16-Security Command Reference
14-SSL VPN commands
SSL VPN commands
aaa domain
Use aaa domain to specify an ISP domain for authentication, authorization, and accounting of SSL VPN users for an SSL VPN gateway.
Use undo aaa domain to restore the default.
Syntax
aaa domain domain-name
undo aaa domain
Default
The default ISP domain is used for authentication, authorization, and accounting of SSL VPN users for an SSL VPN gateway.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
domain-name: Specifies the ISP domain name, a case-insensitive string of 1 to 255 characters. The name must meet the following requirements:
· The name cannot contain a forward slash (/), backslash (\), vertical bar (|), quotation marks ("), colon (:), asterisk (*), question mark (?), left angle bracket (<), right angle bracket (>), or at sign (@).
· The name cannot be d, de, def, defa, defau, defaul, default, i, if, if-, if-u, if-un, if-unk, if-unkn, if-unkno, if-unknow, or if-unknown.
Usage guidelines
An SSL VPN username cannot carry ISP domain information. After this command is executed, an SSL VPN gateway uses the specified ISP domain for authentication, authorization, and accounting of SSL VPN users.
Examples
# Specify ISP domain myserver for authentication, authorization, and accounting of SSL VPN users in SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] aaa domain myserver
bandwidth
Use bandwidth to set the expected bandwidth of an interface.
Use undo bandwidth to restore the default.
Syntax
bandwidth bandwidth-value
undo bandwidth
Default
The expected bandwidth of an interface is 64 kbps.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
Parameters
bandwidth-value: Specifies the expected bandwidth, in the range of 1 to 400000000 kbps.
Usage guidelines
The expected bandwidth of an interface affects the following:
· CBQ bandwidth. For more information, see QoS configuration in QoS Configuration Guide.
· Link costs in OSPF, OSPFv3, and IS-IS. For more information, see OSPF configuration in Network Connectivity Configuration Guide.
Examples
# Set the expected bandwidth of interface SSL VPN AC 1000 to 10000 kbps.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] bandwidth 10000
description
Use description to specify a description for an interface.
Use undo description to restore the default.
Syntax
description text
undo description
Default
The description for an SSL VPN AC interface is interfacename Interface (for example, SSLVPN-AC1000 Interface).
Views
SSL VPN AC interface view
Predefined user roles
network-admin
Parameters
text: Specifies the interface description, a case-sensitive string of 1 to 255 characters.
Usage guidelines
If a device has multiple interfaces, you can specify a description for an interface based on its connection information or purpose for identification and management.
This command is only used to identify an interface. To obtain the interface description, execute the display interface command.
Examples
# Specify the description for interface SSL VPN AC 1000 as SSL VPN A.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] description SSL VPN A
display interface sslvpn-ac
Use display interface sslvpn-ac to display SSL VPN AC interface information.
Syntax
display interface [ sslvpn-ac [ interface-number ] ] [ brief [ description | down ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify the sslvpn-ac keyword, this command displays information about all interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command displays information about all SSL VPN AC interfaces.
brief: Displays brief interface information. If you do not specify this keyword, the command displays detailed interface information.
description: Displays complete interface descriptions. If you do not specify this keyword, the command displays only the first 27 characters of interface descriptions.
down: Displays information about interfaces in the physical state of DOWN and the causes. If you do not specify this keyword, the command displays information about interfaces in all states.
Examples
# Display detailed information about SSL VPN AC 1000.
<Sysname> display interface sslvpn-ac 1000
SSLVPN-AC1000
Current state: UP
Line protocol state: UP
Description: SSLVPN-AC1000 Interface
Bandwidth: 64kbps
Maximum transmission unit: 1500
Internet address: 10.0.0.1/16(Primary)
Last clearing of counters: Never
Table 1 Command output

Field | Description |
---|---|
SSLVPN-AC1000 | Information about interface SSL VPN AC 1000. |
Current state | Physical link state of the interface: · Administratively DOWN—The interface has been shut down by using the shutdown command. · DOWN—The interface is administratively up, but its physical state is down (possibly because no physical link exists or the link has failed). · UP—The interface is both administratively and physically up. |
Line protocol state | Data link layer state of the interface. The state is determined through automatic parameter negotiation at the data link layer. · UP—The data link layer protocol is up. · UP (spoofing)—The data link layer protocol is up, but the link is an on-demand link or does not exist. This attribute is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol is down. |
Description | Description of the interface. |
Bandwidth | Expected bandwidth of the interface. |
Maximum transmission unit | MTU of the interface. |
Internet address: ip-address/mask-length (Type) | IP address of the interface and type of the address in parentheses. Possible IP address types include: · Primary—Manually configured primary IP address. · Sub—Manually configured secondary IP address. If the interface has both primary and secondary IP addresses, the primary IP address is displayed. If the interface has only secondary IP addresses, the lowest secondary IP address is displayed. · DHCP-allocated—DHCP allocated IP address. For more information, see DHCP client configuration in Network Connectivity Configuration Guide. · BOOTP-allocated—BOOTP allocated IP address. For more information, see BOOTP client configuration in Network Connectivity Configuration Guide. · Unnumbered—IP address borrowed from another interface. |
Last clearing of counters | Most recent time the counters were cleared by using the reset counters interface command. If the reset counters interface command has never been executed since the device started up, this field displays Never. |
# Display brief information about all SSL VPN AC interfaces.
<Sysname> display interface sslvpn-ac brief
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
SSLVPN-AC1000 UP DOWN --
# Display brief information about SSL VPN AC 1000, including the complete interface description.
<Sysname> display interface sslvpn-ac 1000 brief description
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Protocol: (s) - spoofing
Interface Link Protocol Primary IP Description
SSLVPN-AC1000 UP UP 1.1.1.1 SSLVPN-AC1000 Interface
# Display information about interfaces in DOWN state and the causes.
<Sysname> display interface sslvpn-ac brief down
Brief information of interfaces in route mode:
Link: ADM - administratively down; Stby - standby
Interface Link Cause
SSLVPN-AC1000 ADM
SSLVPN-AC1001 ADM
Table 2 Command output

Field | Description |
---|---|
Brief information of interfaces in route mode: | Brief information about Layer 3 interfaces. |
Interface | Abbreviated interface name. |
Link | Physical link state of the interface: · UP—The interface is physically up. · DOWN—The interface is physically down. · ADM—The interface has been shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Stby—The interface is a backup interface in standby state. |
Protocol | Data link layer protocol state of the interface: · UP—The data link layer protocol of the interface is up. · UP(s)—The data link layer protocol of the interface is up, but the link is an on-demand link or does not exist. The (s) attribute represents the spoofing flag. This value is typical of null interfaces and loopback interfaces. · DOWN—The data link layer protocol of the interface is down. |
Primary IP | Primary IP address of the interface. |
Description | Description of the interface. |
Cause | Cause for the physical link state of an interface to be DOWN: · Administratively—The interface has been manually shut down by using the shutdown command. To restore the physical state of the interface, use the undo shutdown command. · Not connected—No physical connection exists (possibly because the network cable is disconnected or faulty). |
Related commands
reset counters interface
display sslvpn gateway
Use display sslvpn gateway to display SSL VPN gateway information.
Syntax
display sslvpn gateway [ brief | name gateway-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
brief: Displays brief SSL VPN gateway information. If you do not specify this keyword, the command displays detailed SSL VPN gateway information.
name gateway-name: Specifies an SSL VPN gateway by its name. An SSL VPN gateway name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN gateway, this command displays information about all SSL VPN gateways.
Examples
# Display detailed information about all SSL VPN gateways.
<Sysname> display sslvpn gateway
Gateway name: gw
Operation state: Down
Down reason: Administratively down
AAA domain: Not specified
Code verification: Disabled
Associated SSL VPN Interface: GigabitEthernet0/0/1
SSL server policy configured: a
HTTPS port: 443
Maximum users allowed: 1048575
Idle timeout: 30 min
Table 3 Command output

Field | Description |
---|---|
Gateway name | Name of the SSL VPN gateway. |
Operation state | Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down—The gateway is not running. |
Down reason | Causes for the Down operation status: · Administratively down—The SSL VPN gateway is disabled. To enable the gateway, use the service enable command. · Applying SSL server-policy failed—Failed to apply the SSL server policy to the SSL VPN gateway. |
AAA domain | ISP domain used by the SSL VPN gateway. |
Code verification | Whether code verification is enabled for the SSL VPN gateway. |
Associated SSL VPN Interface | Interface associated with the SSL VPN gateway. |
SSL server policy configured | SSL server policy configured for the SSL VPN gateway. A newly configured SSL server policy takes effect only after the SSL VPN gateway restarts. |
HTTPS port | HTTPS port number of the SSL VPN gateway. |
Maximum users allowed | Maximum number of online users allowed for the SSL VPN gateway. |
Idle timeout | Maximum idle time of an online SSL VPN user, in minutes. |
# Display brief information about all SSL VPN gateways.
<Sysname> display sslvpn gateway brief
Gateway name Admin Operation
gw1 Up Up
gw2 Down Down (Administratively down)
gw3 Up Up
Table 4 Command output

Field | Description |
---|---|
Gateway name | Name of the SSL VPN gateway. |
Admin | Administrative status of the SSL VPN gateway: · Up—The gateway has been enabled by using the service enable command. · Down—The gateway is disabled. |
Operation | Operation state of the SSL VPN gateway: · Up—The gateway is running. · Down (Administratively down)—The gateway is disabled. To enable the gateway, use the service enable command. · Down (Applying SSL server-policy failed)—The gateway is down because the SSL server policy failed to be applied to the gateway. |
display sslvpn online-users
Use display sslvpn online-users to display online SSL VPN user information.
Syntax
display sslvpn online-users [ gateway gateway-name ] [ user user-name | verbose ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
gateway gateway-name: Specifies an SSL VPN gateway by its name. An SSL VPN gateway name is a case-insensitive string of 1 to 31 characters, and can contain only letters, digits, and underscores (_). If you do not specify an SSL VPN gateway, this command displays online SSL VPN user information for all SSL VPN gateways.
user user-name: Specifies an SSL VPN user by the username, a case-insensitive string of 1 to 80 characters. If you specify a user, this command displays detailed online SSL VPN user information for the user. If you do not specify a user, this command displays brief online SSL VPN user information for all users.
verbose: Displays detailed online SSL VPN user information for all SSL VPN users. If you do not specify this keyword, the command displays brief online SSL VPN user information for the specified or all SSL VPN users.
Examples
# Display brief information about online SSL VPN users in the SSL VPN gateway.
<Sysname> display sslvpn online-users
Total online-users: 2
SSL VPN gateway: gw1
Online-users: 2
Username Connections Idle time Created User IP
user1 5 0/00:00:23 0/04:47:16 192.0.2.1
user2 5 0/00:00:46 0/04:48:36 192.0.2.2
Table 5 Command output

Field | Description |
---|---|
Total online-users | Total number of users in all SSL VPN gateways. |
SSL VPN gateway | SSL VPN gateway name. |
Online-users | Number of users in the current SSL VPN gateway. |
Username | Login name of the online user. |
Connections | Number of connections for the online user. |
Idle time | Duration that the online user has been idle, in the format of days/hh:mm:ss. |
Created | Time elapsed since the online user was created, in the format of days/hh:mm:ss. |
User IP | IP address used by the online user. |
# Display detailed information about online SSL VPN user user1.
<Sysname> display sslvpn online-users user user1
User : user1
Authentication method : Username/password authentication
Gateway : gw1
Idle timeout : 30 min
Created at : 13:49:27 UTC Wed 05/14/2021
Lastest : 17:50:58 UTC Wed 05/14/2021
Allocated client IPv4 : 2.2.2.1
User IPv4 address : 192.0.2.1
User ID : 1
Endpoint information : Internet Explorer
# Display detailed information about all online SSL VPN users.
<Sysname> display sslvpn online-users verbose
User : user1
Authentication method : Username/password authentication
Gateway : gw1
Idle timeout : 30 min
Created at : 13:49:27 UTC Wed 05/14/2021
Lastest : 17:50:58 UTC Wed 05/14/2021
Allocated client IPv4 : 2.2.2.1
User IPv4 address : 192.0.2.1
User ID : 1
Endpoint information : Internet Explorer
User : user2
Authentication method : Username/password authentication
Gateway : gw1
Idle timeout : 2100 sec
Created at : 14:15:12 UTC Wed 05/14/2021
Lastest : 18:56:58 UTC Wed 05/14/2021
Allocated client IPv4 : 2.2.2.2
User IPv4 address : 192.0.2.2
User ID : 5
Endpoint information : Internet Explorer
Table 6 Command output

Field | Description |
---|---|
User | SSL VPN username. |
Authentication method | Authentication methods required for logging in to the SSL VPN gateway. Options include: · Username/password authentication. · Certificate authentication. · Code verification. · SMS authentication. · Custom authentication. The use of authentication methods must meet the following requirements: · You can enable one or multiple authentication methods. · Username/password authentication, certificate authentication, or both must be enabled. · Custom authentication and SMS authentication cannot both be enabled at the same time. · All authentication methods can be used independently except for code verification. |
Gateway | SSL VPN gateway to which the user belongs. |
Idle timeout | Idle timeout timer of the SSL VPN user, in seconds. |
Created at | Time at which the SSL VPN user was created. |
Lastest | Most recent time when the SSL VPN user accessed resources through the SSL VPN gateway. |
Allocated client IPv4 | IPv4 address allocated to the iNode client of the SSL VPN user. This field is displayed only for iNode users. |
User IPv4 address | IPv4 address used by the online SSL VPN user. |
User ID | ID of the online SSL VPN user. |
Endpoint information | Web browser or operating system used by the SSL VPN user. |
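The brief output of display sslvpn online-users shown above can be reviewed programmatically for sessions that deserve a second look, such as users idle for longer than the gateway's idle timeout or users holding an unusually large number of connections. The following Python script is an added example and is not part of this reference or of the device's software; the output it parses is constructed to follow the brief format above, and the thresholds in flag_sessions are assumptions to be set per deployment.

```python
import re
from dataclasses import dataclass

# Constructed sample output modelled on the brief format of
# "display sslvpn online-users" in this reference (not captured from a device).
SAMPLE_OUTPUT = """\
Total online-users: 3
SSL VPN gateway: gw1
Online-users: 3
Username   Connections  Idle time    Created      User IP
user1      5            0/00:00:23   0/04:47:16   192.0.2.1
user2      5            1/02:00:46   3/04:48:36   192.0.2.2
user3      48           0/00:00:05   0/00:10:00   198.51.100.7
"""


@dataclass
class OnlineUser:
    gateway: str
    username: str
    connections: int
    idle_seconds: int
    created_seconds: int
    user_ip: str


def parse_duration(text):
    """Convert the days/hh:mm:ss format of the Idle time and Created columns to seconds."""
    days, clock = text.split("/")
    hours, minutes, seconds = (int(part) for part in clock.split(":"))
    return int(days) * 86400 + hours * 3600 + minutes * 60 + seconds


# One user row: username, connection count, two days/hh:mm:ss durations, user IP.
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(\d+)\s+(\d+/\d{2}:\d{2}:\d{2})\s+(\d+/\d{2}:\d{2}:\d{2})\s+(\S+)\s*$"
)


def parse_online_users(output):
    """Return one OnlineUser per user row, tagged with the gateway it was listed under."""
    users = []
    gateway = None
    for line in output.splitlines():
        if line.strip().startswith("SSL VPN gateway:"):
            gateway = line.split(":", 1)[1].strip()
            continue
        match = ROW_RE.match(line)
        if match and gateway is not None:
            users.append(OnlineUser(
                gateway=gateway,
                username=match.group(1),
                connections=int(match.group(2)),
                idle_seconds=parse_duration(match.group(3)),
                created_seconds=parse_duration(match.group(4)),
                user_ip=match.group(5),
            ))
    return users


def flag_sessions(users, max_idle_seconds=1800, max_connections=20):
    """Return (username, reason) pairs for sessions to review.

    Thresholds are assumptions: 1800 seconds matches the 30-minute idle timeout
    shown in this reference's output, and 20 connections is an arbitrary ceiling.
    """
    findings = []
    for user in users:
        if user.idle_seconds > max_idle_seconds:
            findings.append((user.username, "idle"))
        if user.connections > max_connections:
            findings.append((user.username, "connections"))
    return findings


if __name__ == "__main__":
    for username, reason in flag_sessions(parse_online_users(SAMPLE_OUTPUT)):
        print(f"{username}: {reason}")
```

A flagged user can then be inspected with display sslvpn online-users user user-name, which also reports the user ID that force-logout user-id accepts in SSL VPN gateway view.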
force-logout
Use force-logout to force online users to log out.
Syntax
force-logout [ all | user-id user-id | user user-name ]
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
all: Logs out all users.
user-id user-id: Specifies a user by the user ID, in the range of 1 to 4294967295. You can obtain user IDs of online users by using display sslvpn online-users.
user user-name: Specifies a user by the username. The username is a case-sensitive string of 1 to 80 characters.
Examples
# Log out the user with user ID 1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] force-logout user-id 1
Related commands
display sslvpn online-users
https-port
Use https-port to specify an HTTPS port number for an SSL VPN gateway.
Use undo https-port to restore the default.
Syntax
https-port port-number
undo https-port
Default
The HTTPS port number used by an SSL VPN gateway is 443.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
port-number: Specifies an HTTPS port number. The value range is 443 and 1025 to 65535. The default is 443.
Usage guidelines
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the HTTPS port number as 10443 for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] https-port 10443
Related commands
display sslvpn gateway
interface
Use interface to specify an interface for an SSL VPN gateway.
Use undo interface to restore the default.
Syntax
interface interface-type interface-number
undo interface interface-type interface-number
Default
No interface is specified for an SSL VPN gateway.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
interface-type interface-number: Specifies an interface by its type and number.
Usage guidelines
The SSL VPN gateway uses the specified interface to communicate with SSL VPN users in IP access mode. It uses the interface to forward packets sent by the user to remote servers and to forward the servers' replies back to the user.
Examples
# Access SSL VPN gateway gw1 and specify the interface for the gateway as GigabitEthernet 1/0/1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] interface gigabitEthernet 1/0/1
Related commands
display sslvpn gateway
interface sslvpn-ac
Use interface sslvpn-ac to create an SSL VPN AC interface and enter its view, or enter the view of an existing SSL VPN AC interface.
Use undo interface sslvpn-ac to delete an SSL VPN AC interface.
Syntax
interface sslvpn-ac interface-number
undo interface sslvpn-ac interface-number
Default
No SSL VPN AC interfaces exist.
Views
System view
Predefined user roles
network-admin
Parameters
interface-number: Specifies an SSL VPN AC interface number in the range of 0 to 4095.
Examples
# Create SSL VPN AC 1000 and enter its view.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000]
ip-tunnel access-route
Use ip-tunnel access-route to specify the IPv4 routes to be issued to clients.
Use undo ip-tunnel access-route to remove the IPv4 routes to be issued to clients.
Syntax
ip-tunnel access-route ipv4-address { mask | mask-length }
undo ip-tunnel access-route ipv4-address { mask | mask-length }
Default
No IPv4 routes to be issued to clients are specified.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
ipv4-address: Specifies the destination address of the IPv4 route. It cannot be a multicast, broadcast, or loopback address.
mask: Specifies the mask for the destination address of the IPv4 route.
mask-length: Specifies the mask length for the destination address of the IPv4 route, in the range of 0 to 32.
Usage guidelines
When a client accesses an SSL VPN gateway in IP access mode, the SSL VPN gateway issues the configured IPv4 route or the specified IPv4 routes to the client. The client adds the IPv4 routes, using the VNIC as the output interface. Packets from the client to the internal servers match the IPv4 routes, and therefore are sent to the SSL VPN gateway through the VNIC.
Repeat this command to specify multiple IPv4 routes to be issued to clients.
Examples
# In SSL VPN gateway gw1, specify the destination address of the IPv4 route to be issued to clients as 10.0.0.0 and specify the mask length as 8.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel access-route 10.0.0.0 8
Related commands
display sslvpn gateway
ip-tunnel address-pool
Use ip-tunnel address-pool to create an IPv4 address pool.
Use undo ip-tunnel address-pool to delete an IPv4 address pool.
Syntax
ip-tunnel address-pool start-ipv4-address end-ipv4-address mask { mask | mask-length }
undo ip-tunnel address-pool start-ipv4-address end-ipv4-address
Default
No IPv4 address pool is configured.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
start-ipv4-address end-ipv4-address: Specifies the start IPv4 address and end IPv4 address for the pool. The end IPv4 address must be greater than the start IPv4 address. Neither address can be a multicast, broadcast, or loopback address.
mask { mask | mask-length }: Specifies the mask or mask length of the IPv4 address pool. The value range for the mask length is 1 to 30.
Usage guidelines
The created IPv4 address pools are used for an SSL VPN gateway to allocate addresses to SSL VPN IP access clients.
You can execute this command multiple times to configure multiple IPv4 address pools, but no overlapping address ranges are allowed for different address pools.
If an SSL VPN gateway is configured with multiple IPv4 address pools of different network segments, the IPv4 address allocated to a client might not be in the same network segment as the IPv4 address of an SSL VPN AC interface. In this case, you must add a route on the SSL VPN gateway for the SSL VPN AC interface to reach the client.
Examples
# In SSL VPN gateway gw1, create an IPv4 address pool with the address range 10.1.1.1 to 10.1.1.254 and the mask length 24.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel address-pool 10.1.1.1 10.1.1.254 mask 24
Related commands
display sslvpn gateway
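The constraints stated for ip-tunnel address-pool (end address greater than start address, mask length 1 to 30, no multicast, broadcast, or loopback endpoints, no overlapping ranges between pools) and for ip-tunnel access-route (mask length 0 to 32, no multicast, broadcast, or loopback destination) can be checked before a change is pushed to a gateway, so that a rejected command or an unreachable client is caught in review rather than on the device. The following Python validator is an added example, not the device's own code; the function names and the pool and route values it is run against are assumptions, and it performs no device I/O.

```python
import ipaddress

# Added example: checks ip-tunnel address-pool and ip-tunnel access-route
# arguments against the constraints stated in this reference.


def _address_problems(text, role):
    """Problems for an address that must not be multicast, broadcast, or loopback.

    Only the limited broadcast address 255.255.255.255 is checked here, because
    a directed broadcast address depends on the mask of the surrounding subnet.
    """
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:
        return [f"{role} {text!r} is not a valid IPv4 address"]
    problems = []
    if addr.is_multicast:
        problems.append(f"{role} {text} is a multicast address")
    if addr.is_loopback:
        problems.append(f"{role} {text} is a loopback address")
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        problems.append(f"{role} {text} is the broadcast address")
    return problems


def _mask_length(mask):
    """Accept a mask length ('24') or a dotted mask ('255.255.255.0'); None if malformed."""
    try:
        if "." in str(mask):
            return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
        return int(mask)
    except ValueError:
        return None


def pool_problems(pools):
    """Check (start, end, mask) tuples as given to ip-tunnel address-pool.

    Each pool must have valid endpoints, end > start and a mask length of 1 to
    30; pools that pass their own checks must not overlap one another.
    """
    problems = []
    accepted = []  # (start, end) of pools that passed their own checks
    for start, end, mask in pools:
        local = _address_problems(start, "start address") + _address_problems(end, "end address")
        plen = _mask_length(mask)
        if plen is None or not 1 <= plen <= 30:
            local.append(f"mask {mask!r} is not a mask length in the range 1 to 30")
        if not local:
            s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            if e <= s:
                local.append(f"end address {end} is not greater than start address {start}")
            else:
                for ps, pe in accepted:
                    if s <= pe and ps <= e:  # closed-interval overlap test
                        local.append(f"pool {start}-{end} overlaps pool {ps}-{pe}")
                if not local:
                    accepted.append((s, e))
        problems.extend(local)
    return problems


def route_problems(destination, mask):
    """Check an ip-tunnel access-route destination and mask (mask length 0 to 32)."""
    problems = _address_problems(destination, "destination")
    plen = _mask_length(mask)
    if plen is None or not 0 <= plen <= 32:
        problems.append(f"mask {mask!r} is not a mask length in the range 0 to 32")
    return problems


if __name__ == "__main__":
    # Constructed planned change: two pools, the second overlapping the first.
    planned_pools = [("10.1.1.1", "10.1.1.254", "24"), ("10.1.1.100", "10.1.1.200", "24")]
    planned_routes = [("10.0.0.0", "8"), ("127.0.0.1", "32")]
    for problem in pool_problems(planned_pools):
        print("pool:", problem)
    for destination, mask in planned_routes:
        for problem in route_problems(destination, mask):
            print("route:", problem)
```

The overlap check compares closed address ranges rather than prefixes, because a pool is defined by its start and end addresses and the mask only describes the subnet the allocated address is placed in; two pools on the same /24 that do not share any addresses are accepted, as the usage guidelines allow.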
ip-tunnel dns-server
Use ip-tunnel dns-server to specify an IPv4 DNS server for IP access.
Use undo ip-tunnel dns-server to restore the default.
Syntax
ip-tunnel dns-server { primary | secondary } ip-address
undo ip-tunnel dns-server { primary | secondary }
Default
No IPv4 DNS servers are specified for IP access.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
primary: Specifies the primary DNS server.
secondary: Specifies the secondary DNS server.
ip-address: Specifies the IPv4 address of the DNS server. It cannot be a multicast, broadcast, or loopback address.
Examples
# Specify the primary DNS server 1.1.1.1 for IP access in SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel dns-server primary 1.1.1.1
Related commands
display sslvpn gateway
ip-tunnel emo-server
Use ip-tunnel emo-server to specify an Endpoint Mobile Office (EMO) server for mobile clients.
Use undo ip-tunnel emo-server to restore the default.
Syntax
ip-tunnel emo-server address { host-name | ipv4-address } port port-number
undo ip-tunnel emo-server
Default
No EMO server is specified for mobile clients.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
address: Specifies the host name or IPv4 address of the EMO server.
host-name: Specifies the host name of the EMO server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).
ipv4-address: Specifies the IPv4 address of the EMO server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.
port port-number: Specifies the port number of the EMO server, in the range of 1025 to 65535.
Usage guidelines
An EMO server provides services for mobile clients. The SSL VPN gateway issues the EMO server information to the clients, and the clients can access available service resources through the EMO server.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the IP address of the EMO server as 10.10.1.1 and the port number as 9058 for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel emo-server address 10.10.1.1 port 9058
Related commands
display sslvpn gateway
ip-tunnel interface
Use ip-tunnel interface to specify an SSL VPN AC interface for IP access.
Use undo ip-tunnel interface to restore the default.
Syntax
ip-tunnel interface sslvpn-ac interface-number
undo ip-tunnel interface
Default
No SSL VPN AC interface is specified for IP access.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
sslvpn-ac interface-number: Specifies the number of an SSL VPN AC interface. The interface must have been created.
Usage guidelines
The SSL VPN gateway uses the specified SSL VPN AC interface to communicate with SSL VPN users in IP access mode. It uses the SSL VPN AC interface to forward packets sent by the user to remote servers and to forward the servers' replies back to the user.
Examples
# Specify SSL VPN AC 100 for IP access in the view of SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel interface sslvpn-ac 100
Related commands
interface sslvpn-ac
ip-tunnel keepalive
Use ip-tunnel keepalive to set the keepalive interval for IP access.
Use undo ip-tunnel keepalive to restore the default.
Syntax
ip-tunnel keepalive seconds
undo ip-tunnel keepalive
Default
The keepalive interval is 30 seconds for IP access.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
seconds: Specifies the keepalive interval in the range of 0 to 600 seconds. If the interval is set to 0 seconds, a client does not send keepalive messages to the SSL VPN gateway.
Usage guidelines
A client sends keepalive messages to the SSL VPN gateway to maintain connections between them.
If an SSL VPN gateway does not receive any data or keepalive messages from a client during the online user idle timeout timer, it terminates the connection with the client.
Set the keepalive interval to be shorter than the user idle timeout timer configured by the timeout idle command.
Examples
# Set the keepalive interval to 50 seconds for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel keepalive 50
ip-tunnel message-server
Use ip-tunnel message-server to specify a message server for mobile clients.
Use undo ip-tunnel message-server to restore the default.
Syntax
ip-tunnel message-server address { host-name | ipv4-address } port port-number
undo ip-tunnel message-server
Default
No message server is specified for mobile clients.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
address: Specifies the host name or IPv4 address of the message server.
host-name: Specifies the host name of the message server, a case-insensitive string of 1 to 127 characters. Valid characters are letters, digits, underscores (_), hyphens (-), and dots (.).
ipv4-address: Specifies the IPv4 address of the message server, in dotted decimal notation. The IP address cannot be a multicast, broadcast, or loopback address.
port port-number: Specifies the port number of the message server, in the range of 1025 to 65535.
Usage guidelines
A message server provides services for mobile clients. The SSL VPN gateway issues the message server information to the clients, and the clients can access the message server.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify the IP address of the message server as 10.10.1.1 and the port number as 8000 for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel message-server address 10.10.1.1 port 8000
Related commands
display sslvpn gateway
ip-tunnel wins-server
Use ip-tunnel wins-server to specify an IPv4 WINS server for IP access.
Use undo ip-tunnel wins-server to restore the default.
Syntax
ip-tunnel wins-server { primary | secondary } ip-address
undo ip-tunnel wins-server { primary | secondary }
Default
No IPv4 WINS servers are specified for IP access.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
primary: Specifies the primary WINS server.
secondary: Specifies the secondary WINS server.
ip-address: Specifies the IPv4 address of the WINS server. It cannot be a multicast, broadcast, or loopback address.
Examples
# Specify the primary WINS server 1.1.1.1 for IP access in SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ip-tunnel wins-server primary 1.1.1.1
Related commands
display sslvpn gateway
log ip-tunnel
Use log ip-tunnel to enable logging for IP address allocations and releases, IP access connection close events, or IP access packet drop events.
Use undo log ip-tunnel to disable logging for IP address allocations and releases, IP access connection close events, or IP access packet drop events.
Syntax
log ip-tunnel { address-alloc-release | connection-close | packet-drop }
undo log ip-tunnel { address-alloc-release | connection-close | packet-drop }
Default
Logging is disabled for IP address allocations and releases, IP access connection close events, and IP access packet drop events.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
address-alloc-release: Enables logging for IP address allocations and releases for the VNIC of the IP access client.
connection-close: Enables logging for IP access connection close events.
packet-drop: Enables logging for IP access packet drop events.
Usage guidelines
If logging is enabled for IP address allocations and releases for the VNIC of the IP access client, the SSL VPN gateway generates logs when the VNIC's IP address is allocated or released.
If logging for IP access connection close events is enabled, the SSL VPN gateway generates logs when the connections established for SSL VPN IP access users are closed.
If logging for IP access packet drop events is enabled, the SSL VPN gateway generates logs when packets for SSL VPN IP access users are dropped.
The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about the information center, see Device Management Configuration Guide.
Examples
# Enable logging for IP access connection close events for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] log ip-tunnel connection-close
Related commands
display sslvpn gateway
log resource-access enable
Use log resource-access enable to enable resource access logging.
Use undo log resource-access enable to disable resource access logging.
Syntax
log resource-access enable [ brief | filtering ] *
undo log resource-access enable
Default
Resource access logging is disabled.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
brief: Records brief resource access information. If you specify this keyword, only the address and port number of the accessed resource will be recorded. If you do not specify this keyword, a large amount of information including webpage formatting information will be recorded.
filtering: Enables resource access log filtering. With this keyword specified, the device generates only one log for accesses of the same user to the same resource in a minute. If this keyword is not specified, the device generates a log for each resource access.
Usage guidelines
This feature logs resource accesses of SSL VPN users. The logs are sent to the information center of the device.
With the information center, you can set log message filtering and output rules, including output destinations.
The information center can output SSL VPN resource access logs to any destinations except the console and the monitor terminal. If you configure the console or monitor terminal as an output destination, the output destination setting will not take effect.
To view SSL VPN resource access logs stored on the device, use the display logbuffer command. Make sure you do not disable log output to the log buffer, which is enabled by default.
For more information about configuring the information center, see Device Management Configuration Guide.
If you execute the log resource-access enable command multiple times, the most recent configuration takes effect.
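The following is an added Python example, not code from the command reference or from the device vendor, that models the effect of the filtering keyword described above: with filtering, the gateway generates only one log for accesses of the same user to the same resource within a minute, while without it every access is logged. The sample access records, the (user, address, port) resource key, and the interpretation of "in a minute" as a one-minute window measured from the last logged access of that pair are constructed assumptions; the reference does not state the log format or whether the window is sliding or bucketed.

```python
from datetime import datetime, timedelta

# Constructed sample access events for illustration only: (ISO timestamp, user, resource address, port).
# These are not in the gateway's actual log format.
SAMPLE_ACCESSES = [
    ("2024-01-01T10:00:01", "alice", "10.1.1.10", 443),
    ("2024-01-01T10:00:15", "alice", "10.1.1.10", 443),  # same user/resource within a minute
    ("2024-01-01T10:00:40", "alice", "10.1.1.10", 443),  # same user/resource within a minute
    ("2024-01-01T10:00:45", "bob",   "10.1.1.10", 443),  # different user, logged separately
    ("2024-01-01T10:01:05", "alice", "10.1.1.10", 443),  # more than a minute after alice's last log
    ("2024-01-01T10:01:10", "alice", "10.1.1.20", 80),   # different resource, logged separately
]

# Assumption: the suppression window is one minute from the last logged access of a pair.
FILTER_WINDOW = timedelta(minutes=1)


def select_logged(events, filtering=True):
    """Return the subset of events that would produce a log entry.

    filtering=False models 'log resource-access enable' without the filtering
    keyword: every access is logged.
    filtering=True models the filtering keyword: at most one log per
    (user, address, port) within FILTER_WINDOW of the previous logged access.
    """
    if not filtering:
        return list(events)

    last_logged = {}  # (user, address, port) -> timestamp of the last logged access
    kept = []
    for ts_text, user, addr, port in events:
        ts = datetime.fromisoformat(ts_text)
        key = (user, addr, port)
        prev = last_logged.get(key)
        if prev is None or ts - prev >= FILTER_WINDOW:
            last_logged[key] = ts
            kept.append((ts_text, user, addr, port))
    return kept


def log_reduction(events):
    """Return (unfiltered_count, filtered_count) for the given events."""
    return len(select_logged(events, filtering=False)), len(select_logged(events, filtering=True))


if __name__ == "__main__":
    total, filtered = log_reduction(SAMPLE_ACCESSES)
    print(f"without filtering: {total} logs, with filtering: {filtered} logs")
    for ts_text, user, addr, port in select_logged(SAMPLE_ACCESSES):
        # Brief-style record: only the accessed address and port, as the brief keyword describes.
        print(f"{ts_text} user={user} resource={addr}:{port}")
```

Running the block shows six logs without filtering and four with it: repeated hits by the same user on the same resource inside the window are collapsed, while a different user or a different resource still produces its own entry. This is the trade-off the filtering keyword offers: a smaller log volume at the cost of losing the per-access count within each minute.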
Examples
# Enable resource access logging.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] log resource-access enable
log user-login enable
Use log user-login enable to enable logging for user login and logoff events.
Use undo log user-login enable to disable logging for user login and logoff events.
Syntax
log user-login enable
undo log user-login enable
Default
Logging for user login and logoff events is disabled.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Usage guidelines
This feature logs user login and logoff events. The logs are sent to the information center of the device. For the logs to be output correctly, you must also configure the information center on the device. For more information about configuring the information center, see Device Management Configuration Guide.
Examples
# Enable logging for user logins and logouts.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] log user-login enable
max-online-users per-gateway
Use max-online-users per-gateway to specify the maximum number of online users for an SSL VPN gateway.
Use undo max-online-users per-gateway to restore the default.
Syntax
max-online-users per-gateway max-number
undo max-online-users per-gateway
Default
A maximum of 1048575 online users are allowed for an SSL VPN gateway.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
per-gateway max-number: Specifies the maximum number of online users for an SSL VPN gateway, in the range of 1 to 1048575.
Usage guidelines
If the specified limit is reached, new users cannot access the SSL VPN gateway.
Examples
# Set the maximum number of online users to 500 for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] max-online-users per-gateway 500
Related commands
display sslvpn gateway
mtu
Use mtu to set the MTU size of an interface.
Use undo mtu to restore the default.
Syntax
mtu size
undo mtu
Default
The MTU size of an interface is 1500 bytes.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
Parameters
size: Specifies the MTU size, in the range of 100 to 64000 bytes.
Examples
# Set the MTU size of interface SSL VPN AC 1000 to 1430 bytes.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] mtu 1430
reset counters interface sslvpn-ac
Use reset counters interface sslvpn-ac to clear SSL VPN AC interface statistics.
Syntax
reset counters interface [ sslvpn-ac [ interface-number ] ]
Views
User view
Predefined user roles
network-admin
Parameters
sslvpn-ac [ interface-number ]: Specifies an SSL VPN AC interface by its number in the range of 0 to 4095. If you do not specify this option, the command clears statistics for all interfaces. If you specify the sslvpn-ac keyword without the interface-number argument, this command clears statistics for all existing SSL VPN AC interfaces.
Usage guidelines
Use this command to clear old statistics so you can observe new traffic statistics on an SSL VPN AC interface.
Examples
# Clear statistics for SSL VPN AC 1000.
<Sysname> reset counters interface sslvpn-ac 1000
Related commands
display interface sslvpn-ac
service ipv4 enable
Use service ipv4 enable to enable the IPv4 service for an SSL VPN gateway.
Use undo service ipv4 enable to disable the IPv4 service for an SSL VPN gateway.
Syntax
service ipv4 enable
undo service ipv4 enable
Default
The IPv4 service is disabled for an SSL VPN gateway.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Usage guidelines
The IPv4 service enables an SSL VPN gateway to establish SSL connections with remote access users and forward IPv4 traffic between remote users and internal servers.
Examples
# Enable the IPv4 service for SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] service ipv4 enable
Related commands
display sslvpn gateway
shutdown
Use shutdown to shut down an interface.
Use undo shutdown to bring up an interface.
Syntax
shutdown
undo shutdown
Default
An SSL VPN AC interface is up.
Views
SSL VPN AC interface view
Predefined user roles
network-admin
Usage guidelines
CAUTION: Executing this command on an interface causes service traffic interruption on the interface and interrupts communication. Use this command with caution.
Examples
# Shut down interface SSL VPN AC 1000.
<Sysname> system-view
[Sysname] interface sslvpn-ac 1000
[Sysname-SSLVPN-AC1000] shutdown
ssl server-policy
Use ssl server-policy to apply an SSL server policy to an SSL VPN gateway.
Use undo ssl server-policy to remove the application.
Syntax
ssl server-policy policy-name
undo ssl server-policy [ policy-name ]
Default
An SSL VPN gateway uses the SSL server policy of its self-signed certificate.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
policy-name: Specifies the name of an SSL server policy, a case-insensitive string of 1 to 31 characters. If you do not specify this argument for the undo ssl server-policy command, the system removes all SSL server policy applications from the SSL VPN gateway.
Usage guidelines
You can apply only one SSL server policy to an SSL VPN gateway. The SSL VPN gateway will use the parameters defined by the policy to establish SSL connections to remote users.
Examples
# Apply SSL server policy CA_CERT to SSL VPN gateway gw1.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] ssl server-policy CA_CERT
Related commands
display sslvpn gateway
sslvpn gateway
Use sslvpn gateway to create an SSL VPN gateway and enter its view, or enter the view of an existing SSL VPN gateway.
Use undo sslvpn gateway to delete an SSL VPN gateway.
Syntax
sslvpn gateway gateway-name
undo sslvpn gateway gateway-name
Default
No SSL VPN gateways exist.
Views
System view
Predefined user roles
network-admin
Parameters
gateway-name: Specifies an SSL VPN gateway name, a case-insensitive string of 1 to 31 characters. Valid characters are letters, digits, and underscores (_).
Usage guidelines
An SSL VPN gateway resides between remote users and the enterprise network to ensure secure access of remote users to the enterprise internal network. The SSL VPN gateway establishes an SSL connection to a remote user, and then authenticates the user before allowing the user to access an internal server.
Examples
# Create an SSL VPN gateway named gw1 and enter its view.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1]
Related commands
display sslvpn gateway
timeout idle
Use timeout idle to set the idle timeout timer for online SSL VPN users.
Use undo timeout idle to restore the default.
Syntax
timeout idle minutes
undo timeout idle
Default
The idle timeout timer is 30 minutes for online SSL VPN users.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Parameters
minutes: Specifies the idle timeout timer, in the range of 1 to 1440 minutes.
Usage guidelines
If the idle time of an online SSL VPN user exceeds the specified idle timeout timer, the connection to the user is terminated.
Examples
# Set the idle timeout timer to 50 minutes for online SSL VPN users.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] timeout idle 50
Related commands
display sslvpn policy-group
verify-code enable
Use verify-code enable to enable code verification.
Use undo verify-code enable to disable code verification.
Syntax
verify-code enable
undo verify-code enable
Default
Code verification is disabled.
Views
SSL VPN gateway view
Predefined user roles
network-admin
Usage guidelines
After code verification is enabled, a user must enter a correct verification code to log in to the SSL VPN webpage.
Examples
# Enable code verification.
<Sysname> system-view
[Sysname] sslvpn gateway gw1
[Sysname-sslvpn-gateway-gw1] verify-code enable
Related commands
display sslvpn gateway