Command Reference

S1720, S2700, S5700, and S6720 V200R011C10

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
IPSec Configuration Commands (IPSec Efficient VPN)

Command Support

For details about command support, see the description of each command. If no command support information is provided, all switch models support the command by default.

anti-replay window

Function

The anti-replay window command sets the anti-replay window size for an IPSec tunnel.

The undo anti-replay window command restores the default anti-replay window size of an IPSec tunnel.

By default, the anti-replay window size of a single IPSec tunnel is not set. The global value is used.

Format

anti-replay window window-size

undo anti-replay window

Parameters

Parameter Description Value
window-size Specifies the anti-replay window size of an IPSec tunnel. The value can be 32, 64, 128, 256, 512, or 1024, in bits.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Configuration Impact

You may need to change the anti-replay window size for an IPSec tunnel in some situations. For example, if QoS is applied to packets passing through an IPSec tunnel, service data packets may be delivered with sequence numbers that lag far behind those of the common data packets arriving at the same time. As a result, these service data packets are dropped as replay attack packets. To prevent such packets from being dropped incorrectly, you can disable the anti-replay function or increase the anti-replay window size for the IPSec tunnel.

Prerequisites

The anti-replay function is enabled for the IPSec tunnel. By default, the anti-replay function is enabled (through the ipsec anti-replay enable command).

Precautions

When both anti-replay window and ipsec anti-replay window are configured, the anti-replay window configuration takes effect. When anti-replay window is not configured, the ipsec anti-replay window configuration takes effect.

Example

# Set the IPSec anti-replay window size to 128 bits.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] anti-replay window 128

dh

Function

The dh command specifies a Diffie-Hellman (DH) group used for IKE negotiation.

The undo dh command restores the default DH group for IKE negotiation.

By default, group14 is used for IKE negotiation.

Format

dh { group1 | group2 | group5 | group14 }

undo dh

Parameters

Parameter Description Value
group1 Uses the 768-bit DH group in IKE negotiation phase 1. -
group2 Uses the 1024-bit DH group in IKE negotiation phase 1. -
group5 Uses the 1536-bit DH group in IKE negotiation phase 1. -
group14 Uses the 2048-bit DH group in IKE negotiation phase 1. -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The DH algorithm is a public key algorithm. Two communicating parties calculate a shared key based on data exchanged between them, without transmitting the key. A third party (such as a hacker) cannot calculate the actual key even if it obtains all exchanged data for key calculation.

Precautions
  • Both ends of an IPSec tunnel must be configured with the same DH group. Otherwise, the negotiation fails.

  • The security level order of the DH groups is: group14 > group5 > group2 > group1.

  • group1, group2, and group5 have potential security risks; group14 is recommended.

Example

# Specify the 2048-bit DH group for the IPSec Efficient VPN policy.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] dh group14
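Added example, not from the command reference and not Huawei code: a Diffie-Hellman exchange in Python that shows why the two ends derive the same key without ever sending it, and why a DH group mismatch between the ends stops negotiation (the failure that display ike error-info reports as a dh mismatch). The group names and modulus sizes are those listed for the dh command; the modulus used for the arithmetic is a constructed 64-bit safe prime standing in for the real 768- to 2048-bit MODP groups, which are far too large to be illustrative here.

```python
# Added example, not Huawei code: Diffie-Hellman as negotiated by IKE, with the
# group-match check both ends must pass. The modulus is a constructed 64-bit
# safe prime standing in for the real MODP groups, which are far larger.
import secrets

# DH groups selectable with the dh command and their MODP sizes (from the page).
GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536, "group14": 2048}

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n below 3.3e24."""
    if n < 2:
        return False
    for sp in _SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits):
    """First safe prime p = 2q + 1 with p of exactly `bits` bits.
    A stand-in for illustration only; never use such a small modulus."""
    q = (1 << (bits - 2)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


def rank_groups():
    """Groups from strongest to weakest, ordered by modulus size."""
    return sorted(GROUP_BITS, key=GROUP_BITS.get, reverse=True)


def negotiate(initiator_group, responder_group, p, g=2):
    """One DH exchange. Returns ("ok", shared_secret) when both ends agree on
    the group and derive the same key, or ("responder dh mismatch", None)
    when the configured groups differ, mirroring the error-reason that
    display ike error-info reports in that case."""
    if initiator_group != responder_group:
        return "responder dh mismatch", None
    a = secrets.randbelow(p - 3) + 2      # initiator private value in [2, p-2]
    b = secrets.randbelow(p - 3) + 2      # responder private value
    A = pow(g, a, p)                      # public values: the only things exchanged
    B = pow(g, b, p)
    k_initiator = pow(B, a, p)            # each side combines its own secret with
    k_responder = pow(A, b, p)            # the other side's public value
    assert k_initiator == k_responder     # both equal g^(ab) mod p
    return "ok", k_initiator


if __name__ == "__main__":
    p = toy_safe_prime(64)
    print("security order:", " > ".join(rank_groups()))
    print(negotiate("group14", "group14", p))
    print(negotiate("group14", "group2", p))
```

An observer who captures A and B still has to solve the discrete logarithm in the chosen group to recover the key, which is why the modulus size of the group sets the security level and why the 2048-bit group14 is the one to configure on both ends.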

display ike error-info

Function

The display ike error-info command displays information about IPSec tunnel negotiation failures using IKE.

Format

display ike error-info [ verbose ] [ peer remote-address ]

Parameters

Parameter Description Value
verbose Displays details about IPSec tunnel negotiation failures using IKE. -
peer remote-address Displays information about IPSec tunnel negotiation failures using IKE with a specified remote IP address. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains information about the latest 200 IPSec tunnel negotiation failures using IKE.

Example

# Display information about IPSec tunnel negotiation failures using IKE.

<HUAWEI> display ike error-info

  current info Num :2
  Ike error information:
  current ike Error-info number :2
  -----------------------------------------------------------------------------
  peer       port      error-reason                version     error-time
  -----------------------------------------------------------------------------
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
  -----------------------------------------------------------------------------

# Display details about IPSec tunnel negotiation failures using IKE.

<HUAWEI> display ike error-info verbose 

  current info Num :1
  Ike error information:
  current ike Error-info number :1
--------------------------------------------------------------------------
Peer       : 10.1.1.1
Port       : 500
version    : v1
Reason     : phase1 proposal mismatch
Detail     : phase1 proposal mismatch
Error-time : 2013-08-26 12:02:37
--------------------------------------------------------------------------
Table 10-9  Description of the display ike error-info command output

Item Description

current info Num Current information number.
Ike error information Information about IPSec tunnel negotiation failures using IKE.
current ike Error-info number Number of IPSec tunnel negotiation failures using IKE.
peer or Peer Remote IP address.
port or Port Peer UDP port number.
error-reason or Reason Causes for IPSec tunnel negotiation failures using IKE:
  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters or pfs algorithm of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow mismatch: The security ACL of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • role mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
version IKE version.
Error-time/error-time Time of IPSec tunnel negotiation failures using IKE.
Detail Details about IPSec tunnel negotiation failures using IKE:

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters or pfs algorithm of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow mismatch: The security ACL of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • role mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
  • phase2 proposal mismatch: IPSec proposal parameters on both ends do not match.
  • (peer local or tunnel local or interface) address mismatch: The peer's local IP address, local tunnel IP address or interface IP address does not match the local one.
  • remote auth method mismatch: The peer authentication method does not match.
  • proc auth payload fail(pre-share-key): Failed to process the authentication payload during pre-shared key authentication.
  • recv peer auth fail notification: An authentication failure notification from the peer end is received.
  • recv peer auth fail notification(pre-share-key): An authentication failure notification from the peer end is received during pre-shared key authentication.
  • proc and auth ID payload fail(pre-share-key): The peer ID fails to be authenticated during pre-shared key authentication.
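Added example, not from the command reference and not Huawei code: a Python parser for the display ike error-info table shown above, with a check that flags any peer repeatedly failing authentication within a short time window. The sample output is constructed in the format of the example above; the 192.0.2.9 peer, its timestamps and its authentication failures are invented for the example.

```python
# Added example, not Huawei code: parse the display ike error-info table and
# flag peers that fail repeatedly. The sample output below is constructed in
# the format shown on the page; 192.0.2.9 and its entries are invented.
import re
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_OUTPUT = """\
  current info Num :4
  Ike error information:
  current ike Error-info number :4
  -----------------------------------------------------------------------------
  peer       port      error-reason                version     error-time
  -----------------------------------------------------------------------------
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
  10.1.1.1  500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
  192.0.2.9  500      authentication fail          v2          2013-08-26 13:50:01
  192.0.2.9  500      authentication fail          v2          2013-08-26 13:50:07
  -----------------------------------------------------------------------------
"""

# One data row: peer address, UDP port, free-text reason, IKE version, timestamp.
ROW_RE = re.compile(
    r"^\s*(?P<peer>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<reason>.+?)\s+(?P<version>v[12])\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$"
)


def parse_ike_error_info(text):
    """Return one dict per failure row; header, separator and count lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def failures_by_peer_and_reason(records):
    """Counter keyed by (peer, reason): which peer fails, and how."""
    return Counter((r["peer"], r["reason"]) for r in records)


def peers_with_burst(records, reason, threshold, window_seconds):
    """Peers that logged `reason` at least `threshold` times within any span of
    `window_seconds`. The device keeps only the latest 200 entries, so poll the
    command regularly if this feeds an alert."""
    by_peer = defaultdict(list)
    for r in records:
        if r["reason"] == reason:
            by_peer[r["peer"]].append(r["time"])
    flagged = []
    for peer, times in by_peer.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(peer)
                break
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_ike_error_info(SAMPLE_OUTPUT)
    for (peer, reason), n in failures_by_peer_and_reason(recs).items():
        print("%-12s %-28s %d" % (peer, reason, n))
    # Two authentication failures from one peer inside a minute deserve a look;
    # a proposal mismatch repeating 34 minutes apart is a configuration problem.
    print("auth-failure burst:", peers_with_burst(recs, "authentication fail", 2, 60))
```

The reason column is free text, so the regular expression anchors on the fixed fields around it (port before, version and timestamp after) rather than on the reason itself; that keeps the parser working for every reason string listed in the table above.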

display ike global config

Function

The display ike global config command displays the global IKE configuration.

Format

display ike global config

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the global IKE configuration, such as the local name used in IKE negotiation, the interval at which an IKE SA sends a heartbeat packet, the timeout interval of heartbeat packets, and the interval at which an IKE SA sends a NAT keepalive packet.

Example

# Display the global IKE configuration.

<HUAWEI> display ike global config
IKE Global Config:                                   
--------------------------------------------------------------
  IKE local-name                   : huawei
  IKE heartbeat-timer interval     : 30
  IKE heartbeat-timer timeout      : 100
  IKE nat-keepalive-timer interval : 52
--------------------------------------------------------------
Table 10-10  Description of the display ike global config command output

Item Description
IKE Global Config Global configuration of IKE.
IKE local-name Local name used in IKE negotiation. To set the local name used in IKE negotiation, run the ike local-name command. If ike local-name is not configured on the local end, the name specified by the sysname command is used for IKE negotiation.
IKE heartbeat-timer interval Interval at which an IKE SA sends a heartbeat packet, in seconds. To set this interval, run the ike heartbeat-timer interval command.
IKE heartbeat-timer timeout Timeout interval of heartbeat packets, in seconds. To set this interval, run the ike heartbeat-timer timeout command.
IKE nat-keepalive-timer interval Interval at which an IKE SA sends a NAT keepalive packet, in seconds. To set this interval, run the ike nat-keepalive-timer interval command.

display ike offline-info

Function

The display ike offline-info command displays information about deleted IPSec tunnels established through IKE negotiation.

Format

display ike offline-info [ peer remote-address ]

Parameters

Parameter Description Value
peer remote-address Displays information about deleted IPSec tunnels with a specified remote IP address and established through IKE negotiation. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains the possible causes and time of the latest 200 IPSec tunnel deletions.

Example

# Display information about deleted IPSec tunnels established through IKE negotiation.

<HUAWEI> display ike offline-info

  Current info Num :2 
  Ike offline information:
-----------------------------------------------------------------------------   
  peer              offline-reason              version     offline-time        
-----------------------------------------------------------------------------   
  2.1.1.2           dpd timeout                 v2          2017-02-18 02:12:39 
  2.1.1.2           dpd timeout                 v2          2017-02-18 01:17:06 
-----------------------------------------------------------------------------   
Table 10-11  Description of the display ike offline-info command output

Item Description
Current info Num Current number of information records.
Ike offline information Information about IPSec tunnels established through IKE negotiation that have been deleted.
peer Peer IP address of a deleted IPSec tunnel.
offline-reason Causes for deletion of IPSec tunnels established through IKE negotiation:
  • dpd timeout: Dead peer detection (DPD) times out.
  • manual reset phase1: IKE SA is manually deleted.
  • manual reset phase2: IPSec SA is manually deleted.
  • config modify: An SA is deleted due to configuration modification.
  • phase1 hard expire: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expire: Hard lifetime expires in phase 2.
  • recv phase1 del info(Flags:xx): An IKE SA deletion message is received from the peer (Flags indicates the state of the SA).
  • recv phase2 del info(Flags:xx): An IPSec SA deletion message is received from the peer (Flags indicates the state of the SA).
  • modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
  • reauth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • hard expire triggered by port mismatch: A hard timeout occurs due to a NAT port number mismatch.
  • port mismatch after inbound sa miss: The UDP port number in the received packet is different from that in the inbound SA.
version IKE version.
offline-time IPSec tunnel deletion time.

display ike sa

Function

The display ike sa command displays information about SAs established through IKE negotiation.

Format

display ike sa [ remote ipv4-address ]

display ike sa verbose { remote ipv4-address | connection-id connection-id }

Parameters

Parameter Description Value
remote ipv4-address Specifies the IPv4 address of the remote peer. The value is in dotted decimal notation.
verbose Displays detailed information about SAs. -
connection-id connection-id Specifies the connection ID of an SA. The value is an integer that ranges from 1 to 4294967295.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ike sa command to check the following SA information: connection ID, peer IP address, VPN instance name, SA phase, and SA status.

Example

# Display IKE SAs and IPSec SAs.

<HUAWEI> display ike sa
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)                Phase            
  --------------------------------------------------------------------          
    117477244     10.100.1.1:4500 vrf1  RD|M                   v2:2             
    117477242     10.100.1.1:4500 vrf1  RD|M                   v2:1             
                                                                                
   Number of IKE SA : 2                                                    
  --------------------------------------------------------------------          
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING                     
Table 10-12  Description of the display ike sa command output

Item Description
IKE SA information Configuration of SAs.
Conn-ID Connection ID of an SA.
Peer IP address and UDP port number of the peer.
VPN VPN instance bound to the interface to which the IPSec policy is applied.
Flag(s) SA status:
  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet after the last heartbeat timeout. The SA will be deleted if it still does not receive any heartbeat packet till the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO: It is the last known sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty: IKE SA negotiation is being performed because the settings at the two ends of the tunnel are inconsistent.

Phase Phases of the SA:
  • v1:1 or v2:1: v1 and v2 are IKE versions. The digit 1 indicates the phase during which a security channel, that is IKE SA, is established.
  • v1:2 or v2:2: v1 and v2 are IKE versions. The digit 2 indicates the phase during which a security service, that is IPSec SA, is negotiated.

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv1 to negotiate IPSec SAs.

<HUAWEI> display ike sa verbose remote 10.100.1.1
------------------------------------------------
Ike Sa phase   : 2
Establish Time : 2017-02-08 13:10:29
PortCfg Index  : 0x448
IKE Peer Name  : _resv_ikev1__1
Connection Id  : 26
Version        : v1
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie         : 0x33d7a5bbf8ad12bb
Responder Cookie        : 0xf311b3991d739d38
Local Address           : 10.1.1.1
Remote Address          : 10.100.1.1:500
PFS                     :
Flags                   : RD|ST|A
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2017-02-07 20:57:48
PortCfg Index  : 0x448
IKE Peer Name  : _resv_ikev1__1
Connection Id  : 7
Version        : v1
Exchange Mode  : Aggressive
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie                : 0x33d7a5bbf8ad12bb
Responder Cookie               : 0xf311b3991d739d38
Local Address                  : 10.1.1.1
Remote Address                 : 10.100.1.1:500
Encryption Algorithm           : 3DES-CBC
Authentication Algorithm       : SHA1
Authentication Method          : Pre-Shared key
DPD Capability                 : Yes
DPD Enable                     : Yes
Remaining Duration             : 11168
Reference Counter              : 0
Flags                          : RD|ST|A
Remote Id                      : 10.1.1.2
DH Group                       : 2
NAT Traversal Version          : RFC3947
------------------------------------------------

  Number of IKE SA : 2
------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv2 to negotiate IPSec SAs.

<HUAWEI> display ike sa verbose remote 10.100.1.1
------------------------------------------------
Ike Sa phase   : 2
Establish Time : 2017-02-20 22:07:57
PortCfg Index  : 0x98
IKE Peer Name  : _resv_ikev2__1
Connection Id  : 4
Version        : v2
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie         : 0x039b87ea4e1e91b2
Responder Cookie        : 0xdedd86121d2038d7
Local Address           : 10.1.1.1
Remote Address          : 10.100.1.1:4500
PFS                     :
Flags                   : RD|ST|A
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time : 2017-02-20 22:07:57
PortCfg Index  : 0x98
IKE Peer Name  : _resv_ikev2__1
Connection Id  : 3
Version        : v2
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie                        : 0x039b87ea4e1e91b2
Responder Cookie                       : 0xdedd86121d2038d7
Local Address                          : 10.1.1.1
Remote Address                         : 10.100.1.1:4500
Encryption Algorithm                   : 3DES-CBC
Authentication Method                  : Pre-Shared key
Integrity Algorithm                    : hmac-sha1-96
Prf Algorithm                          : hmac-sha1
DPD Capability                         : Yes
DPD Enable                             : Yes
Remaining Duration                     : 11168
Reference Counter                      : 1
Flags                                  : RD|ST|A
Remote Id                              : huawei
DH Group                               : 14
------------------------------------------------

  Number of IKE SA : 2
------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
Table 10-13  Description of the display ike sa verbose command output

Item Description
Ike Sa phase Phases of the SA:
  • 1: IKE peers establish an IPSec tunnel. An IKE SA is established in this phase.
  • 2: IKE peers negotiate security services. An IPSec SA is established in this phase.
Establish Time Time when the SA was created.
PortCfg Index Index of the interface to which the IPSec policy is applied.
IKE Peer Name IKE peer name.
Connection Id Connection ID of an SA.
Version
IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.
Exchange Mode Negotiation mode of the IKEv1 phase 1.
  • Main: main mode.
  • Aggressive: aggressive mode.
Flow VPN VPN to which the data flow belongs.
Peer VPN VPN to which the peer belongs.
Intiator Cookie Cookie of the initiator.
Responder Cookie Cookie of the responder.
Local Address Local IP address of an IPSec tunnel.

Remote Address Remote IP address and UDP port number of an IPSec tunnel.
Encryption Algorithm Encryption algorithm in the IKE proposal.
Authentication Algorithm Authentication algorithm in the IKE proposal.
Authentication Method Authentication method in the IKE proposal.
Integrity Algorithm Integrity algorithm used in an IKEv2 proposal.
Prf Algorithm Pseudo-random function (PRF) used in an IKEv2 proposal.
DPD Capability Whether DPD capability is successfully negotiated:
  • yes
  • no
DPD Enable Whether the DPD function is enabled:
  • yes
  • no
Remaining Duration Remaining lifetime of an SA.
Reference Counter Number of IPSec SAs negotiated by the IKE SA.
PFS Perfect Forward Secrecy (PFS) when the local end initiates negotiation.

Flags SA status:
  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet after the last heartbeat timeout. The SA will be deleted if it still does not receive any heartbeat packet till the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO: It is the last known sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty: IKE SA negotiation is being performed because the settings at the two ends of the tunnel are inconsistent.

Remote Id Remote ID for IKE negotiation.
DH Group DH group in the IKE proposal.
NAT Traversal Version Version of NAT traversal:
  • draft-ietf-ipsec-nat-t-ike-00
  • draft-ietf-ipsec-nat-t-ike-02
  • RFC3947
Number of IKE SA Total number of IKE SAs and IPSec SAs.

display ike statistics

Function

The display ike statistics command displays IKE statistics.

Format

display ike statistics { v1 | v2 }

Parameters

Parameter Description Value
v1 Displays IKEv1 statistics. -
v2 Displays IKEv2 statistics. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When a fault occurs on the IPSec tunnel that is established through IKE negotiation, you can check statistics about IKE peers, IKE SAs, and DPD packets to diagnose and locate the fault.

Example

# Display IKEv1 statistics.

<HUAWEI> display ike statistics v1  
--------------------------------------------------------------------------------
 IKE V1 statistics information                                                  
 
 Number of total peers                        : 7                               
 Maximum of total peers in history            : 0
 Begin time of total peers                    : 2015-04-08 21:23:10             
 Maximum time of total peers                  : 2015-04-08 21:23:10             
 Number of proposals                          : 4                               
 Number of established V1 phase 1 SAs         : 0                               
 Number of established V1 phase 2 SAs         : 0                               
 Number of total V1 phase 1 SAs               : 0                               
 Number of total V1 phase 2 SAs               : 0                               
 Number of total SAs                          : 0                               
 Maximum of V1 phase 1 SAs in history         : 0                               
 Begin time of V1 phase 1 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V1 phase 1 SAs               : 2015-04-08 21:23:10             
 Maximum of V1 phase 2 SAs in history         : 0                               
 Begin time of V1 phase 2 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V1 phase 2 SAs               : 2015-04-08 21:23:10             
 Maximum of total SAs in history              : 0                               
 Begin time of total SAs                      : 2015-04-08 21:23:10             
 Maximum time of total SAs                    : 2015-04-08 21:23:10             
 Number of messages in V1 fast queue          : 0                               
 Number of messages in V1 slow queue          : 0                               
 Number of DPD request sent                   : 0                               
 Number of DPD ack received                   : 0                               
 Number of DPD request received               : 0                               
 Number of DPD ack sent                       : 0
--------------------------------------------------------------------------------

# Display IKEv2 statistics.

<HUAWEI> display ike statistics v2                                                    
--------------------------------------------------------------------------------
 IKE V2 statistics information                                                  
 
 Number of total peers                        : 0                               
 Maximum of total peers in history            : 0
 Begin time of total peers                    : 2015-04-08 21:23:10             
 Maximum time of total peers                  : 2015-04-08 21:23:10             
 Number of proposals                          : 4                               
 Number of established V2 phase 1 SAs         : 0                               
 Number of established V2 phase 2 SAs         : 0                               
 Number of total V2 phase 1 SAs               : 0                               
 Number of total V2 phase 2 SAs               : 0                               
 Number of total SAs                          : 0                               
 Maximum of V2 phase 1 SAs in history         : 0                               
 Begin time of V2 phase 1 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V2 phase 1 SAs               : 2015-04-08 21:23:10             
 Maximum of V2 phase 2 SAs in history         : 0                               
 Begin time of V2 phase 2 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V2 phase 2 SAs               : 2015-04-08 21:23:10             
 Maximum of total SAs in history              : 0                               
 Begin time of total SAs                      : 2015-04-08 21:23:10             
 Maximum time of total SAs                    : 2015-04-08 21:23:10             
 Number of messages in V2 fast queue          : 0                               
 Number of messages in V2 slow queue          : 0                               
 Number of DPD request sent                   : 0                               
 Number of DPD ack received                   : 0                               
 Number of DPD request received               : 0                               
 Number of DPD ack sent                       : 0
--------------------------------------------------------------------------------
Table 10-14  Description of the display ike statistics command output

Item

Description

IKE V1 statistics information

IKEv1 statistics.

IKE V2 statistics information

IKEv2 statistics.
Number of total peers

Total number of peers.

Maximum of total peers in history

Historical maximum number of IKE peers.

Begin time of total peers

Time when the system started to count the number of IKE peers.

Maximum time of total peers

Time when the total number of IKE peers reached the maximum value.

Number of proposals

Number of IKE proposals.

Number of established V1/V2 phase 1 SAs

Total number of IKE SAs that have been established successfully.

Number of established V1/V2 phase 2 SAs

Total number of IPSec SAs that have been established successfully.

Number of total V1/V2 phase 1 SAs

Total number of IKE SAs.

Number of total V1/V2 phase 2 SAs

Total number of IPSec SAs.

Number of total SAs

Total number of SAs.

Maximum of V1/V2 phase 1 SAs in history

Maximum number of IKE SAs in the history.

Begin time of V1/V2 phase 1 SAs

Time when the system started to count the number of IKE SAs.

Maximum time of V1/V2 phase 1 SAs

Time when the total number of IKE SAs reached the maximum value.

Maximum of V1/V2 phase 2 SAs in history

Maximum number of IPSec SAs in the history.

Begin time of V1/V2 phase 2 SAs

Time when the system started to count the number of IPSec SAs.

Maximum time of V1/V2 phase 2 SAs

Time when the total number of IPSec SAs reached the maximum value.

Maximum of total SAs in history

Maximum number of total SAs in the history.

Begin time of total SAs

Time when the system started to count the total number of SAs.

Maximum time of total SAs

Time when the total number of SAs reached the maximum value.

Number of messages in V1/V2 fast queue

Number of IKE messages in high-priority queues.

Number of messages in V1/V2 slow queue

Number of IKE messages in low-priority queues.

Number of DPD request sent

Number of DPD request packets sent from the local end.

Number of DPD ack received

Number of DPD ack packets received by the local end.

Number of DPD request received

Number of DPD request packets received by the local end.

Number of DPD ack sent

Number of DPD ack packets sent from the local end.

display ikev2 statistics

Function

The display ikev2 statistics command displays statistics on IPSec tunnels negotiated using IKEv2.

Format

display ikev2 statistics { error | notify-info | packet | sa }

Parameters

Parameter

Description

Value

error

Displays error statistics on IPSec tunnels negotiated using IKEv2.

-

notify-info

Displays notification message statistics on IPSec tunnels negotiated using IKEv2.

-

packet

Displays packet statistics on IPSec tunnels negotiated using IKEv2.

-

sa

Displays SA statistics on IPSec tunnels negotiated using IKEv2.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view error, packet, SA, and notification message statistics on IPSec tunnels negotiated using IKEv2.

Example

# Display error statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics error

Error statistics:
-------------------------------------------------------------------------------
Config error:
Version error            :0
Peer address can not match with any ike peer config                  :0
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Responder dh mismatch    :0           Initiator dh mismatch          :0
Flow mismatch            :1
ID can not match with any ike peer config                            :0
Construct local id fail                                              :0
Authentication fail (may be pre-shared-key error)                    :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid length           :0
Message-id unordered     :0
Unknown exchange type    :0
Invalid cookie           :6
Shortpacket              :0
Malformed message        :4
Malformed payload        :0
Rekey, not find old child:0           Rekey, old child close         :14
Exchange-type or role(initiator or responder) mismatch               :0
Unexpected critical payload, drop                                    :0
Unexpected uncritical payload, ignore                                :0
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :0
Responder receive invalid cookie for IKEV2_COOKIE request            :0
Responder receive no cookie for IKEV2_COOKIE request                 :0
-------------------------------------------------------------------------------
System abnormal:
Fail decrypt             :0           Fail encrypt                   :0
Fail integrity check     :0
No memory, fail send packet                                          :0
No memory, fail process packet                                       :0
-------------------------------------------------------------------------------
System limited:
First packet speed limited :0               License limited          :0
-------------------------------------------------------------------------------
Table 10-15  Description of the display ikev2 statistics error command output

Item

Description

Error statistics

Error statistics.

Config error

Configurations are incorrect.

Version error

The IKE version does not match.

Peer address can not match with any ike peer config

The corresponding IKE peer is not found based on the peer address.

Phase1 proposal mismatch

The phase 1 IPSec proposal does not match.

Phase2 proposal or pfs mismatch

The phase 2 IPSec proposal or PFS does not match.

Responder dh mismatch

DH group match on the responder failed. (If a DH group in the initiator's algorithm list matches, the responder sends an informational message instructing the initiator to restart negotiation with that DH group. If the initiator accepts the message, the negotiation succeeds.)

Initiator dh mismatch

DH group match on the initiator failed. (The initiator failed to process the message requesting a matching DH group.)

Flow mismatch

The data flow does not match.

ID can not match with any ike peer config

The peer ID does not match that configured in the IKE peer.

Construct local id fail

Local ID construction failed.

Authentication fail (may be pre-shared-key error)

Authentication failed. The possible cause is that the pre-shared key does not match.

Packet or payload error

Incorrect packet or payload.

Invalid length

Invalid length.

Message-id unordered

Message ID out of order.

Unknown exchange type

Unknown exchange type.

Invalid cookie

Invalid cookie:

  • A received IKEv2 message that does not trigger negotiation refers to an SA that does not exist.
  • An IKEv2 message that triggers negotiation carries a cookie of 0.

Shortpacket

The packet is too short.

Malformed message

Invalid message.

Malformed payload

Invalid payload.

Rekey, not find old child

The old IPSec SA is not found for re-negotiation.

Rekey, old child close

The old IPSec SA is offline for re-negotiation.

Exchange-type or role(initiator or responder) mismatch

The exchange type or role (initiator or responder) does not match.

Unexpected critical payload, drop

An unrecognized payload marked as critical is received, and the message is dropped.

Unexpected uncritical payload, ignore

An unrecognized payload not marked as critical is received, and the payload is ignored.

Maybe ddos attack

A DDoS attack may be in progress.

Responder request IKEV2_COOKIE

The device requests a cookie from the initiator when the number of SAs in the negotiating state exceeds the threshold.

Responder receive invalid cookie for IKEV2_COOKIE request

The received cookie is invalid.

Responder receive no cookie for IKEV2_COOKIE request

No cookie is received.

System abnormal

The system is abnormal.

Fail decrypt

Decryption failed.

Fail encrypt

Encryption failed.

Fail integrity check

Integrity check failed.

No memory, fail send packet

Packet sending failed due to insufficient memory.

No memory, fail process packet

Packet parsing failed due to insufficient memory.

System limited

System restriction.

First packet speed limited

The rate of the first packet is limited.

License limited

License restriction.

# Display notification message statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics notify-info

Ikev2 notification statistics:
-------------------------------------------------------------------------------
Notification:
INVALID_IKE_SPI notification                send:0          receive:0
INVALID_MAJOR_VERSION notification          send:0          receive:0
INVALID_SYNTAX notification                 send:0          receive:0
INVALID_IPSEC_SPI notification              send:0          receive:0
INVALID_KE_PAYLOAD notification             send:0          receive:0
SINGLE_PAIR_REQUIRED notification           send:0          receive:0
NO_ADDITIONAL_SA notification               send:0          receive:0
TS_UNACCEPTABLE notification                send:0          receive:0
INVALID_IPSEC_SELECTORS notification        send:0          receive:0
INITIAL_CONTACT payload                     send:0          receive:0
SET_WINDOW_SIZE payload                     send:0          receive:0
NAT_DETECTION_SOURCE_IP payload             send:0          receive:0
NAT_DETECTION_DESTINATION_IP payload        send:0          receive:0
USE_TRANSPORT_MODE notification             send:0          receive:0
REKEY_SA notification                       send:0          receive:0
ESP_TFC_PADDING_NOT_SUPPORTED payload       send:0          receive:0
AUTH_LIFETIME payload                       send:0          receive:0
REDIRECT payload                            send:0          receive:0
DELETE_OLD_CHILDSA notification             send:0          receive:0
DSCP payload                                send:0          receive:0
------------------------------------------------------------------------------- 
Table 10-16  Description of the display ikev2 statistics notify-info command output

Item

Description

Ikev2 notification statistics

IKEv2 notification message statistics.

Notification

IKEv2 notification message.

INVALID_IKE_SPI notification

Invalid IKE SPI notification message.

INVALID_MAJOR_VERSION notification

Invalid major version number notification message.

INVALID_SYNTAX notification

Invalid syntax notification message.

INVALID_IPSEC_SPI notification

Invalid IPSec SPI notification message.

INVALID_KE_PAYLOAD notification

Incorrect KE payload.

SINGLE_PAIR_REQUIRED notification

Single_Pair_Required notification message.

NO_ADDITIONAL_SA notification

No additional SA notification message.

TS_UNACCEPTABLE notification

Invalid TS payload.

INVALID_IPSEC_SELECTORS notification

Invalid IPSec Selectors notification message.

INITIAL_CONTACT payload

Initial_Contact notification message.

SET_WINDOW_SIZE payload

Set_Window_Size notification message.

NAT_DETECTION_SOURCE_IP payload

NAT source IP notification message.

NAT_DETECTION_DESTINATION_IP payload

NAT destination IP notification message.

USE_TRANSPORT_MODE notification

Transport mode notification message.

REKEY_SA notification

SA re-negotiation notification message.

ESP_TFC_PADDING_NOT_SUPPORTED payload

ESP_TFC_Padding_Not_Supported notification message.

AUTH_LIFETIME payload

Auth_Lifetime notification message.

REDIRECT payload

Redirection notification message.

DELETE_OLD_CHILDSA notification

Delete_Old_ChildSa notification message.

DSCP payload

DSCP notification message.

send

Number of sent messages.

receive

Number of received messages.

# Display packet statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics packet

Packet statistics:                                                              
------------------------------------------------------------------------------- 
Ike_init request send    :33          Ike_init response send   :0               
Ike_init request recv    :10          Ike_init response recv   :0               
Ike_auth request send    :10          Ike_auth response send   :0               
Ike_auth request recv    :10          Ike_auth response recv   :0               
Create_child req send    :91          Create_child resp send   :147             
Create_child req recv    :87          Create_child resp recv   :147             
Ike_info request send    :210         Ike_info response send   :31              
Ike_info request recv    :0           Ike_info response recv   :31              
Del_info request send    :209         Del_info response send   :26              
Del_info request recv    :0           Del_info response recv   :31              
Dpd_info request send    :4           Dpd_info response send   :0               
Dpd_info request recv    :0           Dpd_info response recv   :0
------------------------------------------------------------------------------- 
Table 10-17  Description of the display ikev2 statistics packet command output

Item

Description

Packet statistics

IPSec packet statistics.

Ike_init request send

Number of sent IKE SA initialization exchange (ike_init) request packets.

Ike_init response send

Number of sent ike_init response packets.

Ike_init request recv

Number of received ike_init request packets.

Ike_init response recv

Number of received ike_init response packets.

Ike_auth request send

Number of sent IKE authentication exchange (ike_auth) request packets.

Ike_auth response send

Number of sent ike_auth response packets.

Ike_auth request recv

Number of received ike_auth request packets.

Ike_auth response recv

Number of received ike_auth response packets.

Create_child req send

Number of sent IPSec SA creation exchange (create_child) request packets.

Create_child resp send

Number of sent create_child response packets.

Create_child req recv

Number of received create_child request packets.

Create_child resp recv

Number of received create_child response packets.

Ike_info request send

Number of sent IKE notification exchange (ike_info) request packets.

Ike_info response send

Number of sent ike_info response packets.

Ike_info request recv

Number of received ike_info request packets.

Ike_info response recv

Number of received ike_info response packets.

Del_info request send

Number of sent tunnel information deletion (del_info) request packets.

Del_info response send

Number of sent del_info response packets.

Del_info request recv

Number of received del_info request packets.

Del_info response recv

Number of received del_info response packets.

Dpd_info request send

Number of sent DPD information (dpd_info) request packets.

Dpd_info response send

Number of sent dpd_info response packets.

Dpd_info request recv

Number of received dpd_info request packets.

Dpd_info response recv

Number of received dpd_info response packets.

# Display SA statistics on IPSec tunnels negotiated using IKEv2.

<HUAWEI> display ikev2 statistics sa

Sa establish and offline statistic:
-------------------------------------------------------------------------------
Establish:
Initiator request phase1 negotiation                           :33
Initiator request phase2 negotiation                           :16
Initiator request and success phase1 negotiation               :10
Initiator request and success phase2 negotiation               :41
Responder response phase1 negotiation                          :0
Responder response phase2 negotiation                          :0
Responder response and success phase1 negotiation              :0
Responder response and success phase2 negotiation              :0
Offline:
Receive ph1 delete info  :5           Receive ph2 delete info  :26
Manual reset phase1      :6           Manual reset phase2      :9
Phase1 hardware expire   :1           Phase2 hardware expire   :1
Phase1 replace           :125         Phase2 replace           :75
Aaa cut user             :0           Dpd timeout              :1
Reauth timeout           :0
-------------------------------------------------------------------------------
Table 10-18  Description of the display ikev2 statistics sa command output

Item

Description

Sa establish and offline statistic

SA establishment and deletion information.

Establish

Statistics on established IPSec tunnels.

Initiator request phase1 negotiation

Number of times that the initiator requests phase 1 negotiation.

Initiator request phase2 negotiation

Number of times that the initiator requests phase 2 negotiation.

Initiator request and success phase1 negotiation

Number of times that the initiator succeeds in requesting phase 1 negotiation.

Initiator request and success phase2 negotiation

Number of times that the initiator succeeds in requesting phase 2 negotiation.

Responder response phase1 negotiation

Number of times that the responder responds to phase 1 negotiation.

Responder response phase2 negotiation

Number of times that the responder responds to phase 2 negotiation.

Responder response and success phase1 negotiation

Number of times that the responder succeeds in responding to phase 1 negotiation.

Responder response and success phase2 negotiation

Number of times that the responder succeeds in responding to phase 2 negotiation.

Offline

Statistics on deleted IPSec tunnels.

Receive ph1 delete info

Number of times that the device receives phase 1 tunnel deletion messages.

Receive ph2 delete info

Number of times that the device receives phase 2 tunnel deletion messages.

Manual reset phase1

Number of times that the phase 1 tunnel is deleted manually.

Manual reset phase2

Number of times that the phase 2 tunnel is deleted manually.

Phase1 hardware expire

Number of times that the phase 1 tunnel is deleted due to hard timeout.

Phase2 hardware expire

Number of times that the phase 2 tunnel is deleted due to hard timeout.

Phase1 replace

Number of phase 1 tunnel re-negotiation times.

Phase2 replace

Number of phase 2 tunnel re-negotiation times.

Aaa cut user

Number of tunnel deletion times caused by forced user offline.

Dpd timeout

Number of tunnel deletion times caused by DPD timeout.

Reauth timeout

Number of tunnel deletion times caused by re-authentication timeout.
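
The error counters in Table 10-15 and the negotiation counters in Table 10-18 are cumulative, and several of them (authentication failures, invalid cookies, malformed messages, the "Maybe ddos attack" group, integrity-check failures) are the ones an operator wants to watch between snapshots. The following Python is an added example, not Huawei code: it parses the "name :count" layout used by display ikev2 statistics error and display ikev2 statistics sa (including lines that carry two counters side by side), flags the security-relevant counters that are non-zero, compares two snapshots, and computes the phase 1 success ratio. The sample texts are constructed abbreviations of the page's own example output; the function names and the list of watched counters are the example's own choices.

```python
"""Parse Huawei 'display ikev2 statistics error' / 'display ikev2 statistics sa'
output and flag security-relevant counters. Added example, not Huawei code."""
import re

# Constructed sample, abbreviated from the page's 'display ikev2 statistics error' output.
ERROR_SAMPLE = """Error statistics:
-------------------------------------------------------------------------------
Config error:
Version error            :0
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Flow mismatch            :1
Authentication fail (may be pre-shared-key error)                    :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid cookie           :6
Malformed message        :4
Rekey, not find old child:0           Rekey, old child close         :14
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :0
Responder receive invalid cookie for IKEV2_COOKIE request            :0
-------------------------------------------------------------------------------
System abnormal:
Fail decrypt             :0           Fail encrypt                   :0
Fail integrity check     :0
-------------------------------------------------------------------------------
"""

# Constructed sample, abbreviated from the page's 'display ikev2 statistics sa' output.
SA_SAMPLE = """Sa establish and offline statistic:
-------------------------------------------------------------------------------
Establish:
Initiator request phase1 negotiation                           :33
Initiator request and success phase1 negotiation               :10
Responder response phase1 negotiation                          :0
Responder response and success phase1 negotiation              :0
Offline:
Receive ph1 delete info  :5           Receive ph2 delete info  :26
Aaa cut user             :0           Dpd timeout              :1
-------------------------------------------------------------------------------
"""

# "<name> :<digits>"; one line may carry two such pairs side by side.
PAIR_RE = re.compile(r"([A-Za-z][^:]*?)\s*:\s*(\d+)")


def parse_counters(text):
    """Return {counter name: int}. Section headers such as 'Config error:'
    have no number after the colon and therefore never match."""
    counters = {}
    for line in text.splitlines():
        for name, value in PAIR_RE.findall(line):
            counters[name.strip()] = int(value)
    return counters


# Counters worth alerting on; every name appears in the page's Table 10-15.
SECURITY_COUNTERS = {
    "Authentication fail (may be pre-shared-key error)": "auth failures: wrong PSK or credential guessing",
    "Invalid cookie": "messages for unknown SAs or with a zero cookie",
    "Malformed message": "malformed IKEv2 messages reaching the device",
    "Malformed payload": "malformed IKEv2 payloads reaching the device",
    "Responder request IKEV2_COOKIE": "cookie challenges issued: negotiating-SA threshold exceeded",
    "Responder receive invalid cookie for IKEV2_COOKIE request": "cookie challenge answered incorrectly",
    "Responder receive no cookie for IKEV2_COOKIE request": "cookie challenge ignored by the peer",
    "Fail integrity check": "integrity check failures on protected messages",
    "First packet speed limited": "first-packet rate limiting engaged",
}


def flag_security_counters(counters):
    """Non-zero security-relevant counters as {name: (value, reason)}."""
    return {n: (v, SECURITY_COUNTERS[n]) for n, v in counters.items()
            if n in SECURITY_COUNTERS and v > 0}


def counter_delta(before, after):
    """Counters are cumulative, so compare two snapshots. A counter that went
    down was reset in between; its new value is then reported as the delta."""
    delta = {}
    for name, now in after.items():
        prev = before.get(name, 0)
        change = now - prev if now >= prev else now
        if change > 0:
            delta[name] = change
    return delta


def phase1_success_ratio(counters, role="Initiator"):
    """Share of phase 1 negotiations that succeeded for one role, or None when
    there were no attempts. Many attempts with a low ratio deserve a look."""
    verb = "request" if role == "Initiator" else "response"
    attempts = counters.get(f"{role} {verb} phase1 negotiation", 0)
    successes = counters.get(f"{role} {verb} and success phase1 negotiation", 0)
    return None if attempts == 0 else successes / attempts


if __name__ == "__main__":
    errs = parse_counters(ERROR_SAMPLE)
    for name, (value, why) in flag_security_counters(errs).items():
        print(f"{name}: {value} ({why})")
    print("initiator phase 1 success ratio:", phase1_success_ratio(parse_counters(SA_SAMPLE)))
```

The same parse_counters routine handles the single-column layout of display ike statistics, since its lines use the same "name : count" form. For the sample, the flagged counters are Invalid cookie (6) and Malformed message (4), and the initiator phase 1 success ratio is 10/33.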

display ipsec efficient-vpn

Function

The display ipsec efficient-vpn command displays Efficient VPN policy information.

Format

display ipsec efficient-vpn [ brief | capability | name efficient-vpn-name ]

Parameters

Parameter

Description

Value

brief

Displays brief information about Efficient VPN policies.

-

capability

Displays the IPSec configuration supported by an Efficient VPN policy.

-

name efficient-vpn-name

Displays information about a specified Efficient VPN policy.

The value is an existing Efficient VPN policy name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the Efficient VPN policy is configured, you can run this command to know the configuration information of the Efficient VPN policy, such as the name, interface, authentication method, IKE version, DH algorithm, and PFS algorithm of the Efficient VPN.

Example

# Display brief information about Efficient VPN policies.

<HUAWEI> display ipsec efficient-vpn brief
 Total number of IPSec efficient-vpn: 1

 Efficient-vpn name      Efficient-vpn mode
 ------------------------------------------
 v1                      client

# Display information about the Efficient VPN policy named easyvpn_1.

<HUAWEI> display ipsec efficient-vpn name easyvpn_1
===========================================
IPSec efficient-vpn name: easyvpn_1
Using interface         : Vlanif27
===========================================
 IPSec Efficient-vpn Name  : easyvpn_1
 IPSec Efficient-vpn Mode  : 1 (1:Client 2:Network 3:Network-plus)
 ACL Number                :
 Auth Method               : 8 (8:PSK)
 VPN name                  : wbh
 Local ID Type             : 11 (1:IP 2:Name 3:User-fqdn 11:Key-id)
 IKE Version               : 2 (1:IKEv1 2:IKEv2)
 Remote Address            : 10.10.10.1
 Pre Shared Key Cipher     : %^%#0vV`9|cDwFsNVs-ga@YF,b~X@EApDU$nJ!E1B+!1%^%#
 DH Group                  : DH group 5
 PFS Type                  : DH group 14
 Remote Name               :
 Re-auth interval          : 400 seconds 
 Anti-replay window size   : 0
 Service-scheme name       : ser
 DPD Msg Type              : seq-notify-hash
 Interface loopback        : LoopBack0
 Interface loopback IP     : 1.1.1.1/32
Table 10-19  Description of the display ipsec efficient-vpn command output

Item

Description

Total number of IPSec efficient-vpn

Total number of Efficient VPN policies.

Efficient-vpn name/IPSec Efficient-vpn Name

Name of the Efficient VPN policy. To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command.

Using interface

Interface to which an Efficient VPN policy is applied.

Efficient-vpn mode/IPSec Efficient-vpn Mode

Mode used by the Efficient VPN policy.
  • 1: client
  • 2: network
  • 3: network-plus
To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command.

ACL Number

ACL used by the Efficient VPN policy. To configure an ACL referenced by an Efficient VPN policy, run the security acl command.

Auth Method

Authentication method used by the Efficient VPN policy. The value 8 indicates pre-shared key authentication.

VPN name

Name of the VPN instance bound to the Efficient VPN policy. To bind a VPN instance to an Efficient VPN policy, run the sa binding vpn-instance (Efficient VPN policy view) command.

Local ID Type

Local ID type in IKE negotiation.
  • 1: IP
  • 2: Name
  • 3: User-fqdn
  • 11: Key-id

To set the local ID type, run the local-id-type command.

IKE Version

Configured IKE version:
  • 1: IKEv1
  • 2: IKEv2

Remote Address

IP address of the remote IKE peer. To configure the remote IP address, run the remote-address (Efficient VPN policy view) command.

Pre Shared Key Cipher

Pre-shared key. To configure a pre-shared key, run the pre-shared-key (Efficient VPN policy view) command.

DH Group

DH group used in IKE negotiation:

  • DH group 1: 768-bit DH group is used during IKE negotiation.
  • DH group 2: 1024-bit DH group is used during IKE negotiation.
  • DH group 5: 1536-bit DH group is used during IKE negotiation.
  • DH group 14: 2048-bit DH group is used during IKE negotiation.

To specify a DH group, run the dh command.

PFS Type

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit DH group is used during IKE negotiation.
  • DH group 2: 1024-bit DH group is used during IKE negotiation.
  • DH group 5: 1536-bit DH group is used during IKE negotiation.
  • DH group 14: 2048-bit DH group is used during IKE negotiation.
To specify a PFS, run the pfs command.

Remote Name

Remote name used in IKE negotiation.

Re-auth interval

IKEv2 re-authentication interval. To configure an IKEv2 re-authentication interval, run the re-authentication interval command.

Anti-replay window size

IPSec anti-replay window size. This field is displayed only when the IPSec anti-replay function is enabled. To set the anti-replay window size for this Efficient VPN policy, run the anti-replay window command.

A value of 0 means that no window size is set for this policy and the anti-replay setting configured in the system view is in effect. To enable the anti-replay function globally, run the ipsec anti-replay enable command.

Service-scheme name

Name of the bound service scheme. To configure the name of the bound service scheme, run the service-scheme (Efficient VPN policy view) command.

DPD Msg Type

Sequence of the payload in DPD packets.
  • seq-notify-hash
  • seq-hash-notify
To configure the sequence of the payload, run the dpd msg command.

Interface loopback

Number of the loopback interface. The loopback interface is dynamically created on the remote device and is used to establish an IPSec tunnel with the Efficient VPN server.

Interface loopback IP

IP address of the loopback interface, which is allocated by the Efficient VPN server to the remote device.

# Display the IPSec configuration supported by an Efficient VPN policy.

<HUAWEI> display ipsec efficient-vpn capability

  IKEv1 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
  Supported Authentication Methods:
    Pre Shared Key

  IKEv2 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Integrity Algorithms:
    MD5 | SHA1 | AES-XCBC-96 | SHA2-256 | SHA2-384 | SHA2-512
  Supported PRF:
    PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
    PRF-SHA2-512

  IPSEC Global Supported Algorithms
-------------------------------------------------------
  Supported Security Protocols:
    ESP
  Supported Encapsulation Modes:
    TUNNEL
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA256 | SHA384 | SHA512
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
NOTE:
  • The MD5 and SHA-1 authentication algorithms have security risks; therefore, you are advised to use SHA-2 preferentially.
  • The DES and 3DES encryption algorithms have security risks; therefore, you are advised to use AES preferentially.
  • The PRF-MD5 and PRF-SHA1 algorithms have security risks; therefore, you are advised to use PRF-AES-XCBC-128 or SHA-2 preferentially.

Table 10-20  Description of the display ipsec efficient-vpn capability command output

Item

Description

IKEv1 Global Supported Algorithms

Supported algorithms when IKEv1 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device.

Supported DH Groups

Supported DH groups when IKEv1 or IKEv2 is used.

Supported Encryption Algorithms

Supported encryption algorithms when IKEv1 or IKEv2 is used.

Supported Authentication Algorithms

Supported authentication algorithms when IKEv1 is used. To configure an authentication algorithm on the server.

Supported Authentication Methods

Supported authentication methods when IKEv1 is used: Pre Shared Key (pre-shared key authentication).

IKEv2 Global Supported Algorithms

Supported algorithms when IKEv2 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device.

Supported Integrity Algorithms

Supported integrity algorithms when IKEv2 is used. To configure an integrity algorithm on the server.

Supported PRF

Supported PRF algorithms when IKEv2 is used.

IPSEC Global Supported Algorithms

Algorithms supported by the system.

Supported Security Protocols

Security protocol supported by IPSec: ESP.

Supported Encapsulation Modes

Encapsulation mode supported by IPSec: tunnel mode.

Supported Authentication Algorithms

Authentication algorithm supported by IPSec.

Supported Encryption Algorithms

Encryption algorithm supported by IPSec.

display ipsec global config

Function

The display ipsec global config command displays IPSec global configurations.

Format

display ipsec global config

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view IPSec global configurations, run the display ipsec global config command. The global configurations include the global SA lifetime and whether the anti-replay function is enabled.

Example

# Display IPSec global configurations.

<HUAWEI> display ipsec global config
IPSec Global Config:                                                            
--------------------------------------------------------------                  
  IPSec sa global-duration time-based(seconds)        : 3600
  IPSec sa global-duration traffic-based(kbytes)      : 1843200
  IPSec anti-replay                                   : enable
--------------------------------------------------------------                  
Table 10-21  Description of the display ipsec global config command output

Item

Description

IPSec Global Config

IPSec global configurations.

IPSec sa global-duration time-based(seconds)

Time-based global SA lifetime, in seconds. To set the time-based global SA lifetime, run the ipsec sa global-duration time-based command.

IPSec sa global-duration traffic-based(kbytes)

Traffic-based global SA lifetime, in kilobytes. To set the traffic-based global SA lifetime, run the ipsec sa global-duration traffic-based command.

IPSec anti-replay

Whether the anti-replay function is enabled. To configure the anti-replay function, run the ipsec anti-replay enable command.

display ipsec interface brief

Function

The display ipsec interface brief command displays IPSec policies bound to an interface.

Format

display ipsec interface brief

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an IPSec policy is bound to an interface, you can run this command to view information about the bound IPSec policy, such as the policy name and interface to which the policy is bound.

Example

# Display IPSec policies bound to an interface.

<HUAWEI> display ipsec interface brief
------------------------------------------------       
  IPSec policy        : evpn_client   
  Using interface     : Vlanif100
  IPSec policy number : -                 
  IPSec policy Type   : efficient-vpn   
------------------------------------------------ 
Table 10-22  Description of the display ipsec interface brief command output

Item

Description

IPSec policy

Name of the IPSec policy bound to an interface. To apply an IPSec policy to an interface, run the ipsec efficient-vpn (interface view) command.

Using interface

Interface to which an IPSec policy is applied.

IPSec policy number

Sequence number of the IPSec policy bound to the interface.

IPSec policy Type

Type of the IPSec policy bound to an interface.

display ipsec sa efficient-vpn

Function

The display ipsec sa efficient-vpn command displays IPSec SA information.

Format

display ipsec sa efficient-vpn efficient-vpn-name

Parameters

Parameter

Description

Value

efficient-vpn-name

Displays SA information of an Efficient VPN policy with a specified name.

The value is an existing Efficient VPN policy name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view Efficient VPN SA information, such as the local and remote addresses of the IPSec tunnel, source and destination addresses of data flows, and the SA lifetime.

Example

# Display information about the IPSec SA of the Efficient VPN policy named evpn.
<HUAWEI> display ipsec sa efficient-vpn evpn

ipsec sa information:

===============================
Interface: Vlanif20
===============================

  -----------------------------
  IPSec efficient-vpn name: "evpn"
  Mode                    : EFFICIENTVPN-CLIENT MODE
  -----------------------------
    Connection ID     : 268435456
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 4m 29s
    Tunnel local      : 10.10.10.1:4500
    Tunnel remote     : 10.2.1.2:4500
    Flow source       : 10.1.1.6/255.255.255.255 0/0
    Flow destination  : 0.0.0.0/0.0.0.0 0/0
    Flow dscp         : af11 

    [Outbound ESP SAs]
      SPI: 2703436139 (0xa123296b)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Max sent sequence-number: 0
      UDP encapsulation used for NAT traversal: Y
      SA encrypted packets (number/bytes): 0/0

    [Inbound ESP SAs]
      SPI: 2303751342 (0x895074ae)
      Proposal: ESP-ENCRYPT-3DES-192 ESP-AUTH-SHA1
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Max received sequence-number: 0
      UDP encapsulation used for NAT traversal: Y
      SA decrypted packets (number/bytes): 0/0
      Anti-replay : Enable
      Anti-replay window size: 1024
Table 10-23  Description of the display ipsec sa efficient-vpn command output

Item | Description
ipsec sa information | Information about the IPSec SA.
Interface | Interface to which the Efficient VPN policy is applied.
IPSec efficient-vpn name | Name of the Efficient VPN policy. To configure the policy name, run the ipsec efficient-vpn (system view) command.
Mode | Mode in which the Efficient VPN policy was created.
Connection ID | ID of the IPSec SA connection.
Encapsulation mode | Encapsulation mode in the IPSec proposal.
Holding time | Time elapsed since the IPSec tunnel was created.
Tunnel local | IP address and NAT traversal port of the local interface. To configure the IP address of the local interface, run the tunnel local command.
Tunnel remote | IP address and NAT traversal port of the remote interface. To configure the IP address of the remote interface, run the remote-address (Efficient VPN policy view) command.
Flow source | Source IP address segment of the data flow sent from the local end, and the protocol number and port number of the ACL.
Flow destination | Destination IP address segment of the data flow sent from the local end, and the protocol number and port number of the ACL.
Flow dscp | DSCP value of the data flow sent from the local end.
Outbound ESP SAs | Outbound IPSec SA information using ESP.
SPI | SPI of the SA.
Proposal | IPSec proposal.
SA remaining key duration (kilobytes/sec) | Remaining hard lifetime of the SA, in kilobytes and seconds. To set the SA lifetime, run the ipsec sa global-duration command.
Max sent sequence-number | Maximum sequence number of sent packets. The sequence number increases during communication and is used for anti-replay.
UDP encapsulation used for NAT traversal | Whether NAT traversal is enabled: Y (enabled) or N (disabled).
SA encrypted packets (number/bytes) | Number of packets and bytes successfully encrypted using the IPSec SA.
Inbound ESP SAs | Inbound IPSec SA information using ESP.
Max received sequence-number | Maximum sequence number of received packets.
SA decrypted packets (number/bytes) | Number of packets and bytes successfully decrypted using the IPSec SA.
Anti-replay | Whether the anti-replay function is enabled for the IPSec tunnel: Enable or disable. To configure the anti-replay function for an IPSec tunnel, run the ipsec anti-replay enable command.
Anti-replay window size | IPSec anti-replay window size. This field is valid only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window or ipsec anti-replay window command.

display ipsec packet statistics

Function

The display ipsec packet statistics command displays IPSec packet statistics.

Format

display ipsec packet statistics

Parameters

None.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display ipsec packet statistics command to view IPSec packet statistics, including statistics about incoming or outgoing packets that are protected, statistics about encrypted and decrypted packets, detailed statistics about discarded packets that are protected, and statistics about IKE negotiation related packets. The IPSec packet statistics facilitate IPSec fault diagnosis and maintenance.

Precautions

The display ipsec packet statistics command only displays the number of plaintext bytes.

Example

# Display statistics about all IPSec packets.

<HUAWEI> display ipsec packet statistics 
 IPSec statistics information:
 Number of IPSec tunnels: 1
 the security packet statistics:                                                
   input/output security packets: 0/0                                           
   input/output security bytes: 0/0                                             
   input/output dropped security packets: 0/0                                   
   the encrypt packet statistics:                                               
     send chip: 0, recv chip: 0, send err: 0                                    
     local cpu: 0, other cpu: 0, recv other cpu: 0                              
     intact packet: 0, first slice: 0, after slice: 0                           
   the decrypt packet statistics:                                               
     send chip: 0, recv chip: 0, send err: 0                                    
     local cpu: 0, other cpu: 0, recv other cpu: 0                              
     reass  first slice: 0, after slice: 0                                      
   dropped security packet detail:                                              
     can not find SA: 0, wrong SA: 0  
     authentication: 0, replay: 0                                               
     front recheck: 0, after recheck: 0                                         
     change cpu enc: 0, dec change cpu: 0                                       
     fib search: 0, output l3: 0                                                
     flow err: 0, slice err: 0, byte limit: 0
  negotiate about packet statistics:                                            
    IKE fwd packet ok: 0, err: 0                                                
    IKE ctrl packet inbound ok: 0, outbound ok: 0                               
    SoftExpr: 0, HardExpr: 0, DPDOper: 0                                        
    trigger ok: 0, switch sa: 0, sync sa: 0                                     
    recv IKE nat keepalive: 0, IKE input: 0 
Table 10-24  Description of the display ipsec packet statistics command output

Item | Description
IPSec statistics information | Statistics about IPSec packets.
Number of IPSec tunnels | Number of IPSec tunnels.
the security packet statistics | Statistics about protected packets.
input/output security packets | Number of incoming/outgoing protected packets.
input/output security bytes | Number of incoming/outgoing protected bytes.
input/output dropped security packets | Number of discarded incoming/outgoing protected packets.
the encrypt packet statistics | Statistics about encrypted packets.
send chip | Number of packets sent to the hardware for encryption or decryption.
recv chip | Number of packets encrypted or decrypted by the hardware.
send err | Number of packets that failed to be sent to the hardware for encryption or decryption.
local cpu | Number of packets encrypted or decrypted by the local CPU.
other cpu | Number of packets forwarded to another CPU for encryption or decryption.
recv other cpu | Number of packets received from another CPU for encryption or decryption.
intact packet | Number of non-fragmented encrypted packets.
first slice | Number of initial fragments.
after slice | Number of non-initial fragments.
the decrypt packet statistics | Statistics about decrypted packets.
reass first slice | Number of initial fragments that were reassembled.
after slice | Number of non-initial fragments that were reassembled.
dropped security packet detail | Detailed statistics about discarded protected packets.
can not find SA | Number of packets for which no SA was found.
wrong SA | Number of packets with an invalid SA.
authentication | Number of packets that failed authentication.
replay | Number of packets discarded by the anti-replay check.
front recheck | Number of packets discarded by the IPSec pre-check.
after recheck | Number of packets discarded by the IPSec post-check.
change cpu enc | Number of encrypted packets that failed to be forwarded.
dec change cpu | Number of decrypted packets that failed to be forwarded.
fib search | Number of encrypted packets discarded because the route lookup failed.
output l3 | Number of encrypted packets that failed to be sent.
flow err | Number of packets discarded because negotiation was triggered.
slice err | Number of IPSec packets that failed to be fragmented.
byte limit | Number of packets discarded because of the traffic limit.
negotiate about packet statistics | Statistics about IKE negotiation packets.
IKE fwd packet ok | Number of IKE packets sent to the IKE process.
err | Number of IKE packets that failed to be sent to the IKE process.
IKE ctrl packet inbound ok | Number of IKE packets received by the control plane.
outbound ok | Number of IKE packets sent by the control plane.
SoftExpr | Number of traffic soft timeouts.
HardExpr | Number of traffic hard timeouts.
DPDOper | Number of times DPD was performed in on-demand DPD mode.
trigger ok | Number of times negotiation was triggered.
switch sa | Number of times the local device received data encrypted with the new SA and instructed the IKE process to replace the SA.
sync sa | Number of times the active device notified the IKE process that the SA triplet (remote address, SPI, protocol ID) does not exist on the standby device.
recv IKE nat keepalive | Number of IKE NAT keepalive packets received.
IKE input | Number of IKE packets received.
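The counters in Table 10-24 are only useful if something reads them. The following Python script is an added monitoring example, not Huawei code: it parses the output format shown above into sections and counters, then flags the drop reasons a defender cares about (replay, authentication, SA lookup failures) and an inbound drop ratio. SAMPLE_OUTPUT is constructed from the page's format with a few counters raised so the checks report something; the alert threshold is an assumption.

```python
"""Parse `display ipsec packet statistics` output and flag security-relevant drops.

Added monitoring example, not Huawei code. SAMPLE_OUTPUT is constructed
from the output format shown on this page, with some counters set non-zero
so the checks have something to report; the threshold is an assumption.
"""
import re
from typing import Dict, List, Tuple, Union

Counter = Union[int, Tuple[int, int]]

SAMPLE_OUTPUT = """\
 IPSec statistics information:
 Number of IPSec tunnels: 1
 the security packet statistics:
   input/output security packets: 12040/11987
   input/output security bytes: 1620500/1588020
   input/output dropped security packets: 37/0
   the encrypt packet statistics:
     send chip: 0, recv chip: 0, send err: 0
   the decrypt packet statistics:
     send chip: 0, recv chip: 0, send err: 0
   dropped security packet detail:
     can not find SA: 2, wrong SA: 0
     authentication: 5, replay: 30
     front recheck: 0, after recheck: 0
     change cpu enc: 0, dec change cpu: 0
     fib search: 0, output l3: 0
     flow err: 0, slice err: 0, byte limit: 0
  negotiate about packet statistics:
    IKE fwd packet ok: 14, err: 0
    IKE ctrl packet inbound ok: 7, outbound ok: 7
    SoftExpr: 0, HardExpr: 0, DPDOper: 0
    trigger ok: 1, switch sa: 0, sync sa: 0
    recv IKE nat keepalive: 60, IKE input: 14
"""

# Drop reasons worth an alert: replay and authentication failures point at
# replayed or tampered traffic, SA lookup failures at a peer/config mismatch.
SECURITY_DROP_KEYS = ("replay", "authentication", "can not find SA", "wrong SA")
DROP_RATIO_THRESHOLD = 0.001    # assumed: alert above 0.1% of inbound protected packets

# "name: 123" or "name: 12/34"; several pairs per line, separated by commas.
_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /]*?)\s*:\s*(\d+(?:/\d+)?)")

def parse_statistics(text: str) -> Dict[str, Dict[str, Counter]]:
    """Map each 'header:' line to the counters that follow it until the next header."""
    sections: Dict[str, Dict[str, Counter]] = {}
    current = "root"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                       # section header carrying no value
            current = line[:-1]
            sections.setdefault(current, {})
            continue
        for name, value in _PAIR_RE.findall(line):
            if "/" in value:                         # "input/output" style pair
                first, second = value.split("/")
                parsed: Counter = (int(first), int(second))
            else:
                parsed = int(value)
            sections.setdefault(current, {})[name.strip()] = parsed
    return sections

def security_drops(stats: Dict[str, Dict[str, Counter]]) -> List[Tuple[str, int]]:
    """Non-zero security-relevant drop counters, in SECURITY_DROP_KEYS order."""
    detail = stats.get("dropped security packet detail", {})
    return [(k, int(detail[k])) for k in SECURITY_DROP_KEYS if detail.get(k)]

def inbound_drop_ratio(stats: Dict[str, Dict[str, Counter]]) -> float:
    """Dropped inbound protected packets as a fraction of inbound protected packets."""
    sec = stats.get("the security packet statistics", {})
    in_pkts = sec.get("input/output security packets", (0, 0))[0]
    in_drop = sec.get("input/output dropped security packets", (0, 0))[0]
    return in_drop / in_pkts if in_pkts else 0.0

def report(text: str) -> List[str]:
    """Human-readable findings for one command output."""
    stats = parse_statistics(text)
    findings = [f"{reason}: {count} dropped" for reason, count in security_drops(stats)]
    ratio = inbound_drop_ratio(stats)
    if ratio > DROP_RATIO_THRESHOLD:
        findings.append(f"inbound drop ratio {ratio:.2%} exceeds {DROP_RATIO_THRESHOLD:.1%}")
    return findings

if __name__ == "__main__":
    for finding in report(SAMPLE_OUTPUT):
        print(finding)
```

Because the counters are cumulative, a real deployment would diff two successive samples and alert on the delta; a steadily growing replay or authentication counter on an otherwise healthy tunnel is the signal, not the absolute value.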

dpd msg

Function

The dpd msg command configures the payload sequence of DPD packets on the specified IKE peer.

The undo dpd msg command restores the default payload sequence of DPD packets on the specified IKE peer.

By default, the payload sequence of DPD packets on an IKE peer is seq-notify-hash.

Format

dpd msg { seq-hash-notify | seq-notify-hash }

undo dpd msg

Parameters

Parameter | Description | Value
seq-hash-notify | Indicates that in a DPD packet, the hash payload precedes the notify payload. | -
seq-notify-hash | Indicates that in a DPD packet, the notify payload precedes the hash payload. | -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

DPD packets carrying the notify payload and hash payload are exchanged bidirectionally. The notify payload sent by the initiator carries an R-U-THERE message equivalent to a Hello packet, and the notify payload sent by the responder carries an R-U-THERE-ACK message equivalent to an ACK packet.

The payload sequence of DPD packets sent by different devices may be different. IKE peers on both ends must send DPD packets with the same payload sequence; otherwise, DPD does not take effect. You can use the dpd msg command to set the same payload sequence of DPD packets on the two ends.

Precautions

This command applies only when an IKE peer uses IKEv1.

Example

# Set the payload sequence of DPD packets to hash-notify.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] dpd msg seq-hash-notify

ike dscp

Function

The ike dscp command sets a global DSCP priority of IKE packets.

The undo ike dscp command cancels the DSCP priority configuration.

By default, the global DSCP priority of IKE packets is 0.

Format

ike dscp dscp-value

undo ike dscp

Parameters

Parameter | Description | Value
dscp-value | Specifies the global DSCP priority of IKE packets. | An integer that ranges from 0 to 63, or one of the strings AF11 to AF13, AF21 to AF23, AF31 to AF33, AF41 to AF43, CS1 to CS7, EF, or default.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

IKE packets are used for IKE SA and IPSec SA negotiation or DPD. When IKE packets are lost during transmission, IPSec SAs may fail to be negotiated. As a result, packets that need to be protected by IPSec are not protected. The DSCP priority of IKE packets can be improved so that IKE packets are processed preferentially. IKE packet transmission reliability is therefore improved.

To configure the DSCP priority for IKE packets of all IKE peers, run this command.

Example

# Set a global DSCP priority of IKE packets to CS2.

<HUAWEI> system-view
[HUAWEI] ike dscp cs2

ike heartbeat

Function

The ike heartbeat command sets heartbeat parameters.

The undo ike heartbeat command restores the default configuration.

By default, a heartbeat packet uses the old sequence number mechanism and does not carry the SPI list.

Format

ike heartbeat { seq-num { new | old } | spi-list }

undo ike heartbeat { seq-num | spi-list }

Parameters

Parameter

Description

Value

seq-num { new | old }

Configures the sequence number mechanism for heartbeat packets.

  • new: The sequence number mechanism conforms to draft-ietf-ipsec-heartbeats-00.txt.

  • old: The sequence number mechanism conforms to the standard used before draft-ietf-ipsec-heartbeats-00.txt was published.

-

spi-list

Configures heartbeat packets to carry the SPI list.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In IPSec communication, if the local end becomes faulty and the remote end does not detect the fault because of system failures, the remote end still sends IPSec packets to the local end, causing traffic loss. Heartbeat detection solves this problem. After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status.

Precautions

The two ends must use the same heartbeat parameters.

If you run the ike heartbeat { seq-num { new | old } | spi-list } command multiple times, only the latest configuration takes effect.

Example

# Configure the sequence number mechanism for heartbeat packets to new.

<HUAWEI> system-view
[HUAWEI] ike heartbeat seq-num new

ike heartbeat-timer interval

Function

The ike heartbeat-timer interval command sets the interval for sending heartbeat packets through an IKE SA.

The undo ike heartbeat-timer interval command cancels the configuration.

By default, an IKE SA does not send heartbeat packets.

Format

ike heartbeat-timer interval interval

undo ike heartbeat-timer interval

Parameters

Parameter | Description | Value
interval | Specifies the interval for sending heartbeat packets through an IKE SA. | The value is an integer that ranges from 20 to 28800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status. This command sets the interval for sending heartbeat packets through an IKE SA.

The interval at which heartbeat packets are sent (configured using the ike heartbeat-timer interval command) at the local end must be used together with the timeout interval for heartbeat packets (configured using the ike heartbeat-timer timeout command) at the remote end. If the remote end does not receive any heartbeat packet within the timeout interval, it deletes an IKE SA that already carries a timeout tag, together with its corresponding IPSec SA; if the IKE SA does not yet carry a timeout tag, it is tagged as timed out.

Precautions

When the ike heartbeat-timer interval command is configured at one end, the ike heartbeat-timer timeout command must be used at the other end.

The timeout interval of heartbeat packets must be longer than the interval at which heartbeat packets are sent. On a network, packet loss seldom occurs more than three consecutive times. Therefore, it is recommended that the timeout interval of heartbeat packets be three times the interval at which heartbeat packets are sent.

Example

# Set the interval for sending heartbeat packets to 20 seconds.

<HUAWEI> system-view
[HUAWEI] ike heartbeat-timer interval 20

ike heartbeat-timer timeout

Function

The ike heartbeat-timer timeout command sets the timeout interval during which an IKE SA waits for a heartbeat packet.

The undo ike heartbeat-timer timeout command cancels the configuration.

By default, the timeout interval during which an IKE SA waits for a heartbeat packet is not configured.

Format

ike heartbeat-timer timeout seconds

undo ike heartbeat-timer timeout

Parameters

Parameter | Description | Value
seconds | Specifies the timeout interval during which an IKE SA waits for a heartbeat packet. | The value is an integer that ranges from 30 to 28800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status. This command sets the timeout interval during which an IKE SA waits for a heartbeat packet.

Precautions

When the ike heartbeat-timer interval command is configured at one end, the ike heartbeat-timer timeout command must be used at the other end.

The timeout interval of heartbeat packets must be longer than the interval at which heartbeat packets are sent. On a network, packet loss seldom occurs more than three consecutive times. Therefore, it is recommended that the timeout interval of heartbeat packets be three times the interval at which heartbeat packets are sent.

Example

# Set the timeout interval during which an IKE SA waits for a heartbeat packet to 60 seconds.

<HUAWEI> system-view
[HUAWEI] ike heartbeat-timer timeout 60
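The interaction between ike heartbeat-timer interval on one end and ike heartbeat-timer timeout on the other is easier to see in code than in prose. The following Python script is an added example, not Huawei code: validate_timers applies the value ranges and the "timeout longer than interval, ideally three times" guidance stated above, and simulate plays the remote end's timer against constructed heartbeat-loss patterns, including the two-step behaviour (first expiry tags the IKE SA, second expiry deletes it with its IPSec SA). Two details the page does not state are assumptions and are marked as such in the code: a received heartbeat clears an existing timeout tag, and the timer restarts when the SA is tagged.

```python
"""IKE heartbeat send interval vs. receive timeout, added example (not Huawei code).

`validate_timers` applies the constraints stated for ike heartbeat-timer
interval / timeout; `simulate` plays the remote end's timer against a
constructed pattern of lost heartbeats. Two assumptions not stated on the
page: a received heartbeat clears an existing timeout tag, and the timer
restarts when the SA is tagged.
"""
from typing import Dict, List, Optional, Set

def validate_timers(interval: int, timeout: int) -> List[str]:
    """Problems with a (local interval, remote timeout) pair; empty list if acceptable."""
    problems: List[str] = []
    if not 20 <= interval <= 28800:
        problems.append("interval outside 20..28800 s")
    if not 30 <= timeout <= 28800:
        problems.append("timeout outside 30..28800 s")
    if timeout <= interval:
        problems.append("timeout must be longer than the send interval")
    elif timeout < 3 * interval:
        problems.append("timeout below the recommended 3 x interval")
    return problems

def simulate(interval: int, timeout: int, lost: Set[int], horizon: int) -> Dict[str, Optional[int]]:
    """Remote-end view, one tick per second.

    Heartbeats are sent at every multiple of `interval`; those whose send time
    is in `lost` never arrive. The first expiry tags the IKE SA, a second expiry
    deletes it (together with its IPSec SA), as the page describes.
    """
    last_rx = 0                 # SA setup counts as the first contact
    tagged = False
    first_tag: Optional[int] = None
    deleted_at: Optional[int] = None
    for now in range(1, horizon + 1):
        if now % interval == 0 and now not in lost:
            last_rx = now
            tagged = False      # assumption: a heartbeat clears the timeout tag
        if now - last_rx > timeout:
            if tagged:
                deleted_at = now
                break
            tagged = True
            first_tag = first_tag if first_tag is not None else now
            last_rx = now       # assumption: the timer restarts after tagging
    return {"first_tag": first_tag, "deleted_at": deleted_at}

if __name__ == "__main__":
    print(validate_timers(20, 60))                          # []
    print(simulate(20, 60, {20, 40}, 200))                  # two losses tolerated
    print(simulate(20, 60, {20, 40, 60}, 200))              # tagged at 61, recovers
    print(simulate(20, 60, set(range(20, 140, 20)), 200))   # deleted at 122
```

With the page's own values (interval 20 s, timeout 60 s), two consecutive lost heartbeats are absorbed, a third only tags the SA, and the SA is torn down only when the loss persists through a second timeout period.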

ike local-name

Function

The ike local-name command configures the local name for IKE negotiation.

The undo ike local-name command deletes the local name for IKE negotiation.

By default, no local name is configured for IKE negotiation.

Format

ike local-name local-name

undo ike local-name

Parameters

Parameter | Description | Value
local-name | Specifies a local name for IKE negotiation. | The value is a string of 1 to 255 case-sensitive characters without question marks (?).

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During identity authentication, if the ID type of an IKE peer is fully qualified domain name (FQDN) or USER-FQDN, the IKE peer uses a name for identity authentication. In this case, run the ike local-name command to configure the local name.

Example

# Set the local name for IKE negotiation to Huawei.

<HUAWEI> system-view
[HUAWEI] ike local-name Huawei

ike nat-keepalive-timer interval

Function

The ike nat-keepalive-timer interval command configures the interval for sending NAT Keepalive packets.

The undo ike nat-keepalive-timer interval command restores the default setting.

By default, the interval for sending NAT Keepalive packets is 20 seconds.

Format

ike nat-keepalive-timer interval interval

undo ike nat-keepalive-timer interval

Parameters

Parameter | Description | Value
interval | Specifies the interval for sending NAT Keepalive packets. | The value is an integer that ranges from 5 to 300, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a NAT gateway exists between two IKE peers, the device on the private-network side of the NAT gateway sends NAT Keepalive packets to its peer at a fixed interval so that the NAT session stays alive and its NAT entries are not aged out.

Example

# Configure the interval for sending NAT Keepalive packets to 30 seconds.

<HUAWEI> system-view
[HUAWEI] ike nat-keepalive-timer interval 30

ikev1 phase1-phase2 sa dependent

Function

The ikev1 phase1-phase2 sa dependent command enables dependency between IPSec SA and IKE SA during IKEv1 negotiation.

The undo ikev1 phase1-phase2 sa dependent command cancels dependency between IPSec SA and IKE SA during IKEv1 negotiation.

By default, no dependency exists between IPSec SA and IKE SA during IKEv1 negotiation.

Format

ikev1 phase1-phase2 sa dependent

undo ikev1 phase1-phase2 sa dependent

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During IKEv1 negotiation, an IKE SA is established in phase 1 and an IPSec SA in phase 2. By default, there is no dependency between the IPSec SA and the IKE SA, that is, the two SAs can be deleted separately. If the IKE SA is deleted while the corresponding IPSec SA still exists, traffic forwarding is affected. To prevent this problem, run this command to enable the dependency between the IPSec SA and the IKE SA.

Example

# Enable dependency between IPSec SA and IKE SA during IKEv1 negotiation.

<HUAWEI> system-view
[HUAWEI] ikev1 phase1-phase2 sa dependent

ikev2 initial-contact enable

Function

The ikev2 initial-contact enable command enables the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

The undo ikev2 initial-contact enable command disables the device from sending the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

By default, the device does not send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

Format

ikev2 initial-contact enable

undo ikev2 initial-contact enable

Parameters

None

Views

System View

Default Level

2: Configuration level

Usage Guidelines

The INITIAL_CONTACT notify payload asserts that an IKE SA is the only active IKE SA between a pair of IKE peers. By default, the device deletes the old IKE SA after the new IKE SA is created, without needing the INITIAL_CONTACT notify payload. Configure this command when the remote end requires the INITIAL_CONTACT notify payload before it deletes the old IKE SA.

When the local device restarts or expects to use the current IKE SA for establishing an IPSec tunnel only, run this command to enable the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request so that the remote device deletes the old IKE SA.

Example

# Enable the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

<HUAWEI> system-view
[HUAWEI] ikev2 initial-contact enable

ipsec anti-replay enable

Function

The ipsec anti-replay enable command enables the anti-replay function globally.

The undo ipsec anti-replay enable command disables the anti-replay function globally.

By default, the anti-replay function is enabled globally.

Format

ipsec anti-replay enable

undo ipsec anti-replay enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Replayed packets are packets that the device has already processed. IPSec uses a sliding window (the anti-replay window) to detect them. AH and ESP headers carry 32-bit sequence numbers, and the sequence numbers of packets belonging to the same SA increase monotonically. If an authenticated packet carries the same sequence number as a packet that has already been decapsulated, or its sequence number falls outside the sliding window, the packet is considered a replayed packet.

Decapsulating replayed packets consumes many resources and makes system performance deteriorate. Therefore, attackers may use replayed packets to initiate a DoS attack. After the anti-replay function is enabled, the system discards replayed packets to save system resources.

Precautions

In some situations, for example, network congestion occurs or QoS is performed for packets, the sequence numbers of some service data packets may be different from those in common data packets. The device that has IPSec anti-replay enabled considers the packets replayed and discards them. You can disable global IPSec anti-replay to prevent packets from being discarded incorrectly or adjust the IPSec anti-replay window size to meet service requirements.

Example

# Enable the anti-replay function globally.

<HUAWEI> system-view
[HUAWEI] ipsec anti-replay enable

ipsec anti-replay window

Function

The ipsec anti-replay window command sets the global IPSec anti-replay window size.

The undo ipsec anti-replay window command restores the default global IPSec anti-replay window size.

By default, the global IPSec anti-replay window size is 1024 bits.

Format

ipsec anti-replay window window-size

undo ipsec anti-replay window

Parameters

Parameter | Description | Value
window-size | Specifies the global IPSec anti-replay window size. | The value can be 32, 64, 128, 256, 512, or 1024, in bits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In some situations, for example, network congestion occurs or QoS is performed for packets, the sequence numbers of some service data packets may be unusual. The device that has IPSec anti-replay enabled considers the packets replayed and discards them. To prevent packets from being discarded incorrectly, you can disable global IPSec anti-replay or adjust the IPSec anti-replay window size to meet service requirements.

Prerequisites

The anti-replay function has been enabled. By default, it is enabled (see the ipsec anti-replay enable command).

Precautions

When both anti-replay window and ipsec anti-replay window are used, the anti-replay window command takes effect. When anti-replay window is not configured, the ipsec anti-replay window command takes effect.

Example

# Set the global IPSec anti-replay window size to 128 bits.

<HUAWEI> system-view
[HUAWEI] ipsec anti-replay window 128 
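The sliding-window check described under ipsec anti-replay enable, and the effect of the window size set here (or per tunnel with anti-replay window), as an added Python example. This is not Huawei code and does not claim to reproduce the switch's internal implementation; it follows the RFC 4303 anti-replay window algorithm. The packet streams REPLAYED and DELAYED are constructed: one contains a genuine replay, the other a packet that QoS held back until a much higher sequence number of the same SA had already arrived.

```python
"""Anti-replay sliding window over ESP/AH sequence numbers.

Added example, not Huawei code; it follows the RFC 4303 window algorithm
and does not claim to reproduce the switch's internal implementation.
"""
from typing import List, Tuple

# Window sizes the anti-replay window / ipsec anti-replay window commands accept.
ALLOWED_SIZES = (32, 64, 128, 256, 512, 1024)

class AntiReplayWindow:
    """Inbound-SA replay state: highest accepted sequence number plus a bitmap."""

    def __init__(self, size: int = 1024) -> None:
        if size not in ALLOWED_SIZES:
            raise ValueError(f"window size must be one of {ALLOWED_SIZES}")
        self.size = size
        self.top = 0        # highest sequence number accepted so far (right edge)
        self.bitmap = 0     # bit i set means sequence number top - i was accepted

    def check(self, seq: int) -> Tuple[bool, str]:
        """Replay-check one authenticated packet; update the window if accepted."""
        if seq <= 0 or seq > 0xFFFFFFFF:
            return False, "dropped: invalid 32-bit sequence number"
        if seq > self.top:
            # Right of the window: slide it so that seq becomes the new right edge.
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                     # everything seen before is now too old
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True, "accepted, window advanced"
        offset = self.top - seq
        if offset >= self.size:
            return False, "dropped: left of window (too old)"
        if self.bitmap & (1 << offset):
            return False, "dropped: duplicate within window"
        self.bitmap |= 1 << offset
        return True, "accepted, inside window"

def run(seqs: List[int], size: int) -> List[Tuple[bool, str]]:
    """Feed a stream of sequence numbers through a fresh window of the given size."""
    window = AntiReplayWindow(size)
    return [window.check(s) for s in seqs]

def dropped(seqs: List[int], size: int) -> int:
    """Number of packets the window would discard."""
    return sum(1 for ok, _ in run(seqs, size) if not ok)

# Constructed streams: a true replay of sequence number 2, and a low-priority
# packet (5) delivered only after packet 100 of the same SA had gone through.
REPLAYED = [1, 2, 3, 2]
DELAYED = [1, 2, 3, 100, 5]

if __name__ == "__main__":
    print("replay, window 32:", run(REPLAYED, 32)[-1])
    for size in (32, 128):
        print(f"delayed packet, window {size}:", run(DELAYED, size)[-1])
```

The delayed packet is discarded with a 32-bit window (it sits 95 positions behind the right edge) but accepted with a 128-bit window, which is the reordering case the Precautions paragraph describes; the genuine replay is discarded at any window size, so widening the window costs nothing in replay protection as long as the packet has never been seen.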

ipsec efficient-vpn (interface view)

Function

The ipsec efficient-vpn command binds an Efficient VPN policy to an interface.

The undo ipsec efficient-vpn command deletes the Efficient VPN policy from an interface.

By default, no Efficient VPN policy is applied to an interface.

Format

ipsec efficient-vpn efficient-vpn-name

undo ipsec efficient-vpn

Parameters

Parameter | Description | Value
efficient-vpn-name | Specifies the name of an Efficient VPN policy. | The value is an existing Efficient VPN policy name.

Views

VLANIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be configured on the branch and headquarters gateways. The Efficient VPN solution uses centralized IPSec configurations on the headquarters gateway and simplified IPSec configuration on each branch gateway. This solution reduces the manual configuration workload, and facilitates IPSec VPN configuration and maintenance.

Prerequisites

An Efficient VPN policy has been created using the ipsec efficient-vpn (system view) command.

Precautions

If an Efficient VPN policy is used to establish an IPSec tunnel between the enterprise branch and headquarters, apply the Efficient VPN policy to the branch gateway and use an IPSec policy template on the headquarters gateway to create an IPSec policy.

Example

# Apply the Efficient VPN policy named evpn to VLANIF10.
<HUAWEI> system-view
[HUAWEI] interface vlanif 10
[HUAWEI-Vlanif10] ipsec efficient-vpn evpn

ipsec efficient-vpn (system view)

Function

The ipsec efficient-vpn command creates an IPSec Efficient VPN policy and displays the IPSec Efficient VPN policy view.

The undo ipsec efficient-vpn command deletes an IPSec Efficient VPN policy.

By default, no IPSec Efficient VPN policy is created in the system.

Format

ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-plus } ]

undo ipsec efficient-vpn efficient-vpn-name

Parameters

Parameter | Description | Value
efficient-vpn-name | Specifies the name of an Efficient VPN policy. | The value is a string of 1 to 12 case-sensitive characters without question marks (?) or spaces.
mode | Specifies the mode of the Efficient VPN policy. | -
client | Indicates the client mode. | -
network | Indicates the network mode. | -
network-plus | Indicates the network-plus mode. | -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be configured on the branch and headquarters gateways. The Efficient VPN solution uses centralized IPSec configurations on the headquarters gateway and simplified IPSec configuration on each branch gateway. This solution reduces the manual configuration workload, and facilitates IPSec VPN configuration and maintenance.

The Efficient VPN policy has the following modes:

  • Client mode

    When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface. The remote device uses this IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where small-scale branches connect to the headquarters network through private networks. In client mode, devices connected to the Efficient VPN server or remote devices can use the same IP address. However, the number of devices allowed depends on the number of IP addresses assigned by the Efficient VPN server.

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address. Instead, the remote device uses the original IP address to establish an IPSec tunnel with the headquarters.

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    Unlike in network mode, in network-plus mode the remote device also applies to the Efficient VPN server for an IP address. The IP addresses of branches and headquarters are configured beforehand. The remote device applies to the Efficient VPN server for an IP address, and the server uses this IP address to perform ping, Telnet, or other management and maintenance operations on the remote device.

Follow-up Procedure

Configure negotiation parameters of Efficient VPN in the Efficient VPN policy view, and use the ipsec efficient-vpn (interface view) command to bind the Efficient VPN policy to an interface.

Example

# Create the Efficient VPN policy named vpn1 in client mode.

<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn vpn1 mode client
[HUAWEI-ipsec-efficient-vpn-vpn1]

ipsec sa global-duration

Function

The ipsec sa global-duration command sets the global hard lifetime of IPSec SAs.

The undo ipsec sa global-duration command restores the default global hard lifetime of IPSec SAs.

By default, the global time-based SA hard lifetime is 3600 seconds and the global traffic-based SA hard lifetime is 1843200 Kbytes.

Format

ipsec sa global-duration { time-based interval | traffic-based size }

undo ipsec sa global-duration { time-based | traffic-based }

Parameters

Parameter: time-based interval
Description: Specifies the time-based global IPSec SA hard lifetime. When a large number of IPSec tunnels are established between two devices, set this value to 1800 seconds or more. When about 90% of the hard lifetime has elapsed, the device initiates IPSec SA negotiation again.
Value: An integer from 30 to 604800, in seconds.

Parameter: traffic-based size
Description: Specifies the traffic-based global IPSec SA hard lifetime. Set it to at least the volume of IPSec traffic the device forwards in one hour; otherwise the traffic limit, not the time limit, will trigger rekeying.
Value: 0 or an integer from 256 to 200000000, in Kbytes. The value 0 disables the traffic-based lifetime:
  • IKEv1: if the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic-based timeout.
  • IKEv2: if the traffic hard lifetime is set to 0 on either device, the local device disables the traffic-based timeout.
  When a Huawei device negotiates with a Cisco device using IKEv1:
  • If the Huawei device is the initiator and its traffic hard lifetime is 0, the traffic hard lifetime pushed by the Cisco device takes effect on the Huawei end.
  • If the Huawei device is the responder and its traffic hard lifetime is 0, the value 0 takes effect on the Huawei end.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a dynamic SA, configure the SA hard lifetime so that the SA, and with it the keys, is replaced periodically. Limiting how long and for how much traffic one key is used reduces the damage a compromised key can do and improves security.

There are two ways to measure the lifetime:
  • Time-based lifetime: the period from when an SA is set up until it expires.
  • Traffic-based lifetime: the maximum volume of traffic the SA can process.

The lifetime is classified as follows:
  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 10-25 lists the default soft lifetime values.
    Table 10-25  Soft lifetime values
    Soft Lifetime Type                                    Description
    Time-based soft lifetime (soft timeout period)        7/10 of the actual hard lifetime (hard timeout period)
    Traffic-based soft lifetime (soft timeout traffic)    7/10 of the actual hard lifetime (hard timeout traffic)

Before an IPSec SA expires, IKE negotiates a new IPSec SA with the remote end, and both ends start protecting traffic with the new IPSec SA as soon as negotiation completes. If service traffic is being transmitted, the original IPSec SA is deleted immediately; if not, it is deleted after 10 seconds or when its hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

Precautions

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation, the initiator or responder cannot initiate IPSec SA renegotiation if the IKE SA is deleted and the IPSec SA soft lifetime expires.

Example

# Set the time-based global SA hard lifetime to 7200s.

<HUAWEI> system-view
[HUAWEI] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA hard lifetime to 10 MB.

<HUAWEI> system-view
[HUAWEI] ipsec sa global-duration traffic-based 10240

local-id-type

Function

The local-id-type command sets the type of the local ID used in IKE negotiation.

The undo local-id-type command restores the default type of the local ID used in IKE negotiation.

By default, the local ID type used by IKE negotiation is IP.

Format

local-id-type { fqdn | ip | key-id | user-fqdn }

undo local-id-type

Parameters

Parameter Description Value
fqdn Specifies the name as the local ID. -
ip Specifies the IP address as the local ID. -
key-id Specifies the key-id as the local ID. -
user-fqdn Specifies the USER-FQDN as the local ID. -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Identity authentication is a protection mechanism of IKE negotiation: each device confirms the identity of the other communicating party before the negotiation proceeds. The two IKE peers may use different ID types. This command configures the type of the local ID that this IKE peer presents.

Precautions

  • The local ID type can differ from the remote ID type. Separate commands specify the local and remote ID types.
  • For pre-shared key authentication, the local ID type configured on the local end must match the remote ID type configured on the remote end, and the local ID value on the local end must match the remote ID value configured on the remote end. A mismatch in either causes authentication to fail.
Different authentication methods support different ID types, as shown in Table 10-26.
Table 10-26  Relationship between local IKE ID types, local ID, and authentication methods
Authentication method: pre-share
  IP         Supported. By default, the local ID is the local IP address used for IKE negotiation.
  FQDN       Supported. The local ID is the name specified by the ike local-name command; all peers on the device use this ID for identity authentication.
  USER-FQDN  Supported. The local ID is the name specified by the ike local-name command; all peers on the device use this ID for identity authentication.
  key-id     Supported. Often used when the device applying the Efficient VPN policy is a remote end communicating with Cisco devices.

Example

# Set the local ID type of Efficient VPN to FQDN.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] local-id-type fqdn

pfs

Function

The pfs command enables Perfect Forward Secrecy (PFS) when the local end initiates negotiation.

The undo pfs command disables PFS when the local end initiates negotiation.

By default, PFS is not used when the local end initiates negotiation.

Format

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs

Parameters

Parameter Description Value
dh-group1 Uses the 768-bit DH group. -
dh-group2 Uses the 1024-bit DH group. -
dh-group5 Uses the 1536-bit DH group. -
dh-group14 Uses the 2048-bit DH group. -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation with PFS enabled, an additional DH exchange is performed in IKEv1 phase 2 (quick mode) or in the IKEv2 CREATE_CHILD_SA exchange. The IPSec SA keys are then derived from fresh DH material rather than only from the IKE SA keys, so a compromise of the IKE SA keys does not expose the IPSec SA keys. This improves the security of the IPSec SA key and of the protected communication.

Precautions

dh-group1, dh-group2, and dh-group5 (768-, 1024-, and 1536-bit groups) are considered weak and have potential security risks. dh-group14 (2048-bit) is recommended.

Table 10-27 describes whether the PFS DH groups configured on the local and remote ends must match when PFS is enabled.
Table 10-27  Description of PFS DH groups
Security policy mode on the local and remote ends: IPSec policy in ISAKMP mode on both ends
  The DH groups specified on the two ends must be the same; otherwise, IPSec SA negotiation fails.

Security policy mode on the local and remote ends: IPSec policy in ISAKMP mode on one end and IPSec policy created from an IPSec policy template on the other end
  • If PFS is enabled in the IPSec policy template: the DH groups specified on the two ends must be the same; otherwise, IPSec SA negotiation fails.
  • If PFS is disabled in the IPSec policy template: IPSec SA negotiation may succeed even when the DH groups differ, because the responder uses the DH group proposed by the initiator.

Security policy mode on the local and remote ends: IPSec profile on both ends
  The DH groups specified on the two ends must be the same; otherwise, IPSec SA negotiation fails.
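To show what the extra DH exchange buys, the following added Python (not Huawei code) derives CHILD_SA keying material the IKEv2 way, KEYMAT = prf+(SK_d, Ni | Nr) without PFS and prf+(SK_d, g^ir | Ni | Nr) with PFS (RFC 7296 section 2.17), and compares it with what an attacker who has obtained SK_d and everything sent on the wire can recompute. The DH group is a toy 127-bit group chosen only so the example runs instantly; it is not an IKE group, and a real peer selects a standard group such as dh-group14.

```python
"""IKEv2 CHILD_SA key derivation with and without PFS (added example, not device code)."""
import hashlib
import hmac
import secrets
from typing import Tuple

# Toy DH group used only so the example runs quickly (assumption, not an IKE group):
# a 127-bit Mersenne prime with generator 2. Real peers use a standard group such as
# the 2048-bit MODP group 14 (RFC 3526) selected with `pfs dh-group14`.
TOY_P = (1 << 127) - 1
TOY_G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the IKEv2 PRFs."""
    return hmac.new(key, data, hashlib.sha256).digest()


def prf_plus(key: bytes, seed: bytes, length: int) -> bytes:
    """prf+ from RFC 7296 section 2.13: T1 = prf(K, S|0x01), Tn = prf(K, Tn-1|S|n)."""
    out, t, n = b"", b"", 1
    while len(out) < length:
        t = prf(key, t + seed + bytes([n]))
        out += t
        n += 1
    return out[:length]


def child_keymat(sk_d: bytes, ni: bytes, nr: bytes, g_ir: bytes = b"", length: int = 64) -> bytes:
    """KEYMAT for a CHILD_SA (RFC 7296 section 2.17).
    Without PFS: prf+(SK_d, Ni | Nr).  With PFS: prf+(SK_d, g^ir (new) | Ni | Nr)."""
    return prf_plus(sk_d, g_ir + ni + nr, length)


def dh_keypair() -> Tuple[int, int]:
    x = secrets.randbelow(TOY_P - 2) + 1       # private exponent
    return x, pow(TOY_G, x, TOY_P)             # (private, public)


def dh_shared(peer_public: int, private: int) -> bytes:
    return pow(peer_public, private, TOY_P).to_bytes(16, "big")


def rekey(pfs: bool) -> Tuple[bytes, bytes]:
    """Simulate one CREATE_CHILD_SA rekey. Returns (keymat the peers derive,
    keymat an attacker derives who holds SK_d and everything sent on the wire)."""
    sk_d = secrets.token_bytes(32)                              # IKE SA secret, assumed compromised
    ni, nr = secrets.token_bytes(32), secrets.token_bytes(32)   # nonces, visible on the wire
    if not pfs:
        return child_keymat(sk_d, ni, nr), child_keymat(sk_d, ni, nr)
    xi, gi = dh_keypair()                              # initiator; gi is on the wire
    xr, gr = dh_keypair()                              # responder; gr is on the wire
    shared = dh_shared(gr, xi)
    assert shared == dh_shared(gi, xr)                 # both peers agree on g^ir
    # The attacker sees gi and gr but holds neither private exponent, so cannot form g^ir.
    return child_keymat(sk_d, ni, nr, shared), child_keymat(sk_d, ni, nr)


if __name__ == "__main__":
    for pfs in (False, True):
        real, attacker = rekey(pfs)
        print(f"pfs={pfs}: attacker recovers CHILD_SA keys: {real == attacker}")
```

Without PFS the attacker who holds SK_d derives exactly the peers' KEYMAT; with PFS the derivation additionally needs g^ir, which the public values on the wire do not reveal. This is also why the DH groups must match (Table 10-27): both sides must compute the same g^ir or the CHILD_SA keys differ and the SA is unusable.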

Example

# Enable the PFS feature in the IPSec Efficient VPN policy evpn.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] pfs dh-group14

pre-shared-key (Efficient VPN policy view)

Function

The pre-shared-key command configures the pre-shared key used by IKE peers to perform pre-shared key authentication.

The undo pre-shared-key command deletes the pre-shared key used by IKE peers to perform pre-shared key authentication.

By default, the pre-shared key used by IKE peers to perform pre-shared key authentication is not configured.

Format

pre-shared-key { simple | cipher } key

undo pre-shared-key

Parameters

Parameter: simple
Description: Indicates that the pre-shared key is entered, and stored, in plain text. The key appears in plain text in the configuration file.
NOTICE: If simple is selected, the key is saved in the configuration file in plain text, so anyone who can read the configuration learns the key. Select cipher so that the key is saved in cipher text.
Value: -

Parameter: cipher
Description: Indicates that the pre-shared key is stored in cipher text. The key can be entered in plain text or cipher text, but it is displayed in cipher text in the configuration file.
Value: -

Parameter: key
Description: Specifies the pre-shared key used by IKE peers to perform pre-shared key authentication.
Value: A string of case-sensitive characters without spaces. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters. If the string is enclosed in double quotation marks (" "), it can contain spaces.
NOTE: To improve security, the pre-shared key should contain at least three of the four character types (lowercase letters, uppercase letters, digits, special characters) and be at least 6 characters long. Treat 6 characters as a floor, not a target: a short key can be guessed offline by an attacker who captures an IKEv1 aggressive mode exchange, so prefer a long, randomly generated key.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During IKE negotiation, IPSec can use pre-shared key authentication to verify the identities of the communicating parties. With pre-shared key authentication, both ends hold the same key. Each end derives an authentication value from the key and the data exchanged during negotiation and sends it to the peer (in the HASH payload in IKEv1 and the AUTH payload in IKEv2). The receiver recomputes the value with its own copy of the key; if the two values match, the sender has proved possession of the key and passes identity verification.

Precautions

Both ends of IKE negotiation must be configured with the same pre-shared key.
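The check both ends perform can be seen in the following added Python, which is not device code. It computes the IKEv2 shared-key AUTH value, prf(prf(psk, "Key Pad for IKEv2"), SignedOctets) from RFC 7296 section 2.15, and verifies it on the responder side together with the remote ID comparison described under local-id-type. The message, nonce and SK_p values are constructed placeholders, the SignedOctets framing is simplified, and the page's example key huawei@123 is used only for illustration; a helper also applies the minimum key rule the page recommends.

```python
"""IKEv2 shared-key authentication check (added example, not device code)."""
import hashlib
import hmac
import string

KEY_PAD = b"Key Pad for IKEv2"   # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def signed_octets(first_message: bytes, peer_nonce: bytes, sk_p: bytes, id_payload: bytes) -> bytes:
    """SignedOctets = RealMessage | NonceData | prf(SK_p, IDPayload) (RFC 7296 section 2.15).
    The framing is simplified (assumption); a real stack hashes the exact wire bytes."""
    return first_message + peer_nonce + prf(sk_p, id_payload)


def psk_auth(psk: bytes, octets: bytes) -> bytes:
    """AUTH data for shared-key authentication: prf(prf(psk, KEY_PAD), SignedOctets)."""
    return prf(prf(psk, KEY_PAD), octets)


def verify_peer(psk: bytes, expected_remote_id: bytes, first_message: bytes, peer_nonce: bytes,
                sk_p: bytes, claimed_id: bytes, auth: bytes) -> bool:
    """Responder-side check. Both conditions the page states must hold: the ID the peer
    presents equals the configured remote ID, and the AUTH value matches what our own
    copy of the pre-shared key produces over the same octets."""
    if claimed_id != expected_remote_id:
        return False
    expected = psk_auth(psk, signed_octets(first_message, peer_nonce, sk_p, claimed_id))
    return hmac.compare_digest(expected, auth)


def psk_meets_page_rule(psk: str) -> bool:
    """The floor the page recommends: at least 6 characters and at least 3 of the 4
    classes lowercase, uppercase, digits, special characters."""
    classes = (any(c.islower() for c in psk), any(c.isupper() for c in psk),
               any(c.isdigit() for c in psk), any(c in string.punctuation for c in psk))
    return len(psk) >= 6 and sum(classes) >= 3


# Constructed sample exchange (placeholder values, not captured traffic).
MSG1 = b"IKE_SA_INIT(initiator)"
NONCE_R = b"responder-nonce"
SK_PI = b"\x11" * 32
ID_I = b"branch1.example.com"


def demo(server_psk: bytes, client_psk: bytes, client_id: bytes = ID_I) -> bool:
    """Client signs with its key and ID; the server verifies with its configured key and remote ID."""
    auth = psk_auth(client_psk, signed_octets(MSG1, NONCE_R, SK_PI, client_id))
    return verify_peer(server_psk, ID_I, MSG1, NONCE_R, SK_PI, client_id, auth)


if __name__ == "__main__":
    print("same key:       ", demo(b"huawei@123", b"huawei@123"))
    print("different key:  ", demo(b"huawei@123", b"huawei@124"))
    print("wrong remote-id:", demo(b"huawei@123", b"huawei@123", b"branch2.example.com"))
    print("key meets rule: ", psk_meets_page_rule("huawei@123"))
```

A one-character difference in the key, or an ID that does not match the configured remote-id, makes verification fail, which is the practical meaning of "both ends must be configured with the same pre-shared key". Note that hmac.compare_digest is used for the comparison so that verification time does not depend on where the values first differ.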

Example

# Configure pre-shared key authentication in the Efficient VPN policy evpn and set the pre-shared key to huawei@123 in cipher text.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] pre-shared-key cipher huawei@123

re-authentication interval

Function

The re-authentication interval command sets the IKEv2 re-authentication interval.

The undo re-authentication interval command cancels the configuration.

By default, the device does not perform IKEv2 re-authentication.

Format

re-authentication interval interval

undo re-authentication interval

Parameters

Parameter: interval
Description: Specifies the IKEv2 re-authentication interval. When about 70% of the interval has elapsed, the device initiates IKEv2 re-authentication.
Value: An integer from 60 to 604800, in seconds.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In remote access scenarios, the peers communicate across untrusted networks for long periods, and a peer's credentials may be revoked or compromised while the tunnel is up. To improve IPSec network security, run this command so that the peers periodically re-authenticate each other; a peer that can no longer authenticate cannot keep the tunnel alive past the next re-authentication.

Precautions

Only IKEv2 supports re-authentication.

Example

# Set the re-authentication interval to 400 seconds in the IPSec Efficient VPN policy.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] re-authentication interval 400 

remote-address (Efficient VPN policy view)

Function

The remote-address command configures an IP address or domain name for the remote IKE peer during IKE negotiation.

The undo remote-address command deletes an IP address or domain name for the remote IKE peer during IKE negotiation.

By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

Format

remote-address { ip-address | host-name host-name } { v1 | v2 }

undo remote-address [ ip-address | host-name host-name ]

Parameters

Parameter: ip-address
Description: Specifies the IP address of the remote IKE peer.
Value: Dotted decimal notation.

Parameter: host-name host-name
Description: Specifies the domain name of the remote IKE peer.
Value: An existing remote IKE peer domain name.

Parameter: v1
Description: Indicates that both ends use IKEv1.
Value: -

Parameter: v2
Description: Indicates that both ends use IKEv2.
Value: -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The remote-address command configures the IP address or domain name of the remote IKE peer in an Efficient VPN policy. If a domain name is configured, the IP address of the remote IKE peer is resolved in either of the following ways:
  • Static mode: the IP address is taken from a locally configured mapping between the domain name and the IP address.
  • Dynamic mode: the IP address is obtained from a DNS server.

To improve reliability, two devices can be deployed at the headquarters to accept connections from the branch gateway. In an Efficient VPN solution, two remote IKE peer addresses or domain names can then be configured on the branch gateway. The branch gateway first attempts to establish an IKE connection using the first configured address or domain name; if that fails, it tries the second.

Precautions

When you configure two remote IKE peers, both entries must be of the same kind (both IP addresses or both domain names) and must specify the same IKE version. Typically only one device is deployed at the headquarters to connect to the branch gateway, in which case only one remote address is configured.

Example

# Assign the IP addresses 10.1.1.1 and 10.1.2.1 to the remote peer in the Efficient VPN policy view.

<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] remote-address 10.1.1.1 v1
[HUAWEI-ipsec-efficient-vpn-evpn] remote-address 10.1.2.1 v1

# Set the domain name of the remote peer to mypeer in the Efficient VPN policy view.

<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] remote-address host-name mypeer v1

remote-id

Function

The remote-id command specifies the remote ID for IKE negotiation.

The undo remote-id command deletes the remote ID for IKE negotiation.

By default, the remote ID for IKE negotiation is not configured.

Format

remote-id id

undo remote-id

Parameters

Parameter Description Value
id Specifies the remote ID. The value is a string of 1 to 255 case-sensitive characters including special characters, such as the exclamation point (!), at sign (@), number sign (#), dollar sign ($), and percent (%).

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the remote ID type of the IKE peer is DN, FQDN, or USER-FQDN, run this command to set the value of the remote ID. During IKE negotiation, the configured remote ID is used to authenticate the peer.

Precautions

  • In IKEv1, the configured remote ID is used to authenticate only the peer.
  • In IKEv2, the configured remote ID can be sent to the peer to check whether the local name of the peer is the same as this remote ID.

Example

# Set the remote peer name to Huawei in the Efficient VPN policy view.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn name mode client
[HUAWEI-ipsec-efficient-vpn-name] remote-id Huawei

reset ike error-info

Function

The reset ike error-info command clears information about IPSec tunnel negotiation failures using IKE.

Format

reset ike error-info

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

You can run the display ike error-info command to view information about IPSec tunnel negotiation failures using IKE.

Example

# Clear information about IPSec tunnel negotiation failures using IKE.

<HUAWEI> reset ike error-info

reset ike offline-info

Function

The reset ike offline-info command clears information about deleted IPSec tunnels established through IKE negotiation.

Format

reset ike offline-info

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

You can run the display ike offline-info command to check the reasons why IPSec tunnels established through IKE negotiation have been deleted.

Example

# Clear information about deleted IPSec tunnels established using IKE negotiation.

<HUAWEI> reset ike offline-info

reset ike sa

Function

The reset ike sa command clears information about SAs established through IKE negotiation.

Format

reset ike sa [ conn-id conn-id | remote [ ipv4-address ] ]

Parameters

Parameter Description Value
conn-id conn-id Specifies the connection ID of an SA. The value is an integer that ranges from 1 to 4294967295.
remote ipv4-address Specifies the IPv4 address of the remote end. The value is in dotted decimal notation.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To tear down an IPSec tunnel established through IKE negotiation, run the reset ike sa command to clear the IKE SA that negotiated it.

IKE negotiation establishes two types of SA: the IKE SA (phase 1) and the IPSec SA (phase 2). The IKE SA protects the IKE negotiation itself; the IPSec SAs negotiated under its protection protect the data flows.

  • If conn-id identifies a phase 1 IKE SA, the peers do not automatically renegotiate it after it is cleared. A new IKE SA is negotiated only when data flows match the ACL rules in the IPSec policy again.
  • If conn-id identifies a phase 2 IPSec SA, one of the following occurs:
    • Automatic triggering mode: the peers renegotiate the IPSec SA under the protection of the existing IKE SA as soon as it is cleared.
    • Traffic-based triggering mode: the peers renegotiate the IPSec SA under the protection of the existing IKE SA only when data flows match the ACL rules in the IPSec policy again.
  • If conn-id is not specified, all phase 1 IKE SAs are cleared, and renegotiation follows the same rules.

Precautions

After dependency between IPSec SA and IKE SA during IKEv1 negotiation is disabled using the undo ikev1 phase1-phase2 sa dependent command, running the reset ike sa conn-id command to delete an IKE SA will also delete the corresponding IPSec SA.

Example

# Clear IKE SAs in both phases.

<HUAWEI> reset ike sa

reset ike statistics

Function

The reset ike statistics command clears IKE statistics.

Format

reset ike statistics

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

To diagnose and locate faults of IPSec tunnels established using IKE, you can collect IKE statistics in a given period of time. You can run the reset ike statistics command to clear historical IKE statistics before starting statistics collection. You can then run the display ike statistics command to check IKE statistics.

Example

# Clear IKE statistics.

<HUAWEI> reset ike statistics

reset ipsec sa

Function

The reset ipsec sa command deletes IPSec SAs.

Format

reset ipsec sa [ remote ipv4-address | parameters ipv4-address esp spi | efficient-vpn efficient-vpn-name ]

Parameters

Parameter: remote ipv4-address
Description: Specifies the IPv4 address of the remote end.
Value: Dotted decimal notation.

Parameter: parameters ipv4-address esp spi
Description: Specifies the three elements that uniquely identify an IPSec SA: the destination IPv4 address, the protocol (ESP), and the Security Parameter Index (SPI). All three must be specified to reset an SA.
Value: ipv4-address is in dotted decimal notation; the protocol is esp; spi is an integer from 256 to 4294967295.

efficient-vpn efficient-vpn-name

Specifies the name of an Efficient VPN policy.

The value is an existing Efficient VPN policy name.

Views

User view

Default Level

3: Management level

Usage Guidelines

When you run the reset ipsec sa command to delete IPSec SAs, note the following points:
  • If no parameter is specified, all IPSec SAs are deleted.
  • If parameters is specified, the IPSec SAs in both directions are deleted together.
  • To delete IPSec SAs established through IKE negotiation, run the reset ipsec sa and reset ike sa commands in sequence. Otherwise, the IPSec SAs established through IKE negotiation are not deleted. After the IPSec SAs are deleted, the IKE peers renegotiate them only when packets trigger IKE negotiation again.

Example

# Delete the IPSec SA created through Efficient VPN policy evpn.
<HUAWEI> reset ipsec sa efficient-vpn evpn

reset ipsec packet statistics

Function

The reset ipsec packet statistics command deletes statistics about IPSec packets.

Format

reset ipsec packet statistics

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before collecting statistics about IPSec packets within a given period of time, run this command to delete existing statistics.

Precautions

The deleted statistics about IPSec packets cannot be restored. Exercise caution when you run this command.

Example

# Delete statistics about all IPSec packets.

<HUAWEI> reset ipsec packet statistics

sa binding vpn-instance (Efficient VPN policy view)

Function

The sa binding vpn-instance command binds a VPN instance to an IPSec tunnel.

The undo sa binding vpn-instance command unbinds a VPN instance from an IPSec tunnel.

By default, no VPN instance is bound to an IPSec tunnel.

Format

sa binding vpn-instance vpn-instance-name

undo sa binding vpn-instance

Parameters

Parameter: vpn-instance-name
Description: Specifies the name of the VPN instance bound to the IPSec tunnel.
Value: An existing VPN instance name.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Applicable environment

In a VPN with small sites, where CEs and PEs are connected over the Internet rather than leased lines, hosts attached to a CE can reach resources at another VPN site only across the insecure Internet. To secure that access, the hosts can connect to the VPN backbone through an IPSec tunnel.

This command specifies the VPN instance to which the remote end of the IPSec tunnel belongs. The tunnel initiator uses this VPN instance to find the outbound interface and sends the encapsulated packets through it.

Prerequisites

A VPN instance has been created using the ip vpn-instance command.

A route distinguisher (RD) for the VPN instance has been configured using the route-distinguisher command.

Example

# Bind the VPN instance vpna to the Efficient VPN policy evpn.

<HUAWEI> system-view
[HUAWEI] ip vpn-instance vpna
[HUAWEI-vpn-instance-vpna] ipv4-family
[HUAWEI-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[HUAWEI-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[HUAWEI-vpn-instance-vpna-af-ipv4] quit
[HUAWEI-vpn-instance-vpna] quit
[HUAWEI] ipsec efficient-vpn evpn mode client
[HUAWEI-ipsec-efficient-vpn-evpn] sa binding vpn-instance vpna

security acl

Function

The security acl command specifies an ACL to be referenced in an IPSec policy or IPSec policy template.

The undo security acl command cancels the configuration.

By default, an IPSec policy or IPSec policy template does not reference an ACL.

Format

security acl acl-number

undo security acl

Parameters

Parameter: acl-number
Description: Specifies the number of the ACL.
Value: An integer from 3000 to 3999 (advanced ACL).

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The security acl command references an ACL whose permit rules define the data flows to be protected by IPSec. In practice, you configure the rules in the ACL to define the flows to be protected and then apply the ACL in the IPSec policy.

When an IPSec policy is created from an IPSec policy template, you can choose whether to define the data flows to be protected on the responder:
  • If no data flows are specified on the responder, the responder accepts the range of data flows to be protected that the initiator proposes.
  • If data flows are specified on the responder, the responder's configuration must either mirror the initiator's (source and destination swapped) or cover a range that contains the initiator's range.
Precautions

To reference an ACL in an IPSec policy, the ACL must already contain rules, and it must contain no more than 32 rules; otherwise the ACL cannot be referenced in the IPSec policy.
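The mirror-or-contain rule for the responder's ACL can be checked mechanically. The following added Python (not device software) parses the "rule permit PROTO source A W destination B W" form used in the example that follows, mirrors the responder's rules, and tests that every initiator flow is contained in one of them, also enforcing the 32-rule limit. It handles only that rule form with contiguous wildcard masks; port options are not parsed (an assumption of the example).

```python
"""Check a responder's security ACL against an initiator's (added example, not device code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List

MAX_RULES = 32   # an ACL referenced by an IPSec policy may hold at most 32 rules


@dataclass(frozen=True)
class Flow:
    proto: str          # 'ip', 'tcp', 'udp', ...
    src: IPv4Network
    dst: IPv4Network

    def mirror(self) -> "Flow":
        """The same flow seen from the other end: source and destination swapped."""
        return Flow(self.proto, self.dst, self.src)

    def covers(self, other: "Flow") -> bool:
        """True if this rule's range contains `other` ('ip' matches any protocol)."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst))


def _network(addr: str, wildcard: str) -> IPv4Network:
    """Convert 'address wildcard' (e.g. 10.1.1.0 0.0.0.255) to a network; 0.0.0.0 = one host."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):                         # only contiguous low-order wildcard bits supported
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)


def parse_rule(line: str) -> Flow:
    """Parse 'rule [id] permit PROTO source A WA destination B WB' (the form used on this
    page). Ports and other options are not handled (assumption)."""
    tok = line.split()
    if tok[1].isdigit():
        del tok[1]                          # drop the optional rule ID
    if tok[1] != "permit":
        raise ValueError("only permit rules select traffic for IPSec protection")
    s, d = tok.index("source"), tok.index("destination")
    return Flow(tok[2], _network(tok[s + 1], tok[s + 2]), _network(tok[d + 1], tok[d + 2]))


def responder_accepts(initiator_rules: List[str], responder_rules: List[str]) -> bool:
    """Apply the rule stated above: a responder without an ACL accepts the initiator's
    range; otherwise every initiator flow must be contained in the mirror image of some
    responder rule. Both ACLs must also respect the rule-count limit."""
    if len(initiator_rules) > MAX_RULES or len(responder_rules) > MAX_RULES:
        return False
    if not responder_rules:
        return True
    mirrored = [parse_rule(r).mirror() for r in responder_rules]
    return all(any(m.covers(parse_rule(r)) for m in mirrored) for r in initiator_rules)


if __name__ == "__main__":
    branch = ["rule permit ip source 10.1.1.0 0.0.0.255 destination 10.2.0.0 0.0.255.255"]
    hq_ok = ["rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.1.0 0.0.0.255"]
    hq_bad = ["rule 5 permit ip source 10.2.0.0 0.0.255.255 destination 10.1.1.1 0.0.0.0"]
    print(responder_accepts(branch, hq_ok), responder_accepts(branch, hq_bad))  # True False
```

The second headquarters ACL above fails because its mirror image protects only the host 10.1.1.1, which does not contain the branch's 10.1.1.0/24; a responder rule for a wider range (or no responder ACL at all) is accepted.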

Example

# Reference ACL 3101 in an Efficient VPN policy.
<HUAWEI> system-view
[HUAWEI] acl number 3101
[HUAWEI-acl-adv-3101] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[HUAWEI-acl-adv-3101] quit
[HUAWEI] ipsec efficient-vpn name mode network
[HUAWEI-ipsec-efficient-vpn-name] security acl 3101

service-scheme (Efficient VPN policy view)

Function

The service-scheme command configures a server-end service scheme in an Efficient VPN policy.

The undo service-scheme command deletes a server-end service scheme from an Efficient VPN policy.

By default, no server-end service scheme is configured in an Efficient VPN policy.

Format

service-scheme service-scheme-name

undo service-scheme

Parameters

Parameter Description Value
service-scheme-name Specifies the name of a service scheme on the server end. The service scheme name must already exist.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

In an Efficient VPN scenario, network resources such as the DNS domain name, DNS server address, WINS server address, and IP addresses are deployed on the server end (headquarters gateway). The server end pushes this network resource information to the remote ends (branch gateways), which simplifies configuration and maintenance on them.

Remote ends are authorized either through the network resource information pushed by the server end or through the server-end AAA service scheme specified in the Efficient VPN policy. To use the AAA service scheme, run the service-scheme command to configure the server-end service scheme in the Efficient VPN policy and run the local-id-type command to set the ID type to key-id. Otherwise, the configuration does not take effect.

Example

# Configure the server-end service scheme service in an Efficient VPN policy.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn name mode network
[HUAWEI-ipsec-efficient-vpn-name] service-scheme service

tunnel local

Function

The tunnel local command specifies the local address of an IPSec tunnel.

The undo tunnel local command cancels the configuration.

By default, no local IP address is configured for the IPSec tunnel.

Format

tunnel local { ipv4-address | applied-interface }

undo tunnel local

Parameters

Parameter Description Value
ipv4-address Specifies an IPv4 address for the local end of an IPSec tunnel. The value is in dotted decimal notation.
applied-interface Indicates the primary IP address of the IPSec-enabled interface is used as the local address of an IPSec tunnel. -

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Run this command to specify the local endpoint of an IPSec tunnel.

Usually no local IP address needs to be configured: during SA negotiation the device selects a suitable address based on routing information. Configure the local address in the following situations:
  • The IP address of the interface to which the IPSec policy is applied changes or is unknown. Run the tunnel local ipv4-address command to use the IP address of another interface (such as a loopback interface) as the local tunnel address, or run the tunnel local applied-interface command to use the IP address of the interface to which the policy is applied.
  • The interface to which the IPSec policy is applied has multiple IP addresses (one primary and several secondary). Run the tunnel local ipv4-address command to select one of them as the local tunnel address, or run the tunnel local applied-interface command to use the primary IP address.
  • Equal-cost routes exist between the local and remote ends. Run the tunnel local command to fix the local IP address of the IPSec tunnel so that it does not vary with the route chosen.

Example

# Set the primary IP address of the interface to which the Efficient VPN policy in IKE negotiation mode is applied as the local IP address of the IPSec tunnel.
<HUAWEI> system-view
[HUAWEI] ipsec efficient-vpn name mode network
[HUAWEI-ipsec-efficient-vpn-name] tunnel local applied-interface
Updated: 2019-04-18

Document ID: EDOC1000178165