Command Reference

AR500, AR510, and AR530 V200R007

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
display ipsec sa

Function

The display ipsec sa command displays IPSec SA information.

Format

display ipsec sa [ brief | duration | efficient-vpn efficient-vpn-name | peerip peer-ip-address | policy policy-name [ seq-number ] | profile profile-name ]

Parameters

Parameter | Description | Value
--- | --- | ---
brief | Displays brief information about all SAs. | -
duration | Specifies the global SA lifetime. | -
efficient-vpn efficient-vpn-name | Specifies the name of an Efficient VPN policy. | The value is an existing Efficient VPN policy name.
peerip peer-ip-address | Displays information about the SA of a specified peer. | The value is in dotted decimal notation.
policy policy-name | Displays the SA established through a specified IPSec policy. | The value is an existing IPSec policy name.
seq-number | Specifies the sequence number of an IPSec policy. | The value is an integer that ranges from 1 to 10000.
profile profile-name | Specifies the name of an IPSec profile. | The value is an existing IPSec profile name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When the policy parameter is specified, detailed information about the specified SA is displayed. The output contains some information about the IPSec policy and details about the SA established through that policy.

If no parameter is specified, information about all SAs is displayed.

Example

# Display information about all SAs established in IKE negotiation mode.

<Huawei> display ipsec sa
===============================
Interface: GigabitEthernet1/0/0
 Path MTU: 1500
===============================

  -----------------------------
  IPSec policy name: "pol"
  Sequence number  : 10
  Acl group        : 3101
  Acl rule         : 5
  Mode             : Template
  -----------------------------
    Connection ID     : 13
    Encapsulation mode: Tunnel
    Tunnel local      : 192.168.1.2
    Tunnel remote     : 192.168.2.1
    Flow source       : 10.1.1.0/255.255.255.0 0/0
    Flow destination  : 10.2.1.0/255.255.255.0 0/0
    Qos pre-classify  : Disable
    Qos group         : - 

    [Outbound ESP SAs]
      SPI: 631175643 (0x259ef9db)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887436800/3381
      Outpacket count       : 0                                                 
      Outpacket encap count : 0                                                 
      Outpacket drop count  : 0
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 1955105311 (0x74888a1f)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887436800/3381
      Inpacket count        : 0                                                 
      Inpacket decap count  : 0                                                 
      Inpacket drop count   : 0
      Max received sequence-number: 0
      Anti-replay window size:
      UDP encapsulation used for NAT traversal: N

# Display information about all SAs of a multi-link shared IPSec policy group.

<Huawei> display ipsec sa
===============================                                                 
Shared interface: LoopBack0
Interface: GigabitEthernet0/0/1
           GigabitEthernet0/0/2
           GigabitEthernet0/0/3
           GigabitEthernet0/0/4
===============================                                                 
  -----------------------------
  IPSec policy name: "policy1"
  Sequence number  : 10
  Acl group        : 3002
  Acl rule         : 5
  Mode             : ISAKMP
  -----------------------------
    Connection ID     : 2
    Encapsulation mode: Tunnel
    Tunnel local      : 192.168.1.2
    Tunnel remote     : 192.168.2.1
    Flow source       : 10.1.1.1/0.0.0.0 0/0
    Flow destination  : 10.2.1.2/0.0.0.0 0/0
    Qos pre-classify  : Disable    
    Qos group         : - 

     [Outbound ESP SAs]                                                          
      SPI: 141793553 (0x8739911)                                                
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256                                 
      SA remaining key duration (bytes/sec): 1887436800/1450
      Outpacket count       : 0                                                 
      Outpacket encap count : 0                                                 
      Outpacket drop count  : 0
      Max sent sequence-number: 0                                               
      UDP encapsulation used for NAT traversal: N                               
                                                                                
     [Inbound ESP SAs]                                                           
      SPI: 3919092460 (0xe9989aec)                                              
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256                                 
      SA remaining key duration (bytes/sec): 1887436800/1450
      Inpacket count        : 0                                                 
      Inpacket decap count  : 0                                                 
      Inpacket drop count   : 0
      Max received sequence-number: 0                                           
      Anti-replay window size: 32
      UDP encapsulation used for NAT traversal: N
Table 10-35  Description of the display ipsec sa command output

Item

Description

Shared interface

Loopback interface used by a multi-link shared IPSec policy group. This field is available only when a multi-link shared IPSec policy group is configured and applied to multiple interfaces. To configure a multi-link shared IPSec policy group, run the ipsec policy shared command.

Interface

Interface to which an IPSec policy is applied. To apply an IPSec policy to an interface, run the ipsec policy (interface view) command.

Path MTU

MTU of the interface. To set the MTU of an interface, run the mtu command.

IPSec policy name

Name of the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

Sequence number

Sequence number in the IPSec policy.

Acl group

ACL referenced by the IPSec policy. To configure an ACL referenced by an IPSec policy, run the security acl command.

Acl rule

ACL rule referenced by the IPSec policy. To configure an ACL rule referenced by an IPSec policy, run the rule (advanced ACL view) command.

The ACL rule ID is not displayed if the IPSec tunnel is created manually.

Mode

Mode in which an SA is established:
  • Manual: SA established using a manually configured IPSec policy
  • ISAKMP: SA established using an IPSec policy in IKE negotiation mode
  • Template: SA established using an IPSec policy template
  • PROF-ISAKMP: SA established using an IPSec profile
  • PROF-Template: SA established using an IPSec virtual tunnel template interface
  • EFFICIENTVPN-NETWORK MODE: SA established using an Efficient VPN policy in network mode
  • EFFICIENTVPN-NETWORKPLUS MODE: SA established using an Efficient VPN policy in network-plus mode
  • EFFICIENTVPN-NETWORKAUTOCFG MODE: SA established using an Efficient VPN policy in network-auto-cfg mode
To configure an IPSec policy, run the ipsec policy (system view), ipsec profile (system view), or ipsec efficient-vpn (system view) command.

Connection ID

Connection ID of an SA.

Encapsulation mode

IPSec encapsulation mode:
  • Transport
  • Tunnel
To configure an encapsulation mode, run the encapsulation-mode command.

Tunnel local

Local IP address of an IPSec tunnel. To configure the local IP address, run the tunnel local command.

Tunnel remote

Remote IP address of an IPSec tunnel. To configure the remote IP address for a manually configured IPSec policy, run the tunnel remote command. To configure the remote IP address for an IPSec policy in IKE negotiation mode, run the remote-address command.

Flow source

Source address of data flows. In a value such as 60.1.1.1/0.0.0.0 0/0, 60.1.1.1 is the network segment address of the source IP address, 0.0.0.0 is the mask, and 0/0 is the ACL number and port number.

Flow destination

Destination address of data flows.

Qos pre-classify

Whether pre-extraction of original IP packets is enabled. To enable pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which IPSec packets belong. To configure the QoS group, run the qos group command.

- indicates that no QoS group is specified for IPSec packets.

Outbound

Information about the outbound SA.

SPI

SPI of an SA. To configure the SPI for the SA created using a manually configured IPSec policy, run the sa spi command. The SPI is automatically generated when an IPSec policy is created in IKE negotiation mode.

Proposal

Name of the IPSec proposal referenced by the IPSec policy. To reference an IPSec proposal, run the proposal command.

SA remaining key duration (bytes/sec)

Remaining lifetime of the SA, in bytes and seconds. To set the SA lifetime, run the sa duration (IPSec policy view) command.

Outpacket count

Number of packets that can be encrypted with the IPSec SA.

Outpacket encap count

Number of sent packets that are successfully encrypted.

Outpacket drop count

Number of discarded packets during encryption.

Max sent sequence-number

Maximum sequence number of sent packets. The sequence number increases during communication and is used for anti-replay.

UDP encapsulation used for NAT traversal

Whether NAT traversal is enabled. To enable NAT traversal, run the nat traversal command.

Inbound

Information about the inbound SA.

Inpacket count

Number of packets that can be decrypted with the IPSec SA.

Inpacket decap count

Number of received packets that are successfully decrypted.

Inpacket drop count

Number of discarded packets during decryption.

Max received sequence-number

Maximum sequence number of received packets.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command.
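The output above is meant to be read by an operator, but a monitoring job usually wants the SA fields as structured data so it can raise an alert when an SA is about to expire or when an inbound SA has anti-replay disabled (the Anti-replay window size field is blank, as in the first example). The following Python parser and checker is an added example, not Huawei code; SAMPLE_OUTPUT is a constructed, trimmed copy of the page's first example, and LEGACY_ALGS and MIN_REMAINING_SEC are assumed baseline values rather than anything the page specifies.

```python
"""Parse `display ipsec sa` output and run simple SA health checks.

Added example, not Huawei code. SAMPLE_OUTPUT is a constructed, trimmed copy
of the page's first example; LEGACY_ALGS and MIN_REMAINING_SEC are assumed
baseline values, not values from the page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_OUTPUT = """\
===============================
Interface: GigabitEthernet1/0/0
===============================
  IPSec policy name: "pol"
  Sequence number  : 10
  Mode             : Template
    Tunnel local      : 192.168.1.2
    Tunnel remote     : 192.168.2.1

    [Outbound ESP SAs]
      SPI: 631175643 (0x259ef9db)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887436800/3381
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 1955105311 (0x74888a1f)
      Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
      SA remaining key duration (bytes/sec): 1887436800/3381
      Anti-replay window size:
      UDP encapsulation used for NAT traversal: N
"""

@dataclass
class Sa:
    direction: str                       # "Outbound" or "Inbound"
    spi: int = 0
    proposal: str = ""
    remaining_sec: int = 0               # seconds part of "SA remaining key duration"
    replay_window: Optional[int] = None  # None when the field is blank (anti-replay off)

@dataclass
class PolicyEntry:
    interface: str
    policy: str
    seq: int = 0
    mode: str = ""
    sas: List[Sa] = field(default_factory=list)

def parse_display_ipsec_sa(text: str) -> List[PolicyEntry]:
    """Header lines select the current policy entry, [Outbound/Inbound ESP SAs]
    lines open a new SA block, and other 'key: value' lines fill that block."""
    entries: List[PolicyEntry] = []
    interface, cur, sa = "", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"=", "-"}:          # blank line or separator rule
            continue
        if m := re.match(r"Interface:\s*(\S+)", line):
            interface, cur, sa = m.group(1), None, None
            continue
        if m := re.match(r'IPSec policy name:\s*"([^"]*)"', line):
            cur, sa = PolicyEntry(interface, m.group(1)), None
            entries.append(cur)
            continue
        if (m := re.match(r"\[(Outbound|Inbound) ESP SAs\]", line)) and cur:
            sa = Sa(m.group(1))
            cur.sas.append(sa)
            continue
        if ":" not in line or cur is None:
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if sa is None:                                   # policy-level fields
            if key == "Sequence number":
                cur.seq = int(value)
            elif key == "Mode":
                cur.mode = value
        elif key == "SPI":
            sa.spi = int(value.split()[0])               # decimal value before "(0x...)"
        elif key == "Proposal":
            sa.proposal = value
        elif key.startswith("SA remaining key duration"):
            sa.remaining_sec = int(value.split("/")[1])  # field is "<bytes>/<sec>"
        elif key == "Anti-replay window size":
            sa.replay_window = int(value) if value else None
    return entries

LEGACY_ALGS = ("DES", "MD5", "SHA1")  # assumed baseline: flag these in a proposal name
MIN_REMAINING_SEC = 300               # assumed: warn when this close to rekey

def check_sa(sa: Sa) -> List[str]:
    """Return human-readable findings for one SA; an empty list means healthy."""
    findings = []
    if sa.direction == "Inbound" and sa.replay_window is None:
        findings.append("anti-replay disabled (window size field blank)")
    if sa.remaining_sec < MIN_REMAINING_SEC:
        findings.append(f"only {sa.remaining_sec}s of SA lifetime left")
    if any(alg in sa.proposal.upper() for alg in LEGACY_ALGS):
        findings.append(f"legacy algorithm in proposal {sa.proposal!r}")
    return findings

def report(text: str) -> List[str]:
    """One line per finding, tagged with interface, policy/seq, direction and SPI."""
    return [f"{e.interface} {e.policy}/{e.seq} {sa.direction} SPI {sa.spi:#x}: {f}"
            for e in parse_display_ipsec_sa(text) for sa in e.sas for f in check_sa(sa)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)) or "no findings")
```

Run against the sample, the only finding is the blank Anti-replay window size on the inbound SA of policy pol; feed it the captured output of display ipsec sa from the device instead of SAMPLE_OUTPUT to use it for real. The parser keys on the field labels exactly as the page prints them, so a firmware release that renames a label will silently leave that field at its default; compare a sample of live output against the labels in the table above before trusting the checks.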

Updated: 2019-02-18

Document ID: EDOC1000097293