NE20E-S2 V800R010C10SPC500 Configuration Guide - Security 01

Verifying the Configuration of Automatic IPsec SA Negotiation (IKE)

After the IPsec tunnel has been set up, verify the configuration as follows.

Prerequisites

An IPsec tunnel in IKE automatic negotiation mode has been configured.

Procedure

  1. Check whether the IPsec VPN is available.

    In this example, the intranet devices are DeviceA and DeviceB, located at the two ends of the IPsec tunnel. Both DeviceA and DeviceB use private IP addresses. Before IPsec is configured, there is no IP connectivity between the two intranets. After IPsec is configured and default routes or routes to the peer intranet are added on the tunnel gateways, IP connectivity between the two intranets is established.

    After IPsec is configured, ping DeviceB from DeviceA.

    • If the ping succeeds, the IPsec VPN has been set up.

    • If the ping fails, the intranet or the Internet may be disconnected, or the IPsec configuration may be incorrect.

  2. Check whether the route between the intranet device and the IPsec gateway is reachable, and whether the route between the two IPsec gateways is reachable. If a route is not reachable, configure the route again. If the routes are reachable, check the IPsec configuration.
  3. Run the display ipsec statistics command to check the statistics of packets processed by IPsec, that is, the numbers of packets encapsulated and decapsulated by IPsec.
  4. Run the display ike sa [ remote ip-address | verbose { remote ip-address | conn_id connid slot slot-id | peer peer-name [ identity identity ] } | slot slot-id | peer peer-name [ identity identity ] ] command to check whether the SAs have been established.
  5. If the SA is not established, run the following commands to check the IPsec configuration:

    1. Run the display ike proposal command to check the IKE proposal configuration. Ensure that the encryption algorithm, authentication method, authentication algorithm, and DH group ID configured on both ends of the IPsec tunnel are consistent.
    2. Run the display ike peer [ name peer-name | brief ] command to check the IKE peer configuration. Ensure that the IKE version number and authentication mode configured on both ends of the IPsec tunnel are consistent.
    3. Run the display ipsec proposal command to check the IPsec proposal configuration. Ensure that the encapsulation mode, security protocol, encryption algorithm, and authentication algorithm configured on both ends of the IPsec tunnel are consistent.
    4. Run the display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ] command to check the IPsec policy template configuration.
    5. Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to check the IPsec policy configuration.
    6. Run the display ipsec sa command to check the SA configuration. Ensure that the SA configurations on both ends of the IPsec tunnel match.
  6. Run the display ike statistics { all | msg | v1 | v2 } [ slot slot-id [ engine engine-id | card card-id ] ] command to check the IKE packet statistics.
  7. Run the display ike offline history [ peer-ip peer-ip [ vpn-instance-name vpn-instance-name ] [ port port ] ] [ slot slot-id ] command to check the records of IKE SAs that went offline.
  8. Run the display ike error history [ peer-ip peer-ip [ vpn-instance-name vpn-instance-name ] [ port port ] ] [ slot slot-id ] command to check the errors recorded for failed IKE SA negotiations.
  9. Run the display ipsec sa-expire statistics command to check the statistics of expired SAs.

Example

Run the display ipsec statistics command to check the statistics of packets processed by IPsec. For example:

<HUAWEI> display ipsec statistics
  IPv6 security packet statistics:
    Current system time: 2017-02-22 20:25:23
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
  IPv4 security packet statistics:
    Current system time: 2017-02-22 20:25:23
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0

Run the display ike sa command to check whether the SAs have been established. After the preceding commands are executed, a command output similar to the following is displayed, indicating that the IKE and IPsec SAs have been established.

<HUAWEI> display ike sa
 current sa Num :2
   Single-homing :2     Multi-homing master :0    Multi-homing slave :0
   None-backup sa :2    Backup sa :0
Spu board slot 1, IKE SA Information:
 Current IKE SA number: 2
-----------------------------------------------------------------------
conn-id    peer                    flag        phase   ext    vpn
-----------------------------------------------------------------------
373        11.1.2.2                RD|ST       V2:2    -      -
372        11.1.2.2                RD|ST       V2:1    -      -

Run the display ike statistics command to check the IKE packet statistics. For example:

<HUAWEI> display ike statistics msg
----------------------------------------------------------
 IKE message statistics information
 IKE message received                           : 50629
 IKE message sent                               : 52526
 IKEv1 phase1 rekey success                     : 190
 IKEv1 phase2 rekey success                     : 6
 IKEv1 phase1 exchange timeout                  : 20
 IKEv1 phase2 exchange timeout                  : 1
 IKEv2 IKE SA rekey success                     : 1
 IKEv2 child SA rekey success                   : 0
 IKEv2 IKE SA rekey timeout                     : 1
 IKEv2 child SA rekey timeout                   : 0
 IKEv2 authenticate exchange timeout            : 0
 IKEv2 ReAuth initiate                          : 682
 IKEv2 Re-Auth Success                          : 680
 IKEv2 Drop ReAuth-Inv SA                       : 0
 IKEv2 Drop ReAuth-No Child                     : 0
 IKEv2 Hard ReAuth                              : 1
 Remote Auth Method Mismatch                    : 0
 IKE expire received                            : 0
 IKE acquire received                           : 229
 IKE acquire dropped                            : 0
 IKE expire dropped                             : 0
 IKE replace received                           : 0
----------------------------------------------------------
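The verification steps above are typically repeated on many gateways, and the drop counters under "dropped security packet detail" (replay packet, authentication is failed, can't find SA, policy deny) are the ones a defender wants alerted on rather than read by eye. The following Python script is an added example, not Huawei code or output from this guide: it parses the display ipsec statistics and display ike sa outputs in the format shown on this page, reports every nonzero drop reason, and checks that a given peer has both a phase-1 and a phase-2 IKE SA. The embedded statistics sample is constructed from the page's IPv4 block with the replay counter raised to 3 so that the check has something to flag; the IKE SA sample is copied from the page. The script assumes that the RD flag marks a ready SA (it is present on both rows of the page's established-SA sample) and treats any row without it as not up.

```python
import re

# Constructed sample: the page's IPv4 block of "display ipsec statistics",
# with "replay packet" (and the matching dropped total) raised to 3.
IPSEC_STATS = """\
<HUAWEI> display ipsec statistics
  IPv4 security packet statistics:
    Current system time: 2017-02-22 20:25:23
    input/output security packets: 1200/1187
    input/output security bytes: 96000/94960
    input/output dropped security packets: 3/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 3
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
"""

# Sample copied from the page's "display ike sa" output.
IKE_SA = """\
<HUAWEI> display ike sa
 current sa Num :2
   Single-homing :2     Multi-homing master :0    Multi-homing slave :0
   None-backup sa :2    Backup sa :0
Spu board slot 1, IKE SA Information:
 Current IKE SA number: 2
-----------------------------------------------------------------------
conn-id    peer                    flag        phase   ext    vpn
-----------------------------------------------------------------------
373        11.1.2.2                RD|ST       V2:2    -      -
372        11.1.2.2                RD|ST       V2:1    -      -
"""

# Drop reasons listed under "dropped security packet detail".
DROP_REASONS = ("memory process problem", "can't find SA", "queue is full",
                "authentication is failed", "wrong length", "replay packet",
                "too long packet", "invalid SA", "policy deny")

FAMILY_RE = re.compile(r"^\s*(IPv[46]) security packet statistics:")
COUNTER_RE = re.compile(r"^\s*(.+?):\s*(\d+)(?:/(\d+))?\s*$")
SA_ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(V\d):(\d)\s+(\S+)\s+(\S+)\s*$")


def parse_ipsec_statistics(text):
    """Return {"IPv4": {counter: int or (in, out)}, "IPv6": {...}}."""
    stats, family = {}, None
    for line in text.splitlines():
        fam = FAMILY_RE.match(line)
        if fam:
            family = fam.group(1)
            stats[family] = {}
            continue
        if family is None or "system time" in line:
            continue  # skip the prompt line and the timestamp
        m = COUNTER_RE.match(line)
        if not m:
            continue  # section headers carry no number
        key, first, second = m.group(1).strip(), int(m.group(2)), m.group(3)
        stats[family][key] = (first, int(second)) if second is not None else first
    return stats


def nonzero_drops(stats):
    """List (family, reason, count) for every drop reason that is not zero."""
    return [(fam, reason, counters[reason])
            for fam, counters in stats.items()
            for reason in DROP_REASONS
            if counters.get(reason, 0) > 0]


def parse_ike_sa(text):
    """Return one dict per SA row of 'display ike sa' (header lines are skipped)."""
    rows = []
    for line in text.splitlines():
        m = SA_ROW_RE.match(line)
        if m:
            rows.append({"conn_id": int(m.group(1)), "peer": m.group(2),
                         "flags": set(m.group(3).split("|")),
                         "version": m.group(4), "phase": int(m.group(5))})
    return rows


def ike_peer_ready(rows, peer):
    """True when the peer has both a phase-1 and a phase-2 SA with the RD flag.
    Assumption: RD marks a ready SA; rows without it are treated as not up."""
    phases = {r["phase"] for r in rows if r["peer"] == peer and "RD" in r["flags"]}
    return {1, 2} <= phases


if __name__ == "__main__":
    for fam, reason, n in nonzero_drops(parse_ipsec_statistics(IPSEC_STATS)):
        print(f"{fam}: {n} packet(s) dropped, reason: {reason}")
    print("peer 11.1.2.2 ready:", ike_peer_ready(parse_ike_sa(IKE_SA), "11.1.2.2"))
```

Feed the script the raw output captured from the CLI; a steadily rising "replay packet" or "authentication is failed" counter is the kind of signal worth forwarding to monitoring, and a peer that shows only one of the two phases points back to the proposal and peer checks in step 5 of the procedure.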
Updated: 2019-01-02

Document ID: EDOC1100055397