display ipsec efficient-vpn
Format
display ipsec efficient-vpn [ brief | capability | ip-alloc information | name efficient-vpn-name | remote ]
Parameters
Parameter | Description | Value |
---|---|---|
brief | Displays brief information about Efficient VPN policies. | - |
capability | Displays the IPSec configuration supported by an Efficient VPN policy. | - |
ip-alloc information | Displays information about the IP address allocated by the server (headquarters gateway) to the remote device (branch gateway) in the Efficient VPN policy. ip-alloc only takes effect on the server. | - |
name efficient-vpn-name | Displays information about a specified Efficient VPN policy. | The value is an existing Efficient VPN policy name. |
remote | Displays the running status of remote devices. remote only takes effect on the server. | - |
Example
# Display information about the Efficient VPN policy named easyvpn_1.
<Huawei> display ipsec efficient-vpn name easyvpn_1
===========================================
IPSec efficient-vpn name: easyvpn_1
Using interface : GigabitEthernet1/0/0
===========================================
IPSec Efficient-vpn Name : easyvpn_1
IPSec Efficient-vpn Mode : 3 (1:Client 2:Network 3:Network-plus 4:Network-auto -cfg)
ACL Number :
Auth Method : 8 (8:PSK 9:RSA)
VPN name :
Local ID Type : 1 (1:IP 2:Name 3:User-fqdn 9:DN 11:Key-id)
IKE Version : 1 (1:IKEv1 2:IKEv2)
Remote Address : 99.1.2.1
Pre Shared Key :
PFS Type : 0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14)
Remote Name :
PKI Object :
Anti-replay window size : 32
Qos pre-classify : 0 (0:Disable 1:Enable)
Qos group : -
Service-scheme name : scheme
DPD Msg Type : seq-notify-hash
Sim-based-username Type : IMEI
Interface loopback : LoopBack100
Interface loopback IP : 100.1.1.1/25
Dns server IP : 2.2.2.2, 2.2.2.3
Wins server IP : 3.3.3.2, 3.3.3.3
Dns default domain name : mydomain.com.cn
Auto-update url :
Auto-update version :
IP pool : 192.1.1.0/255.255.255.0
Resource acl list : 1
IP address/mask : 5.1.1.2/255.255.255.255
Source port number : 0
Destination port number : 0
Protocol ID : 0
Resource acl list : 2
IP address/mask : 6.1.1.0/255.255.255.0
Source port number : 0
Destination port number : 0
Protocol ID : 0
# Display brief information about Efficient VPN policies.
<Huawei> display ipsec efficient-vpn brief
Total number of IPSec efficient-vpn: 1
Efficient-vpn name Efficient-vpn mode
------------------------------------------
v1 client
Item | Description |
---|---|
IPSec Efficient-vpn Name | Name of the Efficient VPN policy. To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command. |
Using interface | Interface to which an Efficient VPN policy is applied. |
IPSec Efficient-vpn Mode | Mode used by the Efficient VPN policy. |
ACL Number | ACL used by the Efficient VPN policy. To configure an ACL referenced by an Efficient VPN policy, run the security acl command. |
Auth Method | Authentication mode used by the Efficient VPN policy: |
VPN name | Name of the VPN instance bound to the Efficient VPN policy. To bind a VPN instance to an Efficient VPN policy, run the sa binding vpn-instance (Efficient VPN policy view) command. |
Local ID Type | Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command. |
IKE Version | Configured IKE version: |
Remote Address | IP address of the remote IKE peer. To configure the remote IP address, run the remote-address command. |
Pre Shared Key | Pre-shared key. To configure a pre-shared key, run the pre-shared-key command. |
PFS Type | Perfect Forward Secrecy (PFS) used in IKE negotiation: |
Remote Name | Remote name used in IKE negotiation. To configure the remote name used in IKE negotiation, run the remote-name command. When the local-id-type name command is used, the local and remote names are used for IKE negotiation. If ike local-name is not configured on the remote end, the name specified by the sysname command is used for IKE negotiation. |
PKI Object | PKI domain bound to the Efficient VPN policy. To bind a PKI domain to an Efficient VPN policy, run the pki realm command. |
Anti-replay window size | IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command. When the value is 0, the IPSec anti-replay function is enabled in the system view. To enable this function, run the ipsec anti-replay command. |
Qos pre-classify | Whether pre-extraction of original IP packets is enabled: |
Qos group | QoS group to which IPSec packets belong. To configure the QoS group, run the qos group command. - indicates that no QoS group is specified for IPSec packets. |
Service-scheme name | Name of the bound service scheme. To configure it, run the service-scheme command. |
DPD Msg Type | Sequence of the payload in DPD packets. To configure it, run the dpd msg command. |
Sim-based-username Type | Type of the SIM card user name. |
Interface loopback | Number of the loopback interface. The loopback interface is dynamically created on the remote device and is used to establish an IPSec tunnel with the Efficient VPN server. |
Interface loopback IP | IP address of the loopback interface, which is allocated by the Efficient VPN server to the remote device. |
Dns server IP | DNS server IP address. To configure a DNS server IP address, run the dns command. |
Wins server IP | WINS server IP address. To configure a WINS server IP address, run the wins command. |
Dns default domain name | DNS domain name. To configure a DNS domain name, run the dns-name command. |
Auto-update url | URL of the file used to upgrade a remote device. To configure the URL of the file used to upgrade a remote device, run the auto-update url command. |
Auto-update version | Version number of the version file. To configure the version number of the version file, run the auto-update url command. |
IP pool | IP address obtained from the address pool. |
Resource acl list | Delivered ACL list. The value is the number of configured ACL rules. This field is available only when ACL delivery is enabled using the resource acl command. |
IP address/mask | Delivered IP address or mask. To specify an IP address or port number, run the rule (advanced ACL view) command. |
Source port number | Delivered source port number. To specify a source port number, run the rule (advanced ACL view) command. |
Destination port number | Delivered destination port number. To specify a destination port number, run the rule (advanced ACL view) command. |
Protocol ID | Delivered protocol ID. To specify a protocol ID, run the rule (advanced ACL view) command. |
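The coded fields in the policy output carry their own legend in parentheses, so a saved copy of the display can be decoded and compared with a configuration baseline. The following is an added example, not part of the vendor documentation; the sample is a constructed subset of the easyvpn_1 output, and `BASELINE`, `parse_policy` and `drift` are hypothetical names and values chosen for illustration.

```python
import re

# Constructed sample: a subset of the fields from the easyvpn_1 output above.
SAMPLE = """\
IPSec Efficient-vpn Name : easyvpn_1
IPSec Efficient-vpn Mode : 3 (1:Client 2:Network 3:Network-plus 4:Network-auto -cfg)
Auth Method : 8 (8:PSK 9:RSA)
IKE Version : 1 (1:IKEv1 2:IKEv2)
Remote Address : 99.1.2.1
Pre Shared Key :
PFS Type : 0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14)
Anti-replay window size : 32
"""

# Hypothetical site baseline (an assumption of this example, not vendor guidance).
BASELINE = {"IKE Version": "IKEv2", "Auth Method": "RSA", "PFS Type": "Group14"}

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")  # "Key : value", split at the first colon
CODED = re.compile(r"^(\d+)\s*\((.+)\)$")        # "3 (1:Client 2:Network ...)"

def parse_policy(text):
    """Return {field: value}, decoding coded values through their inline legend."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separator lines carry no "Key : value" pair
        key, value = m.group(1), m.group(2).strip()
        coded = CODED.match(value)
        if coded:
            # Tokens without a colon (the wrapped "-cfg") are not legend entries.
            legend = dict(t.split(":", 1) for t in coded.group(2).split() if ":" in t)
            value = legend.get(coded.group(1), "unknown code " + coded.group(1))
        fields[key] = value or None  # empty fields such as "Pre Shared Key :" become None
    return fields

def drift(fields, baseline):
    """Return {field: (actual, expected)} for every field that differs from the baseline."""
    return {k: (fields.get(k), want) for k, want in baseline.items() if fields.get(k) != want}

if __name__ == "__main__":
    for field, (actual, expected) in drift(parse_policy(SAMPLE), BASELINE).items():
        print(f"{field}: {actual} (baseline: {expected})")
```

Repeated keys such as Resource acl list overwrite one another in this flat dictionary, so the delivered ACL entries need separate handling if they are to be audited.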
# Display the IPSec configuration supported by an Efficient VPN policy.
<Huawei> display ipsec efficient-vpn capability
IKEv1 Global Supported Algorithms
-------------------------------------------------------
Supported DH Groups:
DH_GROUP2
Supported Encryption Algorithms:
3DES
Supported Integrity Algorithms:
MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
Supported Authentication Methods:
Pre Shared Key | RSA_SIG
IKEv2 Global Supported Algorithms
-------------------------------------------------------
Supported DH Groups:
DH_GROUP2
Supported Encryption Algorithms:
DES | 3DES | AES128 | AES192 | AES256
Supported Integrity Algorithms:
MD5 | SHA1 | AES-XCBC-96 | SHA2-256 | SHA2-384 | SHA2-512
Supported PRF:
PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
PRF-SHA2-512
IPSEC Global Supported Algorithms
-------------------------------------------------------
Supported Security Protocols:
ESP
Supported Encapsulation Modes:
TUNNEL
Supported Authentication Algorithms:
MD5 | SHA1 | SHA256 | SHA384 | SHA512 | NULL
Supported Encryption Algorithms:
DES | 3DES | AES128 | AES192 | AES256 | NULL
The MD5 and SHA-1 authentication algorithms have security risks; therefore, you are advised to use SHA-2 preferentially.
The DES and 3DES encryption algorithms have security risks; therefore, you are advised to use AES preferentially.
The PRF-MD5 and PRF-SHA1 algorithms have security risks; therefore, you are advised to use PRF-AES-XCBC-128 or SHA-2 preferentially.
Item | Description |
---|---|
IKEv1 Global Supported Algorithms | Supported algorithms when IKEv1 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device. |
Supported DH Groups | Supported DH groups when IKEv1 is used: DH_GROUP2 (1024-bit Diffie-Hellman). To configure a Diffie-Hellman group on the server, run the dh command. |
Supported Encryption Algorithms | Supported encryption algorithms when IKEv1 is used: 3DES (168-bit 3DES-CBC). To configure an authentication algorithm on the server, run the authentication-algorithm command. |
Supported Integrity Algorithms | Supported integrity algorithms when IKEv1 is used. To configure an authentication mode on the server, run the authentication-algorithm command. |
Supported Authentication Methods | Supported authentication algorithms when IKEv1 is used: |
IKEv2 Global Supported Algorithms | Supported algorithms when IKEv2 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device. |
Supported PRF | Supported PRF algorithms when IKEv2 is used. To configure a PRF algorithm on the server, run the prf command. |
IPSEC Global Supported Algorithms | Algorithms supported by the system. |
Supported Security Protocols | Security protocol supported by IPSec: ESP. To configure a security protocol, run the transform command. |
Supported Encapsulation Modes | Encapsulation mode supported by IPSec: tunnel mode. To configure an encapsulation mode, run the encapsulation-mode command. |
Supported Authentication Algorithms | Authentication algorithm supported by IPSec. To configure an authentication algorithm on the server, run the esp authentication-algorithm command. |
Supported Encryption Algorithms | Encryption algorithm supported by IPSec. To configure an encryption algorithm on the server, run the esp encryption-algorithm command. |
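The notes under the capability output name MD5, SHA-1, DES, 3DES, PRF-MD5 and PRF-SHA1 as having security risks. The following added example (not part of the vendor documentation) parses a saved copy of that output and reports, per category, which offered algorithms fall in that set and what alternatives remain; the sample is a constructed abbreviation of the output above, and `RISKY`, `parse_capability` and `audit` are hypothetical names.

```python
# Algorithms that the notes above describe as having security risks.
RISKY = {"MD5", "SHA1", "DES", "3DES", "PRF-MD5", "PRF-SHA1"}

# Constructed sample: abbreviated from the capability output shown above.
SAMPLE = """\
IKEv1 Global Supported Algorithms
-------------------------------------------------------
Supported Encryption Algorithms:
3DES
Supported Integrity Algorithms:
MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
IKEv2 Global Supported Algorithms
-------------------------------------------------------
Supported Encryption Algorithms:
DES | 3DES | AES128 | AES192 | AES256
Supported PRF:
PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
PRF-SHA2-512
"""

def parse_capability(text):
    """Return {section: {category: [algorithms]}} from the capability output."""
    caps, section, category = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or set(line) == {"-"}:
            continue  # blank and separator lines
        if line.endswith("Global Supported Algorithms"):
            section, category = line.split()[0], None
            caps[section] = {}
        elif section and line.startswith("Supported ") and line.endswith(":"):
            category = line[len("Supported "):-1]
            caps[section][category] = []
        elif category:
            # A list may wrap onto the next line, leaving a trailing "|".
            caps[section][category] += [a.strip() for a in line.split("|") if a.strip()]
    return caps

def audit(caps):
    """Return (section, category, risky, alternatives) wherever a risky algorithm is offered."""
    report = []
    for section, cats in caps.items():
        for category, algs in cats.items():
            risky = [a for a in algs if a in RISKY]
            if risky:
                report.append((section, category, risky, [a for a in algs if a not in RISKY]))
    return report

if __name__ == "__main__":
    for section, category, risky, alt in audit(parse_capability(SAMPLE)):
        print(f"{section} {category}: risky={risky} alternatives={alt or 'none'}")
```

On the sample, the IKEv1 encryption category comes back with an empty alternatives list: 3DES is the only encryption algorithm offered for IKEv1, while IKEv2 also offers AES.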
# Display information about the IP address allocated by the server to the remote device in the Efficient VPN policy.
<Huawei> display ipsec efficient-vpn ip-alloc information
Efficient-vpn alloc ip information:
-------------------------------------------------------------------------------
Username: 325158558545651
Alloc-IP/Mask: 100.1.1.126/25
Alloc-Type: AAA Authorization
Interface: GigabitEthernet0/0/1
Request Time: 2012.06.26-20:36:23
Lease Time: 2012.06.27-20:36:23
Item | Description |
---|---|
Username | User name. The information is displayed when Alloc-Type is set to AAA Authorization. |
Alloc-IP/Mask | IP address or mask allocated to the remote device. |
Alloc-Type | Allocation mode: |
Interface | Interface to which an Efficient VPN policy is applied. To bind an Efficient VPN policy to an interface, run the ipsec efficient-vpn (interface view) command. |
Request Time | Time when the IP address was allocated. |
Lease Time | IP address lease time. |
# Display running status of remote devices.
<Huawei> display ipsec efficient-vpn remote
Total number of remote : 1
Local interface : GigabitEthernet0/0/2
Client IP address : 80.1.1.1:500
Client system MAC : 5489-98f4-78f4
Client description :
Client alloc address : 100.1.1.254
Client version ID : 2
Client last upgrade info: Failed to get the upgrade information.
Item | Description |
---|---|
Total number of remote | Number of remote devices. |
Local interface | Interface bound to an IPSec policy on the server. To apply an IPSec policy to an interface, run the ipsec policy (interface view) command. |
Client IP address | IP address of the remote device. |
Client system MAC | MAC address of the remote device. |
Client description | Device information and version information about the remote device. |
Client alloc address | IP address delivered by the Efficient VPN server to the remote device. |
Client version ID | Version number of the version file delivered from the server to the remote device. |
Client last upgrade info | Information about the last automatic upgrade on the remote device. |