AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
display ipsec efficient-vpn

Function

The display ipsec efficient-vpn command displays Efficient VPN policy information.

Format

display ipsec efficient-vpn [ brief | capability | ip-alloc information | name efficient-vpn-name | remote ]

Parameters

| Parameter | Description | Value |
| --- | --- | --- |
| brief | Displays brief information about Efficient VPN policies. | - |
| capability | Displays the IPSec configuration supported by an Efficient VPN policy. | - |
| ip-alloc information | Displays information about the IP address allocated by the server (headquarters gateway) to the remote device (branch gateway) in the Efficient VPN policy. ip-alloc only takes effect on the server. | - |
| name efficient-vpn-name | Displays information about a specified Efficient VPN policy. | The value is an existing Efficient VPN policy name. |
| remote | Displays the running status of remote devices. remote only takes effect on the server. | - |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None

Example

# Display information about the Efficient VPN policy named easyvpn_1.

<Huawei> display ipsec efficient-vpn name easyvpn_1
===========================================
IPSec efficient-vpn name: easyvpn_1
Using interface         : GigabitEthernet1/0/0
===========================================
 IPSec Efficient-vpn Name  : easyvpn_1                                          
 IPSec Efficient-vpn Mode  : 3 (1:Client 2:Network 3:Network-plus 4:Network-auto
-cfg)
 ACL Number                :                                                    
 Auth Method               : 8 (8:PSK 9:RSA)                                    
 VPN name                  :                                                    
 Local ID Type             : 1 (1:IP 2:Name 3:User-fqdn 9:DN 11:Key-id)                                    
 IKE Version               : 1 (1:IKEv1 2:IKEv2)                                
 Remote Address            : 99.1.2.1                                           
 Pre Shared Key            :                                                    
 PFS Type                  : 0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14)
 Remote Name               :                                                    
 PKI Object                :                                                    
 Anti-replay window size   : 32                                                 
 Qos pre-classify          : 0 (0:Disable 1:Enable)
 Qos group                 : -
 Service-scheme name       : scheme
 DPD Msg Type              : seq-notify-hash     
 Sim-based-username Type   : IMEI 
 Interface loopback        : LoopBack100
 Interface loopback IP     : 100.1.1.1/25
 Dns server IP             : 2.2.2.2, 2.2.2.3 
 Wins server IP            : 3.3.3.2, 3.3.3.3  
 Dns default domain name   : mydomain.com.cn
 Auto-update url           : 
 Auto-update version       : 
 IP pool                   : 192.1.1.0/255.255.255.0
 Resource acl list         : 1
   IP address/mask         : 5.1.1.2/255.255.255.255
   Source port number      : 0
   Destination port number : 0
   Protocol ID             : 0
 Resource acl list         : 2
   IP address/mask         : 6.1.1.0/255.255.255.0
   Source port number      : 0
   Destination port number : 0
   Protocol ID             : 0

# Display brief information about Efficient VPN policies.

<Huawei> display ipsec efficient-vpn brief
 Total number of IPSec efficient-vpn: 1

 Efficient-vpn name      Efficient-vpn mode
 ------------------------------------------
 v1                      client
Table 10-22  Description of the display ipsec efficient-vpn command output

