12-Security Command Reference

06-IPsec commands

IPsec commands

ah authentication-algorithm

Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.

Use undo ah authentication-algorithm to restore the default.

Syntax

ah authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo ah authentication-algorithm

Default

AH does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.

sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Specifies the HMAC-SM3 algorithm, which uses a 256-bit key.

Usage guidelines

You can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

Examples

# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1

description

Use description to configure a description for an IPsec profile.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for an IPsec policy, IPsec policy template, or IPsec profile.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-sensitive string of 1 to 80 characters.

Usage guidelines

If the system has multiple IPsec profiles, you can use this command to give each one a different description so that they can be told apart.

Examples

# Configure the description for IPsec profile profile1 as CenterToA.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] description CenterToA

display ipsec history-error

Use display ipsec history-error to display IPsec history error information.

Syntax

display ipsec history-error

Views

Any view

Predefined user roles

network-admin

network-operator

Usage guidelines

This command displays a maximum of 4000 IPsec history error records. If the number of IPsec history error records exceeds the limit, the latest 4000 records will be displayed.

Examples

# Display all IPsec history error information.

<Sysname> display ipsec history-error

Total errors : 2

VRF = 0, src = 1.1.1.1, dst = 2.2.2.2/500, flow source = 192.168.1.1, flow destination = 192.168.2.1, error time = 2021/6/8 17:24:14:123, error reason = Failed to find policy in acquire sa

VRF = 0, src = 4.4.4.4, dst = 6.6.6.6/500, flow source = 192.168.10.1, flow destination = 192.168.20.1, error time = 2021/6/8 17:25:18:123, error reason = Failed to find policy in acquire sa.

Table 1 Command output

Field             Description
----------------  --------------------------------------------------------------------------
Total errors      Total number of IPsec history error records.
VRF               Local VPN number.
src               This field is not supported in the current software version.
                  Local IP address of the IKE SA with errors.
dst               This field is not supported in the current software version.
                  Remote IP address and port number of the IPsec tunnel with IKE SA errors.
flow source       Source IP address of the data flow where errors occurred.
flow destination  Destination IP address of the data flow where errors occurred.

Related commands

reset ipsec history-error

display ipsec profile

Use display ipsec profile to display information about IPsec profiles.

Syntax

display ipsec profile [ profile-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify any parameters, this command displays information about all IPsec profiles.

Examples

# Display information about all IPsec profiles.

<Sysname> display ipsec profile

-----------------------------------------------

IPsec profile: profile

Mode: Manual

-----------------------------------------------

  Transform set: prop1

 

  Inbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Inbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex-key: ******

    ESP authentication hex-key: ******

  Outbound AH setting:

    AH SPI: 12345 (0x00003039)

    AH string-key:

    AH authentication hex key: ******

  Outbound ESP setting:

    ESP SPI: 23456 (0x00005ba0)

    ESP string-key:

    ESP encryption hex key: ******

    ESP authentication hex key: ******

Table 2 Command output

Field           Description
--------------  ---------------------------------------------------------------------------------------
IPsec profile   IPsec profile name.
Mode            Negotiation mode used by the IPsec profile.
Description     Description of the IPsec profile.
Transform set   IPsec transform set used by the IPsec profile.
Responder only  State of the responder only feature:
                ·     Enabled—The local device can only be the responder in an IPsec negotiation.
                ·     Disabled—The local device can be a responder or an initiator in an IPsec negotiation.

Related commands

ipsec profile

display ipsec sa

Use display ipsec sa to display information about IPsec SAs.

Syntax

display ipsec sa [ brief | count | profile profile-name [ brief | count ] | remote [ ipv6 ] ip-address [ brief | count ] ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about all IPsec SAs.

count: Displays the number of IPsec SAs.

profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.

profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63 characters.

remote ip-address: Specifies an IPsec SA by its remote end IP address.

ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the specified remote end IP address is an IPv4 address.

Usage guidelines

If you do not specify any parameters, this command displays detailed information about all IPsec SAs.

Examples

# Display brief information about IPsec SAs.

<Sysname> display ipsec sa brief

-----------------------------------------------------------------------

Interface/Global   Dst Address      SPI         Protocol  Status

-----------------------------------------------------------------------

XGE3/0/1           10.1.1.1         400         ESP       Active

XGE3/0/1           255.255.255.255  4294967295  ESP       Active

XGE3/0/1           100::1/64        500         AH        Active

Global             --               600         ESP       Active

Table 3 Command output

Field             Description
----------------  --------------------------------------------------------------------------------------
Interface/Global  Interface to which the IPsec SA belongs, or Global for a global IPsec SA (created by using an IPsec profile).
Dst Address       Remote end IP address of the IPsec tunnel.
                  For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).
SPI               IPsec SA SPI.
Protocol          Security protocol used by IPsec.
Status            Status of the IPsec SA: Active or Standby.
                  In a VSRP scenario, this field displays either Active or Standby.
                  In standalone mode, this field always displays Active.

# Display the number of IPsec SAs.

<Sysname> display ipsec sa count

Total IPsec SAs count: 4

Related commands

ipsec sa global-duration

reset ipsec sa

display ipsec statistics

Use display ipsec statistics to display IPsec packet statistics.

Syntax

display ipsec statistics [ tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967294. You can use the display ipsec tunnel brief command to view the IDs of established IPsec tunnels.

Usage guidelines

If you do not specify any parameters, this command displays statistics for all IPsec packets.

Examples

# Display statistics for all IPsec packets.

<Sysname> display ipsec statistics

  IPsec packet statistics:

    Received/sent packets: 47/64

    Received/sent bytes: 3948/5208

    Dropped packets (received/sent): 0/45

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 45

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

# Display statistics for the packets of IPsec tunnel 1.

<Sysname> display ipsec statistics tunnel-id 1

  IPsec packet statistics:

    Received/sent packets: 5124/8231

    Received/sent bytes: 52348/64356

    Dropped packets (received/sent): 0/0

 

    Dropped packets statistics

      No available SA: 0

      Wrong SA: 0

      Invalid length: 0

      Authentication failure: 0

      Encapsulation failure: 0

      Decapsulation failure: 0

      Replayed packets: 0

      ACL check failure: 0

      MTU check failure: 0

      Loopback limit exceeded: 0

      Crypto speed limit exceeded: 0

Table 4 Command output

Field                            Description
-------------------------------  -------------------------------------------------------------------
Received/sent packets            Number of received/sent IPsec-protected packets.
Received/sent bytes              Number of bytes of received/sent IPsec-protected packets.
Dropped packets (received/sent)  Number of dropped IPsec-protected packets (received/sent).
No available SA                  Number of packets dropped due to lack of an available IPsec SA.
Wrong SA                         Number of packets dropped due to a wrong IPsec SA.
Invalid length                   Number of packets dropped due to invalid packet length.
Authentication failure           Number of packets dropped due to authentication failure.
Encapsulation failure            Number of packets dropped due to encapsulation failure.
Decapsulation failure            Number of packets dropped due to decapsulation failure.
Replayed packets                 Number of dropped replayed packets.
ACL check failure                Number of packets dropped due to ACL check failure.
MTU check failure                Number of packets dropped due to MTU check failure.
Loopback limit exceeded          Number of packets dropped because the loopback limit was exceeded.
Crypto speed limit exceeded      Number of packets dropped because the crypto speed limit was exceeded.
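The display ipsec statistics output above, together with the display ipsec history-error records earlier in this document, is what a monitoring job would scrape from the device. The following Python is an added example and is not part of this reference or of H3C's software: it parses both outputs, compares two polls of the statistics and flags the drop counters whose growth points at tampering, replay or SA desynchronisation rather than at a configuration mismatch. The sample output strings are constructed from the excerpts in this reference (the second poll has two counters altered), and the choice of which counters are treated as security-relevant is the example's own.

```python
import re
from datetime import datetime

# Constructed sample output, built from the excerpts shown in this reference:
# two polls of 'display ipsec statistics' and one 'display ipsec history-error'.
POLL_1 = """\
  IPsec packet statistics:
    Received/sent packets: 47/64
    Received/sent bytes: 3948/5208
    Dropped packets (received/sent): 0/45

    Dropped packets statistics
      No available SA: 0
      Wrong SA: 0
      Invalid length: 0
      Authentication failure: 0
      Encapsulation failure: 0
      Decapsulation failure: 0
      Replayed packets: 0
      ACL check failure: 45
      MTU check failure: 0
      Loopback limit exceeded: 0
      Crypto speed limit exceeded: 0
"""
# Second poll (constructed): the two counters that matter most have moved.
POLL_2 = (POLL_1.replace("Authentication failure: 0", "Authentication failure: 7")
                .replace("Replayed packets: 0", "Replayed packets: 120"))

HISTORY = """\
Total errors : 2
VRF = 0, src = 1.1.1.1, dst = 2.2.2.2/500, flow source = 192.168.1.1, flow destination = 192.168.2.1, error time = 2021/6/8 17:24:14:123, error reason = Failed to find policy in acquire sa
VRF = 0, src = 4.4.4.4, dst = 6.6.6.6/500, flow source = 192.168.10.1, flow destination = 192.168.20.1, error time = 2021/6/8 17:25:18:123, error reason = Failed to find policy in acquire sa.
"""

# Drop counters whose growth points at tampering, replay or SA desynchronisation
# rather than at a configuration mismatch such as an ACL check failure.
SECURITY_COUNTERS = ("Authentication failure", "Replayed packets",
                     "Wrong SA", "Decapsulation failure")

COUNTER_RE = re.compile(r"\s*([A-Za-z /()]+?):\s*(\d+)(?:/(\d+))?\s*$")


def parse_statistics(text):
    """Map each counter line to an int, or to a (received, sent) tuple for a/b lines."""
    stats = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            name, a, b = m.group(1), int(m.group(2)), m.group(3)
            stats[name] = a if b is None else (a, int(b))
    return stats


def drop_alerts(previous, current, threshold=1):
    """Security-relevant counters that grew by at least threshold between two polls."""
    alerts = []
    for name in SECURITY_COUNTERS:
        delta = current.get(name, 0) - previous.get(name, 0)
        if delta >= threshold:
            alerts.append((name, delta))
    return sorted(alerts)


def parse_history_errors(text):
    """Turn each 'VRF = ..., src = ..., ...' record into a dict with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.startswith("VRF"):
            continue
        fields = {}
        for part in line.split(", "):
            key, _, value = part.partition(" = ")
            fields[key.strip()] = value.strip().rstrip(".")
        # 'error time' is y/m/d h:m:s:ms; the last colon group is milliseconds.
        date, clock = fields["error time"].split(" ")
        hh, mm, ss, ms = clock.split(":")
        fields["error time"] = datetime.strptime(
            f"{date} {hh}:{mm}:{ss}", "%Y/%m/%d %H:%M:%S").replace(microsecond=int(ms) * 1000)
        records.append(fields)
    return records


if __name__ == "__main__":
    before, after = parse_statistics(POLL_1), parse_statistics(POLL_2)
    for name, delta in drop_alerts(before, after):
        print(f"ALERT {name} +{delta}")
    for rec in parse_history_errors(HISTORY):
        print(rec["error time"].isoformat(), rec["flow source"], "->",
              rec["flow destination"], rec["error reason"])
```

In practice the two polls would come from the device over SSH or NETCONF on a timer; the ACL check failure counter is deliberately left out of the alert list because a steadily growing value there usually means traffic that simply does not match the protected flow, which is worth a separate, lower-severity check.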

Related commands

reset ipsec statistics

display ipsec transform-set

Use display ipsec transform-set to display information about IPsec transform sets.

Syntax

display ipsec transform-set [ transform-set-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

transform-set-name: Specifies an IPsec transform set by its name, a case-insensitive string of 1 to 63 characters.

Usage guidelines

If you do not specify an IPsec transform set, this command displays information about all IPsec transform sets.

Examples

# Display information about all IPsec transform sets.

<Sysname> display ipsec transform-set

IPsec transform set: mytransform

  State: incomplete

  Encapsulation mode: tunnel

  ESN: Enabled

  PFS:

  Transform: ESP

 

IPsec transform set: completeTransform

  State: complete

  Encapsulation mode: transport

  ESN: Enabled

  PFS:

  Transform: AH-ESP

  AH protocol:

    Integrity: SHA1

  ESP protocol:

    Integrity: SHA1

    Encryption: AES-CBC-128

Table 5 Command output

Field                Description
-------------------  --------------------------------------------------------------------------------------
IPsec transform set  Name of the IPsec transform set.
State                Whether the IPsec transform set is complete.
Encapsulation mode   Encapsulation mode used by the IPsec transform set: transport or tunnel.
ESN                  Whether Extended Sequence Number (ESN) is enabled.
Transform            Security protocols used by the IPsec transform set: AH, ESP, or both. If both protocols are configured, IPsec uses ESP before AH.
AH protocol          AH settings.
ESP protocol         ESP settings.
Integrity            Authentication algorithm used by the security protocol.
Encryption           Encryption algorithm used by the security protocol.

Related commands

ipsec transform-set

display ipsec tunnel

Use display ipsec tunnel to display information about IPsec tunnels.

Syntax

display ipsec tunnel [ brief | count | tunnel-id tunnel-id ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

brief: Displays brief information about IPsec tunnels.

count: Displays the number of IPsec tunnels.

tunnel-id tunnel-id: Specifies an IPsec tunnel by its ID. The value range for the tunnel-id argument is 0 to 4294967294.

Usage guidelines

IPsec is a Layer 3 VPN technology that transmits data in a secure channel established between two endpoints (such as two security gateways). Such a secure channel is usually called an IPsec tunnel.

Examples

# Display brief information about all IPsec tunnels.

<Sysname> display ipsec tunnel brief

----------------------------------------------------------------------------

Tunn-id   Src Address     Dst Address     Inbound SPI   Outbound SPI  Status

----------------------------------------------------------------------------

0         --              --              1000          2000          Active

                                          3000          4000

1         1.2.3.1         2.2.2.2         5000          6000          Active

                                          7000          8000

Table 6 Command output

Field         Description
------------  --------------------------------------------------------------------------------------
Src Address   Source IP address of the IPsec tunnel.
              For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).
Dst Address   Destination IP address of the IPsec tunnel.
              For IPsec SAs created by using IPsec profiles, this field displays two hyphens (--).
Inbound SPI   Valid SPI in the inbound direction of the IPsec tunnel.
              If the tunnel uses two security protocols, the two inbound SPIs are displayed on two lines.
Outbound SPI  Valid SPI in the outbound direction of the IPsec tunnel.
              If the tunnel uses two security protocols, the two outbound SPIs are displayed on two lines.
Status        Status of the IPsec SA: Active or Standby.
              In a VSRP scenario, this field displays either Active or Standby.
              In standalone mode, this field always displays Active.

# Display the number of IPsec tunnels.

<Sysname> display ipsec tunnel count

Total IPsec Tunnel Count: 2

# Display detailed information about all IPsec tunnels.

<Sysname> display ipsec tunnel

Tunnel ID: 0

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  2000        (0x000007d0)   [AH]

    inbound:   1000        (0x000003e8)   [AH]

    outbound:  4000        (0x00000fa0)   [ESP]

    inbound:   3000        (0x00000bb8)   [ESP]

Tunnel:

    local  address:

    remote address:

Flow:

 

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

# Display detailed information about IPsec tunnel 1.

<Sysname> display ipsec tunnel tunnel-id 1

Tunnel ID: 1

Status: Active

Perfect forward secrecy:

Inside vpn-instance:

SA's SPI:

    outbound:  6000        (0x00001770)   [AH]

    inbound:   5000        (0x00001388)   [AH]

    outbound:  8000        (0x00001f40)   [ESP]

    inbound:   7000        (0x00001b58)   [ESP]

Tunnel:

    local  address: 1.2.3.1

    remote address: 2.2.2.2

Flow:

    as defined in ACL 3100

Table 7 Command output

Field                   Description
----------------------  --------------------------------------------------------------------------------------
Tunnel ID               IPsec tunnel ID, which uniquely identifies an IPsec tunnel.
Status                  IPsec tunnel status: Active or Standby.
                        In a VSRP scenario, this field displays either Active or Standby.
                        In standalone mode, this field always displays Active.
Inside vpn-instance     VPN instance to which the IPsec-protected data flows belong.
SA's SPI                SPIs of the inbound and outbound SAs.
Tunnel                  Local and remote addresses of the IPsec tunnel.
local  address          This field is not supported in the current software version.
                        Local end IP address of the IPsec tunnel.
remote address          This field is not supported in the current software version.
                        Remote end IP address of the IPsec tunnel.
Flow                    Information about the data flow protected by the IPsec tunnel, including source IP address, destination IP address, source port, destination port, and protocol.
as defined in ACL 3001  This field is not supported in the current software version.
                        Range of data flows protected by a manually established IPsec tunnel. This example shows that the IPsec tunnel protects all data flows defined by ACL 3001.

encapsulation-mode

Use encapsulation-mode to set the encapsulation mode that the security protocol uses to encapsulate IP packets.

Use undo encapsulation-mode to restore the default.

Syntax

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Default

IP packets are encapsulated in tunnel mode.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

transport: Uses the transport mode for IP packet encapsulation.

tunnel: Uses the tunnel mode for IP packet encapsulation.

Usage guidelines

IPsec supports the following encapsulation modes:

·     Transport mode—The security protocols protect the upper layer data of an IP packet. Only the transport layer data is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are placed after the original IP header. You can use the transport mode when end-to-end security protection is required (the secured transmission start and end points are the actual start and end points of the data). The transport mode is typically used for protecting host-to-host communications.

·     Tunnel mode—The security protocols protect the entire IP packet. The entire IP packet is used to calculate the security protocol headers. The calculated security protocol headers and the encrypted data (only for ESP encapsulation) are encapsulated in a new IP packet. In this mode, the encapsulated packet has two IP headers. The inner IP header is the original IP header. The outer IP header is added by the network device that provides the IPsec service. You must use the tunnel mode when the secured transmission start and end points are not the actual start and end points of the data packets (for example, when two gateways provide IPsec but the data start and end points are two hosts behind the gateways). The tunnel mode is typically used for protecting gateway-to-gateway communications.

The IPsec transform sets at both ends of the IPsec tunnel must have the same encapsulation mode.

Examples

# Configure IPsec transform set tran1 to use the transport mode for IP packet encapsulation.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] encapsulation-mode transport

Related commands

ipsec transform-set

esn enable

Use esn enable to enable the Extended Sequence Number (ESN) feature.

Use undo esn enable to disable the ESN feature.

Syntax

esn enable [ both ]

undo esn enable

Default

The ESN feature is disabled.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

both: Enables IPsec to support both extended sequence numbers and traditional sequence numbers. If you do not specify this keyword, IPsec supports only extended sequence numbers.

Usage guidelines

The ESN feature extends the sequence number length from 32 bits to 64 bits. This feature prevents the sequence number space from being exhausted when large volumes of data are transmitted at high speeds over an IPsec SA. If the sequence number space is not exhausted, the IPsec SA does not need to be renegotiated.

This feature must be enabled at both the initiator and the responder.

Examples

# Enable the ESN feature in IPsec transform set tran1.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esn enable

Related commands

display ipsec transform-set

esp authentication-algorithm

Use esp authentication-algorithm to specify authentication algorithms for ESP.

Use undo esp authentication-algorithm to restore the default.

Syntax

esp authentication-algorithm { md5 | sha1 | sha256 | sha384 | sha512 | sm3 } *

undo esp authentication-algorithm

Default

ESP does not use any authentication algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

md5: Specifies the HMAC-MD5 algorithm, which uses a 128-bit key.

sha1: Specifies the HMAC-SHA1 algorithm, which uses a 160-bit key.

sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.

sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.

sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.

sm3: Specifies the HMAC-SM3 algorithm, which uses a 256-bit key.

Usage guidelines

You can specify multiple ESP authentication algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

The first specified ESP authentication algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP authentication algorithm.

Examples

# Configure IPsec transform set tran1 to use the HMAC-SHA1 algorithm as the ESP authentication algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp authentication-algorithm sha1

Related commands

ipsec transform-set

esp encryption-algorithm

Use esp encryption-algorithm to specify encryption algorithms for ESP.

Use undo esp encryption-algorithm to restore the default.

Syntax

esp encryption-algorithm { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc | null | sm4-cbc } *

undo esp encryption-algorithm

Default

ESP does not use any encryption algorithms.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.

aes-cbc-128: Specifies the AES algorithm in CBC mode, which uses a 128-bit key.

aes-cbc-192: Specifies the AES algorithm in CBC mode, which uses a 192-bit key.

aes-cbc-256: Specifies the AES algorithm in CBC mode, which uses a 256-bit key.

des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.

null: Specifies the NULL algorithm, which means encryption is not performed.

sm4-cbc: Specifies the SM4 algorithm in CBC mode, which uses a 128-bit key. This keyword is available only for IKEv1.

Usage guidelines

You can specify multiple ESP encryption algorithms for one IPsec transform set, and the algorithm specified earlier has a higher priority.

The first specified ESP encryption algorithm takes effect. To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at both ends of the tunnel must have the same first ESP encryption algorithm.

Examples

# Configure IPsec transform set tran1 to use the AES-CBC-128 algorithm as the ESP encryption algorithm.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] esp encryption-algorithm aes-cbc-128

Related commands

ipsec transform-set

ipsec df-bit

Use ipsec df-bit to configure the DF bit for the outer IP header of IPsec packets on an interface.

Use undo ipsec df-bit to restore the default.

Syntax

ipsec df-bit { clear | copy | set }

undo ipsec df-bit

Default

The DF bit is not configured for the outer IP header of IPsec packets on an interface. The global DF bit setting is used.

Views

Interface view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

If multiple interfaces use an IPsec policy that is bound to a source interface, you must use the same DF bit setting on these interfaces.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent the IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on Ten-GigabitEthernet 3/0/2.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 3/0/2

[Sysname-Ten-GigabitEthernet3/0/2] ipsec df-bit set

Related commands

ipsec global-df-bit

ipsec fragmentation

Use ipsec fragmentation to configure the IPsec fragmentation feature.

Use undo ipsec fragmentation to restore the default.

Syntax

ipsec fragmentation before-encryption

undo ipsec fragmentation

Default

The device fragments packets before IPsec encapsulation.

Views

System view

Predefined user roles

network-admin

Parameters

before-encryption: Fragments packets before IPsec encapsulation (prefragmentation).

Usage guidelines

If you configure the device to fragment packets before IPsec encapsulation, the device predetermines the encapsulated packet size before the actual encapsulation. If the encapsulated packet size exceeds the MTU of the output interface and the DF bit is not set, the device fragments the packet before encapsulation. If the packet's DF bit is set, the device drops the packet and sends an ICMP error message.
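The size prediction this guideline describes, together with the transport and tunnel layouts under encapsulation-mode and the outer-header DF handling under ipsec df-bit, can be worked through numerically. The Python below is an added example, not H3C's implementation: it assumes IPv4 with an ESP transform of aes-cbc-128 and sha1 (16-byte cipher block and IV, 12-byte truncated ICV), predicts the encapsulated size in both modes, applies the clear/copy/set rule to the outer header, and reproduces the fragment-or-drop decision for a packet whose encapsulated form would exceed the output interface MTU. The header and ICV sizes are the generic IPv4/ESP values for that transform, not figures taken from this reference.

```python
import math

IPV4_HDR = 20        # outer or original IPv4 header, no options
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header


def esp_size(inner_len, mode, block=16, iv=16, icv=12):
    """Bytes on the wire after ESP encapsulation of an IPv4 packet of inner_len.
    Defaults assume aes-cbc-128 (16-byte block and IV) with sha1 (12-byte ICV)."""
    if mode == "tunnel":
        protected = inner_len                  # the whole inner packet is ESP payload
    elif mode == "transport":
        protected = inner_len - IPV4_HDR       # only the data after the original IP header
    else:
        raise ValueError(mode)
    # Payload + trailer is padded up to the cipher block size.
    padded = math.ceil((protected + ESP_TRAILER) / block) * block
    return IPV4_HDR + ESP_HDR + iv + padded + icv


def outer_df(setting, inner_df, mode="tunnel"):
    """'ipsec df-bit { clear | copy | set }' applied to the outer IP header."""
    if mode == "transport":                    # no outer header is added, so the setting has no effect
        return inner_df
    return {"clear": False, "copy": inner_df, "set": True}[setting]


def prefragment(inner_len, mtu, mode="tunnel"):
    """Split an IPv4 packet before encapsulation so every encapsulated fragment fits mtu."""
    data = inner_len - IPV4_HDR
    # Largest inner packet whose encapsulated form still fits the MTU.
    fit = next((n for n in range(inner_len, IPV4_HDR, -1) if esp_size(n, mode) <= mtu), None)
    if fit is None or fit - IPV4_HDR < 8:
        raise ValueError("MTU too small to carry a fragment")
    chunk = (fit - IPV4_HDR) // 8 * 8          # fragment offsets are in 8-byte units
    fragments = []
    while data > chunk:
        fragments.append(IPV4_HDR + chunk)
        data -= chunk
    fragments.append(IPV4_HDR + data)
    return fragments


def prefragment_decision(inner_len, inner_df, mtu, mode="tunnel"):
    """Behaviour described for 'ipsec fragmentation before-encryption'."""
    if esp_size(inner_len, mode) <= mtu:
        return "encapsulate", [inner_len]
    if inner_df:
        return "drop-and-send-icmp", []        # DF set: cannot fragment, report back
    return "fragment-before-encapsulation", prefragment(inner_len, mtu, mode)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        print(f"1400-byte packet, {mode} mode -> {esp_size(1400, mode)} bytes on the wire")
    for df in (False, True):
        print(f"1500-byte packet, DF={df}, MTU 1500 ->", prefragment_decision(1500, df, 1500))
```

The numbers show why the guideline matters: a full-size 1500-byte packet grows to 1560 bytes in tunnel mode, so on a 1500-byte interface it is either split into two inner fragments (1436 and 84 bytes, each of which encapsulates to at most 1500) or, if its DF bit is set, dropped with an ICMP error so the sending host can lower its path MTU.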

Examples

# Configure the device to fragment packets before IPsec encapsulation.

<Sysname> system-view

[Sysname] ipsec fragmentation before-encryption

ipsec global-df-bit

Use ipsec global-df-bit to configure the DF bit for the outer IP header of IPsec packets on all interfaces.

Use undo ipsec global-df-bit to restore the default.

Syntax

ipsec global-df-bit { clear | copy | set }

undo ipsec global-df-bit

Default

The DF bit setting of the original IP header is copied to the outer IP header for IPsec packets.

Views

System view

Predefined user roles

network-admin

Parameters

clear: Clears the DF bit in the outer IP header. IPsec packets can be fragmented.

copy: Copies the DF bit setting of the original IP header to the outer IP header.

set: Sets the DF bit in the outer IP header. IPsec packets cannot be fragmented.

Usage guidelines

This command is effective only when the IPsec encapsulation mode is tunnel mode. It is not effective in transport mode because the outer IP header is not added in transport mode.

This command does not change the DF bit for the original IP header of IPsec packets.

Packet fragmentation and reassembly might cause packet forwarding to be delayed. You can set the DF bit to avoid the forwarding delay. However, to prevent IPsec packets from being discarded, you must make sure the path MTU is larger than the IPsec packet size. As a best practice, clear the DF bit if you cannot make sure the path MTU is larger than the IPsec packet size.

Examples

# Set the DF bit in the outer IP header of IPsec packets on all interfaces.

<Sysname> system-view

[Sysname] ipsec global-df-bit set

Related commands

ipsec df-bit

ipsec limit max-tunnel

Use ipsec limit max-tunnel to set the maximum number of IPsec tunnels.

Use undo ipsec limit max-tunnel to restore the default.

Syntax

ipsec limit max-tunnel tunnel-limit

undo ipsec limit max-tunnel

Default

The number of IPsec tunnels is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

tunnel-limit: Specifies the maximum number of IPsec tunnels, in the range of 1 to 4294967295.

Usage guidelines

To maximize concurrent performance of IPsec when memory is sufficient, increase the maximum number of IPsec tunnels. To ensure service availability when memory is insufficient, decrease the maximum number of IPsec tunnels.

Examples

# Set the maximum number of IPsec tunnels to 5000.

<Sysname> system-view

[Sysname] ipsec limit max-tunnel 5000

ipsec logging packet enable

Use ipsec logging packet enable to enable logging for IPsec packets.

Use undo ipsec logging packet enable to disable logging for IPsec packets.

Syntax

ipsec logging packet enable

undo ipsec logging packet enable

Default

Logging for IPsec packets is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

After logging for IPsec packets is enabled, the device outputs a log when an IPsec packet is discarded. IPsec packets might be discarded due to lack of inbound SA, AH/ESP authentication failure, or ESP encryption failure. A log contains the source and destination IP addresses, SPI, and sequence number of the packet, and the reason it was discarded.

Examples

# Enable logging for IPsec packets.

<Sysname> system-view

[Sysname] ipsec logging packet enable

ipsec profile

Use ipsec profile to create an IPsec profile and enter its view, or enter the view of an existing IPsec profile.

Use undo ipsec profile to delete an IPsec profile.

Syntax

ipsec profile profile-name manual

undo ipsec profile profile-name

Default

No IPsec profiles exist.

Views

System view

Predefined user roles

network-admin

Parameters

profile-name: Specifies a name for the IPsec profile, a case-insensitive string of 1 to 63 characters.

manual: Specifies the IPsec SA setup mode as manual.

Usage guidelines

A manual IPsec profile is used exclusively for IPsec protection for application protocols, including OSPFv3, IPv6 BGP, and RIPng.

Examples

# Create a manual IPsec profile named profile1.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1]

Related commands

display ipsec profile

ipsec sa global-duration

Use ipsec sa global-duration to configure the global IPsec SA lifetime.

Use undo ipsec sa global-duration to restore the default.

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

Default

The time-based global IPsec SA lifetime is 3600 seconds, and the traffic-based global lifetime is 1843200 kilobytes.

Views

System view

Predefined user roles

network-admin

Parameters

time-based seconds: Specifies the time-based global lifetime for IPsec SAs, in the range of 180 to 604800 seconds.

traffic-based kilobytes: Specifies the traffic-based global lifetime for IPsec SAs, in the range of 2560 to 4294967295 kilobytes. When traffic on an SA reaches this value, the SA expires.

Usage guidelines

An IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires when either lifetime expires.

Examples

# Configure the global IPsec SA lifetime as 7200 seconds.

<Sysname> system-view

[Sysname] ipsec sa global-duration time-based 7200

# Configure the global IPsec SA lifetime as 10240 kilobytes.

[Sysname] ipsec sa global-duration traffic-based 10240

Related commands

display ipsec sa

ipsec transform-set

Use ipsec transform-set to create an IPsec transform set and enter its view, or enter the view of an existing IPsec transform set.

Use undo ipsec transform-set to delete an IPsec transform set.

Syntax

ipsec transform-set transform-set-name

undo ipsec transform-set transform-set-name

Default

No IPsec transform sets exist.

Views

System view

Predefined user roles

network-admin

Parameters

transform-set-name: Specifies a name for the IPsec transform set, a case-insensitive string of 1 to 63 characters.

Usage guidelines

An IPsec transform set defines the security parameters for IPsec SA negotiation, including the security protocol, encryption algorithms, authentication algorithms, and encapsulation mode.

Examples

# Create an IPsec transform set named tran1 and enter its view.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-transform-set-tran1]

Related commands

display ipsec transform-set

protocol

Use protocol to specify a security protocol for an IPsec transform set.

Use undo protocol to restore the default.

Syntax

protocol { ah | ah-esp | esp }

undo protocol

Default

The IPsec transform set uses the ESP protocol.

Views

IPsec transform set view

Predefined user roles

network-admin

Parameters

ah: Specifies the AH protocol.

ah-esp: Specifies using the ESP protocol first and then using the AH protocol.

esp: Specifies the ESP protocol.

Usage guidelines

The two tunnel ends must use the same security protocol in the IPsec transform set.

Examples

# Specify the AH protocol for the IPsec transform set.

<Sysname> system-view

[Sysname] ipsec transform-set tran1

[Sysname-ipsec-transform-set-tran1] protocol ah

reset ipsec history-error

Use reset ipsec history-error to clear IPsec history error information.

Syntax

reset ipsec history-error

Views

User view

Predefined user roles

network-admin

Examples

# Clear IPsec history error information.

<Sysname> reset ipsec history-error

Related commands

display ipsec history-error

reset ipsec sa

Use reset ipsec sa to clear IPsec SAs.

Syntax

reset ipsec sa [ profile profile-name | remote { ipv4-address | ipv6 ipv6-address } | spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num ]

Views

User view

Predefined user roles

network-admin

Parameters

profile profile-name: Clears IPsec SAs for the IPsec profile specified by its name, a case-insensitive string of 1 to 63 characters.

remote: Clears IPsec SAs for the specified remote address.

ipv4-address: Specifies a remote IPv4 address.

ipv6 ipv6-address: Specifies a remote IPv6 address.

spi { ipv4-address | ipv6 ipv6-address } { ah | esp } spi-num: Clears IPsec SAs matching the specified SA triplet: the remote address, the security protocol, and the SPI.

·     ipv4-address: Specifies a remote IPv4 address.

·     ipv6 ipv6-address: Specifies a remote IPv6 address.

·     ah: Specifies the AH protocol.

·     esp: Specifies the ESP protocol.

·     spi-num: Specifies the security parameter index in the range of 256 to 4294967295.

Usage guidelines

If you do not specify any parameters, this command clears all IPsec SAs.

If you specify an SA triplet, this command clears the IPsec SA matching the triplet, and all the other IPsec SAs that were established during the same negotiation process, including the corresponding IPsec SA in the other direction, and the inbound and outbound IPsec SAs using the other security protocol (AH or ESP).

An outbound SA is uniquely identified by an SA triplet and an inbound SA is uniquely identified by an SPI. To clear IPsec SAs by specifying a triplet in the outbound direction, you should provide the remote IP address, the security protocol, and the SPI, where the remote IP address can be any valid address if the SAs are established by IPsec profiles. To clear IPsec SAs by specifying a triplet in the inbound direction, you should provide the SPI and use any valid values for the other two parameters.

After a manual IPsec SA is cleared, the system automatically creates a new SA.

Examples

# Clear all IPsec SAs.

<Sysname> reset ipsec sa

# Clear the inbound and outbound IPsec SAs for the triplet of SPI 256, remote IP address 10.1.1.2, and security protocol AH.

<Sysname> reset ipsec sa spi 10.1.1.2 ah 256

# Clear all IPsec SAs for remote IP address 10.1.1.2.

<Sysname> reset ipsec sa remote 10.1.1.2

Related commands

display ipsec sa

reset ipsec statistics

Use reset ipsec statistics to clear IPsec packet statistics.

Syntax

reset ipsec statistics [ tunnel-id tunnel-id ]

Views

User view

Predefined user roles

network-admin

Parameters

tunnel-id tunnel-id: Clears IPsec packet statistics for the specified IPsec tunnel. The value range for the tunnel-id argument is 0 to 4294967294. If you do not specify this option, the command clears all IPsec packet statistics.

Examples

# Clear IPsec packet statistics.

<Sysname> reset ipsec statistics

Related commands

display ipsec statistics

sa hex-key authentication

Use sa hex-key authentication to configure an authentication key for a manual IPsec SA.

Use undo sa hex-key authentication to delete an authentication key for a manual IPsec SA.

Syntax

sa hex-key authentication { inbound | outbound } { ah | esp } { cipher | simple } string

undo sa hex-key authentication { inbound | outbound } { ah | esp }

Default

No hexadecimal authentication keys are configured for manual IPsec SAs.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal authentication key for the inbound SA.

outbound: Specifies a hexadecimal authentication key for the outbound SA.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 85 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.

The following matrix shows the key length for the algorithms:

Algorithm        Key length (bytes)
HMAC-MD5         16
HMAC-SHA1        20
HMAC-SHA-256     32
HMAC-SHA-384     48
HMAC-SHA-512     64
HMAC-SM3         32

Usage guidelines

You must set an authentication key for both the inbound and outbound SAs.

The local inbound SA must use the same authentication key as the remote outbound SA, and the local outbound SA must use the same authentication key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local authentication keys of the inbound and outbound SAs must be identical.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

If you execute this command multiple times for the same protocol and direction, the most recent configuration takes effect.

Examples

# Configure plaintext authentication keys 0x112233445566778899aabbccddeeff00 and 0xaabbccddeeff001100aabbccddeeff00 for the inbound and outbound SAs that use AH.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00

[Sysname-ipsec-profile-manual-profile1] sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00

Related commands

display ipsec sa

sa string-key

sa hex-key encryption

Use sa hex-key encryption to configure an encryption key for a manual IPsec SA.

Use undo sa hex-key encryption to delete an encryption key for a manual IPsec SA.

Syntax

sa hex-key encryption { inbound | outbound } esp { cipher | simple } string

undo sa hex-key encryption { inbound | outbound } esp

Default

No hexadecimal encryption keys are configured for manual IPsec SAs.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies a hexadecimal encryption key for the inbound SA.

outbound: Specifies a hexadecimal encryption key for the outbound SA.

esp: Uses ESP.

cipher: Specifies a key in encrypted form.

simple: Specifies a key in plaintext form. For security purposes, the key specified in plaintext form will be stored in encrypted form.

string: Specifies the key. Its encrypted form is a case-sensitive string of 1 to 117 characters. Its plaintext form is a case-insensitive hexadecimal string and the key length varies by algorithm.

The following matrix shows the key length for the algorithms:

Algorithm        Key length (bytes)
DES-CBC          8
3DES-CBC         24
AES128-CBC       16
AES192-CBC       24
AES256-CBC       32
SM4128-CBC       16

Usage guidelines

You must set an encryption key for both the inbound and outbound SAs.

The local inbound SA must use the same encryption key as the remote outbound SA, and the local outbound SA must use the same encryption key as the remote inbound SA.

In an IPsec profile to be applied to an IPv6 routing protocol, the local encryption keys of the inbound and outbound SAs must be identical.

The keys for the IPsec SAs at the two tunnel ends must be configured in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

If you execute this command multiple times for the same direction, the most recent configuration takes effect.

Examples

# Configure plaintext encryption keys 0x1234567890abcdef and 0xabcdefabcdef1234 for the inbound and outbound IPsec SAs that use ESP.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] sa hex-key encryption inbound esp simple 1234567890abcdef

[Sysname-ipsec-profile-manual-profile1] sa hex-key encryption outbound esp simple abcdefabcdef1234

Related commands

display ipsec sa

sa string-key

sa spi

Use sa spi to configure an SPI for IPsec SAs.

Use undo sa spi to remove the SPI.

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Default

No SPI is configured for IPsec SAs.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Specifies an SPI for inbound SAs.

outbound: Specifies an SPI for outbound SAs.

ah: Uses AH.

esp: Uses ESP.

spi-number: Specifies a security parameters index (SPI) in the range of 256 to 4294967295.

Usage guidelines

You must configure an SPI for both inbound and outbound SAs, and make sure the SAs in each direction are unique: For an outbound SA, make sure its triplet (remote IP address, security protocol, and SPI) is unique. For an inbound SA, make sure its SPI is unique.

The local inbound SA must use the same SPI as the remote outbound SA, and the local outbound SA must use the same SPI as the remote inbound SA.

When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same SPI.

·     The IPsec SAs on the devices in the same scope must have the same SPI. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For IPv6 BGP, the scope consists of IPv6 BGP peers or an IPv6 BGP peer group.

Examples

# Set the SPI for the inbound SA to 10000 and the SPI for the outbound SA to 20000 in a manual IPsec profile.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] sa spi inbound ah 10000

[Sysname-ipsec-profile-manual-profile1] sa spi outbound ah 20000
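As an added consistency check (not part of the H3C reference), the following Python script lints the sa hex-key and sa spi lines of a manual IPsec profile against the rules documented for sa hex-key authentication, sa hex-key encryption and sa spi: plaintext key length per the two key-length tables, keys and SPIs present in both directions, SPI range, and identical inbound/outbound keys and SPIs when the profile is bound to an IPv6 routing protocol. The lint_manual_profile function, the table-key algorithm names and the sample configuration are constructed for this example and are not H3C identifiers.

```python
import re

# Required key lengths in bytes, taken from the two key-length tables above.
AUTH_KEY_BYTES = {"HMAC-MD5": 16, "HMAC-SHA1": 20, "HMAC-SHA-256": 32,
                  "HMAC-SHA-384": 48, "HMAC-SHA-512": 64, "HMAC-SM3": 32}
ENC_KEY_BYTES = {"DES-CBC": 8, "3DES-CBC": 24, "AES128-CBC": 16,
                 "AES192-CBC": 24, "AES256-CBC": 32, "SM4128-CBC": 16}
SPI_MIN, SPI_MAX = 256, 4294967295  # value range of the sa spi command

# Only plaintext (simple) keys can be length-checked; cipher-form keys are opaque.
KEY_RE = re.compile(r"^sa hex-key (authentication|encryption) (inbound|outbound)"
                    r" (ah|esp) simple ([0-9a-fA-F]+)$")
SPI_RE = re.compile(r"^sa spi (inbound|outbound) (ah|esp) (\d+)$")


def lint_manual_profile(config, auth_alg, enc_alg=None, routing_protocol=False):
    """Return findings for the sa hex-key / sa spi lines of one manual profile.
    auth_alg and enc_alg are the transform set's algorithms (table keys above);
    routing_protocol=True adds the rules for OSPFv3, RIPng and IPv6 BGP profiles.
    """
    keys, spis, findings = {}, {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            kind, direction, _proto, hexkey = m.groups()
            keys[(kind, direction)] = hexkey.lower()  # hex keys are case-insensitive
        elif m := SPI_RE.match(line):
            direction, _proto, spi = m.groups()
            spis[direction] = int(spi)
    for kind, alg, table in (("authentication", auth_alg, AUTH_KEY_BYTES),
                             ("encryption", enc_alg, ENC_KEY_BYTES)):
        if alg is None:
            continue  # an AH-only profile carries no encryption key
        for direction in ("inbound", "outbound"):
            key = keys.get((kind, direction))
            if key is None:  # keys must be set for both directions
                findings.append(f"{direction} {kind} key missing")
            elif len(key) != 2 * table[alg]:
                findings.append(f"{direction} {kind} key is {len(key)} hex digits, "
                                f"{alg} needs {2 * table[alg]}")
        if routing_protocol and keys.get((kind, "inbound")) != keys.get((kind, "outbound")):
            findings.append(f"{kind} keys differ between inbound and outbound SAs")
    for direction in ("inbound", "outbound"):
        spi = spis.get(direction)
        if spi is None:  # an SPI is mandatory in both directions
            findings.append(f"{direction} SPI missing")
        elif not SPI_MIN <= spi <= SPI_MAX:
            findings.append(f"{direction} SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
    if routing_protocol and len(spis) == 2 and spis["inbound"] != spis["outbound"]:
        findings.append("SPIs differ between inbound and outbound SAs")
    return findings


# Constructed sample: a profile meant for an OSPFv3 area, AH with HMAC-SHA1.
# Its 16-byte keys and unequal SPIs violate the rules documented above.
SAMPLE_BAD = """
 sa spi inbound ah 10000
 sa spi outbound ah 20000
 sa hex-key authentication inbound ah simple 112233445566778899aabbccddeeff00
 sa hex-key authentication outbound ah simple aabbccddeeff001100aabbccddeeff00
"""
```

Running lint_manual_profile(SAMPLE_BAD, "HMAC-SHA1", routing_protocol=True) reports the two short keys, the differing keys and the differing SPIs; the same lines pass for a non-routing profile whose transform set uses HMAC-MD5.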

Related commands

display ipsec sa

sa string-key

Use sa string-key to set a key string (a key in character format) for manual IPsec SAs.

Use undo sa string-key to remove the key string.

Syntax

sa string-key { inbound | outbound } { ah | esp } { cipher | simple } string

undo sa string-key { inbound | outbound } { ah | esp }

Default

No key string is configured for manual IPsec SAs.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

inbound: Sets a key string for inbound IPsec SAs.

outbound: Sets a key string for outbound IPsec SAs.

ah: Uses AH.

esp: Uses ESP.

cipher: Specifies a key string in encrypted form.

simple: Specifies a key string in plaintext form. For security purposes, the key string specified in plaintext form will be stored in encrypted form.

string: Specifies the key string. Its encrypted form is a case-sensitive string of 1 to 373 characters. Its plaintext form is a case-sensitive string of 1 to 255 characters. Using the key string, the system automatically generates keys that meet the algorithm requirements. When the protocol is ESP, the system automatically generates keys for the authentication algorithm and encryption algorithm.

Usage guidelines

You must set a key for both inbound and outbound SAs.

The local inbound SA must use the same key as the remote outbound SA, and the local outbound SA must use the same key as the remote inbound SA.

The keys for the IPsec SAs at the two tunnel ends must be input in the same format (either in hexadecimal or character format). Otherwise, they cannot establish an IPsec tunnel.

When you configure an IPsec profile for an IPv6 routing protocol, follow these guidelines:

·     The local inbound and outbound SAs must use the same key.

·     The IPsec SAs on the devices in the same scope must have the same key. The scope is defined by protocols. For OSPFv3, the scope consists of OSPFv3 neighbors or an OSPFv3 area. For RIPng, the scope consists of directly-connected neighbors or a RIPng process. For IPv6 BGP, the scope consists of IPv6 BGP peers or an IPv6 BGP peer group.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Configure the inbound and outbound SAs that use AH to use plaintext keys abcdef and efcdab, respectively.

<Sysname> system-view

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] sa string-key inbound ah simple abcdef

[Sysname-ipsec-profile-manual-profile1] sa string-key outbound ah simple efcdab

Related commands

display ipsec sa

sa hex-key

snmp-agent trap enable ipsec

Use snmp-agent trap enable ipsec to enable SNMP notifications for IPsec.

Use undo snmp-agent trap enable ipsec to disable SNMP notifications for IPsec.

Syntax

snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

undo snmp-agent trap enable ipsec [ auth-failure | decrypt-failure | encrypt-failure | global | invalid-sa-failure | no-sa-failure | policy-add | policy-attach | policy-delete | policy-detach | tunnel-start | tunnel-stop ] *

Default

All SNMP notifications for IPsec are disabled.

Views

System view

Predefined user roles

network-admin

Parameters

auth-failure: Specifies notifications about authentication failures.

decrypt-failure: Specifies notifications about decryption failures.

encrypt-failure: Specifies notifications about encryption failures.

global: Specifies notifications globally.

invalid-sa-failure: Specifies notifications about invalid-SA failures.

no-sa-failure: Specifies notifications about SA-not-found failures.

policy-add: Specifies notifications about events of adding IPsec profiles.

policy-attach: Specifies notifications about events of applying IPsec profiles to interfaces.

policy-delete: Specifies notifications about events of deleting IPsec profiles.

policy-detach: Specifies notifications about events of removing IPsec profiles from interfaces.

tunnel-start: Specifies notifications about events of creating IPsec tunnels.

tunnel-stop: Specifies notifications about events of deleting IPsec tunnels.

Usage guidelines

If you do not specify any keywords, this command enables or disables all SNMP notifications for IPsec.

To generate and output SNMP notifications for a specific IPsec failure type or event type, perform the following tasks:

1.     Enable SNMP notifications for IPsec globally.

2.     Enable SNMP notifications for the failure type or event type.

Examples

# Enable SNMP notifications for IPsec globally.

<Sysname> system-view

[Sysname] snmp-agent trap enable ipsec global

# Enable SNMP notifications for events of creating IPsec tunnels.

[Sysname] snmp-agent trap enable ipsec tunnel-start

transform-set

Use transform-set to specify an IPsec transform set for an IPsec profile.

Use undo transform-set to remove the IPsec transform set specified for an IPsec profile.

Syntax

transform-set transform-set-name&<1-6>

undo transform-set [ transform-set-name ]

Default

No IPsec transform set is specified for an IPsec profile.

Views

IPsec profile view

Predefined user roles

network-admin

Parameters

transform-set-name&<1-6>: Specifies a space-separated list of up to six IPsec transform sets by their names, a case-insensitive string of 1 to 63 characters.

Usage guidelines

You can specify only one IPsec transform set. If you execute this command multiple times, the most recent configuration takes effect.

If you do not specify the transform-set-name argument, the undo transform-set command removes all IPsec transform sets specified for the IPsec policy, IPsec policy template, or IPsec profile.

Examples

# Specify IPsec transform set prop1 for IPsec profile profile1.

<Sysname> system-view

[Sysname] ipsec transform-set prop1

[Sysname-ipsec-transform-set-prop1] quit

[Sysname] ipsec profile profile1 manual

[Sysname-ipsec-profile-manual-profile1] transform-set prop1

Related commands

ipsec profile

ipsec transform-set

 
