AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
display ipsec policy

Function

The display ipsec policy command displays IPSec policy information.

Format

display ipsec policy [ brief | name policy-name [ seq-number ] ]

Parameters

| Parameter | Description | Value |
|---|---|---|
| brief | Displays brief information about all IPSec policies. | - |
| name policy-name | Displays detailed information about a specified IPSec policy. | The value is an existing IPSec policy name. |
| seq-number | Specifies the sequence number of an IPSec policy. | The value is an integer that ranges from 1 to 10000. |

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If neither the policy name nor the sequence number is specified, detailed information about all IPSec policies is displayed. If the policy name is specified but the sequence number is not, information about the specified IPSec policy group is displayed.

Example

# Display brief information about all IPSec policies.

<Huawei> display ipsec policy brief
Number of policies group : 1
Number of policies       : 1
 
Policy name           Mode     ACL   Peer name   Local address    Remote address
--------------------------------------------------------------------------------
policy1-100           isakmp   3002  peer1        

Table 10-28  Description of the display ipsec policy brief command output

Item

Description

Number of policies group

Number of IPSec policy groups. An IPSec policy is identified by its name and sequence number. Multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group.

Number of policies

Number of IPSec policies.

Policy name

Name and sequence number of an IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

Mode

Mode in which an IPSec policy is created:
  • isakmp: An IPSec policy is created in IKE negotiation mode.
  • template: An IPSec policy is created using an IPSec policy template.
  • manual: An IPSec policy is created manually.
To configure an IPSec policy, run the ipsec policy (system view) command.

ACL

ACL referenced by the IPSec policy. To configure an ACL referenced by an IPSec policy, run the security acl command.

Peer name

Name of the IKE peer referenced by the IPSec policy. To configure an IKE peer, run the ike-peer command.

Local address

Local IP address used in IKE negotiation. To configure the local IP address, run the tunnel local command.

Remote address

Remote IP address used in IKE negotiation. To configure the remote IP address, run the tunnel remote command.

# Display detailed information about the IPSec policy policy1.

<Huawei> display ipsec policy name policy1
 =========================================== 
 IPSec policy group: "policy1"
 Shared interface: LoopBack0
 Using interface: GigabitEthernet0/0/1
                  GigabitEthernet0/0/2
                  GigabitEthernet0/0/3
                  GigabitEthernet0/0/4
 =========================================== 
     Sequence number: 10
     Security data flow: 3000
     Peer name    :  rut2
     Perfect forward secrecy: None
     Proposal name:  prop1
     IPSec SA local duration(time based): 3600 seconds
     IPSec SA local duration(traffic based): 1843200 kilobytes
     Anti-replay window size     : 32
     SA trigger mode: Automatic
     Route inject: None
     Qos pre-classify: Enable
     Qos group: - 

Table 10-29  Description of the display ipsec policy command output

Item

Description

IPSec policy group

IPSec policy group name. To configure an IPSec policy, run the ipsec policy (system view) command.

Shared interface

Loopback interface used by a multi-link shared IPSec policy group. This field is available only when a multi-link shared IPSec policy group is configured and applied to multiple interfaces. To configure a multi-link shared IPSec policy group, run the ipsec policy shared command.

Using interface

Interface to which an IPSec policy is applied. To apply an IPSec policy to an interface, run the ipsec policy (interface view) command.

Sequence number

Sequence number in the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

Security data flow

ACL referenced by the IPSec policy. To configure an ACL referenced by an IPSec policy, run the security acl command.

Peer name

Name of the IKE peer referenced by the IPSec policy. To configure an IKE peer, run the ike-peer command.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2014-bit Diffie-Hellman group is used during IKE negotiation.
  • None: PFS is not used during IKE negotiation.
To specify an algorithm used to generate a pseudo random number, run the pfs command.

Proposal name

Name of an IPSec proposal referenced by the IPSec policy. To reference an IPSec proposal, run the proposal command.

IPSec SA local duration(time based)

Time-based lifetime of the local SA. To set the time-based lifetime of the local SA, run the sa duration time-based command in the IPSec policy view.

IPSec SA local duration(traffic based)

Traffic-based lifetime of the local SA. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command in the IPSec policy view.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command.

SA trigger mode

SA trigger mode:
  • Automatic
  • Traffic-based
To configure an SA trigger mode, run the sa trigger-mode command.

Route inject

Route injection status:
  • Dynamic, Preference: Dynamic route injection is enabled and a priority is configured for the static route generated through route injection.
  • Static, Preference: Static route injection is enabled and a priority is configured for the static route generated through route injection.
  • None: Route injection is disabled.
To configure route injection, run the route inject command.

Qos pre-classify

Whether pre-extraction of original IP packets is enabled. To enable pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which IPSec packets belong. To configure the QoS group, run the qos group command.

- indicates that no QoS group is specified for IPSec packets.
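
The following Python is an added example, not part of the Huawei reference: it parses detailed display ipsec policy output in the layout shown above and flags entries whose Perfect forward secrecy field is None or DH group 1, 2 or 5, or whose Anti-replay window size field is absent (the field is shown only when anti-replay is enabled). The sample text is constructed, the audit threshold (only DH group 14 passes) is an assumption of this example, and PFS values are assumed to appear exactly as listed in Table 10-29.

```python
import re

# Constructed sample in the layout of the detailed output above (not a device capture).
SAMPLE = """\
 ===========================================
 IPSec policy group: "policy1"
 Using interface: GigabitEthernet0/0/1
                  GigabitEthernet0/0/2
 ===========================================
     Sequence number: 10
     Security data flow: 3000
     Peer name    :  rut2
     Perfect forward secrecy: None
     Anti-replay window size     : 32
     Sequence number: 20
     Perfect forward secrecy: DH group 2
"""

# Assumed audit policy for this example: only DH group 14 passes.
WEAK_PFS = {"None", "DH group 1", "DH group 2", "DH group 5"}
FIELD = re.compile(r"^\s*([^:=]+?)\s*:\s*(.*?)\s*$")

def parse_policies(text):
    """Return one dict per sequence number, tagged with its policy group."""
    group, entries = None, []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # separator or "Using interface" continuation line
        key, value = m.groups()
        if key == "IPSec policy group":
            group = value.strip('"')
        elif key == "Sequence number":
            entries.append({"group": group, key: value})
        elif entries:
            entries[-1][key] = value
    return entries

def audit(entries):
    """Return (group, seq, finding) tuples for entries failing the policy."""
    findings = []
    for e in entries:
        ident = (e["group"], int(e["Sequence number"]))
        pfs = e.get("Perfect forward secrecy", "None")
        if pfs in WEAK_PFS:
            findings.append(ident + ("PFS: " + pfs,))
        if "Anti-replay window size" not in e:  # shown only when enabled
            findings.append(ident + ("anti-replay not enabled",))
    return findings
```

Feed it the saved output of display ipsec policy for each device; every tuple returned names the policy group and sequence number to review.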

Updated: 2019-05-29

Document ID: EDOC1000097293