| Item | Description |
| --- | --- |
| IPSec Efficient-vpn Name | Name of the Efficient VPN policy. To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command. |
| Using interface | Interface to which an Efficient VPN policy is applied. |
| IPSec Efficient-vpn Mode | Mode used by the Efficient VPN policy (1: client; 2: network; 3: network-plus; 4: network-auto-cfg). To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command. |
| ACL Number | ACL used by the Efficient VPN policy. To configure an ACL referenced by an Efficient VPN policy, run the security acl command. |
| Auth Method | Authentication mode used by the Efficient VPN policy (8: pre-shared key authentication; 9: RSA signature authentication). To configure an authentication mode, run the authentication-method command. |
| VPN name | Name of the VPN instance bound to the Efficient VPN policy. To bind a VPN instance to an Efficient VPN policy, run the sa binding vpn-instance (Efficient VPN policy view) command. |
| Local ID Type | Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command. |
| IKE Version | Configured IKE version (1: IKEv1; 2: IKEv2). |
| Remote Address | IP address of the remote IKE peer. To configure the remote IP address, run the remote-address command. |
| Pre Shared Key | Pre-shared key. To configure a pre-shared key, run the pre-shared-key command. |
| PFS Type | Perfect Forward Secrecy (PFS) used in IKE negotiation (0: PFS is not used during IKE negotiation; 1: 768-bit Diffie-Hellman group is used during IKE negotiation; 2: 1024-bit Diffie-Hellman group is used during IKE negotiation; 5: 1536-bit Diffie-Hellman group is used during IKE negotiation; 14: 2014-bit Diffie-Hellman group is used during IKE negotiation). To specify an algorithm used to generate a pseudo random number, run the pfs command. |
| Remote Name | Remote name used in IKE negotiation. To configure the remote name used in IKE negotiation, run the remote-name command. When the local-id-type name command is used, the local and remote names are used for IKE negotiation. If ike local-name is not configured on the remote end, the name specified by the sysname command is used for IKE negotiation. |
| PKI Object | PKI domain bound to the Efficient VPN policy. To bind a PKI domain to an Efficient VPN policy, run the pki realm command. |
| Anti-replay window size | IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command. When the value is 0, the IPSec anti-replay function is enabled in the system view. To enable this function, run the ipsec anti-replay command. |
| Qos pre-classify | Whether pre-extraction of original IP packets is enabled (0: Pre-extraction of original IP packets is enabled; 1: Pre-extraction of original IP packets is disabled). To enable pre-extraction of original IP packets, run the qos pre-classify command. |
| Qos group | QoS group to which IPSec packets belong. To configure the QoS group, run the qos group command. "-" indicates that no QoS group is specified for IPSec packets. |
| Service-scheme name | Name of the bound service scheme. To bind a service scheme, run the service-scheme command. |
| DPD Msg Type | Sequence of the payload in DPD packets. To configure the sequence, run the dpd msg command. |
| Sim-based-username Type | Type of the SIM card user name (IMEI: international mobile equipment identity; IMSI: international mobile subscriber identity). |
| Interface loopback | Number of the loopback interface. The loopback interface is dynamically created on the remote device and is used to establish an IPSec tunnel with the Efficient VPN server. |
| Interface loopback IP | IP address of the loopback interface, which is allocated by the Efficient VPN server to the remote device. |
| Dns server IP | DNS server IP address. To configure a DNS server IP address, run the dns command. |
| Wins server IP | WINS server IP address. To configure a WINS server IP address, run the wins command. |
| Dns default domain name | DNS domain name. To configure a DNS domain name, run the dns-name command. |
| Auto-update url | URL of the file used to upgrade a remote device. To configure the URL of the file used to upgrade a remote device, run the auto-update url command. |
| Auto-update version | Version number of the version file. To configure the version number of the version file, run the auto-update url command. |
| IP pool | IP address obtained from the address pool. |
| Resource acl list | Delivered ACL list. The value is the number of configured ACL rules. This field is available only when ACL delivery is enabled using the resource acl command. |
| IP address/mask | Delivered IP address or mask. To specify an IP address or port number, run the rule (advanced ACL view) command. |
| Source port number | Delivered source port number. To specify a source port number, run the rule (advanced ACL view) command. |
| Destination port number | Delivered destination port number. To specify a destination port number, run the rule (advanced ACL view) command. |
| Protocol ID | Delivered protocol ID. To specify a protocol ID, run the rule (advanced ACL view) command. |

# Display the IPSec configuration supported by an Efficient VPN policy.

<Huawei> display ipsec efficient-vpn capability

  IKEv1 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP2
  Supported Encryption Algorithms:
    3DES
  Supported Integrity Algorithms:
    MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
  Supported Authentication Methods:
    Pre Shared Key | RSA_SIG

  IKEv2 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP2
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Integrity Algorithms:
    MD5 | SHA1 | AES-XCBC-96 | SHA2-256 | SHA2-384 | SHA2-512
  Supported PRF:
    PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
    PRF-SHA2-512

  IPSEC Global Supported Algorithms
-------------------------------------------------------
  Supported Security Protocols:
    ESP
  Supported Encapsulation Modes:
    TUNNEL
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA256 | SHA384 | SHA512 | NULL
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256 | NULL
NOTE:
  • The MD5 and SHA-1 authentication algorithms have security risks; therefore, you are advised to use SHA-2 preferentially.

  • The DES and 3DES encryption algorithms have security risks; therefore, you are advised to use AES preferentially.

