No relevant resource is found in the selected language.
Enterprise
Worldwide
Huawei Global - English
Support Documentation
WLAN AC V200R010C00 Command Reference
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
display ipsec policy (all views)

display ipsec policy (all views)

Function

The display ipsec policy command displays IPSec policy information.

Format

display ipsec policy [ brief | name policy-name [ seq-number ] ]

Parameters

Parameter Description Value
brief Displays brief information about all IPSec policies. -
name policy-name Displays detailed information about an IPSec policy with a specified name. The value must be an existing IPSec policy name.
seq-number Displays detailed information about an IPSec policy with a specified sequence number. The value must be an existing IPSec policy sequence number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, this command displays detailed information about all IPSec policies.

You can use the display ipsec policy brief command to check brief information about all IPSec policies, including:

  • Name and sequence number
  • Negotiation mode
  • ACL number
  • IKE peer
  • Local address
  • Remote address

Using the name parameter, you can view details on the specified IPSec policy. In this case, the information is displayed in detailed format. If you specify name policy-name and do not specify seq-number, the command displays detailed information about an IPSec policy group.

Example

# Display brief information about all the IPSec policies.

<AC6605> display ipsec policy brief
Number of policies group : 1 
Number of policies       : 1 
  
Policy name           Mode     ACL         Peer name   Local address    Remote address
--------------------------------------------------------------------------------------
policy1-100           isakmp   3002/IPv4   peer1
Table 20-26  Description of the display ipsec policy brief command output

Item

Description
Number of policies group

Number of IPSec policy groups. An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same name constitute an IPSec policy group.
Number of policies

Number of IPSec policies.
Policy name

Name and sequence number of an IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.
Mode
Mode in which an IPSec policy is created:
  • isakmp: The IPSec policy is created in IKE negotiation mode.
  • template: The IPSec policy is created using an IPSec policy template.
  • manual: The IPSec policy is created manually.

To configure IPSec policy creation mode, run the ipsec policy (system view) command.
ACL ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.
Peer name

Name of the IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.
Local address Local IP address used in IPSec negotiation. To configure the local IP address used in IPSec negotiation, run the tunnel local command.
Remote address Remote IP address used in IPSec negotiation. To configure the remote IP address used in IPSec negotiation, run the tunnel remote (Manual IPSec policy view) command.

# Display information about all IPSec policies.

<AC6605> display ipsec policy
===========================================    
IPSec policy group: "10"                               
Using interface: VLANIF10  
===========================================                     
     Sequence number: 10 
     Policy Alias: map1-10  
     Security data flow: 3000/IPv4
     Peer name    :  rut2 
     Perfect forward secrecy: DH group 14
     Proposal name:  prop1 
     IPSec SA local duration(time based): 3600 seconds 
     IPSec SA local duration(traffic based): 1843200 kilobytes 
     SA trigger mode: Traffic-based
     Route inject state: -
     Route inject nexthop: -                       
     Route inject preference: -  
     Policy state: Enable                                                        
     Anti-replay window size: 1024                                               
     Fragment before-encryption: Disable
     Respond-only: Enable
     Policy status  : Inactive
     Tunnel remote : Vlanif20
     Sa keep-holding-to hard-duration : Disable
Table 20-27  Description of the display ipsec policy command output

Item

Description
IPSec policy group Name of an IPSec policy group. To configure an IPSec policy group, run the ipsec policy (system view) command.
Using interface Interface to which an IPSec policy group is applied.
Sequence number Sequence number of an IPSec policy. To configure a sequence number, run the ipsec policy (system view) command.

Policy Alias

Alias of the IPSec policy. To configure an alias for an IPSec policy, run the alias command.

Security data flow

 ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.

Peer name

 IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.

Perfect forward secrecy
Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 15: 3072-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 16: 4096-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To configure the PFS used in IKE negotiation, run the pfs command.

Proposal name

 IPSec proposal referenced in the IPSec policy. To reference an IPSec proposal, run the proposal command.

IPSec SA local duration(time based)

 Time-based IPSec SA lifetime. To set the time-based lifetime of the local SA, run the sa duration time-based command in the IPSec policy view.

IPSec SA local duration(traffic based)

 Traffic-based IPSec SA lifetime. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command in the IPSec policy view.

SA trigger mode

SA trigger mode:

  • Automatic
  • Traffic-based

To configure an SA trigger mode, run the sa trigger-mode command.
Route inject state

Route injection status:

  • Dynamic: Dynamic route injection is enabled.
  • Static: Static route injection is enabled.

To configure route injection, run the route inject command.
Route inject nexthop

Next hop of a generated route. To configure route injection, run the route inject command.
Route inject preference

Priority of a generated route. To configure route injection, run the route inject command.

Policy state

Policy status:

  • Enable
  • Disable

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window command.

Fragment before-encryption

IPSec fragmentation mode:

  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

To configure an IPSec fragmentation mode, run the ipsec fragmentation before-encryption command.

Respond-only
Whether the local end is enabled to initiate IPSec negotiation when an IPSec policy in ISAKMP mode is used to create an IPSec tunnel.
  • Enable: The local end functions as the IPSec responder and does not initiate IPSec negotiation.
  • Disable: The local end initiates IPSec negotiation.
Policy status
IPSec policy status:
  • Active
  • Inactive
To set an IPSec policy to the active state, run the policy enable command.
Tunnel remote

Outbound interface on an IPSec tunnel for IKE negotiation packets. To configure the outbound interface, run the tunnel remote (ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view) command.
Sa keep-holding-to hard-duration

Whether the device deletes the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

  • Enable: The device will delete the original IPSec SA after the hard lifetime expires.
  • Disable: The device deletes the original IPSec SA immediately.

To configure the device to delete the original IPSec SA after the hard lifetime expires, run the sa keep-holding-to hard-duration command.
Translation
简体中文
Download
Updated: 2021-02-27

Document ID: EDOC1100064351

Views: 3162773

Downloads: 593

Average rating:
This Document Applies to these Products

Related Version

Related Documents

Share
Previous Next
Huawei e+ App Huawei e+

Copyright © 2022 Huawei Technologies Co., Ltd. All rights reserved.

You are going to visit :