NETCONF YANG API Reference

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

IPSec

IKE Proposal

This section describes the data model of the IKE proposal, and provides samples of creating, deleting, and modifying an IKE proposal.

Data Model

The data model file matching the IKE proposal is huawei-ipsec.yang.

Table 3-1041 IKE proposal (each object is followed by its description)

/huawei-ipsec/ipsec-vpn/ike-proposal

Indicates that the object of the operation request (create, delete, or modify) is the IKE proposal. It is a root object that only contains sub-objects and carries no data itself.

/huawei-ipsec/ipsec-vpn/ike-proposal/id

Indicates the number of the proposal. This number uniquely identifies an IKE proposal. A smaller value indicates a higher priority. The value ranges from 1 to 19.

/huawei-ipsec/ipsec-vpn/ike-proposal/encryption-algorithm

Indicates the encryption algorithm used in the IKE proposal. The value is one of the following predefined enumerated names.

  • des
  • 3des
  • aes-128
  • aes-192
  • aes-256
  • sm1
  • sm4

/huawei-ipsec/ipsec-vpn/ike-proposal/auth-algorithm

Indicates the authentication algorithm the IKE proposal uses in IKEv1 negotiation. The value is one of the following predefined enumerated names.

  • md5
  • sha1
  • sha2-256
  • sha2-384
  • sha2-512
  • sm3

/huawei-ipsec/ipsec-vpn/ike-proposal/integrity-algorithm

Indicates the integrity algorithm the IKE proposal uses in IKEv2 negotiation. The value is one of the following predefined enumerated names.

  • aes-xcbc-96
  • md5
  • sha1
  • sha2-256
  • sha2-384
  • sha2-512

/huawei-ipsec/ipsec-vpn/ike-proposal/prf

Indicates the pseudo-random function (PRF) algorithm used in IKEv2 negotiation. The value is one of the following predefined enumerated names.

  • aes-xcbc-128
  • md5
  • sha1
  • sha2-256
  • sha2-384
  • sha2-512

/huawei-ipsec/ipsec-vpn/ike-proposal/dh

Indicates the Diffie-Hellman (DH) group used for IKE phase 1 key negotiation. The value is one of the following predefined enumerated names.

  • group1
  • group2
  • group5
  • group14
  • group19
  • group20
  • group21

/huawei-ipsec/ipsec-vpn/ike-proposal/auth-mode

Indicates the authentication method used in IKE SA negotiation (mandatory). The value is one of the following predefined enumerated names.

  • digital-envelope
  • pre-share
  • rsa-signature

/huawei-ipsec/ipsec-vpn/ike-proposal/lifetime

Indicates the IKE SA lifetime. The IKE SA is updated automatically when this duration expires. The value ranges from 60 to 604800, in seconds. The default value is 86400.

Creating an IKE Proposal

This section provides a sample of creating an IKE proposal using the merge method. You can also create an IKE proposal using the create method.

Table 3-1042 Creating an IKE proposal

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-ipsec/ipsec-vpn/ike-proposal |

Data Requirements

Table 3-1043 Creating the IKE proposal 13

| Item | Data |
| --- | --- |
| IKE proposal number | 13 |
| Encryption algorithm | aes-256 |
| Authentication algorithm | sha2-256 |
| Integrity algorithm | sha2-256 |
| PRF algorithm | sha2-256 |
| DH group | group5 |
| Authentication mode | pre-share |
| IKE SA lifecycle | 86400 |

Description: Create an IKE proposal. Set the number of the IKE proposal to 13, encryption algorithm to aes-256, authentication algorithm, integrity algorithm, and PRF algorithm to sha2-256, DH group to group5, authentication mode to pre-share, and IKE SA lifecycle to 86400 (in seconds).

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ike-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
          <id>13</id>
          <encryption-algorithm>aes-256</encryption-algorithm>
          <auth-algorithm>sha2-256</auth-algorithm>
          <integrity-algorithm>sha2-256</integrity-algorithm>
          <prf>sha2-256</prf>
          <dh>group5</dh>
          <auth-mode>pre-share</auth-mode>
          <lifetime>86400</lifetime>
        </ike-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf9">
  <ok/>
</rpc-reply>

Modifying the Configuration of an IKE Proposal

This section provides a sample of modifying the configuration of an IKE proposal using the replace method based on the IKE proposal created in the preceding section.

Table 3-1044 Modifying the configuration of an IKE proposal

| Operation | XPATH |
| --- | --- |
| edit-config:replace | /huawei-ipsec/ipsec-vpn/ike-proposal |

Data Requirements

Table 3-1045 Modifying the configuration of the IKE proposal 13

| Item | Data |
| --- | --- |
| IKE proposal number | 13 |
| Encryption algorithm | aes-256 |
| Authentication algorithm | sha2-256 |
| Integrity algorithm | sha2-256 |
| PRF algorithm | sha2-256 |
| DH group | group5 |
| Authentication mode | pre-share |
| IKE SA lifecycle | 80000 |

Description: Modify the SA lifecycle of an IKE proposal to 80000 (in seconds). The number of the IKE proposal is 13, encryption algorithm is aes-256, authentication algorithm, integrity algorithm, and PRF algorithm are sha2-256, DH group is group5, and authentication mode is pre-share.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ike-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
          <id>13</id>
          <encryption-algorithm>aes-256</encryption-algorithm>
          <auth-algorithm>sha2-256</auth-algorithm>
          <integrity-algorithm>sha2-256</integrity-algorithm>
          <prf>sha2-256</prf>
          <dh>group5</dh>
          <auth-mode>pre-share</auth-mode>
          <lifetime>80000</lifetime>
        </ike-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf9">
  <ok/>
</rpc-reply>

Deleting an IKE Proposal

This section provides a sample of deleting an IKE proposal using the remove method.

Table 3-1046 Deleting an IKE proposal

| Operation | XPATH |
| --- | --- |
| edit-config:remove | /huawei-ipsec/ipsec-vpn/ike-proposal |

Data Requirements

Table 3-1047 Deleting the IKE proposal 13

| Item | Data |
| --- | --- |
| IKE proposal number | 13 |
| Encryption algorithm | aes-256 |
| Authentication algorithm | sha2-256 |
| Integrity algorithm | sha2-256 |
| PRF algorithm | sha2-256 |
| DH group | group5 |
| Authentication mode | pre-share |
| IKE SA lifecycle | 86400 |

Description: Delete the IKE proposal 13, of which the encryption algorithm is aes-256, authentication algorithm, integrity algorithm, and PRF algorithm are sha2-256, DH group is group5, authentication mode is pre-share, and the IKE SA lifecycle is 86400s.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ike-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
          <id>13</id>
          <encryption-algorithm>aes-256</encryption-algorithm>
          <auth-algorithm>sha2-256</auth-algorithm>
          <integrity-algorithm>sha2-256</integrity-algorithm>
          <prf>sha2-256</prf>
          <dh>group5</dh>
          <auth-mode>pre-share</auth-mode>
          <lifetime>86400</lifetime>
        </ike-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf9">
  <ok/>
</rpc-reply>

IPSec Proposal

This section describes the data model of the IPSec proposal, and provides samples of creating, deleting, and modifying an IPSec proposal.

Data Model

The data model file matching the IPSec proposal is huawei-ipsec.yang.

Table 3-1048 IPSec proposal (each object is followed by its description)

/huawei-ipsec/ipsec-vpn/ipsec-proposal

Indicates that the object of the operation request (create, delete, or modify) is the IPSec proposal. It is a root object that only contains sub-objects and carries no data itself.

/huawei-ipsec/ipsec-vpn/ipsec-proposal/name

Indicates the proposal name. The name uniquely identifies an IPSec proposal. The value is a string of 1 to 15 case-insensitive characters without question marks (?) or spaces.

/huawei-ipsec/ipsec-vpn/ipsec-proposal/transform-protocol

Indicates the security protocol used in the IPSec proposal (mandatory). The value is one of the predefined enumerated names ah, esp, and ah-esp (AH and ESP combined).

/huawei-ipsec/ipsec-vpn/ipsec-proposal/encapsulation-mode

Indicates the IPSec packet encapsulation mode: tunnel or transport. The default mode is tunnel.

/huawei-ipsec/ipsec-vpn/ipsec-proposal/ah-auth-algorithm

Indicates the authentication algorithm used in the AH protocol. The value is one of the following predefined enumerated names. It cannot be configured when transform-protocol is set to esp.

  • md5
  • sha1
  • sha2-256
  • sha2-384
  • sha2-512
  • sm3

/huawei-ipsec/ipsec-vpn/ipsec-proposal/esp-auth-algorithm

Indicates the authentication algorithm used in the ESP protocol. The value is one of the following predefined enumerated names. It cannot be configured when transform-protocol is set to ah.

  • md5
  • sha1
  • sha2-256
  • sha2-384
  • sha2-512
  • sm3

/huawei-ipsec/ipsec-vpn/ipsec-proposal/esp-encryption-algorithm

Indicates the encryption algorithm used in the ESP protocol. The value is one of the following predefined enumerated names. It cannot be configured when transform-protocol is set to ah.

  • des
  • 3des
  • aes-128
  • aes-192
  • aes-256
  • sm1
  • sm4
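
The constraints in Tables 3-1041 and 3-1048 are only enforced once the request reaches the device, and with rollback-on-error an rpc-error reply is all that comes back. The following Python is an added example, not part of this reference or of Huawei's tooling: it checks an IKE proposal and an IPSec proposal against those two tables, flags legacy algorithm choices for review, and serialises each as the same <edit-config> request the creation sections send. The function names, the dict layout and the WEAK review list are assumptions of the example; only the element names and namespaces come from the page.

```python
"""Pre-check and serialise ike-proposal / ipsec-proposal objects of
huawei-ipsec.yang as NETCONF <edit-config> requests. Limits follow Tables
3-1041 and 3-1048; WEAK is an assumed local review policy, not a model rule.
Constructed example: function names and the dict layout are assumptions,
only the element names and namespaces are the page's."""
import uuid
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_NS = "urn:huawei:params:xml:ns:yang:huawei-ipsec"
ET.register_namespace("nc", NC_NS)
ET.register_namespace("hw", HW_NS)

# Enumerations copied from the data-model tables.
ENCRYPTION = {"des", "3des", "aes-128", "aes-192", "aes-256", "sm1", "sm4"}
HASHES = {"md5", "sha1", "sha2-256", "sha2-384", "sha2-512", "sm3"}
INTEGRITY = {"aes-xcbc-96", "md5", "sha1", "sha2-256", "sha2-384", "sha2-512"}
PRF = {"aes-xcbc-128", "md5", "sha1", "sha2-256", "sha2-384", "sha2-512"}
DH = {"group1", "group2", "group5", "group14", "group19", "group20", "group21"}
AUTH_MODES = {"digital-envelope", "pre-share", "rsa-signature"}
# Values the model still accepts but a reviewer should question (assumed policy).
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}


def _enums(errors, p, table):
    """Append an error for every leaf in p whose value is outside its enumeration."""
    for leaf, allowed in table:
        if leaf in p and p[leaf] not in allowed:
            errors.append(f"{leaf}: {p[leaf]!r} is not a defined value")


def validate_ike_proposal(p):
    """Return the list of constraint violations for an ike-proposal dict."""
    errors = []
    if not 1 <= int(p.get("id", 0)) <= 19:
        errors.append("id must be 1..19")
    if "auth-mode" not in p:
        errors.append("auth-mode is mandatory")
    _enums(errors, p, [("encryption-algorithm", ENCRYPTION), ("auth-algorithm", HASHES),
                       ("integrity-algorithm", INTEGRITY), ("prf", PRF), ("dh", DH),
                       ("auth-mode", AUTH_MODES)])
    if not 60 <= int(p.get("lifetime", 86400)) <= 604800:
        errors.append("lifetime must be 60..604800 seconds")
    return errors


def validate_ipsec_proposal(p):
    """Return the list of constraint violations for an ipsec-proposal dict."""
    errors = []
    name = str(p.get("name", ""))
    if not 1 <= len(name) <= 15 or "?" in name or " " in name:
        errors.append("name: 1..15 characters, no '?' or spaces")
    proto = p.get("transform-protocol")
    if proto not in {"ah", "esp", "ah-esp"}:
        errors.append("transform-protocol is mandatory: ah, esp or ah-esp")
    if p.get("encapsulation-mode", "tunnel") not in {"tunnel", "transport"}:
        errors.append("encapsulation-mode must be tunnel or transport")
    # The AH leaf is invalid under esp; the ESP leaves are invalid under ah.
    forbidden = {"esp": ["ah-auth-algorithm"],
                 "ah": ["esp-auth-algorithm", "esp-encryption-algorithm"]}.get(proto, [])
    for leaf in forbidden:
        if leaf in p:
            errors.append(f"{leaf} cannot be set when transform-protocol is {proto}")
    _enums(errors, p, [("ah-auth-algorithm", HASHES), ("esp-auth-algorithm", HASHES),
                       ("esp-encryption-algorithm", ENCRYPTION)])
    return errors


def weak_choices(p):
    """Leaves whose value is on the WEAK list, for review rather than rejection."""
    return sorted(leaf for leaf, value in p.items() if value in WEAK)


def build_proposal_rpc(container, leaves, operation="merge", message_id=None):
    """Serialise one proposal as <edit-config> on <running> with rollback-on-error,
    terminated by the NETCONF 1.0 end-of-message delimiter."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id or str(uuid.uuid4())})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}target"), f"{{{NC_NS}}}running")
    ET.SubElement(edit, f"{{{NC_NS}}}error-option").text = "rollback-on-error"
    vpn = ET.SubElement(ET.SubElement(edit, f"{{{NC_NS}}}config"), f"{{{HW_NS}}}ipsec-vpn")
    obj = ET.SubElement(vpn, f"{{{HW_NS}}}{container}", {f"{{{NC_NS}}}operation": operation})
    for leaf, value in leaves.items():
        ET.SubElement(obj, f"{{{HW_NS}}}{leaf}").text = str(value)
    return ET.tostring(rpc, encoding="unicode") + "\n]]>]]>"


def leaves_in_rpc(text, container):
    """Round trip: parse a serialised request, return (operation, leaf values)."""
    root = ET.fromstring(text.removesuffix("\n]]>]]>"))
    obj = root.find(f".//{{{HW_NS}}}{container}")
    return obj.get(f"{{{NC_NS}}}operation"), {c.tag.split("}")[1]: c.text for c in obj}


# Proposal 13 of Tables 3-1043 and 3-1050 (IKE and IPSec), as dicts.
IKE_PROPOSAL_13 = {"id": 13, "encryption-algorithm": "aes-256", "auth-algorithm": "sha2-256",
                   "integrity-algorithm": "sha2-256", "prf": "sha2-256", "dh": "group5",
                   "auth-mode": "pre-share", "lifetime": 86400}
IPSEC_PROPOSAL_13 = {"name": "13", "transform-protocol": "ah-esp", "encapsulation-mode": "tunnel",
                     "ah-auth-algorithm": "sha2-256", "esp-auth-algorithm": "sha2-256",
                     "esp-encryption-algorithm": "aes-256"}
```

The serialiser uses explicit nc: and hw: prefixes rather than the default namespaces of the page's samples; the two forms are namespace-equivalent to a NETCONF server.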
Creating an IPSec Proposal

This section provides a sample of creating an IPSec proposal using the merge method. You can also create an IPSec proposal using the create method.

Table 3-1049 Creating an IPSec proposal

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-ipsec/ipsec-vpn/ipsec-proposal |

Data Requirements

Table 3-1050 Creating the IPSec proposal 13

| Item | Data |
| --- | --- |
| IPSec proposal name | 13 |
| Security protocol | ah-esp |
| Encapsulation mode | tunnel |
| Authentication algorithm used in the AH protocol | sha2-256 |
| Authentication algorithm used in the ESP protocol | sha2-256 |
| Encryption algorithm used in the ESP protocol | aes-256 |

Description: Create an IPSec proposal, and set the proposal name to 13, security protocol to ah-esp, encapsulation mode to tunnel, authentication algorithms used in the AH and ESP protocols to sha2-256, and encryption algorithm used in the ESP protocol to aes-256.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ipsec-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
          <name>13</name>
          <transform-protocol>ah-esp</transform-protocol>
          <encapsulation-mode>tunnel</encapsulation-mode>
          <ah-auth-algorithm>sha2-256</ah-auth-algorithm>
          <esp-auth-algorithm>sha2-256</esp-auth-algorithm>
          <esp-encryption-algorithm>aes-256</esp-encryption-algorithm>
        </ipsec-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf20">
  <ok/>
</rpc-reply>

Modifying the Configuration of an IPSec Proposal

This section provides a sample of modifying an IPSec proposal using the replace method based on the IPSec proposal created in the preceding section.

Table 3-1051 Modifying the configuration of an IPSec proposal

| Operation | XPATH |
| --- | --- |
| edit-config:replace | /huawei-ipsec/ipsec-vpn/ipsec-proposal |

Data Requirements

Table 3-1052 Modifying the configuration of the IPSec proposal 13

| Item | Data |
| --- | --- |
| IPSec proposal name | 13 |
| Security protocol | ah-esp |
| Encapsulation mode | tunnel |
| Authentication algorithm used in the AH protocol | sha2-256 |
| Authentication algorithm used in the ESP protocol | sha2-384 |
| Encryption algorithm used in the ESP protocol | aes-256 |

Description: Modify the authentication algorithm used in the ESP protocol to sha2-384 for the IPSec proposal 13, of which the security protocol is ah-esp, encapsulation mode is tunnel, authentication algorithm used in the AH protocol is sha2-256, and encryption algorithm used in the ESP protocol is aes-256.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ipsec-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
          <name>13</name>
          <transform-protocol>ah-esp</transform-protocol>
          <encapsulation-mode>tunnel</encapsulation-mode>
          <ah-auth-algorithm>sha2-256</ah-auth-algorithm>
          <esp-auth-algorithm>sha2-384</esp-auth-algorithm>
          <esp-encryption-algorithm>aes-256</esp-encryption-algorithm>
        </ipsec-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf20">
  <ok/>
</rpc-reply>

Deleting an IPSec Proposal

This section provides a sample of deleting an IPSec proposal using the remove method.

Table 3-1053 Deleting an IPSec proposal

| Operation | XPATH |
| --- | --- |
| edit-config:remove | /huawei-ipsec/ipsec-vpn/ipsec-proposal |

Data Requirements

Table 3-1054 Deleting the IPSec proposal 13

| Item | Data |
| --- | --- |
| IPSec proposal name | 13 |
| Security protocol | ah-esp |
| Encapsulation mode | tunnel |
| Authentication algorithm used in the AH protocol | sha2-256 |
| Authentication algorithm used in the ESP protocol | sha2-384 |
| Encryption algorithm used in the ESP protocol | aes-256 |

Description: Delete the IPSec proposal 13, of which the security protocol is ah-esp, encapsulation mode is tunnel, authentication algorithms used in the AH and ESP protocols are sha2-256 and sha2-384, respectively, and the encryption algorithm used in the ESP protocol is aes-256.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
  <edit-config>
    <target>
      <running/>
    </target>
    <error-option>rollback-on-error</error-option>
    <config>
      <ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
        <ipsec-proposal xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
          <name>13</name>
          <transform-protocol>ah-esp</transform-protocol>
          <encapsulation-mode>tunnel</encapsulation-mode>
          <ah-auth-algorithm>sha2-256</ah-auth-algorithm>
          <esp-auth-algorithm>sha2-384</esp-auth-algorithm>
          <esp-encryption-algorithm>aes-256</esp-encryption-algorithm>
        </ipsec-proposal>
      </ipsec-vpn>
    </config>
  </edit-config>
</rpc>
]]>]]>

Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf20">
  <ok/>
</rpc-reply>

IPSec Connection

This section describes the data model of the IPSec connection, and provides samples of creating, deleting, and modifying an IPSec connection.

Data Model

The data model file matching the IPSec connection is huawei-ipsec.yang.

Table 3-1055 IPSec connection (each object is followed by its description)

/huawei-ipsec/ipsec-vpn/ipsec-connection

Indicates that the object of the operation request (create, delete, or modify) is the IPSec connection. It is a root object that only contains sub-objects and carries no data itself.

/huawei-ipsec/ipsec-vpn/ipsec-connection/name

Indicates the name of the IPSec connection. The name uniquely identifies an IPSec connection. The value is a string of 1 to 127 case-sensitive characters. It can contain special characters, such as the exclamation point (!), at sign (@), number sign (#), dollar sign ($), and percentage (%), but cannot contain spaces.

/huawei-ipsec/ipsec-vpn/ipsec-connection/secnario

Indicates the IPSec connection scenario (mandatory). Currently, only the p2p-protection (branch), p2mp-protection (headquarters), and ipsec-tunnel scenarios are supported.

/huawei-ipsec/ipsec-vpn/ipsec-connection/tunnel-vpn-name

Indicates the VPN multi-instance that the tunnel of the IPSec connection belongs to.

/huawei-ipsec/ipsec-vpn/ipsec-connection/peer-address

Indicates the peer IPv4 address of the IPSec connection. It does not need to be configured in the p2mp-protection scenario.

/huawei-ipsec/ipsec-vpn/ipsec-connection/trigger-mode

Indicates how IPSec SA setup is triggered for the IPSec connection.

  • auto
  • traffic-based

/huawei-ipsec/ipsec-vpn/ipsec-connection/local-information

Indicates the local information of the IPSec connection. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/local-information/interface-name

Indicates the interface to which an IPSec connection is applied.

/huawei-ipsec/ipsec-vpn/ipsec-connection/local-information/local-address

Indicates the local address of the tunnel for configuring the IPSec connection. It is only used to contain sub-objects, but does not have any data meaning. It does not need to be defined in p2mp-protection scenario.

/huawei-ipsec/ipsec-vpn/ipsec-connection/local-information/local-address/ip-address

Indicates that the local address of the tunnel for IPSec connection is the IPv4 address.

/huawei-ipsec/ipsec-vpn/ipsec-connection/local-information/local-address/use-interface-address

Indicates that the local address of the tunnel for IPSec connection is the primary address of an application interface.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param

Indicates the parameters for configuring IPSec tunnel through IKE negotiation. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/ike-proposal

Indicates the IKE proposal used in IKE negotiation for the IPSec tunnel. The IKE proposal must be configured in advance.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/ike-version

Indicates the IKE version used in IKE negotiation for the IPSec tunnel (mandatory).

  • v1
  • v2
  • all

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/phase1-mode

Indicates the negotiation mode used in IKEv1 negotiation at phase 1 by configuring IPSec tunnel. It does not need to be configured in IKEv2 negotiation scenario.

  • main
  • aggressive

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/local-id

Indicates the local ID information used in IKE negotiation by configuring IPSec tunnel. Different identity authentication modes support different local ID types and ID configuration methods. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/local-id/type

Indicates the local ID type used in IKE negotiation by configuring IPSec tunnel.

  • dn
  • ip
  • key-id
  • fqdn
  • user-fqdn

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/local-id/value

Indicates the local ID used in IKE negotiation by configuring IPSec tunnel. The value is a string of 1 to 255 case-sensitive characters without question mark (?).

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/local-id/local-id-certificate-preference

Indicates whether to enable the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.

  • true
  • false

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/local-id/local-id-reflect-enable

Indicates whether to enable the function of using the local ID of the responder as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.

  • true
  • false

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/peer-id

Indicates the remote ID information used in IKE negotiation by configuring IPSec tunnel. Different identity authentication modes support different remote ID types and ID configuration methods. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/peer-id/type

Indicates the remote ID type used in IKE negotiation by configuring IPSec tunnel.

  • dn
  • ip
  • fqdn
  • user-fqdn
  • any

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/peer-id/value

Indicates the remote ID used in IKE negotiation by configuring IPSec tunnel. The value is a string of 1 to 255 case-sensitive characters. It can contain special characters, such as the exclamation point (!), at sign (@), number sign (#), dollar sign ($), and percentage (%), but cannot contain spaces.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/authentication-information

Indicates the authentication information used in IKE negotiation by configuring IPSec tunnel. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/authentication-information/pre-shared-key

Indicates the pre-shared key used in IKE negotiation by configuring IPSec tunnel. It can be configured only when the connection adopts the pre-share authentication mode of IKE proposal. The value is a string of 1 to 128 case-sensitive characters in plain text without spaces or a string of 48 or 188 case-sensitive characters in cipher text without spaces. The character string can contain spaces if it is enclosed with double quotation marks (").

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/authentication-information/certificate/certificate/authentication/pki-realm-name

Indicates the PKI realm referenced when IPSec is configured to use digital signature authentication.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd

Indicates the parameters used in dead peer detection by configuring IPSec connection. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd/type

Indicates the dead peer detection mode by configuring IPSec connection.

  • periodic
  • on-demand

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd/msg

Indicates the sequence of the payload in DPD packets by configuring IPSec connection. The two ends must use the same sequence of the payload in DPD packets; otherwise, DPD does not take effect.

  • seq-hash-notify
  • seq-notify-hash

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd/interval

Indicates the idle time for DPD by configuring IPSec connection. The value is an integer that ranges from 10 to 3600, in seconds.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd/timeout

Indicates the retransmission interval of DPD packets by configuring IPSec connection. The value is an integer that ranges from 2 to 60, in seconds.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-param/dpd/if-related

Indicates whether to enable the function that checks whether the interface that receives DPD packets is the interface that establishes an IPSec SA.

  • true
  • false

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-packets-output-interface

Indicates outbound interface parameters in an IPSec connection for IKE packets. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ike-packets-output-interface/output-type/interface-name

Indicates an outbound interface in an IPSec connection for IKE packets.

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user

Indicates remote user parameters in an IPSec connection for IKE tunnel negotiation. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user/interface-name

Indicates a tunnel interface in an IPSec connection for association with the remote user.

Multiple remote users may be created on the headquarters device for interconnection with the branches. If multiple tunnel interfaces are applied to the same IPSec profile on the headquarters device, IKE users in the headquarters may fail to match branch tunnel interfaces during IPSec negotiation. To prevent the negotiation failure, you need to configure this parameter.

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user/id-type

Indicates the remote ID type used for IKE tunnel negotiation in an IPSec connection.

  • dn
  • ip
  • fqdn
  • user-fqdn
  • any

If a remote ID is specified by both the remote-user and peer-id parameters, the value specified by the remote-user parameter takes effect.

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user/id-value

Indicates the remote ID used for IKE tunnel negotiation in an IPSec connection. The value is a string of 1 to 255 case-sensitive characters without spaces. It can contain special characters, such as the exclamation point (!), at sign (@), number sign (#), dollar sign ($), and percentage (%).

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user/pre-shared-key

Indicates the pre-shared key used for IKE tunnel negotiation in an IPSec connection. You can configure this parameter only when the authentication mode in the IKE proposal referenced by the IPSec connection is pre-share. The value is a string of 1 to 128 case-sensitive characters in plain text or 48 to 188 case-sensitive characters in cipher text, without spaces. If the string is enclosed in double quotation marks (" "), it can contain spaces.

If a pre-shared key is specified by both the remote-user and authentication-information parameters, the value specified by the remote-user parameter takes effect.

/huawei-ipsec/ipsec-vpn/ipsec-connection/remote-users/remote-user/user-name

Indicates the description of the remote user, used to distinguish remote users in an IPSec connection. The value is a string of 1 to 63 case-sensitive characters; spaces are supported.

/huawei-ipsec/ipsec-vpn/ipsec-connection/ipsec-proposal

Indicates the IPSec proposal used in tunnel negotiation by configuring IPSec connection. The configuration of the IPSec proposal should be completed in advance.

/huawei-ipsec/ipsec-vpn/ipsec-connection/pfs

Indicates the Perfect Forward Secrecy (PFS) function used in tunnel negotiation by configuring IPSec connection.

  • group1
  • group2
  • group5
  • group14
  • group19
  • group20
  • group21

/huawei-ipsec/ipsec-vpn/ipsec-connection/acl

Indicates the ACL rules referenced by tunnel negotiation by configuring IPSec connection. The value is an integer that ranges from 3000 to 3999. ACL rules need to be configured in advance.

/huawei-ipsec/ipsec-vpn/ipsec-connection/anti-replay-enable

Indicates that the anti-replay function in the IPSec connection is enabled.

/huawei-ipsec/ipsec-vpn/ipsec-connection/anti-replay-window

Indicates the anti-replay window size in the IPSec connection. The value can be 32, 64, 128, 256, 512, or 1024.

/huawei-ipsec/ipsec-vpn/ipsec-connection/lifetime-seconds

Indicates the IPSec tunnel lifecycle measured in time. The value is an integer that ranges from 30 to 604800, in seconds.

/huawei-ipsec/ipsec-vpn/ipsec-connection/lifetime-kilobytes

Indicates the IPSec tunnel lifecycle measured in traffic. The value is 0 or an integer that ranges from 256 to 200000000, in Kbytes.

/huawei-ipsec/ipsec-vpn/ipsec-connection/sa-keep-holding-to-hard-duration

Indicates whether to delete the original IPSec SA immediately after the device uses the new IPSec SA to transmit data during IPSec SA re-negotiation.

  • true: The device deletes the original IPSec SA after the hard lifetime expires.
  • false: The device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data.

/huawei-ipsec/ipsec-vpn/ipsec-connection/qos-pre-classify

Indicates that pre-extraction of the original packet information (QoS pre-classification) is enabled.

/huawei-ipsec/ipsec-vpn/ipsec-connection/initiator

Indicates whether the configured IPSec connection acts as an initiator. If response-only is configured, the connection does not initiate tunnel establishment.

  • bi-directional
  • response-only

/huawei-ipsec/ipsec-vpn/ipsec-connection/flow-vpn-name

Indicates the VPN multi-instance for the traffic that IPSec connection belongs to.

/huawei-ipsec/ipsec-vpn/ipsec-connection/reverse-route

Indicates the parameters of the route injection function. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/reverse-route/mode

Indicates the route injection mode.

  • static
  • dynamic

/huawei-ipsec/ipsec-vpn/ipsec-connection/connect-track

Indicates the parameters of detecting link establishment for setting up a tunnel by configuring IPSec connection. It is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-vpn/ipsec-connection/connect-track/track-obj-type

Indicates the type of detecting link establishment for setting up a tunnel by configuring IPSec connection.

  • nqa
  • nqa-group
  • bfd
  • bfd-group
  • vrrp

/huawei-ipsec/ipsec-vpn/ipsec-connection/connect-track/track-obj-name

Indicates the name of detecting link establishment for setting up a tunnel by configuring IPSec connection.

/huawei-ipsec/ipsec-vpn/ipsec-connection/connect-track/track-obj-extern-name

Indicates the extended name of detecting link establishment for setting up a tunnel by configuring IPSec connection.

/huawei-ipsec/ipsec-vpn/ipsec-connection/connect-track/track-obj-state

Indicates the state of detecting link establishment for setting up a tunnel by configuring IPSec connection.

  • up
  • down

/huawei-ipsec/ipsec-vpn/ipsec-connection/disconnect-track/track-obj-type

Indicates the type of detecting link disconnection for setting up a tunnel by configuring IPSec connection.

  • nqa
  • nqa-group
  • bfd
  • bfd-group
  • vrrp

/huawei-ipsec/ipsec-vpn/ipsec-connection/disconnect-track/track-obj-name

Indicates the name of detecting link disconnection for setting up a tunnel by configuring IPSec connection.

/huawei-ipsec/ipsec-vpn/ipsec-connection/disconnect-track/track-obj-extern-name

Indicates the extended name of detecting link disconnection for setting up a tunnel by configuring IPSec connection.

/huawei-ipsec/ipsec-vpn/ipsec-connection/disconnect-track/track-obj-state

Indicates the state of detecting link disconnection for setting up a tunnel by configuring IPSec connection.

  • up
  • down

/huawei-ipsec/ipsec-vpn/ipsec-connection/admin-state

Indicates the IPSec connection state (enabled or disabled). If the connection is disabled, the IPSec connection is not used to establish a tunnel.

/huawei-ipsec/ipsec-vpn/ipsec-connection/status

Indicates the status of the established tunnel through this connection.
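The ipsec-connection object has the most interdependent leaves of the three: a pre-shared key is valid only with a pre-share IKE proposal, a remote-user entry overrides both peer-id and authentication-information, and the referenced IKE and IPSec proposals must already exist. The following Python pre-flight check is an added example, not code from this reference: it applies those rules and the ranges of Table 3-1055 to a connection expressed as nested dicts before anything is sent. check_connection, the dict layout and the proposal lookup tables are assumptions of the example; the leaf names and limits are the page's.

```python
"""Pre-flight checks for an ipsec-connection of huawei-ipsec.yang before it is
pushed with <edit-config>: the ranges and enumerations of Table 3-1055, the two
remote-user precedence rules, the rule that a pre-shared key belongs only with
a pre-share IKE proposal, and references to proposals that must already exist.
Constructed example: check_connection, the nested dict layout and the lookup
tables are assumptions; the leaf names and limits are the page's."""

DH_GROUPS = {"group1", "group2", "group5", "group14", "group19", "group20", "group21"}
WINDOW_SIZES = {32, 64, 128, 256, 512, 1024}
ID_TYPES = {"dn", "ip", "fqdn", "user-fqdn", "any"}


def _check_range(errors, label, value, low, high):
    """Record an error unless value is None or an integer inside [low, high]."""
    if value is not None and not low <= int(value) <= high:
        errors.append(f"{label} must be {low}..{high}, got {value}")


def _check_enum(errors, obj, leaf, allowed):
    """Record an error if leaf is set in obj to a value outside allowed."""
    if obj.get(leaf) is not None and obj[leaf] not in allowed:
        errors.append(f"{leaf} must be one of " + ", ".join(sorted(allowed)))


def _psk_ok(key):
    """1..128 plain-text characters; spaces are allowed only inside double quotes."""
    if len(key) >= 2 and key[0] == key[-1] == '"':
        return 1 <= len(key) - 2 <= 128
    return 1 <= len(key) <= 128 and " " not in key


def check_connection(conn, ike_proposals, ipsec_proposals):
    """Return (errors, effective). ike_proposals maps proposal id -> auth-mode and
    ipsec_proposals is the set of existing proposal names; effective holds the
    remote ID and pre-shared key that apply after remote-user precedence."""
    errors, effective = [], {}
    ike = conn.get("ike-param", {})
    # Both proposals are configured in advance, so the references must resolve.
    auth_mode = ike_proposals.get(str(ike.get("ike-proposal")))
    if auth_mode is None:
        errors.append(f"ike-proposal {ike.get('ike-proposal')!r} does not exist")
    if conn.get("ipsec-proposal") not in ipsec_proposals:
        errors.append(f"ipsec-proposal {conn.get('ipsec-proposal')!r} does not exist")
    if ike.get("ike-version") not in {"v1", "v2", "all"}:
        errors.append("ike-version is mandatory: v1, v2 or all")
    _check_enum(errors, ike, "phase1-mode", {"main", "aggressive"})
    _check_enum(errors, conn, "trigger-mode", {"auto", "traffic-based"})
    _check_enum(errors, conn, "pfs", DH_GROUPS)
    _check_enum(errors, conn, "initiator", {"bi-directional", "response-only"})

    # A remote-user entry takes precedence over peer-id and authentication-information.
    user = conn.get("remote-users", {}).get("remote-user", {})
    peer = ike.get("peer-id", {})
    effective["peer-id-type"] = user.get("id-type", peer.get("type"))
    effective["peer-id-value"] = user.get("id-value", peer.get("value"))
    _check_enum(errors, effective, "peer-id-type", ID_TYPES)
    psk = user.get("pre-shared-key",
                   ike.get("authentication-information", {}).get("pre-shared-key"))
    effective["pre-shared-key"] = psk
    if auth_mode == "pre-share" and psk is None:
        errors.append("IKE proposal uses pre-share but no pre-shared-key is configured")
    if psk is not None and auth_mode not in (None, "pre-share"):
        errors.append(f"pre-shared-key is only allowed with pre-share, not {auth_mode}")
    if psk is not None and not _psk_ok(psk):
        errors.append("pre-shared-key: 1..128 characters, spaces only inside double quotes")

    dpd = ike.get("dpd", {})
    _check_enum(errors, dpd, "type", {"periodic", "on-demand"})
    _check_enum(errors, dpd, "msg", {"seq-hash-notify", "seq-notify-hash"})
    _check_range(errors, "dpd/interval", dpd.get("interval"), 10, 3600)
    _check_range(errors, "dpd/timeout", dpd.get("timeout"), 2, 60)
    _check_range(errors, "acl", conn.get("acl"), 3000, 3999)
    window = conn.get("anti-replay-window")
    if window is not None and int(window) not in WINDOW_SIZES:
        errors.append("anti-replay-window must be 32, 64, 128, 256, 512 or 1024")
    _check_range(errors, "lifetime-seconds", conn.get("lifetime-seconds"), 30, 604800)
    kilobytes = conn.get("lifetime-kilobytes")
    if kilobytes is not None and int(kilobytes) != 0:  # 0 is the one allowed value below 256
        _check_range(errors, "lifetime-kilobytes", kilobytes, 256, 200000000)
    return errors, effective


# Connection "sample" of Table 3-1057, in this example's dict layout.
SAMPLE_CONNECTION = {
    "name": "sample", "peer-address": "2.2.2.2",
    "ike-param": {
        "ike-proposal": 13, "ike-version": "v1", "phase1-mode": "main",
        "local-id": {"type": "ip", "value": "1.1.1.1"},
        "peer-id": {"type": "ip", "value": "2.2.2.2"},
        "authentication-information": {"pre-shared-key": "huawei@123"},
        "dpd": {"type": "periodic", "msg": "seq-hash-notify", "interval": 20, "timeout": 30},
    },
    "ipsec-proposal": "13", "pfs": "group5", "acl": 3111, "anti-replay-enable": True,
    "anti-replay-window": 256, "lifetime-seconds": 3600, "lifetime-kilobytes": 1843200,
}
```

Calling check_connection(SAMPLE_CONNECTION, {"13": "pre-share"}, {"13"}) returns no errors because proposal 13 from the earlier sections uses pre-share; swap the lookup table for {"13": "rsa-signature"} and the same connection is rejected for carrying a pre-shared key.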

Creating an IPSec Connection

This section provides a sample of creating an IPSec connection using the merge method. You can also create an IPSec connection using the create method.

Table 3-1056 Creating an IPSec connection

| Operation | XPATH |
| --- | --- |
| edit-config:merge | /huawei-ipsec/ipsec-vpn/ipsec-connection |

Data Requirements

Table 3-1057 Creating the IPSec connection sample

| Item | Data |
| --- | --- |
| IPSec connection name | sample |
| Application scenario | p2p-protection |
| Remote IP address | 2.2.2.2 |
| Interface to which an IPSec connection is applied | GigabitEthernet0/0/3 |
| IKE proposal | 13 |
| IKE version | v1 |
| Negotiation mode used in IKEv1 negotiation at phase 1 | main |
| Local ID type | ip |
| Local ID | 1.1.1.1 |
| Remote ID type | ip |
| Remote ID | 2.2.2.2 |
| Pre-shared key used in IKE negotiation | huawei@123 |
| Dead peer detection mode | periodic |
| Sequence of the payload in DPD packets | seq-hash-notify |
| Idle time for DPD | 20 |
| Retransmission interval of DPD packets | 30 |
| IPSec proposal | 13 |
| PFS function used in tunnel negotiation | group5 |
| ACL rules referenced by tunnel negotiation | 3111 |
| Enabling the anti-replay function | true |
| Anti-replay window size | 256 |
| IPSec tunnel lifecycle measured in time | 3600 |
| IPSec tunnel lifecycle measured in traffic | 1843200 |
| IPSec connection state (enabled or disabled) | up |

Description: Create an IPSec connection named sample and configure the parameters.

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<access-lists xmlns="urn:ietf:params:xml:ns:yang:ietf-acl">
<access-list>
<access-control-list-name>3111</access-control-list-name>
<access-list-entries>
<access-list-entry>
<rule-name>0</rule-name>
<actions>
<permit/>
</actions>
<matches>
<protocol>0</protocol>
<source-ipv4-network>10.1.1.0/24</source-ipv4-network>
<destination-ipv4-network>20.1.1.1/24</destination-ipv4-network>
</matches>
</access-list-entry>
</access-list-entries>
</access-list>
</access-lists>
<interfaces xmlns="urn:ietf:params:xml:ns:yang:ietf-interfaces">
<interface>
<name>GigabitEthernet0/0/3</name>
<type xmlns:iana="urn:ietf:params:xml:ns:yang:iana-if-type">iana:tunnel</type>
<ipv4 xmlns="urn:ietf:params:xml:ns:yang:ietf-ip">
<address>
<ip>1.1.1.1</ip>
<netmask>255.255.255.0</netmask>
</address>
</ipv4>
</interface> 
</interfaces>
<ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
<ipsec-connection xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="merge">
<name>sample</name>
<secnario>p2p-protection</secnario>
<peer-address>2.2.2.2</peer-address> 
<local-information> 
<interface-name>GigabitEthernet0/0/3</interface-name>
</local-information> 
<ike-param> 
<ike-proposal>13</ike-proposal> 
<ike-version>v1</ike-version> 
<phase1-mode>main</phase1-mode> 
<local-id> 
<type>ip</type>
<value>1.1.1.1</value>
</local-id> 
<peer-id> 
<type>ip</type>
<value>2.2.2.2</value> 
</peer-id> 
<pre-shared-key>huawei@123</pre-shared-key> 
<dpd> 
<type>periodic</type>
<msg>seq-hash-notify</msg> 
<interval>20</interval> 
<timeout>30</timeout> 
</dpd> 
</ike-param> 
<ipsec-proposal>13</ipsec-proposal> 
<pfs>group5</pfs>  
<acl>3111</acl>
<anti-replay-enable>true</anti-replay-enable> 
<anti-replay-window>256</anti-replay-window>  
<lifetime-seconds>3600</lifetime-seconds>  
<lifetime-kilobytes>1843200</lifetime-kilobytes>  
<admin-state>up</admin-state>
</ipsec-connection> 
</ipsec-vpn> 
</config> 
</edit-config> 
</rpc>
]]>]]>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf55">
 <ok/>
</rpc-reply>
Modifying the Configuration of an IPSec Connection

This section provides a sample of modifying an IPSec connection using the replace method based on the IPSec connection created in the preceding section.

Table 3-1058 Modifying the configuration of an IPSec connection

Operation

XPATH

edit-config:replace

/huawei-ipsec/ipsec-vpn/ipsec-connection

Data Requirements
Table 3-1059 Modifying the configuration of the IPSec connection sample

Item

Data

Description

IPSec connection name

sample

Change the time-based lifecycle of the IPSec tunnel of the IPSec connection sample to 3000s.

Application scenario

p2p-protection

Remote IP address

2.2.2.2

Interface to which an IPSec connection is applied

GigabitEthernet0/0/3

IKE proposal

13

IKE version

v1

Negotiation mode used in IKEv1 negotiation at phase 1

main

Local ID type

ip

Local ID

1.1.1.1

Remote ID type

ip

Remote ID

2.2.2.2

Pre-shared key used in IKE negotiation

huawei@123

Dead peer detection mode

periodic

Sequence of the payload in DPD packets

seq-hash-notify

Idle time for DPD

20

Retransmission interval of DPD packets

30

IPSec proposal

13

PFS function used in tunnel negotiation

group5

ACL rules referenced by tunnel negotiation

3111

Enabling the anti-replay function

true

Anti-replay window size

256

IPSec tunnel lifecycle measured in time

3000

IPSec tunnel lifecycle measured in traffic

1843200

IPSec connection state (enabled or disabled)

up

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
<ipsec-connection xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="replace">
<name>sample</name>
<secnario>p2p-protection</secnario>
<peer-address>2.2.2.2</peer-address> 
<local-information> 
<interface-name>GigabitEthernet0/0/3</interface-name>
</local-information> 
<ike-param> 
<ike-proposal>13</ike-proposal> 
<ike-version>v1</ike-version> 
<phase1-mode>main</phase1-mode> 
<local-id> 
<type>ip</type>
<value>1.1.1.1</value>
</local-id> 
<peer-id> 
<type>ip</type>
<value>2.2.2.2</value> 
</peer-id> 
<pre-shared-key>huawei@123</pre-shared-key> 
<dpd> 
<type>periodic</type>
<msg>seq-hash-notify</msg> 
<interval>20</interval> 
<timeout>30</timeout> 
</dpd> 
</ike-param> 
<ipsec-proposal>13</ipsec-proposal> 
<pfs>group5</pfs>  
<acl>3111</acl>
<anti-replay-enable>true</anti-replay-enable> 
<anti-replay-window>256</anti-replay-window>  
<lifetime-seconds>3000</lifetime-seconds>  
<lifetime-kilobytes>1843200</lifetime-kilobytes>  
<admin-state>up</admin-state>
</ipsec-connection> 
</ipsec-vpn> 
</config> 
</edit-config> 
</rpc>
]]>]]>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf55">
 <ok/>
</rpc-reply>
Deleting an IPSec Connection

This section provides a sample of deleting an IPSec connection using the remove method.

Table 3-1060 Deleting an IPSec connection

Operation

XPATH

edit-config:remove

/huawei-ipsec/ipsec-vpn/ipsec-connection

Data Requirements
Table 3-1061 Deleting the IPSec connection sample

Item

Data

Description

IPSec connection name

sample

Delete the IPSec connection sample.

Application scenario

p2p-protection

Remote IP address

2.2.2.2

Interface to which an IPSec connection is applied

GigabitEthernet0/0/3

IKE proposal

13

IKE version

v1

Negotiation mode used in IKEv1 negotiation at phase 1

main

Local ID type

ip

Local ID

1.1.1.1

Remote ID type

ip

Remote ID

2.2.2.2

Pre-shared key used in IKE negotiation

huawei@123

Dead peer detection mode

periodic

Sequence of the payload in DPD packets

seq-hash-notify

Idle time for DPD

20

Retransmission interval of DPD packets

30

IPSec proposal

13

PFS function used in tunnel negotiation

group5

ACL rules referenced by tunnel negotiation

3111

Enabling the anti-replay function

true

Anti-replay window size

256

IPSec tunnel lifecycle measured in time

3000

IPSec tunnel lifecycle measured in traffic

1843200

IPSec connection state (enabled or disabled)

up

Request Example
<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf7">
<edit-config>
<target>
<running/>
</target>
<error-option>rollback-on-error</error-option>
<config>
<ipsec-vpn xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
<ipsec-connection xmlns:ns0="urn:ietf:params:xml:ns:netconf:base:1.0" ns0:operation="remove">
<name>sample</name>
<secnario>p2p-protection</secnario>
<peer-address>2.2.2.2</peer-address> 
<local-information> 
<interface-name>GigabitEthernet0/0/3</interface-name>
</local-information> 
<ike-param> 
<ike-proposal>13</ike-proposal> 
<ike-version>v1</ike-version> 
<phase1-mode>main</phase1-mode> 
<local-id> 
<type>ip</type>
<value>1.1.1.1</value>
</local-id> 
<peer-id> 
<type>ip</type>
<value>2.2.2.2</value> 
</peer-id> 
<pre-shared-key>huawei@123</pre-shared-key> 
<dpd> 
<type>periodic</type>
<msg>seq-hash-notify</msg> 
<interval>20</interval> 
<timeout>30</timeout> 
</dpd> 
</ike-param> 
<ipsec-proposal>13</ipsec-proposal> 
<pfs>group5</pfs>  
<acl>3111</acl>
<anti-replay-enable>true</anti-replay-enable> 
<anti-replay-window>256</anti-replay-window>  
<lifetime-seconds>3000</lifetime-seconds>  
<lifetime-kilobytes>1843200</lifetime-kilobytes>  
<admin-state>up</admin-state>
</ipsec-connection> 
</ipsec-vpn> 
</config> 
</edit-config> 
</rpc>
]]>]]>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf55">
 <ok/>
</rpc-reply>
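The three requests above (merge, replace and remove) differ only in the ns0:operation attribute and in the leaf values, so a client normally generates them from one description of the connection. The following Python is an added example, not Huawei code: it builds such a request from the Table 3-1057 values, escapes every value so that an operator-supplied string cannot inject markup, checks the <rpc-reply> for <ok/> or <rpc-error> elements (the rpc-error shape follows RFC 6241; the error reply in the block is a constructed sample), and runs two pre-send checks of its own (the documentation sample key and the anti-replay setting). The tag secnario is spelled as in the page's examples; nothing here talks to a device.

```python
# Added example (not Huawei code): build edit-config requests for an
# ipsec-connection as shown on this page and check the rpc-reply.
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
HW_IPSEC_NS = "urn:huawei:params:xml:ns:yang:huawei-ipsec"
# nc:operation values defined for edit-config; the page uses merge, replace and remove.
EDIT_OPERATIONS = ("merge", "create", "replace", "remove", "delete")

# Values from Table 3-1057; the tag "secnario" is spelled as in the page's examples.
SAMPLE_CONNECTION = {
    "name": "sample", "secnario": "p2p-protection", "peer-address": "2.2.2.2",
    "interface-name": "GigabitEthernet0/0/3",
    "ike-proposal": "13", "ike-version": "v1", "phase1-mode": "main",
    "local-id": ("ip", "1.1.1.1"), "peer-id": ("ip", "2.2.2.2"),
    "pre-shared-key": "huawei@123",
    "dpd": ("periodic", "seq-hash-notify", "20", "30"),  # type, msg, interval, timeout
    "ipsec-proposal": "13", "pfs": "group5", "acl": "3111",
    "anti-replay-enable": "true", "anti-replay-window": "256",
    "lifetime-seconds": "3600", "lifetime-kilobytes": "1843200", "admin-state": "up",
}
# Success reply from the page, and a constructed failure in RFC 6241 rpc-error shape.
OK_REPLY = f'<rpc-reply xmlns="{NC_NS}" message-id="0df9bf2d-1669-40cf-9815-ce70cce7ecf55">\n <ok/>\n</rpc-reply>'
ERROR_REPLY = (f'<rpc-reply xmlns="{NC_NS}" message-id="m1"><rpc-error><error-type>application'
               '</error-type><error-tag>operation-failed</error-tag><error-severity>error'
               '</error-severity><error-message>constructed sample: edit rejected'
               '</error-message></rpc-error></rpc-reply>')

def _xml(tag, content, indent=0, attrs=""):
    """Serialise a (tag, content) tree. Leaf values are XML-escaped, so an
    operator-supplied string (a key, a name) cannot inject extra elements."""
    pad = " " * indent
    if isinstance(content, list):
        inner = "\n".join(_xml(t, c, indent + 2) for t, c in content)
        return f"{pad}<{tag}{attrs}>\n{inner}\n{pad}</{tag}>"
    return f"{pad}<{tag}{attrs}>{escape(str(content))}</{tag}>"

def connection_tree(c):
    """ipsec-connection subtree, in the order used by the page's requests."""
    ltype, lval = c["local-id"]
    ptype, pval = c["peer-id"]
    dtype, dmsg, dint, dto = c["dpd"]
    tail = ("ipsec-proposal", "pfs", "acl", "anti-replay-enable", "anti-replay-window",
            "lifetime-seconds", "lifetime-kilobytes", "admin-state")
    return [
        ("name", c["name"]), ("secnario", c["secnario"]), ("peer-address", c["peer-address"]),
        ("local-information", [("interface-name", c["interface-name"])]),
        ("ike-param", [
            ("ike-proposal", c["ike-proposal"]), ("ike-version", c["ike-version"]),
            ("phase1-mode", c["phase1-mode"]),
            ("local-id", [("type", ltype), ("value", lval)]),
            ("peer-id", [("type", ptype), ("value", pval)]),
            ("pre-shared-key", c["pre-shared-key"]),
            ("dpd", [("type", dtype), ("msg", dmsg), ("interval", dint), ("timeout", dto)]),
        ]),
    ] + [(k, c[k]) for k in tail]

def build_ipsec_connection_request(operation, c, message_id=None):
    """<rpc> text for an edit-config on /huawei-ipsec/ipsec-vpn/ipsec-connection."""
    if operation not in EDIT_OPERATIONS:
        raise ValueError(f"unsupported edit-config operation: {operation}")
    mid = message_id or str(uuid.uuid4())
    conn = _xml("ipsec-connection", connection_tree(c), 8,
                f' xmlns:ns0="{NC_NS}" ns0:operation="{operation}"')
    return "\n".join([
        f'<rpc xmlns="{NC_NS}" message-id="{mid}">', "  <edit-config>",
        "    <target><running/></target>",
        "    <error-option>rollback-on-error</error-option>",  # all-or-nothing, as on the page
        "    <config>", f'      <ipsec-vpn xmlns="{HW_IPSEC_NS}">', conn, "      </ipsec-vpn>",
        "    </config>", "  </edit-config>", "</rpc>",
    ])

def find_leaf(xml_text, local_name):
    """Text of the first element with this local name, namespaces ignored."""
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] == local_name:
            return (el.text or "").strip()
    return None

def check_reply(reply_xml):
    """(ok, [(error-tag, error-message), ...]) for an <rpc-reply>."""
    root = ET.fromstring(reply_xml)
    if root.find(f"{{{NC_NS}}}ok") is not None:
        return True, []
    return False, [(e.findtext(f"{{{NC_NS}}}error-tag", "").strip(),
                    e.findtext(f"{{{NC_NS}}}error-message", "").strip())
                   for e in root.iter(f"{{{NC_NS}}}rpc-error")]

def lint_connection(c):
    """Pre-send checks; the rules are this example's own, not the device's."""
    warnings = []
    if c["pre-shared-key"] == SAMPLE_CONNECTION["pre-shared-key"]:
        warnings.append("pre-shared-key is the documentation sample value")
    if c["anti-replay-enable"] != "true":
        warnings.append("anti-replay-enable is not true")
    return warnings
```

The text returned by build_ipsec_connection_request is what a client sends over an established NETCONF session; with error-option set to rollback-on-error, as in the page's requests, a rejected edit leaves the running configuration untouched, and check_reply surfaces the error-tag and error-message so the caller does not have to grep the reply.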

IPSec Tunnel Monitoring

This section describes the data model of the IPSec tunnel monitoring and provides a sample of checking the IPSec tunnel monitoring information.

Data Model

The data model file matching the IPSec tunnel monitoring is huawei-ipsec.yang. The monitoring objects are read-only and cannot be configured.

Table 3-1062 IPSec tunnel monitoring

Object

Description

/ipsec-vpn/ipsec-monitor

Indicates that the operation request object is the ipsec-monitor. It is a root object, which is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec:ipsec-monitor/ipsec-tunnels

Indicates the tunnel information of the IPSec connection returned in the monitoring data.

Checking the IPSec Tunnel Monitoring Information

This section provides a sample of checking the IPSec tunnel monitoring information using the get method. An IPSec connection must have been delivered in advance so that tunnel negotiation has taken place.

Table 3-1063 Checking IPSec tunnel monitoring information

Operation

XPATH

get

/huawei-ipsec:ipsec-monitor

Request Example
<?xml version="1.0" encoding="UTF-8"?> 
<rpc message-id="1001" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0"> 
  <get> 
    <filter type="subtree"> 
      <ipsec-monitor xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec"></ipsec-monitor> 
    </filter> 
  </get> 
</rpc>]]>]]>
Response Example

Sample of successful response

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1001">
<data>
<ipsec-monitor xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
 <ipsec-tunnels>
  <ipsec-connection>2208f2e9e5e9525:3</ipsec-connection>
  <interface-name>GigabitEthernet0/0/3</interface-name>
  <peer-address>1.1.1.1</peer-address>
  <status>negotiating</status>
 </ipsec-tunnels>
</ipsec-monitor>
</data>
</rpc-reply>
]]>]]>
Table 3-1064 Response example output information description

Object

Description

ipsec-connection

IPSec connection name.

interface-name

Interface name

peer-address

Peer IP address.

status

IPSec tunnel status. The options are as follows:

  • ready: The IPSec tunnel has been established successfully.
  • nego-fail: The IPSec tunnel is being negotiated.

Obtaining IPSec Tunnel Information

NOTE:

This function is supported in V300R003C10 and later versions.

Data Model

The data model file matching obtaining IPSec tunnel information is huawei-ipsec.yang.

Table 3-1065 Obtaining IPSec tunnel information

Object

Description

/huawei-ipsec/get-ipsec-sa-list

Indicates that the operation request object is get-ipsec-sa-list. It is a root object, which is only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/get-ipsec-sa-list/start-index

Indicates the page index.

/huawei-ipsec/get-ipsec-sa-list/request-num

Indicates the number of SAs requested.

Request Example

<rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="155a9a21-915f-11e8-918b-ebbc486d0a39">
  <hw-ipsec:get-ipsec-sa-list xmlns:hw-ipsec="urn:huawei:params:xml:ns:yang:huawei-ipsec">
    <hw-ipsec:start-index>1</hw-ipsec:start-index>
    <hw-ipsec:request-num>2</hw-ipsec:request-num>
  </hw-ipsec:get-ipsec-sa-list>
</rpc>

Response Example

Sample of successful response for obtaining IPSec tunnel information

<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="155a9a21-915f-11e8-918b-ebbc486d0a39">
  <ipsec-sa>
    <interface-name>GigabitEthernet1/0/0</interface-name>
    <ipsec-connection>ysh-1</ipsec-connection>
    <peer-address>10.1.2.2</peer-address>
    <peer-port>500</peer-port>
    <local-address>10.1.2.1</local-address>
    <local-port>500</local-port>
    <flow-info>Source: 1.0.0.1/255.255.255.255:0-65535 Destination: 2.0.0.1/255.255.255.255:0-65535 Protocol: 0</flow-info>
    <status>up</status>
  </ipsec-sa>
  <returned-num>1</returned-num>
</rpc-reply>
Table 3-1066 Response example output information description

Object

Description

ipsec-connection

IPSec connection name.

peer-address

Peer IP address.

peer-port

Peer UDP port number.

local-address

Local IP address.

local-port

Local UDP port number.

flow-info

Flow information:
  • Source: Source IP address segment of a data flow and port number of the ACL
  • Destination: Destination IP address segment of a data flow and port number of the ACL
  • Protocol: Protocol type of packets that an ACL matches
  • DSCP: DSCP value

status

IPSec tunnel status. The options are as follows:

  • up: An IPSec tunnel is successfully set up.
  • down: The IPSec tunnel goes down.
  • nego-fail: IPSec tunnel setup fails.
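Both replies above are read-only monitoring data, and the tunnel status is what an operator polls. The following Python is an added example, not Huawei code: it parses the two replies shown on this page (embedded as sample input), reports every tunnel whose status is not ready or up, splits the flow-info string into its Source, Destination, Protocol and optional DSCP parts (the DSCP form is assumed from Table 3-1066; the page shows no sample with it), and computes the next start-index for paging through get-ipsec-sa-list under the assumption that a page returning fewer SAs than request-num is the last one.

```python
# Added example (not Huawei code): parse the ipsec-monitor and
# get-ipsec-sa-list replies shown on this page.
import re
import xml.etree.ElementTree as ET

# Replies copied from the page's response examples.
MONITOR_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="1001">
<data>
<ipsec-monitor xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
 <ipsec-tunnels>
  <ipsec-connection>2208f2e9e5e9525:3</ipsec-connection>
  <interface-name>GigabitEthernet0/0/3</interface-name>
  <peer-address>1.1.1.1</peer-address>
  <status>negotiating</status>
 </ipsec-tunnels>
</ipsec-monitor>
</data>
</rpc-reply>"""

SA_LIST_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="155a9a21-915f-11e8-918b-ebbc486d0a39">
  <ipsec-sa>
    <interface-name>GigabitEthernet1/0/0</interface-name>
    <ipsec-connection>ysh-1</ipsec-connection>
    <peer-address>10.1.2.2</peer-address>
    <peer-port>500</peer-port>
    <local-address>10.1.2.1</local-address>
    <local-port>500</local-port>
    <flow-info>Source: 1.0.0.1/255.255.255.255:0-65535 Destination: 2.0.0.1/255.255.255.255:0-65535 Protocol: 0</flow-info>
    <status>up</status>
  </ipsec-sa>
  <returned-num>1</returned-num>
</rpc-reply>"""

# Statuses the page documents as a working tunnel (ready for ipsec-monitor, up for ipsec-sa).
HEALTHY = {"ready", "up"}

FLOW_RE = re.compile(
    r"Source:\s*(?P<src>\S+)/(?P<smask>\S+):(?P<sp0>\d+)-(?P<sp1>\d+)\s+"
    r"Destination:\s*(?P<dst>\S+)/(?P<dmask>\S+):(?P<dp0>\d+)-(?P<dp1>\d+)\s+"
    r"Protocol:\s*(?P<proto>\d+)(?:\s+DSCP:\s*(?P<dscp>\d+))?")

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def parse_tunnels(reply_xml):
    """One dict of leaf values per <ipsec-tunnels> or <ipsec-sa> entry."""
    out = []
    for el in ET.fromstring(reply_xml).iter():
        if _local(el.tag) in ("ipsec-tunnels", "ipsec-sa"):
            out.append({_local(ch.tag): (ch.text or "").strip() for ch in el if len(ch) == 0})
    return out

def returned_num(reply_xml):
    for el in ET.fromstring(reply_xml).iter():
        if _local(el.tag) == "returned-num":
            return int(el.text)
    return None

def parse_flow_info(text):
    """Split the flow-info string into source/destination/protocol (DSCP optional).
    The DSCP suffix format is assumed from Table 3-1066; the page shows no sample of it."""
    m = FLOW_RE.search(text)
    if not m:
        return None
    return {
        "source": {"net": m["src"], "mask": m["smask"], "ports": (int(m["sp0"]), int(m["sp1"]))},
        "destination": {"net": m["dst"], "mask": m["dmask"], "ports": (int(m["dp0"]), int(m["dp1"]))},
        "protocol": int(m["proto"]),
        "dscp": int(m["dscp"]) if m["dscp"] is not None else None,
    }

def unhealthy_tunnels(reply_xml):
    """(connection, peer, status) for every entry whose status is not ready/up."""
    return [(t.get("ipsec-connection"), t.get("peer-address"), t.get("status"))
            for t in parse_tunnels(reply_xml) if t.get("status") not in HEALTHY]

def next_start_index(start_index, request_num, returned):
    """Assumed paging rule: keep requesting while a page comes back full."""
    return start_index + returned if returned == request_num else None
```

The page's monitor reply carries the status negotiating, which Table 3-1064 does not list; treating every status outside ready and up as unhealthy is deliberate, so a new or undocumented value is reported rather than silently passed.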

IPSec alarm

Data Model

The data model file matching IPSec alarms is huawei-ipsec.yang. The alarm objects are read-only and cannot be configured.

Table 3-1067 IPSec alarm data model

Object

Description

/huawei-ipsec/ipsec-notification

Indicates that the operation object of the request is ipsec-notification. It is the root node and only used to contain sub-objects, but does not have any data meaning.

/huawei-ipsec/ipsec-notification/interface-name

Indicates the name of an interface to which the IPSec policy is applied.

/huawei-ipsec/ipsec-notification/ipsec-connection-name

Indicates the IPSec connection name.

/huawei-ipsec/ipsec-notification/tunnel-vpn-name

Indicates the name of a VPN instance bound to the IPSec tunnel.

/huawei-ipsec/ipsec-notification/peer-address

Indicates the peer IP address of the IPSec connection.

/huawei-ipsec/ipsec-notification/reason

  • Indicates the reason why the IPSec tunnel went down. The options are as follows:
    • dpd timeout: DPD detection times out.
    • peer request: The remote device instructs the local device to delete the entry.
    • config modify or manual offline: The local IPSec configuration has been modified, the IPSec policy is manually deleted, or a reset SA operation is performed.
    • hard expire: The IPSec SA times out.
    • heartbeat timeout: Heartbeat detection times out.
    • modecfg address soft expire: The lease of the IP address that the remote end obtained from the server expires.
    • peer address switch: The peer IP address changes.
    • hard expire triggered by port mismatch: A hard timeout occurs because of a NAT port number mismatch.
    • unknown: unknown reason.
  • Indicates the reason for IPSec tunnel setup failure. The options are as follows:
    • ike proposal mismatch: IKE proposal parameters of the two ends do not match.
    • ipsec proposal or pfs mismatch: IPSec proposal parameters or the PFS algorithms of the two ends do not match.
    • authentication failed: Identity authentication fails.
    • acl mismatch: The security ACL of the two ends does not match.
    • cannot find ike peer: No IKE peer is found by the local end.
    • version mismatch: The IKE version number of the two ends does not match.
    • encapsulation mode mismatch: The encapsulation mode of the two ends does not match.
    • IPSec route Spec is reached: The number of IPSec routes reaches the upper limit.
    • unknown: unknown reason.

/huawei-ipsec/ipsec-notification/status

Indicates the IPSec tunnel status. The options are as follows:

  • up: An IPSec tunnel is successfully set up.
  • down: The IPSec tunnel goes down.
  • nego-fail: IPSec tunnel setup fails.

NOTE:

V300R003C10 and later versions support the following nodes.

/huawei-ipsec/ipsec-notification/peer-port

Indicates the peer UDP port number.

/huawei-ipsec/ipsec-notification/local-address

Indicates the local IP address.

/huawei-ipsec/ipsec-notification/local-port

Indicates the local UDP port number.

/huawei-ipsec/ipsec-notification/flow-vpn-name

Indicates the VPN instance for a data flow.

/huawei-ipsec/ipsec-notification/flow-info

Indicates flow information:
  • Source: Source IP address segment of a data flow and port number of the ACL
  • Destination: Destination IP address segment of a data flow and port number of the ACL
  • Protocol: Protocol type of packets that an ACL matches
  • DSCP: DSCP value

Response Example

Response example of IPSec setup success

<ipsec-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
 <interface-name>GigabitEthernet0/0/1</interface-name>
 <ipsec-connection-name>ttttt</ipsec-connection-name>
 <peer-address>6.1.1.1</peer-address>
 <status>down</status>
 <reason>config modify or manual offline</reason>
</ipsec-notification> 

Response example of IPSec tunnel down

<ipsec-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec"> 
 <interface-name>GigabitEthernet0/0/1</interface-name>  
 <ipsec-connection-name>ttttt</ipsec-connection-name> 
 <peer-address>6.1.1.1</peer-address>   
 <status>down</status>   
 <reason>config modify or manual offline</reason>
</ipsec-notification>    

Response example of IPSec setup failure

<ipsec-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec"> 
 <interface-name>GigabitEthernet0/0/1</interface-name>  
 <peer-address>6.1.1.1</peer-address>   
 <status>nego-fail</status>   
 <reason>ike proposal mismatch</reason>   
</ipsec-notification>
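The reason strings listed for /huawei-ipsec/ipsec-notification/reason are free text, so a monitoring system needs a table to turn them into something it can alert on. The following Python is an added example, not Huawei code: it parses an ipsec-notification (the page's setup-failure and tunnel-down examples are embedded as sample input), maps status and reason to a category and a severity (the grouping and severities are this example's own choices, not Huawei's), and reports peers whose setup failures repeatedly carry the authentication failed reason within a batch of events.

```python
# Added example (not Huawei code): classify the ipsec-notification events
# documented in Table 3-1067. The grouping and severities are this example's own.
import xml.etree.ElementTree as ET
from collections import Counter

# Reason strings from /huawei-ipsec/ipsec-notification/reason, grouped for triage.
DOWN_REASONS = {
    "config modify or manual offline": "operator-change",
    "hard expire": "lifetime",
    "modecfg address soft expire": "lifetime",
    "dpd timeout": "liveness",
    "heartbeat timeout": "liveness",
    "peer request": "peer-initiated",
    "peer address switch": "peer-initiated",
    "hard expire triggered by port mismatch": "nat-port-mismatch",
}
NEGO_FAIL_REASONS = {
    "ike proposal mismatch": "policy-mismatch",
    "ipsec proposal or pfs mismatch": "policy-mismatch",
    "acl mismatch": "policy-mismatch",
    "version mismatch": "policy-mismatch",
    "encapsulation mode mismatch": "policy-mismatch",
    "authentication failed": "authentication",
    "cannot find ike peer": "no-peer",
    "IPSec route Spec is reached": "resource-limit",
}
# Severity per category (assumed defaults; tune to the environment).
SEVERITY = {"authentication": "high", "resource-limit": "high", "no-peer": "medium",
            "policy-mismatch": "medium", "liveness": "medium", "peer-initiated": "medium",
            "nat-port-mismatch": "medium", "lifetime": "info", "operator-change": "info",
            "unknown": "medium", "none": "info"}

# Notifications copied from the page's response examples.
NEGO_FAIL_EVENT = """<ipsec-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
 <interface-name>GigabitEthernet0/0/1</interface-name>
 <peer-address>6.1.1.1</peer-address>
 <status>nego-fail</status>
 <reason>ike proposal mismatch</reason>
</ipsec-notification>"""
DOWN_EVENT = """<ipsec-notification xmlns="urn:huawei:params:xml:ns:yang:huawei-ipsec">
 <interface-name>GigabitEthernet0/0/1</interface-name>
 <ipsec-connection-name>ttttt</ipsec-connection-name>
 <peer-address>6.1.1.1</peer-address>
 <status>down</status>
 <reason>config modify or manual offline</reason>
</ipsec-notification>"""

def parse_notification(xml_text):
    """Leaf values of one <ipsec-notification>, keyed by local name."""
    root = ET.fromstring(xml_text)
    return {ch.tag.rsplit("}", 1)[-1]: (ch.text or "").strip() for ch in root if len(ch) == 0}

def classify(event):
    """(status, category, severity) for a parsed notification."""
    status = event.get("status", "").lower()  # the page writes both "down" and "Down"
    reason = event.get("reason", "")
    if status == "up":
        category = "none"
    elif status == "down":
        category = DOWN_REASONS.get(reason, "unknown")
    elif status == "nego-fail":
        category = NEGO_FAIL_REASONS.get(reason, "unknown")
    else:
        category = "unknown"
    return status, category, SEVERITY[category]

def repeated_auth_failures(events, threshold=3):
    """Peers with at least `threshold` authentication-failed setup failures in the batch."""
    hits = Counter(e.get("peer-address") for e in events
                   if classify(e)[1] == "authentication")
    return sorted(peer for peer, n in hits.items() if n >= threshold)
```

Unknown reason strings are kept at medium rather than dropped, so a firmware version that adds a reason not in Table 3-1067 still produces an alert that a person looks at; the operator-change category is the one a change-management process can correlate with a ticket.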
Updated: 2019-03-06

Document ID: EDOC1100022096