  • The PRF-MD5 and PRF-SHA1 algorithms have security risks; therefore, you are advised to use PRF-AES-XCBC-128 or SHA-2 preferentially.

Table 10-23  Description of the display ipsec efficient-vpn capability command output

| Item | Description |
| --- | --- |
| IKEv1 Global Supported Algorithms | Supported algorithms when IKEv1 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device. |
| Supported DH Groups | Supported DH group when IKEv1 is used: DH_GROUP2, the 1024-bit Diffie-Hellman group. To configure a Diffie-Hellman group on the server, run the dh command. |
| Supported Encryption Algorithms | Supported encryption algorithm when IKEv1 is used: 3DES, that is, 168-bit 3DES-CBC. To configure an authentication algorithm on the server, run the authentication-algorithm command. |
| Supported Integrity Algorithms | Supported integrity algorithms when IKEv1 is used. To configure an authentication mode on the server, run the authentication-algorithm command. |
| Supported Authentication Methods | Supported authentication algorithms when IKEv1 is used (Pre Shared Key: pre-shared key authentication; RSA_SIG: RSA signature authentication). To configure an authentication mode on the server, run the authentication-method command. |
| IKEv2 Global Supported Algorithms | Supported algorithms when IKEv2 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device. |
| Supported PRF | Supported PRF algorithms when IKEv2 is used. To configure a PRF algorithm on the server, run the prf command. |
| IPSEC Global Supported Algorithms | Algorithms supported by the system. |
| Supported Security Protocols | Security protocol supported by IPSec: ESP. To configure a security protocol, run the transform command. |
| Supported Encapsulation Modes | Encapsulation mode supported by IPSec: tunnel mode. To configure an encapsulation mode, run the encapsulation-mode command. |
| Supported Authentication Algorithms | Authentication algorithm supported by IPSec. To configure an authentication algorithm on the server, run the esp authentication-algorithm command. |
| Supported Encryption Algorithms | Encryption algorithm supported by IPSec. To configure an encryption algorithm on the server, run the esp encryption-algorithm command. |

# Display information about the IP address allocated by the server to the remote device in the Efficient VPN policy.

<Huawei> display ipsec efficient-vpn ip-alloc information
Efficient-vpn alloc ip information:

-------------------------------------------------------------------------------
Username:           325158558545651
Alloc-IP/Mask:      100.1.1.126/25
Alloc-Type:         AAA Authorization
Interface:          GigabitEthernet0/0/1
Request Time:       2012.06.26-20:36:23
Lease Time:         2012.06.27-20:36:23
Table 10-24  Description of the display ipsec efficient-vpn ip-alloc command output

| Item | Description |
| --- | --- |
| Username | User name. The information is displayed when Alloc-Type is set to AAA Authorization. |
| Alloc-IP/Mask | IP address or mask allocated to the remote device. |
| Alloc-Type | Allocation mode (Dhcp: IP addresses are allocated by the remote DHCP server; Local: IP addresses are allocated from the local address pool; AAA Authorization: IP addresses are allocated from the AAA RADIUS server). |
| Interface | Interface to which an Efficient VPN policy is applied. To bind an Efficient VPN policy to an interface, run the ipsec efficient-vpn (interface view) command. |
| Request Time | Time when the IP address was allocated. |
| Lease Time | IP address lease time. |

# Display running status of remote devices.

<Huawei> display ipsec efficient-vpn remote
 Total number of remote : 1

 Local interface         : GigabitEthernet0/0/2
 Client IP address       : 80.1.1.1:500
 Client system MAC       : 5489-98f4-78f4
 Client description      : 
 Client alloc address    : 100.1.1.254                                          
 Client version ID       : 2
 Client last upgrade info: Failed to get the upgrade information.
Table 10-25  Description of the display ipsec efficient-vpn remote command output

| Item | Description |
| --- | --- |
| Total number of remote | Number of remote devices. |
| Local interface | Interface bound to an IPSec policy on the server. To apply an IPSec policy to an interface, run the ipsec policy (interface view) command. |
| Client IP address | IP address of the remote device. |
| Client system MAC | MAC address of the remote device. |
| Client description | Device information and version information about the remote device. |
| Client alloc address | IP address delivered by the Efficient VPN server to the remote device. |
| Client version ID | Version number of the version file delivered from the server to the remote device. |
| Client last upgrade info | Information about the last automatic upgrade on the remote device. |

Updated: 2019-05-29

Document ID: EDOC1000097293
