16-IP Tunneling and Security VPN Command Reference

03-IPsec commands

Contents

IPsec commands
ah authentication-algorithm
description
display ipsec { ipv6-policy | policy }
display ipsec { ipv6-policy-template | policy-template }
display ipsec profile
display ipsec sa
display ipsec sdwan-sa local
display ipsec sdwan-sa remote
display ipsec sdwan-statistics
display ipsec sdwan-tunnel
display ipsec statistics
display ipsec transform-set
display ipsec tunnel
encapsulation-mode
esn enable
esp authentication-algorithm
esp encryption-algorithm
ike-profile
ikev2-profile
ipsec { ipv6-policy | policy }
ipsec { ipv6-policy | policy } isakmp template
ipsec { ipv6-policy | policy } local-address
ipsec { ipv6-policy-template | policy-template }
ipsec anti-replay check
ipsec anti-replay window
ipsec apply
ipsec decrypt-check enable
ipsec df-bit
ipsec fragmentation
ipsec global-df-bit
ipsec limit max-tunnel
ipsec logging negotiation enable
ipsec logging packet enable
ipsec no-nat-process enable
ipsec profile
ipsec redundancy enable
ipsec sa global-duration
ipsec sa global-soft-duration buffer
ipsec sa idle-time
ipsec transform-set
local-address
pfs
policy enable
protocol
qos pre-classify
redundancy replay-interval
remote-address
reset ipsec sa
reset ipsec sdwan-sa
reset ipsec sdwan-statistics
reset ipsec sdwan-tunnel
reset ipsec statistics
reverse-route dynamic
reverse-route preference
reverse-route tag
sa df-bit
sa duration
sa hex-key authentication
sa hex-key encryption
sa idle-time
sa soft-duration buffer
sa spi
sa string-key
sa trigger-mode
security acl
snmp-agent trap enable ipsec
tfc enable
transform-set
tunnel protection ipsec

IPsec commands

ah authentication-algorithm

Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.

Use undo ah authentication-algorithm to restore the default.

Syntax

ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo ah authentication-algorithm

Default

AH does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5-96 algorithm, which uses a 128-bit key.

sha1: Specifies the HMAC-SHA1-96 algorithm, which uses a 160-bit key.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Specifies the HMAC-SM3-96 algorithm, which uses a 256-bit key. This keyword is available only for IKEv1.

Usage guidelines

You can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first AH authentication algorithm.

Examples

# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
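The usage guidelines above state three rules that are easy to get wrong when two sites are configured by different people: keywords are ordered by priority, a manual or IKEv1-based policy uses only the first keyword and both ends must agree on it, and aes-xcbc-mac (IKEv2 only) and sm3 (IKEv1 only) are mode-restricted. The following script is an added example, not H3C code, that checks a pair of `ah authentication-algorithm` configuration lines against those rules offline. The mode names (manual, ikev1, ikev2) and the WEAK set used for the audit warning are this example's own assumptions; IKEv2 algorithm selection is not modelled because the reference does not describe it.

```python
"""Offline consistency check for `ah authentication-algorithm` settings.

Added example, not H3C code. Encodes the rules from the command reference:
keywords are in priority order (first listed wins); for a manual or IKEv1-based
policy only the first algorithm takes effect and must be identical at both
ends; aes-xcbc-mac is IKEv2-only and sm3 is IKEv1-only.
"""
import re

KEYWORDS = ("aes-xcbc-mac", "md5", "sha1", "sha256", "sha384", "sha512", "sm3")
IKEV2_ONLY = {"aes-xcbc-mac"}
IKEV1_ONLY = {"sm3"}
# Assumption of this example: algorithms an auditor wants flagged, not a device setting.
WEAK = {"md5", "sha1"}

AH_LINE = re.compile(r"^\s*ah authentication-algorithm((?:\s+[a-z0-9-]+)+)\s*$")


def parse_ah_line(line):
    """Return the ordered algorithm list from an `ah authentication-algorithm` config line."""
    m = AH_LINE.match(line)
    if not m:
        raise ValueError(f"not an ah authentication-algorithm line: {line!r}")
    algs = m.group(1).split()
    unknown = [a for a in algs if a not in KEYWORDS]
    if unknown:
        raise ValueError(f"unknown keyword(s): {unknown}")
    return algs


def validate(algs, mode):
    """Return a list of problems for one transform set; mode is manual, ikev1 or ikev2."""
    if mode not in ("manual", "ikev1", "ikev2"):
        raise ValueError(f"unknown mode: {mode}")
    problems = []
    if mode != "ikev2":
        for a in sorted(IKEV2_ONLY & set(algs)):
            problems.append(f"{a} is available only for IKEv2")
    if mode != "ikev1":
        for a in sorted(IKEV1_ONLY & set(algs)):
            problems.append(f"{a} is available only for IKEv1")
    for a in algs:
        if a in WEAK:
            problems.append(f"{a} is a weak algorithm")
    return problems


def effective_algorithm(algs, mode):
    """For manual and IKEv1-based policies the first specified algorithm takes effect."""
    if mode == "ikev2":
        # The reference states the first-algorithm rule only for manual/IKEv1
        # policies; IKEv2 selection is deliberately not modelled here.
        raise NotImplementedError("IKEv2 algorithm selection is not modelled")
    return algs[0]


def tunnel_compatible(local_algs, remote_algs, mode):
    """True when both ends have the same first AH algorithm (manual/IKEv1 rule)."""
    return effective_algorithm(local_algs, mode) == effective_algorithm(remote_algs, mode)


if __name__ == "__main__":
    # Constructed config lines for two tunnel ends; the remote end lists the
    # same algorithms in a different order, which is enough to break the tunnel.
    local = parse_ah_line("ah authentication-algorithm sha256 sha1")
    remote = parse_ah_line("ah authentication-algorithm sha1 sha256")
    print("local problems:", validate(local, "ikev1"))
    print("compatible:", tunnel_compatible(local, remote, "ikev1"))
```

The order-sensitivity is the point: the two ends above share both algorithms, yet the tunnel fails because the first keyword differs. Run the two config lines from each site through the checker before a change window rather than after the tunnel refuses to come up.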

description

Use description to configure a description for an IPsec policy, IPsec profile, or IPsec policy template.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an IPsec policy, IPsec profile, or IPsec policy template.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

You can configure different descriptions for IPsec policies, IPsec profiles, or IPsec policy templates to distinguish them.

Examples

# Configure the description for IPsec policy policy1 as CenterToA.

<Sysname> system-view

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA

display ipsec { ipv6-policy | policy }

Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.

Syntax

display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy: Displays information about IPv6 IPsec policies.

policy: Displays information about IPv4 IPsec policies.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec policies.

If you specify an IPsec policy name and a sequence number, this command displays information about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence number, this command displays information about all IPsec policy entries with the specified name.

Examples

# Display information about all IPv4 IPsec policies.

<Sysname> display ipsec policy

-------------------------------------------

IPsec Policy: mypolicy

-------------------------------------------

 

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  The policy configuration is incomplete:

           ACL not specified

           Incomplete transform-set configuration

  Description: This is my first IPv4 manual policy

  Security data flow:

  Remote address: 2.5.2.1

  Transform set: transform

 

  Inbound AH setting:

    AH SPI: 1200 (0x000004b0)

    AH string-key: ******

    AH authentication hex key:

 

  Inbound ESP setting:

    ESP SPI: 1400 (0x00000578)

    ESP string-key:

    ESP encryption hex key:

    ESP authentication hex key:

 

  Outbound AH setting:

    AH SPI: 1300 (0x00000514)

    AH string-key: ******

    AH authentication hex key:

 

  Outbound ESP setting:

    ESP SPI: 1500 (0x000005dc)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

 

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  The policy configuration is incomplete:

           Remote-address not set

           ACL not specified

           Transform-set not set

  Description: This is my first IPv4 Isakmp policy

  Traffic Flow Confidentiality: Enabled

  Security data flow:

  Selector mode: standard

  Local address:

  Remote address:

  Transform set:

  IKE profile:

  IKEv2 profile:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

-------------------------------------------

IPsec Policy: mycompletepolicy

Interface: LoopBack2

-------------------------------------------

 

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  Description: This is my complete policy

  Security data flow: 3100

  Remote address: 2.2.2.2

  Transform set: completetransform

 

  Inbound AH setting:

    AH SPI: 5000 (0x00001388)

    AH string-key: ******

    AH authentication hex key:

 

  Inbound ESP setting:

    ESP SPI: 7000 (0x00001b58)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

 

  Outbound AH setting:

    AH SPI: 6000 (0x00001770)

    AH string-key: ******

    AH authentication hex key:

 

  Outbound ESP setting:

    ESP SPI: 8000 (0x00001f40)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

 

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  Description: This is my complete policy

  Traffic Flow Confidentiality: Enabled

  Security data flow: 3200

  Selector mode: standard

  Local address:

  Remote address: 5.3.6.9

  Transform set:  completetransform

  IKE profile:

  IKEv2 profile:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

# Display information about all IPv6 IPsec policies.

<Sysname> display ipsec ipv6-policy

-------------------------------------------

IPsec Policy: mypolicy

-------------------------------------------

 

  -----------------------------

  Sequence number: 1

  Mode: Manual

  -----------------------------

  Description: This is my first IPv6 policy

  Security data flow: 3600

  Remote address: 1000::2

  Transform set: mytransform

 

  Inbound AH setting:

    AH SPI: 1235 (0x000004d3)

    AH string-key: ******

    AH authentication hex key:

 

  Inbound ESP setting:

    ESP SPI: 1236 (0x000004d4)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

 

  Outbound AH setting:

    AH SPI: 1237 (0x000004d5)

    AH string-key: ******

    AH authentication hex key:

 

  Outbound ESP setting:

    ESP SPI: 1238 (0x000004d6)

    ESP string-key: ******

    ESP encryption hex key:

    ESP authentication hex key:

 

  -----------------------------

  Sequence number: 2

  Mode: ISAKMP

  -----------------------------

  Description: This is my complete policy

  Traffic Flow Confidentiality: Enabled

  Security data flow: 3200

  Selector mode: standard

  Local address:

  Remote address: 1000::2

  Transform set:  completetransform

  IKE profile:

  IKEv2 profile:

  SA trigger mode: Auto

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

Table 1 Command output

IPsec Policy: IPsec policy name.
Interface: Interface applied with the IPsec policy.
Sequence number: Sequence number of the IPsec policy entry.
Mode: Negotiation mode of the IPsec policy:
· Manual—Manual mode.
· ISAKMP—IKE negotiation mode.
· Template—IPsec policy template mode.
The policy configuration is incomplete: IPsec policy configuration is incomplete. Possible causes include:
· The ACL is not configured.
· The IPsec transform set is not configured.
· The ACL does not have any permit statements.
· The IPsec transform set configuration is not complete.
· The peer IP address of the IPsec tunnel is not specified.
· The SPI and key of the IPsec SA do not match those in the IPsec policy.
Description: Description of the IPsec policy.
Traffic Flow Confidentiality: Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Security data flow: ACL used by the IPsec policy.
Selector mode: Data flow protection mode of the IPsec policy: standard, aggregation, or per-host.
Local address: Local end IP address of the IPsec tunnel (available only for the IKE-based IPsec policy).
Remote address: Remote end IP address or host name of the IPsec tunnel.
Transform set: Transform set used by the IPsec policy.
IKE profile: IKE profile used by the IPsec policy.
IKEv2 profile: IKEv2 profile used by the IPsec policy.
SA trigger mode: IPsec SA negotiation triggering mode:
· Auto—Triggers SA negotiation when the required IPsec configuration is complete.
· Traffic-based—Triggers SA negotiation when traffic requires IPsec protection.
SA duration(time based): Time-based IPsec SA lifetime, in seconds.
SA duration(traffic based): Traffic-based IPsec SA lifetime, in kilobytes.
SA soft-duration buffer(time based): Time-based IPsec SA soft lifetime buffer, in seconds. If the time-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).
SA soft-duration buffer(traffic based): Traffic-based IPsec SA soft lifetime buffer, in kilobytes. If the traffic-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).
SA idle time: Idle timeout of the IPsec SA, in seconds. If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).
AH string-key: AH string key. This field displays ****** if the key is configured and is empty if the key is not configured.
AH authentication hex key: AH authentication hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.
ESP string-key: ESP string key. This field displays ****** if the key is configured and is empty if the key is not configured.
ESP encryption hex key: ESP encryption hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.
ESP authentication hex key: ESP authentication hexadecimal key. This field displays ****** if the key is configured and is empty if the key is not configured.

Related commands

ipsec { ipv6-policy | policy }
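The output above is the only place the device tells you that a policy entry is incomplete and why, and on a router with many policy entries the "The policy configuration is incomplete:" blocks are easy to miss in a scroll. The following parser is an added example, not H3C code: it reads the text of `display ipsec policy`, builds one record per sequence number, keeps the causes the device lists, and independently reports which of the ACL, transform set, and remote address fields are empty. The sample output is constructed after the format shown above, and the REQUIRED mapping (which fields count as required) is this example's own assumption.

```python
"""Parse `display ipsec policy` output and report incomplete policy entries.

Added example, not H3C code. The sample below is constructed after the
output format in the command reference.
"""

SAMPLE_POLICY_OUTPUT = """\
<Sysname> display ipsec policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------

  -----------------------------
  Sequence number: 1
  Mode: Manual
  -----------------------------
  The policy configuration is incomplete:
           ACL not specified
           Incomplete transform-set configuration
  Description: This is my first IPv4 manual policy
  Security data flow:
  Remote address: 2.5.2.1
  Transform set: transform
-------------------------------------------
IPsec Policy: mycompletepolicy
Interface: LoopBack2
-------------------------------------------

  -----------------------------
  Sequence number: 2
  Mode: ISAKMP
  -----------------------------
  Description: This is my complete policy
  Security data flow: 3200
  Selector mode: standard
  Local address:
  Remote address: 5.3.6.9
  Transform set:  completetransform
  SA duration(time based): 3600 seconds
"""

# Assumption of this example: output fields that must be non-empty for an entry
# to be usable, with the name used in the report.
REQUIRED = {
    "Security data flow": "ACL",
    "Transform set": "transform set",
    "Remote address": "remote address",
}


def parse_policy_output(text):
    """Return one dict per policy entry: policy, interface, seq, causes, fields."""
    entries, policy, interface, cur, reading_causes = [], None, None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines, separator rules and the CLI prompt line.
        if not line or set(line) == {"-"} or line.startswith("<"):
            continue
        if line.startswith("IPsec Policy:"):
            policy, interface, cur = line.split(":", 1)[1].strip(), None, None
            continue
        if line.startswith("Sequence number:"):
            cur = {"policy": policy, "interface": interface,
                   "seq": int(line.split(":", 1)[1]), "causes": [], "fields": {}}
            entries.append(cur)
            reading_causes = False
            continue
        if line == "The policy configuration is incomplete:":
            reading_causes = True
            continue
        # Cause lines carry no colon; the first "key: value" line ends the list.
        if reading_causes and ":" not in line:
            cur["causes"].append(line)
            continue
        reading_causes = False
        key, _, value = line.partition(":")
        if cur is None:
            # Policy header lines such as "Interface: LoopBack2".
            if key.strip() == "Interface":
                interface = value.strip()
            continue
        cur["fields"][key.strip()] = value.strip()
    return entries


def empty_required_fields(entry):
    """Names of REQUIRED fields that are empty or absent in this entry."""
    return [name for key, name in REQUIRED.items() if not entry["fields"].get(key)]


def report(entries):
    """One line per entry the device or this check considers incomplete."""
    lines = []
    for e in entries:
        missing = empty_required_fields(e)
        if e["causes"] or missing:
            lines.append(f"{e['policy']} seq {e['seq']} ({e['fields'].get('Mode', '?')}): "
                         f"device causes={e['causes']}; empty fields={missing}")
    return lines


if __name__ == "__main__":
    for line in report(parse_policy_output(SAMPLE_POLICY_OUTPUT)):
        print(line)
```

The device's own cause list and the empty-field check overlap but are not identical: a manual entry whose SPI or key does not match is reported by the device only, and an ISAKMP entry with an empty Local address is not a defect (Table 1 notes that field applies only to IKE-based policies and may legitimately be blank), which is why the mapping deliberately leaves it out.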

display ipsec { ipv6-policy-template | policy-template }

Use display ipsec { ipv6-policy-template | policy-template } to display information about IPsec policy templates.

Syntax

display ipsec { ipv6-policy-template | policy-template } [ template-name [ seq-number ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ipv6-policy-template: Displays information about IPv6 IPsec policy templates.

policy-template: Displays information about IPv4 IPsec policy templates.

template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy template entry by its sequence number in the range of 1 to 65535.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec policy templates.

If you specify an IPsec policy template name and a sequence number, this command displays information about the specified IPsec policy template entry. If you specify an IPsec policy template name without any sequence number, this command displays information about all IPsec policy template entries with the specified name.

Examples

# Display information about all IPv4 IPsec policy templates.

<Sysname> display ipsec policy-template

-----------------------------------------------

IPsec Policy Template: template

-----------------------------------------------

 

  ---------------------------------

  Sequence number: 1

  ---------------------------------

Description: This is policy template

Traffic Flow Confidentiality: Disabled

Security data flow :

Selector mode: standard

Local address:

IKE profile:

IKEv2 profile:

Remote address: 162.105.10.2

Transform set:  testprop

IPsec SA local duration(time based): 3600 seconds

IPsec SA local duration(traffic based): 1843200 kilobytes

SA idle time: 100 seconds

# Display information about all IPv6 IPsec policy templates.

<Sysname> display ipsec ipv6-policy-template

-----------------------------------------------

IPsec Policy Template: template6

-----------------------------------------------

 

  ---------------------------------

  Sequence number: 1

  ---------------------------------

Description: This is policy template

Traffic Flow Confidentiality: Disabled

Security data flow :

Selector mode: standard

Local address:

IKE profile:

IKEv2 profile:

Remote address: 200::1

Transform set: testprop

IPsec SA local duration(time based): 3600 seconds

IPsec SA local duration(traffic based): 1843200 kilobytes

SA idle time: 100 seconds

Table 2 Command output

IPsec Policy Template: IPsec policy template name.
Sequence number: Sequence number of the IPsec policy template entry.
Description: Description of the IPsec policy template.
Traffic Flow Confidentiality: Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Security data flow: ACL used by the IPsec policy template.
Selector mode: Data flow protection mode of the IPsec policy template: standard, aggregation, or per-host.
Local address: Local end IP address of the IPsec tunnel.
IKE profile: IKE profile used by the IPsec policy template.
IKEv2 profile: IKEv2 profile used by the IPsec policy template.
Remote address: Remote end IP address of the IPsec tunnel.
Transform set: Transform set used by the IPsec policy template.
IPsec SA local duration(time based): Time-based IPsec SA lifetime, in seconds.
IPsec SA local duration(traffic based): Traffic-based IPsec SA lifetime, in kilobytes.
SA idle time: Idle timeout of the IPsec SA, in seconds. If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).

Related commands

ipsec { ipv6-policy | policy } isakmp template

display ipsec profile

Use display ipsec profile to display information about IPsec profiles.

Syntax

display ipsec profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec profiles.

Examples

# Display information about all IPsec profiles.

<Sysname> display ipsec profile

-------------------------------------------

IPsec profile: myprofile

Mode: isakmp

-------------------------------------------

  Transform set:  tran1

  IKE profile: profile

  SA duration(time based): 3600 seconds

  SA duration(traffic based): 1843200 kilobytes

  SA soft-duration buffer(time based): 1000 seconds

  SA soft-duration buffer(traffic based): 43200 kilobytes

  SA idle time: 100 seconds

-----------------------------------------------

IPsec profile: profile

Mode: manual

-----------------------------------------------

  Transform set: prop1

  Inbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Inbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex-key: ******

    ESP authentication hex-key: ******

  Outbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Outbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex key: ******

    ESP authentication hex key: ******

-------------------------------------------

IPsec profile: myprofile

Mode: SDWAN

-------------------------------------------

  Transform set:  tran1

  SA duration (time based): 3600 seconds

Table 3 Command output

IPsec profile: IPsec profile name.
Mode: Negotiation mode used by the IPsec profile:
· Manual—Manual mode.
· ISAKMP—IKE negotiation mode.
· SDWAN—SDWAN mode.
Description: Description of the IPsec profile.
Transform set: IPsec transform set used by the IPsec profile.
IKE profile: IKE profile used by the IPsec profile.
SA duration(time based): Time-based IPsec SA lifetime, in seconds.
SA duration(traffic based): Traffic-based IPsec SA lifetime, in kilobytes.
SA soft-duration buffer(time based): Time-based IPsec SA soft lifetime buffer, in seconds. If the time-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).
SA soft-duration buffer(traffic based): Traffic-based IPsec SA soft lifetime buffer, in kilobytes. If the traffic-based IPsec SA soft lifetime buffer is not configured, this field displays two consecutive hyphens (--).
SA idle time: IPsec SA idle timeout, in seconds. If the IPsec SA idle timeout is not configured, this field displays two consecutive hyphens (--).

Related commands

ipsec profile

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ brief | count | interface interface-type interface-number | { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote [ ipv6 ] ip-address ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all IPsec SAs.

count: Displays the number of IPsec SAs.

interface interface-type interface-number: Specifies an interface by its type and number.

ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6 IPsec policy.

policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec policy.

policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to 65535.

profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

remote ip-address: Specifies an IPsec SA by its remote end IP address.

ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all IPsec SAs.

Examples

# Display brief information about IPsec SAs.

<Sysname> display ipsec sa brief

-----------------------------------------------------------------------

Interface/Global   Dst Address      SPI         Protocol  Status

-----------------------------------------------------------------------

GE1/0/1            10.1.1.1         400         ESP       Active

GE1/0/1            255.255.255.255  4294967295  ESP       Active

GE1/0/1            100::1/64        500         AH        Active

Global             --               600         ESP       Active

Table 4 Command output

Interface/Global: Interface to which the IPsec SA belongs, or Global for an IPsec SA created by using an IPsec profile.
Dst Address: Remote end IP address of the IPsec tunnel. For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).
SPI: IPsec SA SPI.
Protocol: Security protocol used by IPsec.
Status: Status of the IPsec SA: Active or Standby. In a VSRP scenario, this field displays either Active or Standby. In standalone mode, this field always displays Active.

# Display the number of IPsec SAs.

<Sysname> display ipsec sa count

Total IPsec SAs count: 4

# Display detailed information about all IPsec SAs.

<Sysname> display ipsec sa

-------------------------------

Interface: GigabitEthernet0/0/1

-------------------------------

 

  -----------------------------

  IPsec policy: r2

  Sequence number: 1

  Mode: ISAKMP

  -----------------------------

    Tunnel id: 3

    Encapsulation mode: tunnel

    Perfect Forward Secrecy:

    Inside VPN: vp1

    Extended Sequence Numbers enable: Y

    Traffic Flow Confidentiality enable: N

    Path MTU: 1443

    Tunnel:

        local  address: 2.2.2.2

        remote address: 1.1.1.2

    Flow:

        sour addr: 192.168.2.0/255.255.255.0  port: 0  protocol: ip

        dest addr: 192.168.1.0/255.255.255.0  port: 0  protocol: ip

 

    [Inbound ESP SAs]

      SPI: 3564837569 (0xd47b1ac1)

      Connection ID: 90194313219

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 4294967295/604800

      SA remaining duration (kilobytes/sec): 1843200/2686

      Max received sequence-number: 5

      Anti-replay check enable: Y

      Anti-replay window size: 32

      UDP encapsulation used for NAT traversal: N

      Status: Active

 

    [Outbound ESP SAs]

      SPI: 801701189 (0x2fc8fd45)

      Connection ID: 64424509441

      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

      SA duration (kilobytes/sec): 4294967295/604800

      SA remaining duration (kilobytes/sec): 1843200/2686

      Max sent sequence-number: 6

      UDP encapsulation used for NAT traversal: N

      Status: Active

-------------------------------

Global IPsec SA

-------------------------------

 

  -----------------------------

  IPsec profile: profile

  Mode: Manual

  -----------------------------

    Encapsulation mode: transport

    [Inbound AH SA]

      SPI: 1234563 (0x0012d683)

      Connection ID: 64426789452

      Transform set: AH-SHA1

      No duration limit for this SA

    [Outbound AH SA]

      SPI: 1234563 (0x002d683)

      Connection ID: 64428999468

      Transform set: AH-SHA1

      No duration limit for this SA

Table 5 Command output

Interface: Interface where the IPsec SA belongs.
IPsec policy: Name of the IPsec policy.
IPsec profile: Name of the IPsec profile.
Sequence number: Sequence number of the IPsec policy entry.
Mode: Negotiation mode used by the IPsec policy:
· Manual—Manual mode.
· ISAKMP—IKE negotiation mode.
· Template—IPsec policy template mode.
Tunnel id: IPsec tunnel ID.
Encapsulation mode: Encapsulation mode, transport or tunnel.
Perfect Forward Secrecy: Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation:
· 768-bit Diffie-Hellman group (dh-group1).
· 1024-bit Diffie-Hellman group (dh-group2).
· 1536-bit Diffie-Hellman group (dh-group5).
· 2048-bit Diffie-Hellman group (dh-group14).
· 2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24).
· 256-bit ECP Diffie-Hellman group (dh-group19).
· 384-bit ECP Diffie-Hellman group (dh-group20).
Extended Sequence Numbers enable: Whether Extended Sequence Number (ESN) is enabled.
Traffic Flow Confidentiality enable: Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Inside VPN: VPN instance to which the protected data flow belongs.
Path MTU: Path MTU of the IPsec SA.
Tunnel: Local and remote addresses of the IPsec tunnel.
local address: Local end IP address of the IPsec tunnel.
remote address: Remote end IP address of the IPsec tunnel.
Flow: Information about the data flow protected by the IPsec tunnel.
sour addr: Source IP address of the data flow.
dest addr: Destination IP address of the data flow.
port: Port number.
protocol: Protocol type: ip or ipv6.
SPI: SPI of the IPsec SA.
Connection ID: Identifier of the IPsec SA.
Transform set: Security protocol and algorithms used by the IPsec transform set.
SA duration (kilobytes/sec): IPsec SA lifetime, in kilobytes or seconds.
SA remaining duration (kilobytes/sec): Remaining IPsec SA lifetime, in kilobytes or seconds.
Max received sequence-number: Max sequence number in the received packets.
Max sent sequence-number: Max sequence number in the sent packets.
Anti-replay check enable: Whether anti-replay checking is enabled.
UDP encapsulation used for NAT traversal: Whether NAT traversal is used by the IPsec SA.
Status: Status of the IPsec SA: Active or Standby. In a VSRP scenario, this field displays either Active or Standby. In standalone mode, this field always displays Active.
No duration limit for this SA: Manual IPsec SAs have no lifetime limit.

Related commands

ipsec sa global-duration

reset ipsec sa
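The detailed `display ipsec sa` output carries the fields an operator reviews when auditing live tunnels: whether anti-replay checking is on for an inbound SA, how much lifetime remains before rekey, and whether an SA is a manual one with no lifetime at all. The following script is an added example, not H3C code, that parses that output into one record per SA and applies those three checks. The sample text is constructed after the output format above (one ISAKMP policy on an interface and one manual profile under Global IPsec SA), and the 300-second remaining-lifetime threshold is this example's own assumption.

```python
"""Parse `display ipsec sa` output and audit the resulting SAs.

Added example, not H3C code. The sample below is constructed after the
output format in the command reference.
"""
import re

SAMPLE_SA_OUTPUT = """\
<Sysname> display ipsec sa
-------------------------------
Interface: GigabitEthernet0/0/1
-------------------------------

  -----------------------------
  IPsec policy: r2
  Sequence number: 1
  Mode: ISAKMP
  -----------------------------
    Tunnel id: 3
    Encapsulation mode: tunnel
    Tunnel:
        local  address: 2.2.2.2
        remote address: 1.1.1.2
    [Inbound ESP SAs]
      SPI: 3564837569 (0xd47b1ac1)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/120
      Anti-replay check enable: N
      UDP encapsulation used for NAT traversal: N
      Status: Active
    [Outbound ESP SAs]
      SPI: 801701189 (0x2fc8fd45)
      Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1
      SA duration (kilobytes/sec): 4294967295/604800
      SA remaining duration (kilobytes/sec): 1843200/2686
      UDP encapsulation used for NAT traversal: N
      Status: Active
-------------------------------
Global IPsec SA
-------------------------------

  -----------------------------
  IPsec profile: profile
  Mode: Manual
  -----------------------------
    Encapsulation mode: transport
    [Inbound AH SA]
      SPI: 1234563 (0x0012d683)
      Transform set: AH-SHA1
      No duration limit for this SA
    [Outbound AH SA]
      SPI: 1234563 (0x0012d683)
      Transform set: AH-SHA1
      No duration limit for this SA
"""

SA_HEADER = re.compile(r"^\[(Inbound|Outbound) (ESP|AH) SAs?\]$")


def parse_sa_output(text):
    """Return one dict per SA: direction, protocol, the enclosing context and its own fields."""
    sas, context, cur = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"} or line.startswith("<"):
            continue
        m = SA_HEADER.match(line)
        if m:
            # Snapshot the tunnel/policy context into the new SA record.
            cur = {**context, "direction": m.group(1).lower(), "protocol": m.group(2)}
            sas.append(cur)
            continue
        if line == "Global IPsec SA":
            context, cur = {"Interface": "Global"}, None
            continue
        if line == "No duration limit for this SA":
            if cur is not None:
                cur["unlimited"] = True
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Interface":
            context, cur = {key: value}, None
        elif key in ("IPsec policy", "IPsec profile"):
            # A new policy/profile block: keep only the interface from the old context.
            context, cur = {"Interface": context.get("Interface"), key: value}, None
        elif cur is None:
            context[key] = value
        else:
            cur[key] = value
    return sas


def remaining_seconds(sa):
    """Remaining time-based lifetime in seconds, or None for SAs without one."""
    value = sa.get("SA remaining duration (kilobytes/sec)")
    if not value:
        return None
    return int(value.split("/")[1])


def audit(sas, min_remaining_sec=300):
    """Findings worth a look: replay checks off, manual SAs with no lifetime, SAs near expiry."""
    findings = []
    for sa in sas:
        owner = sa.get("IPsec policy") or sa.get("IPsec profile") or "?"
        where = (f"{sa.get('Interface', '?')}/{owner} {sa['direction']} {sa['protocol']} "
                 f"SPI {sa.get('SPI', '?')}")
        if sa["direction"] == "inbound" and sa.get("Anti-replay check enable") == "N":
            findings.append(f"{where}: anti-replay checking disabled")
        if sa.get("unlimited"):
            findings.append(f"{where}: manual SA with no lifetime limit (never rekeyed)")
        secs = remaining_seconds(sa)
        if secs is not None and secs < min_remaining_sec:
            findings.append(f"{where}: only {secs} s of lifetime remaining")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sa_output(SAMPLE_SA_OUTPUT)):
        print(finding)
```

Anti-replay is only meaningful on the inbound SA, which is why the check ignores the outbound direction; the "No duration limit" line is matched verbatim because it is the one SA-level line in this output that is not a key/value pair.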

display ipsec sdwan-sa local

Use display ipsec sdwan-sa local to display information about local SDWAN IPsec SAs.

Syntax

display ipsec sdwan-sa local [ brief | count | interface tunnel tunnel-number | spi spi-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all local SDWAN IPsec SAs.

count: Displays the number of local SDWAN IPsec SAs.

interface: Displays information about SDWAN IPsec SAs on an interface.

tunnel tunnel-number: Specifies an SDWAN tunnel interface by the tunnel interface number. The specified SDWAN tunnel interface must have been created.

spi spi-number: Displays information about SDWAN IPsec SA with the specified SPI number. The value range for the spi-number argument is 256 to 4294967295.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all local SDWAN IPsec SAs.

Examples

# Display detailed information about all local SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa local

-------------------------------

Interface: Tunnel1

-------------------------------

 

  -----------------------------

 IPsec profile: abc

 Mode: SDWAN

  -----------------------------

  Site ID: 1

  Device ID: 1

  Interface ID: 1

  Link ID: 273(0x111)

  Encapsulation mode: transport

  Local address: 10.1.1.1

  [Inbound ESP SAs]

  SPI: 2701952073 (0xa10c8449)

  SA index: 0

  Connection ID: 4294967296

  Transform set: ESP-ENCRYPT-AES-CBC-128 ESP-AUTH-SHA1

  SA duration (sec): 3600

  SA remaining duration (sec): 3180

  Anti-replay check enable: Y

  Anti-replay window size: 4096

  Status: Active

  [Inbound AH SAs]

  SPI: 2701952073 (0xa10c8449)

  SA index: 1

  Connection ID: 4294967296

  Transform set: AH-AUTH-SHA1

  SA duration (sec): 3600

  SA remaining duration (sec): 3180

  Anti-replay check enable: Y

  Anti-replay window size: 4096

  Status: Active

# Display detailed information about the local SDWAN IPsec SA with a specific SPI.

<Sysname> display ipsec sdwan-sa local spi 1968608062

-------------------------------

Interface: Tunnel0

-------------------------------

 

  -----------------------------

  IPsec profile: 2644

  Mode: SDWAN

  -----------------------------

    Site ID: 10

    Device ID: 20

    Interface ID: 30

    Link ID: 660510 (0xa141e)

    Encapsulation mode: transport

    Local address: 200.200.200.10

    [Inbound ESP SAs]

      SPI: 1968608062 (0x7556933e)

      SA index: 1

      Connection ID: 12884901889

      Transform set: ESP-ENCRYPT- ESP-AUTH-SHA384

      SA duration (sec): 3600

      SA remaining duration (sec): 1712

      Anti-replay check enable: Y

      Anti-replay window size: 64

      Status: Active

# Display detailed information about the local SDWAN IPsec SA on a specific interface.

<Sysname> display ipsec sdwan-sa local interface tunnel 2

-------------------------------

Interface: Tunnel2

-------------------------------

 

  -----------------------------

  IPsec profile: 2644

  Mode: SDWAN

  -----------------------------

    Site ID: 10

    Device ID: 20

    Interface ID: 30

    Link ID: 660510 (0xa141e)

    Encapsulation mode: transport

    Local address: 200.200.200.10

    [Inbound ESP SAs]

      SPI: 1968 (0x7b0)

      SA index: 1

      Connection ID: 12884901889

      Transform set: ESP-ENCRYPT- ESP-AUTH-SHA384

      SA duration (sec): 3600

      SA remaining duration (sec): 1712

      Anti-replay check enable: Y

      Anti-replay window size: 64

      Status: Active

Table 6 Command output

Field

Description

Interface

SDWAN tunnel interface where the IPsec SA resides.

IPsec profile

Name of the IPsec profile used by the tunnel interface.

Mode

Negotiation mode used by the IPsec profile.

·     Manual—Manual mode.

·     ISAKMP—IKE negotiation mode.

·     SDWAN—SDWAN mode.

·     Template—IKE-based IPsec policy template mode.

·     GDOI—GDOI mode.

Site ID

Site ID.

Device ID

Device ID.

Interface ID

Interface ID (interface index).

Link ID

Link index, which uniquely identifies an SDWAN tunnel. A link ID comprises a site ID, a device ID, and an interface ID.

Encapsulation mode

IPsec packet encapsulation mode, transport or tunnel.

Local address

Local IP address of the IPsec tunnel.

Inbound ESP SAs

ESP IPsec SA information in inbound direction.

Inbound AH SAs

AH IPsec SA information in inbound direction.

SPI

Security parameter index of the local IPsec SA. The SPI is carried in the AH or ESP header and, together with the security protocol and the destination address, identifies the SA that a received packet belongs to.

SA index

Index of the local IPsec SA.

Connection ID

Connection ID of the IPsec SA.

Transform set

Security protocols and algorithms used by the IPsec transform set.

SA duration (sec)

Lifetime of the IPsec SA, in seconds. If the lifetime is not configured, this field displays two hyphens (--).

SA remaining duration (sec)

Remaining lifetime of the IPsec SA, in seconds. If the lifetime is not configured, this field displays two hyphens (--).

Anti-replay check enable

Indicates whether the anti-replay check is enabled (Y) or disabled (N) for the IPsec SA.

Anti-replay window size

Size of the anti-replay window, in packets.

Status

Status of the IPsec SA.

·     In a VSRP scenario, this field displays either Active or Standby.

·     In standalone mode, this field always displays Active.

# Display brief information about all local SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa local brief

----------------------------------------------------------------------------------------

Site ID  Device ID  Interface ID  Link ID  Local address    SPI     Protocol  Status

----------------------------------------------------------------------------------------

10       20         30            660510   200.200.200.10   1968    ESP       Active

# Display the number of local SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa local count

Total IPsec Sdwan Local SAs count: 1

Table 7 Command output

Field

Description

Link ID

Link index, which uniquely identifies an SDWAN tunnel. A link ID comprises a site ID, a device ID, and an interface ID.

Local address

Local IP address of the IPsec tunnel.

SPI

Security parameter index of the local IPsec SA. The SPI is carried in the AH or ESP header and, together with the security protocol and the destination address, identifies the SA that a received packet belongs to.

Protocol

Security protocol, AH or ESP.

Status

Status of the IPsec SA.

·     In a VSRP scenario, this field displays either Active or Standby.

·     In standalone mode, this field always displays Active.

Total IPsec Sdwan Local SAs count

Total number of local SDWAN IPsec SAs.

Related commands

reset ipsec sdwan-sa local

display ipsec sdwan-sa remote

Use display ipsec sdwan-sa remote to display information about remote SDWAN IPsec SAs.

Syntax

display ipsec sdwan-sa remote [ brief | count ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all remote SDWAN IPsec SAs.

count: Displays the number of remote SDWAN IPsec SAs.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all remote SDWAN IPsec SAs.

Examples

# Display detailed information about all remote SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa remote

-------------------------------

  Mode: SDWAN

  -----------------------------

    Site ID: 20

    Device ID: 20

    Interface ID: 35

    Link ID: 1315875 (0x141423)

    Encapsulation mode: transport

    Remote address: 200.200.200.20

    [Outbound ESP SAs]

      SPI: 2360 (0x936)

      SA index: 0

      Connection ID: 4294967296

      Transform set: ESP-ENCRYPT- ESP-AUTH-SHA384

      Status: Active

-------------------------------

  Mode: SDWAN

  -----------------------------

    Site ID: 30

    Device ID: 30

    Interface ID: 30

    Link ID: 1973790 (0x1e1e1e)

    Encapsulation mode: transport

    Remote address: 200.200.200.30

    [Outbound ESP SAs]

      SPI: 4137 (0x1029)

      SA index: 3

      Connection ID: 4294967299

      Transform set: ESP-ENCRYPT- ESP-AUTH-SHA384

      Status: Active

Table 8 Command output

Field

Description

Mode

Negotiation mode used by the IPsec profile.

·     Manual—Manual mode.

·     ISAKMP—IKE negotiation mode.

·     SDWAN—SDWAN mode.

·     Template—IKE-based IPsec policy template mode.

·     GDOI—GDOI mode.

Site ID

Site ID.

Device ID

Device ID.

Interface ID

Interface ID (interface index).

Link ID

Link index, which uniquely identifies an SDWAN tunnel. A link ID comprises a site ID, a device ID, and an interface ID.

Encapsulation mode

IPsec packet encapsulation mode, transport or tunnel.

Remote address

Remote IP address of the IPsec tunnel.

Outbound ESP SAs

ESP IPsec SA information in outbound direction.

Outbound AH SAs

AH IPsec SA information in outbound direction.

SPI

Security parameter index of the remote IPsec SA. The SPI is carried in the AH or ESP header and, together with the security protocol and the destination address, identifies the SA that the packet belongs to.

SA index

Index of the remote IPsec SA.

Connection ID

Connection ID of the IPsec SA.

Transform set

Security protocols and algorithms used by the IPsec transform set.

Status

Status of the IPsec SA.

·     In a VSRP scenario, this field displays either Active or Standby.

·     In standalone mode, this field always displays Active.

# Display brief information about all remote SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa remote brief

----------------------------------------------------------------------------------------

Site ID  Device ID  Interface ID  Link ID  Remote address   SPI    Protocol   Status

----------------------------------------------------------------------------------------

20       20         35            1315875  200.200.200.20   2360   ESP        Active

30       30         30            1973790  200.200.200.30   4137   ESP        Active

# Display the number of remote SDWAN IPsec SAs.

<Sysname> display ipsec sdwan-sa remote count

Total IPsec Sdwan Remote SAs count: 1

Table 9 Command output

Field

Description

Link ID

Link index, which uniquely identifies an SDWAN tunnel. A link ID comprises a site ID, a device ID, and an interface ID.

Remote address

Remote IP address of the IPsec tunnel.

SPI

Security parameter index of the remote IPsec SA. The SPI is carried in the AH or ESP header and, together with the security protocol and the destination address, identifies the SA that the packet belongs to.

Protocol

Security protocol, AH or ESP.

Status

Status of the IPsec SA.

·     In a VSRP scenario, this field displays either Active or Standby.

·     In standalone mode, this field always displays Active.

Total IPsec Sdwan Remote SAs count

Total number of remote SDWAN IPsec SAs.
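The following Python script is an added example, not part of the H3C command reference. It parses the brief output of display ipsec sdwan-sa local brief and display ipsec sdwan-sa remote brief (Tables 7 and 9 above) and cross-checks every Link ID against its Site ID, Device ID and Interface ID. The command reference only says that a link ID "comprises" the three IDs; the byte layout the script uses (site ID in bits 16 to 23, device ID in bits 8 to 15, interface ID in bits 0 to 7) is an assumption inferred from the three sample values on this page (10/20/30 gives 0x0a141e, 20/20/35 gives 0x141423, 30/30/30 gives 0x1e1e1e) and should be verified against your own output before you rely on it. The SdwanSa class and all function names are this example's own.

```python
"""Parse 'display ipsec sdwan-sa {local|remote} brief' output and check each
Link ID against its Site ID, Device ID and Interface ID.

Added example; not H3C code.  The byte layout below is an ASSUMPTION inferred
from the sample values on this page, not a documented format."""
import re
from dataclasses import dataclass

# Constructed input, copied from the two brief sample outputs on this page.
LOCAL_BRIEF = """\
----------------------------------------------------------------------------------------
Site ID  Device ID  Interface ID  Link ID  Local address    SPI     Protocol  Status
----------------------------------------------------------------------------------------
10       20         30            660510   200.200.200.10   1968    ESP       Active
"""

REMOTE_BRIEF = """\
----------------------------------------------------------------------------------------
Site ID  Device ID  Interface ID  Link ID  Remote address   SPI    Protocol   Status
----------------------------------------------------------------------------------------
20       20         35            1315875  200.200.200.20   2360   ESP        Active
30       30         30            1973790  200.200.200.30   4137   ESP        Active
"""


@dataclass(frozen=True)
class SdwanSa:
    site_id: int
    device_id: int
    interface_id: int
    link_id: int
    address: str          # local or remote address, depending on the command
    spi: int
    protocol: str         # "AH" or "ESP"
    status: str           # "Active" or "Standby"


# One data row: three IDs, link ID, address, SPI, protocol, status.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(AH|ESP)\s+(\S+)\s*$"
)


def parse_brief(text):
    """Return the data rows of a brief output; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(SdwanSa(int(m[1]), int(m[2]), int(m[3]), int(m[4]),
                                m[5], int(m[6]), m[7], m[8]))
    return rows


def link_id_from_ids(site_id, device_id, interface_id):
    """ASSUMED layout: site ID << 16 | device ID << 8 | interface ID."""
    for value in (site_id, device_id, interface_id):
        if not 0 <= value <= 0xFF:
            raise ValueError("ID does not fit in one byte under the assumed layout")
    return (site_id << 16) | (device_id << 8) | interface_id


def split_link_id(link_id):
    """Inverse of link_id_from_ids(): (site ID, device ID, interface ID)."""
    return (link_id >> 16) & 0xFF, (link_id >> 8) & 0xFF, link_id & 0xFF


def mismatched_link_ids(rows):
    """Link IDs whose printed components disagree with the assumed layout.
    An empty result means the layout holds for every row you fed in."""
    return [r.link_id for r in rows
            if link_id_from_ids(r.site_id, r.device_id, r.interface_id) != r.link_id]


if __name__ == "__main__":
    for label, text in (("local", LOCAL_BRIEF), ("remote", REMOTE_BRIEF)):
        rows = parse_brief(text)
        for r in rows:
            print(f"{label}: link 0x{r.link_id:06x} = site {r.site_id} / device "
                  f"{r.device_id} / interface {r.interface_id}; {r.protocol} "
                  f"SPI 0x{r.spi:x} {r.status} via {r.address}")
        print(f"{label}: link IDs not matching assumed layout: {mismatched_link_ids(rows)}")
```

Run it against output captured from your own device: a non-empty result from mismatched_link_ids() means the assumed byte layout is wrong for your software version and the decoder should not be trusted.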

Related commands

reset ipsec sdwan-sa remote

display ipsec sdwan-statistics

Use display ipsec sdwan-statistics to display packet statistics on SDWAN IPsec tunnels.

Syntax

display ipsec sdwan-statistics [ tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by the tunnel ID. The value range for the tunnel-id argument is 0 to 4294967294. If you do not specify an IPsec tunnel, this command displays packet statistics on all SDWAN IPsec tunnels.

Examples

# Display packet statistics on all SDWAN IPsec tunnels.

<Sysname> display ipsec sdwan-statistics

IPsec packet statistics:

Received/sent packets: 47/64

Received/sent bytes: 3948/5208

Dropped packets (received/sent): 0/45

 

Dropped packets statistics

No available SA: 0

Wrong SA:

Invalid length: 0

Authentication failure: 0

Encapsulation failure: 0

Decapsulation failure: 0

Replayed packets: 0

MTU check failure: 0

Loopback limit exceeded: 0

Crypto speed limit exceeded: 0

# Display packet statistics on SDWAN IPsec tunnel 1.

<Sysname> display ipsec sdwan-statistics tunnel-id 1

IPsec packet statistics:

Received/sent packets: 47/64

Received/sent bytes: 3948/5208

Dropped packets (received/sent): 0/45

 

Dropped packets statistics

No available SA: 0

Wrong SA:

Invalid length: 0

Authentication failure: 0

Encapsulation failure: 0

Decapsulation failure: 0

Replayed packets: 0

MTU check failure: 0

Loopback limit exceeded: 0

Crypto speed limit exceeded: 0

Table 10 Command output

Field

Description

Received/sent packets

Number of received/sent IPsec-protected packets.

Received/sent bytes

Number of bytes of received/sent IPsec-protected packets.

Dropped packets (received/sent)

Number of dropped IPsec-protected packets (received/sent).

No available SA

Number of packets dropped due to lack of available IPsec SA.

Wrong SA

Number of packets dropped due to wrong IPsec SA.

Invalid length

Number of packets dropped due to invalid packet length.

Authentication failure

Number of packets dropped due to authentication failure.

Encapsulation failure

Number of packets dropped due to encapsulation failure.

Decapsulation failure

Number of packets dropped due to decapsulation failure.

Replayed packets

Number of dropped replayed packets.

MTU check failure

Number of packets dropped due to MTU check failure.

Loopback limit exceeded

Number of packets dropped due to loopback limit exceeded.

Crypto speed limit exceeded

Number of packets dropped due to crypto speed limit exceeded.

Related commands

reset ipsec sdwan-statistics

display ipsec sdwan-tunnel

Use display ipsec sdwan-tunnel to display information about SDWAN IPsec tunnels.

Syntax

display ipsec sdwan-tunnel [ brief | count | tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about SDWAN IPsec tunnels.

count: Displays the number of SDWAN IPsec tunnels.

tunnel-id tunnel-id: Specifies an IPsec tunnel by the tunnel ID. The value range for the tunnel-id argument is 0 to 4294967294.

Usage guidelines

In an SDWAN network, IPsec establishes tunnels between SDWAN devices to protect the data transmitted between them. Such IPsec tunnels are referred to as SDWAN IPsec tunnels.

If you do not specify any parameters, this command displays detailed information about all SDWAN IPsec tunnels.

Examples

# Display brief information about all SDWAN IPsec tunnels.

<Sysname> display ipsec sdwan-tunnel brief

----------------------------------------------------------------------------

Tunnel-ID   Src Address     Dst Address     Inbound SPI   Outbound SPI

----------------------------------------------------------------------------

1           1.2.3.1         2.2.2.2         5000          6000

Table 11 Command output

Field

Description

Tunnel-ID

ID of the IPsec tunnel.

Src Address

Source IP address of the IPsec tunnel.

Dst Address

Destination IP address of the IPsec tunnel.

Inbound SPI

Valid inbound SPI in the IPsec tunnel.

Outbound SPI

Valid outbound SPI in the IPsec tunnel.

# Display the number of SDWAN IPsec tunnels.

<Sysname> display ipsec sdwan-tunnel count

Total SDWAN IPsec tunnels: 2

# Display detailed information about all SDWAN IPsec tunnels.

<Sysname> display ipsec sdwan-tunnel

Tunnel ID: 1

Status: Active

SA's SPI:

    Outbound:  1091054028  (0x410829cc)   [ESP]

    Inbound:   2400381837  (0x8f12eb8d)   [ESP]

Tunnel:

    Local address: 11.1.2.1

    Remote address: 11.1.3.1

# Display detailed information about the SDWAN IPsec tunnel with tunnel ID of 1.

<Sysname> display ipsec sdwan-tunnel tunnel-id 1

Tunnel ID: 1

Status: Active

SA's SPI:

    Outbound:  1091054028  (0x410829cc)   [ESP]

    Inbound:   2400381837  (0x8f12eb8d)   [ESP]

Tunnel:

    Local address: 11.1.2.1

    Remote address: 11.1.3.1

Table 12 Command output

Field

Description

Tunnel ID

ID of the IPsec tunnel.

Status

Status of the IPsec tunnel.

·     In a VSRP scenario, this field displays either Active or Standby.

·     In standalone mode, this field always displays Active.

SA's SPI

SPIs of the inbound and outbound IPsec SAs.

Outbound

Valid outbound SPI in the IPsec tunnel.

Inbound

Valid inbound SPI in the IPsec tunnel.

Tunnel

Addresses of the local and remote ends of the IPsec tunnel.

local address

Local IP address of the IPsec tunnel.

remote address

Remote IP address of the IPsec tunnel.

Related commands

reset ipsec sdwan-tunnel

display ipsec statistics

Use display ipsec statistics to display IPsec packet statistics.

Syntax

display ipsec statistics [ tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967294. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.

Usage guidelines

If you do not specify any parameters, this command displays statistics for all IPsec packets.

Examples

# Display statistics for all IPsec packets.

<Sysname> display ipsec statistics

  IPsec packet statistics:

    Received/sent packets: 47/64

    Received/sent bytes: 3948/5208

    Dropped packets (received/sent): 0/45

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 45

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

# Display statistics for the packets of IPsec tunnel 1.

<Sysname> display ipsec statistics tunnel-id 1

  IPsec packet statistics:

    Received/sent packets: 5124/8231

    Received/sent bytes: 52348/64356

    Dropped packets (received/sent): 0/0

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 0

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

Table 13 Command output

Field

Description

Received/sent packets

Number of received/sent IPsec-protected packets.

Received/sent bytes

Number of bytes of received/sent IPsec-protected packets.

Dropped packets (received/sent)

Number of dropped IPsec-protected packets (received/sent).

No available SA

Number of packets dropped due to lack of available IPsec SA.

Wrong SA

Number of packets dropped due to wrong IPsec SA.

Invalid length

Number of packets dropped due to invalid packet length.

Authentication failure

Number of packets dropped due to authentication failure.

Encapsulation failure

Number of packets dropped due to encapsulation failure.

Decapsulation failure

Number of packets dropped due to decapsulation failure.

Replayed packets

Number of dropped replayed packets.

ACL check failure

Number of packets dropped due to ACL check failure.

MTU check failure

Number of packets dropped due to MTU check failure.

Loopback limit exceeded

Number of packets dropped due to loopback limit exceeded.

Crypto speed limit exceeded

Number of packets dropped due to crypto speed limit exceeded.
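The following Python script is an added example, not part of the H3C command reference. It parses the output format shared by display ipsec statistics and display ipsec sdwan-statistics (Tables 10 and 13 above), checks that the per-reason drop counters account for the drops in the summary line, and computes the growth of each counter between two polls, which is what an alert should key on. The grouping of "security-relevant" counters and the one-line interpretations are this example's own reading of the tables; the sample text is copied from the display ipsec statistics output above and the second snapshot is constructed.

```python
"""Parse 'display ipsec statistics' / 'display ipsec sdwan-statistics' output
and flag the drop counters a security operator should look at first.

Added example; not H3C code.  SECURITY_COUNTERS and its interpretations are
this example's own, not device documentation."""
import re

# Constructed input, copied from the display ipsec statistics sample above.
SAMPLE = """\
  IPsec packet statistics:
    Received/sent packets: 47/64
    Received/sent bytes: 3948/5208
    Dropped packets (received/sent): 0/45

    Dropped packets statistics
      No available SA: 0
      Wrong SA: 0
      Invalid length: 0
      Authentication failure: 0
      Encapsulation failure: 0
      Decapsulation failure: 0
      Replayed packets: 0
      ACL check failure: 45
      MTU check failure: 0
      Loopback limit exceeded: 0
      Crypto speed limit exceeded: 0
"""

# Constructed second snapshot of the same tunnel, polled later: integrity
# failures and replays have started to appear on the receive side.
LATER = (SAMPLE.replace("Authentication failure: 0", "Authentication failure: 12")
               .replace("Replayed packets: 0", "Replayed packets: 3")
               .replace("Dropped packets (received/sent): 0/45",
                        "Dropped packets (received/sent): 15/45"))

PAIR_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<rx>\d+)/(?P<tx>\d+)\s*$")
COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:\s*(?P<value>\d*)\s*$")


def parse_statistics(text):
    """Return {'pairs': {name: (received, sent)}, 'drops': {name: int or None}}.

    A drop counter printed without a value (as 'Wrong SA:' appears in the
    display ipsec sdwan-statistics sample) is kept as None, never as 0."""
    stats = {"pairs": {}, "drops": {}}
    in_drops = False
    for line in text.splitlines():
        if line.strip() == "Dropped packets statistics":
            in_drops = True
            continue
        m = PAIR_RE.match(line)
        if m:
            stats["pairs"][m["name"]] = (int(m["rx"]), int(m["tx"]))
            continue
        m = COUNTER_RE.match(line)
        if m and in_drops:
            stats["drops"][m["name"]] = int(m["value"]) if m["value"] else None
    return stats


# Counters whose growth points at forged, replayed or mis-keyed traffic, or at
# a policy mismatch, rather than at plain congestion (this example's grouping).
SECURITY_COUNTERS = {
    "Authentication failure": "integrity check failed: forged or corrupted packets, or a key mismatch",
    "Replayed packets": "sequence number already seen inside the anti-replay window",
    "Wrong SA": "packet SPI did not resolve to a usable SA",
    "No available SA": "traffic matched the policy but no SA exists (negotiation failing?)",
    "ACL check failure": "packet did not pass the IPsec ACL check",
}


def findings(stats):
    """Non-zero security-relevant counters with a short interpretation."""
    out = []
    for name, why in SECURITY_COUNTERS.items():
        value = stats["drops"].get(name)
        if value:
            out.append(f"{name}={value}: {why}")
    return out


def unexplained_drops(stats):
    """Drops in the summary line that no individual counter accounts for."""
    rx, tx = stats["pairs"]["Dropped packets (received/sent)"]
    return rx + tx - sum(v for v in stats["drops"].values() if v)


def delta(before, after):
    """Per-counter growth between two polls (counters that did not move are omitted)."""
    growth = {}
    for name in after["drops"]:
        diff = (after["drops"].get(name) or 0) - (before["drops"].get(name) or 0)
        if diff:
            growth[name] = diff
    return growth


if __name__ == "__main__":
    first, second = parse_statistics(SAMPLE), parse_statistics(LATER)
    print("unexplained drops in first poll:", unexplained_drops(first))
    for line in findings(second):
        print(line)
    print("growth since last poll:", delta(first, second))
```

Note that in the display ipsec sdwan-statistics sample above the summary line reports 45 sent drops but no listed counter accounts for them; unexplained_drops() surfaces that kind of gap so it is not mistaken for a clean tunnel.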

Related commands

reset ipsec statistics

display ipsec transform-set

Use display ipsec transform-set to display information about IPsec transform sets.

Syntax

display ipsec transform-set [ transform-set-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.

Examples

# Display information about all IPsec transform sets.

<Sysname> display ipsec transform-set

IPsec transform set: mytransform

  State: incomplete

  Encapsulation mode: tunnel

  ESN: Enabled

  PFS:

  Transform: ESP

 

IPsec transform set: completeTransform

  State: complete

  Encapsulation mode: transport

  ESN: Enabled

  PFS:

  Transform: AH-ESP

  AH protocol:

    Integrity: SHA1

  ESP protocol:

    Integrity: SHA1

    Encryption: AES-CBC-128

Table 14 Command output

Field

Description

IPsec transform set

Name of the IPsec transform set.

State

Whether the IPsec transform set is complete.

Encapsulation mode

Encapsulation mode used by the IPsec transform set: transport or tunnel.

ESN

Whether Extended Sequence Number (ESN) is enabled.

PFS

Perfect Forward Secrecy (PFS) setting of the IPsec transform set, used when the IPsec SA is negotiated. The field is blank if PFS is not configured. Groups 1, 2, and 5 are too weak for new deployments; prefer dh-group14 or an ECP group.

·     768-bit Diffie-Hellman group (dh-group1).

·     1024-bit Diffie-Hellman group (dh-group2).

·     1536-bit Diffie-Hellman group (dh-group5).

·     2048-bit Diffie-Hellman group (dh-group14).

·     2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24).

·     256-bit ECP Diffie-Hellman group (dh-group19).

·     384-bit ECP Diffie-Hellman group (dh-group20).

·     256-bit ECP Diffie-Hellman group (dh-group19).

·     384-bit ECP Diffie-Hellman group (dh-group20).

Transform

Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, ESP encapsulation is applied first and AH is applied outside it, so the AH integrity check also covers the ESP header and payload.

AH protocol

AH settings.

ESP protocol

ESP settings.

Integrity

Authentication algorithm used by the security protocol.

Encryption

Encryption algorithm used by the security protocol.

Related commands

ipsec transform-set

display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel { brief | count | tunnel-id tunnel-id }

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all IPsec tunnels.

count: Displays the number of IPsec tunnels.

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967295.

Usage guidelines

IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

Examples

# Display brief information about all IPsec tunnels.

<Sysname> display ipsec tunnel brief

----------------------------------------------------------------------------

Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status

----------------------------------------------------------------------------

0         --              --              1000          2000          Active

                                          3000          4000

1         1.2.3.1         2.2.2.2         5000          6000          Active

                                          7000          8000

Table 15 Command output

Field

Description

Src Address

Source IP address of the IPsec tunnel.

For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).

Dst Address

Destination IP address of the IPsec tunnel.

For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).

Inbound SPI

Valid SPI in the inbound direction of the IPsec tunnel.

If the tunnel uses two security protocols, two SPIs in the inbound direction are displayed in two lines.

Outbound SPI

Valid SPI in the outbound direction of the IPsec tunnel.

If the tunnel uses two security protocols, two SPIs in the outbound direction are displayed in two lines.

Status

Status of the IPsec tunnel: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

# Display the number of IPsec tunnels.

<Sysname> display ipsec tunnel count

Total IPsec Tunnel Count: 2

# Display detailed information about all IPsec tunnels.

<Sysname> display ipsec tunnel

Tunnel ID: 0

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  2000        (0x000007d0)   [AH]

    inbound:   1000        (0x000003e8)   [AH]

    outbound:  4000        (0x00000fa0)   [ESP]

    inbound:   3000        (0x00000bb8)   [ESP]

Tunnel:

    local  address:

    remote address:

Flow:

 

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

# Display detailed information about IPsec tunnel 1.

<Sysname> display ipsec tunnel tunnel-id 1

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

Table 16 Command output

Field

Description

Tunnel ID

ID that uniquely identifies the IPsec tunnel.

Status

IPsec tunnel status: Active or Standby.

In a VSRP scenario, this field displays either Active or Standby.

In standalone mode, this field always displays Active.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used by the IPsec policy for negotiation:

·     768-bit Diffie-Hellman group (dh-group1).

·     1024-bit Diffie-Hellman group (dh-group2).

·     1536-bit Diffie-Hellman group (dh-group5).

·     2048-bit Diffie-Hellman group (dh-group14).

·     2048-bit Diffie-Hellman group with 256-bit subgroup (dh-group24).

·     256-bit ECP Diffie-Hellman group (dh-group19).

·     384-bit ECP Diffie-Hellman group (dh-group20).

Inside vpn-instance

Name of the VPN instance to which the IPsec-protected data belongs.

SA's SPI

SPIs of the inbound and outbound SAs.

Tunnel

Local and remote addresses of the IPsec tunnel.

local address

Local end IP address of the IPsec tunnel.

remote address

Remote end IP address of the IPsec tunnel.

Flow

Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol.

as defined in ACL 3100

Range of data flows protected by a manually established IPsec tunnel. In the example, the tunnel protects all data flows defined by ACL 3100.

encapsulation-mode

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Default

IP packets are encapsulated in tunnel mode.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

transport: Uses the transport mode for IP packet encapsulation.

tunnel: Uses the tunnel mode for IP packet encapsulation.

Usage guidelines

IPsec supports the following encapsulation modes:

·     Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers (AH additionally authenticates the immutable fields of the IP header, so AH in transport mode does not survive address rewriting such as NAT). The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.

·     Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.

The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.

Examples

# Configure IPsec transform set tran1 to use the transport mode for IP packet encapsulation.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport

Related commands

ipsec transform-set

esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable the ESN feature.

Syntax

esn enable [ both ]

undo esn enable

Default

The ESN feature is disabled.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

both: Specifies that IPsec supports both the 64-bit extended sequence number and the traditional 32-bit sequence number. If you do not specify this keyword, IPsec supports only the extended sequence number.

Usage guidelines

The ESN feature extends the IPsec sequence number from 32 bits to 64 bits. Without ESN, an IPsec SA that carries large volumes of data at high speed can exhaust the 32-bit sequence number space, and the SA must then be renegotiated before the counter wraps, because a sequence number must never be reused on the same SA. With ESN the space is not exhausted in practice, so the SA does not need to be renegotiated for that reason. Only the low-order 32 bits of the extended sequence number are carried in the AH or ESP header; each peer tracks the high-order 32 bits locally and includes them in the integrity check, which is why both peers must agree on whether ESN is in use.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable the ESN feature in IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.

Syntax

esp authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo esp authentication-algorithm

Default

ESP does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

aes-xcbc-mac: Specifies the AES-XCBC-MAC-96 algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

md5: Specifies the HMAC-MD5-96 algorithm, which uses a 128-bit key.

sha1: Specifies the HMAC-SHA1-96 algorithm, which uses a 160-bit key.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Specifies the HMAC-SM3-96 algorithm, which uses a 256-bit key.

Usage guidelines

You can specify multiple ESP authentication algorithms for one IPsec transform set. An algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, only the first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established, the IPsec transform sets at both ends of the tunnel must have the same first ESP authentication algorithm.

HMAC-MD5-96 is deprecated and should be used only when a legacy peer requires it. Prefer sha256 or a stronger SHA-2 algorithm when both peers support it.

Examples

# Configure IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1

Related commands

ipsec transform-set

esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

Syntax

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | aes-ctr-128 | aes-ctr-192 | aes-ctr-256 | camellia-cbc-128 | camellia-cbc-192 | camellia-cbc-256 | des-cbc | gmac-128 | gmac-192 | gmac-256 | gcm-128 | gcm-192 | gcm-256 | null | sm1-cbc-128 | sm4-cbc } *

undo esp encryption-algorithm

Default

ESP does not use any encryption algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

aes-ctr-128: Specifies the AES algorithm in CTR mode, which uses a 128-bit key. This keyword is available only for IKEv2.

aes-ctr-192: Specifies the AES algorithm in CTR mode, which uses a 192-bit key. This keyword is available only for IKEv2.

aes-ctr-256: Specifies the AES algorithm in CTR mode, which uses a 256-bit key. This keyword is available only for IKEv2.

camellia-cbc-128: Specifies the Camellia algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv2.

camellia-cbc-192: Specifies the Camellia algorithm in CBC mode, which uses a 192-bit key. This keyword is available only for IKEv2.

camellia-cbc-256: Specifies the Camellia algorithm in CBC mode, which uses a 256-bit key. This keyword is available only for IKEv2.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.

gmac-128: Specifies the GMAC algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gmac-192: Specifies the GMAC algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gmac-256: Specifies the GMAC algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

gcm-128: Specifies the GCM algorithm, which uses a 128-bit key. This keyword is available only for IKEv2.

gcm-192: Specifies the GCM algorithm, which uses a 192-bit key. This keyword is available only for IKEv2.

gcm-256: Specifies the GCM algorithm, which uses a 256-bit key. This keyword is available only for IKEv2.

null: Specifies the NULL encryption algorithm. ESP performs no encryption and provides integrity protection only, so this keyword is meaningful only together with an ESP authentication algorithm.

sm1-cbc-128: Specifies the SM1 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

sm4-cbc: Specifies the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

Usage guidelines

You can specify multiple ESP encryption algorithms for one IPsec transform set. An algorithm specified earlier has a higher priority.

For a manual or IKEv1-based IPsec policy, only the first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established, the IPsec transform sets at both ends of the tunnel must have the same first ESP encryption algorithm.

des-cbc and 3des-cbc are obsolete: DES has a 56-bit effective key, 3DES an effective 112-bit key, and both use a 64-bit block that limits how much data can safely be protected under one key. Use them only when a legacy peer requires them and prefer an AES algorithm.

GCM and GMAC algorithms are combined mode (AEAD) algorithms. GCM algorithms provide both encryption and authentication. GMAC algorithms provide authentication only. A combined mode algorithm can be used only when ESP is used alone, without AH, and cannot be used together with an ordinary ESP authentication algorithm, because the combined mode algorithm already supplies the integrity check.
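The following Python script is an added example, not part of the H3C command reference. It lints one transform set, or a pair of transform sets for the two tunnel ends, against the rules stated in the encapsulation-mode, esn enable, esp authentication-algorithm and esp encryption-algorithm sections above: combined mode ciphers only with ESP alone and without an ordinary ESP authentication algorithm, IKEv2-only and IKEv1-only keywords, the same first algorithm at both ends for manual and IKEv1 policies, and the same encapsulation mode and ESN setting at both ends. The TransformSet class, lint() and lint_pair() are this example's own model of the configuration, not device behaviour; the algorithm-strength remarks quote the requirement levels of RFC 8221.

```python
"""Lint IPsec transform sets against the rules stated in this command reference.

Added example, not H3C code.  TransformSet, lint() and lint_pair() are this
example's own; the strength remarks quote RFC 8221 requirement levels."""
from dataclasses import dataclass, field

# Keyword availability as documented in the esp authentication-algorithm and
# esp encryption-algorithm sections.
IKEV2_ONLY = {"aes-xcbc-mac", "aes-ctr-128", "aes-ctr-192", "aes-ctr-256",
              "camellia-cbc-128", "camellia-cbc-192", "camellia-cbc-256",
              "gmac-128", "gmac-192", "gmac-256", "gcm-128", "gcm-192", "gcm-256"}
IKEV1_ONLY = {"sm1-cbc-128", "sm4-cbc"}
COMBINED_MODE = {a for a in IKEV2_ONLY if a.startswith(("gcm-", "gmac-"))}
WEAK = {
    "md5": "HMAC-MD5-96 is MUST NOT in RFC 8221",
    "sha1": "HMAC-SHA1-96 is MUST- in RFC 8221; prefer sha256 or stronger",
    "des-cbc": "DES-CBC is MUST NOT in RFC 8221 (56-bit effective key)",
    "3des-cbc": "3DES-CBC is SHOULD NOT in RFC 8221 (112-bit effective key, 64-bit block)",
}


@dataclass
class TransformSet:
    name: str
    protocol: str                                        # "esp", "ah" or "ah-esp"
    esp_encryption: list = field(default_factory=list)   # keyword order = priority
    esp_authentication: list = field(default_factory=list)
    ah_authentication: list = field(default_factory=list)
    encapsulation: str = "tunnel"                        # command default
    esn: bool = False                                    # command default


def first(algs):
    return algs[0] if algs else None


def lint(ts, negotiation):
    """negotiation is 'manual', 'ikev1' or 'ikev2'.  Returns a list of findings."""
    issues = []
    uses_ah, uses_esp = "ah" in ts.protocol, "esp" in ts.protocol
    esp_algs = ts.esp_encryption + ts.esp_authentication
    combined = [a for a in ts.esp_encryption if a in COMBINED_MODE]
    if combined and uses_ah:
        issues.append(f"{ts.name}: combined-mode {combined} requires ESP alone, without AH")
    if combined and ts.esp_authentication:
        issues.append(f"{ts.name}: combined-mode {combined} cannot be used with ordinary "
                      f"ESP authentication algorithms {ts.esp_authentication}")
    if negotiation != "ikev2" and (bad := [a for a in esp_algs if a in IKEV2_ONLY]):
        issues.append(f"{ts.name}: {bad} are available only for IKEv2")
    if negotiation == "ikev2" and (bad := [a for a in esp_algs if a in IKEV1_ONLY]):
        issues.append(f"{ts.name}: {bad} are available only for IKEv1")
    if uses_esp and not esp_algs:
        issues.append(f"{ts.name}: incomplete, no ESP algorithm configured "
                      "(display ipsec transform-set shows State: incomplete)")
    elif uses_esp and not ts.esp_authentication and not combined:
        issues.append(f"{ts.name}: ESP has no integrity protection; add an "
                      "authentication algorithm or use a GCM cipher")
    for alg in esp_algs + ts.ah_authentication:
        if alg in WEAK:
            issues.append(f"{ts.name}: {alg}: {WEAK[alg]}")
    return issues


def lint_pair(local, remote, negotiation):
    """Check that the transform sets at both tunnel ends can actually agree."""
    issues = lint(local, negotiation) + lint(remote, negotiation)
    if local.encapsulation != remote.encapsulation:
        issues.append(f"encapsulation mode differs: {local.encapsulation} vs {remote.encapsulation}")
    if local.esn != remote.esn:
        issues.append("ESN must be enabled at both the initiator and the responder")
    if negotiation in ("manual", "ikev1"):
        # Only the first keyword takes effect, so the first keywords must match.
        for label, a, b in (("encryption", local.esp_encryption, remote.esp_encryption),
                            ("authentication", local.esp_authentication, remote.esp_authentication)):
            if first(a) != first(b):
                issues.append(f"first ESP {label} algorithm differs: {first(a)} vs {first(b)}")
    return issues


if __name__ == "__main__":
    # Constructed from the two transform sets in the display ipsec transform-set output above.
    complete = TransformSet("completeTransform", "ah-esp", ["aes-cbc-128"], ["sha1"],
                            ["sha1"], encapsulation="transport", esn=True)
    for finding in lint_pair(complete, complete, "ikev1"):
        print(finding)
    for finding in lint(TransformSet("mytransform", "esp"), "ikev1"):
        print(finding)
```

Feed it the transform sets from both peers before the tunnel is brought up: a mismatch in the first algorithm, the encapsulation mode or ESN is otherwise only visible as a failed negotiation.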

Examples

# Configure IPsec transform set tran1 to use the AES-CBC-128 algorithm as the ESP encryption algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

Related commands

ipsec transform-set

ike-profile

Use ike-profile to specify an IKE profile for an IPsec policy, IPsec profile, or IPsec policy template.

Use undo ike-profile to restore the default.

Syntax

ike-profile profile-name

undo ike-profile

Default

No IKE profile is specified.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKE profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If no IKE profile is specified for an IPsec policy, IPsec profile, or IPsec policy template, the device selects an IKE profile configured in system view for negotiation. If no IKE profile is configured in system view, the device uses the global IKE settings.

The IKE profile specified for an IPsec policy, IPsec profile, or IPsec policy template defines the parameters used for IKE negotiation.

You can specify only one IKE profile for an IPsec policy, IPsec profile, or IPsec policy template.

Examples

# Specify IKE profile profile1 for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ike-profile profile1

Related commands

ike profile

ikev2-profile

Use ikev2-profile to specify an IKEv2 profile for an IPsec policy, IPsec profile, or IPsec policy template.

Use undo ikev2-profile to restore the default.

Syntax

ikev2-profile profile-name

undo ikev2-profile

Default

No IKEv2 profile is specified.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

profile-name: Specifies an IKEv2 profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

The IKEv2 profile specified for an IPsec policy, IPsec profile, or IPsec policy template defines the parameters used for IKEv2 negotiation.

You can specify only one IKEv2 profile for an IPsec policy, IPsec profile, or IPsec policy template. On the initiator, an IKEv2 profile is required. On the responder, an IKEv2 profile is optional. If you do not specify an IKEv2 profile, the responder can use any IKEv2 profile for negotiation.

Examples

# Specify IKEv2 profile profile1 for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] ikev2-profile profile1

Related commands

display ipsec ipv6-policy

display ipsec policy

ikev2 profile

ipsec { ipv6-policy | policy }

Use ipsec { ipv6-policy | policy } to create an IPsec policy entry and enter its view, or enter the view of an existing IPsec policy entry.

Use undo ipsec { ipv6-policy | policy } to delete an IPsec policy.

Syntax

ipsec { ipv6-policy | policy } policy-name seq-number [ gdoi | isakmp | manual ]

undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]

Default

No IPsec policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy entry, in the range of 1 to 65535.

gdoi: Establishes IPsec SAs through Group Domain of Interpretation (GDOI) negotiation.

isakmp: Establishes IPsec SAs through IKE negotiation.

manual: Establishes IPsec SAs manually.

Usage guidelines

When you create an IPsec policy, you must specify the SA setup mode (gdoi, isakmp or manual). When you enter the view of an existing IPsec policy, you do not need to specify the SA setup mode.

You cannot change the SA setup mode of an existing IPsec policy.

An IPsec policy is a set of IPsec policy entries that have the same name but different sequence numbers. In the same IPsec policy, an IPsec policy entry with a smaller sequence number has a higher priority.

If you specify the seq-number argument, the undo command deletes the specified IPsec policy entry. If you do not specify this argument, the undo command deletes the specified IPsec policy.

An IPv4 IPsec policy and IPv6 IPsec policy can have the same name.

Examples

# Create an IKE-based IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100]

# Create a GDOI IPsec policy entry and enter the IPsec policy view. The policy name is policygdoi and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy policygdoi 100 gdoi

[Sysname-ipsec-policy-gdoi-policygdoi-100]

# Create a manual IPsec policy entry and enter the IPsec policy view. The policy name is policy1 and the sequence number is 101.

<Sysname> system-view

[Sysname] ipsec policy policy1 101 manual

[Sysname-ipsec-policy-manual-policy1-101]

Related commands

display ipsec { ipv6-policy | policy }

ipsec apply

ipsec { ipv6-policy | policy } isakmp template

Use ipsec { ipv6-policy | policy } isakmp template to create an IKE-based IPsec policy entry by using an IPsec policy template.

Use undo ipsec { ipv6-policy | policy } to delete an IPsec policy.

Syntax

ipsec { ipv6-policy | policy } policy-name seq-number isakmp template template-name

undo ipsec { ipv6-policy | policy } policy-name [ seq-number ]

Default

No IPsec policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies a name for the IPsec policy, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy, in the range of 1 to 65535. A smaller number indicates a higher priority.

isakmp template template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you specify the seq-number argument, the undo command deletes the specified IPsec policy entry. If you do not specify this argument, the undo command deletes the specified IPsec policy.

An interface applied with an IPsec policy that is configured by using an IPsec policy template cannot initiate an SA negotiation, but it can respond to a negotiation request. The parameters not defined in the template are determined by the initiator. When the remote end's information (such as the IP address) is unknown, this method allows the remote end to initiate negotiations with the local end.

Examples

# Create an IPsec policy entry by using IPsec policy template temp1, and specify the IPsec policy name as policy2 and the sequence number as 200.

<Sysname> system-view

[Sysname] ipsec policy policy2 200 isakmp template temp1

Related commands

display ipsec { ipv6-policy | policy }

ipsec { ipv6-policy-template | policy-template }

ipsec { ipv6-policy | policy } local-address

Use ipsec { ipv6-policy | policy } local-address to bind an IPsec policy to a source interface.

Use undo ipsec { ipv6-policy | policy } local-address to remove the binding between an IPsec policy and a source interface.

Syntax

ipsec { ipv6-policy | policy } policy-name local-address interface-type interface-number

undo ipsec { ipv6-policy | policy } policy-name local-address

Default

No IPsec policy is bound to a source interface.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters.

local-address interface-type interface-number: Specifies the shared source interface by its type and number.

Usage guidelines

For high availability, two interfaces can operate in backup mode. After an IPsec policy is applied to the two interfaces, they negotiate with their peers to establish IPsec SAs separately. When one interface fails and a link failover occurs, the other interface needs to take some time to renegotiate SAs, resulting in service interruption.

To solve these problems, bind a source interface to an IPsec policy and apply the policy to both interfaces. This enables the two physical interfaces to use the same source interface to negotiate IPsec SAs. As long as the source interface is up, the negotiated IPsec SAs will not be removed and will keep working, regardless of link failover.

After an IPsec policy is applied to a service interface and IPsec SAs have been established, if you bind the IPsec policy to a source interface, the existing IPsec SAs are deleted.

Only an IKE-based IPsec policy can be bound to a source interface.

An IPsec policy can be bound to only one source interface. If you execute this command multiple times, the most recent configuration takes effect.

A source interface can be bound to multiple IPsec policies.

As a best practice, use a stable interface, such as a Loopback interface, as a source interface.

Examples

# Bind IPsec policy map to source interface Loopback 11.

<Sysname> system-view

[Sysname] ipsec policy map local-address loopback 11

Related commands

ipsec { ipv6-policy | policy }

ipsec { ipv6-policy-template | policy-template }

Use ipsec { ipv6-policy-template | policy-template } to create an IPsec policy template entry and enter its view, or enter the view of an existing IPsec policy template entry.

Use undo ipsec { ipv6-policy-template | policy-template } to delete an IPsec policy template.

Syntax

ipsec { ipv6-policy-template | policy-template } template-name seq-number

undo ipsec { ipv6-policy-template | policy-template } template-name [ seq-number ]

Default

No IPsec policy templates exist.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-policy-template: Specifies an IPv6 IPsec policy template.

policy-template: Specifies an IPv4 IPsec policy template.

template-name: Specifies a name for the IPsec policy template, a case-insensitive string of 1 to 63 characters.

seq-number: Specifies a sequence number for the IPsec policy template entry, in the range of 1 to 65535. A smaller number indicates a higher priority.

Usage guidelines

The configurable parameters for an IPsec policy template are similar to the parameters that you use when you configure an IKE-based IPsec policy. However, all parameters except for the IPsec transform sets and the IKE peer are optional for an IPsec policy template.

An IPsec policy template is a set of IPsec policy template entries that have the same name but different sequence numbers.

With the seq-number argument specified, the undo command deletes an IPsec policy template entry.

An IPv4 IPsec policy template and an IPv6 IPsec policy template can have the same name.

Examples

# Create an IPsec policy template entry and enter the IPsec policy template view. The template name is template1 and the sequence number is 100.

<Sysname> system-view

[Sysname] ipsec policy-template template1 100

[Sysname-ipsec-policy-template-template1-100]

Related commands

display ipsec { ipv6-policy-template | policy-template }

ipsec { ipv6-policy | policy }

ipsec { ipv6-policy | policy } isakmp template

ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.

Syntax

ipsec anti-replay check

undo ipsec anti-replay check

Default

IPsec anti-replay checking is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste.

In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect manually created IPsec SAs.

Examples

# Enable IPsec anti-replay checking.

<Sysname> system-view

[Sysname] ipsec anti-replay check

Related commands

ipsec anti-replay window

ipsec anti-replay window

Use ipsec anti-replay window to set the anti-replay window size.

Use undo ipsec anti-replay window to restore the default.

Syntax

ipsec anti-replay window width

undo ipsec anti-replay window

Default

The anti-replay window size is 64.

Views

System view

Predefined user roles

network-admin

Parameters

width: Specifies the size for the anti-replay window. It can be 64, 128, 256, 512, 1024, 2048, or 4096 packets.

Usage guidelines

Service data packets might be received in a very different order than their original order, and the IPsec anti-replay feature might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

Changing the anti-replay window size affects only the IPsec SAs negotiated later.
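The following Python model is an added illustration, constructed for this page rather than taken from H3C code, of the sliding-window replay check described here and under ipsec anti-replay check. It runs one reordered arrival sequence through a 64-packet and a 128-packet window to show why a late packet is dropped at the default width but accepted at the wider one, while a genuinely replayed sequence number is dropped at both. Class and function names are the example's own.

```python
"""IPsec ESP anti-replay sliding window (constructed example, not H3C code)."""


class AntiReplayWindow:
    """Sliding-window replay detector in the style of RFC 4303 Appendix A.

    ``width`` mirrors the sizes accepted by ``ipsec anti-replay window``.
    The check runs before de-encapsulation, but the window is only advanced
    (``commit``) after the packet's integrity check has passed, so an
    unauthenticated packet with a high sequence number cannot slide the
    window forward and cause legitimate traffic to be dropped.
    """

    VALID_WIDTHS = (64, 128, 256, 512, 1024, 2048, 4096)

    def __init__(self, width: int = 64) -> None:
        if width not in self.VALID_WIDTHS:
            raise ValueError(f"unsupported window width {width}")
        self.width = width
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def check(self, seq: int) -> tuple[bool, str]:
        """Pre-decapsulation check. Returns (accept, reason)."""
        if seq == 0:
            return False, "invalid sequence number 0"
        if seq > self.top:
            return True, "new high sequence number"
        diff = self.top - seq
        if diff >= self.width:
            return False, f"older than window (top={self.top}, width={self.width})"
        if (self.bitmap >> diff) & 1:
            return False, "replayed sequence number"
        return True, "inside window, not yet seen"

    def commit(self, seq: int) -> None:
        """Advance the window once the packet's integrity check succeeded."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.width:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.width) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> tuple[bool, str]:
        """Full receive path: check first, commit only if authentication passed."""
        accept, reason = self.check(seq)
        if accept and icv_ok:
            self.commit(seq)
            return True, reason
        if accept:
            return False, "authentication failed; window not advanced"
        return False, reason


def simulate(width: int, arrivals: list[int]) -> dict[str, list[int]]:
    """Feed an arrival order through a window and group sequence numbers by outcome."""
    win = AntiReplayWindow(width)
    out = {"accepted": [], "dropped_old": [], "dropped_replay": []}
    for seq in arrivals:
        accept, reason = win.receive(seq)
        if accept:
            out["accepted"].append(seq)
        elif reason.startswith("replayed"):
            out["dropped_replay"].append(seq)
        else:
            out["dropped_old"].append(seq)
    return out


# Constructed arrival order: packets 1..199 arrive in order except that
# packet 100 is delayed until after packet 199; then packet 150 is replayed.
ARRIVALS = [s for s in range(1, 200) if s != 100] + [100, 150]

if __name__ == "__main__":
    for w in (64, 128):
        r = simulate(w, ARRIVALS)
        late = "accepted" if 100 in r["accepted"] else "dropped as too old"
        print(f"width={w}: late packet 100 {late}; "
              f"replayed 150 dropped: {150 in r['dropped_replay']}")
```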

Examples

# Set the size of the anti-replay window to 128.

<Sysname> system-view

[Sysname] ipsec anti-replay window 128

Related commands

ipsec anti-replay check

ipsec apply

Use ipsec apply to apply an IPsec policy to an interface.

Use undo ipsec apply to remove an IPsec policy application from an interface.

Syntax

ipsec apply { ipv6-policy | policy } policy-name

undo ipsec apply { ipv6-policy | policy }

Default

No IPsec policy is applied to an interface.

Views

Interface view

Predefined user roles

network-admin

Parameters

ipv6-policy: Specifies an IPv6 IPsec policy.

policy: Specifies an IPv4 IPsec policy.

policy-name: Specifies an IPsec policy name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

On an interface, you can apply a maximum of two IPsec policies: one IPv4 IPsec policy and one IPv6 IPsec policy.

An IKE-based IPsec policy that is bound to a source interface can be applied to multiple interfaces. A manual IPsec policy can be applied to only one interface.

Examples

# Apply IPsec policy policy1 to GigabitEthernet 0/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/0/1

[Sysname-GigabitEthernet0/0/1] ipsec apply policy policy1

Related commands

display ipsec { ipv6-policy | policy }

ipsec { ipv6-policy | policy }

ipsec decrypt-check enable

Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets.

Use undo ipsec decrypt-check enable to disable ACL checking for de-encapsulated IPsec packets.

Syntax

ipsec decrypt-check enable

undo ipsec decrypt-check enable

Default

ACL checking for de-encapsulated IPsec packets is enabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security.

Examples

# Enable ACL checking for de-encapsulated IPsec packets.

<Sysname> system-view

[Sysname] ipsec decrypt-check enable

ipsec df-bit

Use ipsec df-bit to configure the DF bit for the outer IP header of IPsec packets on an interface.

Use undo ipsec df-bit to restore the default.

Syntax

ipsec df-bit { clear | copy | set }

undo ipsec df-bit

Default

The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used.

Views

Interface view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

If multiple interfaces use an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent the IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on GigabitEthernet 0/0/2.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/0/2

[Sysname-GigabitEthernet0/0/2] ipsec df-bit set

Related commands

ipsec global-df-bit

ipsec fragmentation

Use ipsec fragmentation to configure the IPsec fragmentation feature.

Use undo ipsec fragmentation to restore the default.

Syntax

ipsec fragmentation { after-encryption | before-encryption }

undo ipsec fragmentation

Default

The device fragments packets before IPsec encapsulation.

Views

System view

Predefined user roles

network-admin

Parameters

after-encryption: Fragments packets after IPsec encapsulation.

before-encryption: Fragments packets before IPsec encapsulation.

Usage guidelines

If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.

If you configure the device to fragment packets after IPsec encapsulation, the device directly encapsulates the packets and fragments the encapsulated packets in subsequent service modules.
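As an added worked example, constructed for this page and not H3C code, the following Python sizes an ESP tunnel-mode packet before encapsulation and applies the DF-bit and fragmentation rules from the ipsec df-bit, ipsec global-df-bit and ipsec fragmentation guidelines. The per-packet overheads (outer IPv4 header, SPI and sequence number, a 16-byte IV, 2-byte trailer, and a 12-byte ICV, typical of aes-cbc-128 with a truncated HMAC) are assumptions of the example, not values stated on this page, and all function names are the example's own.

```python
"""ESP tunnel-mode sizing and DF-bit decision model (constructed example, not H3C code)."""
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # outer IP header added in tunnel mode (assumed IPv4, no options)
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)


@dataclass(frozen=True)
class EspTransform:
    """Overheads of one transform set; these sizes are assumptions of this example."""
    name: str
    iv_len: int
    block_len: int
    icv_len: int


AES_CBC_128_SHA1 = EspTransform("aes-cbc-128/hmac-sha1-96", iv_len=16, block_len=16, icv_len=12)


def esp_tunnel_size(inner_len: int, tf: EspTransform) -> int:
    """Wire length after ESP tunnel-mode encapsulation of an inner IPv4 packet."""
    payload = inner_len + ESP_TRAILER          # everything that gets encrypted
    pad = (-payload) % tf.block_len            # pad up to the cipher block size
    return OUTER_IPV4_HDR + ESP_HDR + tf.iv_len + payload + pad + tf.icv_len


def max_inner_len(mtu: int, tf: EspTransform) -> int:
    """Largest inner packet that still fits the output MTU after encapsulation."""
    fixed = OUTER_IPV4_HDR + ESP_HDR + tf.iv_len + tf.icv_len
    encrypted_max = ((mtu - fixed) // tf.block_len) * tf.block_len
    return encrypted_max - ESP_TRAILER


def outer_df(inner_df: bool, df_mode: str) -> bool:
    """Outer-header DF bit under the clear / copy / set keywords of ipsec df-bit."""
    return {"clear": False, "set": True, "copy": inner_df}[df_mode]


def pre_encap_decision(inner_len: int, inner_df: bool, mtu: int, tf: EspTransform) -> str:
    """Decision for fragmentation before encapsulation (this page's default mode):
    the device sizes the would-be encapsulated packet before encrypting it."""
    if esp_tunnel_size(inner_len, tf) <= mtu:
        return "forward"
    if inner_df:
        return "drop-icmp"               # inner DF set: drop and send an ICMP error
    return "fragment-before-encap"       # inner DF clear: fragment, then encapsulate


def path_outcome(inner_len: int, inner_df: bool, df_mode: str,
                 path_mtu: int, tf: EspTransform) -> str:
    """What happens to an already-encapsulated packet on a path with a smaller MTU."""
    if esp_tunnel_size(inner_len, tf) <= path_mtu:
        return "delivered"
    return "dropped-in-path" if outer_df(inner_df, df_mode) else "fragmented-in-path"


if __name__ == "__main__":
    tf = AES_CBC_128_SHA1
    print("largest inner packet for a 1500-byte MTU:", max_inner_len(1500, tf))
    for inner in (1400, 1438, 1439, 1500):
        print(f"inner={inner} -> {esp_tunnel_size(inner, tf)} bytes on the wire, "
              f"DF set: {pre_encap_decision(inner, True, 1500, tf)}, "
              f"DF clear: {pre_encap_decision(inner, False, 1500, tf)}")
    print("1438-byte packet, df-bit set, path MTU 1400:",
          path_outcome(1438, True, "set", 1400, tf))
```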

Examples

# Configure the device to fragment packets after IPsec encapsulation.

<Sysname> system-view

[Sysname] ipsec fragmentation after-encryption

ipsec global-df-bit

Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces.

Use undo ipsec global-df-bit to restore the default.

Syntax

ipsec global-df-bit { clear | copy | set }

undo ipsec global-df-bit

Default

The DF bit setting of the original IP header is copied to the outer IP header for IPsec packets.

Views

System view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on all interfaces.

<Sysname> system-view

[Sysname] ipsec global-df-bit set

Related commands

ipsec df-bit

ipsec limit max-tunnel

Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels.

Use undo ipsec limit max-tunnel to restore the default.

Syntax

ipsec limit max-tunnel tunnel-limit

undo ipsec limit max-tunnel

Default

 

Views

System view

Predefined user roles

network-admin

Parameters

tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295.

Usage guidelines

To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels. To ensure service availability when memory is insufficient, decrease the maximum number of IPsec tunnels.

Examples

# Set the maximum number of IPsec tunnels to 5000.

<Sysname> system-view

[Sysname] ipsec limit max-tunnel 5000

Related commands

ike limit

ipsec logging negotiation enable

Use ipsec logging negotiation enable to enable logging for IPsec negotiation.

Use undo ipsec logging negotiation enable to disable logging for IPsec negotiation.

Syntax

ipsec logging negotiation enable

undo ipsec logging negotiation enable

Default

Logging for IPsec negotiation is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This command enables the device to output logs for the IPsec negotiation process.

Examples

# Enable logging for IPsec negotiation.

<Sysname> system-view

[Sysname] ipsec logging negotiation enable

ipsec logging packet enable

Use ipsec logging packet enable to enable logging for IPsec packets.

Use undo ipsec logging packet enable to disable logging for IPsec packets.

Syntax

ipsec logging packet enable

undo ipsec logging packet enable

Default

Logging for IPsec packets is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.

Examples

# Enable logging for IPsec packets.

<Sysname> system-view

[Sysname] ipsec logging packet enable

ipsec no-nat-process enable

Use ipsec no-nat-process enable to enable the IPsec no NAT feature.

Use undo ipsec no-nat-process enable to restore the default.

Syntax

ipsec no-nat-process enable

undo ipsec no-nat-process enable

Default

The IPsec no NAT feature is disabled.

Views

Interface view

Predefined user roles

network-admin

vsys-admin

Usage guidelines

CAUTION:

This feature affects NAT processing. Use it with caution.

On an interface where both IPsec and NAT are configured, the device performs NAT processing before IPsec processing for outgoing packets. Packets after NAT cannot be identified by IPsec. For packets to be protected by IPsec correctly on the interface, you need to deploy complicated configuration to identify traffic for NAT and that for IPsec.

After the IPsec no NAT feature is enabled, the device does not perform NAT for the traffic to be processed by IPsec. So, you do not need to distinguish traffic for NAT and IPsec, reducing the configuration complexity.

Examples

# Enable the IPsec no NAT feature on interface GigabitEthernet 0/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 0/0/1

[Sysname-GigabitEthernet0/0/1] ipsec no-nat-process enable

ipsec profile

Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.

Use undo ipsec profile to delete an IPsec profile.

Syntax

ipsec profile profile-name [ isakmp | manual | sdwan ]

undo ipsec profile profile-name

Default

No IPsec profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.

isakmp: Specifies the IPsec SA setup mode as IKE.

manual: Specifies the IPsec SA setup mode as manual.

sdwan: Specifies the IPsec SA setup mode as SDWAN.

Usage guidelines

When you create an IPsec profile, you must specify the IPsec SA setup mode (isakmp, manual, or sdwan). When you enter the view of an existing IPsec profile, you do not need to specify the IPsec SA setup mode.

A manual IPsec profile is similar to a manual IPsec policy. It is used exclusively for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.

An IKE-based IPsec profile is similar to an IKE-based IPsec policy. It uses IKE negotiation to establish IPsec SAs to protect IPv4 and IPv6 application protocols, such as ADVPN. An IKE-based IPsec profile does not require you to specify the remote end address or an ACL.

An SDWAN IPsec profile is used to generate IPsec SAs on SDWAN devices. It is applied to an SDWAN tunnel interface to protect all the traffic routed to the interface. You do not need to specify the remote end address or an ACL.

Examples

# Create a manual IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1]

# Create an IKE-based IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 isakmp

[Sysname-ipsec-profile-isakmp-profile1]

# Create an SDWAN IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 sdwan

[Sysname-ipsec-profile-sdwan-profile1]

Related commands

display ipsec profile

ipsec redundancy enable

Use ipsec redundancy enable to enable IPsec redundancy.

Use undo ipsec redundancy enable to disable IPsec redundancy.

Syntax

ipsec redundancy enable

undo ipsec redundancy enable

Default

IPsec redundancy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With IPsec redundancy enabled, the system synchronizes the following information from the active device to the standby device at configurable intervals:

·     Lower bound values of the IPsec anti-replay window for inbound packets.

·     IPsec anti-replay sequence numbers for outbound packets.

The synchronization ensures uninterrupted IPsec traffic forwarding and anti-replay protection when the active device fails.

To configure synchronization intervals, use the redundancy replay-interval command.

Examples

# Enable IPsec redundancy.

<Sysname> system-view

[Sysname] ipsec redundancy enable

Related commands

redundancy replay-interval

ipsec sa global-duration

Use ipsec sa global-duration to configure the global IPsec SA lifetime.

Use undo ipsec sa global-duration to restore the default.

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

Default

The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 Kilobytes.

Views

System view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 Kilobytes. When traffic on an SA reaches this value, the SA expires.

Usage guidelines

You can also configure IPsec SA lifetimes in IPsec policy view or IPsec policy template view. The device prefers the IPsec SA lifetimes configured in IPsec policy view or IPsec policy template view over the global IPsec SA lifetimes.

When IKE negotiates IPsec SAs, it uses the local lifetime settings or those proposed by the peer, whichever are smaller.

An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires. Before the IPsec SA expires, IKE negotiates a new IPsec SA, which takes over immediately after its creation.

Examples

# Configure the global IPsec SA lifetime as 7200 seconds.

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Configure the global IPsec SA lifetime as 10240 Kilobytes.

[Sysname] ipsec sa global-duration traffic-based 10240

Related commands

display ipsec sa

sa duration

ipsec sa global-soft-duration buffer

Use ipsec sa global-soft-duration buffer to set the global time-based or traffic-based IPsec SA soft lifetime buffer.

Use undo ipsec sa global-soft-duration buffer to restore the default.

Syntax

ipsec sa global-soft-duration buffer { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-soft-duration buffer { time-based | traffic-based }

Default

The global time-based and traffic-based IPsec SA soft lifetime buffers are not configured.

Views

System view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based IPsec SA soft lifetime buffer, in seconds. The value range is 20 to 201600.

traffic-based kilobytes: Specifies the traffic-based IPsec SA soft lifetime buffer, in Kilobytes. The value range is 1000 to 4294901760.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IPsec SA soft lifetime buffers are used to determine the IPsec SA soft lifetimes.

If no IPsec SA soft lifetime buffers are configured, the system calculates a default time-based and a default traffic-based IPsec SA soft lifetime.

If IPsec SA soft lifetime buffers are configured, the system calculates IPsec SA soft lifetimes as follows:

·     Time-based IPsec SA soft lifetime = time-based IPsec SA lifetime – time-based IPsec SA soft lifetime buffer.

If the calculated time-based IPsec SA soft lifetime is shorter than or equal to 20 seconds, the system uses the default time-based IPsec SA soft lifetime.

·     Traffic-based IPsec SA soft lifetime = traffic-based IPsec SA lifetime – traffic-based IPsec SA soft lifetime buffer.

If the calculated traffic-based IPsec SA soft lifetime is smaller than or equal to 1000 Kilobytes, the system uses the default traffic-based IPsec SA soft lifetime.

You can also configure IPsec SA soft lifetime buffers in IPsec policy view or IPsec profile view. The device prefers the IPsec SA lifetime buffers configured in IPsec policy view or IPsec profile view over the global lifetime buffers configured in system view.

Examples

# Set the global time-based IPsec SA soft lifetime buffer to 600 seconds.

<Sysname> system-view

[Sysname] ipsec sa global-soft-duration buffer time-based 600

# Set the global traffic-based IPsec SA soft lifetime buffer to 10000 Kilobytes.

<Sysname> system-view

[Sysname] ipsec sa global-soft-duration buffer traffic-based 10000

Related commands

sa soft-duration buffer

ipsec sa idle-time

Use ipsec sa idle-time to enable the global IPsec SA idle timeout feature and set the idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.

Use undo ipsec sa idle-time to disable the global IPsec SA idle timeout feature.

Syntax

ipsec sa idle-time seconds

undo ipsec sa idle-time

Default

The global IPsec SA idle timeout feature is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.

Usage guidelines

This feature applies only to IPsec SAs negotiated by IKE.

The IPsec SA idle timeout can also be configured in IPsec policy view, IPsec profile view, or IPsec policy template view. A timeout configured in one of those views takes precedence over the global IPsec SA idle timeout.

Examples

# Enable the global IPsec SA idle timeout feature and set the IPsec SA idle timeout to 600 seconds.

<Sysname> system-view

[Sysname] ipsec sa idle-time 600

Related commands

display ipsec sa

sa idle-time

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set.

Use undo ipsec transform-set to delete an IPsec transform set.

Syntax

ipsec transform-set transform-set-name

undo ipsec transform-set transform-set-name

Default

No IPsec transform sets exist.

Views

System view

Predefined user roles

network-admin

Parameters

transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPsec transform set, part of an IPsec policy, defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, authentication algorithms, and encapsulation mode.

Examples

# Create an IPsec transform set named tran1 and enter its view.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-transform-set-tran1]

Related commands

display ipsec transform-set

local-address

Use local-address to configure the local IP address for the IPsec tunnel.

Use undo local-address to restore the default.

Syntax

local-address { ipv4-address | ipv6 ipv6-address }

undo local-address

Default

The primary IPv4 address of the interface to which the IPsec policy is applied is used as the local IPv4 address. The first IPv6 address of the interface to which the IPsec policy is applied is used as the local IPv6 address.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv4-address: Specifies the local IPv4 address for the IPsec tunnel.

ipv6 ipv6-address: Specifies the local IPv6 address for the IPsec tunnel.

Usage guidelines

The remote IP address on the IKE negotiation initiator must be the same as the local address on the IKE negotiation responder.

In a VRRP network, the local IP address must be the virtual IP address of the VRRP group to which the IPsec-applied interface belongs.

Examples

# Configure local address 1.1.1.1 for the IPsec tunnel.

<Sysname> system-view

[Sysname] ipsec policy map 1 isakmp

[Sysname-ipsec-policy-isakmp-map-1] local-address 1.1.1.1

Related commands

remote-address

pfs

Use pfs to enable the Perfect Forward Secrecy (PFS) feature for an IPsec transform set.

Use undo pfs to restore the default.

Syntax

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group24 }

undo pfs

Default

The PFS feature is disabled for the IPsec transform set.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

dh-group1: Uses 768-bit Diffie-Hellman group.

dh-group2: Uses 1024-bit Diffie-Hellman group.

dh-group5: Uses 1536-bit Diffie-Hellman group.

dh-group14: Uses 2048-bit Diffie-Hellman group.

dh-group19: Uses 256-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group20: Uses 384-bit ECP Diffie-Hellman group. This keyword is available only for IKEv2.

dh-group24: Uses 2048-bit and 256-bit subgroup Diffie-Hellman group.

Usage guidelines

In terms of security and required calculation time, the following groups are in descending order:

·     384-bit ECP Diffie-Hellman group (dh-group20).

·     256-bit ECP Diffie-Hellman group (dh-group19).

·     2048-bit and 256-bit subgroup Diffie-Hellman group (dh-group24).

·     2048-bit Diffie-Hellman group (dh-group14).

·     1536-bit Diffie-Hellman group (dh-group5).

·     1024-bit Diffie-Hellman group (dh-group2).

·     768-bit Diffie-Hellman group (dh-group1).

If IKEv1 is used, the security level of the Diffie-Hellman group of the initiator must be higher than or equal to that of the responder. This restriction does not apply to IKEv2.

The end without the PFS feature performs IKE negotiation according to the PFS requirements of the peer end.
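The following Python snippet is an added illustration of the rules above (it is not H3C code). It encodes the strength ordering of the PFS groups, the IKEv2-only restriction on dh-group19 and dh-group20, the IKEv1 rule that the initiator's group must be at least as strong as the responder's, and the behaviour of an end that has no PFS configured (it follows the peer). The function and return shape are assumptions made for this example.

```python
"""Check whether two IPsec peers' PFS settings can negotiate, following the
rules stated for the pfs command. Added example, not H3C code."""

# Strength ranking from the usage guidelines, strongest first.
PFS_GROUPS_BY_STRENGTH = [
    "dh-group20",  # 384-bit ECP
    "dh-group19",  # 256-bit ECP
    "dh-group24",  # 2048-bit MODP with 256-bit subgroup
    "dh-group14",  # 2048-bit MODP
    "dh-group5",   # 1536-bit MODP
    "dh-group2",   # 1024-bit MODP
    "dh-group1",   # 768-bit MODP
]
IKEV2_ONLY = {"dh-group19", "dh-group20"}


def strength(group):
    """Higher number = stronger group (dh-group20 -> 7, dh-group1 -> 1)."""
    return len(PFS_GROUPS_BY_STRENGTH) - PFS_GROUPS_BY_STRENGTH.index(group)


def pfs_compatible(ike_version, initiator_group, responder_group):
    """Return (ok, reason). None for a group means PFS is disabled on that end.

    Rules encoded from the command reference:
    - dh-group19 and dh-group20 are available only for IKEv2;
    - an end without PFS follows the peer's PFS requirement;
    - with IKEv1 the initiator's group must be at least as strong as the
      responder's, while IKEv2 has no such restriction.
    """
    for group in (initiator_group, responder_group):
        if group is not None and group not in PFS_GROUPS_BY_STRENGTH:
            return False, f"unknown PFS group {group}"
        if ike_version == 1 and group in IKEV2_ONLY:
            return False, f"{group} is available only for IKEv2"
    if initiator_group is None or responder_group is None:
        return True, "one end has no PFS and follows the peer"
    if ike_version == 1 and strength(initiator_group) < strength(responder_group):
        return False, "IKEv1: initiator group is weaker than responder group"
    return True, "compatible"


if __name__ == "__main__":
    # Constructed inputs: a headquarters responder on dh-group14 and two branches.
    print(pfs_compatible(1, "dh-group14", "dh-group5"))   # IKEv1, initiator stronger: ok
    print(pfs_compatible(1, "dh-group5", "dh-group14"))   # IKEv1, initiator weaker: rejected
    print(pfs_compatible(2, "dh-group5", "dh-group14"))   # IKEv2: no ordering restriction
```

The ordering check is the practical point: with IKEv1 a branch router that is left on dh-group5 cannot bring up a tunnel to a headquarters responder on dh-group14, so the weakest group in the deployment is the one the responders effectively accept.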

Examples

# Enable PFS using 2048-bit Diffie-Hellman group for IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] pfs dh-group14

policy enable

Use policy enable to enable an IPsec policy entry or IPsec policy template entry.

Use undo policy enable to disable an IPsec policy entry or IPsec policy template entry.

Syntax

policy enable

undo policy enable

Default

An IPsec policy entry or IPsec policy template entry is enabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

This command applies only to IKE-based IPsec policies and IKE-based IPsec policy templates.

You can use this command to disable an IPsec policy entry or IPsec policy template entry without deleting the entry. Disabling an IPsec policy entry or IPsec policy template entry will delete all IPsec SAs established based on that entry. A disabled IPsec policy entry or IPsec policy template entry cannot be used for SA negotiation until it is enabled.

Examples

# Disable the IPsec policy entry whose name is policy1 and sequence number is 10.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] undo policy enable

protocol

Use protocol to specify a security protocol for an IPsec transform set.

Use undo protocol to restore the default.

Syntax

protocol { ah | ah-esp | esp }

undo protocol

Default

The IPsec transform set uses the ESP protocol.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

ah: Specifies the AH protocol.

ah-esp: Specifies using the ESP protocol first and then using the AH protocol.

esp: Specifies the ESP protocol.

Usage guidelines

The two tunnel ends must use the same security protocol in the IPsec transform set.

Examples

# Specify the AH protocol for the IPsec transform set.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] protocol ah

qos pre-classify

Use qos pre-classify to enable the QoS pre-classify feature.

Use undo qos pre-classify to disable the QoS pre-classify feature.

Syntax

qos pre-classify

undo qos pre-classify

Default

The QoS pre-classify feature is disabled. QoS uses the new IP header of IPsec packets to perform traffic classification.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

The QoS pre-classify feature enables QoS to classify packets by using the IP header of the original IP packets.

Examples

# Enable the QoS pre-classify feature.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] qos pre-classify

redundancy replay-interval

Use redundancy replay-interval to set the anti-replay window lower bound value synchronization interval for inbound packets and the sequence number synchronization interval for outbound packets.

Use undo redundancy replay-interval to restore the default.

Syntax

redundancy replay-interval inbound inbound-interval outbound outbound-interval

undo redundancy replay-interval

Default

The active device synchronizes the anti-replay window lower bound value every time it receives 1000 packets and synchronizes the sequence number every time it sends 100000 packets.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

inbound inbound-interval: Specifies the interval at which the active device synchronizes the lower bound value of the IPsec anti-replay window to the standby device. This interval is expressed in the number of received packets, in the range of 0 to 1000. If you set the value to 0, the lower bound value of the anti-replay window will not be synchronized.

outbound outbound-interval: Specifies the interval at which the active device synchronizes the IPsec anti-replay sequence number to the standby device. This interval is expressed in the number of sent packets, in the range of 1000 to 100000.

Usage guidelines

The intervals take effect only after you enable IPsec redundancy by using the ipsec redundancy enable command.

A short interval improves the anti-replay information consistency between the active device and the standby device, but it sacrifices the forwarding performance of the devices.
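The simulation below is an added example (not H3C code) of the consistency trade-off described for the inbound interval. An active device runs a sliding anti-replay window and, every inbound-interval received packets, passes only the window's lower bound to the standby, as the command describes; after a failover the standby starts an empty window at that bound. The window width of 64 and the assumption that the standby has no per-packet bitmap are made for this illustration, not taken from the page.

```python
"""Simulate anti-replay window lower-bound synchronization between an
active and a standby IPsec device. Added example, not H3C code."""

WINDOW_SIZE = 64  # assumed anti-replay window width for the illustration


class AntiReplayWindow:
    """Sliding anti-replay window: each sequence number is accepted once."""

    def __init__(self, lower_bound=0):
        self.lower_bound = lower_bound  # smallest sequence number inside the window
        self.seen = set()               # accepted sequence numbers inside the window

    def check_and_update(self, seq):
        """Return True if seq is fresh (and record it), False if it is a replay."""
        if seq < self.lower_bound:
            return False                # below the window: too old
        if seq in self.seen:
            return False                # already accepted: replay
        self.seen.add(seq)
        upper = self.lower_bound + WINDOW_SIZE - 1
        if seq > upper:                 # slide the window forward
            self.lower_bound = seq - WINDOW_SIZE + 1
            self.seen = {s for s in self.seen if s >= self.lower_bound}
        return True


class RedundantPair:
    """Active device that syncs its window lower bound to the standby every
    `inbound_interval` received packets; 0 means the bound is never synced."""

    def __init__(self, inbound_interval):
        self.inbound_interval = inbound_interval
        self.active = AntiReplayWindow()
        self.standby_lower_bound = 0    # last value the standby learned
        self.received = 0

    def receive(self, seq):
        self.received += 1              # the interval counts received packets
        accepted = self.active.check_and_update(seq)
        if self.inbound_interval and self.received % self.inbound_interval == 0:
            self.standby_lower_bound = self.active.lower_bound
        return accepted

    def failover(self):
        """Standby takes over with only the synced lower bound (assumption:
        it has no bitmap of individual accepted sequence numbers)."""
        return AntiReplayWindow(self.standby_lower_bound)


def replay_exposure_after_failover(inbound_interval, packets_before_failover, replayed_seqs):
    """Count previously accepted sequence numbers the standby would accept
    again after failover. A shorter sync interval gives a smaller count."""
    pair = RedundantPair(inbound_interval)
    for seq in range(1, packets_before_failover + 1):
        pair.receive(seq)
    standby = pair.failover()
    return sum(1 for seq in replayed_seqs if standby.check_and_update(seq))


if __name__ == "__main__":
    # Constructed scenario: 1000 packets received, then every one of them replayed.
    for interval in (0, 300, 100):
        print(interval, replay_exposure_after_failover(interval, 1000, range(1, 1001)))
```

With inbound 0 the standby accepts every replayed packet after a failover; with a sync every 100 packets the exposure shrinks to the window width plus whatever arrived since the last sync. That is the consistency gain the short interval buys, and the per-sync cost is what the page means by sacrificed forwarding performance.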

Examples

# Set the anti-replay window lower bound value synchronization interval for inbound packets to 800. Set the sequence number synchronization interval for outbound packets to 50000.

<Sysname> system-view

[Sysname] ipsec policy test 1 manual

[Sysname-ipsec-policy-manual-test-1] redundancy replay-interval inbound 800 outbound 50000

Related commands

ipsec anti-replay check

ipsec anti-replay window

ipsec redundancy enable

remote-address

Use remote-address to configure the remote IP address for the IPsec tunnel.

Use undo remote-address to restore the default.

Syntax

remote-address { [ ipv6 ] host-name | ipv4-address | ipv6 ipv6-address }

undo remote-address

Default

No remote IP address is configured for the IPsec tunnel.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies the remote address or host name of an IPv6 IPsec tunnel. To specify the remote address or host name of an IPv4 IPsec tunnel, do not specify this keyword.

host-name: Specifies the remote host name, a case-insensitive string of 1 to 253 characters. The host name can be resolved to an IP address by the DNS server.

ipv4-address: Specifies a remote IPv4 address.

ipv6-address: Specifies a remote IPv6 address.

Usage guidelines

This remote IP address configuration is required on the IKE negotiation initiator and optional on the responder if the responder uses an IPsec policy template.

A manual IPsec policy does not support DNS. Therefore, you must specify a remote IP address rather than a remote host name for the manual IPsec policy.

If you configure a remote host name, make sure the local end can always resolve the host name into the latest IP address of the remote end.

·     If a DNS server is used for resolution, the local end queries the remote IP address again from the DNS server after the previously cached remote IP address expires. This mechanism ensures that the local end can always obtain the latest remote IP address.

·     If a static DNS entry is used for resolution, you must reconfigure the remote-address command whenever the remote IP address changes. Without the reconfiguration, the local end cannot obtain the latest remote IP address.

For example, the local end has a static DNS entry which maps the host name test to the IP address 1.1.1.1. Configure the following commands:

# Configure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test

# Change the IP address for the host test to 2.2.2.2.

[Sysname] ip host test 2.2.2.2

In this case, you must reconfigure the remote host name for the IPsec policy policy1 so that the local end can obtain the latest IP address of the remote host.

# Reconfigure the remote host name to test for the IPsec tunnel in the IPsec policy policy1.

[Sysname] ipsec policy policy1 1 isakmp

[Sysname-ipsec-policy-isakmp-policy1-1] remote-address test

Examples

# Specify remote IP address 10.1.1.2 for the IPsec tunnel.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 manual

[Sysname-ipsec-policy-manual-policy1-10] remote-address 10.1.1.2

Related commands

ip host (Layer 3—IP Services Command Reference)

local-address

reset ipsec sa

Use reset ipsec sa to clear IPsec SAs.

Syntax

reset ipsec sa [ { ipv6-policy | policy } policy-name [ seq-number ] | profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]

Views

User view

Predefined user roles

network-admin

Parameters

{ ipv6-policy | policy } policy-name [ seq-number ]: Clears IPsec SAs for the specified IPsec policy.

·     ipv6-policy: Specifies an IPv6 IPsec policy.

·     policy: Specifies an IPv4 IPsec policy.

·     policy-name: Specifies the name of the IPsec policy, a case-insensitive string of 1 to 63 characters.

·     seq-number: Specifies the sequence number of an IPsec policy entry, in the range of 1 to 65535. If you do not specify this argument, all the entries in the IPsec policy are specified.

profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.

remote: Clears IPsec SAs for the specified remote address.

ipv4-address: Specifies a remote IPv4 address.

ipv6 ipv6-address: Specifies a remote IPv6 address.

spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.

·     ipv4-address: Specifies a remote IPv4 address.

·     ipv6 ipv6-address: Specifies a remote IPv6 address.

·     ah: Specifies the AH protocol.

·     esp: Specifies the ESP protocol.

spi-num: Specifies the security parameter index in the range of 256 to 4294967295.

Usage guidelines

If you do not specify any parameters, this command clears all IPsec SAs.

If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).

An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.

After a manual IPsec SA is cleared, the system automatically creates a new SA based on the parameters of the IPsec policy. After IKE negotiated SAs are cleared, the system creates new SAs only when IKE negotiation is triggered by packets.
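The following Python model is an added example (not H3C code) of the selection rules in the usage guidelines: an outbound SA is matched by the full remote-address, protocol, SPI triplet, an inbound SA by its SPI alone, and the matched SA is cleared together with every SA from the same negotiation, which covers the reverse direction and, for ah-esp, the other protocol. The IpsecSa record, the negotiation_id field, and the sample SA table are assumptions constructed for the illustration.

```python
"""Model the SA selection performed by reset ipsec sa. Added example, not H3C code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class IpsecSa:
    remote: str          # remote tunnel address
    protocol: str        # "ah" or "esp"
    spi: int
    direction: str       # "inbound" or "outbound"
    negotiation_id: int  # assumed: identifies the IKE exchange that produced the SA


# Constructed sample: one ah-esp negotiation (id 1) and one esp negotiation (id 2)
# with 10.1.1.2, and one esp negotiation (id 3) with 10.1.1.3.
SAMPLE_SAS = [
    IpsecSa("10.1.1.2", "ah",  256,  "inbound",  1),
    IpsecSa("10.1.1.2", "ah",  3001, "outbound", 1),
    IpsecSa("10.1.1.2", "esp", 257,  "inbound",  1),
    IpsecSa("10.1.1.2", "esp", 3002, "outbound", 1),
    IpsecSa("10.1.1.2", "esp", 258,  "inbound",  2),
    IpsecSa("10.1.1.2", "esp", 3003, "outbound", 2),
    IpsecSa("10.1.1.3", "esp", 259,  "inbound",  3),
    IpsecSa("10.1.1.3", "esp", 3004, "outbound", 3),
]


def find_by_triplet(sas, remote, protocol, spi):
    """Identification rule from the page: an inbound SA is identified by its
    SPI alone (the other two values may be any valid value), an outbound SA
    by the whole triplet. Returns the first matching SA or None."""
    for sa in sas:
        if sa.direction == "inbound" and sa.spi == spi:
            return sa
        if sa.direction == "outbound" and (sa.remote, sa.protocol, sa.spi) == (remote, protocol, spi):
            return sa
    return None


def reset_ipsec_sa(sas, remote=None, triplet=None):
    """Return (remaining, cleared).

    - no arguments: clear every SA;
    - remote=...: clear every SA to that remote address;
    - triplet=(remote, protocol, spi): clear the matching SA and all SAs that
      were established in the same negotiation.
    """
    if triplet is not None:
        target = find_by_triplet(sas, *triplet)
        if target is None:
            return list(sas), []
        cleared = [sa for sa in sas if sa.negotiation_id == target.negotiation_id]
    elif remote is not None:
        cleared = [sa for sa in sas if sa.remote == remote]
    else:
        cleared = list(sas)
    remaining = [sa for sa in sas if sa not in cleared]
    return remaining, cleared


if __name__ == "__main__":
    # Mirrors "reset ipsec sa spi 10.1.1.2 ah 256": the AH inbound SA matches,
    # so all four SAs of negotiation 1 (both directions, AH and ESP) go.
    remaining, cleared = reset_ipsec_sa(SAMPLE_SAS, triplet=("10.1.1.2", "ah", 256))
    for sa in cleared:
        print("cleared", sa)
    print(len(remaining), "SAs remain")
```

Two consequences worth checking on a live device after such a reset: the inbound match ignores the address, so the SPI alone decides which negotiation is torn down, and an outbound triplet with the wrong remote address matches nothing and clears nothing.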

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the inbound and outbound IPsec SAs for the triplet of SPI 256, remote IP address 10.1.1.2, and security protocol AH.

<Sysname> reset ipsec sa spi 10.1.1.2 ah 256

# Clear all IPsec SAs for remote IP address 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

# Clear all IPsec SAs for entry 10 of IPsec policy policy1.

<Sysname> reset ipsec sa policy policy1 10

# Clear all IPsec SAs for IPsec policy policy1.

<Sysname> reset ipsec sa policy policy1

Related commands

display ipsec sa

reset ipsec sdwan-sa

Use reset ipsec sdwan-sa to clear SDWAN IPsec SAs.

Syntax

reset ipsec sdwan-sa [ local [ interface tunnel tunnel-number ] | remote ]

Views

User view

Predefined user roles

network-admin

Parameters

local: Clears local SDWAN IPsec SAs.

interface: Clears SDWAN IPsec SAs on an interface.

tunnel tunnel-number: Specifies an SDWAN tunnel interface by the tunnel interface number.

remote: Clears remote SDWAN IPsec SAs.

Usage guidelines

If you do not specify any parameters, this command clears all SDWAN IPsec SAs.

After the local SDWAN IPsec SAs are cleared, the device will regenerate the SDWAN IPsec SAs according to the IPsec configuration and synchronize them to the remote device.

After the remote SDWAN IPsec SAs saved locally are cleared, the device will re-obtain the SDWAN IPsec SAs from the remote device.

Examples

# Clear all local SDWAN IPsec SAs.

<RouterA> reset ipsec sdwan-sa local

# Clear local SDWAN IPsec SAs on tunnel 1.

<RouterA> reset ipsec sdwan-sa local interface tunnel 1

# Clear all remote SDWAN IPsec SAs.

<RouterA> reset ipsec sdwan-sa remote

Related commands

display ipsec sdwan-sa

reset ipsec sdwan-statistics

Use reset ipsec sdwan-statistics to clear packet statistics on SDWAN IPsec SA tunnels.

Syntax

reset ipsec sdwan-statistics [ tunnel-id tunnel-id ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967294. If you do not specify an IPsec tunnel, this command clears packet statistics on all SDWAN IPsec tunnels.

Examples

# Clear packet statistics on all SDWAN IPsec tunnels.

<RouterA> reset ipsec sdwan-statistics

Related commands

display ipsec sdwan-statistics

reset ipsec sdwan-tunnel

Use reset ipsec sdwan-tunnel to clear information about SDWAN IPsec tunnels.

Syntax

reset ipsec sdwan-tunnel [ tunnel-id tunnel-id ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by the tunnel ID. The value range for the tunnel-id argument is 0 to 4294967294. If you do not specify an IPsec tunnel, this command clears information about all SDWAN IPsec tunnels.

Usage guidelines

In an SDWAN network, IPsec establishes tunnels between SDWAN devices to protect data transmitted in between. Such IPsec tunnels are referred to as SDWAN IPsec tunnels.

Examples

# Clear information about SDWAN IPsec tunnel 1.

<Sysname> reset ipsec sdwan-tunnel tunnel-id 1

Related commands

display ipsec sdwan-tunnel

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax

reset ipsec statistics [ tunnel-id tunnel-id ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967294. If you do not specify this option, the command clears all IPsec packet statistics.

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

Related commands

display ipsec statistics

reverse-route dynamic

Use reverse-route dynamic to enable IPsec reverse route inject (RRI).

Use undo reverse-route dynamic to disable IPsec RRI.

Syntax

reverse-route [ next-hop [ ipv6 ] ip-address ] dynamic

undo reverse-route dynamic

Default

IPsec RRI is disabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

next-hop: Specifies a next hop IP address for the IPsec RRI-created static route. If you do not specify a next hop IP address, the static route uses the remote IP address of the IPsec tunnel as the next hop IP address.

ipv6: Specifies an IPv6 address.

ip-address: Specifies the next hop IPv4 or IPv6 address.

Usage guidelines

IPsec RRI is usually used on a gateway device at the headquarters side in an IPsec VPN. After IPsec RRI is enabled for an IPsec policy or an IPsec policy template on a gateway device, the gateway device automatically creates a static route upon IPsec SA creation according to this IPsec policy or IPsec policy template. By default, the static route uses the protected peer private network as the destination IP address and the remote IP address of the IPsec tunnel as the next hop address. If there are multiple paths to the remote tunnel end, you can use the next-hop keyword to specify a next hop IP address for the static route.

When you enable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created according to this IPsec policy. When the IPsec SAs are renegotiated, the static routes are created.

When you disable IPsec RRI for an IPsec policy, the device deletes all IPsec SAs that are created according to this IPsec policy, and the associated static routes.

To display the static routes created by RRI, use the display ip routing-table command.

Examples

# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified IPsec policy. The destination IP address is the protected peer private network 3.0.0.0/24, and the next hop is the IP address (1.1.1.2) of the remote tunnel interface.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route dynamic

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. You can see a created static route. (Other information is not shown.)

[Sysname] display ip routing-table

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

3.0.0.0/24          Static 60   0            1.1.1.2         GE0/0/1

# Enable IPsec RRI to create a static route according to the IPsec SA negotiated by the specified IPsec policy. Set the next hop IP address of the static route to 2.2.2.3.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route next-hop 2.2.2.3 dynamic

[Sysname-ipsec-policy-isakmp-1-1] quit

# Display the routing table. You can see a created static route. (Other information is not shown.)

[Sysname] display ip routing-table

Destination/Mask    Proto  Pre  Cost         NextHop         Interface

4.0.0.0/24          Static 60   0            2.2.2.3         GE0/0/1

Related commands

display ip routing-table (Layer 3—IP Routing Command Reference)

ipsec policy

ipsec policy-template

reverse-route preference

Use reverse-route preference to set the preference of the static routes created by IPsec RRI.

Use undo reverse-route preference to restore the default.

Syntax

reverse-route preference number

undo reverse-route preference

Default

The preference for the static routes created by IPsec RRI is 60.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

number: Specifies a preference value. The value range is 1 to 255. A smaller value represents a higher preference.

Usage guidelines

When you change this preference in an IPsec policy, the device deletes all IPsec SAs created according to this IPsec policy, and the associated static routes.

Examples

# Change the preference to 100 for static routes created by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route preference 100

Related commands

ipsec policy

ipsec policy-template

reverse-route tag

Use reverse-route tag to set a route tag for the static routes created by IPsec RRI.

Use undo reverse-route tag to restore the default.

Syntax

reverse-route tag tag-value

undo reverse-route tag

Default

The route tag value is 0 for the static routes created by IPsec RRI.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

tag-value: Specifies a tag value. The value range is 1 to 4294967295.

Usage guidelines

The tag value set by this command helps in implementing flexible route control through routing policies.

When you change this tag value in an IPsec policy, the device deletes all IPsec SAs created by this IPsec policy, and all associated static routes.

Examples

# Set the tag value to 50 for the static routes created by IPsec RRI.

<Sysname> system-view

[Sysname] ipsec policy 1 1 isakmp

[Sysname-ipsec-policy-isakmp-1-1] reverse-route tag 50

Related commands

ipsec policy

ipsec policy-template

sa df-bit

Use sa df-bit to configure the DF bit for the outer IP header of IPsec packets.

Use undo sa df-bit to restore the default.

Syntax

sa df-bit { clear | copy | set }

undo sa df-bit

Default

The DF bit is not configured for the outer IP header of IPsec packets. The interface-specific or global DF bit setting is used.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command is supported only when the IKE negotiation mode is used for IPsec SA setup.

This command does not change the DF bit for the original IP header of IPsec packets.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. If the DF bit is set, make sure the path MTU is larger than the IPsec packet size to prevent the IPsec packets from being discarded. Clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

If the DF bit setting is not configured in the IPsec policy, IPsec profile, or IPsec policy template, the interface-specific DF bit setting is used. If the interface-specific DF bit setting is not configured either, the global DF bit setting is used.

Examples

# Set the DF bit in the outer IP header of IPsec packets in IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa df-bit set

Related commands

ipsec df-bit

ipsec global-df-bit

sa duration

Use sa duration to set an SA lifetime.

Use undo sa duration to remove an SA lifetime.

Syntax

sa duration { time-based seconds | traffic-based kilobytes }

undo sa duration { time-based | traffic-based }

Default

The SA lifetime of an IPsec policy, IPsec profile, or IPsec policy template is the current global SA lifetime.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based SA lifetime in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based SA lifetime in the range of 2560 to 4294967295 Kilobytes. An SDWAN IPsec profile does not support this option.

Usage guidelines

IKE prefers the SA lifetime of the IPsec policy, IPsec profile, or IPsec policy template over the global SA lifetime configured by the ipsec sa global-duration command. If the IPsec policy, IPsec profile, or IPsec policy template is not configured with the SA lifetime, IKE uses the global SA lifetime for SA negotiation.

During SA negotiation, IKE selects the shorter SA lifetime between the local SA lifetime and the remote SA lifetime.

Examples

# Set the SA lifetime to 7200 seconds for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration time-based 7200

# Set the SA lifetime to 20 MB for IPsec policy policy1. The IPsec SA expires after transmitting 20480 Kilobytes.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 isakmp

[Sysname-ipsec-policy-isakmp-policy1-100] sa duration traffic-based 20480

# Set the SA lifetime to 500 seconds for SDWAN IPsec profile profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 sdwan

[Sysname-ipsec-profile-sdwan-profile1] sa duration time-based 500

Related commands

display ipsec sa

ipsec sa global-duration

sa hex-key authentication

Use sa hex-key authentication to configure a hexadecimal authentication key for manual IPsec SAs.

Use undo sa hex-key authentication to remove the hexadecimal authentication key.

Syntax

sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } string

undo sa hex-key authentication { inbound | outbound } { ah | esp }

Default

No hexadecimal authentication key is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal authentication key for the inbound SA.

outbound: Specifies a hexadecimal authentication key for the outbound SA.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its plaintext form is a case-insensitive hexadecimal string, which is 16 bytes for HMAC-MD5, 32 bytes for HMAC-SM3, and 20 bytes for HMAC-SHA1. Its encrypted form is a case-sensitive string of 1 to 85 characters.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set an authentication key for both the inbound and outbound SAs.

The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

If you execute this command multiple times for the same protocol and direction, the most recent configuration takes effect.

Examples

# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00

Related commands

display ipsec sa

sa string-key

sa hex-key encryption

Use sa hex-key encryption to configure a hexadecimal encryption key for manual IPsec SAs.

Use undo sa hex-key encryption to remove the hexadecimal encryption key.

Syntax

sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

undo sa hex-key encryption { inbound | outbound } esp

Default

No hexadecimal encryption key is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal encryption key for the inbound SA.

outbound: Specifies a hexadecimal encryption key for the outbound SA.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.

The following matrix shows the key length for the algorithms:

Algorithm      Key length (bytes)
DES-CBC        8
3DES-CBC       24
AES128-CBC     16
AES192-CBC     24
AES256-CBC     32
SM1128-CBC     16
SM4128-CBC     16

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set an encryption key for both the inbound and outbound SAs.

The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.

The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

If you execute this command multiple times for the same direction, the most recent configuration takes effect.
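The validator below is an added example (not H3C code) that applies the requirements stated for both sa hex-key authentication and sa hex-key encryption to a pair of manual SA configurations before they are typed into two routers: every direction needs both keys, each plaintext key must be a hexadecimal string of the byte length the algorithm needs (16 bytes for HMAC-MD5, 20 for HMAC-SHA1, 32 for HMAC-SM3; encryption lengths from the matrix above), and the local inbound key must equal the remote outbound key and vice versa. The dictionary layout of the keys, the function name, and the sample keys (taken from the examples on this page and mirrored for the remote end) are constructed for the illustration.

```python
"""Validate plaintext hexadecimal keys for a manual IPsec SA pair against the
length and pairing rules of sa hex-key authentication/encryption.
Added example, not H3C code."""

import binascii

ENCRYPTION_KEY_BYTES = {  # key length matrix from the sa hex-key encryption command
    "des-cbc": 8, "3des-cbc": 24, "aes128-cbc": 16, "aes192-cbc": 24,
    "aes256-cbc": 32, "sm1128-cbc": 16, "sm4128-cbc": 16,
}
AUTHENTICATION_KEY_BYTES = {  # from the sa hex-key authentication command
    "hmac-md5": 16, "hmac-sha1": 20, "hmac-sm3": 32,
}


def parse_hex_key(text):
    """Decode a case-insensitive hex string to bytes; raise ValueError if invalid."""
    try:
        return binascii.unhexlify(text)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"not a valid hexadecimal key ({exc})") from exc


def check_manual_sa_keys(local, remote, enc_alg, auth_alg):
    """Return a list of problems; an empty list means the two ends can pair up.

    `local` and `remote` map (direction, kind) tuples, with direction in
    {"inbound", "outbound"} and kind in {"encryption", "authentication"},
    to plaintext hex strings (assumed layout for this example).
    """
    problems = []
    expected = {"encryption": ENCRYPTION_KEY_BYTES[enc_alg],
                "authentication": AUTHENTICATION_KEY_BYTES[auth_alg]}
    decoded = {}
    for end_name, keys in (("local", local), ("remote", remote)):
        for direction in ("inbound", "outbound"):
            for kind, length in expected.items():
                text = keys.get((direction, kind))
                if text is None:  # both directions are required by the page
                    problems.append(f"{end_name}: missing {direction} {kind} key")
                    continue
                try:
                    raw = parse_hex_key(text)
                except ValueError as exc:
                    problems.append(f"{end_name} {direction} {kind}: {exc}")
                    continue
                if len(raw) != length:
                    problems.append(f"{end_name} {direction} {kind}: {len(raw)} bytes, need {length}")
                decoded[(end_name, direction, kind)] = raw
    # Pairing rule: local inbound == remote outbound, local outbound == remote inbound.
    for kind in expected:
        for ldir, rdir in (("inbound", "outbound"), ("outbound", "inbound")):
            lk = decoded.get(("local", ldir, kind))
            rk = decoded.get(("remote", rdir, kind))
            if lk is not None and rk is not None and lk != rk:
                problems.append(f"{kind}: local {ldir} key differs from remote {rdir} key")
    return problems


# Constructed sample: the keys from this page's examples on the local end,
# mirrored on the remote end (DES-CBC with HMAC-MD5 lengths).
LOCAL_KEYS = {
    ("inbound", "authentication"):  "112233445566778899aabbccddeeff00",
    ("outbound", "authentication"): "aabbccddeeff001100aabbccddeeff00",
    ("inbound", "encryption"):      "1234567890abcdef",
    ("outbound", "encryption"):     "abcdefabcdef1234",
}
REMOTE_KEYS = {(("outbound" if d == "inbound" else "inbound"), k): v
               for (d, k), v in LOCAL_KEYS.items()}

if __name__ == "__main__":
    print(check_manual_sa_keys(LOCAL_KEYS, REMOTE_KEYS, "des-cbc", "hmac-md5"))   # []
    print(check_manual_sa_keys(LOCAL_KEYS, REMOTE_KEYS, "aes128-cbc", "hmac-md5"))  # 4 length errors
```

Running the check with the intended algorithm on both ends catches the usual manual-SA failures (a key pasted with a missing nibble, a 3DES key used with AES, or inbound and outbound swapped on one router) before the tunnel silently fails to come up.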

Examples

# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption inbound esp simple 1234567890abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa hex-key encryption outbound esp simple abcdefabcdef1234

Related commands

display ipsec sa

sa string-key

sa idle-time

Use sa idle-time to set the IPsec SA idle timeout. If no traffic matches an IPsec SA within the idle timeout interval, the IPsec SA is deleted.

Use undo sa idle-time to restore the default.

Syntax

sa idle-time seconds

undo sa idle-time

Default

An IPsec policy, IPsec profile, or IPsec policy template uses the global IPsec SA idle timeout.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

seconds: Specifies the IPsec SA idle timeout in the range of 60 to 86400 seconds.

Usage guidelines

This feature applies only to IPsec SAs negotiated by IKE and takes effect after the ipsec sa idle-time command is configured.

The IPsec SA idle timeout configured by this command takes precedence over the global IPsec SA timeout configured by the ipsec sa idle-time command. If the IPsec policy, IPsec profile, or IPsec policy template is not configured with the SA idle timeout, IKE uses the global SA idle timeout.

Examples

# Set the IPsec SA idle timeout to 600 seconds for IPsec policy map.

<Sysname> system-view

[Sysname] ipsec policy map 100 isakmp

[Sysname-ipsec-policy-isakmp-map-100] sa idle-time 600

Related commands

display ipsec sa

ipsec sa idle-time

sa soft-duration buffer

Use sa soft-duration buffer to set the time-based or traffic-based IPsec SA soft lifetime buffer.

Use undo sa soft-duration buffer to restore the default.

Syntax

sa soft-duration buffer { time-based seconds | traffic-based kilobytes }

undo sa soft-duration buffer { time-based | traffic-based }

Default

The time-based and traffic-based IPsec SA soft lifetime buffers are not configured.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based IPsec SA soft lifetime buffer in seconds. The value range is 20 to 201600.

traffic-based kilobytes: Specifies the traffic-based IPsec SA soft lifetime buffer in Kilobytes. The value range is 1000 to 4294901760.

Usage guidelines

This command takes effect only when IKEv1 is used.

The IPsec SA soft lifetime buffers are used to determine the IPsec SA soft lifetimes.

If no IPsec SA soft lifetime buffers are configured, the system calculates a default time-based and a default traffic-based IPsec SA soft lifetime.

If IPsec SA soft lifetime buffers are configured, the system calculates IPsec SA soft lifetimes as follows:

·     Time-based IPsec SA soft lifetime = time-based IPsec SA lifetime – time-based IPsec SA soft lifetime buffer.

If the calculated time-based IPsec SA soft lifetime is shorter than or equal to 20 seconds, the system uses the default time-based IPsec SA soft lifetime.

·     Traffic-based IPsec SA soft lifetime = traffic-based IPsec SA lifetime – traffic-based IPsec SA soft lifetime buffer.

If the calculated traffic-based IPsec SA soft lifetime is smaller than or equal to 1000 Kilobytes, the system uses the default traffic-based IPsec SA soft lifetime.

Examples

# Set the time-based IPsec SA soft lifetime buffer to 600 seconds in IPsec policy example 1.

<Sysname> system-view

[Sysname] ipsec policy example 1 isakmp

[Sysname-ipsec-policy-isakmp-example-1] sa soft-duration buffer time-based 600

# Set the traffic-based IPsec SA soft lifetime buffer to 10000 Kilobytes in IPsec policy example 1.

<Sysname> system-view

[Sysname] ipsec policy example 1 isakmp

[Sysname-ipsec-policy-isakmp-example-1] sa soft-duration buffer traffic-based 10000

Related commands

ipsec sa global-soft-duration buffer

sa spi

Use sa spi to configure an SPI for IPsec SAs.

Use undo sa spi to remove the SPI.

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Default

No SPI is configured for IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies an SPI for inbound SAs.

outbound: Specifies an SPI for outbound SAs.

ah: Uses AH.

esp: Uses ESP.

spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must configure an SPI for both inbound and outbound SAs, and make sure each SA is unique: for an outbound SA, its triplet (remote IP address, security protocol, and SPI) must be unique; for an inbound SA, its SPI must be unique.

The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.

When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same SPI.

·     The IPsec SAs on the devices in the same scope must have the same SPI. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP4+, the scope consists of BGP4+ peers or a BGP4+ peer group.

Examples

# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec policy.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa spi inbound ah 10000

[Sysname-ipsec-policy-manual-policy1-100] sa spi outbound ah 20000

Related commands

display ipsec sa

sa string-key

Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.

Use undo sa string-key to remove the key string.

Syntax

sa string-key { inbound | outbound } { ah | esp } [ cipher | simple ] string

undo sa string-key { inbound | outbound } { ah | esp }

Default

No key string is configured for manual IPsec SAs.

Views

IPsec policy view

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Sets a key string for inbound IPsec SAs.

outbound: Sets a key string for outbound IPsec SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key string in encrypted form.

simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.

Usage guidelines

This command applies only to manual IPsec policies and IPsec profiles.

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same key.

·     The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For BGP, the scope consists of BGP peers or a BGP peer group.

If you execute this command multiple times, the most recent configuration takes effect.
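The SPI and key rules of sa spi, sa string-key and sa hex-key above (SPI range, both directions configured, unique inbound SPIs, unique outbound triplets, local inbound mirroring remote outbound, and one key format at both ends) can be checked before the configuration is pushed to two routers. The following lint is an added example, not H3C code; the peer names, addresses and keys are constructed samples.

```python
"""Pre-deployment lint for a manual IPsec SA pair between two tunnel ends.
Added example, not H3C code: it encodes the sa spi, sa string-key and
sa hex-key rules from this reference. All peer data below is constructed."""
from dataclasses import dataclass

SPI_MIN, SPI_MAX = 256, 4294967295


@dataclass(frozen=True)
class ManualSA:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "ah" or "esp"
    spi: int         # value given to sa spi
    key_format: str  # "hex" for sa hex-key, "string" for sa string-key
    key: str         # key as typed on the CLI (sample values only)


@dataclass
class Peer:
    name: str
    address: str     # tunnel endpoint address
    sas: list


def _dir(peer, direction):
    return [sa for sa in peer.sas if sa.direction == direction]


def check_peer(peer):
    """Rules one device can check on its own."""
    errors = []
    for sa in peer.sas:
        if not SPI_MIN <= sa.spi <= SPI_MAX:
            errors.append(f"{peer.name}: SPI {sa.spi} out of range")
    for direction in ("inbound", "outbound"):  # both directions are mandatory
        if not _dir(peer, direction):
            errors.append(f"{peer.name}: no {direction} SA")
    inbound = [sa.spi for sa in _dir(peer, "inbound")]
    if len(inbound) != len(set(inbound)):  # inbound SAs are looked up by SPI alone
        errors.append(f"{peer.name}: duplicate inbound SPI")
    if len({sa.key_format for sa in peer.sas}) > 1:
        errors.append(f"{peer.name}: mixed hex and string keys")
    return errors


def check_pair(local, remote):
    """Rules that tie the two tunnel ends together."""
    errors = check_peer(local) + check_peer(remote)
    # Outbound SAs are identified by the (remote address, protocol, SPI) triplet.
    triplets = [(remote.address, sa.protocol, sa.spi) for sa in _dir(local, "outbound")]
    if len(triplets) != len(set(triplets)):
        errors.append(f"{local.name}: duplicate outbound triplet")
    # Local inbound must mirror remote outbound (and vice versa) in SPI, key and key format.
    for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l_view = {(sa.protocol, sa.spi, sa.key_format, sa.key) for sa in _dir(local, l_dir)}
        r_view = {(sa.protocol, sa.spi, sa.key_format, sa.key) for sa in _dir(remote, r_dir)}
        if l_view != r_view:
            errors.append(f"{local.name} {l_dir} does not match {remote.name} {r_dir}")
    return errors


# Constructed sample peers mirroring the sa spi and sa string-key examples in this reference.
GOOD_A = Peer("routerA", "192.0.2.1", [ManualSA("inbound", "ah", 10000, "string", "abcdef"),
                                       ManualSA("outbound", "ah", 20000, "string", "efcdab")])
GOOD_B = Peer("routerB", "192.0.2.2", [ManualSA("inbound", "ah", 20000, "string", "efcdab"),
                                       ManualSA("outbound", "ah", 10000, "string", "abcdef")])
# Same SPIs, but this peer typed its keys with sa hex-key: the tunnel cannot be established.
BAD_B = Peer("routerB", "192.0.2.2", [ManualSA("inbound", "ah", 20000, "hex", "efcdab"),
                                      ManualSA("outbound", "ah", 10000, "hex", "abcdef")])
```

`check_pair(GOOD_A, GOOD_B)` returns an empty list, while `check_pair(GOOD_A, BAD_B)` reports a mismatch in both directions because the key formats differ.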

Examples

# Configure the inbound and outbound SAs that use AH to use plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-policy-manual-policy1-100] sa string-key outbound ah simple efcdab

# In an IPv6 IPsec policy, configure the inbound and outbound SAs that use AH to use plaintext key abcdef.

<Sysname> system-view

[Sysname] ipsec ipv6-policy policy1 100 manual

[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key inbound ah simple abcdef

[Sysname-ipsec-ipv6-policy-manual-policy1-100] sa string-key outbound ah simple abcdef

Related commands

display ipsec sa

sa hex-key

sa trigger-mode

Use sa trigger-mode to set the IPsec SA negotiation triggering mode.

Use undo sa trigger-mode to restore the default.

Syntax

sa trigger-mode { auto | traffic-based }

undo sa trigger-mode

Default

IPsec SA negotiation is triggered when traffic requires IPsec protection.

Views

IPsec policy view

Predefined user roles

network-admin

Parameters

auto: Triggers IPsec SA negotiation when required IPsec configuration is complete.

traffic-based: Triggers IPsec SA negotiation when traffic requires IPsec protection.

Usage guidelines

You can specify the IPsec SA negotiation triggering mode only for IKE-based IPsec policies.

Compared to the auto mode, the traffic-based mode is more economical in terms of resource usage because it triggers IPsec SA negotiation only when traffic requires IPsec protection. However, the traffic-based mode leaves traffic unprotected before IPsec SAs are successfully established.

The IPsec SA negotiation triggering modes on the local and remote ends of an IPsec tunnel can be different.

Modifying the IPsec SA negotiation triggering mode does not affect existing IPsec SAs.

If the IPsec SA negotiation triggering mode is set to auto, change the mode to traffic-based as a best practice after IPsec SA establishment is complete.

Examples

# Set the IPsec SA negotiation triggering mode to auto for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] sa trigger-mode auto

security acl

Use security acl to specify an ACL for an IPsec policy or IPsec policy template.

Use undo security acl to restore the default.

Syntax

security acl [ ipv6 ] { acl-number | name acl-name } [ aggregation | per-host ]

undo security acl

Default

An IPsec policy or IPsec policy template does not use any ACL.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Parameters

ipv6: Specifies an IPv6 ACL.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

aggregation: Specifies the data protection mode as aggregation. The device does not support protecting IPv6 data flows in aggregation mode.

per-host: Specifies the data protection mode as per-host.

Usage guidelines

An IKE-based IPsec policy supports the following data flow protection modes:

·     Standard mode—One IPsec tunnel protects one data flow. The data flow permitted by an ACL rule is protected by one IPsec tunnel that is established solely for it. The standard mode is used if you do not specify the aggregation or the per-host mode.

·     Aggregation mode—One IPsec tunnel protects all data flows permitted by all the rules of an ACL. This mode is only used to communicate with old-version devices.

·     Per-host mode—One IPsec tunnel protects one host-to-host data flow. One host-to-host data flow is identified by one ACL rule and protected by one IPsec tunnel established solely for it. This mode consumes more system resources when multiple data flows exist between two subnets to be protected.

A manual IPsec policy supports only the aggregation mode.
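The resource difference between the three modes is easiest to see as a tunnel count. The following added example (not H3C code) applies the definitions above to ACL rules modelled as (source, source wildcard, destination, destination wildcard) tuples; the per-host figure is an upper bound, since per-host tunnels are established only for host pairs that actually exchange traffic.

```python
"""Upper bound on IPsec tunnels for each data flow protection mode.
Added example, not H3C code: it applies the standard / aggregation / per-host
definitions from the security acl usage guidelines to a list of ACL rules."""
import ipaddress


def _host_count(wildcard: str) -> int:
    """Hosts matched by an IPv4 address/wildcard pair: one per combination of the wildcard's 1 bits."""
    return 1 << bin(int(ipaddress.IPv4Address(wildcard))).count("1")


def tunnel_bounds(rules) -> dict:
    """Maximum number of IPsec tunnels the policy can create in each mode."""
    per_host = 0
    for _src, src_wc, _dst, dst_wc in rules:
        # Per-host mode: one tunnel per (source host, destination host) pair within the rule.
        per_host += _host_count(src_wc) * _host_count(dst_wc)
    return {
        "standard": len(rules),            # one tunnel per ACL rule
        "aggregation": 1 if rules else 0,  # one tunnel for all rules of the ACL
        "per-host": per_host,
    }


# Constructed sample: the two rules of ACL 3002 from the security acl examples.
ACL_3002 = [
    ("10.1.2.1", "0.0.0.255", "10.1.2.2", "0.0.0.255"),
    ("10.1.3.1", "0.0.0.255", "10.1.3.2", "0.0.0.255"),
]

if __name__ == "__main__":
    print(tunnel_bounds(ACL_3002))  # {'standard': 2, 'aggregation': 1, 'per-host': 131072}
```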

If the specified ACL does not exist or does not contain rules, the IPsec policy does not take effect.

If the vpn-instance keyword is specified in an ACL rule, the rule applies only to VPN packets. If the vpn-instance keyword is not specified in an ACL rule, the rule applies only to public network packets.

Examples

# Specify IPv4 advanced ACL 3001 for IPsec policy policy1.

<Sysname> system-view

[Sysname] acl advanced 3001

[Sysname-acl-ipv4-adv-3001] rule permit tcp source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255

[Sysname-acl-ipv4-adv-3001] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] security acl 3001

# Specify IPv4 advanced ACL 3002 for IPsec policy policy2 and specify the data protection mode as aggregation.

<Sysname> system-view

[Sysname] acl advanced 3002

[Sysname-acl-ipv4-adv-3002] rule 0 permit ip source 10.1.2.1 0.0.0.255 destination 10.1.2.2 0.0.0.255

[Sysname-acl-ipv4-adv-3002] rule 1 permit ip source 10.1.3.1 0.0.0.255 destination 10.1.3.2 0.0.0.255

[Sysname-acl-ipv4-adv-3002] quit

[Sysname] ipsec policy policy2 1 isakmp

[Sysname-ipsec-policy-isakmp-policy2-1] security acl 3002 aggregation

Related commands

display ipsec sa

display ipsec tunnel

snmp-agent trap enable ipsec

Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.

Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.

Syntax

snmp-agent trap enable ipsec [ auth-failure | connection-start | connection-stop | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

undo snmp-agent trap enable ipsec [ auth-failure | connection-start | connection-stop | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

Default

All SNMP notifications for IPsec are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies notifications about authentication failures.

connection-start: Specifies notifications about successful establishment of the first IPsec tunnel under IPsec policy entries with the same description.

connection-stop: Specifies notifications about successful removal of the last IPsec tunnel under IPsec policy entries with the same description.

decrypt-failure: Specifies notifications about decryption failures.

encrypt-failure: Specifies notifications about encryption failures.

global: Specifies notifications globally.

invalid-sa-failure: Specifies notifications about invalid-SA failures.

no-sa-failure: Specifies notifications about SA-not-found failures.

policy-add: Specifies notifications about events of adding IPsec policies.

policy-attach: Specifies notifications about events of applying IPsec policies to interfaces.

policy-delete: Specifies notifications about events of deleting IPsec policies.

policy-detach: Specifies notifications about events of removing IPsec policies from interfaces.

tunnel-start: Specifies notifications about events of creating IPsec tunnels.

tunnel-stop: Specifies notifications about events of deleting IPsec tunnels.

Usage guidelines

If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.

To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:

1.     Enable SNMP notifications for IPsec globally.

2.     Enable SNMP notifications for the failure type or event type.

Examples

# Enable SNMP notifications for IPsec globally.

<Sysname> system-view

[Sysname] snmp-agent trap enable ipsec global

# Enable SNMP notifications for events of creating IPsec tunnels.

[Sysname] snmp-agent trap enable ipsec tunnel-start

tfc enable

Use tfc enable to enable Traffic Flow Confidentiality (TFC) padding.

Use undo tfc enable to disable TFC padding.

Syntax

tfc enable

undo tfc enable

Default

TFC padding is disabled.

Views

IPsec policy view

IPsec policy template view

Predefined user roles

network-admin

Usage guidelines

TFC padding applies only to IPsec SAs negotiated by IKEv2.

TFC padding can hide the length of the original packet, and might affect the packet encapsulation and de-encapsulation performance. This feature takes effect on UDP packets encapsulated by ESP in transport mode and on original IP packets encapsulated by ESP in tunnel mode.

Examples

# Enable TFC padding for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec policy policy1 10 isakmp

[Sysname-ipsec-policy-isakmp-policy1-10] tfc enable

Related commands

display ipsec ipv6-policy

display ipsec policy

transform-set

Use transform-set to specify an IPsec transform set for an IPsec policy, IPsec profile, or IPsec policy template.

Use undo transform-set to remove the IPsec transform set specified for an IPsec policy, IPsec profile, or IPsec policy template.

Syntax

transform-set transform-set-name&<1-6>

undo transform-set [ transform-set-name ]

Default

No IPsec transform set is specified for an IPsec policy, IPsec profile, or IPsec policy template.

Views

IPsec policy view

IPsec policy template view

IPsec profile view

Predefined user roles

network-admin

Parameters

transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets. The specified transform set names must be different. A transform set name is a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one IPsec transform set for a manual IPsec policy. If you execute this command multiple times, the most recent configuration takes effect.

You can specify a maximum of six IPsec transform sets for an IKE-based IPsec policy. During an IKE negotiation, IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match is found, no SA can be set up, and the packets expecting to be protected will be dropped.

If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec policy, IPsec profile, or IPsec policy template.

Examples

# Specify IPsec transform set prop1 for IPsec policy policy1.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] quit

[Sysname] ipsec policy policy1 100 manual

[Sysname-ipsec-policy-manual-policy1-100] transform-set prop1

Related commands

ipsec { ipv6-policy | policy }

ipsec profile

ipsec transform-set

tunnel protection ipsec

Use tunnel protection ipsec to apply an IPsec profile to a tunnel interface.

Use undo tunnel protection ipsec to restore the default.

Syntax

tunnel protection ipsec profile profile-name [ acl [ ipv6 ] { acl-number | name acl-name } ]

undo tunnel protection ipsec profile

Default

No IPsec profile is applied to a tunnel interface.

Views

Tunnel interface view

Predefined user roles

network-admin

Parameters

profile profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters. The specified IPsec profile must be an IKE-based IPsec profile.

ipv6: Specifies an IPv6 ACL. To specify an IPv4 ACL, do not specify this keyword.

acl-number: Specifies an ACL by its number in the range of 3000 to 3999.

name acl-name: Specifies an ACL by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

After an IPsec profile is applied to a tunnel interface, the peers negotiate an IPsec tunnel through IKE to protect data transmitted through the tunnel interface.

If you specify an ACL when applying an IPsec profile to a tunnel interface, only the ACL-permitted data on the tunnel interface can be protected by IPsec. To protect the traffic of a VPN instance on the tunnel interface, do not specify the VPN instance in the ACL; if you do so, the IPsec profile cannot initiate IPsec negotiation. Instead, bind the VPN instance to the tunnel interface. The IPsec SAs negotiated by using the IPsec profile then belong to the VPN instance bound to the tunnel interface.

Specify an IPv4 ACL if the IPsec profile is applied to an IPv4 tunnel interface.

Specify an IPv6 ACL if the IPsec profile is applied to an IPv6 tunnel interface.

After an SDWAN IPsec profile is applied to an SDWAN tunnel interface on an SDWAN device, if the IPsec profile configuration is complete, the SDWAN device creates a local IPsec SA and advertises it to the remote SDWAN device through the SDWAN tunnel. That IPsec SA is then the remote IPsec SA on the remote device. The remote device must use this remote IPsec SA to encrypt the packets sent to the local device. The local device uses the local IPsec SA to decrypt the received packets and discards unencrypted packets.

IPsec SAs are unidirectional. Packet encryption and decryption use different IPsec SAs. Typically, the device uses local IPsec SAs for encryption and remote IPsec SAs for decryption.

SDWAN tunnel interfaces do not support specifying the ACL parameters in this command.

Examples

# Apply IPsec profile prf1 to tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode advpn gre

[Sysname-Tunnel1] tunnel protection ipsec profile prf1

# Apply IPsec profile prf1 to IPv4 tunnel interface Tunnel 1 and use IPv4 ACL 3000 to filter the data to be protected by IPsec on the tunnel interface.

<Sysname> system-view

[Sysname] acl advanced 3000

[Sysname-acl-ipv4-adv-3000] rule 0 permit ip source 1.0.0.0 0.0.0.255 destination 2.0.0.0 0.0.0.255

[Sysname-acl-ipv4-adv-3000] quit

[Sysname] interface tunnel 1 mode ipsec

[Sysname-Tunnel1] tunnel protection ipsec profile prf1 acl 3000

# Apply IPsec profile prf1 to IPv6 tunnel interface Tunnel 1 and use IPv6 ACL 3000 to filter the data to be protected by IPsec on the tunnel interface.

<Sysname> system-view

[Sysname] acl ipv6 advanced 3000

[Sysname-acl-ipv6-adv-3000] rule 0 permit ipv6 source 1:1::/64 destination 2:2::/64

[Sysname-acl-ipv6-adv-3000] quit

[Sysname] interface tunnel 1 mode ipsec ipv6

[Sysname-Tunnel1] tunnel protection ipsec profile prf1 acl ipv6 3000

# Apply SDWAN IPsec profile profile1 to SDWAN tunnel interface Tunnel 1.

<Sysname> system-view

[Sysname] interface tunnel 1 mode sdwan

[Sysname-Tunnel1] tunnel protection ipsec profile profile1

Related commands

interface tunnel (Interface Command Reference)

display interface tunnel (Interface Command Reference)

ipsec profile
