sysname] ipsec sa idle-time 600
Related commands
display ipsec sa
sa idle-time
ipsec transform-set
Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set.
Use undo ipsec transform-set to delete an IPsec transform set.
Syntax
ipsec transform-set transform-set-name
undo ipsec transform-set transform-set-name
Default
No IPsec transform sets exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.
Usage guidelines
An IPsec transform set, part of an IPsec profile, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, authentication algorithms, and encapsulation mode.
Examples
# Create an IPsec transform set named tran1 and enter its view.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-transform-set-tran1]
Related commands
display ipsec transform-set
pfs
Use pfs to enable the Perfect Forward Secrecy (PFS) feature for an IPsec transform set.
Use undo pfs to restore the default.
Syntax
pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group24 }
undo pfs
Default
The PFS feature is disabled for the IPsec transform set.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
dh-group1: Uses 768-bit Diffie-Hellman group.
dh-group2: Uses 1024-bit Diffie-Hellman group.
dh-group5: Uses 1536-bit Diffie-Hellman group.
dh-group14: Uses 2048-bit Diffie-Hellman group.
dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.
Usage guidelines
In terms of security and necessary calculation time, the following groups are in descending order: 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24), 2048-bit Diffie-Hellman group (dh-group14), 1536-bit Diffie-Hellman group (dh-group5), 1024-bit Diffie-Hellman group (dh-group2), and 768-bit Diffie-Hellman group (dh-group1).
If IKEv1 is used, the security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder.
The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.
Examples
# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] pfs dh-group14
protocol
Use protocol to specify a security protocol for an IPsec transform set.
Use undo protocol to restore the default.
Syntax
protocol { ah | ah-esp | esp }
undo protocol
Default
The IPsec transform set uses the ESP protocol.
Views
IPsec transform set view
Predefined user roles
network-admin
mdc-admin
Parameters
ah: Specifies the AH protocol.
ah-esp: Specifies using the ESP protocol first and then using the AH protocol.
esp: Specifies the ESP protocol.
Usage guidelines
The two tunnel ends must use the same security protocol in the IPsec transform set.
Examples
# Specify the AH protocol for the IPsec transform set.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] protocol ah
reset ipsec sa
Use reset ipsec sa to clear IPsec SAs.
Syntax
reset ipsec sa [ profile profile-name | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.
spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.
· ipv4-address: Specifies a remote IPv4 address.
· ipv6 ipv6-address: Specifies a remote IPv6 address.
· ah: Specifies the AH protocol.
· esp: Specifies the ESP protocol.
· spi-num: Specifies the security parameter index in the range of 256 to 4294967295.
Usage guidelines
If you do not specify any parameters, this command clears all IPsec SAs.
If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).
An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.
After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec profile. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets.
Examples
# Clear all IPsec SAs.
<Sysname> reset ipsec sa
# Clear the inbound and outbound IPsec SAs for the triplet of SPI 256, remote IP address 10.1.1.2, and security protocol AH.
<Sysname> reset ipsec sa spi 10.1.1.2 ah 256
Related commands
display ipsec sa
reset ipsec statistics
Use reset ipsec statistics to clear IPsec packet statistics.
Syntax
reset ipsec statistics [ tunnel-id tunnel-id ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967295. If you do not specify this option, the command clears all IPsec packet statistics.
Examples
# Clear IPsec packet statistics.
<Sysname> reset ipsec statistics
Related commands
display ipsec statistics
sa duration
Use sa duration to set an SA lifetime.
Use undo sa duration to remove an SA lifetime.
Syntax
sa duration { time-based seconds | traffic-based kilobytes }
undo sa duration { time-based | traffic-based }
Default
The SA lifetime of an IPsec profile is the current global SA lifetime.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.
traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 kilobytes.
Usage guidelines
IKE prefers the SA lifetime of the IPsec profile over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec profile is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.
During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.
Examples
# Set the SA lifetime to 7200 seconds for IPsec profile profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] sa duration time-based 7200
# Set the SA lifetime to 20 MB for IPsec profile profile1. The IPsec SA expires after transmitting 20480 kilobytes of traffic.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] sa duration traffic-based 20480
Related commands
display ipsec sa
ipsec sa global-duration
sa hex-key authentication
Use sa hex-key authentication to configure an authentication key for a manual IPsec SA.
Use undo sa hex-key authentication to delete an authentication key for a manual IPsec SA.
Syntax
sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } string
undo sa hex-key authentication { inbound | outbound } { ah | esp }
Default
No hexadecimal authentication keys are configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal authentication key for the inbound SA.
outbound: Specifies a hexadecimal authentication key for the outbound SA.
ah: Uses AH.
esp: Uses ESP.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its plaintext form is case insensitive and must be a 32-byte hexadecimal string for HMAC-SM3, a 20-byte hexadecimal string for HMAC-SHA1 and a 16-byte hexadecimal string for HMAC-MD5. Its encrypted form is a case-sensitive string of 1 to 85 characters.
Usage guidelines
This command applies only to manual IPsec profiles.
You must set an authentication key for both the inbound and outbound SAs.
The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
If you execute this command multiple times for the same protocol and direction, the most recent configuration takes effect.
Examples
# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00
Related commands
display ipsec sa
sa string-key
sa hex-key encryption
Use sa hex-key encryption to configure an encryption key for a manual IPsec SA.
Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA.
Syntax
sa hex-key encryption { inbound | outbound } esp { cipher | simple } string
undo sa hex-key encryption { inbound | outbound } esp
Default
No hexadecimal encryption keys are configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies a hexadecimal encryption key for the inbound SA.
outbound: Specifies a hexadecimal encryption key for the outbound SA.
esp: Uses ESP.
cipher: Specifies a key in encrypted form.
simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.
The following matrix shows the key length for the algorithms:
Algorithm | Key length (bytes) |
---|---|
DES-CBC | 8 |
3DES-CBC | 24 |
AES128-CBC | 16 |
AES192-CBC | 24 |
AES256-CBC | 32 |
SM4128-CBC | 16 |
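The key-length rules for sa hex-key authentication and sa hex-key encryption are easy to get wrong when keys are generated off-box and pasted into two devices, so a pre-check is worth having. The following Python is an added example written for this page, not Comware code: validate_hex_key checks that a plaintext (simple) hex key has exactly the byte length the algorithm requires, and check_key_pairing verifies the cross-pairing rule (local inbound equals remote outbound and vice versa) plus the identical-key rule for profiles applied to IPv6 routing protocols. The algorithm spellings follow the parameter descriptions; the function names are assumptions.

```python
"""Checks on manual-SA hexadecimal keys before they are configured on two peers.

Added illustration for this page, not Comware code. Key lengths are the ones
stated for sa hex-key authentication and sa hex-key encryption; the function
names are assumptions.
"""
import re
from typing import List, Optional

# Required plaintext key length in bytes (sa hex-key authentication).
AUTH_KEY_BYTES = {"hmac-md5": 16, "hmac-sha1": 20, "hmac-sm3": 32}
# Required plaintext key length in bytes (sa hex-key encryption).
ENC_KEY_BYTES = {"des-cbc": 8, "3des-cbc": 24, "aes128-cbc": 16,
                 "aes192-cbc": 24, "aes256-cbc": 32, "sm4128-cbc": 16}
TABLES = {"authentication": AUTH_KEY_BYTES, "encryption": ENC_KEY_BYTES}
HEX = re.compile(r"[0-9a-fA-F]+")


def validate_hex_key(kind: str, algorithm: str, key: str) -> bytes:
    """Validate the plaintext ('simple') form of a hex key for one algorithm.
    Hex digits are case-insensitive; the decoded length must match exactly."""
    if kind not in TABLES:
        raise ValueError("kind must be 'authentication' or 'encryption'")
    table = TABLES[kind]
    if algorithm not in table:
        raise ValueError(f"no hex key length known for {algorithm}")
    if not HEX.fullmatch(key) or len(key) % 2:
        raise ValueError("key must be an even number of hexadecimal digits")
    expected = table[algorithm]
    if len(key) // 2 != expected:
        raise ValueError(f"{algorithm} needs a {expected}-byte key, got {len(key) // 2} bytes")
    return bytes.fromhex(key)


def hex_key_error(kind: str, algorithm: str, key: str) -> Optional[str]:
    """Same check, returning the error text instead of raising (None when valid)."""
    try:
        validate_hex_key(kind, algorithm, key)
        return None
    except ValueError as exc:
        return str(exc)


def check_key_pairing(local_in: str, local_out: str, remote_in: str, remote_out: str,
                      ipv6_routing_protocol: bool = False) -> List[str]:
    """Pairing rules for one SA key across the two tunnel ends: the local
    inbound key must equal the remote outbound key and the local outbound key
    must equal the remote inbound key. For a profile applied to an IPv6 routing
    protocol, the local inbound and outbound keys must also be identical."""
    norm = str.lower  # hex digits are case-insensitive
    problems = []
    if norm(local_in) != norm(remote_out):
        problems.append("local inbound key differs from remote outbound key")
    if norm(local_out) != norm(remote_in):
        problems.append("local outbound key differs from remote inbound key")
    if ipv6_routing_protocol and norm(local_in) != norm(local_out):
        problems.append("IPv6 routing protocol profile: inbound and outbound keys must be identical")
    return problems


if __name__ == "__main__":
    # Constructed sample keys (the same values as in the command examples).
    print(validate_hex_key("authentication", "hmac-md5", "112233445566778899aabbccddeeff00").hex())
    print(hex_key_error("authentication", "hmac-sha1", "112233445566778899aabbccddeeff00"))
    print(check_key_pairing("aa" * 16, "bb" * 16, "bb" * 16, "aa" * 16))
```

Note that a 32-digit key such as 112233445566778899aabbccddeeff00 is valid for HMAC-MD5 (16 bytes) but rejected for HMAC-SHA1, which needs 20 bytes, and that 1234567890abcdef is a DES-CBC length, not an AES length. The check is on the plaintext form only; the cipher form is device-specific and is not validated here.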
Usage guidelines
This command applies only to manual IPsec profiles.
You must set an encryption key for both the inbound and outbound SAs.
The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.
In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.
The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
If you execute this command multiple times for the same direction, the most recent configuration takes effect.
Examples
# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234
Related commands
display ipsec sa
sa string-key
sa idle-time
Use sa idle-time to set the IPsec SA idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.
Use undo sa idle-time to restore the default.
Syntax
sa idle-time seconds
undo sa idle-time
Default
An IPsec profile uses the global IPsec SA idle timeout.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.
Usage guidelines
This feature applies only to IPsec SAs negotiated by IKE and takes effect after the ipsec sa idle-time command is configured.
The IPsec SA idle timeout configured by this command takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command. If the IPsec profile is not configured with the SA idle timeout, IKE uses the global SA idle timeout.
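The lifetime and idle-timeout rules spread across ipsec sa global-duration, sa duration, ipsec sa idle-time and sa idle-time combine in a fixed order: the profile value overrides the global value, IKE then keeps the smaller of the local and peer-proposed lifetimes, and the resulting SA expires when either the time or the traffic limit is reached (or is deleted when idle). The following Python is an added example written for this page, not Comware code, that puts those rules in one place; the Lifetime and IpsecSA classes, the rekey margins and the example timeline are assumptions, while the default values and ranges are the ones stated for the commands.

```python
"""Effective lifetime, negotiation and expiry of an IKE-negotiated IPsec SA.

Added illustration for this page, not Comware code. The classes, function
names and rekey margins are assumptions; the defaults and ranges are the
ones stated for ipsec sa global-duration, sa duration, ipsec sa idle-time
and sa idle-time.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Lifetime:
    seconds: Optional[int] = None     # time-based lifetime
    kilobytes: Optional[int] = None   # traffic-based lifetime


# Defaults of ipsec sa global-duration.
GLOBAL_LIFETIME = Lifetime(seconds=3600, kilobytes=1843200)


def check_ranges(lt: Lifetime, idle: Optional[int] = None) -> None:
    """Reject values outside the documented command ranges."""
    if lt.seconds is not None and not 180 <= lt.seconds <= 604800:
        raise ValueError("time-based lifetime must be 180..604800 seconds")
    if lt.kilobytes is not None and not 2560 <= lt.kilobytes <= 4294967295:
        raise ValueError("traffic-based lifetime must be 2560..4294967295 kilobytes")
    if idle is not None and not 60 <= idle <= 86400:
        raise ValueError("idle timeout must be 60..86400 seconds")


def effective_lifetime(profile: Lifetime, global_lt: Lifetime = GLOBAL_LIFETIME) -> Lifetime:
    """sa duration in the profile wins over ipsec sa global-duration; each
    component not set in the profile falls back to the global value."""
    return Lifetime(
        seconds=profile.seconds if profile.seconds is not None else global_lt.seconds,
        kilobytes=profile.kilobytes if profile.kilobytes is not None else global_lt.kilobytes,
    )


def negotiated_lifetime(local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKE keeps the smaller of the local and the peer-proposed values."""
    return Lifetime(min(local.seconds, peer.seconds), min(local.kilobytes, peer.kilobytes))


def effective_idle_timeout(global_idle: Optional[int], profile_idle: Optional[int]) -> Optional[int]:
    """sa idle-time takes effect only once ipsec sa idle-time is configured;
    the profile value then takes precedence over the global one."""
    if global_idle is None:
        return None
    return profile_idle if profile_idle is not None else global_idle


@dataclass
class IpsecSA:
    lifetime: Lifetime
    idle_timeout: Optional[int]
    created_at: float
    kilobytes: float = 0.0
    last_traffic_at: Optional[float] = None

    def __post_init__(self) -> None:
        if self.last_traffic_at is None:
            self.last_traffic_at = self.created_at

    def record_traffic(self, now: float, nbytes: int) -> None:
        self.kilobytes += nbytes / 1024
        self.last_traffic_at = now

    def status(self, now: float) -> str:
        """The SA expires when either lifetime is reached; an idle SA is deleted
        when no matching traffic has arrived within the idle timeout."""
        if now - self.created_at >= self.lifetime.seconds:
            return "expired-time"
        if self.kilobytes >= self.lifetime.kilobytes:
            return "expired-traffic"
        if self.idle_timeout is not None and now - self.last_traffic_at >= self.idle_timeout:
            return "idle-deleted"
        return "active"

    def needs_rekey(self, now: float, margin: float = 0.1) -> bool:
        """IKE negotiates the replacement SA before expiry; the 10 % margin is an assumption."""
        return (now - self.created_at >= self.lifetime.seconds * (1 - margin)
                or self.kilobytes >= self.lifetime.kilobytes * (1 - margin))


def example_timeline() -> List:
    """Constructed timeline: negotiated 7200 s / 10240 KB lifetime, 600 s idle timeout."""
    sa = IpsecSA(Lifetime(7200, 10240), idle_timeout=600, created_at=0)
    out = [sa.status(100)]                    # active
    sa.record_traffic(100, 5 * 1024 * 1024)   # 5120 KB at t=100
    out.append(sa.status(650))                # active: idle for only 550 s
    out.append(sa.needs_rekey(650))           # False: half the traffic budget, 9 % of the time
    sa.record_traffic(650, 5 * 1024 * 1024)   # cumulative 10240 KB = traffic lifetime
    out.append(sa.status(660))                # expired-traffic
    idle = IpsecSA(Lifetime(7200, 10240), idle_timeout=600, created_at=0)
    out.append(idle.status(599))              # active
    out.append(idle.status(600))              # idle-deleted: no traffic for 600 s
    out.append(idle.needs_rekey(6500))        # True: within 10 % of the time lifetime
    return out
```

With a profile that sets only sa duration time-based 7200, the effective local lifetime is 7200 s and the global 1843200 KB, and against a peer proposing 28800 s and 10240 KB the negotiated result is 7200 s and 10240 KB, the smaller value of each pair.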
Examples
# Set the IPsec SA idle timeout to 600 seconds for IPsec profile profile1.
<Sysname> system-view
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] sa idle-time 600
Related commands
display ipsec sa
ipsec sa idle-time
sa spi
Use sa spi to configure an SPI for IPsec SAs.
Use undo sa spi to remove the SPI.
Syntax
sa spi { inbound | outbound } { ah | esp } spi-number
undo sa spi { inbound | outbound } { ah | esp }
Default
No SPI is configured for IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Specifies an SPI for inbound SAs.
outbound: Specifies an SPI for outbound SAs.
ah: Uses AH.
esp: Uses ESP.
spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.
Usage guidelines
This command applies only to manual IPsec profiles.
You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.
The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.
When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same SPI.
· The IPsec SAs on the devices in the same scope must have the same SPI. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP4+, the scope consists of BGP4+ peers or a BGP4+ peer group.
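The identification rules in the usage guidelines of reset ipsec sa and sa spi describe one data structure: an outbound SA is unique by its triplet (remote address, security protocol, SPI), an inbound SA by its SPI alone, and SAs created in the same negotiation are cleared together. The following Python models that SA database; it is an added example written for this page, not Comware code. The SA record, the negotiation_id field used to group SAs created together, and the sample entries are assumptions; the outbound lookup matches the full triplet and does not model the relaxation mentioned for profile-established SAs, where the remote address may be any valid value.

```python
"""Model of how IPsec SAs are identified, kept unique and cleared.

Added illustration for this page, not Comware code. The SA record and the
negotiation_id field (shared by every SA produced in one IKE negotiation or
by one manual profile) are assumptions used to express the rules stated for
reset ipsec sa and sa spi.
"""
from dataclasses import dataclass
from typing import List

SPI_MIN, SPI_MAX = 256, 4294967295


@dataclass(frozen=True)
class SA:
    direction: str       # "inbound" or "outbound"
    protocol: str        # "ah" or "esp"
    spi: int
    remote: str          # remote IP address
    negotiation_id: int  # assumption: shared by SAs created together


class SADB:
    def __init__(self) -> None:
        self.sas: List[SA] = []

    def add(self, sa: SA) -> None:
        """Enforce the uniqueness rules of sa spi: an outbound SA is unique by
        its triplet (remote address, protocol, SPI); an inbound SA by SPI alone."""
        if not SPI_MIN <= sa.spi <= SPI_MAX:
            raise ValueError(f"SPI {sa.spi} outside {SPI_MIN}..{SPI_MAX}")
        triplet = (sa.remote, sa.protocol, sa.spi)
        for other in self.sas:
            if other.direction != sa.direction:
                continue
            if sa.direction == "inbound" and other.spi == sa.spi:
                raise ValueError(f"inbound SPI {sa.spi} already in use")
            if sa.direction == "outbound" and (other.remote, other.protocol, other.spi) == triplet:
                raise ValueError(f"outbound triplet {triplet} already in use")
        self.sas.append(sa)

    def match_triplet(self, remote: str, protocol: str, spi: int) -> List[SA]:
        """Lookup used by 'reset ipsec sa spi': an outbound SA must match the full
        triplet; an inbound SA matches on SPI (the other two values may be anything valid)."""
        return [sa for sa in self.sas
                if (sa.direction == "outbound" and (sa.remote, sa.protocol, sa.spi) == (remote, protocol, spi))
                or (sa.direction == "inbound" and sa.spi == spi)]

    def reset(self, remote: str, protocol: str, spi: int) -> List[SA]:
        """Clear the matching SA together with every SA from the same negotiation:
        the opposite direction and, for ah-esp, the other protocol's pair."""
        groups = {sa.negotiation_id for sa in self.match_triplet(remote, protocol, spi)}
        removed = [sa for sa in self.sas if sa.negotiation_id in groups]
        self.sas = [sa for sa in self.sas if sa.negotiation_id not in groups]
        return removed

    def reset_all(self) -> int:
        """'reset ipsec sa' without parameters; returns the number of SAs cleared."""
        n = len(self.sas)
        self.sas = []
        return n


def try_add(db: SADB, sa: SA) -> bool:
    """Return False instead of raising when the uniqueness check rejects the SA."""
    try:
        db.add(sa)
        return True
    except ValueError:
        return False


def routing_protocol_profile_ok(inbound: SA, outbound: SA) -> bool:
    """For a profile applied to an IPv6 routing protocol, the local inbound and
    outbound SAs must use the same SPI."""
    return inbound.spi == outbound.spi


def build_sample_sadb() -> SADB:
    """Constructed sample: one ah-esp negotiation with 10.1.1.2 (four SAs) and
    one ESP-only negotiation with 10.1.1.3 (two SAs)."""
    db = SADB()
    for direction, proto, spi in (("inbound", "ah", 1000), ("outbound", "ah", 2000),
                                  ("inbound", "esp", 1001), ("outbound", "esp", 2001)):
        db.add(SA(direction, proto, spi, "10.1.1.2", negotiation_id=1))
    db.add(SA("inbound", "esp", 3000, "10.1.1.3", negotiation_id=2))
    db.add(SA("outbound", "esp", 4000, "10.1.1.3", negotiation_id=2))
    return db
```

On the sample database, clearing the outbound triplet (10.1.1.2, ah, 2000) removes all four SAs of the ah-esp negotiation, clearing by an inbound SPI works with any remote address and protocol, and an outbound SPI given with the wrong remote address matches nothing. The uniqueness check also shows why the same outbound SPI may be reused towards a different remote address but an inbound SPI may not.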
Examples
# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000
[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000
Related commands
display ipsec sa
sa string-key
Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.
Use undo sa string-key to remove the key string.
Syntax
sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string
undo sa string-key { inbound | outbound } { ah | esp }
Default
No key string is configured for manual IPsec SAs.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
inbound: Sets a key string for inbound IPsec SAs.
outbound: Sets a key string for outbound IPsec SAs.
ah: Uses AH.
esp: Uses ESP.
cipher: Specifies a key string in encrypted form.
simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.
string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.
Usage guidelines
This command applies only to manual IPsec profiles.
You must set a key for both inbound and outbound SAs.
The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.
The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.
When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:
· The local inbound and outbound SAs must use the same key.
· The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Configure the inbound and outbound SAs that use AH to use plaintext keys abcdef and efcdab, respectively.
<Sysname> system-view
[Sysname] ipsec policy policy1 100 manual
[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab
# In an IPv6 IPsec policy, configure the inbound and outbound SAs that use AH to use plaintext key abcdef.
<Sysname> system-view
[Sysname] ipsec ipv6-policy policy1 100 manual
[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key inbound ah simple abcdef
[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key outbound ah simple abcdef
Related commands
display ipsec sa
sa hex-key
snmp-agent trap enable ipsec
Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.
Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.
Syntax
snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *
Default
All SNMP notifications for IPsec are disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
auth-failure: Specifies notifications about authentication failures.
decrypt-failure: Specifies notifications about decryption failures.
encrypt-failure: Specifies notifications about encryption failures.
global: Specifies notifications globally.
invalid-sa-failure: Specifies notifications about invalid-SA failures.
no-sa-failure: Specifies notifications about SA-not-found failures.
policy-add: Specifies notifications about events of adding IPsec profiles.
policy-attach: Specifies notifications about events of applying IPsec profiles to interfaces.
policy-delete: Specifies notifications about events of deleting IPsec profiles.
policy-detach: Specifies notifications about events of removing IPsec profiles from interfaces.
tunnel-start: Specifies notifications about events of creating IPsec tunnels.
tunnel-stop: Specifies notifications about events of deleting IPsec tunnels.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.
To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:
1. Enable SNMP notifications for IPsec globally.
2. Enable SNMP notifications for the failure type or event type.
Examples
# Enable SNMP notifications for IPsec globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ipsec global
# Enable SNMP notifications for events of creating IPsec tunnels.
[Sysname] snmp-agent trap enable ipsec tunnel-start
transform-set
Use transform-set to specify an IPsec transform set for an IPsec profile.
Use undo transform-set to remove the IPsec transform set specified for an IPsec profile.
Syntax
transform-set transform-set-name&<1-6>
undo transform-set [ transform-set-name ]
Default
No IPsec transform set is specified for an IPsec profile.
Views
IPsec profile view
Predefined user roles
network-admin
mdc-admin
Parameters
transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify only one IPsec transform set for a manual IPsec profile. If you execute this command multiple times, the most recent configuration takes effect.
You can specify a maximum of six IPsec transform sets for an IKE-based IPsec profile. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.
If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec policy, IPsec policy template, or IPsec profile.
Examples
# Specify IPsec transform set prop1 for IPsec profile profile1.
<Sysname> system-view
[Sysname] ipsec transform-set prop1
[Sysname-ipsec-transform-set-prop1] quit
[Sysname] ipsec profile profile1 isakmp
[Sysname-ipsec-profile-isakmp-profile1] transform-set prop1
Related commands
ipsec profile
ipsec transform-set
tunnel protection ipsec
Use tunnel protection ipsec to apply an IPsec profile to a tunnel interface.
Use undo tunnel protection ipsec to restore the default.
Syntax
tunnel protection ipsec profile profile-name
undo tunnel protection ipsec profile
Default
No IPsec profile is applied to a tunnel interface.
Views
Tunnel interface view
Predefined user roles
network-admin
mdc-admin
Parameters
profile profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. The specified IPsec profile must be an IKE-based IPsec profile.
Usage guidelines
After an IPsec profile is applied to a tunnel interface, the peers negotiate an IPsec tunnel through IKE to protect data transmitted through the tunnel interface.
Examples
# Apply IPsec profile prf1 to tunnel interface Tunnel 1.
<Sysname> system-view
[Sysname] interface tunnel 1 mode gre
[Sysname-Tunnel1] tunnel protection ipsec profile prf1
Related commands
interface tunnel (Layer 3—IP Services Command Reference)
display interface tunnel (Layer 3—IP Services Command Reference)
ipsec profile
IKE commands
authentication-algorithm
Use authentication-algorithm to specify an authentication algorithm for an IKE proposal.
Use undo authentication-algorithm to restore the default.
Syntax
authentication-algorithm { md5 | sha | sha256 | sha384 | sha512 | sm3 }
undo authentication-algorithm
Default
The IKE proposal uses the HMAC-SHA1 authentication algorithm.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
md5: Specifies the HMAC-MD5 algorithm.
sha: Specifies the HMAC-SHA1 algorithm.
sha256: Specifies the HMAC-SHA256 algorithm.
sha384: Specifies the HMAC-SHA384 algorithm.
sha512: Specifies the HMAC-SHA512 algorithm.
sm3: Specifies the HMAC-SM3 algorithm.
Examples
# Specify HMAC-SHA1 as the authentication algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-algorithm sha
Related commands
display ike proposal
authentication-method
Use authentication-method to specify an authentication method to be used in an IKE proposal.
Use undo authentication-method to restore the default.
Syntax
authentication-method { dsa-signature | pre-share | rsa-de | rsa-signature | sm2-de }
undo authentication-method
Default
The IKE proposal uses the pre-shared key as the authentication method.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
dsa-signature: Specifies the DSA signature authentication method.
pre-share: Specifies the pre-shared key authentication method.
rsa-de: Specifies the RSA digital envelope authentication method.
rsa-signature: Specifies the RSA signature authentication method.
sm2-de: Specifies the SM2 digital envelope authentication method.
Usage guidelines
Pre-shared key authentication does not require certificates as signature authentication does, and it is usually used in a simple network. Signature authentication provides higher security, and it is usually deployed in a large-scale network, such as a network with many branches. In a network with many branches, using pre-shared key authentication requires the headquarters to configure a pre-shared key for each branch. Using signature authentication only requires the headquarters to configure one PKI domain.
Authentication methods configured on both IKE ends must match.
If you specify RSA or DSA signatures, you must configure the IKE peer to obtain certificates from a CA.
If you specify pre-shared keys, you must configure these pre-shared keys on both IKE ends.
Examples
# Specify the pre-shared key authentication method for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] authentication-method pre-share
Related commands
display ike proposal
ike keychain
pre-shared-key
certificate domain
Use certificate domain to specify a PKI domain for signature authentication.
Use undo certificate domain to remove a PKI domain for signature authentication.
Syntax
certificate domain domain-name
undo certificate domain domain-name
Default
No PKI domains are specified for signature authentication.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies the name of a PKI domain, a case-insensitive string of 1 to 31 characters.
Usage guidelines
You can specify a maximum of six PKI domains for an IKE profile by executing this command multiple times.
IKE uses the specified PKI domains for enrollment, authentication, certificate issuing, validation, and signature. If you do not specify any PKI domains, IKE uses all PKI domains configured on the device.
Follow these restrictions and guidelines for the device to obtain the CA certificate during IKE negotiation:
· On the initiator:
¡ If the IKE profile has a PKI domain and the automatic certificate request mode is configured for the PKI domain, the initiator automatically obtains the CA certificate.
¡ If the IKE profile has no PKI domain, you must manually obtain the CA certificate.
· On the responder:
¡ If main mode is used in IKE phase 1, the responder does not automatically obtain the CA certificate. You must manually obtain the CA certificate.
¡ If aggressive mode is used in IKE phase 1, the responder automatically obtains the CA certificate if the following conditions are met:
- A matching IKE profile is found.
- A PKI domain is specified in the IKE profile.
- The automatic certificate request mode is configured for the PKI domain.
If the conditions are not met, you must manually obtain the CA certificate.
IKE first automatically obtains the CA certificate, and then requests a local certificate. If the CA certificate already exists locally, IKE automatically requests a local certificate.
Examples
# Specify PKI domain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] certificate domain abc
Related commands
authentication-method
pki domain
description
Use description to configure a description for an IKE proposal.
Use undo description to restore the default.
Syntax
description text
undo description
Default
An IKE proposal does not have a description.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
text: Specifies the description, a case-sensitive string of 1 to 80 characters.
Usage guidelines
When multiple IKE proposals exist, configure a different description for each of them so that they can be distinguished.
Examples
# Configure a description of test for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] description test
dh
Use dh to specify the DH group to be used for key negotiation in IKE phase 1.
Use undo dh to restore the default.
Syntax
dh { group1 | group14 | group2 | group24 | group5 }
undo dh
Default
The 768-bit Diffie-Hellman group (group1) is used.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
group1: Uses the 768-bit Diffie-Hellman group.
group14: Uses the 2048-bit Diffie-Hellman group.
group2: Uses the 1024-bit Diffie-Hellman group.
group24: Uses the 2048-bit Diffie-Hellman group with the 256-bit prime order subgroup.
group5: Uses the 1536-bit Diffie-Hellman group.
Usage guidelines
A DH group with a higher group number provides higher security but needs more time for processing. To achieve the best trade-off between processing performance and security, choose a proper Diffie-Hellman group for your network.
Examples
# Specify the 2048-bit Diffie-Hellman group group14 to be used for key negotiation in IKE phase 1 in IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] dh group14
Related commands
display ike proposal
display ike proposal
Use display ike proposal to display configuration information about all IKE proposals.
Syntax
display ike proposal
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Usage guidelines
This command displays the configuration information about all IKE proposals in descending order of proposal priorities. If no IKE proposal is configured, this command displays the default IKE proposal.
Examples
# Display the configuration information about all IKE proposals.
<Sysname> display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
method algorithm algorithm group (seconds)
----------------------------------------------------------------------------
1 RSA-SIG SHA1 DES-CBC Group 1 5000
11 PRE-SHARED-KEY SHA1 DES-CBC Group 1 50000
default PRE-SHARED-KEY SHA1 DES-CBC Group 1 86400
Table 8 Command output
Field | Description |
---|---|
Priority | Priority of the IKE proposal. |
Authentication method | Authentication method used by the IKE proposal: · PRE-SHARED-KEY—Pre-shared key. · RSA-SIG—RSA signature. · DSA-SIG—DSA signature. · RSA-DE—RSA digital envelope. · SM2-DE—SM2 digital envelope. |
Authentication algorithm | Authentication algorithm used in the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. · SHA256—HMAC-SHA256 algorithm. · SHA384—HMAC-SHA384 algorithm. · SHA512—HMAC-SHA512 algorithm. · SM3—HMAC-SM3 algorithm. |
Encryption algorithm | Encryption algorithm used by the IKE proposal: · 3DES-CBC—168-bit 3DES algorithm in CBC mode. · AES-CBC-128—128-bit AES algorithm in CBC mode. · AES-CBC-192—192-bit AES algorithm in CBC mode. · AES-CBC-256—256-bit AES algorithm in CBC mode. · DES-CBC—56-bit DES algorithm in CBC mode. · SM4-CBC—128-bit SM4 algorithm in CBC mode. |
Diffie-Hellman group | DH group used in IKE negotiation phase 1. |
Duration (seconds) | IKE SA lifetime (in seconds) of the IKE proposal. |
Related commands
ike proposal
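The display ike proposal output above is the quickest place to spot a phase-1 policy that still negotiates DES-CBC or a small DH group. The following Python script is an added example, not part of the command reference and not device code: it parses that output (the sample is copied from the example above) and flags proposals whose settings fall below a policy threshold. The weak and legacy algorithm sets and the 2048-bit DH minimum are this example's own policy choices; the group sizes are the ones listed under the dh command.

```python
"""Audit the output of 'display ike proposal' for weak IKE phase-1 settings.

Added example, not part of the command reference. The sample output below is
copied from the reference's own 'display ike proposal' example; the
weak-algorithm sets and the DH minimum are this example's policy choices.
"""
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
<Sysname> display ike proposal
Priority Authentication Authentication Encryption Diffie-Hellman Duration
         method         algorithm      algorithm  group          (seconds)
----------------------------------------------------------------------------
1        RSA-SIG        SHA1           DES-CBC    Group 1        5000
11       PRE-SHARED-KEY SHA1           DES-CBC    Group 1        50000
default  PRE-SHARED-KEY SHA1           DES-CBC    Group 1        86400
"""

# Policy (this example's choice, not the device's).
WEAK_ENCRYPTION = {"DES-CBC", "3DES-CBC"}
WEAK_INTEGRITY = {"MD5"}
LEGACY_INTEGRITY = {"SHA1"}
# Modulus sizes as documented under the dh command.
DH_GROUP_BITS = {"Group 1": 768, "Group 2": 1024, "Group 5": 1536,
                 "Group 14": 2048, "Group 24": 2048}
MIN_DH_BITS = 2048


@dataclass
class Proposal:
    priority: str
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str
    lifetime: int


def parse_ike_proposals(text: str) -> List[Proposal]:
    """Parse the table rows that follow the dashed separator line."""
    rows: List[Proposal] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip():
            continue
        tok = line.split()
        # "Group N" occupies two tokens; the lifetime is always the last one.
        rows.append(Proposal(tok[0], tok[1], tok[2], tok[3],
                             " ".join(tok[4:-1]), int(tok[-1])))
    return rows


def audit(proposals: List[Proposal]) -> Dict[str, List[str]]:
    """Return, per proposal priority, the list of policy findings (empty = ok)."""
    findings: Dict[str, List[str]] = {}
    for p in proposals:
        issues: List[str] = []
        if p.enc_alg in WEAK_ENCRYPTION:
            issues.append(f"weak encryption {p.enc_alg}")
        if p.auth_alg in WEAK_INTEGRITY:
            issues.append(f"weak integrity {p.auth_alg}")
        elif p.auth_alg in LEGACY_INTEGRITY:
            issues.append(f"legacy integrity {p.auth_alg}")
        bits = DH_GROUP_BITS.get(p.dh_group, 0)
        if bits < MIN_DH_BITS:
            issues.append(f"DH {p.dh_group} is {bits}-bit (< {MIN_DH_BITS})")
        findings[p.priority] = issues
    return findings


if __name__ == "__main__":
    for prio, issues in audit(parse_ike_proposals(SAMPLE_OUTPUT)).items():
        print(prio, "; ".join(issues) or "ok")
```

Because the default proposal is always present and cannot be changed, the audit will always report it; the useful signal is whether a user-defined proposal with stronger settings exists above it and whether the established SA actually uses it (compare with display ike sa verbose).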
display ike sa
Use display ike sa to display information about IKE SAs.
Syntax
display ike sa [ verbose [ connection-id connection-id [ vpn-instance vpn-instance-name ] ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
verbose: Displays detailed information.
connection-id connection-id: Displays detailed information about IKE SAs by connection ID in the range of 1 to 2000000000.
vpn-instance vpn-instance-name: Displays detailed information about IKE SAs in an MPLS L3VPN instance. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays detailed information about IKE SAs for the public network.
Usage guidelines
If you do not specify any parameters, this command displays summary information about all IKE SAs.
Examples
# Display summary information about all IKE SAs.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
Table 9 Command output
Field | Description |
---|---|
Connection-ID | Identifier of the IKE SA. |
Remote | Remote IP address of the SA. |
Flags | Status of the SA: · RD--READY—The SA has been established. · RL--REPLACED—The SA has been replaced by a new one and will be deleted later. · FD-FADING—The SA is in use, but it is about to expire and will be deleted soon. · RK-REKEY—The SA is a Rekey SA. · Unknown—The SA status is unknown. |
DOI | Interpretation domain to which the SA belongs. IPsec—The SA belongs to an IPsec DOI. |
# Display detailed information about all IKE SAs.
<Sysname> display ike sa verbose
---------------------------------------------
Connection ID: 2
Outside VPN:
Inside VPN:
Profile: prof1
Transmitting entity: Initiator
---------------------------------------------
Local IP: 4.4.4.4
Local ID type: IPV4_ADDR
Local ID: 4.4.4.4
Remote IP: 4.4.4.5
Remote ID type: IPV4_ADDR
Remote ID: 4.4.4.5
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: AES-CBC-128
Life duration(sec): 86400
Remaining key duration(sec): 86379
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Not detected
Extend authentication: Disabled
Assigned IP address:
Table 10 Command output
Field | Description |
---|---|
Connection ID | Identifier of the IKE SA. |
Outside VPN | This field is not supported in the current software version. VPN instance name of the MPLS L3VPN to which the receiving interface belongs. |
Inside VPN | VPN instance name of the MPLS L3VPN to which the protected data belongs. |
Profile | Name of the matching IKE profile found in the IKE SA negotiation. If no matching profile is found, this field displays nothing. |
Transmitting entity | Role of the IKE negotiation entity: Initiator or Responder. |
Local IP | IP address of the local gateway. |
Local ID type | This field is not supported in the current software version. Identifier type of the local gateway. |
Local ID | This field is not supported in the current software version. Identifier of the local gateway. |
Remote IP | This field is not supported in the current software version. IP address of the remote gateway. |
Remote ID type | This field is not supported in the current software version. Identifier type of the remote gateway. |
Remote ID | This field is not supported in the current software version. Identifier of the remote security gateway. |
Authentication-method | Authentication method used by the IKE proposal: · PRE-SHARED-KEY—Pre-shared key. · RSA-SIG—RSA signature. · DSA-SIG—DSA signature. · RSA-DE—RSA digital envelope. · SM2-DE—SM2 digital envelope. |
Authentication-algorithm | Authentication algorithm used by the IKE proposal: · MD5—HMAC-MD5 algorithm. · SHA1—HMAC-SHA1 algorithm. · SHA256—HMAC-SHA256 algorithm. · SHA384—HMAC-SHA384 algorithm. · SHA512—HMAC-SHA512 algorithm. · SM3—HMAC-SM3 algorithm. |
Encryption-algorithm | Encryption algorithm used by the IKE proposal: · 3DES-CBC—168-bit 3DES algorithm in CBC mode. · AES-CBC-128—128-bit AES algorithm in CBC mode. · AES-CBC-192—192-bit AES algorithm in CBC mode. · AES-CBC-256—256-bit AES algorithm in CBC mode. · DES-CBC—56-bit DES algorithm in CBC mode. · SM1-CBC-128—128-bit SM1 algorithm in CBC mode. · SM4-CBC—128-bit SM4 algorithm in CBC mode. |
Life duration(sec) | Lifetime of the IKE SA in seconds. |
Remaining key duration(sec) | Remaining lifetime of the IKE SA in seconds. |
Exchange-mode | IKE negotiation mode in phase 1: Main or Aggressive. |
Diffie-Hellman group | DH group used for key negotiation in IKE phase 1. |
NAT traversal | Whether a NAT gateway is detected. |
Extend authentication | Whether extended authentication for clients is enabled. |
Assigned IP address | IP address assigned to the remote peer. This field is not displayed if no IP address is assigned. |
display ike statistics
Use display ike statistics to display IKE statistics.
Syntax
display ike statistics
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Examples
# Display IKE statistics.
<Sysname> display ike statistics
IKE statistics:
No matching proposal: 0
Invalid ID information: 0
Unavailable certificate: 0
Unsupported DOI: 0
Unsupported situation: 0
Invalid proposal syntax: 0
Invalid SPI: 0
Invalid protocol ID: 0
Invalid certificate: 0
Authentication failure: 0
Invalid flags: 0
Invalid message id: 0
Invalid cookie: 0
Invalid transform ID: 0
Malformed payload: 0
Invalid key information: 0
Invalid hash information: 0
Unsupported attribute: 0
Unsupported certificate type: 0
Invalid certificate authority: 0
Invalid signature: 0
Unsupported exchange type: 0
No available SA: 1
Retransmit timeout: 0
Not enough memory: 0
Enqueue fails: 0
Related commands
reset ike statistics
dpd
Use dpd to configure IKE DPD.
Use undo dpd to disable IKE DPD.
Syntax
dpd interval interval [ retry seconds ] { on-demand | periodic }
undo dpd interval
Default
IKE DPD is disabled.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.
retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure on-demand DPD to be triggered every 10 seconds, with a retry every 5 seconds if the peer does not respond.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] dpd interval 10 retry 5 on-demand
Related commands
ike dpd
encryption-algorithm
Use encryption-algorithm to specify an encryption algorithm for an IKE proposal.
Use undo encryption-algorithm to restore the default.
Syntax
encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | sm4-cbc }
undo encryption-algorithm
Default
An IKE proposal uses the 56-bit DES encryption algorithm in CBC mode.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
3des-cbc: Specifies the 3DES algorithm in CBC mode. The 3DES algorithm uses a 168-bit key for encryption.
aes-cbc-128: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 128-bit key for encryption.
aes-cbc-192: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 192-bit key for encryption.
aes-cbc-256: Specifies the AES algorithm in CBC mode. The AES algorithm uses a 256-bit key for encryption.
des-cbc: Specifies the DES algorithm in CBC mode. The DES algorithm uses a 56-bit key for encryption.
sm4-cbc: Specifies the SM4 algorithm in CBC mode. The SM4 algorithm uses a 128-bit key for encryption.
Examples
# Use the 128-bit AES algorithm in CBC mode as the encryption algorithm for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] encryption-algorithm aes-cbc-128
Related commands
display ike proposal
exchange-mode
Use exchange-mode to select an IKE negotiation mode for phase 1.
Use undo exchange-mode to restore the default.
Syntax
exchange-mode { aggressive | main }
undo exchange-mode
Default
Main mode is used for phase 1.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
aggressive: Specifies the aggressive mode.
main: Specifies the main mode.
Usage guidelines
As a best practice, specify the aggressive mode at the local end if the following conditions are met:
· The local end, for example, a dialup user, obtains an IP address automatically.
· Pre-shared key authentication is used.
Examples
# Specify that IKE negotiation operates in main mode.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] exchange-mode main
Related commands
display ike proposal
ike dpd
Use ike dpd to configure global IKE DPD.
Use undo ike dpd to disable global IKE DPD.
Syntax
ike dpd interval interval [ retry seconds ] { on-demand | periodic }
undo ike dpd interval
Default
Global IKE DPD is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval interval: Specifies a DPD triggering interval in the range of 1 to 300 seconds.
retry seconds: Specifies the DPD retry interval in the range of 1 to 60 seconds. The default is 5 seconds.
on-demand: Triggers DPD on demand. The device triggers DPD if it has IPsec traffic to send and has not received any IPsec packets from the peer for the specified interval.
periodic: Triggers DPD at regular intervals. The device triggers DPD at the specified interval.
Usage guidelines
DPD is triggered periodically or on-demand. As a best practice, use the on-demand mode when the device communicates with a large number of IKE peers. For an earlier detection of dead peers, use the periodic triggering mode, which consumes more bandwidth and CPU.
When DPD settings are configured in both IKE profile view and system view, the DPD settings in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD detection does not occur during a DPD retry.
Examples
# Configure global on-demand DPD to be triggered every 10 seconds, with a retry every 5 seconds if the peer does not respond.
<Sysname> system-view
[Sysname] ike dpd interval 10 retry 5 on-demand
Related commands
dpd
ike identity
Use ike identity to specify the global identity used by the local end during IKE negotiations.
Use undo ike identity to restore the default.
Syntax
ike identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo ike identity
Default
The IP address of the interface where the IPsec profile applies is used as the IKE identity.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the identity.
dn: Uses the DN in the digital signature as the identity.
fqdn fqdn-name: Uses the FQDN name as the identity. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, [email protected]. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
The global local identity can be used for all IKE SA negotiations. The local identity (set by the local-identity command for an IKE profile) can be used only for IKE SA negotiations that use the IKE profile.
If the local authentication method is signature authentication, you can set an identity of any type. If the local authentication method is pre-shared key authentication, you cannot set the DN as the identity.
The ike signature-identity from-certificate command sets the local device to always use the identity information obtained from the local certificate for signature authentication. If the ike signature-identity from-certificate command is not set, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Specify IP address 2.2.2.2 as the identity.
<sysname> system-view
[sysname] ike identity address 2.2.2.2
Related commands
local-identity
ike signature-identity from-certificate
ike invalid-spi-recovery enable
Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.
Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery.
Syntax
ike invalid-spi-recovery enable
undo ike invalid-spi-recovery enable
Default
Invalid SPI recovery is disabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
An IPsec "black hole" occurs when one IPsec peer fails (for example, because of a reboot) and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, it encounters an invalid SPI. The peer drops the data packet and tries to send an invalid SPI notification to the data originator. This notification is sent by using the IKE SA, so when no IKE SA is available, the notification is not sent. The originating peer continues sending data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an invalid SPI notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
Use caution when you enable the invalid SPI recovery feature, because it can be abused for a DoS attack: an attacker can cause a great number of invalid SPI notifications to be generated toward the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ike invalid-spi-recovery enable
ike keepalive interval
Use ike keepalive interval to set the IKE keepalive interval.
Use undo ike keepalive interval to restore the default.
Syntax
ike keepalive interval interval
undo ike keepalive interval
Default
No IKE keepalives are sent.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
interval: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive feature, unless IKE DPD is not supported on the peer.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval.
Examples
# Set the keepalive interval to 200 seconds.
<Sysname> system-view
[Sysname] ike keepalive interval 200
Related commands
ike keepalive timeout
ike keepalive timeout
Use ike keepalive timeout to set the IKE keepalive timeout time.
Use undo ike keepalive timeout to restore the default.
Syntax
ike keepalive timeout seconds
undo ike keepalive timeout
Default
The IKE keepalive timeout time is not set.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives. The value range for this argument is 20 to 28800.
Usage guidelines
If the local end receives no keepalive packets from the peer during the timeout time, the IKE SA is deleted along with the IPsec SAs it negotiated.
The keepalive timeout time configured at the local end must be longer than the keepalive interval configured at the peer. Because more than three consecutive packets are rarely lost on a network, you can set the keepalive timeout time to three times as long as the keepalive interval.
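The dpd, ike dpd, ike keepalive interval and ike keepalive timeout guidelines above amount to a small set of rules: profile-view DPD overrides system-view DPD, the DPD triggering interval should exceed the retry interval, and the local keepalive timeout must exceed (ideally by 3x) the peer's keepalive interval. The following Python checker is an added example, not device code, that applies those rules to configuration values before they are committed. The timer values at the bottom are constructed; the value ranges are the ones the commands document.

```python
"""Resolve the effective IKE DPD settings and sanity-check the IKE liveness
timers described under 'dpd', 'ike dpd', 'ike keepalive interval' and
'ike keepalive timeout'.

Added example, not the device's own code. Timer values used in the demo
are constructed; the ranges are the documented ones.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DpdSettings:
    interval: int            # triggering interval, 1..300 seconds
    retry: int = 5           # retry interval, 1..60 seconds (default 5)
    mode: str = "on-demand"  # "on-demand" or "periodic"


def effective_dpd(profile: Optional[DpdSettings],
                  system: Optional[DpdSettings]) -> Optional[DpdSettings]:
    """DPD configured in IKE profile view takes precedence; system view is the fallback."""
    return profile if profile is not None else system


def check_dpd(s: DpdSettings) -> List[str]:
    """Return the guideline violations for one DPD configuration (empty = ok)."""
    issues: List[str] = []
    if not 1 <= s.interval <= 300:
        issues.append(f"DPD triggering interval {s.interval} s is outside 1..300")
    if not 1 <= s.retry <= 60:
        issues.append(f"DPD retry interval {s.retry} s is outside 1..60")
    if s.mode not in ("on-demand", "periodic"):
        issues.append(f"unknown DPD mode {s.mode!r}")
    # Guideline: keep the triggering interval longer than the retry interval so
    # that a new detection does not start while a retry is still pending.
    if s.interval <= s.retry:
        issues.append(f"DPD triggering interval ({s.interval} s) should be longer "
                      f"than the retry interval ({s.retry} s)")
    return issues


def check_keepalive(local_timeout: int, peer_interval: int) -> List[str]:
    """Check the local 'ike keepalive timeout' against the peer's 'ike keepalive interval'."""
    issues: List[str] = []
    for name, value in (("timeout", local_timeout), ("peer interval", peer_interval)):
        if not 20 <= value <= 28800:
            issues.append(f"keepalive {name} {value} s is outside 20..28800")
    if local_timeout <= peer_interval:
        issues.append(f"keepalive timeout ({local_timeout} s) must be longer than "
                      f"the peer's keepalive interval ({peer_interval} s)")
    elif local_timeout < 3 * peer_interval:
        # Guideline: three consecutive losses are rare, so 3x the interval is
        # the recommended timeout.
        issues.append(f"keepalive timeout ({local_timeout} s) is below 3 x the peer's "
                      f"interval ({3 * peer_interval} s)")
    return issues


if __name__ == "__main__":
    # Constructed values: a profile overriding a periodic global setting.
    dpd = effective_dpd(DpdSettings(10, 5), DpdSettings(30, 5, "periodic"))
    print(dpd, check_dpd(dpd) or "ok")
    print(check_dpd(DpdSettings(5, 10)))     # retry longer than the trigger interval
    print(check_keepalive(600, 200) or "ok")  # 3 x the peer's interval
    print(check_keepalive(300, 200))          # longer than the interval, but below 3 x
```

The checker only encodes what the guidelines state; it does not model the keepalive feature's own default (keepalives disabled until an interval is set), so call check_keepalive only for peers on which both commands are configured.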
Examples
# Set the keepalive timeout time to 20 seconds.
<Sysname> system-view
[Sysname] ike keepalive timeout 20
Related commands
ike keepalive interval
ike keychain
Use ike keychain to create an IKE keychain and enter its view, or enter the view of an existing IKE keychain.
Use undo ike keychain to delete an IKE keychain.
Syntax
ike keychain keychain-name [ vpn-instance vpn-instance-name ]
undo ike keychain keychain-name [ vpn-instance vpn-instance-name ]
Default
No IKE keychains exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IKE keychain belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. To create an IKE keychain for the public network, do not specify this option.
Usage guidelines
To use pre-shared key authentication, you must create and specify an IKE keychain for the IKE profile.
Examples
# Create IKE keychain key1 and enter its view.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1]
Related commands
authentication-method
pre-shared-key
ike limit
Use ike limit to set the maximum number of half-open or established IKE SAs.
Use undo ike limit to restore the default.
Syntax
ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
undo ike limit { max-negotiating-sa | max-sa }
Default
The maximum number of half-open IKE SAs and IPsec SAs is 200. The number of established IKE SAs is not limited.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and IPsec SAs. The value range for the negotiation-limit argument is 2 to 99999.
max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range for the sa-limit argument is 1 to 99999.
Usage guidelines
The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.
Examples
# Set the maximum number of half-open IKE SAs and IPsec SAs to 200.
<Sysname> system-view
[Sysname] ike limit max-negotiating-sa 200
# Set the maximum number of established IKE SAs to 5000.
<Sysname> system-view
[Sysname] ike limit max-sa 5000
ike nat-keepalive
Use ike nat-keepalive to set the NAT keepalive interval.
Use undo ike nat-keepalive to restore the default.
Syntax
ike nat-keepalive seconds
undo ike nat-keepalive
Default
The NAT keepalive interval is 20 seconds.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the NAT keepalive interval in seconds, in the range of 5 to 300.
Usage guidelines
This command takes effect only for a device that resides in the private network behind a NAT gateway. The device behind the NAT gateway needs to send NAT keepalives to its peer to keep the NAT session alive, so that the peer can access the device.
The NAT keepalive interval must be shorter than the NAT session lifetime. For information about how to display the lifetime of NAT sessions, see Layer 3–IP Services Command Reference.
Examples
# Set the NAT keepalive interval to 5 seconds.
<Sysname> system-view
[Sysname] ike nat-keepalive 5
ike profile
Use ike profile to create an IKE profile and enter its view, or enter the view of an existing IKE profile.
Use undo ike profile to delete an IKE profile.
Syntax
ike profile profile-name
undo ike profile profile-name
Default
No IKE profiles exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
profile-name: Specifies an IKE profile name, a case-insensitive string of 1 to 63 characters.
Examples
# Create IKE profile 1 and enter its view.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1]
ike proposal
Use ike proposal to create an IKE proposal and enter its view, or enter the view of an existing IKE proposal.
Use undo ike proposal to delete an IKE proposal.
Syntax
ike proposal proposal-number
undo ike proposal proposal-number
Default
An IKE proposal exists, which has the lowest priority and uses the following settings:
· Encryption algorithm—DES-CBC.
· Authentication algorithm—HMAC-SHA1.
· Authentication method—Pre-shared key authentication.
· DH group—Group1.
· IKE SA lifetime—86400 seconds.
You cannot change the settings of the default IKE proposal.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
proposal-number: Specifies an IKE proposal number in the range of 1 to 65535. The lower the number, the higher the priority of the IKE proposal.
Usage guidelines
During IKE negotiation:
· The initiator sends its IKE proposals to the peer.
¡ If the initiator is using an IPsec profile with an IKE profile, the initiator sends all IKE proposals specified for the IKE profile to the peer. An IKE proposal specified earlier for the IKE profile has a higher priority.
¡ If the initiator is using no IKE profile, the initiator sends all its IKE proposals to the peer. An IKE proposal with a smaller number has a higher priority.
· The peer searches its own IKE proposals for a match. The search starts from the IKE proposal with the highest priority and proceeds in descending order of priority until a match is found. The matching IKE proposals are used to establish the IKE SA. If none of the user-defined IKE proposals match, the two peers use their default IKE proposals to establish the IKE SA.
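The selection procedure above has two consequences that are easy to miss: the initiator's ordering only decides what is offered, not what is chosen (the responder walks its own list), and a pair of peers with no common user-defined proposal silently falls back to the DES-CBC/group1 default. The following Python model is an added example, not the device's own code, that reproduces the procedure on constructed proposal sets. A match is decided on authentication method, authentication algorithm, encryption algorithm and DH group; IKE SA lifetime handling is not modelled.

```python
"""Model of IKE proposal selection as described under 'ike proposal'.

Added example, not part of the command reference and not the device's own
code. Proposal numbers and algorithm sets are constructed. A match is
decided on the four algorithm fields; IKE SA lifetime is not modelled.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    number: int        # 1..65535 for user-defined proposals; lower = higher priority
    auth_method: str
    auth_alg: str
    enc_alg: str
    dh_group: str

    def algorithms(self) -> Tuple[str, str, str, str]:
        return (self.auth_method, self.auth_alg, self.enc_alg, self.dh_group)


# The default proposal listed under 'ike proposal'; number 0 marks it here.
DEFAULT_PROPOSAL = IkeProposal(0, "PRE-SHARED-KEY", "SHA1", "DES-CBC", "Group 1")


def initiator_offer(proposals: Dict[int, IkeProposal],
                    profile_order: Optional[List[int]] = None) -> List[IkeProposal]:
    """Proposals the initiator sends, highest priority first.

    With an IKE profile, the order is the order in which the proposals were
    specified for the profile; without one, ascending proposal number. The
    default proposal is appended as the final fallback.
    """
    if profile_order is not None:
        offered = [proposals[n] for n in profile_order]
    else:
        offered = [proposals[n] for n in sorted(proposals)]
    return offered + [DEFAULT_PROPOSAL]


def responder_select(offered: List[IkeProposal],
                     own: Dict[int, IkeProposal]) -> Optional[IkeProposal]:
    """Walk the responder's own proposals from highest to lowest priority and
    return the first one whose algorithms appear in the initiator's offer."""
    offered_algs = {p.algorithms() for p in offered}
    for candidate in [own[n] for n in sorted(own)] + [DEFAULT_PROPOSAL]:
        if candidate.algorithms() in offered_algs:
            return candidate
    return None


def negotiate(initiator: Dict[int, IkeProposal], responder: Dict[int, IkeProposal],
              profile_order: Optional[List[int]] = None) -> Optional[IkeProposal]:
    return responder_select(initiator_offer(initiator, profile_order), responder)


# Constructed configurations for two peers.
LOCAL = {
    1: IkeProposal(1, "RSA-SIG", "SHA256", "AES-CBC-256", "Group 14"),
    10: IkeProposal(10, "PRE-SHARED-KEY", "SHA256", "AES-CBC-128", "Group 14"),
    20: IkeProposal(20, "PRE-SHARED-KEY", "SHA1", "AES-CBC-128", "Group 2"),
}
REMOTE = {
    5: IkeProposal(5, "PRE-SHARED-KEY", "SHA256", "AES-CBC-128", "Group 14"),
    6: IkeProposal(6, "PRE-SHARED-KEY", "SHA1", "AES-CBC-128", "Group 2"),
}
REMOTE_NO_OVERLAP = {
    7: IkeProposal(7, "PRE-SHARED-KEY", "SHA512", "AES-CBC-256", "Group 24"),
}

if __name__ == "__main__":
    print(negotiate(LOCAL, REMOTE))             # responder's proposal 5
    print(negotiate(LOCAL, REMOTE, [20, 10]))   # still 5: the responder walks its own list
    print(negotiate(LOCAL, REMOTE_NO_OVERLAP))  # default proposal (DES-CBC, Group 1)
```

When negotiate returns DEFAULT_PROPOSAL, the IKE SA was established on the unchangeable default settings; on a live device the same condition shows up as DES-CBC and Group 1 in display ike sa verbose, which is worth alerting on.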
Examples
# Create IKE proposal 1 and enter its view.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1]
Related commands
display ike proposal
ike signature-identity from-certificate
Use ike signature-identity from-certificate to configure the local device to obtain the identity information from the local certificate for signature authentication.
Use undo ike signature-identity from-certificate to restore the default.
Syntax
ike signature-identity from-certificate
undo ike signature-identity from-certificate
Default
The local end uses the identity information specified by local-identity or ike identity for signature authentication.
Views
System view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This command requires the local device to always use the identity information in the local certificate for signature authentication, regardless of the local-identity or ike identity configuration.
Configure this command when the aggressive mode and signature authentication are used and the device interconnects with a Comware 5-based peer device. Comware 5 supports only DN for signature authentication.
If the ike signature-identity from-certificate command is not configured, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration.
Examples
# Configure the local device to always obtain the identity information from the local certificate for signature authentication.
<Sysname> system-view
[sysname] ike signature-identity from-certificate
Related commands
local-identity
ike identity
keychain
Use keychain to specify an IKE keychain for pre-shared key authentication.
Use undo keychain to remove an IKE keychain.
Syntax
keychain keychain-name
undo keychain keychain-name
Default
No IKE keychain is specified for pre-shared key authentication.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
keychain-name: Specifies an IKE keychain name, a case-insensitive string of 1 to 63 characters.
Usage guidelines
You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority.
Examples
# Specify IKE keychain abc for IKE profile 1.
<Sysname> system-view
[Sysname] ike profile 1
[Sysname-ike-profile-1] keychain abc
Related commands
ike keychain
local-identity
Use local-identity to configure the local ID, the ID that the device uses to identify itself to the peer during IKE negotiation.
Use undo local-identity to restore the default.
Syntax
local-identity { address { ipv4-address | ipv6 ipv6-address } | dn | fqdn [ fqdn-name ] | user-fqdn [ user-fqdn-name ] }
undo local-identity
Default
No local ID is configured for an IKE profile. An IKE profile uses the local ID configured in system view by using the ike identity command. If the local ID is not configured in system view, the IKE profile uses the IP address of the interface to which the IPsec profile is applied as the local ID.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
address { ipv4-address | ipv6 ipv6-address }: Uses an IPv4 or IPv6 address as the local ID.
dn: Uses the DN in the local certificate as the local ID.
fqdn fqdn-name: Uses an FQDN as the local ID. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com. If you do not specify this argument, the device name configured by using the sysname command is used as the local FQDN.
user-fqdn user-fqdn-name: Uses a user FQDN as the local ID. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as [email protected]. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN.
Usage guidelines
For digital signature authentication, the device can use any type of ID. For pre-shared key authentication, the device can use any type of ID other than the DN.
In digital signature authentication, if the local ID is an IP address that is different from the IP address in the local certificate, the device uses its FQDN instead. The FQDN is the device name configured by using the sysname command.
The initiator uses the local ID to identify itself to the responder. The responder compares the initiator's ID with the peer IDs configured by the match remote command to look for a matching IKE profile.
An IKE profile can have only one local ID.
An IKE profile with no local ID specified uses the local ID configured by using the ike identity command in system view.
Examples
# Set the local ID to IP address 2.2.2.2.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] local-identity address 2.2.2.2
Related commands
match remote
ike identity
match local address (IKE keychain view)
Use match local address to specify a local interface or IP address to which an IKE keychain can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
undo match local address
Default
An IKE keychain can be applied to any local interface or IP address.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the IPv4 or IPv6 address is a public address, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE keychain for IKE negotiation. Specify the local address configured in IPsec profile view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec profile.
You can specify a maximum of six IKE keychains for an IKE profile. An IKE keychain specified earlier has a higher priority. To give an IKE keychain a higher priority, you can configure this command for the keychain. For example, suppose you specified IKE keychain A before specifying IKE keychain B, and you configured the peer ID 2.2.0.0/16 for IKE keychain A and the peer ID 2.2.2.0/24 for IKE keychain B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE keychain A is preferred because IKE keychain A was specified earlier. To use IKE keychain B, you can use this command to restrict the application scope of IKE keychain B to address 3.3.3.3.
Examples
# Create IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
# Apply IKE keychain key1 to the interface with IP address 2.2.2.1.
[Sysname-ike-keychain-key1] match local address 2.2.2.1
# Apply IKE keychain key1 to the interface with IP address 2.2.2.2 in VPN instance vpn1.
[Sysname-ike-keychain-key1] match local address 2.2.2.2 vpn-instance vpn1
match local address (IKE profile view)
Use match local address to specify a local interface or IP address to which an IKE profile can be applied.
Use undo match local address to restore the default.
Syntax
match local address { interface-type interface-number | { ipv4-address | ipv6 ipv6-address } [ vpn-instance vpn-instance-name ] }
undo match local address
Default
An IKE profile can be applied to any local interface or IP address.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
interface-type interface-number: Specifies a local interface. It can be any Layer 3 interface.
ipv4-address: Specifies the IPv4 address of a local interface.
ipv6 ipv6-address: Specifies the IPv6 address of a local interface.
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the IPv4 or IPv6 address belongs. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the IPv4 or IPv6 address is a public address, do not specify this option.
Usage guidelines
Use this command to specify which address or interface can use the IKE profile for IKE negotiation. Specify the local address configured in IPsec profile view (using the local-address command) for this command. If no local address is configured, specify the IP address of the interface that uses the IPsec profile.
An IKE profile configured earlier has a higher priority. To give an IKE profile that is configured later a higher priority, you can configure this command for the profile. For example, suppose you configured IKE profile A before configuring IKE profile B, and you configured the match remote identity address range 2.2.2.1 2.2.2.100 command for IKE profile A and the match remote identity address range 2.2.2.1 2.2.2.10 command for IKE profile B. For the local interface with the IP address 3.3.3.3 to negotiate with the peer 2.2.2.6, IKE profile A is preferred because IKE profile A was configured earlier. To use IKE profile B, you can use this command to restrict the application scope of IKE profile B to address 3.3.3.3.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Apply IKE profile prof1 to the interface with IP address 2.2.2.1.
[Sysname-ike-profile-prof1] match local address 2.2.2.1
# Apply IKE profile prof1 to the interface with IP address 2.2.2.2 in VPN instance vpn1.
[Sysname-ike-profile-prof1] match local address 2.2.2.2 vpn-instance vpn1
match remote
Use match remote to configure a peer ID for IKE profile matching.
Use undo match remote to delete a peer ID for IKE profile matching.
Syntax
match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
undo match remote { certificate policy-name | identity { address { { ipv4-address [ mask | mask-length ] | range low-ipv4-address high-ipv4-address } | ipv6 { ipv6-address [ prefix-length ] | range low-ipv6-address high-ipv6-address } } [ vpn-instance vpn-instance-name ] | fqdn fqdn-name | user-fqdn user-fqdn-name } }
Default
No peer ID is configured for IKE profile matching.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
certificate policy-name: Uses the DN in the peer's digital certificate as the peer ID for IKE profile matching. The policy-name argument is a string of 1 to 31 characters.
identity: Uses the specified information as the peer ID for IKE profile matching. The specified information is configured on the peer by using the local-identity command.
· address ipv4-address [ mask | mask-length ]: Uses an IPv4 host address or an IPv4 subnet address as the peer ID for IKE profile matching. The value range for the mask-length argument is 0 to 32, and the default is 32.
· address range low-ipv4-address high-ipv4-address: Uses a range of IPv4 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
· address ipv6 ipv6-address [ prefix-length ]: Uses an IPv6 host address or an IPv6 subnet address as the peer ID for IKE profile matching. The value range for the prefix-length argument is 0 to 128, and the default is 128.
· address ipv6 range low-ipv6-address high-ipv6-address: Uses a range of IPv6 addresses as the peer ID for IKE profile matching. The end address must be higher than the start address.
· fqdn fqdn-name: Uses the peer's FQDN as the peer ID for IKE profile matching. The fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as www.test.com.
· user-fqdn user-fqdn-name: Uses the peer's user FQDN as the peer ID for IKE profile matching. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, such as [email protected].
vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the specified address or addresses belong. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If the address or addresses belong to the public network, do not specify this option.
Usage guidelines
The responder compares the initiator's ID received with the peer IDs of its local IKE profiles. If a match is found, the responder uses the IKE profile with the matching peer ID for IKE negotiation with the initiator.
On the responder, each IKE profile must have at least one peer ID configured. To make sure only one IKE profile is matched for a peer, do not configure the same peer ID for two or more IKE profiles. If you configure the same peer ID for two or more IKE profiles, which IKE profile is selected for IKE negotiation is unpredictable.
For an IKE profile, you can configure multiple peer IDs. A peer ID configured earlier has a higher priority.
Examples
# Create IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
# Configure a peer ID with the identity type of FQDN and the value of www.test.com.
[Sysname-ike-profile-prof1] match remote identity fqdn www.test.com
# Configure a peer ID with the identity type of IP address and the value of 10.1.1.1.
[Sysname-ike-profile-prof1] match remote identity address 10.1.1.1
Related commands
local-identity
pre-shared-key
Use pre-shared-key to configure a pre-shared key.
Use undo pre-shared-key to delete a pre-shared key.
Syntax
pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name } key { cipher | simple } string
undo pre-shared-key { address { ipv4-address [ mask | mask-length ] | ipv6 ipv6-address [ prefix-length ] } | hostname host-name }
Default
No pre-shared key is configured.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
address: Specifies a peer by its address.
ipv4-address: Specifies the IPv4 address of the peer.
mask: Specifies the mask in dotted decimal notation. The default mask is 255.255.255.255.
mask-length: Specifies the mask length in the range of 0 to 32. The default mask length is 32.
ipv6: Specifies an IPv6 peer.
ipv6-address: Specifies the IPv6 address of the peer.
prefix-length: Specifies the prefix length in the range of 0 to 128. The default prefix length is 128.
hostname host-name: Specifies a peer by its hostname, a case-sensitive string of 1 to 255 characters.
key: Specifies a pre-shared key.
cipher: Specifies a pre-shared key in encrypted form.
simple: Specifies a pre-shared key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.
string: Specifies the pre-shared key. The key is case sensitive. Its plaintext form is a string of 1 to 128 characters and its encrypted form is a string of 1 to 201 characters.
Usage guidelines
The address option or the hostname option specifies the peer with which the device can use the pre-shared key to perform IKE negotiation.
Two peers must be configured with the same pre-shared key to pass pre-shared key authentication.
If you do not specify the cipher string option, you specify a plaintext pre-shared key in interactive mode. The key is a case-sensitive string of 15 to 128 characters, and it must contain uppercase and lowercase letters, digits, and special characters other than the question mark (?).
Examples
# Create IKE keychain key1 and enter IKE keychain view.
<Sysname> system-view
[Sysname] ike keychain key1
# Set the pre-shared key to be used for IKE negotiation with peer 1.1.1.2 to 123456TESTplat&!.
[Sysname-ike-keychain-key1] pre-shared-key address 1.1.1.2 255.255.255.255 key simple 123456TESTplat&!
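The usage guidelines above state the rules an interactively entered plaintext pre-shared key must meet (15 to 128 characters, uppercase and lowercase letters, digits and special characters, no question mark). The following Python is an added example, not Comware code: it checks a candidate key against those rules and generates a compliant key from the OS CSPRNG. The allowed alphabet (ASCII letters, digits and ASCII punctuation) is an assumption, since the page does not enumerate it; the key 123456TESTplat&! is the one used in the example above.

```python
"""Pre-shared key hygiene for `pre-shared-key ... key simple <string>`.

Added example, not Comware code. It encodes the rules this page gives for
an interactively entered plaintext key (15 to 128 characters; uppercase,
lowercase, digits and special characters; no '?') and generates a key that
satisfies them. Assumption: the allowed alphabet is ASCII letters, digits
and ASCII punctuation; the page does not enumerate it.
"""
import secrets
import string
from typing import List

PSK_MIN, PSK_MAX = 15, 128
SPECIALS = "".join(c for c in string.punctuation if c != "?")
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def check_psk(key: str) -> List[str]:
    """Return the list of violated rules; an empty list means the key passes."""
    problems = []
    if not PSK_MIN <= len(key) <= PSK_MAX:
        problems.append(f"length {len(key)} outside {PSK_MIN}-{PSK_MAX}")
    if "?" in key:
        problems.append("contains '?'")
    if not any(c.isupper() for c in key):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in key):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in key):
        problems.append("no digit")
    if not any(c in SPECIALS for c in key):
        problems.append("no special character")
    if any(c not in ALPHABET for c in key):
        problems.append("character outside assumed alphabet")
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a random key that satisfies check_psk, using the OS CSPRNG."""
    if not PSK_MIN <= length <= PSK_MAX:
        raise ValueError("length must be within the supported range")
    while True:
        # Rejection sampling: draw uniformly, keep the first key that passes.
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_psk(key):
            return key


if __name__ == "__main__":
    print(check_psk("123456TESTplat&!"))   # key from the example above: passes
    print(check_psk("password"))           # too short, no upper/digit/special
    print(generate_psk())
```

Whether the key is entered with simple or cipher, the device stores it in encrypted form; generating it with a CSPRNG rather than choosing a memorable phrase is what makes pre-shared key authentication hold up when both peers must share the same secret.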
Related commands
authentication-method
keychain
priority (IKE keychain view)
Use priority to specify a priority for an IKE keychain.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKE keychain is 100.
Views
IKE keychain view
Predefined user roles
network-admin
mdc-admin
Parameters
priority priority: Specifies a priority number in the range of 1 to 65535. The lower the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE keychain, the device first checks whether the match local address command is configured and only then compares priority numbers. An IKE keychain with the match local address command configured has a higher priority than an IKE keychain without it, whatever their priority numbers.
Examples
# Set the priority to 10 for IKE keychain key1.
<Sysname> system-view
[Sysname] ike keychain key1
[Sysname-ike-keychain-key1] priority 10
priority (IKE profile view)
Use priority to specify a priority for an IKE profile.
Use undo priority to restore the default.
Syntax
priority priority
undo priority
Default
The priority of an IKE profile is 100.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
priority priority: Specifies a priority number in the range of 1 to 65535. The smaller the priority number, the higher the priority.
Usage guidelines
To determine the priority of an IKE profile, the device first checks whether the match local address command is configured and only then compares priority numbers. An IKE profile with the match local address command configured has a higher priority than an IKE profile without it, whatever their priority numbers.
Examples
# Set the priority to 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] priority 10
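The match local address guidelines (for both IKE keychains and IKE profiles) and the two priority commands each describe one rule of how the responder picks among several matching profiles. The following Python is an added model of that selection, not Comware code; it reproduces the two-profile scenario from the match local address (IKE profile view) guidelines and the match remote address, range and FQDN matching. The combined ordering assumed here (profiles with match local address first, then lower priority number, then earlier configuration order) is an assumption: the page states each rule but not their combination, and the same rules apply to IKE keychains, so the model covers both.

```python
"""Responder-side IKE profile/keychain selection, modelled in Python.

Added illustration, not Comware code. A profile is a candidate only if its
`match local address` (when configured) covers the local address and one of
its `match remote` peer IDs matches the initiator's ID. Among candidates,
the order assumed here (an assumption; the page states each rule but not
their combination) is:
  1. profiles with `match local address` configured beat those without;
  2. lower `priority` number wins;
  3. earlier-configured profile wins.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerId:
    """One `match remote identity ...` entry."""
    kind: str            # "address" (host/subnet), "range", "fqdn" or "user-fqdn"
    value: str           # address or prefix, range start, or name
    high: str = ""       # range end (only for kind == "range")

    def matches(self, ident_kind: str, ident_value: str) -> bool:
        if self.kind in ("address", "range"):
            if ident_kind != "address":
                return False
            addr = ipaddress.ip_address(ident_value)
            if self.kind == "address":
                # `address 10.1.1.1` with no mask is a host (/32 or /128) match
                return addr in ipaddress.ip_network(self.value, strict=False)
            lo, hi = ipaddress.ip_address(self.value), ipaddress.ip_address(self.high)
            return addr.version == lo.version and lo <= addr <= hi
        # FQDN and user FQDN are case-sensitive exact matches
        return ident_kind == self.kind and ident_value == self.value


@dataclass
class IkeProfile:
    name: str
    order: int                           # configuration order; lower = earlier
    peer_ids: List[PeerId] = field(default_factory=list)
    priority: int = 100                  # `priority` command default
    local_address: Optional[str] = None  # `match local address <ip>` if set

    def accepts(self, local_addr: str, ident_kind: str, ident_value: str) -> bool:
        if self.local_address is not None and self.local_address != local_addr:
            return False
        return any(p.matches(ident_kind, ident_value) for p in self.peer_ids)


def select_profile(profiles, local_addr, ident_kind, ident_value):
    """Return the profile the responder would pick, or None if nothing matches."""
    candidates = [p for p in profiles
                  if p.accepts(local_addr, ident_kind, ident_value)]
    if not candidates:
        return None
    candidates.sort(key=lambda p: (p.local_address is None, p.priority, p.order))
    return candidates[0]


def scenario(restrict_b_local=False, b_priority=100, peer="2.2.2.6"):
    """Constructed two-profile case from the match local address guidelines.

    A (configured first) matches 2.2.2.1-2.2.2.100, B (configured later)
    matches 2.2.2.1-2.2.2.10; the local interface address is 3.3.3.3.
    """
    a = IkeProfile("A", order=1,
                   peer_ids=[PeerId("range", "2.2.2.1", "2.2.2.100")])
    b = IkeProfile("B", order=2,
                   peer_ids=[PeerId("range", "2.2.2.1", "2.2.2.10")],
                   priority=b_priority,
                   local_address="3.3.3.3" if restrict_b_local else None)
    chosen = select_profile([a, b], "3.3.3.3", "address", peer)
    return chosen.name if chosen else None


if __name__ == "__main__":
    print("default order       ->", scenario())                             # A
    print("B scoped to 3.3.3.3 ->", scenario(restrict_b_local=True))         # B
    print("B priority 10       ->", scenario(b_priority=10))                 # B
    print("peer 2.2.2.50       ->", scenario(b_priority=10, peer="2.2.2.50"))  # A
```

The model makes the page's warning about overlapping peer IDs concrete: with default priorities and no match local address, profile A wins for 2.2.2.6 purely because it was configured first, and the only ways to steer that peer to the narrower profile B are to scope B with match local address or to give it a lower priority number.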
proposal
Use proposal to specify IKE proposals for an IKE profile.
Use undo proposal to restore the default.
Syntax
proposal proposal-number&<1-6>
undo proposal
Default
No IKE proposals are specified for an IKE profile and the IKE proposals configured in system view are used for IKE negotiation.
Views
IKE profile view
Predefined user roles
network-admin
mdc-admin
Parameters
proposal-number&<1-6>: Specifies a space-separated list of up to six IKE proposals by their numbers in the range of 1 to 65535. An IKE proposal specified earlier has a higher priority.
Usage guidelines
When acting as the initiator, the device sends the specified IKE proposals to its peer for IKE negotiation. When acting as the responder, the device uses the IKE proposals configured in system view to match the IKE proposals received from the initiator.
Examples
# Specify IKE proposal 10 for IKE profile prof1.
<Sysname> system-view
[Sysname] ike profile prof1
[Sysname-ike-profile-prof1] proposal 10
Related commands
ike proposal
reset ike sa
Use reset ike sa to delete IKE SAs.
Syntax
reset ike sa [ connection-id connection-id ]
Views
User view
Predefined user roles
network-admin
mdc-admin
Parameters
connection-id connection-id: Specifies the connection ID of the IKE SA to be cleared, in the range of 1 to 2000000000.
Usage guidelines
When you delete an IKE SA, the device automatically sends a notification to the peer.
Examples
# Display the current IKE SAs.
<Sysname> display ike sa
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD IPsec
2 202.38.0.3 RD IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
# Delete the IKE SA with the connection ID 2.
<Sysname> reset ike sa connection-id 2
# Display the current IKE SAs.
<Sysname> display ike sa
Total IKE SAs: 1
Connection-ID Remote Flag DOI
----------------------------------------------------------
1 202.38.0.2 RD|ST IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
reset ike statistics
Use reset ike statistics to clear IKE MIB statistics.
Syntax
reset ike statistics
Views
User view
Predefined user roles
network-admin
mdc-admin
Examples
# Clear IKE MIB statistics.
<Sysname> reset ike statistics
Related commands
snmp-agent trap enable ike
sa duration
Use sa duration to set the IKE SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The IKE SA lifetime is 86400 seconds for an IKE proposal.
Views
IKE proposal view
Predefined user roles
network-admin
mdc-admin
Parameters
seconds: Specifies the IKE SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
Before an IKE SA expires, IKE negotiates a new SA. The new SA takes effect immediately after it is negotiated. The old IKE SA will be cleared when it expires.
If the communicating peers are configured with different IKE SA lifetime settings, the smaller setting takes effect.
Examples
# Set the IKE SA lifetime to 600 seconds for IKE proposal 1.
<Sysname> system-view
[Sysname] ike proposal 1
[Sysname-ike-proposal-1] sa duration 600
Related commands
display ike proposal
snmp-agent trap enable ike
Use snmp-agent trap enable ike to enable SNMP notifications for IKE.
Use undo snmp-agent trap enable ike to disable SNMP notifications for IKE.
Syntax
snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
undo snmp-agent trap enable ike [ attr-not-support | auth-failure | cert-type-unsupport | cert-unavailable | decrypt-failure | encrypt-failure | global | invalid-cert-auth | invalid-cookie | invalid-id | invalid-proposal | invalid-protocol | invalid-sign | no-sa-failure | proposal-add | proposal-delete | tunnel-start | tunnel-stop | unsupport-exch-type ] *
Default
All SNMP notifications for IKE are enabled.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
attr-not-support: Specifies notifications about attribute-unsupported failures.
auth-failure: Specifies notifications about authentication failures.
cert-type-unsupport: Specifies notifications about certificate-type-unsupported failures.
cert-unavailable: Specifies notifications about certificate-unavailable failures.
decrypt-failure: Specifies notifications about decryption failures.
encrypt-failure: Specifies notifications about encryption failures.
global: Specifies notifications globally.
invalid-cert-auth: Specifies notifications about invalid-certificate-authentication failures.
invalid-cookie: Specifies notifications about invalid-cookie failures.
invalid-id: Specifies notifications about invalid-ID failures.
invalid-proposal: Specifies notifications about invalid-IKE-proposal failures.
invalid-protocol: Specifies notifications about invalid-protocol failures.
invalid-sign: Specifies notifications about invalid-signature failures.
no-sa-failure: Specifies notifications about SA-not-found failures.
proposal-add: Specifies notifications about events of adding IKE proposals.
proposal-delete: Specifies notifications about events of deleting IKE proposals.
tunnel-start: Specifies notifications about events of creating IKE tunnels.
tunnel-stop: Specifies notifications about events of deleting IKE tunnels.
unsupport-exch-type: Specifies notifications about negotiation-type-unsupported failures.
Usage guidelines
If you do not specify any keywords, this command enables or disables all SNMP notifications for IKE.
To generate and output SNMP notifications for a specific IKE failure type or event type, perform the following tasks:
1. Enable SNMP notifications for IKE globally.
2. Enable SNMP notifications for the failure type or event type.
Examples
# Enable SNMP notifications for IKE globally.
<Sysname> system-view
[Sysname] snmp-agent trap enable ike global
# Enable SNMP notifications for events of creating IKE tunnels.
[Sysname] snmp-agent trap enable ike tunnel-start