AR100-S, AR110-S, AR120-S, AR150-S, AR160-S, AR200-S, AR1200-S, AR2200-S, and AR3200-S V200R010 Command Reference

IPSec Configuration Commands

aaa authorization

Function

The aaa authorization command configures AAA RADIUS server authorization.

The undo aaa authorization command cancels AAA RADIUS server authorization.

By default, AAA RADIUS server authorization is not configured.

Format

aaa authorization [ domain domain-name ]

undo aaa authorization

Parameters

Parameter Description Value
domain domain-name Specifies the domain name. The domain name must already exist.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the remote device establishes an IKE SA with the server, you can run this command on the server to enable AAA RADIUS server authorization. If the domain parameter is specified, the remote device obtains authorization information using the specified domain. If the domain parameter is not specified, the remote device obtains authorization information using the domain name it sends to the server. The domain name is specified using the service-scheme command in the Efficient VPN policy view.

Prerequisite

A domain has been created using the domain (AAA view) command.

Precautions

After you configure this command on the server, the service-scheme command does not take effect.

Example

# Set the domain name for AAA RADIUS server authorization to abc.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] domain abc
[Huawei-aaa-domain-abc] quit
[Huawei] ike peer p1
[Huawei-ike-peer-p1] aaa authorization domain abc

alias

Function

The alias command sets an alias of an IPSec policy or IPSec policy template.

The undo alias command restores the default alias of an IPSec policy or IPSec policy template.

By default, the alias of an IPSec policy or IPSec policy template is the combination of its name and ID. If the default alias has been used by another IPSec policy or IPSec policy template, the system defines the default alias of the IPSec policy or IPSec policy template by combining the current time with its name and ID.

Format

alias alias

undo alias

Parameters

Parameter Description Value
alias Specifies an alias for an IPSec policy or IPSec policy template. The value is a string of 1 to 127 case-sensitive characters. It can contain special characters, such as !, @, #, $, and %, but cannot contain question marks.

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In real-world applications, multiple IPSec policies or IPSec policy templates are often configured in an IPSec policy group. In this case, you can use the alias command to configure aliases that identify these IPSec policies or IPSec policy templates. It is recommended that you configure meaningful aliases that are easy to remember.

Precautions

The alias of each IPSec policy or IPSec policy template must be unique. Otherwise, the system displays a configuration failure message.

Example

# Configure the alias huawei for the IPSec policy policy1 with the ID of 1.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] alias huawei

ah authentication-algorithm

Function

The ah authentication-algorithm command configures the AH authentication algorithm.

The undo ah authentication-algorithm command restores the default AH authentication algorithm.

By default, the AH authentication algorithm is SHA2-256.

Format

ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo ah authentication-algorithm

Parameters

Parameter Description Value
md5 Uses the message digest algorithm 5 (MD5) authentication algorithm. -
sha1 Uses the Secure Hash Algorithm 1 (SHA-1) authentication algorithm. -
sha2-256 Uses the SHA2-256 authentication algorithm. -
sha2-384 Uses the SHA2-384 authentication algorithm. -
sha2-512 Uses the SHA2-512 authentication algorithm. -
sm3 Uses the SM3 authentication algorithm. The algorithm can be used only in IKEv1 negotiation. When the SM3 algorithm is used, the padding mode of RSA signing cannot be PSS. -

AR100-S&AR110-S&AR120-S&AR160-S series, AR151-S2, AR1220C-S, and AR2204-27GE-S do not support SHA2-384 and SHA2-512 authentication algorithms.

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The AH protocol only authenticates packets and does not provide the encryption function.

Authentication algorithms that can be used in an IPSec proposal include the following (listed in descending order of security level): sha2-512 > sha2-384 > sha2-256 > sha1 > md5.

Prerequisites

ah or ah-esp has been specified in the transform command.

Precautions

Both ends of an IPSec tunnel must use the same authentication algorithm.

Authentication algorithms sha2-256, sha2-384, and sha2-512 are recommended for security purposes. md5 and sha1 are not recommended.

Example

# Specify the SHA2-256 algorithm for the AH protocol in the IPSec proposal newprop1.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1] transform ah
[Huawei-ipsec-proposal-newprop1] ah authentication-algorithm sha2-256

ah authentication-algorithm (ipsec-proto-protect-proposal view)

Function

The ah authentication-algorithm command configures the authentication algorithm for Authentication Header (AH).

The undo ah authentication-algorithm command restores the default authentication algorithm for AH.

By default, the authentication algorithm SHA2-256 is used for AH.

Format

ah authentication-algorithm { md5 | sha1 | sha2-256 }

undo ah authentication-algorithm

Parameters

Parameter Description Value
md5 Configures MD5 as the authentication algorithm for AH. NOTE: To ensure high security, do not use the MD5 algorithm as the AH authentication algorithm. -
sha1 Configures Secure Hash Algorithm-1 (SHA1) as the authentication algorithm for AH. NOTE: To ensure high security, do not use the SHA1 algorithm as the AH authentication algorithm. -
sha2-256 Configures SHA2-256 as the authentication algorithm for AH. -

Views

IPSec proto-protect proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH is used to prevent packets from being intercepted or modified and to implement data origin authentication during data transmission. AH runs the hash algorithm on both the sending and receiving sides and checks data integrity and authenticity.

AH currently supports the MD5, SHA-1 and SHA2-256 authentication algorithms.

  • MD5: generates a 128-bit message digest for an input message of any length
  • SHA-1: generates a 160-bit message digest for an input message of less than 2^64 bits
  • SHA2-256: generates a 256-bit message digest for an input message of less than 2^64 bits

MD5 is faster than SHA-1, but is less secure.

Prerequisite

The transform command has been configured to select AH before the authentication algorithm for AH is configured.

Precautions

The authentication algorithms on both IPSec peers must be identical.

Example

# Set the authentication algorithm to SHA-1 for AH.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform ah
[Huawei-ipsec-proto-protect-proposal-prop1] ah authentication-algorithm sha1

anti-replay window

Function

The anti-replay window command sets the anti-replay window size for an IPSec tunnel.

The undo anti-replay window command restores the default anti-replay window size of an IPSec tunnel.

By default, the anti-replay window size of a single IPSec tunnel is not set. The global value is used.

Format

anti-replay window window-size

undo anti-replay window

Parameters

Parameter Description Value
window-size Specifies the anti-replay window size of an IPSec tunnel. The value can be 32, 64, 128, 256, 512, or 1024, in bits.

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Configuration Impact

You may need to change the anti-replay window size for an IPSec tunnel in some situations. For example, if QoS is performed for packets passing through an IPSec tunnel, the sequence numbers of service data packets may arrive out of order relative to those of common data packets. As a result, these service data packets are dropped as replay attack packets. To prevent such packets from being dropped incorrectly, you can disable the anti-replay function or increase the anti-replay window size for the IPSec tunnel.
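The following simulation, added here and not part of the Huawei command reference, models the receiver-side anti-replay sliding window (RFC 4303 style) and shows why a QoS queue that delivers one legitimate packet 100 sequence numbers late causes a false drop with a 32-bit window but not with a 128-bit one. The traffic stream, the class and function names are constructed for this illustration.

```python
"""Anti-replay sliding window simulation (added example, not Huawei code).

Models the RFC 4303 receiver window: `top` is the highest sequence number
accepted so far and a bitmap records which of the last `size` sequence
numbers have already been seen. A packet is rejected if it is a duplicate
or if it has fallen behind the window, which is exactly what happens to a
legitimate packet that a QoS scheduler delivered too late.
"""


class AntiReplayWindow:
    def __init__(self, size: int = 64):
        # The page allows 32, 64, 128, 256, 512 or 1024 bits.
        if size < 32 or size & (size - 1):
            raise ValueError("window size must be a power of two >= 32")
        self.size = size
        self.top = 0        # highest sequence number accepted (0 = none yet)
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen
        self.dropped = []   # sequence numbers rejected by the check

    def check_and_update(self, seq: int) -> bool:
        """Return True and slide the window if `seq` is fresh, else False."""
        if seq == 0:
            return False  # ESP/AH sequence number 0 is never valid
        if seq > self.top:
            shift = seq - self.top
            # Slide forward; anything older than `size` drops off the left edge.
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            self.dropped.append(seq)   # too old: behind the window
            return False
        if self.bitmap & (1 << offset):
            self.dropped.append(seq)   # already seen: a genuine replay
            return False
        self.bitmap |= 1 << offset     # late but inside the window: accept
        return True


def qos_reordered_stream(total: int, delayed: int, delay: int):
    """Constructed traffic: packet `delayed` is held by a QoS queue and
    delivered `delay` packets late; all other packets arrive in order."""
    order = [s for s in range(1, total + 1) if s != delayed]
    order.insert(min(delayed - 1 + delay, len(order)), delayed)
    return order


def count_false_drops(window_size: int, stream) -> int:
    """Feed a stream through a window and return the number of rejections.
    For a reorder-only stream every rejection is a false drop."""
    win = AntiReplayWindow(window_size)
    return sum(0 if win.check_and_update(s) else 1 for s in stream)


if __name__ == "__main__":
    stream = qos_reordered_stream(total=200, delayed=10, delay=100)
    for size in (32, 64, 128):
        print(f"window {size:4d} bits: {count_false_drops(size, stream)} false drop(s)")
```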

Prerequisites

The anti-replay function is enabled for the IPSec tunnel. By default, the anti-replay function is enabled (through the ipsec anti-replay enable command).

Precautions

When both anti-replay window and ipsec anti-replay window are configured, the anti-replay window configuration takes effect. When anti-replay window is not configured, the ipsec anti-replay window configuration takes effect.

Example

# Set the IPSec anti-replay window size to 128 bits.

<Huawei> system-view
[Huawei] ipsec policy poli 10 isakmp
[Huawei-ipsec-policy-isakmp-poli-10] anti-replay window 128

authentication-algorithm

Function

The authentication-algorithm command configures an authentication algorithm for IKEv1 negotiation.

The undo authentication-algorithm command restores the default configuration.

By default, the SHA2-256 authentication algorithm is used for IKEv1 negotiation.

Format

authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo authentication-algorithm

Parameters

Parameter Description Value
md5 Uses the message digest algorithm 5 (MD5) authentication algorithm. -
sha1 Uses the Secure Hash Algorithm 1 (SHA-1) authentication algorithm. -
sha2-256 Uses the SHA2-256 authentication algorithm. -
sha2-384 Uses the SHA2-384 authentication algorithm. -
sha2-512 Uses the SHA2-512 authentication algorithm. -
sm3 Uses the SM3 authentication algorithm. The algorithm can be used only in IKEv1 negotiation. When the SM3 algorithm is used, the padding mode of RSA signing cannot be PSS. -

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

An authentication algorithm is required for IKEv1 negotiation. Authentication algorithms that can be used for IKEv1 negotiation include the following (listed in descending order of security level): sha2-512 > sha2-384 > sha2-256 > sha1 > md5.

md5 and sha1 are not recommended because they cannot provide high security.

Example

# Specify the SHA2-384 authentication algorithm for IKE proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] authentication-algorithm sha2-384

authentication-method

Function

The authentication-method command specifies the authentication method used in IKE negotiation.

The undo authentication-method command restores the default authentication method.

By default, pre-shared key authentication is used in IKE negotiation.

Format

authentication-method { pre-share | rsa-signature }

undo authentication-method

Parameters

Parameter Description Value
pre-share Uses pre-shared key authentication. -
rsa-signature Uses RSA signature authentication. -

Views

IKE proposal view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Identity authentication is a protection mechanism that ensures secure data transmission on an insecure network. This command configures an identity authentication method.

Precautions

The authentication methods in the IKE proposals used by the IKE peer must be the same. Otherwise, IKE negotiation fails.

For IKEv1, the authentication-method command does not take effect in the Efficient VPN policy view.

Follow-up Procedure
  • If pre-share is specified, run the pre-shared-key command to specify an authentication key.

  • If rsa-signature is specified, configure a local certificate.

Example

# Configure pre-shared key authentication in IKE proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] authentication-method pre-share

# Configure pre-shared key authentication for Efficient VPN policy vpn1.

<Huawei> system-view
[Huawei] ipsec efficient-vpn vpn1 mode client
[Huawei-ipsec-efficient-vpn-vpn1] authentication-method pre-share

certificate peer-name

Function

The certificate peer-name command enables IKEv1 digital envelope negotiation to use the peer certificate file imported to the PKI.

The undo certificate peer-name command disables IKEv1 digital envelope negotiation from using the peer certificate file imported to the PKI.

By default, the system does not use the peer certificate file imported to the PKI for IKEv1 digital envelope negotiation.

Format

certificate peer-name peer-name

undo certificate peer-name

Parameters

Parameter Description Value
peer-name peer-name Specifies the name of the digital certificate of an IKE peer. The digital certificate must have been imported to the PKI.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

If the authentication method is digital envelope (digital-envelope), you can use the peer digital certificate imported to the PKI. IKEv1 obtains the certificate public key through the peer digital certificate for digital envelope negotiation.

Example

# Import the peer digital certificate aa.pem and reference it in the IKE peer.

<Huawei> system-view
[Huawei] pki import-certificate peer abcd pem filename aa.pem
[Huawei] ike peer a
[Huawei-ike-peer-a] certificate peer-name abcd

certificate-check disable

Function

The certificate-check disable command disables validity verification on certificates of an IKE peer.

The undo certificate-check disable command restores the default configuration.

By default, the device verifies certificates of an IKE peer.

Format

certificate-check disable

undo certificate-check disable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When IPSec uses certificate authentication and users cannot update certificates after they become invalid, the certificates become unusable and IPSec authentication fails. If users still want to use these invalid certificates, run the certificate-check disable command to disable validity verification on certificates of an IKE peer. If users do not want to verify certificates of any IKE peer, run the ike certificate-check disable command.

Precautions

Disabling validity verification on certificates will lead to security risks.

Example

# Configure the device not to verify certificates of an IKE peer.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] certificate-check disable

certificate-request empty-payload enable

Function

The certificate-request empty-payload enable command configures a router to send certificate requests with empty payload.

The undo certificate-request empty-payload enable command restores the default configuration.

By default, certificate requests sent from a router carry CA information in the payload.

Format

certificate-request empty-payload enable

undo certificate-request empty-payload enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a router acting as a gateway in the headquarters uses an IPSec policy configured using a policy template and authenticates branches by digital certificates, you can run the certificate-request empty-payload enable command to send certificate requests with empty payload, allowing access from branches using certificates issued by different CAs. The router can then perform certificate authentication based on certificate information provided by each branch.

Precautions

Do not configure this command if access devices cannot process certificate request packets with an empty authentication and authorization field. Otherwise, IKE negotiation fails.

Example

# Configure the router to send certificate requests with empty payload.

<Huawei> system-view
[Huawei] ike peer a20
[Huawei-ike-peer-a20] certificate-request empty-payload enable

config-exchange

Function

The config-exchange command enables the device to request or set subnet route information.

The undo config-exchange command disables the device from requesting or setting subnet route information.

By default, the device cannot request or set subnet route information.

Format

config-exchange { request | set { accept | send } }

undo config-exchange { request | set [ accept | send ] }

Parameters

Parameter Description Value
request Enables the device to request subnet route information from a remote device. -
set { accept | send } Enables the device to accept subnet route information from a remote device or send local subnet route information. -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A headquarters gateway sets up an IPSec tunnel with a branch gateway in virtual tunnel mode. In this case, you can run the config-exchange command to enable the gateways to request or set subnet route information.

  1. The config-exchange request command can only be used on the initiator to enable it to request subnet information from the responder.
  2. The config-exchange set { accept | send } command can be configured on both the initiator and the responder.

    • The config-exchange set accept command enables the local device to accept subnet route information sent by the remote device.
    • The config-exchange set send command enables the local device to send subnet route information to the remote device.

    If the config-exchange set send command is configured on the local device, the config-exchange set accept command must be configured on the remote device.

Prerequisites

Before you configure the config-exchange set send command to enable the local device to send subnet route information, the following operations must have been completed in the AAA service scheme.

  • Run the route set acl acl-number command to configure local subnet route information.
  • Run the route set interface command to configure interface addresses to which the IPSec profile is applied.

Precautions

This command is supported by IKEv2 only.

If the config-exchange set accept command is configured on the local device, the route accept command must also be configured before the local device can accept subnet route information sent by the remote device and generate routes.

Example

# Enable the IKE peer named peer1 to accept subnet route information from the remote device.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] config-exchange set accept

connect track

Function

The connect track command configures the device to control IPSec tunnel setup according to the NQA test instance, NQA group, BFD session, or BFD group status.

The undo connect track command cancels the configuration.

By default, the device is configured not to control IPSec tunnel setup according to the NQA test instance, NQA group, BFD session, or BFD group status.

Format

connect track { nqa admin-name test-name | nqa-group nqa-group-name | bfd-session bfd-session-name | bfd-session-group bfd-group-name } { up | down }

undo connect track { nqa | nqa-group | bfd-session | bfd-session-group }

Parameters

Parameter Description Value
nqa admin-name test-name Configures the device to control IPSec tunnel setup according to the NQA test instance status. admin-name and test-name specify the administrator name and name of the NQA test instance respectively. The administrator name or name of an NQA test instance must have been created.
nqa-group nqa-group-name Configures the device to control IPSec tunnel setup according to the NQA group status. nqa-group-name specifies the name of the NQA group. The value is a string of 1 to 32 case-sensitive characters without spaces. NOTE: If the character string is quoted by quotation marks, the character string can contain spaces.
bfd-session bfd-session-name Configures the device to control IPSec tunnel setup according to the BFD session status. bfd-session-name specifies the name of the BFD session. The BFD session name must have been created.
bfd-session-group bfd-group-name Configures the device to control IPSec tunnel setup according to the BFD group status. bfd-group-name specifies the name of the BFD group. The value is a string of 1 to 15 case-sensitive characters without spaces. NOTE: If the character string is quoted by quotation marks, the character string can contain spaces.
up Indicates that an IPSec tunnel is set up when the NQA test instance, NQA group, BFD session, or BFD group status is Up. -
down Indicates that an IPSec tunnel is set up when the NQA test instance, NQA group, BFD session, or BFD group status is Down. -

Views

View of the IPSec policy established in ISAKMP mode

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, to improve network reliability, a branch gateway connects to the headquarters using multiple links. The branch gateway needs to determine on which link an IPSec tunnel is established. You can associate IPSec with NQA or BFD so that the branch gateway controls IPSec tunnel setup according to the NQA test instance, NQA group, BFD session, or BFD group status, which ensures that only one link is available at any time.

Prerequisites

  • An NQA test instance has been created using the nqa command and the NQA test instance type has been set to ICMP using the test-type command if nqa admin-name test-name is specified.
  • A BFD session has been created using the bfd bind peer-ip command and the local and remote discriminators have been set for the BFD session using the discriminator command if bfd-session bfd-session-name is specified.

Precautions

  • The device supports only association between IPSec and the NQA test instance of ICMP.

  • The NQA test instance, NQA group, BFD session, and BFD group cannot be configured simultaneously in this scenario. That is, the device controls IPSec tunnel setup using a specified IPSec policy according to one of the NQA test instance, NQA group, BFD session, BFD group, and VRRP group status.

  • When nqa-group nqa-group-name is specified, you do not need to create an NQA group first. However, the configuration takes effect only when the NQA group is created and configured using the nqa-group and nqa (nqa-group view) commands respectively.

  • When bfd-session-group bfd-group-name is specified, you do not need to create a BFD group first. However, the configuration takes effect only when the BFD group is created and configured using the bfd-group and track bfd commands respectively.

  • connect track needs to be used with disconnect track to implement link redundancy control.

Example

# Configure the device to establish an IPSec tunnel when the NQA test instance (administrator name admin and instance name test) status is Up in the view of the IPSec policy policy1 established in ISAKMP mode.

<Huawei> system-view
[Huawei] nqa test-instance admin test
[Huawei-nqa-admin-test] test-type icmp
[Huawei-nqa-admin-test] quit
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] connect track nqa admin test up

# Configure the device to establish an IPSec tunnel when the status of the NQA group ngroup is Down in the view of the IPSec policy policy2 established in ISAKMP mode.

<Huawei> system-view
[Huawei] ipsec policy policy2 200 isakmp
[Huawei-ipsec-policy-isakmp-policy2-200] connect track nqa-group ngroup down

# Configure the device to establish an IPSec tunnel when the status of the BFD session test is Up in the view of the IPSec policy policy1 established in ISAKMP mode.

<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 10.1.1.1 255.255.255.0
[Huawei-Ethernet2/0/0] quit
[Huawei] bfd
[Huawei-bfd] quit
[Huawei] bfd test bind peer-ip 10.1.1.2 interface ethernet 2/0/0
[Huawei-bfd-session-test] discriminator local 10
[Huawei-bfd-session-test] discriminator remote 20
[Huawei-bfd-session-test] quit
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] connect track bfd-session test up

# Configure the device to establish an IPSec tunnel when the status of the BFD group bfd-group1 is Down in the view of the IPSec policy policy2 established in ISAKMP mode.

<Huawei> system-view
[Huawei] ipsec policy policy2 200 isakmp
[Huawei-ipsec-policy-isakmp-policy2-200] connect track bfd-session-group bfd-group1 down

description

Function

The description command configures the description for an IKE user.

The undo description command deletes the description of an IKE user.

By default, the description of an IKE user is not configured.

Format

description description

undo description

Parameters

Parameter Description Value
description Specifies the description of an IKE user. The value is a string of 1 to 63 case-sensitive characters.

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

To identify IKE users, run the description command to configure a description for each IKE user. For example, you can describe the branch that corresponds to each IKE user.

Example

# Configure the description for an IKE user.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] description user1

dh

Function

The dh command specifies a Diffie-Hellman (DH) group used for IKE negotiation.

The undo dh command restores the default DH group for IKE negotiation.

By default, group14 is used for IKE negotiation.

Format

dh { group1 | group2 | group5 | group14 | group19 | group20 | group21 }

undo dh

Parameters

Parameter Description Value
group1 Uses the 768-bit DH group in IKE negotiation phase 1. -
group2 Uses the 1024-bit DH group in IKE negotiation phase 1. -
group5 Uses the 1536-bit DH group in IKE negotiation phase 1. -
group14 Uses the 2048-bit DH group in IKE negotiation phase 1. -
group19 Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. -
group20 Uses the 384-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. -
group21 Uses the 521-bit Elliptic Curve Groups modulo a Prime (ECP) DH group in IKE negotiation phase 1. -

Views

IKE proposal view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The DH algorithm is a public key algorithm. Two communicating parties calculate a shared key based on data exchanged between them, without transmitting the key. A third party (such as a hacker) cannot calculate the actual key even if it obtains all exchanged data for key calculation.

Precautions
  • Both ends of an IPSec tunnel must be configured with the same DH group. Otherwise, the negotiation fails.

  • The security level order of the DH groups is: group21 > group20 > group19 > group14 > group5 > group2 > group1.

  • The group1, group2, and group5 have potential security risks. The other DH groups are recommended.
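The following audit script, added here and not Huawei code, walks a VRP-style configuration and flags the settings this reference warns about in the ah authentication-algorithm, authentication-algorithm, dh and certificate-check disable sections: md5 or sha1 hashes, DH group1, group2 or group5, and disabled peer certificate validation. The sample configuration, view names and function names are constructed for the demonstration.

```python
"""Audit a VRP-style running configuration for weak IKE/IPSec settings.

Added example, not part of the Huawei command reference. The sample
configuration below is constructed; only the command names come from the
reference. The walk relies on VRP's layout: a view-entering command is
unindented, commands inside the view are indented by one space, and a
line containing only '#' closes the block.
"""

import re

# Rankings stated in the reference:
#   sha2-512 > sha2-384 > sha2-256 > sha1 > md5
#   group21 > group20 > group19 > group14 > group5 > group2 > group1
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH_GROUPS = {"group1", "group2", "group5"}

# Constructed sample configuration for the demonstration.
SAMPLE_CONFIG = """\
#
ike proposal 10
 authentication-algorithm sha2-384
 dh group14
#
ike proposal 20
 authentication-algorithm md5
 dh group2
#
ipsec proposal newprop1
 transform ah
 ah authentication-algorithm sha1
#
ipsec proposal newprop2
 transform ah
 ah authentication-algorithm sha2-256
#
ike peer peer1
 certificate-check disable
#
ike peer peer2
 authentication-method rsa-signature
#
"""

VIEW_RE = re.compile(r"^(ike proposal|ipsec proposal|ike peer) (\S+)$")


def audit_config(config: str):
    """Return a list of (view, command, reason) tuples, one per weak line."""
    findings = []
    view = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line == "#" or not line:
            view = None            # '#' closes the current view
            continue
        m = VIEW_RE.match(line)
        if m:
            view = f"{m.group(1)} {m.group(2)}"
            continue
        if view is None:
            continue               # top-level command outside a tracked view
        cmd = line.strip()
        alg = cmd.split()[-1]
        if cmd.startswith(("authentication-algorithm ", "ah authentication-algorithm ")):
            if alg in WEAK_HASHES:
                findings.append((view, cmd, f"{alg} is not recommended; use sha2-256 or stronger"))
        elif cmd.startswith("dh "):
            if alg in WEAK_DH_GROUPS:
                findings.append((view, cmd, f"{alg} has potential security risks; use group14 or higher"))
        elif cmd == "certificate-check disable":
            findings.append((view, cmd, "validity verification of the peer certificate is disabled"))
    return findings


def views_with_findings(config: str):
    """Convenience wrapper: the set of views that contain at least one finding."""
    return {view for view, _, _ in audit_config(config)}


if __name__ == "__main__":
    for view, cmd, reason in audit_config(SAMPLE_CONFIG):
        print(f"{view}: '{cmd}' -> {reason}")
```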

Example

# Specify the 2048-bit DH group for IKE proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] dh group14

# Specify the 2048-bit DH group for the IPSec Efficient VPN policy.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] dh group14

disconnect track

Function

The disconnect track command configures the device to control IPSec tunnel teardown according to the NQA test instance, NQA group, BFD session, or BFD group status.

The undo disconnect track command cancels the configuration.

By default, the device is configured not to control IPSec tunnel teardown according to the NQA test instance, NQA group, BFD session, or BFD group status.

Format

disconnect track { nqa admin-name test-name | nqa-group nqa-group-name | bfd-session bfd-session-name | bfd-session-group bfd-group-name } { up | down }

undo disconnect track { nqa | nqa-group | bfd-session | bfd-session-group }

Parameters

Parameter Description Value
nqa admin-name test-name Configures the device to control IPSec tunnel teardown according to the NQA test instance status. admin-name and test-name specify the administrator name and name of the NQA test instance respectively. The administrator name or name of an NQA test instance must have been created.
nqa-group nqa-group-name Configures the device to control IPSec tunnel teardown according to the NQA group status. nqa-group-name specifies the name of the NQA group. The value is a string of 1 to 32 case-sensitive characters without spaces. NOTE: If the character string is quoted by quotation marks, the character string can contain spaces.
bfd-session bfd-session-name Configures the device to control IPSec tunnel teardown according to the BFD session status. bfd-session-name specifies the name of the BFD session. The BFD session name must have been created.
bfd-session-group bfd-group-name Configures the device to control IPSec tunnel teardown according to the BFD group status. bfd-group-name specifies the name of the BFD group. The value is a string of 1 to 15 case-sensitive characters without spaces. NOTE: If the character string is quoted by quotation marks, the character string can contain spaces.
up Indicates that an IPSec tunnel is torn down when the NQA test instance, NQA group, BFD session, or BFD group status is Up. -
down Indicates that an IPSec tunnel is torn down when the NQA test instance, NQA group, BFD session, or BFD group status is Down. -

Views

View of the IPSec policy established in ISAKMP mode

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, to improve network reliability, a branch gateway connects to the headquarters using multiple links. The link where an IPSec tunnel is established needs to be determined. You can associate IPSec with NQA or BFD so that the branch gateway controls IPSec tunnel teardown according to the NQA test instance, NQA group, BFD session, or BFD group status, which ensures that only one link is available at any time.

Prerequisites

  • An NQA test instance has been created using the nqa command and the NQA test instance type has been set to ICMP using the test-type command if nqa admin-name test-name is specified.
  • A BFD session has been created using the bfd bind peer-ip command and the local and remote discriminators have been set for the BFD session using the discriminator command if bfd-session bfd-session-name is specified.

Precautions

  • The device supports only association between IPSec and the NQA test instance of ICMP.

  • When nqa-group nqa-group-name is specified, you do not need to create an NQA group first. However, the configuration takes effect only when the NQA group is created and configured using the nqa-group and nqa (nqa-group view) commands respectively.

  • When bfd-session-group bfd-group-name is specified, you do not need to create a BFD group first. However, the configuration takes effect only when the BFD group is created and configured using the bfd-group and track bfd commands respectively.

  • disconnect track needs to be used with connect track to implement link redundancy control.

Example

# Configure the device to terminate an IPSec tunnel when the NQA test instance (administrator name admin and instance name test) status is Up in the view of the IPSec policy policy1 established in ISAKMP mode.

<Huawei> system-view
[Huawei] nqa test-instance admin test
[Huawei-nqa-admin-test] test-type icmp
[Huawei-nqa-admin-test] quit
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] disconnect track nqa admin test up

# Configure the device to terminate an IPSec tunnel when the status of the NQA group ngroup is Down in the view of the IPSec policy policy2 established in ISAKMP mode.

<Huawei> system-view
[Huawei] ipsec policy policy2 200 isakmp
[Huawei-ipsec-policy-isakmp-policy2-200] disconnect track nqa-group ngroup down

# Configure the device to terminate an IPSec tunnel when the status of the BFD session test is Up in the view of the IPSec policy policy1 established in ISAKMP mode.

<Huawei> system-view
[Huawei] interface ethernet 2/0/0
[Huawei-Ethernet2/0/0] ip address 10.1.1.1 255.255.255.0
[Huawei-Ethernet2/0/0] quit
[Huawei] bfd
[Huawei-bfd] quit
[Huawei] bfd test bind peer-ip 10.1.1.2 interface ethernet 2/0/0
[Huawei-bfd-session-test] discriminator local 10
[Huawei-bfd-session-test] discriminator remote 20
[Huawei-bfd-session-test] quit
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] disconnect track bfd-session test up

# Configure the device to terminate an IPSec tunnel when the status of the BFD group bfd-group1 is Down in the view of the IPSec policy policy2 established in ISAKMP mode.

<Huawei> system-view
[Huawei] ipsec policy policy2 200 isakmp
[Huawei-ipsec-policy-isakmp-policy2-200] disconnect track bfd-session-group bfd-group1 down

display ike error-info

Function

The display ike error-info command displays information about IPSec tunnel negotiation failures using IKE.

Format

display ike error-info [ verbose ] [ peer remote-address ]

Parameters

Parameter Description Value
verbose Displays details about IPSec tunnel negotiation failures using IKE. -
peer remote-address Displays information about IPSec tunnel negotiation failures using IKE with a specified remote IP address. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains information of the latest 200 IPSec tunnel negotiation failures using IKE.

Example

# Display information about IPSec tunnel negotiation failures using IKE.

<Huawei> display ike error-info
                                                                                                         
 current info Num :2                                                                                                                
 Ike error information:                                                                                      
 current ike Error-info number :2                                                                                                   
  -----------------------------------------------------------------------------                                                        
  peer      port      error-reason                version     error-time                                                            
  -----------------------------------------------------------------------------                                                     
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:42:37                                                      
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:08:45 

# Display details about IPSec tunnel negotiation failures using IKE.

<Huawei> display ike error-info verbose 

  current info Num :1 
  Ike error information: 
  current ike Error-info number :1
--------------------------------------------------------------------------
Peer       : 10.1.1.1   
Port       : 500
version    : v1                          
Reason     : phase1 proposal mismatch
Detail     : phase1 proposal mismatch
Error-time : 2013-08-26 12:02:37                                            
--------------------------------------------------------------------------
Table 11-16  Description of the display ike error-info command output

Item

Description

current info Num Number of failure records currently stored.
Ike error information Information about IPSec tunnel negotiation failures using IKE.
current ike Error-info number Number of IPSec tunnel negotiation failures using IKE.
peer or Peer Remote IP address.
port or Port Peer UDP port number.
error-reason or Reason Causes for IPSec tunnel negotiation failures using IKE:
  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • route limit: The number of injected routes has reached the upper limit.
  • ip assigned fail: IP address allocation fails.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • netmask mismatch: The mask does not match the configured mask after the IPSec mask filtering function is enabled.
  • flow confict: A data flow conflict occurs.
  • proposal mismatch or use sm in ikev2: IPSec proposals at both ends of the IPSec tunnel do not match or IKEv2 uses the SM algorithm.
  • ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPSec proposal.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
version IKE version.
Error-time/error-time Time of IPSec tunnel negotiation failures using IKE.
Detail

Details about IPSec tunnel negotiation failures using IKE.

  • phase1 proposal mismatch: IKE proposal parameters of the two ends do not match.
  • phase2 proposal or pfs mismatch: IPSec proposal parameters, pfs algorithm, or security ACL of the two ends do not match.
  • responder dh mismatch: The DH algorithm of the responder does not match.
  • initiator dh mismatch: The DH algorithm of the initiator does not match.
  • encapsulation mode mismatch: The encapsulation mode does not match.
  • flow or peer mismatch: The security ACL or IKE peer address of the two ends does not match.
  • version mismatch: The IKE version number of the two ends does not match.
  • peer address mismatch: The IKE peer address of the two ends does not match.
  • config ID mismatch: The IKE peer of the specified ID is not found.
  • exchange mode mismatch: The negotiation mode of the two ends does not match.
  • authentication fail: Identity authentication fails.
  • construct local ID fail: The local ID fails to be constructed.
  • rekey no find old sa: The old SA is not found during re-negotiation.
  • rekey fail: The old SA is going offline during re-negotiation.
  • first packet limited: The rate of the first packet is limited.
  • unsupported version: The IKE version number is not supported.
  • malformed message: Malformed message.
  • malformed payload: Malformed payload.
  • critical drop: Unidentified critical payload.
  • cookie mismatch: Cookie mismatch.
  • invalid cookie: Invalid cookie.
  • invalid length: Invalid packet length.
  • unknown exchange type: Unknown negotiation mode.
  • uncritical drop: Unidentified non-critical payload.
  • route limit: The number of injected routes has reached the upper limit.
  • ip assigned fail: IP address allocation fails.
  • local address mismatch: The local IP address in IKE negotiation and interface IP address do not match.
  • dynamic peers number reaches limitation: The number of IKE peers reaches the upper limit.
  • ipsec tunnel number reaches limitation: The number of IPSec tunnels reaches the upper limit.
  • netmask mismatch: The mask does not match the configured mask after the IPSec mask filtering function is enabled.
  • flow confict: A data flow conflict occurs.
  • proposal mismatch or use sm in ikev2: IPSec proposals at both ends of the IPSec tunnel do not match or IKEv2 uses the SM algorithm.
  • ikev2 not support sm in ipsec proposal ikev2: IKEv2 does not support the SM algorithm used in the IPSec proposal.
  • no policy applied on interface: No policy is applied to an interface.
  • nat detection fail: NAT detection failed.
  • fragment packet limit: Fragment packets exceed the limit.
  • fragment packet reassemble timeout: Fragment packet reassembly times out.
  • receive phase1 proposal mismatch: The received IKE proposal parameters do not match the local parameters.
  • receive phase2 proposal mismatch: The received IPSec proposal parameters do not match the local parameters.
  • phase2 proposal mismatch: IPSec proposal parameters on both ends do not match.
  • receive flow or peer mismatch: The received security ACL or IKE peer address does not match the local one.
  • (peer local or tunnel local or interface) address mismatch: The peer's local IP address, local tunnel IP address or interface IP address does not match the local one.
  • remote auth method mismatch: The peer authentication method does not match.
  • proc cert fail or inband cert validate fail: Failed to process or verify the certificate.
  • outband cert validate fail(rsa-signature): Certificate verification failed during RSA signature authentication.
  • hash value not equal(pre-share-key): The hash values are different during pre-shared key authentication.
  • hash value not equal(digital-envelope): The hash values are different during digital signature authentication.
  • verify sig data fail(rsa-signature): Failed to verify the signature.
  • proc auth payload fail(pre-share-key): Failed to process the authentication payload during pre-shared key authentication.
  • proc auth payload fail(rsa-signature): Failed to process the authentication payload during RSA signature authentication.
  • recv peer auth fail notification: An authentication failure notification from the peer end is received.
  • recv peer auth fail notification(pre-share-key): An authentication failure notification from the peer end is received during pre-shared key authentication.
  • recv peer auth fail notification(rsa-signature): An authentication failure notification from the peer end is received during RSA signature authentication.
  • recv peer auth fail notification(digital-envelope): An authentication failure notification from the peer end is received during digital signature authentication.
  • proc and auth ID payload fail(pre-share-key): The peer ID fails to be authenticated during pre-shared key authentication.
  • proc and auth ID payload fail(rsa-signature): The peer ID fails to be authenticated during RSA signature authentication.
  • can not find key by cert: Failed to obtain the key pair corresponding to the certificate.
  • the cert is not valid: The certificate is invalid.
  • cert revoked by CRL: The certificate is revoked by the CRL.
  • unable to get issuer cert: The issuer cannot be found.
  • ocsp valid fail: Failed to check the certificate online.
  • cert filter check mismatch: The certificate filtering verification does not match.
  • no corresponding CRL: No corresponding CRL exists.
  • inband cert validate fail: Failed to verify the certificate.
  • receive proposal mismatch or use sm in ikev2: The received IPSec proposal parameters do not match the local parameters or IKEv2 uses the SM algorithm.

display ike global config

Function

The display ike global config command displays the global IKE configuration.

Format

display ike global config

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view the global IKE configuration, such as the local name used in IKE negotiation, the interval at which an IKE SA sends heartbeat packets, the heartbeat timeout interval, and the interval at which an IKE SA sends NAT keepalive packets.

Example

# Display the global IKE configuration.

<Huawei> display ike global config
IKE Global Config:                                   
--------------------------------------------------------------
  IKE local-name                   : huawei
  IKE heartbeat-timer interval     : 30
  IKE heartbeat-timer timeout      : 100
  IKE nat-keepalive-timer interval : 52
  IKE sm-encryption-key-length     : disable
  IKE certificate-check            : disable
  IKEv2 prf aes-xcbc-128 compatible: enable
--------------------------------------------------------------
Table 11-17  Description of the display ike global config command output

Item

Description

IKE Global Config

Global configuration of IKE.

IKE local-name

Local name used in IKE negotiation. To set the local name used in IKE negotiation, run the ike local-name command. If ike local-name is not configured on the local end, the name specified by the sysname command is used for IKE negotiation.

IKE heartbeat-timer interval

Interval at which an IKE SA sends a heartbeat packet, in seconds. To set the interval at which an IKE SA sends a heartbeat packet, run the ike heartbeat-timer interval command.

IKE heartbeat-timer timeout

Timeout interval of heartbeat packets, in seconds. To set the timeout interval of heartbeat packets, run the ike heartbeat-timer timeout command.

IKE nat-keepalive-timer interval

Interval at which an IKE SA sends a NAT keepalive packet, in seconds. To set the interval at which an IKE SA sends a NAT keepalive packet, run the ike nat-keepalive-timer interval command.

IKE sm-encryption-key-length

Whether IKE negotiation packets carry the SM encryption key length when IKE uses a digital envelope for authentication.
  • enable
  • disable
IKE certificate-check
Whether validity verification on certificates of all IKE peers is enabled.
  • enable
  • disable
To disable this check, run the ike certificate-check disable command.
IKEv2 prf aes-xcbc-128 compatible
Whether compatibility with the non-RFC-standard implementation of the IKEv2 PRF AES-XCBC-128 algorithm is enabled:
  • enable
  • disable

This function is configured using the ikev2 prf aes-xcbc-128 compatible command.

NOTE:
V200R010C10 and later versions support this parameter.

display ike offline-info

Function

The display ike offline-info command displays information about deleted IPSec tunnels established through IKE negotiation.

Format

display ike offline-info [ peer remote-address ]

Parameters

Parameter Description Value
peer remote-address Displays information about deleted IPSec tunnels with a specified remote IP address and established through IKE negotiation. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The command output contains the possible causes and time of the latest 200 IPSec tunnel deletions.

Example

# Display information about deleted IPSec tunnels established through IKE negotiation.

<Huawei> display ike offline-info

  Current info Num :3 
  Ike offline information:
-----------------------------------------------------------------------------
  peer               offline-reason       version     offline-time
-----------------------------------------------------------------------------------------------------
  10.10.10.10         dpd-timeout         v2          2015/08/01  16:05:55
  3.3.3.3             dpd-timeout         v2          2015/08/01  16:05:55
  10.2.2.2            hardware-timeout    v2          2015/08/01  15:05:55
-----------------------------------------------------------------------------------------------------
Table 11-18  Description of the display ike offline-info command output

Item

Description

Current info Num Current number of information records.
peer Peer IP address of a deleted IPSec tunnel.
offline-reason Causes for deletion of IPSec tunnels established through IKE negotiation:
  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: heartbeat detection times out.
  • modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • peer address switch: An SA is deleted due to change of the peer address.
  • hard expiry triggered by port mismatch: A hard timeout occurs because of a NAT port number mismatch.
  • kick old sa with same flow: The old SA is deleted for the same incoming flow.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPsec SA.
  • nhrp notify: NHRP notifies the device that the SA needs to be deleted.
  • disconnect track nqa/bfd/vrrp: The IPSec tunnel is torn down based on the NQA test instance, NQA group, VRRP, BFD session, or BFD group status.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.
version IKE version.
offline-time IPSec tunnel deletion time.
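The reason strings listed for display ike error-info and display ike offline-info are what an operator has to scan when a tunnel will not come up or keeps dropping. The following Python script is an added example, not part of this command reference and not Huawei code: it parses the tabular (non-verbose) output of both commands, groups records per peer into coarse triage categories, and flags peers with repeated authentication failures (a wrong pre-shared key, or someone guessing one) or negotiations that hit a resource limit. The category grouping is this example's own; the sample output is constructed in the layout of the page's examples, and the threshold of three authentication failures is an arbitrary assumption.

```python
"""Triage of Huawei AR `display ike error-info` / `display ike offline-info` output.
Added example; reason strings come from the command reference, the grouping
into categories is this script's own convention."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Coarse triage category for each reason string printed by the device.
# Anything not listed falls into "other".
REASON_CATEGORY = {
    "phase1 proposal mismatch": "config-mismatch",
    "phase2 proposal or pfs mismatch": "config-mismatch",
    "responder dh mismatch": "config-mismatch",
    "initiator dh mismatch": "config-mismatch",
    "encapsulation mode mismatch": "config-mismatch",
    "flow or peer mismatch": "config-mismatch",
    "version mismatch": "config-mismatch",
    "exchange mode mismatch": "config-mismatch",
    "config ID mismatch": "config-mismatch",
    "peer address mismatch": "config-mismatch",
    "authentication fail": "auth-failure",
    "malformed message": "malformed",
    "malformed payload": "malformed",
    "invalid cookie": "malformed",
    "invalid length": "malformed",
    "unknown exchange type": "malformed",
    "first packet limited": "rate-limited",
    "dynamic peers number reaches limitation": "resource-limit",
    "ipsec tunnel number reaches limitation": "resource-limit",
    "dpd-timeout": "liveness",          # as printed in the offline-info table
    "dpd timeout": "liveness",          # as listed in the reason description
    "heartbeat timeout": "liveness",
    "peer request": "peer-initiated",
    "config modify or manual offline": "administrative",
    "disconnect track nqa/bfd/vrrp": "administrative",
}

# Constructed sample output in the layout of the page's examples (not captured
# from a real device).
ERROR_INFO_SAMPLE = """\
 current info Num :6
 Ike error information:
 current ike Error-info number :6
  -----------------------------------------------------------------------------
  peer      port      error-reason                version     error-time
  -----------------------------------------------------------------------------
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:42:37
10.1.1.1   500       phase1 proposal mismatch     v1          2013-08-26 13:08:45
192.0.2.7  4500      authentication fail          v2          2013-08-26 13:09:01
192.0.2.7  4500      authentication fail          v2          2013-08-26 13:09:03
192.0.2.7  4500      authentication fail          v2          2013-08-26 13:09:06
198.51.100.9   500   ipsec tunnel number reaches limitation   v2   2013-08-26 13:10:12
"""

OFFLINE_INFO_SAMPLE = """\
  Current info Num :3
  Ike offline information:
-----------------------------------------------------------------------------
  peer               offline-reason       version     offline-time
-----------------------------------------------------------------------------
  10.10.10.10         dpd-timeout         v2          2015/08/01  16:05:55
  3.3.3.3             dpd-timeout         v2          2015/08/01  16:05:55
  10.2.2.2            hardware-timeout    v2          2015/08/01  15:05:55
"""


@dataclass(frozen=True)
class IkeEvent:
    peer: str
    reason: str
    version: str
    time: str


# A data row starts with the peer IPv4 address followed by at least two spaces.
_ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s{2,}(.*)$")


def parse_ike_table(text):
    """Parse rows of either command. Columns are split on runs of two or more
    spaces, which keeps multi-word reasons and 'YYYY-MM-DD HH:MM:SS' intact;
    error-info rows carry a numeric UDP port column that offline-info lacks."""
    events = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # headers, separators and counters
        peer, rest = m.group(1), m.group(2)
        cols = re.split(r"\s{2,}", rest.strip())
        if cols and cols[0].isdigit():
            cols = cols[1:]  # drop the port column of error-info
        reason, version, stamp = cols[0], cols[1], " ".join(cols[2:])
        events.append(IkeEvent(peer, reason, version, stamp))
    return events


def categorize(reason):
    return REASON_CATEGORY.get(reason, "other")


def triage(events, auth_fail_threshold=3):
    """Count events per (peer, category) and flag peers worth a closer look.
    Repeated proposal mismatches from one peer are normally a configuration
    error rather than an attack, so they are counted but not flagged."""
    counts = defaultdict(Counter)
    for ev in events:
        counts[ev.peer][categorize(ev.reason)] += 1
    report = {peer: dict(c) for peer, c in counts.items()}
    flagged = {}
    for peer, c in counts.items():
        if c["auth-failure"] >= auth_fail_threshold:
            flagged[peer] = "repeated authentication failures"
        elif c["resource-limit"]:
            flagged[peer] = "negotiation hit a resource limit"
    return report, flagged


if __name__ == "__main__":
    evs = parse_ike_table(ERROR_INFO_SAMPLE) + parse_ike_table(OFFLINE_INFO_SAMPLE)
    report, flagged = triage(evs)
    for peer, cats in report.items():
        print(peer, cats, "<-- " + flagged[peer] if peer in flagged else "")
```

Feed the script the raw text of either command (copied from a terminal session or collected over SSH); it ignores the counters, headers and separator lines. The verbose form of display ike error-info is not parsed here, since its Detail field is a per-record block rather than a table.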

display ike identity

Function

The display ike identity command displays information about an identity filter set.

Format

display ike identity [ name identity-name ]

Parameters

Parameter

Description

Value

name identity-name

Specifies the name of the identity filter set.

The value is an existing identity filter name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to display information about an identity filter set.

Example

# Display information about all identity filter sets.

<Huawei> display ike identity
                                                                                
Number of identity: 2                                                           
                                                                                
IKE identity: identity1                                                         
 FQDN       : R1                                                                
 DN         : c=cn,st=jiangsu,l=nanjing,o=huawei,ou=vpn,cn=ipsec                
 User-FQDN  : liming@huawei.com                                                   
 User-FQDN  : zhangsan@huawei.com                                           
 IP address : 1.1.1.0 255.255.255.0                                             
 IP address : 2.2.2.0 255.255.255.0                                             
 IP address : 3.3.3.0 255.255.255.0                                             
                                                                                
IKE identity: 1                                                                 
 FQDN       : R2                                                             
 IP address : 4.1.1.0 255.255.255.0                                           
 IP address : 4.1.2.0 255.255.255.0                

# Display information about the identity filter set named identity1.

<Huawei> display ike identity name identity1
                                                                                
IKE identity: identity1                                                           
 FQDN       : R1                                                                
 DN         : c=cn,st=jiangsu,l=nanjing,o=huawei,ou=vpn,cn=ipsec                
 User-FQDN  : liming@huawei.com                                                   
 User-FQDN  : zhangsan@huawei.com                                           
 IP address : 1.1.1.0 255.255.255.0                                              
 IP address : 2.2.2.0 255.255.255.0                                             
 IP address : 3.3.3.0 255.255.255.0                                             
 IP address : 6.6.6.0 255.255.255.0                                             
Table 11-19  Description of the display ike identity command output

Item

Description

IKE identity

Name of the identity filter set. To set this parameter, run the ike identity command.

FQDN

Name of the allowed peer for IKE negotiation. To set this parameter, run the fqdn command.

DN

DN of the allowed peer. To set this parameter, run the dn command.

User-FQDN

User-FQDN of the allowed peer. To set this parameter, run the user-fqdn command.

IP address

IP address of the allowed peer. To set this parameter, run the ip address command.

display ike peer (all views)

Function

The display ike peer command displays the IKE peer configuration.

Format

display ike peer [ brief | name peer-name ]

Parameters

Parameter Description Value
brief Displays brief information about IKE peers. -
name peer-name Displays detailed information about the IKE peer with a specified name. The value must be an existing IKE peer name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

The display ike peer command output contains the following information:

  • Name of the IKE peer
  • Negotiation mode
  • Authentication key
  • IKE proposal
  • Type of the local ID
  • IP address of the IKE peer
  • Name of the remote peer
  • Whether NAT traversal is enabled

Example

# Display brief configuration of the IKE peer.

<Huawei> display ike peer brief
Current ike peer number: 3                                                      
                                                                                
---------------------------------------------------------------------------     
Peer name        Version  Exchange-mode   Proposal   Id-type   RemoteAddr       
---------------------------------------------------------------------------     
1                v1v2     main            11         IP                         
peer1            v1v2     main            12         IP                       
huawei           v1v2     main            13         IP       
Table 11-20  Description of the display ike peer brief command output

Item

Description

Current ike peer number Current number of IKE peers that have been configured.
Peer name Name of an IKE peer. To configure an IKE peer, run the ike peer command.
Version
IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.
To configure an IKE version, run the version command.
Exchange-mode
IKEv1 negotiation mode:
  • main
  • aggressive
  • -: not supported. The value is displayed when the IKE peer uses only IKEv2.
To configure a negotiation mode, run the exchange-mode command.
Proposal

Name of the referenced IKE proposal. To configure an IKE proposal, run the ike-proposal command.

Id-type

Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command.

RemoteAddr

IP address of the remote IKE peer. To configure an IP address of the remote IKE peer, run the remote-address (IKE peer view) command.

# Display configuration of the IKE peer.

<Huawei> display ike peer
              
Number of IKE peers: 1
------------------------------------------ 
   Peer name                               : 1
   IKE version                             : v1v2
   VPN instance                            : vpn1
   Remote IP                               : 1.1.1.1
   Remote IP                               : 2.2.2.2
   Authentic IP address                    : - 
   Proposal                                : 1 
   Pre-shared-key                          : %^%#G7(t:%yFw/PVF>Jsva;"zx]oL!sw-8z\C;I}%%RY%^%#
   Local ID type                           : IP
   Local ID                                : - 
   Remote ID type                          : any
   Remote ID                               : - 
   certificate peer-name                   : abc
   PKI realm                               : test
   Inband OCSP                             : Enable
   Inband CRL                              : Disable
   cert-request empty-payload              : Enable
   VPN instance bound to the SA            : vpna
   NAT-traversal                           : Enable
   Service-scheme name                     : a
   Re-authentication interval(s)           : 333
   IKE user-table                          : 1
   AAA authorization domain                : a
   DSCP                                    : - 
   Lifetime-notification-message           : Enable
   DPD                                     : Enable
   DPD type                                : on-demand
   DPD retry-limit                         : 3
   DPD retransmit-interval(s)              : 30
   DPD idle-time(s)                        : 60
   DPD msg                                 : seq-hash-notify
   RSA encryption-padding                  : PKCS1
   RSA signature-padding                   : PKCS1 
   ipsec sm4 version                       : standard  
   Certificate-check                       : Disable   
   Resource acl                            : - 
   Local ID Certificate Preference         : Enable
   IKEv2 Local ID Reflect                  : Enable 
------------------------------------------  
Table 11-21  Description of the display ike peer command output

Item

Description

Number of IKE peers Number of IKE peers that have been configured.
Peer name Name of an IKE peer. To configure an IKE peer, run the ike peer command.
IKE version
IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.

To configure an IKE version, run the version command.

VPN instance

VPN instance name. To configure a VPN instance name, run the remote-address (IKE peer view) command.

Remote IP

IP address of the remote IKE peer. To configure an IP address of the remote IKE peer, run the remote-address (IKE peer view) command.

Authentic IP address

IP address used for IKE negotiation authentication before NAT translation. To configure the IP address used for IKE negotiation authentication before NAT translation, run the remote-address (IKE peer view) command.

Proposal

Referenced IKE proposal. This parameter is available only when the IKE proposal has been configured using the ike-proposal command.

Pre-shared-key

Pre-shared key used for authentication. When the IKE proposal referenced by the IKE peer uses pre-shared key authentication, this key is used for identity authentication. To configure a pre-shared key, run the pre-shared-key command. The command output shows the key in encrypted form, as in the example above.

Local ID type

Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command.

Local ID

Local ID used in IKE negotiation. To set the local ID used in IKE negotiation, run the ike local-name or local-id command.

Remote ID type

Remote ID type in IKE negotiation. To set the remote ID type, run the remote-id-type command.

Remote ID

Remote ID used in IKE negotiation. To configure the remote ID used in IKE negotiation, run the remote-id command.

certificate peer-name

Peer name in the specified certificate.

PKI realm

PKI realm bound to the IKE peer. To bind a PKI realm to an IKE peer, run the pki realm command.

Inband OCSP
Whether IKEv2 is used to transmit Online Certificate Status Protocol (OCSP) requests and responses:
  • Enable
  • Disable

To enable this function, run the inband ocsp command.

Inband CRL
Whether IKEv2 is used to transmit certificate revocation list (CRL) requests and responses:
  • Enable
  • Disable

To enable this function, run the inband crl command.

cert-request empty-payload
Whether the certificate request payload is empty:
  • Enable
  • Disable

To configure the device to send certificate requests with empty payload, run the certificate-request empty-payload enable command.

VPN instance bound to the SA

Name of the VPN instance bound to the IPSec tunnel. To bind a VPN instance to an IPSec tunnel, run the sa binding vpn-instance command.

NAT-traversal
Whether NAT traversal is enabled:
  • Enable
  • Disable
To enable NAT traversal, run the nat traversal command.
Service-scheme name

AAA scheme referenced by an IKE peer. To configure an AAA scheme, run the service-scheme command.

Re-authentication interval(s)

IKEv2 re-authentication interval. To configure an IKEv2 re-authentication interval, run the re-authentication interval command.

IKE user-table

IKE user table referenced by an IKE peer. To configure an IKE user table, run the user-table command.

AAA authorization domain

AAA authorization domain referenced by an IKE peer. To configure an AAA authorization domain, run the aaa authorization command.

DSCP

DSCP value of IKE packets of an IKE peer. To configure a DSCP value, run the dscp command.

Lifetime-notification-message
Whether the device is enabled to send notification messages of the IKE SA lifetime:
  • Enable
  • Disable
To enable this function, run the lifetime-notification-message enable command.
DPD
Whether the DPD function is enabled:
  • Enable
  • Disable
DPD type
DPD mode of an IKE peer.
  • on-demand: DPD is performed on demand.
  • periodic: DPD is performed periodically.
To specify a DPD mode, run the dpd type command.
DPD retry-limit

Number of times that an IKE peer can retransmit DPD packets. To specify the number of retransmission times, run the dpd command.

DPD retransmit-interval(s)

Interval at which an IKE peer retransmits DPD packets. To configure the retransmission interval, run the dpd command.

DPD idle-time(s)

DPD idle time of an IKE peer. To configure a DPD idle time, run the dpd command.

DPD msg
Sequence of the payload in DPD packets.
  • seq-hash-notify: indicates that in a DPD packet, the hash payload is before the notify payload.
  • seq-notify-hash: indicates that in a DPD packet, the notify payload is before the hash payload.
To configure the sequence of the payload, run the dpd msg command.
RSA encryption-padding Padding mode of RSA encryption.
RSA signature-padding Padding mode of an RSA signature. To specify the padding mode, run the rsa signature-padding command.
ipsec sm4 version

Version of the SM4 algorithm.

Certificate-check
Whether validity verification on certificates of an IKE peer is enabled:
  • Enable
  • Disable
To disable validity verification on certificates of an IKE peer, run the certificate-check disable command.
Resource acl ACL information to be pushed by the headquarters device to the branch.

To configure ACL information, run the resource acl command.

Local ID Certificate Preference
Whether to enable the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation:
  • Enable
  • Disable

To enable this function, run the local-id-preference certificate enable command.

IKEv2 Local ID Reflect
Whether the local ID of the responder is used as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation:
  • Enable
  • Disable

To enable this function, run the local-id-reflect enable command.

display ike peer ctrl-plane

Function

The display ike peer ctrl-plane command displays the IKE peer configuration on control plane.

Format

display ike peer [ brief | name peer-name ] ctrl-plane

Parameters

Parameter Description Value
brief Displays brief information about the IKE peer. -
name peer-name Specifies the name of IKE peer. The value is an existing ike peer name.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

The output of the display ike peer ctrl-plane command is as follows:

  • Name of the IKE peer
  • Negotiation mode
  • Authentication key
  • IKE proposal
  • Type of the local ID
  • IP address of the peer
  • Name of the peer
  • Whether NAT traversal is enabled

Example

# Display configuration of the IKE peer.

<Huawei> display ike peer ctrl-plane
Number of IKE peers: 1
------------------------------------------ 
   Peer name                               : 1
   IKE version                             : v1v2
   VPN instance                            : vpn1
   Remote IP                               : 1.1.1.1
   Remote IP                               : 2.2.2.2
   Authentic IP address                    : - 
   Proposal                                : 1 
   Pre-shared-key                          : %^%#G7(t:%yFw/PVF>Jsva;"zx]oL!sw-8z\C;I}%%RY%^%#
   Local ID type                           : IP
   Local ID                                : - 
   Remote ID type                          : any
   Remote ID                               : - 
   certificate peer-name                   : abc
   PKI realm                               : test
   Inband OCSP                             : Enable
   Inband CRL                              : Disable
   cert-request empty-payload              : Enable
   VPN instance bound to the SA            : vpna
   NAT-traversal                           : Enable
   Service-scheme name                     : a
   Re-authentication interval(s)           : 333
   IKE user-table                          : 1
   AAA authorization domain                : a
   DSCP                                    : - 
   Lifetime-notification-message           : Enable
   DPD                                     : Enable
   DPD type                                : on-demand
   DPD retry-limit                         : 3
   DPD retransmit-interval(s)              : 30
   DPD idle-time(s)                        : 60
   DPD msg                                 : seq-hash-notify
   RSA encryption-padding                  : PKCS1
   RSA signature-padding                   : PKCS1 
   ipsec sm4 version                       : standard  
   Certificate-check                       : Disable   
   Resource acl                            : - 
   Local ID Certificate Preference         : Enable
   IKEv2 Local ID Reflect                  : Enable 
------------------------------------------  

# Display brief configuration of the IKE peer.

<Huawei> display ike peer brief ctrl-plane
Current ike peer number: 3                                                      
                                                                                
---------------------------------------------------------------------------     
Peer name        Version  Exchange-mode   Proposal   Id-type   RemoteAddr       
---------------------------------------------------------------------------     
1                v1v2     main            11         IP                         
peer1            v1v2     main            12         IP                       
huawei           v1v2     main            13         IP       
Table 11-22  Description of the display ike peer ctrl-plane command output

Item

Description

Number of IKE peers Number of IKE peers that have been configured.
Peer name Name of the IKE peer.
IKE version/Version
IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.
VPN instance

VPN instance name.

Exchange-mode
IKEv1 negotiation mode:
  • main
  • aggressive
  • -: not supported. The value is displayed when the IKE peer uses only IKEv2.
Remote IP/RemoteAddr IP address of the remote IKE peer.
Authentic IP address

IP address used to authenticate the remote peer during IKE negotiation, that is, the peer's address before NAT translation.

Proposal Name of the IKE proposal.
Pre-shared-key

Pre-shared key used in pre-shared key authentication.

Local ID type/Id-type

Local ID type in IKE negotiation.

Local ID

Local ID used in IKE negotiation.

Remote ID type

Remote ID type in IKE negotiation.

Remote ID

Remote ID used in IKE negotiation.

certificate peer-name

Peer name in the specified certificate.

PKI realm

PKI domain bound to the IKE peer.

Inband OCSP Whether in-band exchange of Online Certificate Status Protocol (OCSP) requests and responses within IKEv2 is enabled for the IKE peer.
Inband CRL Whether in-band exchange of certificate revocation list (CRL) requests and responses within IKEv2 is enabled for the IKE peer.
cert-request empty-payload Whether the device sends an empty certificate request payload, that is, one that carries no CA information.
VPN instance bound to the SA

Name of the VPN instance bound to the IPSec tunnel.

NAT-traversal

Whether NAT traversal is enabled.

Service-scheme name

AAA scheme referenced by an IKE peer.

Re-authentication interval(s)

IKEv2 re-authentication interval.

IKE user-table

IKE user table referenced by an IKE peer.

AAA authorization domain

AAA authorization domain referenced by an IKE peer.

DSCP

DSCP value of IKE packets of an IKE peer.

Lifetime-notification-message

Whether the device is enabled to send notification messages of the IKE SA lifetime.

DPD

Whether the DPD function is enabled.

DPD type
DPD mode of an IKE peer.
  • on-demand: DPD is performed on demand.
  • periodic: DPD is performed periodically.
DPD retry-limit

Number of times that an IKE peer can retransmit DPD packets.

DPD retransmit-interval(s)

Interval at which an IKE peer retransmits DPD packets.

DPD idle-time(s)

DPD idle time of an IKE peer.

DPD msg
Sequence of the payload in DPD packets.
  • seq-hash-notify
  • seq-notify-hash
RSA encryption-padding Padding mode of RSA encryption.
RSA signature-padding Padding mode of an RSA signature.
ipsec sm4 version

Version of the SM4 algorithm.

Certificate-check

Whether validity verification on certificates of an IKE peer is enabled.

Resource acl ACL information to be pushed by the headquarters device to the branch.
Local ID Certificate Preference
Whether to enable the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.
  • Enable
  • Disable

To enable this function, run the local-id-preference certificate enable command.

IKEv2 Local ID Reflect
Whether the local ID of the responder is used as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.
  • Enable
  • Disable

To enable this function, run the local-id-reflect enable command.

display ike proposal (All views)

Function

The display ike proposal command displays the IKE proposal configuration.

Format

display ike proposal [ number proposal-number ]

display ike proposal default

Parameters

Parameter

Description

Value

number proposal-number

Specifies the number of an IKE proposal. A smaller IKE proposal number indicates a higher priority.

The value is an integer that ranges from 1 to 99.

default Displays information about the default IKE proposal. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

IKE proposals are displayed in ascending order of IKE proposal number.

Example

# Display the configuration of all IKE proposals.

<Huawei> display ike proposal
                                                                                
Number of IKE Proposals: 2                                                      
                                                                                
-------------------------------------------                                     
 IKE Proposal: 1                                                                
   Authentication Method      : PRE_SHARED                                      
   Authentication Algorithm   : SHA2-256                                        
   Encryption Algorithm       : AES-256                                         
   Diffie-Hellman Group       : MODP-2048
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256                                   
   Prf Algorithm              : HMAC-SHA2-256                                   
-------------------------------------------                                     
                                                                                
-------------------------------------------                                     
 IKE Proposal: Default                                                          
   Authentication Method      : PRE_SHARED                                      
   Authentication Algorithm   : SHA2-256                                        
   Encryption Algorithm       : AES-256                                         
   Diffie-Hellman Group       : MODP-1024                                       
   SA Duration(Seconds)       : 86400                                           
   Integrity Algorithm        : HMAC-SHA2-256                                   
   Prf Algorithm              : HMAC-SHA2-256                                   
------------------------------------------- 
Table 11-23  Description of the display ike proposal command output

Item

Description

Number of IKE Proposals Number of IKE proposals displayed.

IKE Proposal

IKE proposal number. To configure an IKE proposal, run the ike proposal command.

Authentication Method

Authentication method used in the IKE proposal:
  • PRE_SHARED: pre-shared key authentication
  • RSA-SIGNATURE: RSA signature authentication

To configure an authentication method, run the authentication-method command.

Authentication Algorithm

Authentication algorithm used in the IKE proposal (the bit length is that of the digest the algorithm produces):
  • MD5: 128-bit digest.
  • SHA1: 160-bit digest.
  • SHA2-256: 256-bit digest.
  • SHA2-384: 384-bit digest.
  • SHA2-512: 512-bit digest.
To configure an authentication algorithm, run the authentication-algorithm command.
NOTE:

The MD5 and SHA-1 algorithms have potential security risks. The SHA2 algorithm is recommended.

Encryption Algorithm

Encryption algorithm used in the IKE proposal:
  • 3DES: 168-bit 3DES-CBC encryption algorithm
  • AES-128: 128-bit AES encryption algorithm
  • AES-192: 192-bit AES encryption algorithm
  • AES-256: 256-bit AES encryption algorithm
  • DES: DES-CBC encryption algorithm
To configure an encryption algorithm, run the encryption-algorithm command.
NOTICE:

The DES and 3DES algorithms have potential security risks. The AES algorithm is recommended.

Diffie-Hellman Group

DH group in the IKE proposal:
  • MODP-768: 768-bit Diffie-Hellman group
  • MODP-1024: 1024-bit Diffie-Hellman group
  • MODP-1536: 1536-bit Diffie-Hellman group
  • MODP-2048: 2048-bit Diffie-Hellman group
  • ECP-256: 256-bit ECP Diffie-Hellman group
  • ECP-384: 384-bit ECP Diffie-Hellman group
  • ECP-521: 521-bit ECP Diffie-Hellman group

To configure a DH group, run the dh command.
NOTE:

MODP-768 and MODP-1024 no longer provide adequate strength against well-resourced attackers. MODP-2048 or an ECP group is recommended.

SA Duration(Seconds)

IKE SA lifetime. To set the IKE SA lifetime, run the sa duration command.

Integrity Algorithm

Integrity algorithm in the IKE proposal:
  • AES-XCBC-96: AES-XCBC-96 algorithm
  • HMAC-MD5-96: HMAC-MD5-96 algorithm
  • HMAC-SHA1-96: HMAC-SHA1-96 algorithm
  • HMAC-SHA2-256: HMAC-SHA2-256 algorithm
  • HMAC-SHA2-384: HMAC-SHA2-384 algorithm
  • HMAC-SHA2-512: HMAC-SHA2-512 algorithm
Only IKEv2 negotiation requires the integrity algorithm. To configure an integrity algorithm, run the integrity-algorithm command.
NOTE:

The HMAC-MD5-96 and HMAC-SHA1-96 algorithms have potential security risks. The HMAC-SHA2-256, HMAC-SHA2-384, or HMAC-SHA2-512 algorithm is recommended.

Prf Algorithm

Algorithm used to generate a pseudo random number in the IKE proposal:
  • AES-XCBC-128: AES-XCBC-128 algorithm
  • HMAC-MD5: HMAC-MD5 algorithm
  • HMAC-SHA1: HMAC-SHA1 algorithm
  • HMAC-SHA2-256: HMAC-SHA2-256 algorithm
  • HMAC-SHA2-384: HMAC-SHA2-384 algorithm
  • HMAC-SHA2-512: HMAC-SHA2-512 algorithm
Only IKEv2 requires the PRF algorithm. To specify an algorithm used to generate a pseudo random number, run the prf command.
NOTE:

The HMAC-MD5 and HMAC-SHA1 algorithms have potential security risks. The AES-XCBC-128, HMAC-SHA2-256, HMAC-SHA2-384, or HMAC-SHA2-512 algorithm is recommended.
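The following is an added example, not part of this command reference and not Huawei code. It parses saved display ike proposal output and saved display ike peer ctrl-plane output (Table 11-22) with one small "Item : Value" block parser, because both commands print that layout, and reports the weak settings named in the NOTE and NOTICE text above (MD5/SHA1 authentication, DES/3DES encryption, HMAC-MD5/HMAC-SHA1 integrity and PRF) together with three peer settings that weaken authentication or liveness checking (Certificate-check Disable, Remote ID type any, DPD Disable). The sample output, the peer names, the decision to treat MODP-768/MODP-1024 and those peer settings as weak, and all function names are this example's own assumptions.

```python
"""Audit IKE proposal and IKE peer settings from saved CLI output (added example)."""
import re
from typing import Dict, List

# Constructed sample output, modelled on the examples in this reference.
# Proposal 5 and peer "branch" are invented to exercise the checks.
SAMPLE_PROPOSALS = """\
Number of IKE Proposals: 3

-------------------------------------------
 IKE Proposal: 1
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA2-256
   Encryption Algorithm       : AES-256
   Diffie-Hellman Group       : MODP-2048
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256
   Prf Algorithm              : HMAC-SHA2-256
-------------------------------------------
 IKE Proposal: 5
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA1
   Encryption Algorithm       : 3DES
   Diffie-Hellman Group       : MODP-1024
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA1-96
   Prf Algorithm              : HMAC-SHA1
-------------------------------------------
 IKE Proposal: Default
   Authentication Method      : PRE_SHARED
   Authentication Algorithm   : SHA2-256
   Encryption Algorithm       : AES-256
   Diffie-Hellman Group       : MODP-1024
   SA Duration(Seconds)       : 86400
   Integrity Algorithm        : HMAC-SHA2-256
   Prf Algorithm              : HMAC-SHA2-256
-------------------------------------------
"""

SAMPLE_PEERS = """\
Number of IKE peers: 2
------------------------------------------
   Peer name                               : 1
   IKE version                             : v1v2
   Remote IP                               : 192.0.2.10
   Proposal                                : 1
   Local ID type                           : IP
   Remote ID type                          : any
   NAT-traversal                           : Enable
   DPD                                     : Enable
   DPD type                                : on-demand
   Certificate-check                       : Disable
------------------------------------------
   Peer name                               : branch
   IKE version                             : v2
   Remote IP                               : 198.51.100.7
   Proposal                                : 7
   Local ID type                           : IP
   Remote ID type                          : IP
   NAT-traversal                           : Enable
   DPD                                     : Disable
   Certificate-check                       : Enable
------------------------------------------
"""

# Values this audit treats as weak. The algorithm rows follow the NOTE/NOTICE text of
# the proposal table; the MODP rows and the three peer rows are this example's own
# policy (assumption), not statements taken from the reference.
WEAK_VALUES: Dict[str, set] = {
    "Authentication Algorithm": {"MD5", "SHA1"},
    "Encryption Algorithm": {"DES", "3DES"},
    "Diffie-Hellman Group": {"MODP-768", "MODP-1024"},
    "Integrity Algorithm": {"HMAC-MD5-96", "HMAC-SHA1-96"},
    "Prf Algorithm": {"HMAC-MD5", "HMAC-SHA1"},
    "Certificate-check": {"Disable"},   # peer certificate validity is not verified
    "Remote ID type": {"any"},          # peer identity is not matched against a configured ID
    "DPD": {"Disable"},                 # dead peers are never detected
}

KV_RE = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_blocks(text: str, header_key: str) -> Dict[str, Dict[str, str]]:
    """Split "Item : Value" CLI output into {block_name: {item: value}}.

    A new block starts at each line whose item equals header_key ("IKE Proposal" for
    display ike proposal, "Peer name" for display ike peer ctrl-plane). Separator
    lines and the counter printed before the first block are ignored.
    """
    blocks: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val")
        if key == header_key:
            current = blocks.setdefault(val, {})
        elif blocks:
            current[key] = val
    return blocks


def weak_items(items: Dict[str, str]) -> List[str]:
    """Return "Item = value" strings for every setting that matches WEAK_VALUES."""
    found = []
    for item, weak in WEAK_VALUES.items():
        val = items.get(item)
        if val is not None and val.upper() in {w.upper() for w in weak}:
            found.append(f"{item} = {val}")
    return found


def audit_ike(peer_text: str, proposal_text: str) -> List[str]:
    """Audit every proposal, then every peer, and check each peer's proposal reference."""
    proposals = parse_blocks(proposal_text, "IKE Proposal")
    peers = parse_blocks(peer_text, "Peer name")
    findings: List[str] = []
    for name, items in proposals.items():
        findings += [f"proposal {name}: {f}" for f in weak_items(items)]
    for name, items in peers.items():
        findings += [f"peer {name}: {f}" for f in weak_items(items)]
        ref = items.get("Proposal")
        if ref and ref != "-" and ref not in proposals:
            findings.append(f"peer {name}: references undefined proposal {ref}")
    return findings


if __name__ == "__main__":
    for finding in audit_ike(SAMPLE_PEERS, SAMPLE_PROPOSALS):
        print(finding)
```

Feed the script the two outputs captured from the device (for example via a terminal log) rather than typing them in; the parser keys on the "IKE Proposal" and "Peer name" items, so the separator lines between blocks do not matter. A proposal that is weak but referenced by no peer is still reported, because the Default proposal applies whenever a peer does not name one.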

display ike proposal ctrl-plane

Function

The display ike proposal ctrl-plane command displays the IKE proposal configuration on control plane.

Format

display ike proposal [ number proposal-number ] ctrl-plane

Parameters

Parameter Description Value
number proposal-number

Specifies the number of an IKE proposal. A smaller IKE proposal number indicates a higher priority.

The value is an integer that ranges from 1 to 99.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

None.

Example

# Display the control-plane configuration of IKE proposal 10.

<Huawei> display ike proposal number 10 ctrl-plane
-------------------------------------------                                     
 IKE Proposal: 10                                                               
   Authentication Method      : PRE_SHARED                                      
   Authentication Algorithm   : SHA2-256                                        
   Encryption Algorithm       : AES-256                                         
   Diffie-Hellman Group       : MODP-1024                                       
   SA Duration(Seconds)       : 86400                                           
   Integrity Algorithm        : HMAC-SHA2-256                                   
   Prf Algorithm              : HMAC-SHA2-256                                   
-------------------------------------------      
Table 11-24  Description of the display ike proposal ctrl-plane command output

Item

Description

IKE Proposal

IKE proposal number.
Authentication Method
Authentication mode in the IKE proposal:
  • PRE_SHARED: pre-shared key authentication.
  • RSA-SIGNATURE: RSA signature authentication.
  • DIGITAL-ENVELOPE: digital envelope authentication.
Authentication Algorithm
Authentication algorithm in the IKE proposal (the bit length is that of the digest the algorithm produces):
  • MD5: 128-bit digest.
  • SHA1: 160-bit digest.
  • SHA2-256: 256-bit digest.
  • SHA2-384: 384-bit digest.
  • SHA2-512: 512-bit digest.
Encryption Algorithm
Encryption algorithm in the IKE proposal:
  • 3DES: 168-bit 3DES-CBC encryption algorithm.
  • AES-128: 128-bit AES encryption algorithm.
  • AES-192: 192-bit AES encryption algorithm.
  • AES-256: 256-bit AES encryption algorithm.
  • DES: DES-CBC encryption algorithm.
Diffie-Hellman Group
DH group in the IKE proposal:
  • MODP-768: 768-bit Diffie-Hellman group.
  • MODP-1024: 1024-bit Diffie-Hellman group.
  • MODP-1536: 1536-bit Diffie-Hellman group.
  • MODP-2048: 2048-bit Diffie-Hellman group.
  • MODP-3072: 3072-bit Diffie-Hellman group.
  • MODP-4096: 4096-bit Diffie-Hellman group.
SA Duration(Seconds) IKE (ISAKMP) SA lifetime used in the IKE proposal, in seconds.
Integrity Algorithm
Integrity algorithm in the IKE proposal:
  • AES-XCBC-96: AES-XCBC-96 algorithm.
  • HMAC-MD5-96: HMAC-MD5-96 algorithm.
  • HMAC-SHA1-96: HMAC-SHA1-96 algorithm.
  • HMAC-SHA2-256: HMAC-SHA2-256 algorithm.
  • HMAC-SHA2-384: HMAC-SHA2-384 algorithm.
  • HMAC-SHA2-512: HMAC-SHA2-512 algorithm.
Prf Algorithm
Algorithm used to generate a pseudo random number in the IKE proposal:
  • AES-XCBC-128: AES-XCBC-128 algorithm.
  • HMAC-MD5: HMAC-MD5 algorithm.
  • HMAC-SHA1: HMAC-SHA1 algorithm.
  • HMAC-SHA2-256: HMAC-SHA2-256 algorithm.
  • HMAC-SHA2-384: HMAC-SHA2-384 algorithm.
  • HMAC-SHA2-512: HMAC-SHA2-512 algorithm.

display ike sa

Function

The display ike sa command displays information about SAs established through IKE negotiation.

Format

display ike sa [ remote ipv4-address ]

display ike sa [ remote-id-type remote-id-type ] remote-id remote-id

display ike sa verbose { remote ipv4-address | connection-id connection-id | [ remote-id-type remote-id-type ] remote-id remote-id }

Parameters

Parameter Description Value
remote ipv4-address Specifies the IPv4 address of the remote peer. The value is in dotted decimal notation.
remote-id-type remote-id-type Specifies a remote ID type. The remote ID type can be ip, dn, key-id, fqdn, or user-fqdn.
remote-id remote-id Specifies the remote ID. The remote ID must be an existing one.
verbose

Displays detailed information about SAs.

-
connection-id connection-id

Specifies the connection ID of an SA.

The value is an integer that ranges from 1 to 4294967295.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ike sa command to check the following SA information: connection ID, peer IP address, VPN instance name, SA phase, remote ID type, remote ID, and SA status.

If the local ID or remote ID is modified after an IPSec tunnel has been established, the display ike sa command continues to show the old IDs until the tunnel is re-negotiated.

Example

# Display IKE SAs and IPSec SAs.

<Huawei> display ike sa
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ----------------------------------------------------------------------------------
    117477244     10.100.1.1:4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477243     10.100.1.1:4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477242     10.100.1.1:4500 vrf1  RD|M      v2:1    IP          10.100.1.1
                                                                                
   Number of IKE SA : 3                                                    
  ----------------------------------------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING                     
Table 11-25  Description of the display ike sa command output

Item

Description

IKE SA information Information about the established SAs.
Conn-ID Connection ID of an SA.
Peer IP address and UDP port number of the peer.
VPN VPN instance bound to the interface to which the IPSec policy is applied.
Flag(s) SA status:
  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet after the last heartbeat timeout. The SA will be deleted if it still does not receive any heartbeat packet till the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO: It is the last known sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty (no flag): IKE SA negotiation has not completed, usually because the settings at the two ends of the tunnel do not match.

Phase Phase of the SA:
  • v1:1 or v2:1: v1 and v2 are the IKE version. The digit 1 indicates phase 1, in which the secure channel (the IKE SA) is established.
  • v1:2 or v2:2: v1 and v2 are the IKE version. The digit 2 indicates phase 2, in which the security service (the IPSec SA) is negotiated.
RemoteType Remote ID type.
RemoteID Remote ID.
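As an added example that is not part of this reference, the following Python parses the tabular output of display ike sa shown above and applies the Flag(s) and Phase semantics from Table 11-25: it reports SAs that are negotiating, timed out, fading or replaced, rows whose Flag(s) column is empty, and peers that hold a phase-1 SA but no phase-2 SA. The sample output is constructed: the first three rows mirror the example above, the remaining rows are invented to exercise the checks, and the treatment of a row with a blank Flag(s) column as a six-column row is an assumption about how the device prints it.

```python
"""Parse the table printed by display ike sa and flag SAs that need attention (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample. Rows 1-3 mirror the reference's example; rows 4-6 (a negotiating
# SA, a heartbeat timeout, and an empty Flag(s) column) are invented.
SAMPLE = """\
IKE SA information :
    Conn-ID       Peer            VPN   Flag(s)   Phase   RemoteType  RemoteID
  ----------------------------------------------------------------------------------
    117477244     10.100.1.1:4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477243     10.100.1.1:4500 vrf1  RD|M      v2:2    IP          10.100.1.1
    117477242     10.100.1.1:4500 vrf1  RD|M      v2:1    IP          10.100.1.1
    117477250     10.100.2.7:500  vrf1  NEG|M     v1:1    IP          10.100.2.7
    117477251     10.100.3.9:500  vrf1  RD|TO|M   v1:1    IP          10.100.3.9
    117477260     10.100.4.4:500  vrf1            v1:1    IP          10.100.4.4

   Number of IKE SA : 6
  ----------------------------------------------------------------------------------

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING
"""

# Flags whose presence means the SA is not in a steady, usable state (Table 11-25).
TRANSIENT_FLAGS = {
    "NEG": "still negotiating",
    "TO": "heartbeat/DPD timeout",
    "FD": "soft lifetime expired, rekey pending",
    "RL": "replaced by a newer SA",
}


@dataclass(frozen=True)
class IkeSa:
    conn_id: int
    peer: str               # remote address and UDP port, e.g. 10.100.1.1:4500
    vpn: str
    flags: FrozenSet[str]
    version: str            # "v1" or "v2"
    phase: int              # 1 = IKE SA, 2 = IPSec SA negotiated through it
    remote_type: str
    remote_id: str


def parse_ike_sa_table(text: str) -> List[IkeSa]:
    """Return one IkeSa per data row; header, separator, counter and legend lines are skipped."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue                      # only data rows start with a numeric Conn-ID
        if len(tokens) == 6:
            tokens.insert(3, "")          # blank Flag(s) column (the "Empty" case); assumption
        if len(tokens) != 7:
            continue
        conn, peer, vpn, flags, phase, rtype, rid = tokens
        version, _, num = phase.partition(":")
        sas.append(IkeSa(int(conn), peer, vpn,
                         frozenset(f for f in flags.split("|") if f),
                         version, int(num), rtype, rid))
    return sas


def unhealthy_sas(sas: List[IkeSa]) -> List[Tuple[int, str, str]]:
    """(Conn-ID, peer, reason) for every SA that is not simply READY."""
    out: List[Tuple[int, str, str]] = []
    for sa in sas:
        reasons = [why for flag, why in TRANSIENT_FLAGS.items() if flag in sa.flags]
        if not sa.flags:
            reasons.append("no flags (negotiation incomplete; compare settings on both ends)")
        elif "RD" not in sa.flags and "NEG" not in sa.flags:
            reasons.append("not ready")
        if reasons:
            out.append((sa.conn_id, sa.peer, "; ".join(reasons)))
    return out


def peers_without_child_sa(sas: List[IkeSa]) -> List[str]:
    """Peers that hold a phase-1 (IKE) SA but no phase-2 (IPSec) SA."""
    phases: Dict[str, set] = {}
    for sa in sas:
        phases.setdefault(sa.peer, set()).add(sa.phase)
    return sorted(peer for peer, seen in phases.items() if 1 in seen and 2 not in seen)


if __name__ == "__main__":
    parsed = parse_ike_sa_table(SAMPLE)
    for conn_id, peer, reason in unhealthy_sas(parsed):
        print(f"{conn_id} {peer}: {reason}")
    print("phase 1 only:", ", ".join(peers_without_child_sa(parsed)))
```

A phase-1 SA with no phase-2 SA is not always a fault (with IKEv1 the phase 2 exchange is triggered by traffic), but for IKEv2 the first IPSec SA is created in the same exchange as the IKE SA, so a lone v2:1 entry usually means the child SA was deleted and is worth checking together with the DPD and lifetime settings of that peer.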

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv1 to negotiate IPSec SAs.

<Huawei> display ike sa verbose remote 10.100.1.1
 
IKE SA information :
-----------------------------------------------
Ike Sa phase   : 2
Establish Time : 2015-09-18 18:58:24
PortCfg Index  : 0xe
IKE Peer Name  : zhe
Connection Id  : 67126707
Version        : v1
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie         : 0x a7b1c107a7a67b1
Responder Cookie        : 0xf70b111e391f79a9
Local Address           : 10.2.1.1
Remote Address          : 10.1.1.1:4500
PFS                     : dh-group14 
Flags                   : RD|ST|S
------------------------------------------------

------------------------------------------------
Ike Sa phase   : 1
Establish Time :
PortCfg Index  : 0xe
IKE Peer Name  : zhe
Connection Id  : 67125326
Version        : v1
Exchange Mode  : Main 
Flow VPN       :
Peer VPN       :
------------------------------------------------
Intiator Cookie                : 0x a7b1c107a7a67b1
Responder Cookie               : 0xf70b111e391f79a9
Local Address                  : 10.2.1.1
Remote Address                 : 10.1.1.1:4500
Encryption Algorithm           : AES-256
Authentication Algorithm       : SHA2-256
Authentication Method          : Pre-Shared key
DPD Capability                 : Yes
DPD Enable                     : Yes 
Remaining Duration             : 11168
Reference Counter              : 60
Flags                          : RD|ST|S
Remote Id Type                 : IP
Remote Id                      : 10.136.24.108
DH Group                       : group14
NAT Traversal Version          : RFC3947
ModeCfg IP                     : 10.10.1.36
------------------------------------------------
                                                                                
   Number of IKE SA : 2
------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING

# Display detailed information about established IKE SAs and IPSec SAs when the peers use IKEv2 to negotiate IPSec SAs.

<Huawei> display ike sa verbose remote 10.100.1.1
  
Ike sa verbose information : 
------------------------------------------------                                
Ike Sa phase   : 2                                                              
Establish Time : 2015-09-18 18:58:24                                            
PortCfg Index  : 0x4                                                            
IKE Peer Name  : ptest                                                          
Connection Id  : 117440514                                                      
Version        : v2                                                             
Flow VPN       :                                                                
Peer VPN       :                                                                
------------------------------------------------                                
Intiator Cookie         : 0x10dbb95cdb031726                                    
Responder Cookie        : 0x4ba2840bddcf74fd                                    
Local Address           : 10.2.1.1
Remote Address          : 10.1.1.1:4500
PFS                     : dh-group14 
Flags                   : RD|ST|A
------------------------------------------------                                
                                                                                
------------------------------------------------                                
Ike Sa phase   : 1                                                              
Establish Time : 2015-09-18 18:58:24                                            
PortCfg Index  : 0x4                                                            
IKE Peer Name  : ptest                                                          
Connection Id  : 117440513                                                      
Version        : v2 
Flow VPN       :                                                                
Peer VPN       :                                                                
------------------------------------------------                                
Intiator Cookie                        : 0x10dbb95cdb031726                                    
Responder Cookie                       : 0x4ba2840bddcf74fd                                    
Local Address                          : 10.2.1.1 
Remote Address                         : 10.1.1.1:4500
Encryption Algorithm                   : AES-256                                               
Authentication Method                  : Pre-Shared key                                        
Integrity Algorithm                    : hmac-sha2-256                                         
Prf Algorithm                          : hmac-sha2-256
DPD Capability                         : Yes
DPD Enable                             : Yes 
Remaining Duration                     : 11168
Reference Counter                      : 1                                                     
Flags                                  : RD|ST|A 
Remote Id Type                         : IP
Remote Id                              : 10.136.24.108
DH Group                               : group2
Re-authentication remaining time (sec) : -  
ModeCfg IP                             : 10.10.1.36
------------------------------------------------                                
                                                                                
   Number of IKE SA : 2
------------------------------------------------
                                                                                
  Flag Description:                                                             
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT           
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP                
  M--ACTIVE   S--STANDBY   A--ALONE  NEG--NEGOTIATING 
Table 11-26  Description of the display ike sa verbose command output

Item

Description

Ike Sa phase Phase of the SA:
  • 1: IKE peers authenticate each other and establish a secure channel. An IKE SA is established in this phase.
  • 2: IKE peers negotiate security services over that channel. An IPSec SA is established in this phase.
Establish Time Time when the SA was created.
PortCfg Index Index of the interface where the IPSec policy was applied to.
IKE Peer Name IKE peer name. To configure an IKE peer, run the ike peer command.
Connection Id

Connection ID of an SA.

Version
IKE version of the IKE peer:
  • v1: IKEv1 is enabled.
  • v2: IKEv2 is enabled.
  • v1v2: Both IKEv1 and IKEv2 are enabled.

To configure an IKE version, run the version command.

Exchange Mode Negotiation mode of the IKEv1 phase 1.
  • Main: main mode.
  • Aggressive: aggressive mode.

To configure the negotiation mode, run the exchange-mode command.

Flow VPN VPN instance to which the data flow belongs. To configure it, run the sa binding vpn-instance command.
Peer VPN VPN instance to which the peer belongs. To configure it, run the sa binding vpn-instance command.
Intiator Cookie Cookie of the initiator.
Responder Cookie Cookie of the responder.
Local Address

Local IP address of an IPSec tunnel. To configure the local IP address of an IPSec tunnel, run the tunnel local command.

Remote Address Remote IP address and UDP port number of an IPSec tunnel. To configure the remote IP address of an IPSec tunnel, run the tunnel remote command.
Encryption Algorithm Encryption algorithm in the IKE proposal. To configure an encryption algorithm, run the encryption-algorithm command.
Authentication Algorithm Authentication algorithm in the IKE proposal. To configure an authentication algorithm, run the authentication-algorithm command.
Authentication Method Authentication method in the IKE proposal. To configure an authentication method, run the authentication-method command.
Integrity Algorithm Integrity algorithm used in an IKEv2 proposal. To configure an integrity algorithm, run the integrity-algorithm command.
Prf Algorithm Pseudo-random function (PRF) used in an IKEv2 proposal. To configure a PRF algorithm, run the prf command.
DPD Capability
Whether the DPD capability was successfully negotiated with the peer.
  • Yes
  • No
DPD Enable
Whether the DPD function is enabled.
  • Yes
  • No

To enable this function, run the dpd type command.

Remaining Duration Remaining lifetime of an SA.
Reference Counter

Number of IPSec SAs negotiated by the IKE SA.

Flags SA status:
  • RD--READY: The SA has been established successfully.

  • ST--STAYALIVE: This end is the initiator of tunnel negotiation.

  • RL--REPLACED: This SA has been replaced by a new one and will be deleted after a period of time.

  • FD--FADING: A soft timeout has occurred, but the SA is still in use. The SA will be deleted when the hard lifetime expires.

  • TO--TIMEOUT: This SA has not received any heartbeat packet after the last heartbeat timeout. The SA will be deleted if it still does not receive any heartbeat packet till the next heartbeat timeout.

  • HRT--HEARTBEAT: The local IKE SA sends heartbeat packets.

  • LKG--LAST KNOWN GOOD SEQ NO.: It is the last known sequence number.

  • BCK--BACKED UP: The SA is backed up.

  • M--ACTIVE: The IPSec policy group is in active state.

  • S--STANDBY: The IPSec policy group is in standby state.

  • A--ALONE: The IPSec policy group is not backed up.

  • NEG--NEGOTIATING: The devices are negotiating an SA.

  • Empty (no flag): IKE SA negotiation has not completed, usually because the settings at the two ends of the tunnel do not match.

PFS

Perfect Forward Secrecy (PFS) when the local end initiates negotiation. To enable this function, run the pfs command.

Remote Id Type Remote ID type. To configure the remote ID type, run the remote-id-type command.
Remote Id Remote ID for IKE negotiation. To configure the remote ID, run the remote-id command.
DH Group

DH group in the IKE proposal. To configure a DH group, run the dh command.

NAT Traversal Version

Version of NAT traversal.
  • draft-ietf-ipsec-nat-t-ike-00
  • draft-ietf-ipsec-nat-t-ike-02
  • RFC3947
Re-authentication remaining time (sec)

Remaining time for IKEv2 to initiate re-authentication, in seconds.

When the IKEv2 re-authentication interval is configured but the device is the responder, the device does not initiate re-authentication, so this field shows -. View the remaining time on the initiator.

ModeCfg IP

IP address allocated through mode configuration.

Number of IKE SA

Total number of IKE SAs and IPSec SAs.

display ike statistics

Function

The display ike statistics command displays IKE statistics.

Format

display ike statistics { v1 | v2 }

Parameters

Parameter Description Value
v1 Displays IKEv1 statistics. -
v2 Displays IKEv2 statistics. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

When a fault occurs on the IPSec tunnel that is established through IKE negotiation, you can check statistics about IKE peers, IKE SAs, and DPD packets to diagnose and locate the fault.

Example

# Display IKEv1 statistics.

<Huawei> display ike statistics v1  
--------------------------------------------------------------------------------
 IKE V1 statistics information                                                  
 
 Number of total peers                        : 7                               
 Maximum of total peers in history            : 0
 Begin time of total peers                    : 2015-04-08 21:23:10             
 Maximum time of total peers                  : 2015-04-08 21:23:10             
 Number of proposals                          : 4                               
 Number of established V1 phase 1 SAs         : 0                               
 Number of established V1 phase 2 SAs         : 0                               
 Number of total V1 phase 1 SAs               : 0                               
 Number of total V1 phase 2 SAs               : 0                               
 Number of total SAs                          : 0                               
 Maximum of V1 phase 1 SAs in history         : 0                               
 Begin time of V1 phase 1 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V1 phase 1 SAs               : 2015-04-08 21:23:10             
 Maximum of V1 phase 2 SAs in history         : 0                               
 Begin time of V1 phase 2 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V1 phase 2 SAs               : 2015-04-08 21:23:10             
 Maximum of total SAs in history              : 0                               
 Begin time of total SAs                      : 2015-04-08 21:23:10             
 Maximum time of total SAs                    : 2015-04-08 21:23:10             
 Number of messages in V1 fast queue          : 0                               
 Number of messages in V1 slow queue          : 0                               
 Number of DPD request sent                   : 0                               
 Number of DPD ack received                   : 0                               
 Number of DPD request received               : 0                               
 Number of DPD ack sent                       : 0
--------------------------------------------------------------------------------

# Display IKEv2 statistics.

<Huawei> display ike statistics v2                                                    
--------------------------------------------------------------------------------
 IKE V2 statistics information                                                  
 
 Number of total peers                        : 0                               
 Maximum of total peers in history            : 0
 Begin time of total peers                    : 2015-04-08 21:23:10             
 Maximum time of total peers                  : 2015-04-08 21:23:10             
 Number of proposals                          : 4                               
 Number of established V2 phase 1 SAs         : 0                               
 Number of established V2 phase 2 SAs         : 0                               
 Number of total V2 phase 1 SAs               : 0                               
 Number of total V2 phase 2 SAs               : 0                               
 Number of total SAs                          : 0                               
 Maximum of V2 phase 1 SAs in history         : 0                               
 Begin time of V2 phase 1 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V2 phase 1 SAs               : 2015-04-08 21:23:10             
 Maximum of V2 phase 2 SAs in history         : 0                               
 Begin time of V2 phase 2 SAs                 : 2015-04-08 21:23:10             
 Maximum time of V2 phase 2 SAs               : 2015-04-08 21:23:10             
 Maximum of total SAs in history              : 0                               
 Begin time of total SAs                      : 2015-04-08 21:23:10             
 Maximum time of total SAs                    : 2015-04-08 21:23:10             
 Number of messages in V2 fast queue          : 0                               
 Number of messages in V2 slow queue          : 0                               
 Number of DPD request sent                   : 0                               
 Number of DPD ack received                   : 0                               
 Number of DPD request received               : 0                               
 Number of DPD ack sent                       : 0
--------------------------------------------------------------------------------
Table 11-27  Description of the display ike statistics command output

Item

Description

IKE V1 statistics information

IKEv1 statistics.

IKE V2 statistics information

IKEv2 statistics.

Number of total peers

Total number of peers.

Maximum of total peers in history

Historical maximum number of IKE peers.

Begin time of total peers

Time when the system started to count the number of IKE peers.

Maximum time of total peers

Time when the total number of IKE peers reached the maximum value.

Number of proposals

Number of IKE proposals.

Number of established V1/V2 phase 1 SAs

Total number of IKE SAs that have been established successfully.

Number of established V1/V2 phase 2 SAs

Total number of IPSec SAs that have been established successfully.

Number of total V1/V2 phase 1 SAs

Total number of IKE SAs.

Number of total V1/V2 phase 2 SAs

Total number of IPSec SAs.

Number of total SAs

Total number of SAs.

Maximum of V1/V2 phase 1 SAs in history

Historical maximum number of IKE SAs.

Begin time of V1/V2 phase 1 SAs

Time when the system started to count the number of IKE SAs.

Maximum time of V1/V2 phase 1 SAs

Time when the total number of IKE SAs reached the maximum value.

Maximum of V1/V2 phase 2 SAs in history

Historical maximum number of IPSec SAs.

Begin time of V1/V2 phase 2 SAs

Time when the system started to count the number of IPSec SAs.

Maximum time of V1/V2 phase 2 SAs

Time when the total number of IPSec SAs reached the maximum value.

Maximum of total SAs in history

Historical maximum number of total SAs.

Begin time of total SAs

Time when the system started to count the total number of SAs.

Maximum time of total SAs

Time when the total number of SAs reached the maximum value.

Number of messages in V1/V2 fast queue

Number of IKE messages in high-priority queues.

Number of messages in V1/V2 slow queue

Number of IKE messages in low-priority queues.

Number of DPD request sent

Number of DPD request packets sent from the local end.

Number of DPD ack received

Number of DPD ack packets received by the local end.

Number of DPD request received

Number of DPD request packets received by the local end.

Number of DPD ack sent

Number of DPD ack packets sent from the local end.

display ikev2 statistics

Function

The display ikev2 statistics command displays statistics on IPSec tunnels negotiated using IKEv2.

Format

display ikev2 statistics { eap | error | notify-info | packet | sa }

Parameters

Parameter

Description

Value

eap

Displays EAP statistics on IPSec tunnels negotiated using IKEv2.

-

error

Displays error statistics on IPSec tunnels negotiated using IKEv2.

-

notify-info

Displays notification message statistics on IPSec tunnels negotiated using IKEv2.

-

packet

Displays packet statistics on IPSec tunnels negotiated using IKEv2.

-

sa

Displays SA statistics on IPSec tunnels negotiated using IKEv2.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to view error, packet, SA, EAP, and notification message statistics on IPSec tunnels negotiated using IKEv2.

Example

# Display EAP statistics on IPSec tunnels negotiated using IKEv2.
<Huawei> display ikev2 statistics eap

Ikev2 eap and modecfg statistics:
-------------------------------------------------------------------------------
Eap user auth success                                       :0
Eap auth timeout                                            :0
Eap auth fail                                               :0
Eap user get authorized IP address                          :0
Eap user go online number                                   :0
Eap user go offline number                                  :0
Eap user cut message                                        :0
Send ip address allocation request                          :0
Send ip address allocation request timeout                  :0
Receive ip address allocation request ack                   :0
Receive ip address allocation request nack                  :0
Send ip address release request                             :0
Receive ip address release request nack                     :0
Fail to process the ip address allocation                   :0
Ip address allocated fail to save                           :0
Ip address allocated exist but receive duplicate ip request :0
-------------------------------------------------------------------------------
Table 11-28  Description of the display ikev2 statistics eap command output

Item

Description

Ikev2 eap and modecfg statistics

IKEv2 EAP and mode configuration statistics.

Eap user auth success

EAP users pass the authentication successfully.

Eap auth timeout

EAP authentication timed out.

Eap auth fail

EAP authentication failed.

Eap user get authorized IP address

EAP users obtained authorized IP addresses.

Eap user go online number

Number of times EAP users go online.

Eap user go offline number

Number of times EAP users go offline.

Eap user cut message

Number of times EAP users are forced offline.

Send ip address allocation request

The device sends an IP address allocation request message.

Send ip address allocation request timeout

The IP address request message times out.

Receive ip address allocation request ack

The device receives an ACK message for the IP address allocation request.

Receive ip address allocation request nack

The device receives an NACK message for the IP address allocation request.

Send ip address release request

The device sends an IP address release request message.

Receive ip address release request nack

The device receives an NACK message for the IP address release request.

Fail to process the ip address allocation

The device fails to process the reply message for the IP address allocation request.

Ip address allocated fail to save

The allocated IP address is not saved in the SA.

Ip address allocated exist but receive duplicate ip request

The device receives a duplicate IP address request message.

# Display error statistics on IPSec tunnels negotiated using IKEv2.

<Huawei> display ikev2 statistics error

Error statistics:
-------------------------------------------------------------------------------
Config error:
Version error            :0
Peer address can not match with any ike peer config                  :0
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Responder dh mismatch    :0           Initiator dh mismatch          :0
Flow mismatch            :1
ID can not match with any ike peer config                            :0
Construct local id fail                                              :0
Authentication fail (may be pre-shared-key error)                    :0
Peer's flow netmask range is too wide                                :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid length           :0
Message-id unordered     :0
Unknown exchange type    :0
Invalid cookie           :6
Shortpacket              :0
Malformed message        :4
Malformed payload        :0
Rekey, not find old child:0           Rekey, old child close         :14
Exchange-type or role(initiator or responder) mismatch               :0
Unexpected critical payload, drop                                    :0
Unexpected uncritical payload, ignore                                :0
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :0
Responder receive invalid cookie for IKEV2_COOKIE request            :0
Responder receive no cookie for IKEV2_COOKIE request                 :0
-------------------------------------------------------------------------------
System abnormal:
Fail decrypt             :0           Fail encrypt                   :0
Fail integrity check     :0
No memory, fail send packet                                          :0
No memory, fail process packet                                       :0
-------------------------------------------------------------------------------
System limited:
First packet speed limited :0               License limited          :0
-------------------------------------------------------------------------------
Table 11-29  Description of the display ikev2 statistics error command output

Item

Description

Error statistics

Error statistics.

Config error

Configurations are incorrect.

Version error

The IKE version does not match.

Peer address can not match with any ike peer config

The corresponding IKE peer is not found based on the peer address.

Phase1 proposal mismatch

The phase 1 IPSec proposal does not match.

Phase2 proposal or pfs mismatch

The phase 2 IPSec proposal or PFS does not match.

Responder dh mismatch

DH group match on the responder failed. (If a matching DH group is available in the algorithm list of the initiator, the responder will send an information message to the initiator to instruct the initiator to start negotiation using the matching DH group. If the initiator accepts the information message, the negotiation succeeds.)

Initiator dh mismatch

DH group match on the initiator failed. (The initiator failed to process the message requesting a matching DH group.)

Flow mismatch

The data flow does not match.

ID can not match with any ike peer config

The peer ID does not match that configured in the IKE peer.

Construct local id fail

Local ID construction failed.

Authentication fail (may be pre-shared-key error)

Authentication failed. The possible cause is that the pre-shared key does not match.

Peer's flow netmask range is too wide

The mask length of the peer flow is too large.

Packet or payload error

Incorrect packet or payload.

Invalid length

Invalid length.

Message-id unordered

Message ID out of order.

Unknown exchange type

Unknown exchange type.

Invalid cookie

Invalid cookie:

  • The received IKEv2 message does not trigger negotiation, and no corresponding SA exists.
  • The cookie in the IKEv2 message that triggers negotiation is 0.

Shortpacket

The packet is too short.

Malformed message

Invalid message.

Malformed payload

Invalid payload.

Rekey, not find old child

The old IPSec SA is not found for re-negotiation.

Rekey, old child close

The old IPSec SA is offline for re-negotiation.

Exchange-type or role(initiator or responder) mismatch

The exchange type or role (initiator or responder) does not match.

Unexpected critical payload, drop

The unrecognized critical payload is dropped.

Unexpected uncritical payload, ignore

The unrecognized non-critical payload is ignored.

Maybe ddos attack

A DDoS attack may be in progress.

Responder request IKEV2_COOKIE

The device (as responder) requests a cookie when the number of SAs in the negotiating state exceeds the threshold.

Responder receive invalid cookie for IKEV2_COOKIE request

The received cookie is invalid.

Responder receive no cookie for IKEV2_COOKIE request

No cookie is received.

System abnormal

The system is abnormal.

Fail decrypt

Decryption failed.

Fail encrypt

Encryption failed.

Fail integrity check

Integrity check failed.

No memory, fail send packet

Packet sending failed due to insufficient memory.

No memory, fail process packet

Packet parsing failed due to insufficient memory.

System limited

System restriction.

First packet speed limited

First packets are rate-limited.

License limited

License restriction.
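All of these counters are cumulative, so what matters when diagnosing a tunnel (or spotting the cookie-challenge and authentication-failure counters above climbing) is their growth between two samples. The following Python is an added example, not part of the Huawei reference: it parses the key:value layout shared by the display ike statistics and display ikev2 statistics outputs on this page (including rows that carry two counters side by side), flags growth in a small watchlist of counters, and reports unanswered DPD requests. The sample outputs are constructed, and the watchlist selection and the reasons attached to it are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# One "<counter name> :<integer>" pair; a line may carry two side by side.
# The lookahead rejects timestamp values such as "2015-04-08 21:23:10".
_COUNTER = re.compile(r"([A-Za-z][^:]*?)\s*:\s*(\d+)(?=\s|$)")
Counters = Dict[Tuple[str, str], int]

def parse_counters(text: str) -> Counters:
    """Parse 'display ike statistics' or 'display ikev2 statistics' output
    into {(section, counter name): value}. The section is the most recent
    header line ending in ':' (for example 'Maybe ddos attack'), or ''."""
    counters: Counters = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-"):
            continue  # blank line or separator rule
        pairs = _COUNTER.findall(line)
        if not pairs:
            if line.endswith(":"):
                section = line[:-1].strip()
            continue  # section header, prompt echo, title or timestamp line
        for name, value in pairs:
            counters[(section, name.strip())] = int(value)
    return counters

# Counters whose growth a defender wants flagged, keyed by the section they
# appear under in 'display ikev2 statistics error' (assumed watchlist).
WATCHLIST = {
    ("Maybe ddos attack", "Responder request IKEV2_COOKIE"):
        "responder is challenging IKE_SA_INIT with cookies (half-open SA threshold exceeded)",
    ("Maybe ddos attack", "Responder receive no cookie for IKEV2_COOKIE request"):
        "initiators never return the cookie, typical of spoofed-source floods",
    ("Config error", "Authentication fail (may be pre-shared-key error)"):
        "IKE_AUTH failures: pre-shared key mismatch or credential guessing",
    ("Packet or payload error", "Invalid cookie"):
        "messages for unknown IKE SAs: stale peers or unsolicited probing",
}

def alert_on_growth(before: Counters, after: Counters,
                    watchlist=WATCHLIST) -> List[Tuple[str, int, str]]:
    """Return (counter, increase, reason) for each watchlisted counter that
    grew between two samples; the counters are cumulative, so only deltas count."""
    alerts = []
    for key, reason in watchlist.items():
        delta = after.get(key, 0) - before.get(key, 0)
        if delta > 0:
            alerts.append((key[1], delta, reason))
    return alerts

def dpd_unanswered(ike_stats: Counters) -> int:
    """DPD requests sent minus DPD acks received ('display ike statistics');
    a growing gap points at a silent peer or a path dropping UDP 500/4500."""
    return (ike_stats.get(("", "Number of DPD request sent"), 0)
            - ike_stats.get(("", "Number of DPD ack received"), 0))

# Constructed, abbreviated 'display ikev2 statistics error' outputs in the
# page's layout (values made up), captured some minutes apart.
SAMPLE_BEFORE = """\
Config error:
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Authentication fail (may be pre-shared-key error)                    :0
-------------------------------------------------------------------------------
Packet or payload error:
Invalid cookie           :6
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :0
Responder receive invalid cookie for IKEV2_COOKIE request            :0
Responder receive no cookie for IKEV2_COOKIE request                 :0
"""
SAMPLE_AFTER = """\
Config error:
Phase1 proposal mismatch :0           Phase2 proposal or pfs mismatch:0
Authentication fail (may be pre-shared-key error)                    :3
-------------------------------------------------------------------------------
Packet or payload error:
Invalid cookie           :40
-------------------------------------------------------------------------------
Maybe ddos attack:
Responder request IKEV2_COOKIE                                       :12
Responder receive invalid cookie for IKEV2_COOKIE request            :0
Responder receive no cookie for IKEV2_COOKIE request                 :9
"""
# Constructed 'display ike statistics v1' excerpt: 7 DPD requests, 3 acks.
SAMPLE_IKEV1 = """\
 IKE V1 statistics information
 Begin time of total peers                    : 2015-04-08 21:23:10
 Number of DPD request sent                   : 7
 Number of DPD ack received                   : 3
"""

if __name__ == "__main__":
    before, after = parse_counters(SAMPLE_BEFORE), parse_counters(SAMPLE_AFTER)
    for counter, delta, reason in alert_on_growth(before, after):
        print(f"{counter}: +{delta} ({reason})")
    print("unanswered DPD requests:", dpd_unanswered(parse_counters(SAMPLE_IKEV1)))
```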

# Display notification message statistics on IPSec tunnels negotiated using IKEv2.

<Huawei> display ikev2 statistics notify-info

Ikev2 notification statistics:
-------------------------------------------------------------------------------
Notification:
INVALID_IKE_SPI notification                send:0          receive:0
INVALID_MAJOR_VERSION notification          send:0          receive:0
INVALID_SYNTAX notification                 send:0          receive:0
INVALID_IPSEC_SPI notification              send:0          receive:0
INVALID_KE_PAYLOAD notification             send:0          receive:0
SINGLE_PAIR_REQUIRED notification           send:0          receive:0
NO_ADDITIONAL_SA notification               send:0          receive:0
TS_UNACCEPTABLE notification                send:0          receive:0
INVALID_IPSEC_SELECTORS notification        send:0          receive:0
INITIAL_CONTACT payload                     send:0          receive:0
SET_WINDOW_SIZE payload                     send:0          receive:0
NAT_DETECTION_SOURCE_IP payload             send:0          receive:0
NAT_DETECTION_DESTINATION_IP payload        send:0          receive:0
USE_TRANSPORT_MODE notification             send:0          receive:0
REKEY_SA notification                       send:0          receive:0
ESP_TFC_PADDING_NOT_SUPPORTED payload       send:0          receive:0
AUTH_LIFETIME payload                       send:0          receive:0
REDIRECT payload                            send:0          receive:0
DELETE_OLD_CHILDSA notification             send:0          receive:0
DSCP payload                                send:0          receive:0
------------------------------------------------------------------------------- 
Table 11-30  Description of the display ikev2 statistics notify-info command output

Item

Description

Ikev2 notification statistics

IKEv2 notification message statistics.

Notification

IKEv2 notification message.

INVALID_IKE_SPI notification

Invalid IKE SPI notification message.

INVALID_MAJOR_VERSION notification

Invalid major version number notification message.

INVALID_SYNTAX notification

Invalid syntax notification message.

INVALID_IPSEC_SPI notification

Invalid IPSec SPI notification message.

INVALID_KE_PAYLOAD notification

Incorrect KE payload.

SINGLE_PAIR_REQUIRED notification

Single_Pair_Required notification message.

NO_ADDITIONAL_SA notification

No additional SA notification message.

TS_UNACCEPTABLE notification

Unacceptable traffic selector (TS) notification message.

INVALID_IPSEC_SELECTORS notification

Invalid IPSec Selectors notification message.

INITIAL_CONTACT payload

Initial_Contact notification message.

SET_WINDOW_SIZE payload

Set_Window_Size notification message.

NAT_DETECTION_SOURCE_IP payload

NAT source IP notification message.

NAT_DETECTION_DESTINATION_IP payload

NAT destination IP notification message.

USE_TRANSPORT_MODE notification

Transport mode notification message.

REKEY_SA notification

SA re-negotiation notification message.

ESP_TFC_PADDING_NOT_SUPPORTED payload

ESP_TFC_Padding_Not_Supported notification message.

AUTH_LIFETIME payload

Auth_Lifetime notification message.

REDIRECT payload

Redirection notification message.

DELETE_OLD_CHILDSA notification

Delete_Old_ChildSa notification message.

DSCP payload

DSCP notification message.

send

Number of sent messages.

receive

Number of received messages.

# Display packet statistics on IPSec tunnels negotiated using IKEv2.

<Huawei> display ikev2 statistics packet

Packet statistics:                                                              
------------------------------------------------------------------------------- 
Ike_init request send    :33          Ike_init response send   :0               
Ike_init request recv    :10          Ike_init response recv   :0               
Ike_auth request send    :10          Ike_auth response send   :0               
Ike_auth request recv    :10          Ike_auth response recv   :0               
Create_child req send    :91          Create_child resp send   :147             
Create_child req recv    :87          Create_child resp recv   :147             
Ike_info request send    :210         Ike_info response send   :31              
Ike_info request recv    :0           Ike_info response recv   :31              
Del_info request send    :209         Del_info response send   :26              
Del_info request recv    :0           Del_info response recv   :31              
Dpd_info request send    :4           Dpd_info response send   :0               
Dpd_info request recv    :0           Dpd_info response recv   :0
------------------------------------------------------------------------------- 
Table 11-31  Description of the display ikev2 statistics packet command output

Item

Description

Packet statistics

IPSec packet statistics.

Ike_init request send

Number of sent IKE SA initialization exchange (ike_init) request packets.

Ike_init response send

Number of sent ike_init response packets.

Ike_init request recv

Number of received ike_init request packets.

Ike_init response recv

Number of received ike_init response packets.

Ike_auth request send

Number of sent IKE authentication exchange (ike_auth) request packets.

Ike_auth response send

Number of sent ike_auth response packets.

Ike_auth request recv

Number of received ike_auth request packets.

Ike_auth response recv

Number of received ike_auth response packets.

Create_child req send

Number of sent create_child request packets, which create an IPSec SA for a sub-tunnel.

Create_child resp send

Number of sent create_child response packets.

Create_child req recv

Number of received create_child request packets.

Create_child resp recv

Number of received create_child response packets.

Ike_info request send

Number of sent IKE notification exchange (ike_info) request packets.

Ike_info response send

Number of sent ike_info response packets.

Ike_info request recv

Number of received ike_info request packets.

Ike_info response recv

Number of received ike_info response packets.

Del_info request send

Number of sent tunnel information deletion (del_info) request packets.

Del_info response send

Number of sent del_info response packets.

Del_info request recv

Number of received del_info request packets.

Del_info response recv

Number of received del_info response packets.

Dpd_info request send

Number of sent DPD information (dpd_info) request packets.

Dpd_info response send

Number of sent dpd_info response packets.

Dpd_info request recv

Number of received dpd_info request packets.

Dpd_info response recv

Number of received dpd_info response packets.

# Display SA statistics on IPSec tunnels negotiated using IKEv2.

<Huawei> display ikev2 statistics sa

Sa establish and offline statistic:
-------------------------------------------------------------------------------
Establish:
Initiator request phase1 negotiation                           :33
Initiator request phase2 negotiation                           :16
Initiator request and success phase1 negotiation               :10
Initiator request and success phase2 negotiation               :41
Responder response phase1 negotiation                          :0
Responder response phase2 negotiation                          :0
Responder response and success phase1 negotiation              :0
Responder response and success phase2 negotiation              :0
Offline:
Receive delete info      :1           Config modify            :0
Manual reset             :1           Dpd timeout              :0
Phase1 hardware expire   :0           Phase2 hardware expire   :0
Phase1 replace           :0           Phase2 replace           :0
Aaa cut user             :0           Reauth timeout           :0
Flow overlap             :0           IP address syn failed    :0
Port mismatch            :0           Kick old SA              :0
CPU table updated        :0           SPI conflict             :0
EAP delete old sa        :0   
-------------------------------------------------------------------------------
Table 11-32  Description of the display ikev2 statistics sa command output

Item

Description

Sa establish and offline statistic

SA establishment and deletion information.

Establish

Statistics on established IPSec tunnels.

Initiator request phase1 negotiation

Number of times that the initiator requests phase 1 negotiation.

Initiator request phase2 negotiation

Number of times that the initiator requests phase 2 negotiation.

Initiator request and success phase1 negotiation

Number of times that the initiator succeeds in requesting phase 1 negotiation.

Initiator request and success phase2 negotiation

Number of times that the initiator succeeds in requesting phase 2 negotiation.

Responder response phase1 negotiation

Number of times that the responder responds to phase 1 negotiation.

Responder response phase2 negotiation

Number of times that the responder responds to phase 2 negotiation.

Responder response and success phase1 negotiation

Number of times that the responder succeeds in responding to phase 1 negotiation.

Responder response and success phase2 negotiation

Number of times that the responder succeeds in responding to phase 2 negotiation.

Offline

Statistics on deleted IPSec tunnels.

Receive delete info

Number of times that the device receives tunnel deletion messages.

Config modify

Number of times that the tunnel is deleted by modifying the configuration.

Manual reset

Number of times that the tunnel is deleted manually.

Phase1 hardware expire

Number of times that the phase 1 tunnel is deleted due to hard timeout.

Phase2 hardware expire

Number of times that the phase 2 tunnel is deleted due to hard timeout.

Phase1 replace

Number of phase 1 tunnel re-negotiation times.

Phase2 replace

Number of phase 2 tunnel re-negotiation times.

Aaa cut user

Number of tunnel deletion times caused by forced user offline.

Dpd timeout

Number of tunnel deletion times caused by DPD timeout.

Reauth timeout

Number of tunnel deletion times caused by re-authentication timeout.

Flow overlap

Number of tunnel deletion times caused by a conflict between the IP address in the encrypted flow and the remote IP address.

IP address syn failed

Number of tunnel deletion times caused by the failure to synchronize IP addresses.

Port mismatch

Number of tunnel deletion times caused by the UDP port mismatch.

Kick old SA

Number of tunnel deletion times caused by a flow conflict.

CPU table updated

Number of tunnel deletion times caused by a CPU table update.

SPI conflict

Number of tunnel deletion times caused by an SPI conflict.

EAP delete old sa

Number of times the device deletes the old SA during EAP authentication.

display ike user-table (all views)

Function

The display ike user-table command displays IKE user table information.

Format

display ike user-table [ number user-table-id [ user-name user-name ] ]

Parameters

Parameter

Description

Value

number user-table-id

Specifies the ID of an IKE user table. If this parameter is not specified, the command displays information about all IKE user tables.

The value must be an existing IKE user table ID.

user-name user-name

Specifies a user name.

The value must be an existing user name in the IKE user table.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the user ID type, user ID, pre-shared key, and user description in an IKE user table.

Example

# Display information about all IKE user tables.

<Huawei> display ike user-table
Number of IKE User-tables: 1
                             
---------------------------------------------------------------------------
 IKE User-table: 10, Number of users: 1
---------------------------------------------------------------------------
                                                                                
  User Name              : user1                                                
  User ID-type           : IP                                                   
  User ID                : 1.1.1.1                                              
  Pre-shared-key         : %^%#D,Ul0!:u2RM;giQtp4KDzkbm*)=Y[NYF[N6s)SMQ%^%#     
  VPN instance           : vrf1                                                 
  Description            : USER1
  Interface-assign       : Tunnel0/0/1
Table 11-33  Description of the display ike user-table command output

Item

Description

Number of IKE User-tables

Number of IKE user tables.

Number of users

Number of IKE users.

IKE User-table

ID of an IKE user table.

User Name

IKE user name. To configure the IKE user name, run the user command.

User ID-type

Remote ID type of the IKE peer.

  • ANY: The remote ID type of the IKE peer is of any type.
  • ESN: The remote ID type of the IKE peer is an ESN.
  • FQDN: The remote ID type of the IKE peer is a name.
  • IP: The remote ID type of the IKE peer is an IP address.
  • USER-FQDN: The remote ID type of the IKE peer is a user domain name.

To configure the remote ID type of an IKE peer, run the id-type command.

User ID

Remote ID of the IKE peer. To configure the remote ID of an IKE peer, run the id-type command.

Pre-shared-key

Pre-shared key. To configure the pre-shared key, run the pre-shared-key (IKE user view) command.

VPN instance

Name of the VPN instance. To configure the name of a VPN instance, run the vpn-instance-traffic (IKE user view) command.

Description

Description of the IKE user table. To configure the description of an IKE user table, run the description command.

Interface-assign

Interface with which an IKE user associates. To specify an interface, run the interface-assign command.

display ike user-table ctrl-plane

Function

The display ike user-table ctrl-plane command displays IKE user table information on the control plane.

Format

display ike user-table [ number user-table-id [ user-name user-name ] ] ctrl-plane

Parameters

Parameter

Description

Value

number user-table-id

Specifies the ID of an IKE user table. If this parameter is not specified, the command displays information about all IKE user tables.

The value must be an existing IKE user table ID.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

You can run this command to check the user ID type, user ID, pre-shared key, and user description in an IKE user table.

Example

# Display information about all IKE user tables.

<Huawei> display ike user-table ctrl-plane
Number of IKE User-tables: 1
                             
---------------------------------------------------------------------------
 IKE User-table: 10, Number of users: 1
---------------------------------------------------------------------------
                                                                                
  User Name              : user1                                                
  User ID-type           : IP                                                   
  User ID                : 1.1.1.1                                              
  Pre-shared-key         : %^%#D,Ul0!:u2RM;giQtp4KDzkbm*)=Y[NYF[N6s)SMQ%^%#     
  VPN instance           : vrf1                                                 
  Description            : USER1  
Table 11-34  Description of the display ike user-table ctrl-plane command output

Item

Description

Number of IKE User-tables

Number of IKE user tables.

Number of users

Number of IKE users.

IKE User-table

ID of an IKE user table.

User Name

IKE user name.

User ID-type

Remote ID type of the IKE peer.

User ID

Remote ID of the IKE peer.

Pre-shared-key

Pre-shared key.

VPN instance

Name of the VPN instance.

Description

Description of the IKE user table.

display interface tunnel-template

Function

The display interface tunnel-template command displays information about a tunnel template interface.

Format

display interface tunnel-template [ interface-number | main ]

Parameters

Parameter

Description

Value

interface-number

Specifies the number of a tunnel template.

The number must be an existing tunnel template.

main

Displays information about only a tunnel template interface.

If a tunnel template interface has no sub-interface, the information about the tunnel template interface is displayed regardless of whether the main parameter is specified.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

None.

Example

# Display information about Tunnel template 0.

<Huawei> display interface tunnel-template 0
Tunnel-Template0 current state : UP                                             
Line protocol current state : DOWN                                              
Description:ith                                                                 
Route Port,The Maximum Transmit Unit is 1500                                    
Internet Address is unnumbered, using address of LoopBack0(1.1.1.1/32)      
Encapsulation is TUNNEL, loopback not set                                       
Tunnel protocol IPSEC                                                           
Current system time: 2013-10-24 14:58:00                                        
    300 seconds input rate 0 bits/sec, 0 packets/sec                            
    300 seconds output rate 0 bits/sec, 0 packets/sec                           
    0 seconds input rate 0 bits/sec, 0 packets/sec                              
    0 seconds output rate 0 bits/sec, 0 packets/sec                             
    0 packets input,  0 bytes                                                   
    0 input error                                                               
    0 packets output,  0 bytes                                                  
    0 output error                                                              
    Input bandwidth utilization  : --                                           
    Output bandwidth utilization : --                                           
Table 11-35  Description of the display interface tunnel-template command output

Item

Description

Tunnel-Template0 current state

Physical status of the tunnel template interface:
  • UP: The physical status of the tunnel template interface is Up.

  • DOWN: The physical status of the tunnel template interface is Down.

Line protocol current state

Link layer protocol status of the tunnel template interface:
  • UP: The link layer protocol status of the tunnel template interface is Up.

  • DOWN: The link layer protocol of the tunnel template interface is Down or no IP address is assigned to the tunnel template interface.

Description

Description of the tunnel template interface.

Route Port

Indicates that the interface is a Layer 3 interface.

The Maximum Transmit Unit is 1500

MTU of the tunnel template interface. The default MTU is 1500 bytes. If the length of a packet is greater than the MTU, it is fragmented before being sent. If fragmentation is disabled, the packet is discarded.

Internet Address is unnumbered, using address of LoopBack0 (1.1.1.1/32)

Indicates that the interface IP address is borrowed from Loopback 0 (1.1.1.1/32).

Encapsulation is TUNNEL

Indicates that the tunnel template interface encapsulates packets in tunnel mode.

loopback not set

Indicates that the loopback mode is not set for the tunnel-template interface.

Tunnel protocol IPSEC

Indicates that the tunnel encapsulation protocol is IPsec.

Current system time

Current time of the system.

If a time zone is configured and the daylight saving time begins, the time is displayed in the format of YYYY/MM/DD HH:MM:SS UTC±HH:MM DST.

300 seconds input rate 0 bits/sec, 0 packets/sec

Receive bit and packet rates on the tunnel template interface over the last 300 seconds. You can run the set flow-stat interval command to change the interval at which traffic statistics are collected. The interval must be an integer multiple of 10 and range from 10 to 600, in seconds.

300 seconds output rate 0 bits/sec, 0 packets/sec

Send bit and packet rates on the tunnel template interface over the last 300 seconds. You can run the set flow-stat interval command to change the interval at which traffic statistics are collected. The interval must be an integer multiple of 10 and range from 10 to 600, in seconds.

0 seconds input rate 0 bits/sec, 0 packets/sec

Receive bit and packet rates within the interval between two queries.

0 seconds output rate 0 bits/sec, 0 packets/sec

Send bit and packet rates within the interval between two queries.

0 packets input, 0 bytes

Total numbers of packets and bytes received by the tunnel template interface.

0 input error

Number of error packets received by the tunnel template interface.

0 packets output, 0 bytes

Total numbers of packets and bytes sent by the tunnel template interface.

0 output error

Number of error packets sent by the tunnel template interface.

Input bandwidth utilization

"--" indicates that this item is not supported.

Output bandwidth utilization

"--" indicates that this item is not supported.

display ipsec efficient-vpn

Function

The display ipsec efficient-vpn command displays Efficient VPN policy information.

Format

display ipsec efficient-vpn [ brief | capability | name efficient-vpn-name | remote ]

Parameters

Parameter

Description

Value

brief

Displays brief information about Efficient VPN policies.

-

capability

Displays the IPSec configuration supported by an Efficient VPN policy.

-

name efficient-vpn-name

Displays information about a specified Efficient VPN policy.

The value is an existing Efficient VPN policy name.

remote

Displays the running status of remote devices. This parameter takes effect only on the server.

-

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After the Efficient VPN policy is configured, you can run this command to know the configuration information of the Efficient VPN policy, such as the name, interface, authentication method, IKE version, DH algorithm, and PFS algorithm of the Efficient VPN.

Example

# Display brief information about Efficient VPN policies.

<Huawei> display ipsec efficient-vpn brief
 Total number of IPSec efficient-vpn: 1

 Efficient-vpn name      Efficient-vpn mode
 ------------------------------------------
 v1                      client

# Display information about the Efficient VPN policy named easyvpn_1.

<Huawei> display ipsec efficient-vpn name easyvpn_1
===========================================
IPSec efficient-vpn name: easyvpn_1
Using interface         : GigabitEthernet1/0/0
===========================================
 IPSec Efficient-vpn Name  : easyvpn_1                                          
 IPSec Efficient-vpn Mode  : 3 (1:Client 2:Network 3:Network-plus 4:Network-auto-cfg)
 ACL Number                :                                                    
 Auth Method               : 8 (8:PSK 9:RSA)                                    
 VPN name                  :                                                    
 Local ID Type             : 1 (1:IP 2:Name 3:User-fqdn 9:DN 11:Key-id)
 IKE Version               : 1 (1:IKEv1 2:IKEv2)                                
 Remote Address            : 1.1.1.1                                          
 Pre Shared Key            : 
 DH Group                  : DH group 14
 PFS Type                  : DH group 14
 Remote Name               :         
 PKI Object                :
 Re-auth interval          : 300 seconds
 Anti-replay window size   : 32     
 Qos pre-classify          : 0 (0:Disable 1:Enable)
 Qos group                 : -
 Service-scheme name       : scheme
 DPD Msg Type
 Sim-based-username Type   : IMEI 
 RSA signature-padding     : PKCS1
 Interface loopback        : LoopBack100
 Interface loopback IP     : 1.2.1.1/25
 Dns server IP             : 2.2.2.2, 2.2.2.3 
 Wins server IP            : 3.3.3.2, 3.3.3.3  
 Dns default domain name   : mydomain.com.cn
 Auto-update url           : 
 Auto-update version       : 
 IP pool                   : 10.1.1.0/255.255.255.0
 Resource acl list         : 1
   IP address/mask         : 5.1.1.2/255.255.255.255
   Source port number      : 0
   Destination port number : 0
   Protocol ID             : 0
 Resource acl list         : 2
   IP address/mask         : 6.1.1.0/255.255.255.0
   Source port number      : 0
   Destination port number : 0
   Protocol ID             : 0
Table 11-36  Description of the display ipsec efficient-vpn command output

Item

Description

IPSec Efficient-vpn Name/Efficient-vpn name

Name of the Efficient VPN policy. To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command.

Using interface

Interface to which an Efficient VPN policy is applied.

IPSec Efficient-vpn Mode/Efficient-vpn mode

Mode used by the Efficient VPN policy.
  • 1: client
  • 2: network
  • 3: network-plus
  • 4: network-auto-cfg
To configure an Efficient VPN policy, run the ipsec efficient-vpn (system view) command.

ACL Number

ACL used by the Efficient VPN policy. To configure an ACL referenced by an Efficient VPN policy, run the security acl command.

Auth Method

Authentication mode used by the Efficient VPN policy:
  • 8: pre-shared key authentication
  • 9: RSA signature authentication
To configure an authentication mode, run the authentication-method command.

VPN name

Name of the VPN instance bound to the Efficient VPN policy. To bind a VPN instance to an Efficient VPN policy, run the sa binding vpn-instance (Efficient VPN policy view) command.

Local ID Type

Local ID type used in IKE negotiation. To set the local ID type, run the local-id-type command.

IKE Version

Configured IKE version:
  • 1: IKEv1
  • 2: IKEv2

Remote Address

IP address of the remote IKE peer. To configure the remote IP address, run the remote-address command.

Pre Shared Key

Pre-shared key. To configure a pre-shared key, run the pre-shared-key command.

DH Group

DH group used in IKE negotiation:

  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To specify a DH group, run the dh command.

PFS Type

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To specify a PFS, run the pfs command.

Remote Name

Remote name used in IKE negotiation. To configure the remote name used in IKE negotiation, run the remote-name command. When the local-id-type name command is used, the local and remote names are used for IKE negotiation. If ike local-name is not configured on the remote end, the name specified by the sysname command is used for IKE negotiation.

PKI Object

PKI domain bound to the Efficient VPN policy. To bind a PKI domain to an Efficient VPN policy, run the pki realm command.

Re-auth interval

IKEv2 re-authentication interval. To configure the IKEv2 re-authentication interval, run the re-authentication interval command.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command.

When the value is 0, the IPSec anti-replay function is enabled in the system view. To enable this function, run the ipsec anti-replay enable command.

Qos pre-classify

Whether pre-extraction of original IP packets is enabled (the command output shows the legend 0:Disable 1:Enable):
  • 0: Pre-extraction of original IP packets is disabled.
  • 1: Pre-extraction of original IP packets is enabled.
To enable pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which IPSec packets belong. To configure the QoS group, run the qos group command.

- indicates that no QoS group is specified for IPSec packets.

Service-scheme name

Name of the bound service scheme. To configure the name of the bound service scheme, run the service-scheme (Efficient VPN policy view) command.

DPD Msg Type

Sequence of the payload in DPD packets.
  • seq-notify-hash
  • seq-hash-notify
To configure the sequence of the payload, run the dpd msg command.

Sim-based-username Type

Type of the SIM card user name.
  • IMEI: international mobile equipment identity.
  • IMSI: international mobile subscriber identity.

RSA signature-padding

Padding mode of an RSA signature. To specify the padding mode, run the rsa signature-padding command.

Interface loopback

Number of the loopback interface. The loopback interface is dynamically created on the remote device and is used to establish an IPSec tunnel with the Efficient VPN server.

Interface loopback IP

IP address of the loopback interface, which is allocated by the Efficient VPN server to the remote device.

Dns server IP

DNS server IP address. To configure a DNS server IP address, run the dns command.

Wins server IP

WINS server IP address. To configure a WINS server IP address, run the wins command.

Dns default domain name

DNS domain name. To configure a DNS domain name, run the dns-name command.

Auto-update url

URL of the file used to upgrade a remote device. To configure the URL of the file used to upgrade a remote device, run the auto-update url command.

Auto-update version

Version number of the version file. To configure the version number of the version file, run the auto-update url command.

IP pool

IP address obtained from the address pool.

Resource acl list

Delivered ACL list. The value is the number of configured ACL rules. This field is available only when ACL delivery is enabled using the resource acl command.

IP address/mask

Delivered IP address and mask. To specify an IP address and mask, run the rule (advanced ACL view) command.

Source port number

Delivered source port number. To specify a source port number, run the rule (advanced ACL view) command.

Destination port number

Delivered destination port number. To specify a destination port number, run the rule (advanced ACL view) command.

Protocol ID

Delivered protocol ID. To specify a protocol ID, run the rule (advanced ACL view) command.

# Display the IPSec configuration supported by an Efficient VPN policy.

<Huawei> display ipsec efficient-vpn capability

  IKEv1 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14 | DH_GROUP19 | DH_GROUP20 | DH_GROUP21
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
  Supported Authentication Methods:
    Pre Shared Key | RSA_SIG

  IKEv2 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14 | DH_GROUP19 | DH_GROUP20 | DH_GROUP21
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Integrity Algorithms:
    MD5 | SHA1 | AES-XCBC-96 | SHA2-256 | SHA2-384 | SHA2-512
  Supported PRF:
    PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
    PRF-SHA2-512

  IPSEC Global Supported Algorithms
-------------------------------------------------------
  Supported Security Protocols:
    ESP
  Supported Encapsulation Modes:
    TUNNEL
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA256 | SHA384 | SHA512 | NULL
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256 | NULL
  • The MD5 and SHA-1 authentication algorithms have security risks; therefore, you are advised to use SHA-2 preferentially.

  • The DES and 3DES encryption algorithms have security risks; therefore, you are advised to use AES preferentially.

  • The PRF-MD5 and PRF-SHA1 algorithms have security risks; therefore, you are advised to use PRF-AES-XCBC-128 or SHA-2 preferentially.

Table 11-37  Description of the display ipsec efficient-vpn capability command output

Item

Description

IKEv1 Global Supported Algorithms

Supported algorithms when IKEv1 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device.

Supported DH Groups

Supported DH groups when IKEv1 or IKEv2 is used. To configure a DH group on the server, run the dh command.

Supported Encryption Algorithms

Supported encryption algorithms when IKEv1 or IKEv2 is used. To configure an encryption algorithm on the server, run the encryption-algorithm command.

Supported Authentication Algorithms

Supported authentication algorithms when IKEv1 is used. To configure an authentication algorithm on the server, run the authentication-algorithm command.

Supported Authentication Methods

Supported authentication methods when IKEv1 is used:
  • Pre Shared Key: pre-shared key authentication
  • RSA_SIG: RSA signature authentication
To configure an authentication mode on the server, run the authentication-method command.

IKEv2 Global Supported Algorithms

Supported algorithms when IKEv2 is specified in the Efficient VPN policy. The server can use only the supported algorithms to negotiate with the remote device.

Supported Integrity Algorithms

Supported integrity algorithms when IKEv2 is used. To configure an integrity algorithm on the server, run the integrity-algorithm command.

Supported PRF

Supported PRF algorithms when IKEv2 is used. To configure a PRF algorithm on the server, run the prf command.

IPSEC Global Supported Algorithms

Algorithms supported by the system.

Supported Security Protocols

Security protocol supported by IPSec: ESP. To configure a security protocol, run the transform command.

Supported Encapsulation Modes

Encapsulation mode supported by IPSec: tunnel mode. To configure an encapsulation mode, run the encapsulation-mode command.

Supported Authentication Algorithms

Authentication algorithm supported by IPSec. To configure an authentication algorithm on the server, run the esp authentication-algorithm command.

Supported Encryption Algorithms

Encryption algorithm supported by IPSec. To configure an encryption algorithm on the server, run the esp encryption-algorithm command.
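The notes above single out MD5, SHA-1, DES, 3DES, PRF-MD5 and PRF-SHA1 as risky. The following added example (not Huawei code) parses the display ipsec efficient-vpn capability output and lists every flagged algorithm per section; the sample text is constructed from the output shown above, and treating NULL, DH group 1 and DH group 2 as weak is this example's own assumption, not a statement from the reference.

```python
"""Parse 'display ipsec efficient-vpn capability' output and flag weak
algorithms. Added example, not part of the Huawei command reference."""
from typing import Dict, List, Tuple

# Names the reference's notes call out as risky, plus three this example adds
# on its own: NULL (no protection at all) and DH groups 1 and 2 (768/1024-bit).
WEAK = {"MD5", "SHA1", "DES", "3DES", "PRF-MD5", "PRF-SHA1",
        "NULL", "DH_GROUP1", "DH_GROUP2"}

# Constructed sample, copied from the capability output shown above.
SAMPLE = """
  IKEv1 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14 | DH_GROUP19 | DH_GROUP20 | DH_GROUP21
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA2-256 | SHA2-384 | SHA2-512
  Supported Authentication Methods:
    Pre Shared Key | RSA_SIG

  IKEv2 Global Supported Algorithms
-------------------------------------------------------
  Supported DH Groups:
    DH_GROUP1 | DH_GROUP2 | DH_GROUP5 | DH_GROUP14 | DH_GROUP19 | DH_GROUP20 | DH_GROUP21
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256
  Supported Integrity Algorithms:
    MD5 | SHA1 | AES-XCBC-96 | SHA2-256 | SHA2-384 | SHA2-512
  Supported PRF:
    PRF-MD5 | PRF-SHA1 | PRF-AES-XCBC-128 | PRF-SHA2-256 | PRF-SHA2-384 |
    PRF-SHA2-512

  IPSEC Global Supported Algorithms
-------------------------------------------------------
  Supported Security Protocols:
    ESP
  Supported Encapsulation Modes:
    TUNNEL
  Supported Authentication Algorithms:
    MD5 | SHA1 | SHA256 | SHA384 | SHA512 | NULL
  Supported Encryption Algorithms:
    DES | 3DES | AES128 | AES192 | AES256 | NULL
"""

Caps = Dict[str, Dict[str, List[str]]]


def parse_capability(text: str) -> Caps:
    """Return {section: {category: [names]}}, e.g. {'IKEv1': {'DH Groups': [...]}}."""
    result: Caps = {}
    section = category = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:          # blank or ruler line
            continue
        if line.endswith("Global Supported Algorithms"):
            section = line.split()[0]                # IKEv1 / IKEv2 / IPSEC
            result[section] = {}
            category = None
        elif section and line.startswith("Supported ") and line.endswith(":"):
            category = line[len("Supported "):-1]
            result[section][category] = []
        elif section and category:
            # Value lines are '|' separated and may wrap; a trailing '|' leaves
            # an empty token that is dropped here.
            result[section][category].extend(
                tok.strip() for tok in line.split("|") if tok.strip())
    return result


def weak_algorithms(caps: Caps) -> List[Tuple[str, str, str]]:
    """List (section, category, name) for every entry in the WEAK set."""
    return [(section, category, name)
            for section, cats in caps.items()
            for category, names in cats.items()
            for name in names
            if name.upper() in WEAK]


if __name__ == "__main__":
    for section, category, name in weak_algorithms(parse_capability(SAMPLE)):
        print(f"{section:6} {category:26} {name}")
```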

# Display the running status of remote devices.

<Huawei> display ipsec efficient-vpn remote
 Total number of remote : 1

 Local interface         : GigabitEthernet0/0/2
 Client IP address       : 10.1.1.1:500
 Client system MAC       : 5489-98f4-78f4
 Client description      : 
 Client alloc address    : 10.1.1.254                                          
 Client version ID       : 2
 Client last upgrade info: Failed to get the upgrade information.
Table 11-38  Description of the display ipsec efficient-vpn remote command output

Item

Description

Total number of remote

Number of remote devices.

Local interface

Interface bound to an IPSec policy on the server. To bind an IPSec policy group to an interface, run the ipsec policy (interface view) command.

Client IP address

IP address of the remote device.

Client system MAC

MAC address of the remote device.

Client description

Device information and version information about the remote device.

Client alloc address

IP address delivered by the Efficient VPN server to the remote device.

Client version ID

Version number of the version file delivered from the server to the remote device.

Client last upgrade info

Information about the last automatic upgrade on the remote device.

display ipsec history record

Function

The display ipsec history record command displays history information about IPSec tunnels.

Format

display ipsec history record [ remote-address remote-address ]

Parameters

Parameter

Description

Value

remote-address remote-address

Displays history information about the IPSec tunnel with the specified remote IP address.

The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipsec history record command to view the reason and time of the last teardown of the IPSec tunnel.

Example

# Display history information about IPSec tunnels.

<Huawei> display ipsec history record
IPSec history record:
===============================
Interface              : GigabitEthernet1/0/1
remote-address         : 2.1.1.1
remote-port            : 500
VPN-name               : huawei
flow-source            : 10.1.1.1/255.255.255.255
flow-destination       : 10.2.2.2/255.255.255.255  
last-offline-reason    : peer request
last-offline-time      : 2017-07-17 20:25:31
offline-times-in-24Hour: 1
Table 11-39  Description of the display ipsec history record command output

Item

Description

IPSec history record

Displays history information about IPSec tunnels.

Interface

Interface to which an IPSec policy is applied.

remote-address

Remote IP address of an IPSec tunnel.

remote-port

Remote UDP port number.

VPN-name

Name of a VPN instance.

flow-source

Source address segment of data flows.

flow-destination

Destination address segment of data flows.

last-offline-reason

Reason of the last teardown of an IPSec tunnel.

  • dpd timeout: Dead peer detection (DPD) times out.
  • peer request: The remote end has sent a message, asking the local end to tear down the tunnel.
  • config modify or manual offline: An SA is deleted due to configuration modification or an SA is manually deleted.
  • phase1 hard expiry: Hard lifetime expires in phase 1 (no new SA negotiation success message is received).
  • phase2 hard expiry: Hard lifetime expires in phase 2.
  • heartbeat timeout: Heartbeat detection times out.
  • modecfg address soft expiry: The IP address lease applied by the remote end from the server expires.
  • re-auth timeout: An SA is deleted due to reauthentication timeout.
  • aaa cut user: The AAA module disconnects users.
  • peer address switch: An SA is deleted due to a change of the peer address.
  • hard expiry triggered by port mismatch: A hard timeout occurs due to a NAT port number mismatch.
  • kick old sa with same flow: The old SA is deleted for the same incoming flow.
  • spi conflict: An SPI conflict occurs.
  • phase1 sa replace: The new IKE SA replaces the old IKE SA.
  • phase2 sa replace: The new IPSec SA replaces the old IPSec SA.
  • nhrp notify: NHRP notifies the device that the SA needs to be deleted.
  • disconnect track nqa/bfd/vrrp: The IPSec tunnel is torn down based on the NQA test instance, NQA group, VRRP, BFD session, or BFD group status.
  • receive invalid spi notify: The device receives an invalid SPI notification.
  • dns resolution status change: DNS resolution status changes.
  • ikev1 phase1-phase2 sa dependent offline: The device deletes the associated IPSec SA when deleting an IKEv1 SA.

last-offline-time

Last time an IPSec tunnel was torn down.

offline-times-in-24Hour

Number of times an IPSec tunnel was torn down within 24 hours.
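The teardown reasons above are the signal an operator triages when tunnels flap. The following added example (not Huawei code) parses display ipsec history record output, counts reasons and flags tunnels whose last reason points at a path or configuration problem or that went down more than a threshold number of times in 24 hours; the two-record sample is constructed, and the assumption that a "=====" ruler separates consecutive records is this example's own.

```python
"""Triage 'display ipsec history record' output. Added example, not part of
the Huawei command reference."""
from collections import Counter
from typing import Counter as CounterT, Dict, List, Tuple

# Constructed sample: the reference shows one record; a second one is added
# here, and the '=====' ruler is assumed to separate records.
SAMPLE = """
IPSec history record:
===============================
Interface              : GigabitEthernet1/0/1
remote-address         : 2.1.1.1
remote-port            : 500
VPN-name               : huawei
flow-source            : 10.1.1.1/255.255.255.255
flow-destination       : 10.2.2.2/255.255.255.255
last-offline-reason    : peer request
last-offline-time      : 2017-07-17 20:25:31
offline-times-in-24Hour: 1
===============================
Interface              : GigabitEthernet1/0/1
remote-address         : 2.1.1.2
remote-port            : 4500
VPN-name               : huawei
flow-source            : 10.1.1.0/255.255.255.0
flow-destination       : 10.3.3.0/255.255.255.0
last-offline-reason    : dpd timeout
last-offline-time      : 2017-07-17 21:10:02
offline-times-in-24Hour: 7
"""

# Reasons from the reference that usually indicate a liveness, NAT or SPI
# problem rather than a deliberate administrative teardown (our selection).
SUSPECT_REASONS = {
    "dpd timeout", "heartbeat timeout", "spi conflict",
    "receive invalid spi notify", "hard expiry triggered by port mismatch",
}

Record = Dict[str, str]


def parse_history(text: str) -> List[Record]:
    """Split the output into one {field: value} dict per tunnel record."""
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"="}:                 # assumed record separator
            if current:
                records.append(current)
                current = {}
            continue
        # Split on the first colon only: values such as times contain colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key and value:                      # drops the 'IPSec history record:' banner
            current[key] = value
    if current:
        records.append(current)
    return records


def triage(records: List[Record], max_offline_per_day: int = 3
           ) -> Tuple[CounterT[str], List[Tuple[str, str, int]]]:
    """Count last-offline reasons and list (remote, reason, count) worth a look."""
    reasons: CounterT[str] = Counter(
        r.get("last-offline-reason", "unknown") for r in records)
    flagged = []
    for r in records:
        reason = r.get("last-offline-reason", "unknown")
        times = int(r.get("offline-times-in-24Hour", "0"))
        if reason in SUSPECT_REASONS or times > max_offline_per_day:
            flagged.append((r.get("remote-address", "?"), reason, times))
    return reasons, flagged


if __name__ == "__main__":
    counts, suspects = triage(parse_history(SAMPLE))
    print(dict(counts))
    for remote, reason, times in suspects:
        print(f"check {remote}: {reason} ({times} teardowns in 24h)")
```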

display ipsec global config

Function

The display ipsec global config command displays IPSec global configurations.

Format

display ipsec global config

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view IPSec global configurations, run the display ipsec global config command. The global configurations include the global SA lifetime and whether the anti-replay function is enabled.

Example

# Display IPSec global configurations.

<Huawei> display ipsec global config
IPSec Global Config:                                                            
--------------------------------------------------------------                  
  IPSec sa global-duration time-based(seconds)        : 3600
  IPSec sa global-duration traffic-based(kbytes)      : 1843200
  IPSec anti-replay                                   : enable
  IPSec df-bit                                        : copy 
  IPSec fragmentation                                 : disable
  IPSec nat-traversal source-port                     : 8000
  IPSec invalid-spi-recovery                          : disable
  IPSec netmask source                                : 24
  IPSec netmask destination                           : 24
--------------------------------------------------------------                  
Table 11-40  Description of the display ipsec global config command output

Item

Description

IPSec Global Config

IPSec global configurations.

IPSec sa global-duration time-based(seconds)

Time-based global SA lifetime, in seconds. To set the time-based global SA lifetime, run the ipsec sa global-duration time-based command.

IPSec sa global-duration traffic-based(kbytes)

Traffic-based global SA lifetime, in kilobytes. To set the traffic-based global SA lifetime, run the ipsec sa global-duration traffic-based command.

IPSec anti-replay

Whether the anti-replay function is enabled. To configure the anti-replay function, run the ipsec anti-replay enable command.

IPSec df-bit

IPSec tunnel don't fragment (DF) bit:
  • clear: The DF bit is set to 0, allowing packets to be fragmented.
  • set: The DF bit is set to 1, prohibiting packets from being fragmented.
  • copy: The DF bit is that of original packets.
To set the DF bit, run the ipsec df-bit command.

IPSec fragmentation

IPSec tunnel packet fragmentation mode:
  • enable: Fragmentation before IPSec encryption.
  • disable: Fragmentation after IPSec encryption.
To set the fragmentation mode, run the ipsec fragmentation before-encryption command.

IPSec nat-traversal source-port

Port number used for IPSec NAT traversal. To configure the port number used for IPSec NAT traversal, run the ipsec nat-traversal source-port command.

IPSec invalid-spi-recovery

Whether the invalid SPI recovery function is enabled:

  • enable
  • disable

To configure the invalid SPI recovery function, run the ipsec invalid-spi-recovery enable command.

IPSec netmask source

Source address mask of data flows. To configure the source address mask of data flows, run the ipsec netmask command.

When the source address mask is not configured, the mask length is 0.

IPSec netmask destination

Destination address mask of data flows. To configure the destination address mask of data flows, run the ipsec netmask command.

When the destination address mask is not configured, the mask length is 0.

display ipsec interface brief

Function

The display ipsec interface brief command displays IPSec policies bound to an interface.

Format

display ipsec interface brief

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

After an IPSec policy is bound to an interface, you can run this command to view information about the bound IPSec policy, such as the policy name and interface to which the policy is bound.

Example

# Display IPSec policies bound to an interface.

<Huawei> display ipsec interface brief
------------------------------------------------                                
  IPSec policy        : policy1                                                    
  Using interface     : GigabitEthernet1/0/0
  IPSec policy number : 10                                                       
  IPSec policy Type   : policy                                           
------------------------------------------------  
Table 11-41  Description of the display ipsec interface brief command output

Item

Description

IPSec policy

Name of the IPSec policy bound to an interface. To apply an IPSec policy to an interface, run the ipsec policy (interface view), ipsec profile (interface view), or ipsec efficient-vpn (interface view) command.

Using interface

Interface to which an IPSec policy is applied.

IPSec policy number

Sequence number of the IPSec policy bound to the interface. To configure an IPSec policy, run the ipsec policy (system view) or ipsec profile (system view) command.

IPSec policy Type

Type of the IPSec policy bound to an interface:
  • policy: IPSec policy in manual or IKE negotiation mode
  • profile: IPSec profile
  • template: IPSec policy template
  • efficient-vpn: Efficient VPN policy

display ipsec policy (all views)

Function

The display ipsec policy command displays IPSec policy information.

Format

display ipsec policy [ brief | name policy-name [ seq-number ] ]

Parameters

Parameter

Description

Value

brief

Displays brief information about all IPSec policies.

-

name policy-name

Displays detailed information about an IPSec policy with a specified name.

The value must be an existing IPSec policy name.

seq-number

Displays detailed information about an IPSec policy with a specified sequence number.

The value must be an existing IPSec policy sequence number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, this command displays detailed information about all IPSec policies.

You can use the display ipsec policy brief command to check brief information about all IPSec policies, including:

  • Name and sequence number
  • Negotiation mode
  • ACL number
  • IKE peer
  • Local address
  • Remote address

Using the name parameter, you can view details on the specified IPSec policy. In this case, the information is displayed in detailed format. If you specify name policy-name and do not specify seq-number, the command displays detailed information about an IPSec policy group.

Example

# Display brief information about all the IPSec policies.

<Huawei> display ipsec policy brief
Number of policies group : 1 
Number of policies       : 1 
  
Policy name           Mode     ACL         Peer name   Local address    Remote address
--------------------------------------------------------------------------------------
policy1-100           isakmp   3002/IPv4   peer1        
Table 11-42  Description of the display ipsec policy brief command output

Item

Description

Number of policies group

Number of IPSec policy groups. An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same name constitute an IPSec policy group.

Number of policies

Number of IPSec policies.

Policy name

Name and sequence number of an IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

Mode

Mode in which an IPSec policy is created:
  • isakmp: The IPSec policy is created in IKE negotiation mode.
  • template: The IPSec policy is created using an IPSec policy template.
  • manual: The IPSec policy is created manually.

To configure the IPSec policy creation mode, run the ipsec policy (system view) command.

ACL

ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.

Peer name

Name of the IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.

Local address

Local IP address used in IPSec negotiation. To configure the local IP address used in IPSec negotiation, run the tunnel local command.

Remote address

Remote IP address used in IPSec negotiation. To configure the remote IP address used in IPSec negotiation, run the tunnel remote command.

# Display information about all IPSec policies.

<Huawei> display ipsec policy
===========================================    
IPSec policy group: "10"                               
Using interface: GigabitEthernet6/0/0  
===========================================                     
     Sequence number: 10 
     Policy Alias: map1-10  
     Security data flow: 3000/IPv4
     Peer name    :  rut2 
     Perfect forward secrecy: DH group 14
     Proposal name:  prop1 
     IPSec SA local duration(time based): 3600 seconds 
     IPSec SA local duration(traffic based): 1843200 kilobytes 
     SA trigger mode: Traffic-based
     Route inject: None 
     Route inject state: -
     Route inject nexthop: -                       
     Route inject preference: -  
     Policy state: Enable                                                        
     Anti-replay window size: 1024                                               
     Fragment before-encryption: Disable
     Respond-only: Enable
     Policy status  : Inactive
     Qos pre-classify: Disable
     Qos group: - 
     Sa keep-holding-to hard-duration : Disable
Table 11-43  Description of the display ipsec policy command output

Item

Description

IPSec policy group

Name of an IPSec policy group. To configure an IPSec policy group, run the ipsec policy (system view) command.

Using interface

Interface to which an IPSec policy group is applied.

Sequence number

Sequence number of an IPSec policy. To configure a sequence number, run the ipsec policy (system view) command.

Policy Alias

Alias of the IPSec policy. To configure an alias for an IPSec policy, run the alias command.

Security data flow

ACL referenced in the IPSec policy. To reference an ACL in an IPSec policy, run the security acl command.

Peer name

IKE peer referenced in the IPSec policy. To configure an IKE peer, run the ike-peer command.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To configure the PFS used in IKE negotiation, run the pfs command.

Proposal name

IPSec proposal referenced in the IPSec policy. To reference an IPSec proposal, run the proposal command.

IPSec SA local duration(time based)

Time-based IPSec SA lifetime. To set the time-based lifetime of the local SA, run the sa duration time-based command in the IPSec policy view.

IPSec SA local duration(traffic based)

Traffic-based IPSec SA lifetime. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command in the IPSec policy view.

SA trigger mode

SA trigger mode:

  • Automatic
  • Traffic-based

To configure an SA trigger mode, run the sa trigger-mode command.

Route inject state

Route injection status:

  • Dynamic, Preference: Dynamic route injection is enabled and a priority is configured for the static routes generated through route injection.
  • Static, Preference: Static route injection is enabled and a priority is configured for the static routes generated through route injection.
  • None: Route injection is disabled.
  • Dynamic: Dynamic route injection is enabled.
  • Static: Static route injection is enabled.

To configure route injection, run the route inject command.

Route inject nexthop

Next hop of a generated route. To configure route injection, run the route inject command.

Route inject preference

Priority of a generated route. To configure route injection, run the route inject command.

Policy state

Policy status:

  • Enable
  • Disable

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window command.

Fragment before-encryption

IPSec fragmentation mode:

  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

To configure an IPSec fragmentation mode, run the ipsec fragmentation before-encryption command.

Respond-only

Whether the local end is enabled to initiate IPSec negotiation when an IPSec policy in ISAKMP mode is used to create an IPSec tunnel.
  • Enable: The local end functions as the IPSec responder and does not initiate IPSec negotiation.
  • Disable: The local end initiates IPSec negotiation.

Policy status

IPSec policy status:

  • Active
  • Inactive

To set an IPSec policy to the active state, run the policy enable command.

Qos pre-classify

Pre-extraction of original IP packets. To configure pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which the IPSec packets belong. To configure the QoS group, run the qos group command.

Sa keep-holding-to hard-duration

Whether the device deletes the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

  • Enable: The device will delete the original IPSec SA after the hard lifetime expires.
  • Disable: The device deletes the original IPSec SA immediately.

To configure the device to delete the original IPSec SA after the hard lifetime expires, run the sa keep-holding-to hard-duration command.
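
The fields in Table 11-43 are what an operator reviews when auditing a tunnel configuration. The following Python script is an added example and is not part of the Huawei command reference: it parses the detailed display ipsec policy output into one record per policy and reports the settings that deserve a second look, namely a missing or weak PFS group, a missing Anti-replay window size line (the reference notes that this field is printed only when anti-replay is enabled), and a long time-based SA lifetime. The sample output is constructed from the documented fields; the policy names, interfaces, values and the 86400-second review threshold are assumptions.

```python
import re

# Constructed sample modelled on the reference's `display ipsec policy` output;
# the names and values are assumptions, not captured from a device.
SAMPLE_OUTPUT = """\
===========================================
IPSec policy group: "10"
Using interface: GigabitEthernet6/0/0
===========================================
     Sequence number: 10
     Policy Alias: map1-10
     Security data flow: 3000/IPv4
     Peer name    :  rut2
     Perfect forward secrecy: DH group 2
     Proposal name:  prop1
     IPSec SA local duration(time based): 172800 seconds
     IPSec SA local duration(traffic based): 1843200 kilobytes
     SA trigger mode: Traffic-based
     Route inject: None
     Policy state: Enable
     Fragment before-encryption: Disable
     Respond-only: Enable
     Policy status  : Inactive
===========================================
IPSec policy group: "20"
Using interface: GigabitEthernet6/0/1
===========================================
     Sequence number: 5
     Policy Alias: map2-5
     Security data flow: 3001/IPv4
     Peer name    :  rut3
     Perfect forward secrecy: DH group 14
     Proposal name:  prop2
     IPSec SA local duration(time based): 3600 seconds
     IPSec SA local duration(traffic based): 1843200 kilobytes
     SA trigger mode: Automatic
     Route inject: None
     Policy state: Enable
     Anti-replay window size: 1024
     Fragment before-encryption: Disable
     Respond-only: Disable
     Policy status  : Active
"""

# DH groups below 2048 bits in the PFS field list (groups 1, 2 and 5).
WEAK_DH_GROUPS = {"DH group 1", "DH group 2", "DH group 5"}
# Assumed review threshold for the time-based SA lifetime, in seconds.
MAX_TIME_LIFETIME = 86400


def parse_policies(text):
    """Split the detailed output into one dict per policy.

    Keys are the field names exactly as printed (for example 'Peer name');
    the policy group name is stored under 'group'.
    """
    policies = []
    current = None
    for line in text.splitlines():
        m = re.match(r'\s*IPSec policy group:\s*"([^"]+)"', line)
        if m:
            current = {"group": m.group(1)}
            policies.append(current)
            continue
        if current is None or ":" not in line:
            continue  # separator lines and text before the first policy
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return policies


def audit_policy(policy):
    """Return a list of findings for one parsed policy; empty means nothing flagged."""
    findings = []
    pfs = policy.get("Perfect forward secrecy", "None")
    if pfs == "None":
        findings.append("PFS disabled: IPSec SA keys are derived from the IKE SA only")
    elif pfs in WEAK_DH_GROUPS:
        findings.append(f"weak PFS group ({pfs}); prefer DH group 14 or an ECP group")
    # The reference states this field is printed only when anti-replay is enabled.
    if "Anti-replay window size" not in policy:
        findings.append("anti-replay not enabled (no 'Anti-replay window size' field)")
    m = re.match(r"(\d+)\s+seconds", policy.get("IPSec SA local duration(time based)", ""))
    if m and int(m.group(1)) > MAX_TIME_LIFETIME:
        findings.append(f"time-based SA lifetime {m.group(1)}s exceeds {MAX_TIME_LIFETIME}s")
    return findings


def audit_output(text):
    """Map each policy's alias (or group-sequence) to its list of findings."""
    report = {}
    for p in parse_policies(text):
        label = p.get("Policy Alias") or f"{p['group']}-{p.get('Sequence number', '?')}"
        report[label] = audit_policy(p)
    return report


if __name__ == "__main__":
    for alias, findings in audit_output(SAMPLE_OUTPUT).items():
        print(alias, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The parser keys each record by the printed field name, so a check for any other field in Table 11-43 (for example Respond-only or Policy state) is a one-line addition to audit_policy.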

display ipsec policy ctrl-plane

Function

The display ipsec policy ctrl-plane command displays information about IPSec policies on the control plane.

Format

display ipsec policy [ brief | name policy-name [ seq-number ] ] ctrl-plane

Parameters

Parameter Description Value
brief Displays brief information about all the IPSec policies. -
name policy-name Specifies the name of an IPSec policy. The value is an existing IPSec policy name.
seq-number Specifies the sequence number of an IPSec policy. The value is an existing IPSec policy sequence number.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

If the policy name or the sequence number is not specified, detailed information about all IPSec policies is displayed.

The display ipsec policy brief ctrl-plane command displays the following brief information about all IPSec policies:

  • Name and sequence number
  • Negotiation mode
  • ACL number
  • IKE peer
  • Local address
  • Remote address

Using the name parameter, you can view details on the specified IPSec policy. In this case, the information is displayed in detailed format. If you specify name policy-name and do not specify seq-number, the command displays detailed information about an IPSec policy group.

Example

# Display brief information about all the IPSec policies.

<Huawei> display ipsec policy brief ctrl-plane
Number of policies group : 1 
Number of policies       : 1 
  
Policy name           Mode     ACL   Peer name   Local address    Remote address 
-------------------------------------------------------------------------------- 
policy1-100           isakmp   3002  peer1       60.1.1.1         60.1.1.2     
Table 11-44  Description of the display ipsec policy brief ctrl-plane command output

Item

Description

Number of policies group

Number of IPSec policy groups. An IPSec policy is identified by its name and sequence number, and multiple IPSec policies with the same IPSec policy name constitute an IPSec policy group.

Number of policies

Number of IPSec policies.

Policy name

Name and sequence number of an IPSec policy.

Mode

Mode in which an IPSec policy is created:
  • isakmp: An IPSec policy is created in IKE negotiation mode.
  • template: An IPSec policy is created using an IPSec policy template.
  • manual: An IPSec policy is created manually.

ACL

ACL referenced by the IPSec policy.

Peer name

Name of the IKE peer referenced by the IPSec policy.

Local address

Local IP address used in IKE negotiation. Only IPSec policies in manual mode display the local address.

Remote address

Remote IP address used in IKE negotiation. Only IPSec policies in manual mode display the remote address.

# Display detailed information about all IPSec policies on the control plane.

<Huawei> display ipsec policy ctrl-plane                
===========================================                   
IPSec policy group: "10"                                   
Using interface: {GigabitEthernet6/0/0}                    
=========================================== 
     Policy Alias: map1-10  
     Security data flow: 3000 
     Peer name    :  rut2 
     Perfect forward secrecy: None 
     Proposal name:  prop1 
     IPSec SA local duration(time based): 3600 seconds 
     IPSec SA local duration(traffic based): 1843200 kilobytes 
     SA trigger mode: Traffic-based                                              
     Route inject: None                                                          
     Policy state: Enable                                                        
     Anti-replay: -                                                              
     Anti-replay window size: 1024                                               
     Fragment before-encryption: Disable
     Respond-only: Disable  
     Policy status  : Inactive
     Qos pre-classify: Disable
     Qos group: -  
Table 11-45  Description of the display ipsec policy ctrl-plane command output

Item

Description

IPSec policy group

Name of an IPSec policy group.

Using interface

Interface to which the IPSec policy group is applied.

Sequence number

Sequence number of an IPSec policy.

Security data flow

ACL used by an IPSec policy.

Peer name

IKE peer referenced in the IPSec policy.

Perfect forward secrecy

DH group used by the PFS function:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • None: PFS is not used during IKE negotiation.

Proposal name

IPSec proposal used by an IPSec policy.

IPSec SA local duration(time based)

Time-based IPSec SA duration.

IPSec SA local duration(traffic based)

Traffic-based IPSec SA duration.

SA trigger mode

SA trigger mode:

  • Automatic.
  • Traffic-based.

Route inject

Route injection status:
  • Dynamic, Preference: Dynamic route injection is enabled and a priority is configured for the static route generated through route injection.
  • Static, Preference: Static route injection is enabled and a priority is configured for the static route generated through route injection.
  • None: Route injection is disabled.

Policy state

Policy status:

  • Enable.
  • Disable.

Anti-replay

Whether the anti-replay function is enabled.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled.

Fragment before-encryption

IPSec fragmentation mode:

  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

Respond-only

Whether the local end is enabled to initiate IPSec negotiation when an IPSec policy in ISAKMP mode is used to create an IPSec tunnel.
  • Enable: The local end functions as the IPSec responder and does not initiate IPSec negotiation.
  • Disable: The local end initiates IPSec negotiation.

Policy status

IPSec policy status:

  • Active.
  • Inactive.

Qos Pre-classify

Pre-extraction of original IP packets.

Qos group

QoS group to which the IPSec packets belong.

display ipsec policy-template (all views)

Function

The display ipsec policy-template command displays IPSec policy template information.

Format

display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ]

Parameters

Parameter Description Value
brief Displays brief information about all IPSec policy templates. -
name policy-template-name Displays detailed information about the IPSec policy template with a specified name. The value must be an existing IPSec policy template name.
seq-number Displays detailed information about the IPSec policy template with a specified sequence number. The value must be an existing IPSec policy template sequence number.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, this command displays detailed information about all IPSec policy templates.

You can use the display ipsec policy-template brief command to check brief information about all IPSec policy templates, including:

  • Template name and sequence number
  • ACL number
  • IKE Peer

If name is specified, the command displays detailed information about the IPSec policy template. If you specify name and do not specify seq-number, the command displays detailed information about an IPSec policy template group.

Example

# Display brief information about all IPSec policy templates.

<Huawei> display ipsec policy-template brief
Number of templates group : 1                                                    
Number of templates       : 1                                                    
                                                                                 
Policy template name     ACL           Peer name                                 
------------------------------------------------------                           
temp1-10                 3001/IPv4     rut3     
Table 11-46  Description of the display ipsec policy-template brief command output

Item

Description

Number of templates group

Number of IPSec policy template groups. An IPSec policy template is identified by its name and sequence number. Multiple IPSec policy templates with the same IPSec policy template name constitute an IPSec policy template group.

Number of templates

Number of IPSec policy templates.

Policy template name

Name and sequence number of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.

ACL

ACL referenced in the IPSec policy template. To reference an ACL in an IPSec policy template, run the security acl command.

Peer name

Name of the IKE peer referenced in the IPSec policy template. To reference an IKE peer, run the ike-peer command.

# Display information about a specified IPSec policy template group.

<Huawei> display ipsec policy-template name tem3
                                                                                
===============================================                                 
IPSec policy template group: "tem3"                                             
===============================================                                 
                                                                                
    Sequence number: 1                                                          
    Policy Alias: tem3-1                                                        
    Security data flow: 3001/IPv4
    Peer name    :  zc3                                                         
    Perfect forward secrecy: DH group 14
    Proposal name:  3                                                           
    IPSec SA local duration(time based): 3600 seconds                           
    IPSec SA local duration(traffic based): 1843200 kilobytes
    Anti-replay window size: 1024                                               
    Fragment before-encryption: Disable
    Route inject state: -
    Route inject nexthop: -                       
    Route inject preference: -  
    Policy state: Enable
    Qos pre-classify: Enable
    Qos group: -  
    Sa keep-holding-to hard-duration : Disable
Table 11-47  Description of the display ipsec policy-template name command output

Item

Description

IPSec policy template group

Name of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.

Sequence number

Sequence number of an IPSec policy template. To configure an IPSec policy template, run the ipsec policy-template command.

Policy Alias

Alias of an IPSec policy template. To configure an alias, run the alias command.

Security data flow

ACL referenced in the IPSec policy template. To reference an ACL in an IPSec policy template, run the security acl command.

Peer name

Name of the IKE peer referenced in the IPSec policy template. To reference an IKE peer, run the ike-peer command.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To configure the PFS used in IKE negotiation, run the pfs command.

Proposal name

Name of an IPSec proposal referenced in the IPSec policy template. To reference an IPSec proposal, run the proposal command.

IPSec SA local duration(time based)

Time-based lifetime of the local SA. To set the time-based lifetime of the local SA, run the sa duration time-based command.

IPSec SA local duration(traffic based)

Traffic-based lifetime of the local SA. To set the traffic-based lifetime of the local SA, run the sa duration traffic-based command.

Anti-replay window size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the ipsec anti-replay window command.

Fragment before-encryption

Packet fragmentation mode for an IPSec tunnel:
  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

To configure a packet fragmentation mode for an IPSec tunnel, run the ipsec fragmentation before-encryption command.

Route inject state

Route injection status:
  • Dynamic: Dynamic route injection is enabled.

To configure route injection, run the route inject command.

Route inject nexthop

Next hop of a generated route. To configure route injection, run the route inject command.

Route inject preference

Priority of a generated route. To configure route injection, run the route inject command.

Policy state

Status of the IPSec policy that references the IPSec policy template:
  • Enable: The IPSec policy is enabled.
  • Disable: The IPSec policy is disabled.

To enable an IPSec policy, run the policy enable command.

Qos pre-classify

Pre-extraction of original IP packets. To configure pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which the IPSec packets belong. To configure the QoS group, run the qos group command.

Sa keep-holding-to hard-duration

Whether the device deletes the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

  • Enable: The device will delete the original IPSec SA after the hard lifetime expires.
  • Disable: The device deletes the original IPSec SA immediately.

To configure the device to delete the original IPSec SA after the hard lifetime expires, run the sa keep-holding-to hard-duration command.

display ipsec policy-template ctrl-plane

Function

The display ipsec policy-template ctrl-plane command displays information about IPSec policy templates on the control plane.

Format

display ipsec policy-template [ brief | name policy-template-name [ seq-number ] ] ctrl-plane

Parameters

Parameter Description Value
brief Displays brief information about all the IPSec policy templates. -
name policy-template-name Specifies the name of an IPSec policy template. The value is an existing IPSec policy template name.
seq-number Specifies the sequence number of an IPSec policy template. The value is an existing IPSec policy template sequence number.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, detailed information about all IPSec policy templates is displayed.

If brief is specified, the command displays the following brief information about all IPSec policy templates:

  • Template name and sequence number
  • ACL number
  • IKE Peer

If name is specified, the command displays detailed information about the IPSec policy template.

Example

# Display brief information about all IPSec policy templates on the control plane.

<Huawei> display ipsec policy-template brief ctrl-plane
Number of templates group : 1                                                    
Number of templates       : 1                                                    
                                                                                 
Policy template name     ACL           Peer name                                 
------------------------------------------------------                           
temp1-10                                rut3     
Table 11-48  Description of the display ipsec policy-template brief ctrl-plane command output

Item

Description

Number of templates group

Number of IPSec policy template groups. An IPSec policy template is identified by its name and sequence number, and multiple IPSec policy templates with the same IPSec policy template name constitute an IPSec policy template group.

Number of templates

Number of IPSec policy templates.

Policy template name

Name and sequence number of an IPSec policy template.

ACL

ACL used by an IPSec policy template.

Peer name

Name of the IKE peer referenced by the IPSec policy template.

# Display information about a specified IPSec policy template.

<Huawei> display ipsec policy-template name tem3 ctrl-plane
                                                                                
===============================================                                 
IPSec policy template group: "tem3"                                             
===============================================                                 
                                                                                
    Sequence number: 1                                                          
    Policy Alias: tem3-1                                                        
    Security data flow: 0                                                       
    Peer name    :  zc3                                                         
    Perfect forward secrecy: None                                               
    Proposal name:  3                                                           
    IPSec SA local duration(time based): 3600 seconds                           
    IPSec SA local duration(traffic based): 1843200 kilobytes                   
    Anti-replay: -                                                              
    Anti-replay window size: 1024                                               
    Fragment before-encryption: Disable                                         
    Route inject: None                                                          
    Policy state: Enable
    Qos pre-classify: Enable
    Qos group: -  
Table 11-49  Description of the display ipsec policy-template name tem3 ctrl-plane command output

Item

Description

IPSec policy template group

Name of an IPSec policy template.

Sequence number

Sequence number of the IPSec policy template.

Policy Alias

Alias of the IPSec policy template.

Security data flow

ACL referenced by the IPSec policy template.

Peer name

Name of the IKE peer referenced by the IPSec policy template.

Perfect forward secrecy

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • None: PFS is not used during IKE negotiation.

Proposal name

Name of an IPSec proposal referenced by the IPSec policy template.

IPSec SA local duration(time based)

Time-based lifetime of the local SA.

IPSec SA local duration(traffic based)

Traffic-based lifetime of the local SA.

Anti-replay

Whether IPSec anti-replay is enabled in an IPSec policy template:
  • Enable: IPSec anti-replay is enabled.
  • -: IPSec anti-replay is not enabled in the IPSec policy template itself; the global IPSec anti-replay setting applies.

Anti-replay window size

IPSec anti-replay window size.

Fragment before-encryption

Packet fragmentation mode for an IPSec tunnel:
  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

Route inject

Route injection status:
  • Dynamic, Preference: Dynamic route injection is enabled and a priority is configured for the route generated through route injection.
  • Static, Preference: Static route injection is enabled and a priority is configured for the route generated through route injection.
  • None: Route injection is disabled.

Policy state

Status of the IPSec policy that references the IPSec policy template:
  • Enable: The IPSec policy is enabled.
  • Disable: The IPSec policy is disabled.

Qos Pre-classify

Pre-extraction of original IP packets.

Qos group

QoS group to which the IPSec packets belong.
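
The Anti-replay and Anti-replay window size fields in Table 11-49 (and the same fields in the earlier tables) refer to the receiver-side sliding window that ESP uses to reject duplicated sequence numbers. The following Python class is an added example, not code from the Huawei command reference: it implements that window in the style of the ESP receiver check so the trade-off behind the window size is visible. A packet that arrives more than one window behind the newest accepted packet is dropped even though it is not a duplicate, so a larger window (the reference shows 1024) tolerates more reordering without giving up replay protection. The packet stream is constructed.

```python
class AntiReplayWindow:
    """Tracks received ESP sequence numbers within a window of `size` entries.

    `top` is the highest sequence number accepted so far; bit i of `bitmap`
    is set when sequence number (top - i) has already been accepted.
    """

    def __init__(self, size=1024):
        if size < 32:
            raise ValueError("window must hold at least 32 sequence numbers")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is new and inside the window."""
        if seq == 0:
            return False  # ESP never uses sequence number 0 after SA setup
        mask = (1 << self.size) - 1
        if seq > self.top:
            # Slide the window forward; bit 0 now represents `seq` itself.
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:
            return False  # older than the window: treated as a replay
        if (self.bitmap >> diff) & 1:
            return False  # already seen: replay
        self.bitmap |= 1 << diff
        return True


def replay_decisions(seqs, size):
    """Run a sequence-number stream through a fresh window; True means accepted."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


# Constructed stream: in-order packets, one late packet, one duplicate, and a
# packet that arrives 40 positions behind the newest accepted one.
STREAM = [1, 2, 3, 5, 4, 4, 100, 60]

if __name__ == "__main__":
    for size in (32, 1024):
        print(size, replay_decisions(STREAM, size))
```

With a 32-entry window the last packet (sequence 60, 40 behind 100) is rejected as too old; with the 1024-entry window shown in the reference output it is accepted, while the duplicate sequence 4 is rejected in both cases.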

display ipsec profile (all views)

Function

The display ipsec profile command displays IPSec profile information.

Format

display ipsec profile [ brief | name profile-name ]

Parameters

Parameter Description Value
brief Displays brief information about all IPSec profiles. -
name profile-name Displays information about the specified IPSec profile. The value must be an existing IPSec profile name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, you can view information about all IPSec profiles.

If the brief parameter is specified, you can view brief information about all IPSec profiles.

If the name parameter is specified, you can view detailed information about the specified IPSec profile.

Example

# Display brief information about all IPSec profiles.

<Huawei> display ipsec profile brief
 Total number of IPSec profile: 1 
 Profile name      Peer name 
 ---------------------------------  
 a                 spub 
Table 11-50  Description of the display ipsec profile brief command output

Item

Description

Total number of IPSec profile

Number of IPSec profiles on a device.

Profile name

Name of an IPSec profile. To configure an IPSec profile, run the ipsec profile (system view) command.

Peer name

Name of the IKE peer referenced by the IPSec profile. To reference an IKE peer, run the ike-peer command.

# Display information about IPSec profile a.

<Huawei> display ipsec profile name a
===========================================                                     
IPSec profile  : a                                                              
Using interface: Tunnel0/0/1   
===========================================                                     
 IPSec Profile Name        : a                                                   
 Peer Name                 : -
 PFS   Group               : DH group 14
 SecondsFlag               : 0 (0:Global 1:Local)                                
 SA Life Time Seconds      : 3600                                                
 KilobytesFlag             : 0 (0:Global 1:Local)                                
 SA Life Kilobytes         : 1843200                                             
 Anti-replay Window Size   : 1024                                                
 Fragment Before-encryption: Disable                                             
 Number of IPSec Proposals : 0                                                   
 IPSec Proposals Name      : -
 IKE Identity Name         : identity1
 Qos Pre-classify          : 0 (0:Disable 1:Enable)
 Qos group                 : -   
Table 11-51  Description of the display ipsec profile name command output

Item

Description

IPSec profile

Name of an IPSec profile. To configure an IPSec profile, run the ipsec profile (system view) command.

Using interface

Interface to which an IPSec profile is applied.

IPSec Profile Name

Name of an IPSec profile. To configure an IPSec profile, run the ipsec profile (system view) command.

Peer Name

Name of the IKE peer referenced by the IPSec profile. To reference an IKE peer, run the ike-peer command.

PFS Group

Perfect Forward Secrecy (PFS) used in IKE negotiation:
  • DH group 1: 768-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 2: 1024-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 5: 1536-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 14: 2048-bit Diffie-Hellman group is used during IKE negotiation.
  • DH group 19: 256-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 20: 384-bit ECP Diffie-Hellman group is used during IKE negotiation.
  • DH group 21: 521-bit ECP Diffie-Hellman group is used during IKE negotiation.

To specify the PFS, run the pfs command.

SecondsFlag

Flag indicating which time-based SA lifetime is in effect:

  • 0: The SA ages based on time, and the global time-based lifetime takes effect. To configure a global time-based SA lifetime, run the ipsec sa global-duration time-based command.
  • 1: The SA ages based on time, and the locally configured time-based lifetime (sa duration time-based) takes effect.

SA Life Time Seconds

Time-based IPSec SA lifetime.

KilobytesFlag

Flag indicating which traffic-based SA lifetime is in effect:

  • 0: The SA ages based on traffic, and the global traffic-based lifetime takes effect. To configure a global traffic-based SA lifetime, run the ipsec sa global-duration traffic-based command.
  • 1: The SA ages based on traffic, and the locally configured traffic-based lifetime (sa duration traffic-based) takes effect.

SA Life Kilobytes

Traffic-based IPSec SA lifetime.

Anti-replay Window Size

IPSec anti-replay window size. This field is valid only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window command.

Fragment Before-encryption

Packet fragmentation mode.

  • Enable: IPSec packets are fragmented before encryption.
  • Disable: IPSec packets are fragmented after encryption.

To configure a packet fragmentation mode, run the ipsec fragmentation before-encryption command.

Number of IPSec Proposals

Number of IPSec proposals referenced by an IPSec profile.

IPSec Proposals Name

Name of the referenced IPSec proposal. To configure an IPSec proposal, run the proposal command.

IKE Identity Name

Name of the referenced IKE identity. To reference an IKE identity, run the match ike-identity command.

Qos Pre-classify

Pre-extraction of original IP packets. To configure pre-extraction of original IP packets, run the qos pre-classify command.

Qos group

QoS group to which the IPSec packets belong. To configure the QoS group, run the qos group command.

display ipsec profile ctrl-plane

Function

The display ipsec profile ctrl-plane command displays information about IPSec profiles on the control plane.

Format

display ipsec profile [ brief | name profile-name ] ctrl-plane

Parameters

Parameter Description Value
brief

Displays brief information about all IPSec profiles.

-
name profile-name

Displays information about the specified IPSec profile.

The value is an existing IPSec profile name.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, information about all IPSec profiles is displayed.

If the brief parameter is specified, brief information about all IPSec profiles is displayed.

If the name parameter is specified, detailed information about the specified IPSec profile is displayed.

Example

# View information about the IPSec profile named a.

<Huawei> display ipsec profile name a ctrl-plane
===========================================                                     
IPSec profile  : a                                                              
Using interface:                                                                
===========================================                                     
 IPSec Profile Name        :a                                                   
 Peer Name                 :                                                    
 PFS   Group               :DH group 14
 SecondsFlag               :0 (0:Global 1:Local)                                
 SA Life Time Seconds      :3600                                                
 KilobytesFlag             :0 (0:Global 1:Local)                                
 SA Life Kilobytes         :1843200                                             
 Anti-replay               :-                                                   
 Anti-replay Window Size   :1024                                                
 Fragment Before-encryption:Disable                                             
 Number of IPSec Proposals :0                                                   
 IPSec Proposals Name      :    
 IKE Identity Name         :identity1
 Qos Pre-classify          :0 (0:Disable 1:Enable)
 Qos group                 : -   
Table 11-52  Description of the display ipsec profile name a ctrl-plane command output

Item

Description

IPSec profile

Name of an IPSec profile

Using interface

Interface to which an IPSec profile is applied

IPSec Profile Name

Name of an IPSec profile

Peer name

Name of the IKE peer referenced by the IPSec profile.

PFS Group

Perfect Forward Secrecy (PFS) used in IKE negotiation:

  • DH group 1: Indicates the 768-bit Diffie-Hellman group during negotiation.
  • DH group 2: Indicates the 1024-bit Diffie-Hellman group during negotiation.
  • DH group 5: Indicates the 1536-bit Diffie-Hellman group during negotiation.
  • DH group 14: Indicates the 2048-bit Diffie-Hellman group during negotiation.

SecondsFlag

Flag bit for time-based SA aging:

  • 0: The global time-based lifetime configuration applies
  • 1: The local time-based lifetime configuration applies

SA Life Time Seconds

Time-based IPSec SA duration.

KilobytesFlag

Flag bit for traffic-based SA aging:

  • 0: The global traffic-based lifetime configuration applies
  • 1: The local traffic-based lifetime configuration applies

SA Life Kilobytes

Traffic-based IPSec SA duration.

Anti-replay

Whether the IPSec anti-replay function is enabled.

Anti-replay Window Size

IPSec anti-replay window size. This field is available only when the IPSec anti-replay function is enabled.

Fragment Before-encryption

IPSec fragment mode:

  • Enable: Fragment before encryption
  • Disable: Fragment after encryption

Number of IPSec Proposals

Number of IPSec proposals referenced by the IPSec profile.

IPSec Proposals Name

Name of an IPSec proposal

IKE Identity Name

Name of the referenced IKE identity.

Qos Pre-classify

Pre-extraction of original IP packets.

Qos group

QoS group to which the IPSec packets belong.

# View brief information about all IPSec profiles.

<Huawei> display ipsec profile brief ctrl-plane
 Total number of IPSec profile: 1 
 Profile name      Peer name 
 ---------------------------------  
 a                  spub 
Table 11-53  Description of the display ipsec profile brief ctrl-plane command output

Item

Description

Total number of IPSec profile

Number of IPSec profiles on a device

Profile name

Name of an IPSec profile

Peer name

Name of the IKE peer referenced by the IPSec profile.

display ipsec proposal (All views)

Function

The display ipsec proposal command displays IPSec proposal information.

Format

display ipsec proposal [ brief | name proposal-name ]

Parameters

Parameter Description Value
brief Displays brief information about IPSec proposals. -
name proposal-name Displays detailed information about an IPSec proposal with a specified name. The value must be an existing IPSec proposal name.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

You can run the display ipsec proposal command to view the following information:

  • Name of the IPSec proposal
  • Encapsulation mode
  • Security protocol
  • Authentication and encryption algorithms defined in the security protocol

If no parameter is specified, this command displays detailed information about all IPSec proposals.

Example

# Display detailed information about all IPSec proposals.

<Huawei> display ipsec proposal
                                                                                
Number of proposals: 2                                                          
                                                                                
IPSec proposal name: 1                                                          
 Encapsulation mode: Tunnel                                                     
 Transform         : esp-new                                                    
 ESP protocol      : Authentication SHA2-HMAC-256
                     Encryption AES-256                                        
                                                                                
IPSec proposal name: 2                                                          
 Encapsulation mode: Tunnel                                                     
 Transform         : ah-esp-new                                                 
 AH protocol       : Authentication SHA2-HMAC-256                                 
 ESP protocol      : Authentication SHA2-HMAC-256                                 
                     Encryption     AES-256

# Display brief information about all IPSec proposals.

<Huawei> display ipsec proposal brief
                                                                                
Current ipsec proposal number: 5                                                
 ---------------------------------------------------------                      
 Proposal Name     Encapsulation mode    Transform                              
 ---------------------------------------------------------                      
 1                 Tunnel                 esp-new                               
 2                 Tunnel                 ah-esp-new                            
 3                 Tunnel                 ah-esp-new                            
 4                 Tunnel                 esp-new                               
 prop1             Tunnel                 esp-new
Table 11-54  Description of the display ipsec proposal command output

Item

Description

Number of proposals/Current ipsec proposal number

Current total number of IPSec proposals.

IPSec proposal name/Proposal Name

Name of the IPSec proposal. To configure an IPSec proposal, run the ipsec proposal command.

Encapsulation mode

Encapsulation mode in the IPSec proposal, which can be transport or tunnel. To configure an encapsulation mode, run the encapsulation-mode command.

Transform

Security protocol in the IPSec proposal. The value can be:
  • ah-new
  • esp-new
  • ah-esp-new
To configure a security protocol, run the transform command.

ESP protocol

Authentication and encryption algorithms used by ESP. To configure authentication and encryption algorithms, run the esp authentication-algorithm and esp encryption-algorithm commands.

display ipsec proposal ctrl-plane

Function

The display ipsec proposal ctrl-plane command displays information about the IPSec proposal on the ctrl-plane.

Format

display ipsec proposal [ brief | name proposal-name ] ctrl-plane

Parameters

Parameter Description Value
brief Displays brief information about the IPSec proposal. -
name proposal-name Specifies the name of the proposal. The value is an existing IPSec proposal name.

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

The display ipsec proposal ctrl-plane command output includes the following information:

  • Name of the IPSec proposal
  • Adopted encapsulation mode
  • Adopted security protocol
  • Authentication and encryption algorithms defined in the security protocol

If the name of the IPSec proposal is not specified, all proposals are displayed.

Example

# Display detailed information about all IPSec proposals.

<Huawei> display ipsec proposal ctrl-plane
Number of proposals: 3                                                          
                                                                                
IPSec proposal name: newprop1                                                   
 Encapsulation mode: Tunnel                                                     
 Transform         : esp-new                                                    
 ESP protocol      : Authentication SHA2-HMAC-256                               
                     Encryption AES-256                                         
                                                                                
IPSec proposal name: prop1                                                      
 Encapsulation mode: Tunnel                                                     
 Transform         : ah-new                                                     
 AH protocol       : Authentication SHA2-HMAC-256                               
                                                                                
IPSec proposal name: prop                                                       
 Encapsulation mode: Tunnel                                                     
 Transform         : esp-new                                                    
 ESP protocol      : Authentication SHA2-HMAC-256                               
                     Encryption AES-256   

# Display brief information about all IPSec proposals.

<Huawei> display ipsec proposal brief ctrl-plane
Current ipsec proposal number: 1 
-----------------------------------------------------  
Proposal Name      Encapsulation mode      Transform     
-----------------------------------------------------  
prop1              Tunnel                  esp-new  
Table 11-55  Description of the display ipsec proposal ctrl-plane command output

Item

Description

Number of proposals/Current ipsec proposal number

Total number of IPSec proposals in the current system.

IPSec proposal name/Proposal Name

Name of the proposal.

Encapsulation mode

Mode used by the proposal: transport mode or tunnel mode.

Transform

Security protocol used by the proposal: AH, ESP, or both.

AH protocol

Authentication algorithm used by AH.

ESP protocol

Authentication and encryption algorithms used by ESP.

display ipsec proto-protect proposal

Function

The display ipsec proto-protect proposal command displays information about security proposals.

Format

display ipsec proto-protect proposal [ name proposal-name ]

Parameters

Parameter Description Value
name proposal-name Specifies the name of a security proposal. The value is a string of 1 to 15 case-insensitive characters.

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

After IPSec is configured, when valid packets are dropped between IPSec peers, you can run the display ipsec proto-protect proposal command to check whether the security proposal configurations on both IPSec peers are identical.

IPSec protects traffic according to the security proposal. You can run the display ipsec proto-protect proposal command to view the following information:

  • Name of the IPSec security proposal
  • Encapsulation mode defined in the security proposal
  • Security protocol defined in the security proposal
  • Authentication and encryption algorithms defined in the security proposal

Example

# Display information about all security proposals.

<Huawei> display ipsec proto-protect proposal
 Total IP security proposal number: 2

 IP security proposal name: proposal1
   encapsulation mode: transport
   transform: esp-new
   ESP protocol: authentication SHA1-HMAC-96, encryption 256-aes

 IP security proposal name: proposal2
   encapsulation mode: transport
   transform: ah-new
   AH protocol: authentication SHA1-HMAC-96
Table 11-56  Description of the display ipsec proto-protect proposal command output

Item

Description

Total IP security proposal number

Number of security proposals created

IP security proposal name

Name of a security proposal

encapsulation mode

Encapsulation mode:
  • transport
  • tunnel
NOTE:

Currently only transport mode is supported.

transform

Security protocol defined in the security proposal:
  • esp-new: specifies the Encapsulating Security Payload (ESP).
  • ah-new: specifies the Authentication Header (AH).

ESP protocol

Authentication and encryption algorithms used by ESP.

AH protocol

Authentication algorithm used by AH.

display ipsec proposal (User view)

Function

The display ipsec proposal command displays information about the IPSec proposal.

Format

display ipsec proposal [ brief | name proposal-name ] ctrl-plane

Parameters

Parameter Description Value
brief Displays brief information about the IPSec proposal. -
name proposal-name Specifies the name of the proposal. The value is an existing IPSec proposal name.
ctrl-plane Displays information about the IPSec proposals on the ctrl-plane. -

Views

User view

Default Level

1: Monitoring level

Usage Guidelines

The display ipsec proposal command output includes the following information:

  • Name of the IPSec proposal
  • Adopted encapsulation mode
  • Adopted security protocol
  • Authentication and encryption algorithms defined in the security protocol

If the name of the IPSec proposal is not specified, all proposals are displayed.

Example

# Display detailed information about all IPSec proposals.

<Huawei> display ipsec proposal ctrl-plane
                                                                                
Number of proposals: 2                                                          
                                                                                
IPSec proposal name: 1                                                          
 Encapsulation mode: Tunnel                                                     
 Transform         : esp-new                                                    
 ESP protocol      : Authentication SHA2-HMAC-256
                     Encryption AES-256                                        
                                                                                
IPSec proposal name: 2                                                          
 Encapsulation mode: Tunnel                                                     
 Transform         : ah-esp-new                                                 
 AH protocol       : Authentication SHA2-HMAC-256                                 
 ESP protocol      : Authentication SHA2-HMAC-256                                 
                     Encryption     AES-256

# Display brief information about all IPSec proposals.

<Huawei> display ipsec proposal brief ctrl-plane
                                                                                
Current ipsec proposal number: 5                                                
 ---------------------------------------------------------                      
 Proposal Name     Encapsulation mode    Transform                              
 ---------------------------------------------------------                      
 1                 Tunnel                 esp-new                               
 2                 Tunnel                 ah-esp-new                            
 3                 Tunnel                 ah-esp-new                            
 4                 Tunnel                 esp-new                               
 prop1             Tunnel                 esp-new
Table 11-57  Description of the display ipsec proposal command output

Item

Description

Number of proposals/Current ipsec proposal number

Current total number of IPSec proposals.

IPSec proposal name/Proposal Name

Name of the IPSec proposal. To configure an IPSec proposal, run the ipsec proposal command.

Encapsulation mode

Encapsulation mode in the IPSec proposal, which can be transport or tunnel. To configure an encapsulation mode, run the encapsulation-mode command.

Transform

Security protocol in the IPSec proposal. The value can be:
  • ah-new
  • esp-new
  • ah-esp-new
To configure a security protocol, run the transform command.

ESP protocol

Authentication and encryption algorithms used by ESP. To configure authentication and encryption algorithms, run the esp authentication-algorithm and esp encryption-algorithm commands.

display ipsec sa

Function

The display ipsec sa command displays IPSec SA information.

Format

display ipsec sa [ brief | duration | efficient-vpn efficient-vpn-name | policy policy-name [ seq-number ] | profile profile-name | remote ipv4-address ]

Parameters

Parameter Description Value
brief Displays brief information about all IPSec SAs. -
duration Displays detailed information about IPSec SAs with specified lifetime. -
efficient-vpn efficient-vpn-name Displays SA information of an Efficient VPN policy with a specified name. The value is an existing Efficient VPN policy name.
policy policy-name Displays detailed information about IPSec SAs established using an IPSec policy with a specified name. The value must be an existing IPSec policy name.
seq-number Displays detailed information about IPSec SAs established using an IPSec policy with a specified sequence number. The value must be an existing IPSec policy sequence number.
profile profile-name Displays detailed information about IPSec SAs established using a specified IPSec profile. The value must be an existing IPSec profile name.
remote ipv4-address Displays detailed information about IPSec SAs with the specified remote IPv4 address. The value is in dotted decimal notation.

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

If no parameter is specified, detailed information about all IPSec SAs is displayed.

If duration is specified, the command displays information about global IPSec SAs with specified time-based or traffic-based lifetime. For details, see the sa duration (ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view) command.

Example

# Display brief information about all IPSec SAs.
<Huawei> display ipsec sa brief
IPSec SA information:

  Src address    Dst address   SPI     VPN   Protocol    Algorithm       
------------------------------------------------------------------------------- 
  10.3.1.1       10.3.1.10     123456  vrf1   AH         A:SHA2_256_128       
  10.3.1.1       10.3.1.10     754321  vrf1   ESP        E:AES-256 A:SHA2_256_128
  10.3.1.10      10.3.1.1      123457  vrf1   ESP        E:AES-256 A:SHA2_256_128
  10.3.1.10      10.3.1.1      654321  vrf1   AH         A:SHA2_256_128    

Number of IPSec SA: 4
---------------------------------------------------------------------------------
# Display information about all IPSec SAs in the IPSec policy mode.
<Huawei> display ipsec sa
ipsec sa information: 
===============================
Interface: GigabitEthernet2/0/10
===============================                                                 
 -----------------------------                                                 
  IPSec policy name: "pc2"                                                      
  Sequence number  : 1                                                          
  Acl group        : 3061                                                       
  Acl rule         : 5                                                          
  Mode             : Template                                                   
  -----------------------------                                                 
    Connection ID     : 67108879                                                
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 4m 29s
    Tunnel local      : 10.0.0.1:500
    Tunnel remote     : 10.0.0.2:500
    Flow source       : 10.0.0.1/255.255.255.255 17/1701                       
    Flow destination  : 10.0.0.2/255.255.255.255 17/39725
    Flow dscp         : af11 
                                                                                
    [Outbound ESP SAs]                                                          
      SPI: 4055669516 (0xf1bc9b0c)                                              
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Outpacket count       : 0                                                 
      Outpacket encap count : 0                                                 
      Outpacket drop count  : 0
      Slice Failure: 0
      Max sent sequence-number: 2377                                            
      UDP encapsulation used for NAT traversal: N                               
                                                                                
    [Inbound ESP SAs]                                                           
      SPI: 1050491168 (0x3e9d3920)                                              
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Inpacket count        : 0                                                 
      Inpacket decap count  : 0                                                 
      Inpacket drop count   : 0
      Authentication Failure: 0
      Replay Failure: 0
      Decrypt Check Failure: 0 
      Max received sequence-number: 0
      UDP encapsulation used for NAT traversal: N                               
      Anti-replay : Enable                                                      
      Anti-replay window size: 1024                                

===============================
Interface: Tunnel0/0/2                                                          
===============================                                                 
                                                                                
  -----------------------------                                                 
  IPSec profile name: "1"                                                       
  Mode              : PROF-ISAKMP                                               
  -----------------------------                                                 
    Connection ID     : 232                                                     
    Encapsulation mode: Tunnel
    Holding time      : 0d 0h 4m 29s
    Tunnel local      : 3.1.1.1:500
    Tunnel remote     : 2.1.1.1:500
    Flow source       : 10.0.0.1/255.255.255.255 47/0-65535
    Flow destination  : 10.0.0.2/255.255.255.255 47/0-65535
                                                                                
    [Outbound AH SAs]                                                           
      SPI: 12306225 (0xbbc731)                                                  
      Proposal: AH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Outpacket count       : 1                                                 
      Outpacket encap count : 1                                                 
      Outpacket drop count  : 0
      Slice Failure: 0
      Max sent sequence-number: 1                                               
      UDP encapsulation used for NAT traversal: N                               
                                                                                
    [Inbound AH SAs]                                                            
      SPI: 2513644 (0x265aec)                                                   
      Proposal: AH-SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Inpacket count        : 0                                                 
      Inpacket decap count  : 0                                                 
      Inpacket drop count   : 0
      Authentication Failure: 0
      Replay Failure: 0
      Decrypt Check Failure: 0 
      Max received sequence-number: 0                                           
      UDP encapsulation used for NAT traversal: N                               
      Anti-replay : Enable                                                      
      Anti-replay window size: 1024  
Table 11-58  Description of the display ipsec sa command output

Item

Description

ipsec sa information

Information about the IPSec SA.

Interface

Interface to which the IPSec policy is applied.

IPSec policy name

Name of the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

IPSec profile name

Name of the IPSec profile. To configure an IPSec profile, run the ipsec profile (system view) command.

Sequence number

Sequence number of the IPSec policy. To configure an IPSec policy, run the ipsec policy (system view) command.

Acl group

ACL number used in the IPSec policy. To configure an ACL referenced by an IPSec policy, run the security acl command.

Acl rule

ID of the matched ACL rule. The ACL rule ID is not displayed if the IPSec tunnel is created manually.

Mode

Mode in which an IPSec policy is created:
  • template: An IPSec policy is created using an IPSec policy template.
  • isakmp: An IPSec policy is created in ISAKMP mode.
  • manual: An IPSec policy is created manually.

To configure an IPSec policy, run the ipsec policy (system view) command.

Connection ID

ID of the IPSec SA connection.

Encapsulation mode

Encapsulation mode in an IPSec proposal. tunnel indicates tunnel mode, and transport indicates transport mode. To configure an encapsulation mode, run the encapsulation-mode command.

Holding time

Time elapsed since the IPSec tunnel was created.

Tunnel local

IP address and NAT traversal port of the local interface. To configure them, run the tunnel local and ipsec nat-traversal source-port commands.

Tunnel remote

IP address and NAT traversal port of the remote interface. To configure them, run the tunnel remote or remote-address (IKE peer view) command and the ipsec nat-traversal source-port command.

Flow source

Source IP address segment of the data flow sent from the local end, and the protocol number and port number of the ACL.

Flow destination

Destination IP address segment of the data flow sent from the local end, and the protocol number and port number of the ACL.

Flow dscp

DSCP value of the data flow sent from the local end.

Outbound ESP SAs

Outbound IPSec SA information using ESP.
Outbound ESP SAs Outbound IPSec SA information using ESP.

SPI

SPI of an SA. To configure the SPI for the SA created using a manually configured IPSec policy, run the sa spi command. The SPI is automatically generated when an IPSec policy is created in IKE negotiation mode.

Proposal

Name of an IPSec proposal referenced by the IPSec policy. To reference an IPSec proposal, run the proposal command.

SA remaining key duration (kilobytes/sec)

Hard remaining lifetime of an SA, in kilobytes or seconds. To set the SA lifetime, run the sa duration (ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view) command.

Outpacket count

Number of packets that can be encrypted with the IPSec SA.

Outpacket encap count

Number of sent packets that are successfully encrypted.

Outpacket drop count

Number of discarded packets during encryption.

Max sent sequence-number

Maximum sequence number of sent packets. The sequence number increases during communication and is used for anti-replay.

Slice Failure

Number of packets that fail to be fragmented.

UDP encapsulation used for NAT traversal

Whether NAT traversal is enabled:
  • Y
  • N
To enable NAT traversal, run the nat traversal command.

Inbound ESP SAs

Inbound IPSec SA information using ESP.

Inpacket count

Number of packets that can be decrypted with the IPSec SA.

Inpacket decap count

Number of received packets that are successfully decrypted.

Inpacket drop count

Number of discarded packets during decryption.

Authentication Failure

Number of packets that fail to be authenticated.

Replay Failure

Number of packets discarded by the anti-replay function.

Decrypt Check Failure

Number of packets discarded because of a failure in IPSec check.

Max received sequence-number

Maximum sequence number of received packets.

Anti-replay

Whether the anti-replay function is enabled for an IPSec tunnel:
  • Enable
  • Disable

To configure the anti-replay function for an IPSec tunnel, run the ipsec anti-replay enable command.

Anti-replay window size

IPSec anti-replay window size. This field is valid only when the IPSec anti-replay function is enabled. To set the IPSec anti-replay window size, run the anti-replay window or ipsec anti-replay window command.

Src address

IP address of the local interface. To configure the IP address of the local interface, run the tunnel local command.

Dst address

IP address of the remote interface. To configure the IP address of the remote interface, run the tunnel remote or remote-address (IKE peer view) command.

VPN

VPN instance that the IPSec tunnel belongs to. To configure a VPN instance that the IPSec tunnel belongs to, run the sa binding vpn-instance command.

Protocol

Security protocol used by the IPSec SA:
  • AH: AH is used.
  • AH-ESP: AH and ESP are used.
  • ESP: ESP is used.

To configure a security protocol, run the transform command.

Algorithm

Authentication and encryption algorithms used by a security protocol. A indicates the authentication algorithm, and E indicates the encryption algorithm.

To configure an authentication algorithm, run the ah authentication-algorithm or esp authentication-algorithm command. To configure an encryption algorithm, run the esp encryption-algorithm command.
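The failure counters, remaining lifetime and anti-replay fields described above are what an operator scans first when a tunnel misbehaves. As an added example (not Huawei code and not part of this reference), the following Python script parses the per-SA blocks printed by display ipsec sa and flags SAs with non-zero failure counters, SAs near hard expiry, inbound SAs without anti-replay, and proposals naming legacy algorithms such as 3DES; the embedded sample output is constructed for the example, and the 300-second expiry threshold is an assumed value.

```python
"""Triage helper for `display ipsec sa` output (added example, not Huawei code).
Parses the per-SA blocks the command prints (field names as in Table 11-58) and
flags failure counters, near-expiry, missing anti-replay and legacy algorithms."""

import re

SA_HEADER = re.compile(r"^\s*\[(Inbound|Outbound) (AH|ESP) SAs\]\s*$")
LEGACY_ALGS = ("DES", "MD5")       # "3DES" is caught by "DES"

# Constructed sample, trimmed from the style of the command output on this page.
SAMPLE = """\
ipsec sa information:
===============================
Interface: GigabitEthernet2/0/10
===============================
  IPSec policy name: "pc2"
  Mode             : Template
    Tunnel local      : 10.0.0.1:500
    Tunnel remote     : 10.0.0.2:500

    [Outbound ESP SAs]
      SPI: 4055669516 (0xf1bc9b0c)
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/3355
      Slice Failure: 0
      UDP encapsulation used for NAT traversal: N

    [Inbound ESP SAs]
      SPI: 1050491168 (0x3e9d3920)
      Proposal: ESP-ENCRYPT-3DES-192 SHA2-256-128
      SA remaining key duration (kilobytes/sec): 5242880/120
      Authentication Failure: 0
      Replay Failure: 17
      Decrypt Check Failure: 0
      UDP encapsulation used for NAT traversal: N
      Anti-replay : Enable
      Anti-replay window size: 1024
"""


def parse_ipsec_sa(text):
    """Return one dict per SA block with the fields the triage needs."""
    sas, interface, policy, cur = [], None, None, None
    for raw in text.splitlines():
        m = SA_HEADER.match(raw)
        if m:
            cur = {"interface": interface, "policy": policy,
                   "direction": m.group(1), "protocol": m.group(2),
                   "counters": {}}
            sas.append(cur)
            continue
        line = raw.strip()
        if ":" not in line:
            continue                      # blank rows and ===== / ----- separators
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "Interface":
            interface, cur = value, None
        elif key in ("IPSec policy name", "IPSec profile name"):
            policy, cur = value.strip('"'), None
        elif cur is None:
            continue                      # tunnel-level rows we do not need
        elif key == "SPI":
            cur["spi"] = int(value.split()[0])   # decimal; hex form is in parentheses
        elif key == "Proposal":
            cur["proposal"] = value
        elif key.startswith("SA remaining key duration"):
            kb, sec = value.split("/")
            cur["remaining_kb"], cur["remaining_sec"] = int(kb), int(sec)
        elif key.endswith("Failure"):     # Slice / Authentication / Replay / Decrypt Check
            cur["counters"][key] = int(value)
        elif key == "Anti-replay":
            cur["anti_replay"] = value
        elif key == "Anti-replay window size":
            cur["window"] = int(value)
    return sas


def triage(sas, min_seconds=300):
    """Return human-readable findings for SAs that deserve an operator's look."""
    findings = []
    for sa in sas:
        tag = "%s %s %s %s spi=0x%x" % (sa["interface"], sa["policy"],
                                        sa["direction"], sa["protocol"],
                                        sa.get("spi", 0))
        for name, count in sa["counters"].items():
            if count:
                findings.append("%s: %s=%d" % (tag, name, count))
        if sa.get("remaining_sec", min_seconds) < min_seconds:
            findings.append("%s: hard lifetime expires in %ds"
                            % (tag, sa["remaining_sec"]))
        if sa["direction"] == "Inbound" and sa.get("anti_replay") != "Enable":
            findings.append("%s: anti-replay not enabled" % tag)
        if any(a in sa.get("proposal", "").upper() for a in LEGACY_ALGS):
            findings.append("%s: legacy algorithm in proposal %s"
                            % (tag, sa["proposal"]))
    return findings
```

Call `triage(parse_ipsec_sa(SAMPLE))` to see the findings for the embedded sample; pass the saved output of display ipsec sa instead to triage a real device.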

display ipsec proto-protect sa

Function

The display ipsec proto-protect sa command displays information about a Security Association (SA).

Format

display ipsec proto-protect sa [ name sa-name ] [ brief ]

Parameters

Parameter Description Value
name sa-name Specifies the SA name. The value is an existing IPSec Security Association name.
brief Displays brief information of the SA, such as the SA name and the Security Parameter Index (SPI) value. -

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

You can run the display ipsec proto-protect sa command to check whether the SA configurations for outgoing packets on the local end are identical with those for incoming packets on the peer end. The display ipsec proto-protect sa command output displays the following information:

  • SA name
  • Security proposal applied to the SA
  • Number of times the SA is applied
  • SA configurations for incoming Authentication Header (AH) packets
  • SA configurations for outgoing AH packets
  • SA configurations for incoming Encapsulating Security Payload (ESP) packets
  • SA configurations for outgoing ESP packets

Example

# Display configurations of the SA.

<Huawei> display ipsec proto-protect sa
IP security association name: sa1
Number of references: 0   
  proposal name: p1
  inbound AH setting: 
     AH spi: 267 (0x10b)
     AH string-key: 
     AH authentication hex key: %^%#'RCZaI8Z:_E!Q8T!3,AO_OKZ>\U!O]*>(U(9CS9!%^%#
  inbound ESP setting: 
     ESP spi: 789 (0x315)
     ESP string-key: DN]I8$];]3+Q=^Q`MAF4<1!!
     ESP encryption hex key: 
     ESP authentication hex key: 
  outbound AH setting: 
     AH spi: 267 (0x10b)
     AH string-key: 
     AH authentication hex key: %^%#'RCZaI8Z:_E!Q8T!3,AO_OKZ>\U!O]*>(U(9CS9!%^%#
  outbound ESP setting: 
     ESP spi: 789 (0x315)
     ESP string-key: DN]I8$];]3+Q=^Q`MAF4<1!!
     ESP encryption hex key: 
     ESP authentication hex key: 
Table 11-59  Description of the display ipsec proto-protect sa command output

Item

Description

IP security association name

SA name

Number of references

Number of times the SA is applied

proposal name

Security proposal applied to the SA

inbound AH setting

SA configurations for incoming AH packets

AH spi

SPI for AH

AH string-key

Authentication key for AH in the string format displayed in cipher text

AH authentication hex key

Authentication key for AH in cipher text

inbound ESP setting

SA configurations for incoming ESP packets

ESP spi

SPI for ESP

ESP string-key

Authentication key for ESP in the string format displayed in cipher text

ESP encryption hex key

Encryption key for ESP in cipher text

ESP authentication hex key

Authentication key for ESP in cipher text

outbound AH setting

SA configurations for outgoing AH packets

outbound ESP setting

SA configurations for outgoing ESP packets
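The usage scenario above says the command exists to confirm that the local outbound SA settings match the peer's inbound settings. The following added script (not Huawei code) shows that check done programmatically: it parses two captured outputs, compares proposal names and SPIs, and reports any drift. Both outputs are constructed; LOCAL_OUTPUT mirrors the example above, PEER_OUTPUT is a hypothetical remote end whose inbound ESP SPI no longer matches. Keys are displayed in cipher text by the device, so the comparison is limited to proposal name and SPIs.

```python
import re

# Constructed sample outputs (not captured from a device), modelled on the
# display ipsec proto-protect sa output on this page. LOCAL_OUTPUT mirrors the
# page's example; PEER_OUTPUT is a hypothetical remote end whose inbound ESP
# SPI has drifted from the local outbound one.
LOCAL_OUTPUT = """\
IP security association name: sa1
Number of references: 0
  proposal name: p1
  inbound AH setting:
     AH spi: 267 (0x10b)
  inbound ESP setting:
     ESP spi: 789 (0x315)
  outbound AH setting:
     AH spi: 267 (0x10b)
  outbound ESP setting:
     ESP spi: 789 (0x315)
"""

PEER_OUTPUT = """\
IP security association name: sa1
Number of references: 0
  proposal name: p1
  inbound AH setting:
     AH spi: 267 (0x10b)
  inbound ESP setting:
     ESP spi: 790 (0x316)
  outbound AH setting:
     AH spi: 267 (0x10b)
  outbound ESP setting:
     ESP spi: 789 (0x315)
"""

SECTION_RE = re.compile(r"^\s*(inbound|outbound) (AH|ESP) setting:")
SPI_RE = re.compile(r"^\s*(?:AH|ESP) spi: (\d+)")


def parse_sa(text):
    """Extract the SA name, proposal name and {(direction, protocol): spi}."""
    info = {"name": None, "proposal": None, "spi": {}}
    section = None
    for line in text.splitlines():
        if line.startswith("IP security association name:"):
            info["name"] = line.split(":", 1)[1].strip()
            continue
        if line.strip().startswith("proposal name:"):
            info["proposal"] = line.split(":", 1)[1].strip()
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))   # e.g. ("outbound", "ESP")
            continue
        m = SPI_RE.match(line)
        if m and section is not None:
            info["spi"][section] = int(m.group(1))
    return info


def check_pair(local_text, peer_text):
    """Compare the local outbound settings with the peer's inbound settings.

    Returns a list of human-readable mismatches; an empty list means the two
    ends agree on the proposal and on the SPI of every protocol used locally."""
    local, peer = parse_sa(local_text), parse_sa(peer_text)
    problems = []
    if local["proposal"] != peer["proposal"]:
        problems.append(f"proposal mismatch: local {local['proposal']}, peer {peer['proposal']}")
    for proto in ("AH", "ESP"):
        out_spi = local["spi"].get(("outbound", proto))
        if out_spi is None:
            continue                                # protocol not used locally
        in_spi = peer["spi"].get(("inbound", proto))
        if out_spi != in_spi:
            problems.append(f"{proto}: local outbound SPI {out_spi} != peer inbound SPI {in_spi}")
    return problems


if __name__ == "__main__":
    for line in check_pair(LOCAL_OUTPUT, PEER_OUTPUT) or ["SA settings consistent"]:
        print(line)
```

Run the same check in the other direction (peer outbound against local inbound) to cover both halves of the tunnel.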

display ipsec statistics

Function

The display ipsec statistics command displays IPSec packet statistics.

Format

display ipsec statistics [ tunnel-number ]

Parameters

Parameter Description Value
tunnel-number Displays the number of IPSec tunnels. -

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

Usage Scenario

You can run the display ipsec statistics command to view IPSec packet statistics, including statistics about incoming or outgoing packets that are protected, statistics about encrypted and decrypted packets, detailed statistics about discarded packets that are protected, and statistics about IKE negotiation related packets. The IPSec packet statistics facilitate IPSec fault diagnosis and maintenance.

Precautions

The display ipsec statistics command only displays the number of plaintext bytes.

Example

# Display statistics about all IPSec packets.

<Huawei> display ipsec statistics 
 IPSec statistics information:
 Number of IPSec tunnels: 1
 Number of standby IPSec tunnels: 0 
 the security packet statistics:                                                
   input/output security packets: 0/0                                           
   input/output security bytes: 0/0                                             
   input/output dropped security packets: 0/0                                   
   the encrypt packet statistics:                                               
     send chip: 0, recv chip: 0, send err: 0                                    
     local cpu: 0, other cpu: 0, recv other cpu: 0                              
     intact packet: 0, first slice: 0, after slice: 0                           
   the decrypt packet statistics:                                               
     send chip: 0, recv chip: 0, send err: 0                                    
     local cpu: 0, other cpu: 0, recv other cpu: 0                              
     reass  first slice: 0, after slice: 0                                      
   dropped security packet detail:                                              
     can not find SA: 0, wrong SA: 0  
     authentication: 0, replay: 0                                               
     front recheck: 0, after recheck: 0                                         
     change cpu enc: 0, dec change cpu: 0                                       
     fib search: 0, output l3: 0                                                
     flow err: 0, slice err: 0, byte limit: 0
  negotiate about packet statistics:                                            
    IKE fwd packet ok: 0, err: 0                                                
    IKE ctrl packet inbound ok: 0, outbound ok: 0                               
    SoftExpr: 0, HardExpr: 0, DPDOper: 0                                        
    trigger ok: 0, switch sa: 0, sync sa: 0                                     
    recv IKE nat keepalive: 0, IKE input: 0 

# Display the number of IPSec tunnels.

<Huawei> display ipsec statistics tunnel-number
   IPSec tunnel totals: 0 
   IPSec tunnel specifications: 4000
Table 11-60  Description of the display ipsec statistics command output

Item

Description

IPSec statistics information

Statistics about IPSec packets.

Number of IPSec tunnels

Number of the IPSec tunnels.

Number of standby IPSec tunnels

Number of the standby IPSec tunnels.

the security packet statistics

Statistics about packets that are protected.

input/output security packets

Number of incoming or outgoing packets that are protected.

input/output security bytes

Number of incoming or outgoing bytes that are protected.

input/output dropped security packets

Number of discarded incoming or outgoing packets that are protected.

the encrypt packet statistics

Statistics about encrypted packets.

send chip

Number of packets sent to the hardware for encryption and decryption.

recv chip

Number of packets encrypted and decrypted by hardware.

send err

Number of packets that fail to be sent to hardware for encryption and decryption.

local cpu

Number of packets encrypted and decrypted by the local CPU.

other cpu

Number of packets forwarded to another CPU for encryption and decryption.

recv other cpu

Number of packets received from another CPU for encryption and decryption.

intact packet

Number of non-fragmented encrypted packets.

first slice

Number of initial fragmented packets.

after slice

Number of non-initial fragmented packets.

the decrypt packet statistics

Statistics about decrypted packets.

reass first slice

Number of initial packets that are reassembled.

after slice

Number of non-initial packets that are reassembled.

dropped security packet detail

Detailed statistics about discarded packets that are protected.

can not find SA

Number of packets for which SAs are not found.

wrong SA

Number of packets with invalid SAs.

authentication

Number of packets that fail to be authenticated.

replay

Number of discarded packets due to replay check.

front recheck

Number of discarded packets due to IPSec pre-check.

after recheck

Number of discarded packets due to IPSec post-check.

change cpu enc

Number of encrypted packets that fail to be forwarded.

dec change cpu

Number of decrypted packets that fail to be forwarded.

fib search

Number of encrypted packets that are discarded due to route searching failure.

output l3

Number of encrypted packets that fail to be sent.

flow err

Number of packets discarded because negotiation is triggered.

slice err

Number of IPSec packets that fail to be fragmented.

byte limit

Number of discarded packets due to traffic limit.

negotiate about packet statistics

Statistics about IKE negotiation packets.

IKE fwd packet ok

Number of IKE packets sent to the IKE process.

err

Number of IKE packets that fail to be sent to the IKE process.

IKE ctrl packet inbound ok

Number of IKE packets received by the control plane.

outbound ok

Number of IKE packets sent by the control plane.

SoftExpr

Number of traffic soft timeouts.

HardExpr

Number of traffic hard timeouts.

DPDOper

Number of times DPD is performed in on-demand DPD mode.

trigger ok

Number of times that negotiation is triggered.

switch sa

Number of times the local device receives data encrypted with the new SA and instructs the IKE process to replace the SA.

sync sa

Number of times the active device notifies the IKE process that the SA triplet (remote address, SPI, protocol ID) does not exist on the standby device.

recv IKE nat keepalive

Number of received IKE nat keepalive packets.

IKE input

Number of received IKE packets.

IPSec tunnel totals

Number of IPSec tunnels.

IPSec tunnel specifications

IPSec tunnel specifications.

display ipsec statistics route

Function

The display ipsec statistics route command displays IPSec route injection statistics.

Format

display ipsec statistics route

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

In an IPSec route injection scenario, you can run the display ipsec statistics route command to view IPSec route injection statistics for fault location.

Example

# Display IPSec route injection statistics.

<Huawei> display ipsec statistics route
IPSec route statistics information:

Route add                     send:1          receive:1
Route del                     send:0          receive:0
Route syn                     send:674        receive:674
Route syn  round              send:674        receive:674
Route syn                     add :0          del    :0
Route send to route module    add :2          del    :1
Route send to ipsec module    add :1          del    :0
Route msg ipc send error          :0
Route msg process error           :0
Route add:
  dest addr equal with peer addr          :0
  add no memery                           :0
  same route same slot                    :0
  same route diff slot or interface down  :1
  cpu not exist                           :0
  vrf invalid                             :0
Route del:
  route not exist                         :0
  not delete state                        :0
  same route send by other slot           :0

HA data
Route HA send num                         :675
Route HA receive num                      :0
Route HA send error num                   :0
Table 11-61  Description of the display ipsec statistics route command output

Item

Description

IPSec route statistics information

IPSec route statistics.

Route add

Routes are added from the LPU to the MPU:
  • send: indicates the number of routes sent by the LPU.
  • receive: indicates the number of routes received by the MPU.

Route del

Routes are deleted by the LPU from the MPU:
  • send: indicates the number of routes sent by the LPU.
  • receive: indicates the number of routes received by the MPU.

Route syn

Routes are synchronized by the LPU with the MPU:
  • send: indicates the number of routes sent by the LPU.
  • receive: indicates the number of routes received by the MPU.
  • add: indicates the number of routes added by the MPU because the routes do not exist.
  • del: indicates the number of routes deleted by the MPU due to residual routing entries.

Route syn round

Number of times the LPU synchronizes routes with the MPU:
  • send: indicates the number of times the LPU sends routes to the MPU.
  • receive: indicates the number of times the MPU receives routes from the LPU.

Route send to route module

Routes are added to or deleted from the routing module:
  • add: indicates the number of added routes.
  • del: indicates the number of deleted routes.

Route send to ipsec module

Routes are added to or deleted from the IPSec module:
  • add: indicates the number of added routes.
  • del: indicates the number of deleted routes.

Route msg ipc send error

Number of times IPC fails to send routing information.

Route msg process error

Number of times the LPU fails to process routing information.

Route add

Added routes.

dest addr equal with peer addr

Number of times the route destination address is the same as the peer address specified in intelligent path selection during route addition.

add no memery

Number of failures to apply for memory during route addition.

same route same slot

Number of times the same slot has the same routes during route addition.

same route diff slot or interface down

Number of times boards in different slots have the same routes or have interfaces in Down state during route addition.

cpu not exist

Number of times the CPU does not exist during route addition.

vrf invalid

Number of times the VPN instance becomes invalid during route addition.

Route del

Deleted routes.

route not exist

Number of routes that do not exist during route deletion.

not delete state

Number of routes that do not exist in the routing table during route deletion.

same route send by other slot

Number of the same routes that boards in other slots send to the MPU during route deletion.

HA data

Active/standby backup data.

Route HA send num

Number of routes sent by the active device during active/standby backup.

Route HA receive num

Number of routes received by the standby device during active/standby backup.

Route HA send error num

Number of routes that fail to be sent by the active device during active/standby backup.

display ipsec proto-protect statistics

Function

The display ipsec proto-protect statistics command displays statistics about packets processed by IPSec.

Format

display ipsec proto-protect statistics [ sa-name sa-name ]

Parameters

Parameter Description Value
sa-name sa-name Specifies the IPSec Security Association (SA) name. The value is an existing IPSec Security Association name.

Views

All views

Default Level

1: Monitoring Level

Usage Guidelines

Usage Scenario

After IPSec protection is configured for a routing protocol, you can run the display ipsec proto-protect statistics command to view information about transmitted packets and dropped packets. The details are as follows:
  • Number of received and sent packets

  • Number of received and sent bytes

  • Number of dropped incoming and outgoing packets

  • Detailed information about dropped packets

Example

# Display statistics about packets processed by IPSec.

<Huawei> display ipsec proto-protect statistics
  IPv6 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0

  IPv4 security packet statistics:
    input/output security packets: 0/0
    input/output security bytes: 0/0
    input/output dropped security packets: 0/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      invalid SA: 0
      policy deny: 0
  the normal packet statistics:
    input/output dropped normal packets: 0/0
Table 11-62  Description of the display ipsec proto-protect statistics command output

Item

Description

input/output security packets

Indicates the number of received and sent packets

input/output security bytes

Indicates the number of received and sent bytes

input/output dropped security packets

Indicates the number of dropped incoming and outgoing packets

dropped security packet detail

Detailed information about dropped packets

memory process problem

Indicates the number of packets that are dropped due to a memory fault

can't find SA

Indicates the number of packets that are dropped because no SA is found

queue is full

Indicates the number of packets that are dropped because the queue is full

authentication is failed

Indicates the number of packets that are dropped due to authentication failure

wrong length

Indicates the number of packets that are dropped due to a packet length fault

replay packet

Indicates the number of packets that are dropped due to repeated transmission

too long packet

Indicates the number of packets that are dropped due to excess packet length

invalid SA

Indicates the number of packets that are dropped due to an invalid SA

policy deny

Indicates the number of packets that are dropped due to a deny action in the policy

the normal packet statistics

Statistics about normal packets

input/output dropped normal packets

Indicates the number of received/sent normal packets that are dropped
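The display ipsec statistics and display ipsec proto-protect statistics outputs above both carry drop counters (authentication failures, replay drops, packets with no or an invalid SA, policy denies) that are worth watching between two snapshots rather than reading once. The following added script (not Huawei code) parses either output into a flat counter dict, reports the security-relevant counters that grew since a previous snapshot, and computes the inbound drop ratio. Both sample outputs are constructed and modelled on the examples above, with a few counters raised so the alerting has something to show; the counter names and their meanings are the ones listed in Tables 11-60 and 11-62.

```python
import re

# Constructed sample outputs (not captured from a device), modelled on the
# display ipsec statistics and display ipsec proto-protect statistics examples
# on this page, with some drop counters raised for illustration.
IPSEC_STATS = """\
 IPSec statistics information:
 Number of IPSec tunnels: 1
 Number of standby IPSec tunnels: 0
 the security packet statistics:
   input/output security packets: 1200/1180
   input/output security bytes: 144000/141600
   input/output dropped security packets: 37/0
   dropped security packet detail:
     can not find SA: 5, wrong SA: 0
     authentication: 12, replay: 20
     front recheck: 0, after recheck: 0
     flow err: 0, slice err: 0, byte limit: 0
  negotiate about packet statistics:
    IKE fwd packet ok: 3, err: 0
    recv IKE nat keepalive: 0, IKE input: 3
"""

PROTO_STATS = """\
  IPv4 security packet statistics:
    input/output security packets: 500/500
    input/output security bytes: 60000/60000
    input/output dropped security packets: 2/0
    dropped security packet detail:
      memory process problem: 0
      can't find SA: 0
      authentication is failed: 2
      replay packet: 0
      invalid SA: 0
      policy deny: 0
"""

# One or more "key: number" or "key: a/b" pairs per line, comma separated.
PAIR_RE = re.compile(r"([^:,]+?):\s*(\d+(?:/\d+)?)")


def parse_counters(text):
    """Flatten the output into {counter name: int}.

    'input/output X: a/b' lines become two entries, 'input X' and 'output X'."""
    counters = {}
    for line in text.splitlines():
        for key, value in PAIR_RE.findall(line):
            key = key.strip()
            if "/" in value and key.startswith("input/output "):
                inbound, outbound = value.split("/")
                rest = key[len("input/output "):]
                counters["input " + rest] = int(inbound)
                counters["output " + rest] = int(outbound)
            else:
                counters[key] = int(value.split("/")[0])
    return counters


# Counters whose growth points at a security condition rather than capacity:
# the two commands spell them differently, so both spellings are listed.
SECURITY_COUNTERS = {
    "authentication": "integrity check failures (tampering or key mismatch)",
    "authentication is failed": "integrity check failures (tampering or key mismatch)",
    "replay": "packets rejected by the anti-replay check",
    "replay packet": "packets rejected by the anti-replay check",
    "can not find SA": "protected packets with no matching SA",
    "can't find SA": "protected packets with no matching SA",
    "wrong SA": "packets that matched an invalid SA",
    "invalid SA": "packets that matched an invalid SA",
    "policy deny": "packets dropped by a policy deny action",
}


def security_alerts(counters, previous=None):
    """Return [(counter, increase, meaning)] for watched counters that grew.

    With previous=None (first snapshot) every non-zero watched counter is reported."""
    previous = previous or {}
    alerts = []
    for name, meaning in SECURITY_COUNTERS.items():
        if name in counters:
            delta = counters[name] - previous.get(name, 0)
            if delta > 0:
                alerts.append((name, delta, meaning))
    return alerts


def inbound_drop_ratio(counters):
    """Share of protected inbound packets that were dropped (0.0 if none seen)."""
    total = counters.get("input security packets", 0)
    dropped = counters.get("input dropped security packets", 0)
    return dropped / total if total else 0.0


if __name__ == "__main__":
    snap = parse_counters(IPSEC_STATS)
    for name, delta, meaning in security_alerts(snap):
        print(f"{name}: +{delta} ({meaning})")
    print(f"inbound drop ratio: {inbound_drop_ratio(snap):.2%}")
```

Feed the counters from the previous poll as `previous` so that only new drops are reported; a rising replay or authentication counter on an otherwise quiet tunnel is the condition to investigate first.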

dn

Function

The dn command specifies the distinguished name (DN) of an allowed peer for IKE negotiation.

The undo dn command deletes the DN of an allowed peer.

By default, no DN of an allowed peer for IKE negotiation is configured.

Format

dn name

undo dn name

Parameters

Parameter

Description

Value

name

Specifies the DN of an allowed peer for IKE negotiation.

The value is a string of 1 to 255 case-sensitive characters without spaces.

Views

Identity filter set view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify an allowed peer based on the DN (PKI domain configuration referenced in the IKE peer configured on a remote device) in the identity filter set for IKE negotiation.

Precautions

An IPSec tunnel can be established only when the remote end matches one or more parameters in the identity filter set and the IPSec negotiation parameters at both ends are consistent.

If you run this command multiple times in the same view, each configured DN is retained; the latest configuration does not override earlier ones.

Example

# Set the name of the allowed peer for IKE negotiation to huawei.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] dn c=cn,st=jiangsu,l=nanjing,o=huawei,ou=vpn,cn=ipsec

dpd

Function

The dpd command configures the dead peer detection (DPD) idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the specified IKE peer.

The undo dpd command restores the default DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the specified IKE peer.

By default, the DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on an IKE peer are 30s, 15s, and 3 respectively.

Format

dpd { idle-time interval | retransmit-interval interval | retry-limit times }

undo dpd { idle-time | retransmit-interval | retry-limit }

Parameters

Parameter

Description

Value

idle-time interval

Specifies the DPD idle time.

The value is an integer that ranges from 10 to 3600, in seconds.

retransmit-interval interval

Specifies the DPD packet retransmission interval.

The value is an integer that ranges from 2 to 60, in seconds.

retry-limit times

Specifies the maximum number of DPD packet retransmissions.

The value is an integer that ranges from 3 to 10.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When peers implement IPSec communication, the heartbeat mechanism can detect peer faults to avoid traffic loss. However, the periodic heartbeat message exchanges consume CPU resources on the two ends. The DPD mechanism enables a device to send DPD messages for peer detection only when the device does not receive IPSec packets from the peer within a period. This mechanism can detect peer faults and save CPU resources.

The device sets the DPD mode and enables the DPD function based on the dpd type command. Two DPD modes are available:

  • On-demand DPD

    When the local end needs to send IPSec packets to the remote end, the local end sends a DPD request packet to the remote end for DPD detection.

  • Periodic DPD

    If the local end does not receive IPSec packets or a DPD request packet from the remote end after the DPD idle time expires, it periodically sends a DPD request packet to the remote end.

The local end retransmits DPD request packets if it does not receive any DPD response packet from the remote end within the retransmission interval. If the local end still does not receive any DPD response packet within the retransmission interval after the maximum number of retransmissions is reached, the local end considers that the remote end is offline and deletes the involved IKE SA and IPSec SA.

Precautions

  • The dpd command must be used with the dpd type and dpd msg commands.
  • Parameters in the dpd command can be configured for each IKE peer separately and do not need to be the same as the parameters on the peer device.

Example

# Set the DPD idle time, DPD packet retransmission interval, and maximum number of DPD packet retransmissions on the IKE peer test to 300s, 10s, and 4.

<Huawei> system-view
[Huawei] ike peer test
[Huawei-ike-peer-test] dpd idle-time 300
[Huawei-ike-peer-test] dpd retransmit-interval 10
[Huawei-ike-peer-test] dpd retry-limit 4

dpd msg

Function

The dpd msg command configures the payload sequence of DPD packets on the specified IKE peer.

The undo dpd msg command restores the default payload sequence of DPD packets on the specified IKE peer.

By default, the payload sequence of DPD packets on an IKE peer is seq-notify-hash.

Format

dpd msg { seq-hash-notify | seq-notify-hash }

undo dpd msg

Parameters

Parameter

Description

Value

seq-hash-notify

Indicates that in a DPD packet, the hash payload is before the notify payload.

-

seq-notify-hash

Indicates that in a DPD packet, the notify payload is before the hash payload.

-

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

DPD packets carrying the notify payload and hash payload are exchanged bidirectionally. The notify payload sent by the initiator carries an R-U-THERE message equivalent to a Hello packet, and the notify payload sent by the responder carries an R-U-THERE-ACK message equivalent to an ACK packet.

The payload sequence of DPD packets sent by different devices may be different. IKE peers on both ends must send DPD packets with the same payload sequence; otherwise, DPD does not take effect. You can use the dpd msg command to set the same payload sequence of DPD packets on the two ends.

Precautions

This command applies only when an IKE peer uses IKEv1.

Example

# Set the payload sequence of DPD packets to hash-notify on the IKE peer huawei.

<Huawei> system-view
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] dpd msg seq-hash-notify

dpd type

Function

The dpd type command configures the DPD mode on an IKE peer.

The undo dpd type command deletes the DPD mode on an IKE peer.

By default, the DPD mode is not configured on an IKE peer.

Format

dpd type { on-demand | periodic }

undo dpd type

Parameters

Parameter

Description

Value

on-demand

Configures on-demand DPD.

-

periodic

Configures periodic DPD.

-

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When peers implement IPSec communication, the heartbeat mechanism can detect peer faults to avoid traffic loss. However, the periodic heartbeat message exchanges consume CPU resources on the two ends. The DPD mechanism enables a device to send DPD messages for peer detection only when the device does not receive IPSec packets from the peer within a period. This mechanism can detect peer faults and save CPU resources.

The device sets the DPD mode and enables the DPD function based on the dpd type command. Two DPD modes are available:

  • On-demand DPD

    When the local end needs to send IPSec packets to the remote end, the local end sends a DPD request packet to the remote end for DPD detection.

  • Periodic DPD

    If the local end does not receive IPSec packets or a DPD request packet from the remote end after the DPD idle time expires, it periodically sends a DPD request packet to the remote end.

The local end retransmits DPD request packets if it does not receive any DPD response packet from the remote end within the retransmission interval. If the local end still does not receive any DPD response packet within the retransmission interval after the maximum number of retransmissions is reached, the local end considers that the remote end is offline and deletes the involved IKE SA and IPSec SA.

Precautions

The sequence of the payload in DPD packets configured on IKE peers using the dpd msg command must be the same. Otherwise, DPD does not take effect.

When multiple branches are connected to the headquarters, you are advised not to set the DPD mode of the headquarters to periodic detection. This is because an IPSec tunnel will frequently flap, causing high CPU usage, if the network is unstable. You are advised to set the DPD mode of the headquarters to on-demand detection or not to configure the DPD mode.

Example

# Configure on-demand DPD.

<Huawei> system-view
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] dpd type on-demand
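The usage guidelines for the dpd and dpd type commands describe the same detection sequence: an idle timer, a request, retransmissions at a fixed interval, and SA deletion once the retry limit is exhausted. The following added model (not Huawei code) puts numbers on that description. It assumes the first DPD request is sent when idle-time expires with no IPSec traffic from the peer, that each retransmission follows one retransmit-interval without a reply, and that the peer is declared dead one more interval after the last permitted retransmission; those assumptions are an interpretation of the text, not a statement of the device's internal timers. Value ranges and defaults are those documented for the dpd command.

```python
# Model of the DPD timing described for the dpd and dpd type commands.
# Assumptions of this model (not device code): the first DPD request goes out
# when idle-time expires without IPSec traffic from the peer; each further
# request is sent after one retransmit-interval without a reply; after the
# initial request plus retry-limit retransmissions, one more retransmit-interval
# without a reply marks the peer as dead. Ranges and defaults are those
# documented for the dpd command.
IDLE_TIME_RANGE = (10, 3600)
RETRANSMIT_INTERVAL_RANGE = (2, 60)
RETRY_LIMIT_RANGE = (3, 10)
DEFAULTS = {"idle_time": 30, "retransmit_interval": 15, "retry_limit": 3}


def validate(idle_time, retransmit_interval, retry_limit):
    """Reject values outside the ranges the dpd command accepts."""
    checks = (("idle-time", idle_time, IDLE_TIME_RANGE),
              ("retransmit-interval", retransmit_interval, RETRANSMIT_INTERVAL_RANGE),
              ("retry-limit", retry_limit, RETRY_LIMIT_RANGE))
    for name, value, (low, high) in checks:
        if not low <= value <= high:
            raise ValueError(f"dpd {name} {value} is outside {low}..{high}")


def worst_case_detection_time(idle_time, retransmit_interval, retry_limit):
    """Seconds from the last packet heard from the peer until it is declared dead."""
    validate(idle_time, retransmit_interval, retry_limit)
    return idle_time + (retry_limit + 1) * retransmit_interval


def simulate_periodic_dpd(idle_time, retransmit_interval, retry_limit,
                          last_rx_at, response_times):
    """Walk the periodic-DPD exchange from the peer's last packet at last_rx_at.

    response_times lists when R-U-THERE-ACK replies arrive. Returns
    (declared_dead_at, requests_sent); declared_dead_at is None when a reply
    arrived before the retransmission budget was used up."""
    validate(idle_time, retransmit_interval, retry_limit)
    replies = sorted(response_times)
    t = last_rx_at + idle_time          # idle timer fires: first R-U-THERE
    sent = 1
    while True:
        deadline = t + retransmit_interval
        if any(t <= r <= deadline for r in replies):
            return None, sent           # peer answered, SAs stay up
        if sent > retry_limit:          # initial request + retry_limit retransmissions unanswered
            return deadline, sent       # IKE SA and IPSec SA are deleted at this point
        t = deadline
        sent += 1


if __name__ == "__main__":
    print("default worst case:", worst_case_detection_time(**DEFAULTS), "s")
    print("page example (300/10/4):", worst_case_detection_time(300, 10, 4), "s")
    print("silent peer, defaults:", simulate_periodic_dpd(30, 15, 3, 0, []))
```

With the defaults a silent peer is declared dead 90 seconds after its last packet; the values in the dpd example above (300, 10, 4) stretch that to 350 seconds, which is the trade-off the headquarters advice in the precautions is about: longer timers mean fewer false tunnel flaps on an unstable link, but slower failover.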

dscp

Function

The dscp command sets the DSCP priority of IKE packets on a specified IKE peer.

The undo dscp command cancels the DSCP priority configuration.

By default, the DSCP priority of IKE packets on a specified IKE peer is 0.

Format

dscp dscp-value

undo dscp

Parameters

Parameter Description Value
dscp-value Specifies the DSCP priority of IKE packets. The value is either an integer that ranges from 0 to 63 or one of the strings AF11 to AF13, AF21 to AF23, AF31 to AF33, AF41 to AF43, CS1 to CS7, EF, or default.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IKE packets are used for IKE SA and IPSec SA negotiation and for DPD. When IKE packets are lost during transmission, IPSec SAs may fail to be negotiated, and packets that need IPSec protection are then left unprotected. Raising the DSCP priority of IKE packets makes them be processed preferentially, which improves the reliability of IKE packet transmission.

To configure the DSCP priority for IKE packets of an IKE peer, run this command.

Precautions

The DSCP priority of IKE packets can be configured in the IKE peer view or system view. The system preferentially uses the DSCP priority configured in the IKE peer view. If the DSCP priority is not configured in the IKE peer view, the system uses the global DSCP priority.

Example

# Set the DSCP priority of IKE packets to CS2 for the IKE peer ik1.

<Huawei> system-view
[Huawei] ike peer ik1
[Huawei-ike-peer-ik1] dscp cs2

encapsulation-mode

Function

The encapsulation-mode command sets the IPSec encapsulation mode.

The undo encapsulation-mode command restores the default IPSec encapsulation mode.

By default, the tunnel mode is used.

Format

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Parameters

Parameter Description Value
transport Encapsulates IP packets in transport mode. -
tunnel Encapsulates IP packets in tunnel mode. -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec encapsulates IP packets by adding an AH header, or an ESP header and ESP tail, to original IP packets for authentication and encryption. The following two IPSec encapsulation modes are available:

  • Tunnel mode

    In tunnel mode, IPSec adds a new IP header to an IP packet. The source and destination addresses of the new IP header are the IP addresses of two ends of a tunnel. The tunnel mode is more secure than the transport mode. In terms of performance, the tunnel mode consumes more bandwidth than the transport mode.

    The tunnel mode is often used between two security gateways. The packets encrypted by one security gateway can only be decrypted by the other security gateway.

  • Transport mode

    In transport mode, IPSec does not add a new header to an IP packet. The source and destination addresses of the original packet are the IP addresses of two ends of a tunnel. In transport mode, the two devices that encrypt and decrypt packets must be the original packet sender and final receiver respectively.

    Since most data traffic between two security gateways is not communication traffic of the two gateways, the transport mode is not used between security gateways. The transport mode is suited for the communication between two hosts or between a host and a security gateway; however, the transport mode is not recommended because it provides low security.

Precautions

The two IPSec tunnel ends must use the same encapsulation mode.

When IKEv2 is used, the encapsulation mode in all the IPSec proposals configured on the IKE negotiation initiator must be the same; otherwise, IKE negotiation fails.

Example

# Set the IPSec encapsulation mode to the transport mode.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1] encapsulation-mode transport

encapsulation-mode (ipsec-proto-protect-proposal view)

Function

The encapsulation-mode command sets the encapsulation mode for IP packets.

The undo encapsulation-mode command restores the default encapsulation mode for IP packets.

By default, the encapsulation mode is set to tunnel.

Format

encapsulation-mode { transport | tunnel }

undo encapsulation-mode

Parameters

Parameter Description Value
transport Sets the encapsulation mode to transport. -
tunnel Sets the encapsulation mode to tunnel. -

Views

IPSec proto-protect proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can configure Authentication Header (AH) or Encapsulating Security Payload (ESP) to protect packets. If AH is configured, an AH header is added; if ESP is configured, an ESP header, an ESP tail, and an ESP authentication field are added. Two encapsulation modes are available for IPSec: transport and tunnel.

  • The transport mode is applicable to a scenario in which two hosts, or a host and a security gateway (such as a gateway workstation and a router), are communicating with each other. In transport mode, the two devices encrypting and decrypting packets must be the original packet sender and the final receiver, respectively.
  • The tunnel mode is generally applied to a scenario in which two security gateways (routers) are communicating with each other. The packets that are encrypted on the local security gateway can be decrypted only on the peer security gateway. Therefore, an IP packet must be encapsulated in tunnel mode, with a new IP header added in front of it. After arriving at the peer security gateway, the IP packet can be decrypted.
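Both encapsulation-mode entries above describe the layouts in words; the difference is easiest to see in bytes. The following added example (not Huawei code) builds the same inner IPv4 packet as ESP in tunnel mode and in transport mode and returns, for each, the cleartext prefix (outer IP header plus ESP header) and the part the SA would encrypt (payload data plus ESP trailer). No cipher is applied and the integrity check value is omitted; the point is that in tunnel mode the outer header carries the gateway addresses and the whole original packet, header included, ends up inside the protected part, whereas in transport mode the original host addresses stay visible on the wire. The addresses, the function names and the 4-byte padding (real SAs pad to the cipher block size) are assumptions of the example.

```python
import struct
import ipaddress

PROTO_IPV4 = 4     # next-header value for an IPv4 packet carried whole (tunnel mode)
PROTO_TCP = 6
PROTO_ESP = 50


def ipv4_checksum(header):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, protocol, payload_len, ttl=64):
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                                ttl, protocol, 0,
                                ipaddress.IPv4Address(src).packed,
                                ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


def build_host_packet(src, dst, app_payload):
    """Constructed inner packet: IPv4 header marked TCP, then application bytes
    (the TCP header is omitted because only the IP layer matters here)."""
    return ipv4_header(src, dst, PROTO_TCP, len(app_payload)) + app_payload


def esp_encapsulate(mode, inner, gw_src, gw_dst, spi, seq):
    """Lay out an ESP packet in tunnel or transport mode.

    Returns (cleartext_prefix, protected_part): the prefix is the outer IP header
    plus the ESP header; the protected part is payload data plus ESP trailer,
    i.e. the bytes the SA would encrypt before appending the integrity check
    value. No cipher is applied; the example is about where the original IP
    header ends up."""
    if mode == "tunnel":
        payload_data = inner                       # whole original packet
        next_header = PROTO_IPV4
    elif mode == "transport":
        payload_data = inner[20:]                  # original transport payload only
        next_header = inner[9]                     # original protocol field
    else:
        raise ValueError(f"unknown encapsulation mode {mode!r}")

    # ESP trailer: pad to a 4-byte boundary (assumption; real SAs pad to the
    # cipher block size), then the pad-length and next-header bytes.
    pad_len = (-(len(payload_data) + 2)) % 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    protected = payload_data + trailer
    esp_header = struct.pack("!II", spi, seq)
    esp_len = len(esp_header) + len(protected)

    if mode == "tunnel":
        # New outer header: the addresses are the two gateways, the inner header is hidden.
        outer = ipv4_header(gw_src, gw_dst, PROTO_ESP, esp_len)
    else:
        # Original header reused: protocol becomes ESP, length and checksum are
        # redone, source and destination stay the original hosts and remain visible.
        hdr = bytearray(inner[:20])
        hdr[9] = PROTO_ESP
        struct.pack_into("!H", hdr, 2, 20 + esp_len)
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
        outer = bytes(hdr)
    return outer + esp_header, protected


def outer_addresses(packet):
    """Source and destination that an on-path observer sees."""
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])))


# Constructed addresses (documentation ranges), not from any real deployment.
HOST_A, HOST_B = "10.1.1.10", "10.2.2.20"
GW_A, GW_B = "203.0.113.1", "198.51.100.1"

if __name__ == "__main__":
    inner = build_host_packet(HOST_A, HOST_B, b"GET / HTTP/1.0\r\n")
    for mode in ("tunnel", "transport"):
        prefix, protected = esp_encapsulate(mode, inner, GW_A, GW_B, 0x315, 1)
        print(mode, "visible addresses:", outer_addresses(prefix),
              "total bytes:", len(prefix) + len(protected))
```

For this inner packet the tunnel-mode result is exactly 20 bytes longer than the transport-mode one, which is the extra IP header the tunnel-mode entry above refers to when it says the mode consumes more bandwidth; the same 20 bytes are what keep the inner addresses out of sight.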

Precautions

The encapsulation modes on both IPSec peers must be identical.

Example

# Set the encapsulation mode to transport in the security proposal named prop2.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop2
[Huawei-ipsec-proto-protect-proposal-prop2] encapsulation-mode transport

encryption-algorithm

Function

The encryption-algorithm command configures an encryption algorithm for IKE negotiation.

The undo encryption-algorithm command restores the default configuration.

By default, the AES-256 encryption algorithm is used for IKE negotiation.

Format

encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 }

undo encryption-algorithm

Parameters

Parameter Description Value
des Configures the 56-bit Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode. -
3des Configures the 168-bit Triple Data Encryption Standard (3DES) algorithm in CBC mode. -
aes-128 Configures the 128-bit AES algorithm in CBC mode. -
aes-192 Configures the 192-bit AES algorithm in CBC mode. -
aes-256 Configures the 256-bit AES algorithm in CBC mode. -

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

The following encryption algorithms used in IKE proposals are listed in descending order of security level: aes-256 > aes-192 > aes-128 > 3des > des.

The 3des and des algorithms provide low security and are therefore not recommended.

Example

# Set the AES-192 algorithm for IKE proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] encryption-algorithm aes-192

esp authentication-algorithm

Function

The esp authentication-algorithm command configures the Encapsulating Security Payload (ESP) authentication algorithm.

The undo esp authentication-algorithm command configures ESP not to authenticate packets.

By default, the ESP authentication algorithm is Secure Hash Algorithm SHA2-256.

Format

esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo esp authentication-algorithm

Parameters

Parameter Description Value
md5 Specifies MD5 as the ESP authentication algorithm. -
sha1 Specifies SHA1 as the ESP authentication algorithm. -
sha2-256 Specifies SHA2-256 as the ESP authentication algorithm. -
sha2-384 Specifies SHA2-384 as the ESP authentication algorithm. -
sha2-512 Specifies SHA2-512 as the ESP authentication algorithm. -

AR100-S&AR110-S&AR120-S&AR160-S series, AR151-S2, AR1220C-S, and AR2204-27GE-S do not support SHA2-384 and SHA2-512 authentication algorithms.

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ESP supports the following encryption and authentication modes: both, encryption-only, authentication-only, and none. In the Efficient VPN scenario, do not configure an encryption or authentication algorithm for ESP when the remote device does not support IPSec encryption or authentication.

When ESP is configured to neither encrypt nor authenticate packets, an IPSec tunnel cannot be established using IKEv2.

Prerequisites

esp or ah-esp has been specified in the transform command.

Precautions

ESP authentication algorithms in the IPSec proposals referenced in the IPSec policies configured at both ends of an IPSec tunnel must be the same.

The undo esp authentication-algorithm command sets the ESP authentication algorithm to blank (non-authentication) and takes effect only when an ESP authentication algorithm has been specified.

The following algorithms are listed in descending order of security level: sha2-512 > sha2-384 > sha2-256 > sha1 > md5.

The sha2-256, sha2-384, and sha2-512 algorithms are recommended for security purposes. The md5 and sha1 algorithms are not recommended.

Example

# Set ESP and SHA2-256 in the IPSec proposal newprop1.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1] transform esp
[Huawei-ipsec-proposal-newprop1] esp authentication-algorithm sha2-256

esp authentication-algorithm (ipsec-proto-protect-proposal view)

Function

The esp authentication-algorithm command configures the authentication algorithm for Encapsulating Security Payload (ESP).

The undo esp authentication-algorithm command cancels the authentication algorithm for ESP.

By default, the authentication algorithm SHA2-256 is used for ESP.

Format

esp authentication-algorithm { md5 | sha1 | sha2-256 }

undo esp authentication-algorithm

Parameters

Parameter Description Value
md5 Indicates that the authentication algorithm MD5 is used for ESP. NOTE: To ensure high security, do not use the MD5 algorithm as the ESP authentication algorithm. -
sha1 Indicates that the authentication algorithm Secure Hash Algorithm-1 (SHA-1) is used for ESP. NOTE: To ensure high security, do not use the SHA-1 algorithm as the ESP authentication algorithm. -
sha2-256 Indicates that the authentication algorithm SHA-2 256 is used for ESP. -

Views

IPSec proto-protect proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec can use Authentication Header (AH) or ESP to authenticate packets, preventing packets from being intercepted or modified. When ESP is used, the authentication and encryption algorithms must be configured. You can run the transform command to configure AH or ESP. When ESP is used, you can run the esp authentication-algorithm command to specify an authentication algorithm for ESP.

ESP currently supports MD5, SHA-1 and SHA2-256 authentication algorithms.

  • MD5: generates a 128-bit message digest for an input message of any length.
  • SHA-1: generates a 160-bit message digest for an input message of less than 2^64 bits.
  • SHA2-256: generates a 256-bit message digest for an input message of less than 2^64 bits.

MD5 is faster than SHA-1, but is less secure.

The undo esp authentication-algorithm command functions differently from the undo ah authentication-algorithm command. The undo esp authentication-algorithm command configures ESP not to authenticate packets, whereas the undo ah authentication-algorithm command restores the default authentication algorithm for AH.

Prerequisite

IPSec ensures security using AH or ESP. An authentication algorithm can be configured only after AH or ESP is specified. Therefore, you can configure an ESP authentication algorithm only after running the transform command to specify ESP.

Precautions

The encryption algorithm and authentication algorithm cannot be both set to NULL for ESP.

The authentication algorithms on both IPSec peers must be identical.

Example

# Set the authentication algorithm to SHA-1 for ESP.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform esp
[Huawei-ipsec-proto-protect-proposal-prop1] esp authentication-algorithm sha1

esp encryption-algorithm

Function

The esp encryption-algorithm command configures the ESP encryption algorithm.

The undo esp encryption-algorithm command sets the ESP encryption algorithm to blank (non-encryption).

By default, the ESP encryption algorithm is Advanced Encryption Standard AES-256.

Format

esp encryption-algorithm { des | 3des | aes-128 | aes-192 | aes-256 }

undo esp encryption-algorithm

Parameters

Parameter Description Value
des Configures the 56-bit Data Encryption Standard (DES) algorithm in Cipher Block Chaining (CBC) mode. -
3des Configures the 168-bit Triple Data Encryption Standard (3DES) algorithm in CBC mode. -
aes-128 Configures the 128-bit AES algorithm in CBC mode. -
aes-192 Configures the 192-bit AES algorithm in CBC mode. -
aes-256 Configures the 256-bit AES algorithm in CBC mode. -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

ESP supports the following encryption and authentication modes: both, encryption-only, authentication-only, and none. In the Efficient VPN scenario, do not configure an encryption or authentication algorithm for ESP when the remote device does not support IPSec encryption or authentication.

When ESP is configured to neither encrypt nor authenticate packets, an IPSec tunnel cannot be established using IKEv2.

Prerequisites

esp or ah-esp has been specified in the transform command.

Precautions

ESP encryption algorithms in the IPSec proposals referenced in the IPSec policies configured at both ends of an IPSec tunnel must be the same.

The undo esp encryption-algorithm command sets the ESP encryption algorithm to blank (non-encryption) and takes effect only when an ESP encryption algorithm has been specified.

The following encryption algorithms are listed in descending order of security level: aes-256 > aes-192 > aes-128 > 3des > des.

The aes-256, aes-192, and aes-128 algorithms are recommended for security purposes. The 3des and des algorithms are not recommended.

Example

# Set ESP and AES-128 in the IPSec proposal newprop1.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1] transform esp
[Huawei-ipsec-proposal-newprop1] esp encryption-algorithm aes-128

esp encryption-algorithm (ipsec-proto-protect-proposal view)

Function

The esp encryption-algorithm command configures the encryption algorithm for Encapsulating Security Payload (ESP).

The undo esp encryption-algorithm command configures ESP not to encrypt packets.

By default, the encryption algorithm AES 128 is used for ESP.

Format

esp encryption-algorithm { des | 3des | aes [ 128 | 192 | 256 ] }

undo esp encryption-algorithm

Parameters

Parameter Description Value
des Indicates that ESP uses the DES algorithm to encrypt packets. To ensure high security, do not use the DES algorithm as the ESP encryption algorithm. -
3des Indicates that ESP uses the 3DES algorithm to encrypt packets. -
aes Indicates that ESP uses the Advanced Encryption Standard (AES) algorithm to encrypt packets. If none of 128, 192, and 256 is specified, the 128-bit AES algorithm is used by default. -
128 Indicates that ESP uses the 128-bit AES algorithm to encrypt packets. -
192 Indicates that ESP uses the 192-bit AES algorithm to encrypt packets. -
256 Indicates that ESP uses the 256-bit AES algorithm to encrypt packets. -

Views

IPSec proto-protect proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec uses authentication and encryption algorithms to protect IP packet transmission, preventing packets from being intercepted or modified. Therefore, specify an encryption algorithm before using ESP to ensure security.

  • DES: uses a 56-bit key to encrypt a 64-bit packet in plain text.
  • 3DES: uses three 56-bit keys (in effect, a 168-bit key) to encrypt a packet in plain text.
  • AES: uses 128, 192, 256-bit keys respectively to encrypt a packet in plain text.

3DES is CPU-intensive and encrypts packets slowly, but provides a more secure service than DES. AES is both more secure and faster than 3DES.

Prerequisite

You can configure an encryption algorithm only after ESP is used.

Precautions

The undo esp encryption-algorithm command does not restore the default encryption algorithm but configures ESP not to encrypt packets.

The encryption algorithm and authentication algorithm cannot be both set to NULL for ESP.

The encryption algorithms on both IPSec peers must be identical.

You cannot set up a peer with ESP encryption algorithm configuration.
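The constraints spelled out across the esp authentication-algorithm and esp encryption-algorithm sections above (both peers must use identical ESP algorithms, encryption and authentication cannot both be NULL, and the descending security ordering with md5/sha1/des/3des not recommended) can be checked before a proposal is pushed to a device. The following Python is an added example written for this page, not code from the command reference or from the device; the IpsecProposal class, its field names and the (errors, warnings) return shape are assumptions of the example, and the proposal values are constructed to mirror the page's newprop1 examples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Security ordering given on the page (higher number = stronger).
ESP_AUTH_RANK = {"md5": 1, "sha1": 2, "sha2-256": 3, "sha2-384": 4, "sha2-512": 5}
ESP_ENC_RANK = {"des": 1, "3des": 2, "aes-128": 3, "aes-192": 4, "aes-256": 5}
NOT_RECOMMENDED = {"md5", "sha1", "des", "3des"}
VALID_TRANSFORMS = {"ah", "esp", "ah-esp"}


@dataclass(frozen=True)
class IpsecProposal:
    """Constructed model of one IPSec proposal on a peer (assumed class, not a device object).
    None for esp_auth/esp_enc models the undo form: no authentication / no encryption."""
    name: str
    transform: str = "esp"
    esp_auth: Optional[str] = "sha2-256"   # page default for esp authentication-algorithm
    esp_enc: Optional[str] = "aes-256"     # page default for esp encryption-algorithm


def check_proposal(p: IpsecProposal) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for a single proposal."""
    errors: List[str] = []
    warnings: List[str] = []
    if p.transform not in VALID_TRANSFORMS:
        errors.append(f"{p.name}: unknown transform {p.transform!r}")
        return errors, warnings
    if p.transform == "ah":
        # ESP algorithms require esp or ah-esp in the transform command.
        if p.esp_auth is not None or p.esp_enc is not None:
            warnings.append(f"{p.name}: ESP algorithms ignored because transform is ah")
        return errors, warnings
    if p.esp_auth is not None and p.esp_auth not in ESP_AUTH_RANK:
        errors.append(f"{p.name}: unknown ESP authentication algorithm {p.esp_auth!r}")
    if p.esp_enc is not None and p.esp_enc not in ESP_ENC_RANK:
        errors.append(f"{p.name}: unknown ESP encryption algorithm {p.esp_enc!r}")
    if p.esp_auth is None and p.esp_enc is None:
        # Precaution on the page: encryption and authentication cannot both be NULL.
        errors.append(f"{p.name}: ESP encryption and authentication cannot both be NULL")
    for alg in (p.esp_auth, p.esp_enc):
        if alg in NOT_RECOMMENDED:
            warnings.append(f"{p.name}: {alg} is not recommended for security purposes")
    return errors, warnings


def peers_match(local: IpsecProposal, remote: IpsecProposal) -> List[str]:
    """Mismatches that stop the tunnel: transform and ESP algorithms must be identical at both ends."""
    mismatches = []
    for field_name in ("transform", "esp_auth", "esp_enc"):
        a, b = getattr(local, field_name), getattr(remote, field_name)
        if a != b:
            mismatches.append(f"{field_name}: local={a} remote={b}")
    return mismatches


if __name__ == "__main__":
    hq = IpsecProposal("newprop1")                          # defaults: sha2-256 / aes-256
    branch = IpsecProposal("newprop1", esp_enc="aes-128")   # the page's aes-128 example
    print(check_proposal(hq))
    print(peers_match(hq, branch))   # the two ends would not negotiate
```

Run the checker against both ends' intended proposals before deploying; a non-empty result from peers_match is the configuration-level cause of the "parameters at both ends must be the same" failure the page warns about.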

Example

# Set the encryption algorithm to 3DES for ESP.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform esp
[Huawei-ipsec-proto-protect-proposal-prop1] esp encryption-algorithm 3des

# Set the encryption algorithm to AES 128 bits for ESP.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform esp
[Huawei-ipsec-proto-protect-proposal-prop1] esp encryption-algorithm aes 128

exchange-mode

Function

The exchange-mode command configures the IKEv1 phase 1 negotiation mode.

The undo exchange-mode command restores the default IKEv1 phase 1 negotiation mode.

By default, the main mode is used.

Format

exchange-mode { aggressive | main }

undo exchange-mode

Parameters

Parameter Description Value
aggressive Configures the aggressive mode. -
main Configures the main mode. -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Two key exchange and negotiation modes are defined in IKEv1 phase 1:

  • In main mode, key exchange information is separated from identity and authentication information to protect identity information.
  • In aggressive mode, only three messages are exchanged. Therefore, IKE SAs can be set up more quickly in aggressive mode. However, the first two messages exchanged in aggressive mode are not encrypted, and identity authentication is transmitted in plain text. This brings security risks.

When selecting a negotiation mode, you can determine the main or aggressive mode based on network requirements:

  • In the scenario where multiple pre-shared keys are configured in the IKE user table, if the IP address of the negotiation initiator is unknown or unstable and the two ends expect to set up SAs using the pre-shared key, only the aggressive mode can be used.
  • If the initiator knows the policy of the responder, IKE SAs can be set up more quickly in aggressive mode.

Example

# Configure the aggressive IKE negotiation mode for the IKE peer peer1.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] exchange-mode aggressive

fqdn

Function

The fqdn command specifies the name of an allowed peer for IKE negotiation.

The undo fqdn command deletes the name of an allowed peer.

By default, no name of allowed peer for IKE negotiation is configured.

Format

fqdn fqdn-name

undo fqdn fqdn-name

Parameters

Parameter Description Value
fqdn-name Specifies the name of an allowed peer. The value is a string of 1 to 255 case-sensitive characters without spaces.

Views

Identity filter set view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify an allowed peer based on the name (configured on a remote device using the ike local-name command) in the identity filter set for IKE negotiation.

Precautions

An IPSec tunnel can be established only when the remote end matches one or more parameters in the identity filter set and the IPSec negotiation parameters at both ends are consistent.

If you run this command in the same view multiple times, each run adds another allowed peer name; the latest configuration does not override earlier ones.

Example

# Set the name of the allowed peer for IKE negotiation to huawei.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] fqdn huawei

id-type

Function

The id-type command configures the IKE user ID type and ID.

The undo id-type command deletes the IKE user ID type and ID.

By default, the IKE user ID type and ID are not configured.

Format

id-type { any any-id | fqdn remote-fqdn | ip ipv4-address | user-fqdn remote-user-fqdn }

undo id-type

Parameters

Parameter Description Value
any any-id Indicates that the remote ID type of an IKE peer can be any type and configures the remote ID. The value is a string of 1 to 255 case-sensitive characters without question marks (?).
fqdn remote-fqdn Uses the name as the remote ID of an IKE peer and configures the remote ID. The value is a string of 1 to 255 case-sensitive characters without question marks (?).
ip ipv4-address Uses the IPv4 address as the remote ID of an IKE peer and configures the remote ID. The value is in dotted decimal notation.
user-fqdn remote-user-fqdn Uses the domain name as the remote ID of an IKE peer and configures the remote ID. The value is a string of 1 to 255 case-sensitive characters without question marks (?).

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a point-to-multipoint scenario, the device functions as the VPN gateway of the headquarters, an IPSec policy is created using an IPSec policy template, and the VPN gateway receives IPSec connection setup requests of different branches. When the pre-shared key is used for identity authentication and all branches use the same ID and pre-shared key, there are security risks. That is, if the ID and pre-shared key of one branch leak, the ID and pre-shared key of all branches leak. To prevent this problem, you are advised to run the id-type and pre-shared-key commands in the view of the IKE user in the IKE user table.

An IKE user table records the mapping between remote IDs of IKE peers and pre-shared keys. After an IKE peer references an IKE user table, the device searches for the pre-shared key matching the remote ID of the IKE peer in the IKE user table to complete identity authentication during IKE negotiation. In this manner, branches use different IDs and pre-shared keys.

Precautions

  • After an IKE peer references an IKE user table, the ID configured using this command can be used to find required resources, for example, the pre-shared key can be found based on the configured ID.

  • When IKEv1 main mode with pre-shared key authentication is used, the value of id-type must be set to ip. In NAT traversal scenarios, ipv4-address should be set to the IP address that is translated using NAT.

Example

# Configure the IKE user ID type and ID.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] id-type ip 1.1.1.1

ike call admission limit in-negotiation-sa

Function

The ike call admission limit in-negotiation-sa command specifies the maximum number of IKE SAs waiting in a queue.

The undo ike call admission limit in-negotiation-sa command restores the default maximum number of IKE SAs waiting in a queue.

By default, the maximum number of IKE SAs waiting in a queue is 800 on a CPU.

Format

ike call admission limit in-negotiation-sa limit-value

undo ike call admission limit in-negotiation-sa

Parameters

Parameter Description Value
limit-value Specifies the maximum number of IKE SAs waiting in a queue. The value is an integer that ranges from 1 to 800.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

You can run this command to set the maximum number of IKE SAs waiting in a queue to defend against DoS attacks.

Example

# Set the maximum number of IKE SAs waiting in a queue to 100.

<Huawei> system-view
[Huawei] ike call admission limit in-negotiation-sa 100

ike certificate-check disable

Function

The ike certificate-check disable command disables validity verification on certificates of all IKE peers.

The undo ike certificate-check disable command restores the default configuration.

By default, the device verifies certificates of all IKE peers.

Format

ike certificate-check disable

undo ike certificate-check disable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When IPSec uses certificate authentication and users cannot renew certificates that have expired or otherwise become invalid, those certificates can no longer be used and IPSec authentication fails. If users still want to use these invalid certificates, run the ike certificate-check disable command to disable validity verification on certificates of all IKE peers. If users only want to disable validity verification on certificates of a specified IKE peer, run the certificate-check disable command.

Precautions

Disabling validity verification on certificates will lead to security risks.

Example

# Configure the device not to verify certificates of all IKE peers.

<Huawei> system-view
[Huawei] ike certificate-check disable

ike dscp

Function

The ike dscp command sets a global DSCP priority of IKE packets.

The undo ike dscp command cancels the DSCP priority configuration.

By default, the global DSCP priority of IKE packets is 0.

Format

ike dscp dscp-value

undo ike dscp

Parameters

Parameter Description Value
dscp-value Specifies the global DSCP priority of IKE packets. The value can be an integer or a string of characters. That is, the value can be an integer that ranges from 0 to 63, or a string of AF11 to AF13, AF21 to AF23, AF31 to AF33, AF41 to AF43, CS1 to CS7, EF, or default.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IKE packets are used for IKE SA and IPSec SA negotiation or DPD. When IKE packets are lost during transmission, IPSec SAs may fail to be negotiated. As a result, packets that need to be protected by IPSec are not protected. The DSCP priority of IKE packets can be improved so that IKE packets are processed preferentially. IKE packet transmission reliability is therefore improved.

To configure the DSCP priority for IKE packets of all IKE peers, run this command.

Precautions

The DSCP priority of IKE packets can be configured in the IKE peer view or system view. The system preferentially uses the DSCP priority configured in the IKE peer view. If the DSCP priority is not configured in the IKE peer view, the system uses the global DSCP priority.
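The ike dscp value syntax above (an integer 0 to 63, or one of the AF11 to AF43, CS1 to CS7, EF and default names) and the precedence rule in the precaution (IKE peer view over system view, 0 when neither is set) are easy to get wrong when generating configuration. The following Python is an added example for this page, not code from the command reference or from the device; parse_dscp and effective_ike_dscp are assumed helper names, and the numeric values for the symbolic names are the standard DSCP code points (CSx = 8x, AFxy = 8x + 2y, EF = 46, default = 0), which the page itself does not list.

```python
import re

# Symbolic DSCP names accepted by the ike dscp command, per the page:
# AF11-AF13, AF21-AF23, AF31-AF33, AF41-AF43, CS1-CS7, EF, default.
_AF = re.compile(r"^AF([1-4])([1-3])$")
_CS = re.compile(r"^CS([1-7])$")


def parse_dscp(value) -> int:
    """Return the numeric DSCP (0-63) for an integer or symbolic value.
    Raises ValueError for anything outside the command's accepted set."""
    text = str(value).strip().upper()   # the page's example uses lowercase cs2
    if text == "DEFAULT":
        return 0
    if text == "EF":
        return 46
    m = _AF.match(text)
    if m:
        cls, drop = int(m.group(1)), int(m.group(2))
        return 8 * cls + 2 * drop      # standard AFxy code point
    m = _CS.match(text)
    if m:
        return 8 * int(m.group(1))     # standard CSx code point
    if text.isdigit():
        n = int(text)
        if 0 <= n <= 63:
            return n
    raise ValueError(f"invalid DSCP value: {value!r}")


def is_valid_dscp(value) -> bool:
    """True if the value would be accepted by ike dscp / dscp in the IKE peer view."""
    try:
        parse_dscp(value)
        return True
    except ValueError:
        return False


def effective_ike_dscp(global_dscp=None, peer_dscp=None) -> int:
    """Precedence from the page: the IKE peer view setting wins; otherwise the
    global (system view) setting; otherwise the default priority 0."""
    if peer_dscp is not None:
        return parse_dscp(peer_dscp)
    if global_dscp is not None:
        return parse_dscp(global_dscp)
    return 0


if __name__ == "__main__":
    # Constructed scenario: global cs2 (the page's example), one peer overriding with af11.
    print(effective_ike_dscp("cs2"))          # 16
    print(effective_ike_dscp("cs2", "af11"))  # 10
```

When auditing a configuration, compare the resolved value per IKE peer rather than the system-view line alone, since a peer-level dscp silently takes precedence.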

Example

# Set a global DSCP priority of IKE packets to CS2.

<Huawei> system-view
[Huawei] ike dscp cs2

ike heartbeat

Function

The ike heartbeat command sets heartbeat parameters.

The undo ike heartbeat command restores the default configuration.

By default, a heartbeat packet uses the old sequence number mechanism and does not carry the SPI list.

Format

ike heartbeat { seq-num { new | old } | spi-list }

undo ike heartbeat { seq-num | spi-list }

Parameters

Parameter Description Value
seq-num { new | old } Configures the sequence number mechanism for heartbeat packets. new: the sequence number mechanism conforms to draft-ietf-ipsec-heartbeats-00.txt. old: the sequence number mechanism conforms to the mechanism used before draft-ietf-ipsec-heartbeats-00.txt was published. -
spi-list Configures heartbeat packets to carry the SPI list. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In IPSec communication, if the local end becomes faulty and the remote end does not detect the fault because of system failures, the remote end still sends IPSec packets to the local end, causing traffic loss. Heartbeat detection solves this problem. After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status.

Precautions

The two ends must use the same heartbeat parameters.

If you run the ike heartbeat { seq-num { new | old } | spi-list } command multiple times, only the latest configuration takes effect.

Example

# Configure the sequence number mechanism for heartbeat packets to new.

<Huawei> system-view
[Huawei] ike heartbeat seq-num new

ike heartbeat-timer interval

Function

The ike heartbeat-timer interval command sets the interval for sending heartbeat packets through an IKE SA.

The undo ike heartbeat-timer interval command cancels the configuration.

By default, an IKE SA does not send heartbeat packets.

Format

ike heartbeat-timer interval interval

undo ike heartbeat-timer interval

Parameters

Parameter Description Value
interval Specifies the interval for sending heartbeat packets through an IKE SA. The value is an integer that ranges from 20 to 28800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status. This command sets the interval for sending heartbeat packets through an IKE SA.

The interval at which heartbeat packets are sent (configured using the ike heartbeat-timer interval command) at the local end must be used together with the timeout interval of heartbeat packets (configured using the ike heartbeat-timer timeout command) at the remote end. If the remote end does not receive any heartbeat packet within the timeout interval, it deletes the IKE SA that already carries a timeout tag along with its corresponding IPSec SA. If the IKE SA does not yet have a timeout tag, it is marked as timed out.

Precautions

When the ike heartbeat-timer interval command is configured at one end, the ike heartbeat-timer timeout command must be used at the other end.

The timeout interval of heartbeat packets must be longer than the interval at which heartbeat packets are sent. On a network, packet loss seldom occurs more than three consecutive times. Therefore, it is recommended that the timeout interval of heartbeat packets be three times the interval at which heartbeat packets are sent.

Example

# Set the interval for sending heartbeat packets to 20 seconds.

<Huawei> system-view
[Huawei] ike heartbeat-timer interval 20

ike heartbeat-timer timeout

Function

The ike heartbeat-timer timeout command sets the timeout interval during which an IKE SA waits for a heartbeat packet.

The undo ike heartbeat-timer timeout command cancels the configuration.

By default, the timeout interval during which an IKE SA waits for a heartbeat packet is not configured.

Format

ike heartbeat-timer timeout seconds

undo ike heartbeat-timer timeout

Parameters

Parameter Description Value
seconds Specifies the timeout interval during which an IKE SA waits for a heartbeat packet. The value is an integer that ranges from 30 to 28800, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After heartbeat detection is enabled, the local end periodically sends detection packets to the remote end. If the remote end does not receive packets after the heartbeat timer expires, the remote end considers the local end faulty. IKE can send heartbeat packets to detect IKE peer faults and maintain the IKE SA link status. This command sets the timeout interval during which an IKE SA waits for a heartbeat packet.

Precautions

When the ike heartbeat-timer interval command is configured at one end, the ike heartbeat-timer timeout command must be used at the other end.

The timeout interval of heartbeat packets must be longer than the interval at which heartbeat packets are sent. On a network, packet loss seldom occurs more than three consecutive times. Therefore, it is recommended that the timeout interval of heartbeat packets be three times the interval at which heartbeat packets are sent.
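The pairing rules for ike heartbeat-timer interval on one end and ike heartbeat-timer timeout on the other (the 20 to 28800 and 30 to 28800 ranges, timeout strictly longer than the interval, and the recommended 3x ratio) can be validated, and the effect of the ratio can be seen by simulating lost heartbeats. The following Python is an added example for this page, not code from the command reference or from the device. The function names are assumptions, the loss patterns are constructed, and the simulation assumes zero network delay and models the remote timer as expiring once the gap since the last received heartbeat exceeds the timeout; the page does not specify the exact expiry semantics.

```python
from typing import List, Optional, Set

INTERVAL_RANGE = (20, 28800)   # ike heartbeat-timer interval, seconds (page)
TIMEOUT_RANGE = (30, 28800)    # ike heartbeat-timer timeout, seconds (page)
RECOMMENDED_RATIO = 3          # page: timeout should be three times the interval


def recommended_timeout(interval: int) -> int:
    """Timeout to configure on the remote end, following the 3x rule and
    clamped to the command's accepted range."""
    return max(TIMEOUT_RANGE[0], min(TIMEOUT_RANGE[1], RECOMMENDED_RATIO * interval))


def validate_heartbeat_timers(interval: int, timeout: int) -> List[str]:
    """Checks for an interval/timeout pair: command ranges, timeout longer than
    the sending interval, and a warning when below the recommended 3x ratio."""
    problems: List[str] = []
    if not INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1]:
        problems.append(f"interval {interval} outside {INTERVAL_RANGE}")
    if not TIMEOUT_RANGE[0] <= timeout <= TIMEOUT_RANGE[1]:
        problems.append(f"timeout {timeout} outside {TIMEOUT_RANGE}")
    if timeout <= interval:
        problems.append("timeout must be longer than the sending interval")
    elif timeout < RECOMMENDED_RATIO * interval:
        problems.append(f"warning: timeout below recommended {RECOMMENDED_RATIO}x interval")
    return problems


def simulate_failure_time(interval: int, timeout: int,
                          lost: Set[int], heartbeats: int) -> Optional[int]:
    """Constructed model of the remote end's timer.  Heartbeats 1..heartbeats are
    sent at n*interval seconds with zero network delay (assumption); numbers in
    `lost` never arrive.  The timer is modelled as expiring once the gap since the
    last received heartbeat exceeds `timeout` (assumption).  Returns the time at
    which the remote end would declare the local end faulty, or None."""
    last_rx = 0   # the IKE SA is treated as freshly established at t=0
    for n in range(1, heartbeats + 1):
        if n in lost:
            continue
        t = n * interval
        if t - last_rx > timeout:
            return last_rx + timeout
        last_rx = t
    # Trailing losses: does the timer expire before the simulation horizon ends?
    end = heartbeats * interval
    return last_rx + timeout if end - last_rx > timeout else None


if __name__ == "__main__":
    # The page's examples: interval 20 locally, timeout 60 remotely.
    print(validate_heartbeat_timers(20, 60))              # []
    print(simulate_failure_time(20, 60, {2, 3}, 6))       # None: two losses tolerated
    print(simulate_failure_time(20, 60, {2, 3, 4}, 6))    # 80: third loss trips the timer
```

With the page's 20/60 pair, two consecutive lost heartbeats are absorbed and a third triggers SA deletion, which is the trade-off behind the 3x recommendation: a shorter timeout detects a dead peer sooner but tears down a healthy SA on ordinary packet loss.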

Example

# Set the timeout interval during which an IKE SA waits for a heartbeat packet to 60 seconds.

<Huawei> system-view
[Huawei] ike heartbeat-timer timeout 60

ike identity

Function

The ike identity command creates an identity filter set and enters the identity filter set view.

The undo ike identity command deletes an identity filter set.

By default, no identity filter set is configured.

Format

ike identity identity-name

undo ike identity identity-name

Parameters

Parameter Description Value
identity-name Specifies the name of the identity filter set. The value is a string of 1 to 31 case-sensitive characters without spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to control user access. The remote peer parameters defined in an identity filter set include the name, DN, and IP address of the peer. Only initiators that match the identity filter set can establish an IPSec tunnel with the device, improving access security.

Follow-up Procedure

Configure an allowed peer in the identity filter set view and reference this identity filter set using the match ike-identity command in the policy template view or IPSec profile view.

Precautions

An IPSec tunnel can be established only when the remote end matches one or more parameters in the identity filter set and the IPSec negotiation parameters at both ends are consistent.
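The admission rule for an identity filter set, as described in the fqdn and ike identity sections (a peer is admitted when it matches at least one entry and the negotiation parameters agree; repeated fqdn commands accumulate names; names are case-sensitive, 1 to 255 characters, no spaces), as an added Python example for this page rather than code from the command reference or the device. The IdentityFilterSet class and the admit helper are assumptions of the example; the page names DN and IP address as filter parameters but the commands that add them are not in this excerpt, so the dns and ips containers are likewise assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, Set


def valid_fqdn_name(name: str) -> bool:
    """fqdn-name rule from the page: 1 to 255 case-sensitive characters, no spaces."""
    return 1 <= len(name) <= 255 and " " not in name


@dataclass
class IdentityFilterSet:
    """Constructed model of ike identity <identity-name> (assumed class)."""
    name: str
    fqdns: Set[str] = field(default_factory=set)
    dns: Set[str] = field(default_factory=set)    # DN entries: assumed container
    ips: Set[str] = field(default_factory=set)    # IP entries: assumed container

    def fqdn(self, fqdn_name: str) -> None:
        """fqdn <fqdn-name>: add an allowed peer name; later runs do not override earlier ones."""
        if not valid_fqdn_name(fqdn_name):
            raise ValueError(f"invalid fqdn-name {fqdn_name!r}")
        self.fqdns.add(fqdn_name)

    def undo_fqdn(self, fqdn_name: str) -> None:
        """undo fqdn <fqdn-name>: delete one allowed peer name."""
        self.fqdns.discard(fqdn_name)

    def matches(self, peer_identity: Dict[str, str]) -> bool:
        """True when the identity the peer presents (the value it set with
        ike local-name, for a name) matches at least one entry.  Comparison is
        case-sensitive, as the value rule on the page implies."""
        return (peer_identity.get("fqdn") in self.fqdns
                or peer_identity.get("dn") in self.dns
                or peer_identity.get("ip") in self.ips)


def admit(filter_set: IdentityFilterSet, peer_identity: Dict[str, str],
          negotiation_params_consistent: bool) -> bool:
    """Page precaution: the tunnel is established only if the identity matches AND
    the IPSec negotiation parameters at both ends are consistent."""
    return filter_set.matches(peer_identity) and negotiation_params_consistent


if __name__ == "__main__":
    # Constructed: the page's identity1 set allowing the name huawei plus one more branch.
    identity1 = IdentityFilterSet("identity1")
    identity1.fqdn("huawei")
    identity1.fqdn("branch-a")
    print(admit(identity1, {"fqdn": "huawei"}, True))     # True
    print(admit(identity1, {"fqdn": "Huawei"}, True))     # False: case-sensitive
```

The accumulating behaviour matters operationally: removing a branch from the allow-list requires an explicit undo fqdn, since re-running fqdn with a different name does not replace the old one.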

Example

# Configure an identity filter set named identity1.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] 

ike local-name

Function

The ike local-name command configures the local name for IKE negotiation.

The undo ike local-name command deletes the local name for IKE negotiation.

By default, no local name is configured for IKE negotiation.

Format

ike local-name local-name

undo ike local-name

Parameters

Parameter Description Value
local-name Specifies a local name for IKE negotiation. The value is a string of 1 to 255 case-sensitive characters without question marks (?).

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During identity authentication, if the ID type of an IKE peer is a domain name, that is, a fully qualified domain name (FQDN) or USER-FQDN, the IKE peer uses the name for identity authentication. You can use the following methods to configure the local name:

  • Run the local-id command in the IKE peer view. After this command is used, only that IKE peer uses the configured name for identity authentication.
  • Run the ike local-name command in the system view. After this command is used, all IKE peers use the configured name for identity authentication.

The local name configured using the local-id command has a higher priority than that configured using the ike local-name command.

Example

# Set the local ID for IKE negotiation to Huawei.

<Huawei> system-view
[Huawei] ike local-name Huawei

ike nat-keepalive-timer interval

Function

The ike nat-keepalive-timer interval command configures the interval for sending NAT Keepalive packets.

The undo ike nat-keepalive-timer interval command restores the default setting.

By default, the interval for sending NAT Keepalive packets is 20 seconds.

Format

ike nat-keepalive-timer interval interval

undo ike nat-keepalive-timer interval

Parameters

Parameter Description Value
interval Specifies the interval for sending NAT Keepalive packets. The value is an integer that ranges from 5 to 300, in seconds.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When a NAT gateway exists between two IKE peers, to prevent NAT entries from aging out, the device on the private network side of the NAT gateway sends NAT Keepalive packets to its peer at a certain interval to maintain the NAT session.

Prerequisites

NAT traversal has been enabled using the nat traversal command.

Example

# Configure the interval for sending NAT Keepalive packets to 30 seconds.

<Huawei> system-view
[Huawei] ike nat-keepalive-timer interval 30

ike sm-encryption-key-length enable

Function

The ike sm-encryption-key-length enable command enables IKE negotiation packets to carry the SM encryption key length.

The undo ike sm-encryption-key-length enable command disables IKE negotiation packets from carrying the SM encryption key length.

By default, IKE negotiation packets do not carry the SM encryption key length.

Format

ike sm-encryption-key-length enable

undo ike sm-encryption-key-length enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a digital envelope is used for IKE negotiation, the negotiation fails if packets sent by the initiator carry the SM encryption key length but the responder cannot process the SM encryption key length. To solve this problem, run the undo ike sm-encryption-key-length enable command on the IKE initiator to disable IKE negotiation packets from carrying the SM encryption key length.

Example

# Enable IKE negotiation packets to carry the SM encryption key length.

<Huawei> system-view
[Huawei] ike sm-encryption-key-length enable

ike user-table

Function

The ike user-table command creates an IKE user table and displays the IKE user table view, or directly displays the view of an existing IKE user table.

The undo ike user-table command deletes an IKE user table.

By default, no IKE user table is configured.

Format

ike user-table user-table-id

undo ike user-table user-table-id

Parameters

Parameter

Description

Value

user-table-id

Specifies the ID of an IKE user table.

The value is an integer and the value range depends on device types.
  • AR120-S&AR150-S&AR160-S&AR200-S series: 1 to 7.
  • AR1200-S series, AR2201-48FE-S, and AR2204-S: 1 to 200.
  • AR2220-S and AR2240-S: 1 to 400.
  • AR3200-S series: 1 to 400.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a point-to-multipoint scenario, the device functions as the VPN gateway of the headquarters, an IPSec policy is created using an IPSec policy template, and the VPN gateway receives IPSec connection setup requests of different branches. Some parameters (for example, pre-shared key and VPN instance) of IKE peers are configured on the headquarters gateway that connect to branch gateways, and the parameters are used by all branches. In this case, services of branches cannot be distinguished, and there are even security risks. When the pre-shared key is used for identity authentication and all branches use the same ID and pre-shared key, there are security risks. That is, if the ID and pre-shared key of one branch leak, the ID and pre-shared key of all branches leak.

You are advised to configure an IKE user table to prevent this problem. The IKE user table records the mapping between the remote IDs of IKE peers and their other parameters. After an IKE peer references the IKE user table, the device looks up the parameters matching the remote ID of the IKE peer in the table during IKE negotiation, so each branch can use its own parameters and services.

Follow-up Procedure

Run the user-table command in the IKE peer view to reference the IKE user table.

Precautions

The IKE user table that has been referenced by an IKE peer cannot be deleted.

Example

# Create an IKE user table 10 and enter its view.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] 

ike peer

Function

The ike peer command creates an IKE peer and displays the IKE peer view.

The undo ike peer command deletes the specified IKE peer.

By default, no IKE peer is configured.

Format

ike peer peer-name

undo ike peer peer-name

Parameters

Parameter Description Value
peer-name Specifies the name of an IKE peer. The value is a string of 1 to 15 case-sensitive characters without question marks (?) and spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the ike peer command to enter the IKE peer view and then define all parameters for the IKE peer, including:

  • Negotiation mode
  • ID type
  • NAT traversal
  • Pre-shared key
  • Remote address
  • Peer name

Follow-up Procedure

Run the ike-peer command to reference the IKE peer.

Example

# Create an IKE peer named peer1 and enter the IKE peer view.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1]

ike proposal

Function

The ike proposal command creates an IKE proposal and displays the IKE proposal view.

The undo ike proposal command deletes the IKE proposal.

By default, an IKE proposal Default with the lowest priority is available.

Table 11-63 describes the default configuration of an IKE proposal.

Table 11-63  Default configurations of an IKE proposal

Parameter

Default Configuration

Authentication method

Pre-shared key authentication

Encryption algorithm

AES-256

Diffie-Hellman (DH) group parameter

DH14

IKE SA lifetime

86400 seconds

IKEv1 authentication algorithm

SHA2-256

IKEv2 pseudo-random function algorithm

SHA2-256

IKEv2 integrity function algorithm

SHA2-256

Format

ike proposal proposal-number

ike proposal default

undo ike proposal proposal-number

Parameters

Parameter

Description

Value

proposal-number

Specifies the number of an IKE proposal. A smaller value indicates a higher priority.

The value is an integer that ranges from 1 to 99.

default

Specifies the default IKE proposal.

-

Views

System view

Default Level

2: Configuration level

Usage Guidelines

An IKE proposal is a component of an IKE peer and defines IKE negotiation parameters, including the encryption algorithm, authentication method, authentication algorithm, DH group, and SA lifetime.

A smaller IKE proposal number indicates a higher priority. You can create multiple IKE proposals with different priorities. The negotiation succeeds if any IKE proposal is matched.

You can configure multiple IKE proposals for each IKE peer. The proposals are tried in descending order of security level until a matching proposal is found. During IKE negotiation, the initiator sends its IKE proposals to the remote end, and the remote end compares them against its own IKE proposals, starting from the highest priority, until a match is found. The matched IKE proposal is used to create the IKE SA and the IPSec tunnel.

The negotiation mode of an IKE proposal varies depending on the IKE negotiation mode:

  • Main mode

    In main mode, if an IKE proposal is specified in the IKE peer that initiates IKE negotiation, only the specified IKE proposal is sent during IKE negotiation. The responder searches only for an IKE proposal matching the one specified by the initiator. If no such IKE proposal is found, the negotiation fails.

    If no IKE proposal is specified in the IKE peer that initiates IKE negotiation, all IKE proposals are sent during IKE negotiation. The responder searches for an IKE proposal matching each of the proposals sent by the initiator, one by one.

  • Aggressive mode

    In aggressive mode, if an IKE proposal is specified in the IKE peer that initiates IKE negotiation, the case is the same as that in main mode.

    If no IKE proposal is specified in the IKE peer that initiates IKE negotiation, only the default IKE proposal is sent during IKE negotiation. The responder also matches this IKE proposal with the default IKE proposal.
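The offer-and-match rules described above, modelled as an added example (not Huawei code or configuration): the initiator offers either the referenced proposal, all of its proposals, or only the default proposal depending on mode, and the responder walks its own proposals from the highest priority (smallest number) until one matches. The proposal fields, the `DEFAULT_NUMBER` sentinel, and the choice to compare only the four algorithm/authentication fields are assumptions made for the model.

```python
"""Model of how IKE proposals are offered and matched during negotiation.

Added example, not Huawei code: it reproduces only the selection rules given
in the text (smaller number = higher priority, the Default proposal has the
lowest priority, main versus aggressive mode when the initiator references
or omits a proposal). Defaults mirror Table 11-63.
"""
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_NUMBER = 100  # assumed sentinel above the 1..99 range, so Default sorts last


@dataclass(frozen=True)
class IkeProposal:
    number: int
    encryption: str = "aes-256"
    dh_group: str = "group14"
    auth_algorithm: str = "sha2-256"
    auth_method: str = "pre-share"
    lifetime: int = 86400

    def parameters(self):
        # Fields the responder compares. The number is local to each side and
        # the lifetime is deliberately left out of the comparison (assumption).
        return (self.encryption, self.dh_group, self.auth_algorithm, self.auth_method)


DEFAULT_PROPOSAL = IkeProposal(DEFAULT_NUMBER)


def offered_proposals(mode: str, local: List[IkeProposal],
                      specified: Optional[IkeProposal] = None) -> List[IkeProposal]:
    """Return the proposals an initiator puts on the wire for the given mode."""
    if specified is not None:
        return [specified]  # main or aggressive: only the referenced proposal is sent
    if mode == "main":
        # No proposal referenced: every configured proposal plus the built-in Default
        return sorted(local, key=lambda p: p.number) + [DEFAULT_PROPOSAL]
    if mode == "aggressive":
        return [DEFAULT_PROPOSAL]  # no proposal referenced: only Default is sent
    raise ValueError(f"unknown IKE negotiation mode: {mode}")


def select_proposal(responder: List[IkeProposal],
                    offered: List[IkeProposal]) -> Optional[IkeProposal]:
    """Responder side: first of its own proposals (highest priority first) that
    matches anything offered, or None when negotiation must fail."""
    offered_params = {p.parameters() for p in offered}
    for candidate in sorted(responder + [DEFAULT_PROPOSAL], key=lambda p: p.number):
        if candidate.parameters() in offered_params:
            return candidate
    return None


def negotiate(mode, initiator, responder, specified=None):
    """Convenience wrapper returning the responder's chosen proposal number or None."""
    chosen = select_proposal(responder, offered_proposals(mode, initiator, specified))
    return None if chosen is None else chosen.number


if __name__ == "__main__":
    ini = [IkeProposal(1, "aes-128", "group14", "sha2-512"), IkeProposal(2)]
    rsp = [IkeProposal(10), IkeProposal(20, "aes-128", "group14", "sha2-512")]
    # Main mode, nothing referenced: responder prefers its own proposal 10
    print("main, all offered   ->", negotiate("main", ini, rsp))
    # Main mode, initiator references proposal 1 only: no match on responder 10/20? 20 matches
    print("main, proposal 1    ->", negotiate("main", ini, rsp, specified=ini[0]))
    # Aggressive, nothing referenced: only Default is offered and matched
    print("aggressive, default ->", negotiate("aggressive", ini, rsp))
```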

Follow-up Procedure

Run the ike-proposal command in the IKE peer view to reference the IKE proposal.

Example

# Configure IKE proposal 10 and enter the IKE proposal view.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] 

ike-peer

Function

The ike-peer command references an IKE peer in an IPSec policy.

The undo ike-peer command cancels the configuration.

By default, no IKE peer is referenced.

Format

ike-peer peer-name

undo ike-peer

Parameters

Parameter

Description

Value
peer-name

Specifies the name of the referenced IKE peer.

The value is an existing IKE peer name.

Views

ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When you configure IKE negotiation, you need to reference an IKE peer in the specified view.

The remote IP address of the IKE peer referenced in an IPSec policy must be unique. You are advised to configure the remote address range of the IKE peer in an IPSec policy template.

Prerequisites

An IKE peer has been created using the ike peer command.

Follow-up Procedure

Run the ike-proposal command to reference a configured IKE proposal and run the remote-address (IKE peer view) command to configure the remote address or domain name.

Example

# Reference the IKE peer peer1 in the IPSec policy policy1.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] ike-peer peer1

# Reference the IKE peer peer1 in the IPSec profile profile1.

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] ike-peer peer1

ike-proposal

Function

The ike-proposal command configures an IKE proposal for an IKE peer.

The undo ike-proposal command cancels the configuration.

By default, an IKE peer does not reference an IKE proposal.

Format

ike-proposal proposal-number

undo ike-proposal

Parameters

Parameter

Description

Value

proposal-number

Specifies the number of the IKE proposal to be used. A smaller value indicates a higher priority.

The value is an integer that ranges from 1 to 99.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Configure an IKE proposal using the ike proposal command before using this command.

IKE proposal negotiation complies with the following principles:
  • If a configured IKE proposal is referenced in the IKE peer view, only the referenced proposal is sent during IKE negotiation, and the responder searches its IKE proposals for a match. If no match is found, the negotiation fails.
  • If no IKE proposal is referenced in the IKE peer view (for example, both pre-shared key and certificate authentication modes are supported), a maximum of 255 IKE proposals, within the device specifications, can be carried for IKE negotiation. The responder searches its IKE proposals for a match.

Example

# Configure IKE peer peer1 to reference an IKE proposal 10.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] ike-proposal 10

ikev1 phase1-phase2 sa dependent

Function

The ikev1 phase1-phase2 sa dependent command enables dependency between IPSec SA and IKE SA during IKEv1 negotiation.

The undo ikev1 phase1-phase2 sa dependent command cancels dependency between IPSec SA and IKE SA during IKEv1 negotiation.

By default, no dependency exists between IPSec SA and IKE SA during IKEv1 negotiation.

Format

ikev1 phase1-phase2 sa dependent

undo ikev1 phase1-phase2 sa dependent

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

During IKEv1 negotiation, an IKE SA is established in phase 1, and an IPSec SA is established in phase 2. By default, no dependency exists between the IPSec SA and the IKE SA, that is, the two SAs can be deleted separately. If the IKE SA is deleted but the corresponding IPSec SA still exists, traffic forwarding is affected. To prevent this problem, run this command to enable dependency between the IPSec SA and the IKE SA.

Example

# Enable dependency between IPSec SA and IKE SA during IKEv1 negotiation.

<Huawei> system-view
[Huawei] ikev1 phase1-phase2 sa dependent

ikev2 authentication sign-hash

Function

The ikev2 authentication sign-hash command configures the certificate signature algorithm used by IKEv2.

The undo ikev2 authentication sign-hash command restores the default configuration.

By default, the certificate signature algorithm used by IKEv2 is SHA2-256.

Only V200R010C10 and later versions support this command.

Format

ikev2 authentication sign-hash { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 }

undo ikev2 authentication sign-hash

Parameters

Parameter Description Value
md5 Specifies the certificate signature algorithm as MD5. -
sha1 Specifies the certificate signature algorithm as SHA1. -
sha2-256 Specifies the certificate signature algorithm as SHA2-256. -
sha2-384 Specifies the certificate signature algorithm as SHA2-384. -
sha2-512 Specifies the certificate signature algorithm as SHA2-512. -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In an IKEv2 certificate authentication scenario, if the device functions as the sender, it uses the configured algorithm to sign the certificate. If the algorithm the receiver uses to verify the signature differs from the one used by the sender, signature verification on the receiver fails, and IKEv2 negotiation between the two ends fails. If the device functions as the receiver, it searches for a matching algorithm to verify the signature of packets, in the following sequence: the sha2-256 algorithm, the configured algorithm, and then the other algorithms. If no matching algorithm is found, signature verification fails, and IKEv2 negotiation between the two ends fails. To prevent this problem, ensure that the certificate signature algorithms used on the two ends are the same.

Precautions

The following certificate signature algorithms are listed in descending order of security level: sha2-512, sha2-384, sha2-256, sha1, and md5.

Example

# Set the certificate signature algorithm used by IKEv2 as SHA2-256.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] ikev2 authentication sign-hash sha2-256

ikev2 initial-contact enable

Function

The ikev2 initial-contact enable command enables the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

The undo ikev2 initial-contact enable command disables the device from sending the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

By default, the device does not send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

Format

ikev2 initial-contact enable

undo ikev2 initial-contact enable

Parameters

None

Views

System View

Default Level

2: Configuration level

Usage Guidelines

The INITIAL_CONTACT notify payload asserts that an IKE SA is the only active IKE SA between a pair of IKE peers. By default, the device deletes the old IKE SA after the new IKE SA is created, even without receiving the INITIAL_CONTACT notify payload. When the remote end requires the INITIAL_CONTACT notify payload before it deletes the old IKE SA, configure this command.

When the local device restarts or expects to use the current IKE SA for establishing an IPSec tunnel only, run this command to enable the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request so that the remote device deletes the old IKE SA.

Example

# Enable the device to send the INITIAL_CONTACT notify payload in the first IKE_AUTH request.

<Huawei> system-view
[Huawei] ikev2 initial-contact enable

ikev2 id-match-certificate enable

Function

The ikev2 id-match-certificate enable command enables the device to check certificate identity information of the remote device during IKEv2 certificate negotiation.

The undo ikev2 id-match-certificate enable command disables the device from checking certificate identity information of the remote device during IKEv2 certificate negotiation.

By default, the device does not check certificate identity information of the remote device during IKEv2 certificate negotiation.

Format

ikev2 id-match-certificate enable

undo ikev2 id-match-certificate enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

By default, the device does not check certificate identity information of the remote device, such as the IP address, fully qualified domain name (FQDN), and email during IKEv2 certificate negotiation. If the certificate of a branch gateway is used by another device, it can establish an IPSec tunnel with the headquarters, causing security risks.

To prevent security risks, you can run the ikev2 id-match-certificate enable command to enable the local device to check certificate identity information of the remote device. If the information differs from the ID (IP address, FQDN, or User-FQDN) of the remote device, IKEv2 negotiation fails.

Precautions

You can run the display pki certificate command to view certificate identity information. The Subject field in the certificate corresponds to the DN, and the email corresponds to the User-FQDN.

Example

# Enable the device to check certificate identity information of the remote device during IKEv2 certificate negotiation.

<Huawei> system-view
[Huawei] ikev2 id-match-certificate enable

ikev2 prf aes-xcbc-128 compatible

Function

The ikev2 prf aes-xcbc-128 compatible command configures the IKEv2 PRF AES-XCBC-128 algorithm as a non-standard RFC algorithm.

The undo ikev2 prf aes-xcbc-128 compatible command restores the default configuration.

By default, the IKEv2 PRF AES-XCBC-128 algorithm is a standard RFC algorithm.

This command is supported in V200R010C10 and later versions.

Format

ikev2 prf aes-xcbc-128 compatible

undo ikev2 prf aes-xcbc-128 compatible

Parameters

None.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When the device is connected to a device running V200R007 or an earlier version, if both ends use the IKEv2 PRF AES-XCBC-128 algorithm, run the ikev2 prf aes-xcbc-128 compatible command on the local device to configure the IKEv2 PRF AES-XCBC-128 algorithm as a non-standard RFC algorithm. Otherwise, the two ends cannot establish an IPSec tunnel.

Example

# Configure the IKEv2 PRF AES-XCBC-128 algorithm as a non-standard RFC algorithm.

<Huawei> system-view
[Huawei] ikev2 prf aes-xcbc-128 compatible

inband crl

Function

The inband crl command configures the device to validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.

The undo inband crl command restores the default configuration.

By default, the device does not validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.

Format

inband crl

undo inband crl

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When IKEv2 uses RSA signature authentication and the CRL is used for certificate validation, if the CA server is located in the private network of the headquarters, the branch cannot directly communicate with the CA server to obtain the CRL. As a result, the branch cannot use the latest CRL to validate the certificate in the headquarters. To enable the branch to obtain the CRL of the headquarters through IKEv2, run the inband crl command on the branch. After receiving the CRL sent from the headquarters through IKEv2, the branch uses this CRL to validate the certificate in the headquarters. If the certificate is not in the CRL, the certificate is considered valid and identity authentication succeeds. The branch can negotiate with the headquarters to establish an IPSec tunnel.

Precautions

When you run both the inband crl and inband ocsp commands, the certificate is considered valid only when it passes the validity check in both OCSP and CRL modes.

The IKEv2 protocol defines the payload length as 2 bytes (that is, the maximum length is 65535). Therefore, when the CRL length exceeds 65535, IKEv2 cannot construct the CRL payload. As a result, the certificate validity check fails.
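The framing behind the precaution above, as an added example (not Huawei code): a CERT payload consists of the RFC 7296 generic payload header (Next Payload, critical bit, 16-bit Payload Length) followed by a one-byte Cert Encoding and the certificate data, so a CRL that does not fit the 16-bit length field cannot be carried in-band at all. The CRL and OCSP byte strings are constructed placeholders, not real DER, and the `certificate_accepted` helper models the "both CRL and OCSP must pass" rule from the Precautions.

```python
"""IKEv2 CERT payload framing and the 16-bit Payload Length limit.

Added example, not Huawei code. Constants come from RFC 7296 (payload type
37, Cert Encoding 4 and 7) and RFC 4806 (Cert Encoding 14, OCSP Content).
"""
import struct

PAYLOAD_TYPE_CERT = 37          # RFC 7296 payload type "Certificate"
CERT_ENCODING_X509_SIG = 4      # X.509 Certificate - Signature
CERT_ENCODING_CRL = 7           # Certificate Revocation List (CRL)
CERT_ENCODING_OCSP = 14         # OCSP Content (RFC 4806)
GENERIC_HEADER_LEN = 4          # Next Payload(1) | C+RESERVED(1) | Payload Length(2)
MAX_PAYLOAD_LEN = 0xFFFF        # Payload Length is a 16-bit field
# The header and the Cert Encoding byte are counted in Payload Length, so the
# largest CRL/OCSP blob that can ever be framed is 65535 - 4 - 1 bytes.
MAX_CERT_DATA_LEN = MAX_PAYLOAD_LEN - GENERIC_HEADER_LEN - 1


class PayloadTooLarge(ValueError):
    """Certificate Data does not fit the 16-bit Payload Length field."""


def build_cert_payload(encoding: int, data: bytes, next_payload: int = 0,
                       critical: bool = False) -> bytes:
    """Encode one CERT payload; raise PayloadTooLarge when the data cannot be framed."""
    if len(data) > MAX_CERT_DATA_LEN:
        raise PayloadTooLarge(
            f"{len(data)} bytes of certificate data; at most {MAX_CERT_DATA_LEN} fit")
    length = GENERIC_HEADER_LEN + 1 + len(data)
    flags = 0x80 if critical else 0x00          # C bit is the MSB of the second byte
    return struct.pack("!BBHB", next_payload, flags, length, encoding) + data


def parse_cert_payload(blob: bytes):
    """Decode one CERT payload; return (next_payload, encoding, data, remaining_bytes)."""
    if len(blob) < GENERIC_HEADER_LEN + 1:
        raise ValueError("truncated CERT payload header")
    next_payload, _flags, length, encoding = struct.unpack("!BBHB", blob[:5])
    if length < GENERIC_HEADER_LEN + 1 or length > len(blob):
        raise ValueError("Payload Length does not match the buffer")
    return next_payload, encoding, blob[5:length], blob[length:]


def crl_fits_inband(crl_der: bytes) -> bool:
    """True if a CRL of this size can be sent in a CERT payload at all."""
    return len(crl_der) <= MAX_CERT_DATA_LEN


def certificate_accepted(crl_enabled: bool, ocsp_enabled: bool,
                         crl_not_revoked: bool, ocsp_good: bool) -> bool:
    """Validity rule from the text: every enabled in-band check must pass.
    With neither check enabled this function does not decide (returns True)."""
    if crl_enabled and not crl_not_revoked:
        return False
    if ocsp_enabled and not ocsp_good:
        return False
    return True


if __name__ == "__main__":
    fake_crl = b"\x30\x03\x01\x01\xff"                 # constructed placeholder, not DER
    payload = build_cert_payload(CERT_ENCODING_CRL, fake_crl)
    print("payload bytes:", payload.hex())
    print("parsed:", parse_cert_payload(payload)[:2])
    big_crl = b"\x00" * (MAX_CERT_DATA_LEN + 1)        # constructed oversize CRL
    print("oversize CRL fits in-band:", crl_fits_inband(big_crl))
```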

Example

# Configure the device to validate the remote certificate based on the CRL sent from the remote device when IKEv2 uses RSA signature authentication.

<Huawei> system-view
[Huawei] ike peer mypeer
[Huawei-ike-peer-mypeer] version 2
[Huawei-ike-peer-mypeer] inband crl

inband ocsp

Function

The inband ocsp command configures the device to validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.

The undo inband ocsp command restores the default configuration.

By default, the device does not validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.

Format

inband ocsp

undo inband ocsp

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

When IKEv2 uses RSA signature authentication and OCSP is used for certificate validation, if the OCSP server is located in the private network of the headquarters, the branch cannot directly communicate with the OCSP server to validate the certificate in the headquarters. To enable the branch to obtain the OCSP validation result of the headquarters through IKEv2, run the inband ocsp command on the branch. After receiving the OCSP validation result sent from the headquarters through IKEv2, the branch uses the OCSP validation result to validate the certificate in the headquarters. If the OCSP validation result is valid, the certificate is considered valid and identity authentication succeeds. The branch can negotiate with the headquarters to establish an IPSec tunnel.

When you run both the inband ocsp and inband crl commands, the certificate is considered valid only when it passes the validity check in both OCSP and CRL modes.

Example

# Configure the device to validate the remote certificate based on the OCSP validation result sent from the remote device when IKEv2 uses RSA signature authentication.

<Huawei> system-view
[Huawei] ike peer mypeer
[Huawei-ike-peer-mypeer] version 2
[Huawei-ike-peer-mypeer] inband ocsp

integrity-algorithm

Function

The integrity-algorithm command configures an integrity algorithm for IKEv2 negotiation.

The undo integrity-algorithm command restores the default configuration.

By default, the HMAC-SHA2-256 integrity algorithm is used for IKEv2 negotiation.

Format

integrity-algorithm { aes-xcbc-96 | hmac-md5-96 | hmac-sha1-96 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 }

undo integrity-algorithm

Parameters

Parameter Description Value
aes-xcbc-96 Indicates that the integrity algorithm is AES-XCBC-96. -
hmac-md5-96 Indicates that the integrity algorithm is HMAC-MD5-96. -
hmac-sha1-96 Indicates that the integrity algorithm is HMAC-SHA1-96. -
hmac-sha2-256 Indicates that the integrity algorithm is HMAC-SHA2-256. -
hmac-sha2-384 Indicates that the integrity algorithm is HMAC-SHA2-384. -
hmac-sha2-512 Indicates that the integrity algorithm is HMAC-SHA2-512. -

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The integrity algorithms are listed as follows from the highest security level to the lowest security level: hmac-sha2-512 > hmac-sha2-384 > hmac-sha2-256 > aes-xcbc-96 > hmac-sha1-96 > hmac-md5-96.

Precautions

On the device running a version earlier than V200R008, the authentication-algorithm command serves the same function as the integrity-algorithm command.

Example

# Set the integrity algorithm to be used in IKEv2 proposal 10 to HMAC-SHA2-384.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] integrity-algorithm hmac-sha2-384

interface-assign

Function

The interface-assign command assigns an interface associated with an IKE user.

The undo interface-assign command deletes an interface associated with an IKE user.

By default, no interface on the device is associated with the IKE user.

Format

interface-assign interface-type interface-number

undo interface-assign

Parameters

Parameter

Description

Value

interface-type interface-number

Specifies the type and number of an interface.

Currently, the interface can only be a tunnel interface.

-

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

In a point-to-multipoint scenario, the device functions as the VPN gateway of the headquarters. The IKE user table in the headquarters contains multiple IKE users for managing parameters for interconnection between the headquarters and branches, such as the pre-shared key. If one IPSec profile in the headquarters is applied to multiple tunnel interfaces, IPSec negotiation may fail because the IKE peer in the headquarters fails to match the tunnel interface of each branch. In this case, you can run the interface-assign command to assign a tunnel interface associated with an IKE user, so that IKE users can successfully match tunnel interfaces of branches.

Example

# Assign an interface associated with the IKE user.

<Huawei> system-view
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] quit
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] interface-assign tunnel 0/0/1

interface tunnel-template

Function

The interface tunnel-template command creates a tunnel template interface and enters the tunnel template interface view.

The undo interface tunnel-template command deletes the tunnel template interface.

By default, no tunnel template interface exists.

Format

interface tunnel-template interface-number

undo interface tunnel-template interface-number

Parameters

Parameter

Description

Value

interface-number

Specifies the number of the tunnel template interface.

The value range depends on the device.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A virtual tunnel template interface is similar to a virtual tunnel interface. You can create a tunnel template interface on the headquarters gateway and then apply an IPSec profile to the tunnel template interface and the tunnel interface of the branch gateway respectively to enable the gateways to send or accept subnet route information.

Follow-up Procedure

After creating a tunnel template interface, run the tunnel-protocol ipsec command to set the encapsulation mode of the tunnel template interface to IPSec.

Example

# Create a tunnel template interface.

<Huawei> system-view
[Huawei] interface tunnel-template 1
[Huawei-Tunnel-Template1]

ip address

Function

The ip address command specifies the IP address of an allowed peer for IKE negotiation.

The undo ip address command deletes the IP address of an allowed peer.

By default, no IP address of an allowed peer for IKE negotiation is configured.

Format

ip address ip-address { mask | mask-length }

undo ip address ip-address { mask | mask-length }

Parameters

Parameter

Description

Value

ip-address { mask | mask-length }

Specifies the IP address of an allowed peer.

  • ip-address specifies the IP address.
  • mask specifies the mask of the IP address.
  • mask-length specifies the mask length of IP address.
  • The value of ip-address is in dotted decimal notation.
  • The value of mask is in dotted decimal notation.
  • The value of mask-length is an integer that ranges from 0 to 32.

Views

Identity filter set view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify an allowed peer based on the IP address (configured on a remote device for establishing an IPSec tunnel) in the identity filter set for IKE negotiation.

Precautions

An IPSec tunnel can be established only when the remote end matches one or more parameters in the identity filter set and the IPSec negotiation parameters at both ends are consistent.

If you run this command in the same view multiple times, all the configured addresses take effect; the latest configuration does not override earlier ones.

Example

# Configure the IP address 10.1.1.1 of an allowed peer for IKE negotiation.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] ip address 10.1.1.1 24

ip address ike-negotiated

Function

The ip address ike-negotiated command configures an IKE peer to request an IP address for an IPSec tunnel interface through IKEv2 negotiation.

The undo ip address ike-negotiated command cancels the configuration.

By default, an IKE peer does not request an IP address for an IPSec tunnel interface through IKEv2 negotiation.

Format

ip address ike-negotiated

undo ip address ike-negotiated

Parameters

None

Views

Tunnel interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After the ip address ike-negotiated command is used in scenarios where many branches connect to the headquarters, the headquarters pushes the IP address of the IPSec tunnel interface. This reduces the configuration and maintenance workload of branches.

Prerequisites

The tunneling protocol has been configured as IPSec on the IPSec tunnel interface using the tunnel-protocol ipsec command.

Precautions

If the ip address command has been used to configure an IP address for the IPSec tunnel interface, when you run the ip address ike-negotiated command, the system displays a message indicating a conflict. If the ip address ike-negotiated command has been configured on the IPSec tunnel interface, the ip address command executed later will take effect.

Example

# Configure an IKE peer to request an IP address for Tunnel0/0/1 through IKEv2 negotiation.

<Huawei> system-view
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol ipsec
[Huawei-Tunnel0/0/1] ip address ike-negotiated

ipsec anti-replay enable

Function

The ipsec anti-replay enable command enables the anti-replay function globally.

The undo ipsec anti-replay enable command disables the anti-replay function globally.

By default, the anti-replay function is enabled globally.

Format

ipsec anti-replay enable

undo ipsec anti-replay enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Replayed packets are packets that the device has already processed. IPSec detects them using a sliding window (the anti-replay window). AH and ESP packet headers carry 32-bit sequence numbers, and the sequence numbers of packets belonging to the same SA increase monotonically. If the sequence number of an authenticated packet is the same as that of a packet that has already been decapsulated, or the sequence number falls outside the sliding window, the packet is considered a replayed packet.

Decapsulating replayed packets consumes many resources and makes system performance deteriorate. Therefore, attackers may use replayed packets to initiate a DoS attack. After the anti-replay function is enabled, the system discards replayed packets to save system resources.

Precautions

Only SAs established in IKE negotiation mode support the anti-replay function. Manually configured SAs do not support the anti-replay function.

In some situations, for example, when network congestion occurs or QoS is applied to packets, some service data packets may arrive with sequence numbers out of the order seen for common data packets. A device with IPSec anti-replay enabled considers such packets replayed and discards them. To prevent packets from being discarded incorrectly, you can disable global IPSec anti-replay or adjust the IPSec anti-replay window size to meet service requirements.

Example

# Enable the anti-replay function globally.

<Huawei> system-view
[Huawei] ipsec anti-replay enable

ipsec anti-replay window

Function

The ipsec anti-replay window command sets the global IPSec anti-replay window size.

The undo ipsec anti-replay window command restores the default global IPSec anti-replay window size.

By default, the global IPSec anti-replay window size is 1024 bits.

Format

ipsec anti-replay window window-size

undo ipsec anti-replay window

Parameters

Parameter

Description

Value

window-size

Specifies the global IPSec anti-replay window size.

The value can be 32, 64, 128, 256, 512, or 1024, in bits.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In some situations, for example, when network congestion occurs or QoS is applied to packets, some service data packets may arrive with out-of-order sequence numbers. A device with IPSec anti-replay enabled considers such packets replayed and discards them. To prevent packets from being discarded incorrectly, you can disable global IPSec anti-replay or adjust the IPSec anti-replay window size to meet service requirements.
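The sliding-window check behind the ipsec anti-replay enable and ipsec anti-replay window commands, as an added example (not Huawei code): it implements the window algorithm from RFC 4303 Appendix A for 32-bit sequence numbers with the window sizes this command accepts, and runs constructed sequence numbers through it to show that a duplicate is always dropped while a late packet survives only if the window is at least as wide as the reordering distance. The `run_sequence` helper and the sample sequence numbers are constructed for the demonstration.

```python
"""Anti-replay sliding window for AH/ESP (RFC 4303 Appendix A style).

Added example, not Huawei code. Sequence-number wrap is not handled: without
ESN an SA must be rekeyed before its 32-bit counter wraps.
"""

VALID_WINDOW_SIZES = (32, 64, 128, 256, 512, 1024)   # values accepted by the command
SEQ_MODULUS = 1 << 32                                # 32-bit AH/ESP sequence numbers


class AntiReplayWindow:
    """Per-SA replay state: highest sequence number seen plus a bitmap of the
    last `size` sequence numbers (bit i set => highest - i was received)."""

    def __init__(self, size: int = 1024):
        if size not in VALID_WINDOW_SIZES:
            raise ValueError(f"window size must be one of {VALID_WINDOW_SIZES}")
        self.size = size
        self.highest = 0
        self.bitmap = 0
        self.dropped = []            # (seq, reason) pairs, useful for counters/logging

    def check(self, seq: int) -> bool:
        """Return True and record seq if it is acceptable; False for a replay,
        a packet older than the window, or an invalid sequence number."""
        if not 0 < seq < SEQ_MODULUS:            # first packet of an SA has seq 1
            self.dropped.append((seq, "invalid"))
            return False
        if seq > self.highest:
            # Newer than anything seen: slide the window to the right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                  # everything in the old window is now too old
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            self.dropped.append((seq, "outside window"))   # too old: treated as replay
            return False
        if self.bitmap & (1 << offset):
            self.dropped.append((seq, "duplicate"))        # already decapsulated
            return False
        self.bitmap |= 1 << offset                         # late but new: accept it
        return True


def run_sequence(size: int, seqs):
    """Feed a list of sequence numbers through a fresh window of the given size.
    Returns (accepted_sequence_numbers, dropped_pairs)."""
    window = AntiReplayWindow(size)
    accepted = [s for s in seqs if window.check(s)]
    return accepted, window.dropped


if __name__ == "__main__":
    # Constructed arrival order: in-order burst, a replayed 2, a jump to 100,
    # then a QoS-delayed packet 60 arriving 40 positions late.
    arrivals = [1, 2, 3, 4, 5, 2, 100, 60]
    for size in (32, 64):
        ok, dropped = run_sequence(size, arrivals)
        print(f"window {size:4d}: accepted={ok} dropped={dropped}")
```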

Prerequisites

The anti-replay function has been enabled. By default, the anti-replay function is enabled (through the ipsec anti-replay enable command).

Precautions

When both anti-replay window and ipsec anti-replay window are used, the anti-replay window command takes effect. When anti-replay window is not configured, the ipsec anti-replay window command takes effect.

Example

# Set the global IPSec anti-replay window size to 128 bits.

<Huawei> system-view
[Huawei] ipsec anti-replay window 128 

ipsec authentication sha2 compatible enable

Function

The ipsec authentication sha2 compatible enable command enables SHA-2 to be compatible with RFC standard algorithm versions.

The undo ipsec authentication sha2 compatible enable command disables SHA-2 from being compatible with RFC standard algorithm versions.

By default, the SHA-2 algorithm is not compatible with RFC standard algorithm versions.

Format

ipsec authentication sha2 compatible enable

undo ipsec authentication sha2 compatible enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When IPSec uses the SHA-2 algorithm, if the devices on two ends of an IPSec tunnel are from different vendors or run different software versions, they may use different encryption and decryption methods. In this situation, traffic between devices is interrupted.

To solve this problem, run the ipsec authentication sha2 compatible enable command to enable SHA-2 to be compatible with RFC standard algorithm versions.

Precautions

When AR routers are interconnected, ensure that the configurations on both ends are the same; otherwise, IPSec traffic fails to be transmitted.

This function takes effect only after you run the reset ike sa command.

Example

# Enable the SHA-2 algorithm to be compatible with RFC standard algorithm versions.

<Huawei> system-view
[Huawei] ipsec authentication sha2 compatible enable

ipsec decrypt check

Function

The ipsec decrypt check command enables a device to check decrypted IPSec packets.

The undo ipsec decrypt check command disables a device from checking decrypted IPSec packets.

By default, the device does not check decrypted IPSec packets.

Format

ipsec decrypt check

undo ipsec decrypt check

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

In tunnel mode, the IP header of a decrypted IPSec packet received on the inbound SA may fall outside the range defined in the ACL; for example, the IP header of an attack packet may be out of the range defined in the ACL. Therefore, the device checks whether the IP header of the decrypted IPSec packet is in the range defined by the ACL. If the decrypted packet matches a permit clause, the device continues to process it; if it does not match a permit clause, the device discards it. Discarding IPSec packets that fail the ACL check improves network security.

When establishing an IPSec tunnel using a tunnel interface, if the ipsec decrypt check command is executed in the system view, packets decrypted by IPSec are checked against the ACL rules. Note the following points:
  • When the encapsulation mode is set to IPSec, the source and destination addresses in the ACL are both any, indicating that all data flows destined for the IPSec tunnel interface are protected.
  • When the encapsulation mode is set to GRE, the source and destination addresses in the ACL are the source and destination addresses of the IPSec tunnel interface respectively.
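The following Python model of the post-decryption check is an added example, not code from the Huawei documentation. It parses the inner IPv4 header exposed by tunnel-mode decryption, looks it up in a constructed permit list (CIDR networks stand in for the device's numbered advanced ACL rules, an assumption), and applies the any/any or tunnel source/destination rule described for tunnel interfaces.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass
class AclRule:
    """Constructed model of one ACL rule (CIDR instead of wildcard masks: assumption)."""
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


ANY = ipaddress.IPv4Network("0.0.0.0/0")


def parse_inner_ipv4(payload: bytes):
    """Source and destination of the inner IPv4 header that decryption exposes (tunnel mode)."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("decrypted payload does not start with an IPv4 header")
    src, dst = struct.unpack("!4s4s", payload[12:20])
    return ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)


def acl_lookup(rules, src, dst) -> str:
    """First matching rule wins; a packet that matches no rule is treated as denied."""
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action
    return "deny"


def decrypt_check(rules, payload: bytes, check_enabled: bool = True) -> str:
    """What the inbound path does with a decrypted packet.

    check_enabled=False models the default (undo ipsec decrypt check): the inner
    packet is forwarded without consulting the ACL. With the check enabled the
    packet is forwarded only if the inner header hits a permit clause.
    """
    if not check_enabled:
        return "forward"
    src, dst = parse_inner_ipv4(payload)
    return "forward" if acl_lookup(rules, src, dst) == "permit" else "discard"


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed minimal IPv4 header (no options, checksum left zero) for sample packets."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return header + payload


def tunnel_interface_acl(mode: str, tunnel_src: str = "", tunnel_dst: str = ""):
    """ACL applied when the tunnel is built on a tunnel interface:
    IPSec encapsulation -> any/any; GRE encapsulation -> tunnel source/destination."""
    if mode == "ipsec":
        return [AclRule("permit", ANY, ANY)]
    if mode == "gre":
        return [AclRule("permit", ipaddress.IPv4Network(tunnel_src + "/32"),
                        ipaddress.IPv4Network(tunnel_dst + "/32"))]
    raise ValueError("mode must be 'ipsec' or 'gre'")


# Constructed policy ACL: the IPSec policy protects 10.1.1.0/24 <-> 10.2.2.0/24.
BRANCH_ACL = [AclRule("permit", ipaddress.IPv4Network("10.1.1.0/24"),
                      ipaddress.IPv4Network("10.2.2.0/24"))]

if __name__ == "__main__":
    inside = build_ipv4("10.1.1.5", "10.2.2.9")
    outside = build_ipv4("192.0.2.7", "10.2.2.9")   # inner header outside the protected range
    print(decrypt_check(BRANCH_ACL, inside))           # forward
    print(decrypt_check(BRANCH_ACL, outside))          # discard
    print(decrypt_check(BRANCH_ACL, outside, False))   # forward: check disabled (default)
```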

Example

# Disable the device from checking decrypted IPSec packets.

<Huawei> system-view
[Huawei] undo ipsec decrypt check

ipsec df-bit

Function

The ipsec df-bit command sets the don't fragment (DF) flag bit in an IPSec or an A2A VPN packet.

By default, the DF flag bit in an IPSec or an A2A VPN packet is the flag bit of the original packet.

Format

ipsec df-bit { clear | set | copy }

Parameters

Parameter Description Value
clear Sets the DF flag bit to 0, indicating that IP packets can be fragmented. -
set Sets the DF flag bit to 1, indicating that IP packets cannot be fragmented. -
copy Uses the flag bit of the original packet. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an original packet is encapsulated, the packet length may exceed the MTU of the device outbound interface. To prevent packet loss, fragment the packets.

Precautions

If you run the ipsec df-bit command multiple times, only the latest configuration takes effect.

Example

# Set the DF flag bit to 0 in an IPSec or an A2A VPN packet.

<Huawei> system-view
[Huawei] ipsec df-bit clear

ipsec efficient-vpn (interface view)

Function

The ipsec efficient-vpn command binds an Efficient VPN policy to an interface.

The undo ipsec efficient-vpn command deletes the Efficient VPN policy from an interface.

By default, no Efficient VPN policy is applied to an interface.

Format

ipsec efficient-vpn efficient-vpn-name

undo ipsec efficient-vpn

Parameters

Parameter Description Value
efficient-vpn-name Specifies the name of an Efficient VPN policy. The value is an existing Efficient VPN policy name.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be configured on the branch and headquarters gateways. The Efficient VPN solution uses centralized IPSec configurations on the headquarters gateway and simplified IPSec configuration on each branch gateway. This solution reduces the manual configuration workload, and facilitates IPSec VPN configuration and maintenance.

Prerequisites

An Efficient VPN policy has been created using the ipsec efficient-vpn (system view) command.

Precautions

If an Efficient VPN policy is used to establish an IPSec tunnel between the enterprise branch and headquarters, apply the Efficient VPN policy to the branch gateway and use an IPSec policy template on the headquarters gateway to create an IPSec policy.

Example

# Apply the Efficient VPN policy named evpn to Ethernet 1/0/2.
<Huawei> system-view
[Huawei] interface ethernet 1/0/2
[Huawei-Ethernet1/0/2] ipsec efficient-vpn evpn

ipsec efficient-vpn (system view)

Function

The ipsec efficient-vpn command creates an IPSec Efficient VPN policy and displays the IPSec Efficient VPN policy view.

The undo ipsec efficient-vpn command deletes an IPSec Efficient VPN policy.

By default, no IPSec Efficient VPN policy is created in the system.

Format

ipsec efficient-vpn efficient-vpn-name [ mode { client | network | network-auto-cfg | network-plus } ]

undo ipsec efficient-vpn efficient-vpn-name

Parameters

Parameter Description Value
efficient-vpn-name Specifies the name of an Efficient VPN policy. The value is a string of 1 to 12 case-sensitive characters without question marks (?) or spaces.
mode Specifies the mode of the Efficient VPN policy. -
client Indicates the client mode. -
network Indicates the network mode. -
network-auto-cfg Indicates the network-auto-cfg mode. The network-auto-cfg mode is supported in IKEv1 only. -
network-plus Indicates the network-plus mode. -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When many branches and traveling staff connect to the headquarters over IPSec tunnels, similar or duplicate IPSec configurations and other network resource configurations must be configured on the branch and headquarters gateways. The Efficient VPN solution uses centralized IPSec configurations on the headquarters gateway and simplified IPSec configuration on each branch gateway. This solution reduces the manual configuration workload, and facilitates IPSec VPN configuration and maintenance.

The Efficient VPN policy has the following modes:

  • Client mode

    When a remote device requests an IP address from the Efficient VPN server, a loopback interface is dynamically created on the remote device and the IP address obtained from the server is assigned to the loopback interface. The remote device automatically enables NAT to translate its original IP address into the obtained IP address, and then uses this IP address to establish an IPSec tunnel with the headquarters.

    The client mode applies to scenarios where traveling staff or small-scale branches connect to the headquarters network through private networks. In client mode, devices connected to the Efficient VPN server or remote devices can use the same IP address. However, the number of devices allowed depends on the number of IP addresses assigned by the Efficient VPN server.

  • Network mode

    In network mode, a remote device does not apply to the Efficient VPN server for an IP address. Instead, the remote device uses the original IP address to establish an IPSec tunnel with the headquarters. Therefore, NAT is not automatically enabled in network mode.

    The network mode applies to scenarios where IP addresses of the headquarters and branches are planned uniformly. Ensure that IP addresses do not conflict.

  • Network-plus mode

    Unlike in network mode, in network-plus mode the remote device applies to the Efficient VPN server for an IP address. IP addresses of branches and headquarters are configured beforehand. The Efficient VPN server uses the assigned IP address to perform ping, Telnet, or other management and maintenance operations on the remote device. NAT is not automatically enabled on the remote device.

  • Network-auto-cfg mode

    Unlike in network-plus mode, in network-auto-cfg mode the remote device applies to the Efficient VPN server for an IP address pool, which is used to allocate addresses to users.

Follow-up Procedure

Configure negotiation parameters of Efficient VPN in the Efficient VPN policy view, and use the ipsec efficient-vpn (interface view) command to bind the Efficient VPN policy to an interface.

Example

# Create the Efficient VPN policy named vpn1 in client mode.

<Huawei> system-view
[Huawei] ipsec efficient-vpn vpn1 mode client
[Huawei-ipsec-efficient-vpn-vpn1]

ipsec fragmentation before-encryption

Function

The ipsec fragmentation before-encryption command sets the fragmentation mode of packets to fragmentation before encryption for all IPSec tunnels or an A2A VPN.

The undo ipsec fragmentation before-encryption command restores the default packet fragmentation mode.

By default, the packet fragmentation mode for all IPSec tunnels or an A2A VPN is fragmentation after encryption.

Format

ipsec fragmentation before-encryption

undo ipsec fragmentation before-encryption

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an original packet is encapsulated, the packet length may exceed the MTU of the device outbound interface. To prevent packet loss, the device fragments the packets. Two fragmentation modes are available:
  • Fragmentation before encryption: Before encapsulation, the encryption device calculates the predicted encapsulated packet length. If the predicted length is larger than the MTU of the outbound interface, the encryption device fragments the packets first and then encrypts the fragments. In this case, reassembly is left to the terminal host rather than the decryption device, reducing the CPU usage on the decryption device.

  • Fragmentation after encryption: If the size of the encapsulated VPN packets exceeds the MTU of the outbound interface, the encryption device fragments the packets based on the MTU of the outbound interface. In this case, the peer decryption device assembles and decrypts VPN fragments and then sends decrypted packets to the terminal host.

Precautions

Before IPSec packets can be fragmented, the ipsec df-bit command must be configured to permit IPSec packet fragmentation.

This command only specifies how the IPSec tunnels process packets. Whether a packet is actually fragmented depends on:
  • The DF bit in the IP header of the original packet if the fragmentation before encryption mode is selected
  • The DF bit in the IPSec header if the fragmentation after encryption mode is selected

For the established IPSec tunnels, you need to restart them after running this command. Otherwise, the command function does not take effect.
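As an added example (not from the Huawei documentation), the Python below models the two fragmentation modes together with the DF bit handling of ipsec df-bit: it predicts the ESP tunnel-mode length of a packet, decides whether the original or the IPSec header's DF bit blocks fragmentation, and reports how many fragments result and which side reassembles them. The ESP overhead constants assume AES-CBC with HMAC-SHA1-96; other algorithms change the numbers but not the logic.

```python
import math

OUTER_IP = 20   # new IPv4 header prepended in tunnel mode
ESP_HDR = 8     # SPI + sequence number
IV_LEN = 16     # IV of the assumed cipher (AES-CBC)
BLOCK = 16      # cipher block size; inner packet + trailer is padded to it (assumption)
ICV_LEN = 12    # ICV of the assumed integrity algorithm (HMAC-SHA1-96)


def esp_tunnel_length(inner_len: int) -> int:
    """Predicted on-the-wire length of an ESP tunnel-mode packet carrying inner_len bytes."""
    body = inner_len + 2                 # + pad length + next header trailer
    body += (-body) % BLOCK              # pad up to the cipher block size
    return OUTER_IP + ESP_HDR + IV_LEN + body + ICV_LEN


def outer_df(orig_df: bool, df_bit_mode: str) -> bool:
    """DF bit written into the IPSec (outer) header by ipsec df-bit { clear | set | copy }."""
    return {"clear": False, "set": True, "copy": orig_df}[df_bit_mode]


def largest_inner_fragment(mtu: int) -> int:
    """Largest inner IPv4 packet whose ESP encapsulation still fits the MTU; its data
    part must be a multiple of 8 bytes, as IPv4 fragment offsets require."""
    for length in range(mtu, 20, -1):
        if (length - 20) % 8 == 0 and esp_tunnel_length(length) <= mtu:
            return length
    raise ValueError("MTU too small for any ESP fragment")


def fragment_plan(inner_len: int, orig_df: bool, df_bit_mode: str, mode: str, mtu: int) -> dict:
    """Outcome for one original packet under the configured fragmentation mode."""
    outer_len = esp_tunnel_length(inner_len)
    if outer_len <= mtu:
        return {"action": "send", "fragments": 1, "reassembled_by": None}
    if mode == "before-encryption":
        if orig_df:                       # the DF bit of the original packet governs
            return {"action": "cannot-fragment", "fragments": 0, "reassembled_by": None}
        piece = largest_inner_fragment(mtu)
        n = math.ceil((inner_len - 20) / (piece - 20))
        return {"action": "fragment-plaintext", "fragments": n, "reassembled_by": "terminal host"}
    if mode == "after-encryption":
        if outer_df(orig_df, df_bit_mode):  # the DF bit of the IPSec header governs
            return {"action": "cannot-fragment", "fragments": 0, "reassembled_by": None}
        per_frag = ((mtu - OUTER_IP) // 8) * 8
        n = math.ceil((outer_len - OUTER_IP) / per_frag)
        return {"action": "fragment-ciphertext", "fragments": n, "reassembled_by": "decryption device"}
    raise ValueError("mode must be 'before-encryption' or 'after-encryption'")


if __name__ == "__main__":
    # A full-size 1500-byte packet on a 1500-byte MTU: ESP overhead forces fragmentation.
    for mode in ("before-encryption", "after-encryption"):
        print(mode, fragment_plan(1500, False, "copy", mode, 1500))
    # DF set on the original packet with the default df-bit copy: nothing can be fragmented.
    print(fragment_plan(1500, True, "copy", "after-encryption", 1500))
    # df-bit clear lets ciphertext fragmentation proceed even though the original had DF set.
    print(fragment_plan(1500, True, "clear", "after-encryption", 1500))
```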

Example

# Set the fragmentation mode of IPSec or A2A VPN packets to fragmentation before encryption.

<Huawei> system-view
[Huawei] ipsec fragmentation before-encryption

ipsec invalid-spi-recovery enable

Function

The ipsec invalid-spi-recovery enable command enables the invalid SPI recovery function.

The undo ipsec invalid-spi-recovery enable command disables the invalid SPI recovery function.

By default, the invalid SPI recovery function is disabled.

Format

ipsec invalid-spi-recovery enable

undo ipsec invalid-spi-recovery enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Suppose the IPSec SA is lost on Gateway_1 at one end of an IPSec tunnel while the corresponding IKE SA still exists on Gateway_1, and Gateway_2 at the other end of the tunnel still maintains the IPSec SA. If Gateway_1 receives IPSec packets that Gateway_2 encapsulated using that IPSec SA, Gateway_1 discards them because it cannot find the corresponding IPSec SA. At the same time, Gateway_1 sends a DELETE SA INFORMATIONAL message to Gateway_2 by default. After receiving the message, Gateway_2 immediately deletes the IPSec SA matching the invalid SPI. When Gateway_2 continues sending IPSec packets to Gateway_1, the two ends re-negotiate an IPSec SA to restore the IPSec service.

However, when neither IKE SA nor IPSec SA exists on Gateway_1, Gateway_1 does not send a DELETE SA INFORMATIONAL message to Gateway_2 until dead peer detection (DPD) shows that the IPSec SA is invalid or the SA lifetime has expired. This causes lengthy IPSec service interruption. In this case, you can enable the invalid SPI recovery function to solve the problem. When Gateway_1 sends IPSec packets to Gateway_2, the two ends re-negotiate an IPSec SA to restore the IPSec service.

Precautions

The invalid SPI recovery function may expose the device to denial of service (DoS) attacks.

When the device uses an IPSec policy configured using an IPSec policy template or has the respond-only enable command configured, the ipsec invalid-spi-recovery enable command does not take effect.

Example

# Enable the invalid SPI recovery function.

<Huawei> system-view
[Huawei] ipsec invalid-spi-recovery enable

ipsec nat-traversal source-port

Function

The ipsec nat-traversal source-port command configures a UDP port number for IPSec NAT traversal.

The undo ipsec nat-traversal source-port command restores the default UDP port number for IPSec NAT traversal.

By default, the UDP port number for IPSec NAT traversal is 4500.

Format

ipsec nat-traversal source-port port-number

undo ipsec nat-traversal source-port

Parameters

Parameter Description Value
port-number Specifies the UDP port number for IPSec NAT traversal. The value is an integer that ranges from 4501 to 49151.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, IPSec NAT traversal uses UDP port 4500. If you want to use another UDP port for IPSec NAT traversal, run the ipsec nat-traversal source-port command.

Example

# Set a UDP port number for IPSec NAT traversal.

<Huawei> system-view
[Huawei] ipsec nat-traversal source-port 4510

ipsec netmask

Function

The ipsec netmask command configures the IPSec mask filtering function.

The undo ipsec netmask command deletes the IPSec mask filtering function.

By default, IPSec mask filtering is not configured in the system.

Format

ipsec netmask { source source-mask | [ source source-mask ] destination destination-mask }

undo ipsec netmask [ source | destination ]

Parameters

Parameter Description Value
source source-mask Specifies the source IPv4 address mask of data flows. The value is an integer in the range from 1 to 32.
destination destination-mask Specifies the destination IPv4 address mask of data flows. The value is an integer in the range from 1 to 32.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In scenarios where branches connect to the headquarters, if a branch is configured with an overly large range of protected data flows, traffic of other branches may be incorrectly diverted to that branch. In this case, you can run the ipsec netmask command to check and restrict the flow information negotiated for the IPSec tunnel. After this function is configured, the device checks the source and destination IP address masks proposed by the peer device. If the mask values are greater than or equal to the configured values, negotiation continues. Otherwise, the IPSec SA negotiation fails.

Precautions

The device checks and restricts the negotiated flow information only when it uses an IPSec policy template.
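The Python below is an added example (not the device's own logic) of the mask check a headquarters responder performs under ipsec netmask: each branch's proposed source and destination flow is reduced to its prefix length and compared with the configured minimums, a side that is not configured is not checked (assumption), and the check is skipped unless the responder uses an IPSec policy template. The branch proposals are constructed sample data.

```python
import ipaddress
from typing import Optional


def ipsec_netmask(source: Optional[int] = None, destination: Optional[int] = None) -> dict:
    """Configured state of 'ipsec netmask { source m | [ source m ] destination n }'."""
    if source is None and destination is None:
        raise ValueError("at least one of source/destination must be configured")
    for mask in (source, destination):
        if mask is not None and not 1 <= mask <= 32:
            raise ValueError("mask length must be in the range 1 to 32")
    return {"source": source, "destination": destination}


def netmask_check(config: dict, peer_src_flow: str, peer_dst_flow: str,
                  uses_template: bool = True) -> bool:
    """True if IPSec SA negotiation may continue.

    The prefix lengths of the flows proposed by the peer must be >= the configured
    minimums, i.e. the peer may not claim a wider range than allowed. The device only
    applies the check when it negotiates through an IPSec policy template.
    """
    if not uses_template:
        return True
    src_len = ipaddress.IPv4Network(peer_src_flow).prefixlen
    dst_len = ipaddress.IPv4Network(peer_dst_flow).prefixlen
    if config["source"] is not None and src_len < config["source"]:
        return False
    if config["destination"] is not None and dst_len < config["destination"]:
        return False
    return True


def screen_branches(config: dict, proposals: dict) -> list:
    """Names of the branches whose proposed flows would fail the mask check."""
    return sorted(name for name, (src, dst) in proposals.items()
                  if not netmask_check(config, src, dst))


# Constructed proposals from three branches (source flow, destination flow).
PROPOSALS = {
    "branch_a": ("10.1.1.0/24", "10.2.2.0/24"),
    "branch_b": ("10.0.0.0/8", "10.2.2.0/24"),    # a /8 would also cover the other branches
    "branch_c": ("10.1.3.0/26", "10.2.2.0/24"),
}
HQ_CONFIG = ipsec_netmask(source=24, destination=24)   # as in the page's example

if __name__ == "__main__":
    print(screen_branches(HQ_CONFIG, PROPOSALS))   # ['branch_b']
```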

Example

# Configure the IPSec mask filtering function.

<Huawei> system-view
[Huawei] ipsec netmask source 24 destination 24

ipsec policy shared

Function

The ipsec policy shared command configures a security policy as a multi-link shared security policy.

The undo ipsec policy shared command cancels the configuration of a security policy as a multi-link shared security policy.

By default, no security policy is configured as a multi-link shared security policy.

Format

ipsec policy policy-name shared local-interface loopback interface-number

undo ipsec policy policy-name shared

Parameters

Parameter Description Value
policy-name Specifies the name of a security policy. The security policy must have been configured in the system view. The value is a string of 1 to 15 case-sensitive characters without question marks (?) or spaces.
local-interface loopback interface-number Specifies the loopback interface number. The loopback interface must have been created. The value is an integer that ranges from 0 to 1023.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

To improve network reliability, the enterprise gateway often connects to the Internet Service Provider (ISP) through two egress links, which work in backup or load balancing mode. When the two outbound interfaces are configured with IPSec policies that have the same parameter settings, services need to be switched smoothly between the two links. The two outbound interfaces negotiate with their peers to establish IPSec SAs separately. When one interface alternates between Up and Down states and an active/standby switchover occurs, the two peers need to perform IKE negotiation again to generate IPSec SAs. The IKE re-negotiation interrupts IPSec services for a short time.

You can configure a multi-link shared security policy and use a loopback interface on the local device to establish an IPSec tunnel with the remote device. When an active/standby switchover occurs, IPSec services are not interrupted. The two IPSec-enabled physical interfaces share the same IPSec SA. When services are switched between links corresponding to the physical interfaces, the IPSec SA is not deleted as long as the loopback interface status remains unchanged. In addition, IKE re-negotiation is not required because the same IPSec SA is used to protect IPSec services.

In an A2A VPN scenario, a GDOI policy can also be configured as a multi-link shared security policy. GMs then register with the KS using loopback interfaces and negotiate to generate one KEK SA. In this manner, multiple interfaces to which the GDOI policy is applied share the same KEK SA.

Precautions

One loopback interface maps to only one multi-link shared security policy.

Example

# Configure an IPSec policy as a multi-link shared security policy.
<Huawei> system-view
[Huawei] interface loopback 0
[Huawei-LoopBack0] quit
[Huawei] ipsec policy policy1 11 isakmp
[Huawei-ipsec-policy-isakmp-policy1-11] quit
[Huawei] ipsec policy policy1 shared local-interface loopback 0
# Configure a GDOI policy as a multi-link shared security policy.
<Huawei> system-view
[Huawei] interface loopback 1
[Huawei-LoopBack1] quit
[Huawei] ipsec policy policy2 12 gdoi
[Huawei-ipsec-policy-gdoi-policy2-12] quit
[Huawei] ipsec policy policy2 shared local-interface loopback 1

ipsec policy (interface view)

Function

The ipsec policy command binds an IPSec policy group to an interface.

The undo ipsec policy command unbinds an IPSec policy group from an interface.

By default, no IPSec policy group is bound to an interface.

Format

ipsec policy policy-name

undo ipsec policy

Parameters

Parameter Description Value
policy-name Specifies the name of an IPSec policy group bound to an interface. The value must be the name of an existing IPSec policy group on the device.

Views

Interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can bind an IPSec policy group to a physical or logical interface to protect data flows. In addition to physical interfaces such as serial interfaces and Ethernet interfaces, you can bind an IPSec policy group to virtual interfaces such as Tunnel interfaces. IPSec policy groups can be used according to actual networking requirements. If an IPSec policy group is unbound from an interface, the interface cannot provide IPSec functions.

After an IPSec policy group is bound to an interface, all IPSec policies in the group are bound to the interface to protect different data flows.

When sending a packet, an interface matches the packet against the IPSec policies in the IPSec policy group in ascending order of sequence number. If the packet matches the ACL referenced by an IPSec policy, the packet is processed based on that IPSec policy. If the packet does not match an IPSec policy, the interface checks the next policy. If no matching ACL is found after all IPSec policies are checked, the interface sends the packet directly without IPSec protection.

Precautions

An IPSec policy group cannot be bound to a VLANIF interface or a loopback interface.

Only one IPSec policy group can be bound to an interface, and an IPSec policy group can be bound to only one interface. To bind a new IPSec policy group to an interface, remove the previous one first.

When an IPSec policy group contains both an IPSec policy configured using an IPSec policy template and an IPSec policy in ISAKMP mode, to match the IPSec policy in ISAKMP mode, ensure that the sequence number of the IPSec policy in ISAKMP mode is smaller than that of the IPSec policy configured using an IPSec policy template.

In an IPSec policy group, if multiple policies are bound to different IKE peers, the remote addresses specified in the IKE peers cannot be the same. Otherwise, IKE negotiation of some IPSec policies fails.

If multiple IPSec policies are bound to the same IKE peer in an IPSec policy group, the same tunnel local address must be configured for these IPSec policies. Otherwise, IKE negotiation of some IPSec policies fails.

When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the undo ipsec policy command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

In the PPPoE scenario, the application of IPSec policies on the VT interface of the PPPoE server is not supported.

A tunnel interface and the source interface that is referenced by the tunnel interface cannot be both bound to IPSec policies.
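As an added example (not the device's own implementation), the Python below models the outbound matching described above, trying the policies of a group in ascending sequence number and sending unmatched traffic in the clear, and adds a configuration lint for the precautions on this page: one group name, unique sequence numbers, at most one template policy, and ISAKMP sequence numbers below the template's. The policy group and flows are constructed sample data; a template policy is modelled as having no ACL of its own.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Flow:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class IpsecPolicy:
    name: str                                   # policy group name
    seq: int                                    # 1..10000, smaller = higher priority
    mode: str                                   # "manual", "isakmp" or "template"
    acl: List[Flow] = field(default_factory=list)   # permit entries of the referenced ACL


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


def match_policy(group: List[IpsecPolicy], src: str, dst: str) -> Optional[IpsecPolicy]:
    """Outbound matching on the bound interface: policies are tried in ascending
    sequence number and the first ACL hit decides; None means 'send without IPSec'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for pol in sorted(group, key=lambda p: p.seq):
        if any(s in f.src and d in f.dst for f in pol.acl):
            return pol
    return None


def lint_group(group: List[IpsecPolicy]) -> List[str]:
    """Checks derived from the precautions of this command."""
    problems = []
    names = {p.name for p in group}
    if len(names) != 1:
        problems.append(f"policies from several groups mixed: {sorted(names)}")
    seqs = [p.seq for p in group]
    if len(seqs) != len(set(seqs)):
        problems.append("duplicate sequence numbers in the group")
    templates = [p for p in group if p.mode == "template"]
    if len(templates) > 1:
        problems.append("more than one IPSec policy template in the group")
    if templates:
        tseq = templates[0].seq
        for p in group:
            if p.mode == "isakmp" and p.seq > tseq:
                problems.append(f"isakmp policy seq {p.seq} is higher than template seq {tseq}; "
                                "the ISAKMP policy cannot be matched ahead of the template")
    return problems


# Constructed policy group 'policy1' (listed out of order on purpose).
GROUP = [
    IpsecPolicy("policy1", 2, "isakmp", [Flow(net("10.1.1.0/24"), net("10.3.3.0/24"))]),
    IpsecPolicy("policy1", 1, "isakmp", [Flow(net("10.1.1.0/24"), net("10.2.2.0/24"))]),
    IpsecPolicy("policy1", 100, "template"),   # no ACL of its own; flows come from the initiator
]

if __name__ == "__main__":
    for src, dst in (("10.1.1.5", "10.2.2.7"), ("10.1.1.5", "10.3.3.7"), ("192.0.2.1", "10.2.2.7")):
        hit = match_policy(GROUP, src, dst)
        print(src, "->", dst, "seq", hit.seq if hit else "none (sent in clear)")
    print(lint_group(GROUP))   # []
```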

Example

# Apply the IPSec policy group policy1 to Eth1/0/2.
<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] quit
[Huawei] interface ethernet 1/0/2
[Huawei-Ethernet1/0/2] ipsec policy policy1

ipsec policy (system view)

Function

The ipsec policy command creates an IPSec policy and displays the IPSec policy view.

The undo ipsec policy command deletes an IPSec policy.

By default, no IPSec policy is configured.

Format

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

undo ipsec policy policy-name [ seq-number ]

Parameters

Parameter Description Value
policy-name Specifies the name of an IPSec policy. The value is a string of 1 to 15 case-sensitive characters without question marks (?) and spaces.
seq-number Specifies the sequence number of an IPSec policy. The value is an integer that ranges from 1 to 10000. A smaller value indicates a higher IPSec policy priority.
manual Indicates that an IPSec SA is created manually. -
isakmp Indicates that an IPSec policy is established in IKE negotiation mode. -
template template-name Indicates that an IPSec policy is established by referencing an IPSec policy template. The value must be an existing IPSec policy template name.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec policy is uniquely defined by its name and sequence number. IPSec policies with the same name belong to one IPSec policy group.

  • Manual mode

    IPSec parameters including the authentication/encryption key and SPI on IPSec peers must mirror each other. That is, IPSec parameters of the inbound SA at the local end must be the same as those of the outbound SA at the remote end, and IPSec parameters of the outbound SA at the local end must be the same as those of the inbound SA at the remote end.

  • IKE negotiation mode

    IPSec parameters are automatically negotiated through IKE. This mode is classified into ISAKMP and IPSec policy template:

    • ISAKMP

      Negotiated IPSec parameters are defined in the IPSec policy view, and the initiator and responder must use the same IPSec parameters.

      A device using an ISAKMP policy can be either an initiator or a responder.

    • IPSec policy template

      An IPSec policy template defines negotiated parameters. The initiator determines optional parameters, and the responder accepts the parameters delivered by the initiator.

      An IPSec policy template can reduce the workload of establishing multiple IPSec tunnels. The IPSec policy template is applicable to specific scenarios, for example, a scenario where the remote IP address is variable or unknown (for example, the remote end obtains an IP address using PPPoE) and the remote device is allowed to initiate negotiation to the local end.

      ACLs in this mode are optional. If no ACL is configured, the responder uses the ACL configured on the initiator to protect data flows.

Follow-up Procedure

Define negotiated IPSec parameters in the IPSec policy view and run the ipsec policy (interface view) command to bind the IPSec policy to an interface.

Precautions

  • The end where an IPSec policy template is configured can only function as the responder to receive negotiation requests.
  • One IPSec policy group can have only one IPSec policy template.
  • When creating an IPSec policy, you must specify the SA creation mode. If you have entered the IPSec policy view, you do not need to enter the SA creation mode.
  • Before modifying the negotiation mode of a created IPSec policy, delete the IPSec policy and create an IPSec policy again.

Example

# Set an IPSec policy using the ISAKMP negotiation mode. The IPSec policy name is policy1 and the sequence number is 1.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1]

# Set an IPSec policy using the manual negotiation mode. The IPSec policy name is policy2 and the sequence number is 1.

<Huawei> system-view
[Huawei] ipsec policy policy2 1 manual
[Huawei-ipsec-policy-manual-policy2-1]

ipsec policy-template

Function

The ipsec policy-template command creates an IPSec policy template and displays the IPSec policy template view.

The undo ipsec policy-template command deletes an IPSec policy template group or an IPSec policy template from the group.

By default, no IPSec policy template is created.

Format

ipsec policy-template template-name seq-number

undo ipsec policy-template template-name [ seq-number ]

Parameters

Parameter Description Value
template-name Specifies the name of the policy template. It is a string of 1 to 15 case-sensitive characters and cannot contain the hyphen (-).
seq-number Specifies the sequence number of the IPSec policy. It is an integer that ranges from 1 to 10000. The smaller the value is, the higher the priority is.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Negotiated IPSec parameters are defined in the IPSec policy template view. The initiator determines optional parameters, and the responder accepts the parameters delivered by the initiator. If an IPSec policy template is configured at the local end, the local end can only function as the responder to receive negotiation requests.

An IPSec policy template can be used to configure multiple IPSec policies, reducing the workload of establishing multiple IPSec tunnels. An IPSec policy template is applicable to specific scenarios, for example, a scenario where the remote IP address is variable or unknown and the remote peers are allowed to initiate negotiation to the local end.

ACLs in this mode are optional. If no ACL is configured, the responder uses the ACL configured on the initiator to protect data flows.

Follow-up Procedure

Run the ipsec policy policy-name seq-number isakmp template template-name command to reference the created template.

Precautions

The IPSec policy template name must be different from the IPSec policy name.

Example

# Create an IPSec policy template with the name policy1 and the sequence number 1.

<Huawei> system-view
[Huawei] ipsec policy-template policy1 1
[Huawei-ipsec-policy-templet-policy1-1]

ipsec profile (interface view)

Function

The ipsec profile command applies an IPSec profile to a tunnel interface.

The undo ipsec profile command unbinds the IPSec profile from a tunnel interface.

By default, no IPSec profile is applied to a tunnel interface.

Format

ipsec profile profile-name

undo ipsec profile

V200R010 does not support the shared parameter. That is, the same physical outbound interface cannot be specified for multiple tunnel interfaces.

Parameters

Parameter Description Value
profile-name Specifies the name of an IPSec profile. The value is an existing IPSec profile name.

Views

Tunnel interface view, Tunnel-Template interface view

Default Level

2: Configuration level

Usage Guidelines

Prerequisites

An IPSec profile has been created using the ipsec profile (system view) command.

A tunnel interface has been created using the interface tunnel command, and the encapsulation mode of the tunnel interface has been set to GRE or IPSec using the tunnel-protocol command.

Precautions

  • A tunnel interface can be bound to only one IPSec profile. An IPSec profile can be applied to only one tunnel interface.

  • A tunnel template interface can be bound to only one IPSec profile. An IPSec profile can be applied to only one tunnel template interface.

  • When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the undo ipsec profile command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

  • A tunnel interface and the source interface that is referenced by the tunnel interface cannot be both bound to IPSec profiles.

Example

# Bind the IPSec profile profile1 to tunnel interface tunnel 0/0/1.
<Huawei> system-view
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol ipsec
[Huawei-Tunnel0/0/1] source 10.1.1.1
[Huawei-Tunnel0/0/1] ipsec profile profile1

ipsec profile (system view)

Function

The ipsec profile command creates an IPSec profile and enters the IPSec profile view.

The undo ipsec profile command deletes an IPSec profile.

By default, no IPSec profile is configured.

Format

ipsec profile profile-name

undo ipsec profile profile-name

Parameters

Parameter Description Value
profile-name Specifies the name of an IPSec profile. The value is a string of 1 to 32 case-sensitive characters without question marks (?) and spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec profile is similar to an IPSec policy. However, different from an IPSec policy, an IPSec profile is identified by its name, and can only be configured in IKE negotiation mode. The IPSec profile does not support ACL configuration. The IPSec profile can be applied to only an IPSec tunnel interface. An IPSec profile defines IPSec proposals used to protect data flows, IKE negotiation parameters for SA setup, SA lifetime, and PFS status. After an IPSec profile is applied to an IPSec tunnel interface, only one IPSec tunnel is created. The IPSec tunnel protects all the data flows routed to the IPSec tunnel interface, simplifying IPSec policy management.

Follow-up Procedure

Define negotiated IPSec parameters in the IPSec profile view and run the ipsec profile (interface view) command to apply the IPSec profile to an interface.

Precautions

You do not need to specify the local and remote addresses for the IKE peer that is referenced by an IKE profile. Even if the local and remote addresses are specified for the IKE peer that is referenced by an IKE profile, the local and remote addresses are invalid. This is because the source and destination addresses of the IPSec tunnel interfaces are used as local and remote addresses when the IPSec profile performs IKE negotiation.

Example

# Create an IPSec profile named profile1.

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1]

ipsec proposal

Function

The ipsec proposal command creates an IPSec proposal and displays the IPSec proposal view.

The undo ipsec proposal command deletes an IPSec proposal.

By default, no IPSec proposal is configured.

Format

ipsec proposal proposal-name

undo ipsec proposal proposal-name

Parameters

Parameter Description Value
proposal-name Specifies the name of an IPSec proposal. The value is a string of 1 to 15 case-sensitive characters without question marks (?) and spaces.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec proposal is a part of an IPSec policy or an IPSec profile. It defines IPSec protection methods and security parameters for IPSec SA negotiation. The parameters include the security protocol, encryption and authentication algorithms, and encapsulation mode.

Follow-up Procedure

  1. Configure security parameters including the security protocol, encryption and authentication algorithms, and encapsulation mode.
  2. Run the proposal command to reference the IPSec proposal in an IPSec policy.

Precautions

Both ends of an IPSec tunnel must be configured with the same parameters.

Example

# Create an IPSec proposal named newprop1.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1]

ipsec proto-protect proposal

Function

The ipsec proto-protect proposal command creates a security proposal and displays the security proposal view.

The undo ipsec proto-protect proposal command deletes a security proposal.

By default, no security proposal is created.

Format

ipsec proto-protect proposal proposal-name

undo ipsec proto-protect proposal proposal-name

Parameters

Parameter Description Value
proposal-name Specifies the name of a security proposal. The value is a string of 1 to 15 case-insensitive characters.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A security proposal defines the security protocol and authentication or encryption algorithm. Therefore, run the ipsec proto-protect proposal command to create a security proposal before configuring IPSec.

Follow-up Procedure

Configure the security protocol, authentication or encryption algorithm, and encapsulation mode.

Precautions

You cannot delete a security proposal that is applied to a Security Association (SA). The same proposal can, however, be applied to different SAs. To delete such a security proposal, first run the undo proposal command to remove it from every SA that references it.

Example

# Configure a security proposal named newprop1.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal newprop1

ipsec remote traffic-identical accept

Function

The ipsec remote traffic-identical accept command allows branch or other users to quickly access the headquarters network.

The undo ipsec remote traffic-identical accept command disables quick access to the headquarters network.

By default, the device allows branch or other users to quickly access the headquarters network after their IP addresses are changed.

Format

ipsec remote traffic-identical accept

undo ipsec remote traffic-identical accept

Parameters

None.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a branch and the headquarters of a company establish an IPSec tunnel, the IP address of the branch gateway interface to which the IPSec policy group is applied may change because of a link status change or for other reasons (for example, the branch gateway connects to the Internet through dialup and obtains a new address after reconnecting). The established IPSec tunnel then becomes unavailable, but it still exists on the headquarters gateway until it times out.

If quick access to the headquarters network is disabled, when a branch gateway initiates IPSec negotiation again, the headquarters retains the original IPSec tunnel before the tunnel expires. As a result, the data flows transmitted over the new negotiated IPSec tunnel are the same as those on the original IPSec tunnel, causing a conflict. In this case, the branch and headquarters cannot establish a new IPSec tunnel in a short period of time.

If quick access to the headquarters network is enabled, when a branch gateway initiates IPSec negotiation again, the headquarters deletes the original IPSec tunnel immediately so that the branch and headquarters can establish a new IPSec tunnel quickly.

Prerequisites

  • The headquarters gateway functions as the responder and uses an IPSec policy template to establish an IPSec tunnel with the branch gateway.
  • The ACL referenced by the IPSec policy does not change before and after the IPSec tunnel becomes unavailable.
  • The interface that the branch uses to connect to the headquarters gateway does not change before and after the IPSec tunnel becomes unavailable.

Example

# Allow the branch or other users to quickly access the headquarters network.

<Huawei> system-view
[Huawei] ipsec remote traffic-identical accept 

ipsec sa

Function

The ipsec sa command creates a Security Association (SA) and displays the SA view.

The undo ipsec sa command deletes an SA.

By default, no SA is created.

Format

ipsec sa sa-name

undo ipsec sa sa-name

Parameters

Parameter Description Value
sa-name Specifies the name of an SA. The value is a string of 1 to 15 case-insensitive letters or digits. Spaces are not supported unless the string is enclosed in double quotation marks.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

IPSec uses an SA to ensure security during data transmission. When configuring IPSec, run the ipsec sa command to create an SA and configure SA parameters.

Follow-up Procedure

Run the proposal command to reference a security proposal, the sa spi command to configure the SPI, and the sa string-key, sa authentication-hex, or sa encryption-hex command to configure the authentication and encryption keys.

Precautions

An SA is unidirectional. Incoming packets and outgoing packets are processed by different SAs.

An SA can be configured with only one security protocol.

Example

# Create an SA.

<Huawei> system-view
[Huawei] ipsec sa sa1

ipsec sa global-duration

Function

The ipsec sa global-duration command sets the global hard lifetime of IPSec SAs.

The undo ipsec sa global-duration command restores the default global hard lifetime of IPSec SAs.

By default, the global time-based SA hard lifetime is 3600 seconds and the global traffic-based SA hard lifetime is 1843200 Kbytes.

Format

ipsec sa global-duration { time-based interval | traffic-based size }

undo ipsec sa global-duration { time-based | traffic-based }

Parameters

Parameter Description Value
time-based interval Specifies the time-based global IPSec SA hard lifetime.

When a large number of IPSec tunnels are established between two devices, you are advised to set the global IPSec SA hard lifetime to 1800s or longer.

It is an integer that ranges from 30 to 604800, in seconds.
traffic-based size Specifies the traffic-based global IPSec SA hard lifetime.

It is recommended that the traffic volume be equal to or larger than the size of IPSec traffic forwarded in 1 hour.

The value is 0 or an integer from 256 to 200000000, in Kbytes.

  • IKEv1 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic timeout function.
  • IKEv2 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, the local device disables the traffic timeout function.
During IPSec negotiation between a Huawei device and a Cisco device using IKEv1:
  • If the Huawei device functions as the initiator and the traffic hard lifetime is set to 0, the traffic hard lifetime value pushed by the Cisco device takes effect on the local end.
  • If the Huawei device functions as the responder and the traffic hard lifetime is set to 0, the value 0 takes effect on the local end.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a dynamic SA, configure the SA hard lifetime so that the SA and its keys are renewed periodically, reducing the risk of key compromise and improving security.

There are two methods to measure the lifetime:
  • Time-based lifetime

    The period from when an SA is set up to when the SA expires.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:
  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 11-64 lists the default soft lifetime values.
    Table 11-64  Soft lifetime values
    • Time-based soft lifetime (soft timeout period): 70% of the actual hard lifetime (hard timeout period).
    • Traffic-based soft lifetime (soft timeout traffic):
      • For IKEv1, 70% of the actual hard lifetime (hard timeout traffic).
      • For IKEv2, 65% to 75% of the actual hard lifetime (hard timeout traffic), that is, 70% plus or minus a random value.

Before an IPSec SA becomes invalid, IKE negotiates a new IPSec SA for the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after the new IPSec SA is negotiated. If service traffic is transmitted, the original IPSec SA is deleted immediately. If no service traffic is transmitted, the original IPSec SA will be deleted after 10s or the hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

Precautions

The SA lifetime applies only to SAs set up through IKE negotiation. It has no effect on manually configured SAs, which never expire.

The SA lifetime can be configured globally or based on an IPSec policy or profile. If no SA lifetime is configured for the IPSec policy or profile, the global lifetime is used. If both the global SA lifetime and lifetime based on the IPSec policy or profile are configured, the latter one takes effect.

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation, the initiator or responder cannot initiate IPSec SA renegotiation if the IKE SA is deleted and the IPSec SA soft lifetime expires.
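The lifetime rules above (the policy or profile lifetime outranks the global one, the two ends settle on the smaller hard lifetime, the soft threshold is 70% or a randomised 65% to 75% of it, and the SA expires on whichever limit is reached first) can be exercised in code. The following Python model is an added example written for this page; it is not Huawei code and does not talk to a device. The LifetimeConfig class, the function names and the sample values are assumptions, and the Cisco interoperability exceptions listed under the traffic-based parameter are not modelled.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple

GLOBAL_TIME_DEFAULT = 3600        # seconds (default of ipsec sa global-duration time-based)
GLOBAL_TRAFFIC_DEFAULT = 1843200  # Kbytes (default of ipsec sa global-duration traffic-based)

Lifetime = Tuple[int, Optional[int]]  # (seconds, Kbytes or None when traffic timeout is disabled)


@dataclass
class LifetimeConfig:
    """Hard lifetimes configured on one end (assumed layout, not device state).
    policy_* stand for the lifetime set in an IPSec policy or profile; None means
    'not set, fall back to the global value'."""
    global_time: int = GLOBAL_TIME_DEFAULT
    global_traffic: int = GLOBAL_TRAFFIC_DEFAULT
    policy_time: Optional[int] = None
    policy_traffic: Optional[int] = None

    def effective_time(self) -> int:
        # The policy/profile lifetime takes precedence over the global one.
        return self.global_time if self.policy_time is None else self.policy_time

    def effective_traffic(self) -> int:
        return self.global_traffic if self.policy_traffic is None else self.policy_traffic


def negotiated_hard_lifetime(local: LifetimeConfig, remote: LifetimeConfig) -> Lifetime:
    """The actual hard lifetime is the smaller of the two configured values.
    A traffic value of 0 on either end disables the traffic-based timeout."""
    hard_time = min(local.effective_time(), remote.effective_time())
    lt, rt = local.effective_traffic(), remote.effective_traffic()
    hard_traffic = None if lt == 0 or rt == 0 else min(lt, rt)
    return hard_time, hard_traffic


def soft_lifetime(hard: Lifetime, ikev: int, rng=random) -> Lifetime:
    """Thresholds at which rekeying starts: 70% of the hard time; 70% of the
    hard traffic for IKEv1, a random 65% to 75% for IKEv2 (the jitter keeps the
    two ends from rekeying at exactly the same moment)."""
    hard_time, hard_traffic = hard
    soft_time = hard_time * 70 // 100
    if hard_traffic is None:
        return soft_time, None
    pct = 70 if ikev == 1 else rng.randint(65, 75)
    return soft_time, hard_traffic * pct // 100


def sa_state(age_s: int, sent_kb: int, hard: Lifetime, soft: Lifetime) -> str:
    """'expired' once either hard limit is reached, 'rekey' once either soft
    limit is reached (a new SA must be negotiated now), otherwise 'active'."""
    hard_time, hard_traffic = hard
    soft_time, soft_traffic = soft
    if age_s >= hard_time or (hard_traffic is not None and sent_kb >= hard_traffic):
        return "expired"
    if age_s >= soft_time or (soft_traffic is not None and sent_kb >= soft_traffic):
        return "rekey"
    return "active"


if __name__ == "__main__":
    hq = LifetimeConfig(policy_time=7200)                            # policy overrides global 3600
    branch = LifetimeConfig(global_time=3600, global_traffic=10240)  # 10 MB traffic limit
    hard = negotiated_hard_lifetime(hq, branch)   # (3600, 10240)
    soft = soft_lifetime(hard, ikev=1)            # (2520, 7168)
    print(hard, soft, sa_state(2600, 100, hard, soft))  # rekey
```

Running it shows that a branch configured with a 3600 s global lifetime and a 10240 Kbyte traffic limit pulls the headquarters, whose policy lifetime is 7200 s, down to 3600 s and 10240 Kbytes, and that the SA enters the rekey state at 2520 s even though no traffic limit is near. This is why the reference recommends a traffic lifetime at least as large as one hour of IPSec traffic: otherwise the traffic limit, not the time limit, drives the rekey rate.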

Example

# Set the time-based global SA hard lifetime to 7200s.

<Huawei> system-view
[Huawei] ipsec sa global-duration time-based 7200

# Set the traffic-based global SA hard lifetime to 10 MB.

<Huawei> system-view
[Huawei] ipsec sa global-duration traffic-based 10240

ipsec sm4 version

Function

The ipsec sm4 version command sets an SM4 algorithm version for IKE negotiation.

The undo ipsec sm4 version command restores the default SM4 algorithm version for IKE negotiation.

By default, the SM4 algorithm version draft-standard is used.

Format

ipsec sm4 version { draft-standard | standard }

undo ipsec sm4 version

Parameters

Parameter Description Value
draft-standard Sets the SM4 algorithm version to that released in 2013. The attribute value of the SM4 algorithm is 127. -
standard Sets the SM4 algorithm version to that released in 2014. The attribute value of the SM4 algorithm is 129. -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

For IKE negotiation during interconnection with non-Huawei devices, if the SM4 algorithm versions used by devices of different vendors differ from each other, the IKE negotiation fails. In this case, run the ipsec sm4 version command to set the SM4 algorithm version consistent with that on non-Huawei devices.

Example

# Set the SM4 algorithm version used for IKE negotiation to standard.

<Huawei> system-view
[Huawei] ike peer p1
[Huawei-ike-peer-p1] ipsec sm4 version standard

lifetime-notification-message enable

Function

The lifetime-notification-message enable command enables a device to send IKE SA lifetime notification messages.

The undo lifetime-notification-message enable command disables a device from sending IKE SA lifetime notification messages.

By default, the device does not send IKE SA lifetime notification messages.

Format

lifetime-notification-message enable

undo lifetime-notification-message enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run the sa duration (IKE proposal view) command to configure an IKE SA lifetime in an IKE proposal. If the IKE SA lifetimes of two ends are different, the two ends use the smaller IKE SA lifetime for IKE negotiation.

  • When a Huawei device (responder) wants to set up an IPSec tunnel with a Cisco Systems VPN Client (initiator) and the IKE SA lifetimes configured at the two ends are different, you can run this command to enable the Huawei device to send IKE SA lifetime notification messages to the Cisco device to ensure successful IKE negotiation between them. If the Huawei device is disabled from sending IKE SA lifetime notification messages to the peer, the IKE negotiation fails.

  • You can also run this command when two Huawei devices need to set up an IPSec tunnel. However, the configuration takes effect on the responder only. If you cannot determine which end is the initiator, you are advised to configure this command on devices at both ends.

Precautions

This command is supported by IKEv1 only.

Example

# Enable the IKE peer named peer1 to send IKE SA lifetime notification messages.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] undo version 2
[Huawei-ike-peer-peer1] lifetime-notification-message enable

local-address

Function

The local-address command assigns an IP address to the local end of IKE negotiation.

The undo local-address command cancels the configuration.

By default, the system selects an outbound interface according to a route and uses the IP address of the outbound interface as the local IP address.

Format

local-address ip-address

undo local-address

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of the local end of IKE negotiation.

The value is in dotted decimal notation.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The local-address command assigns an IP address to the local end of IKE negotiation.

When the local end and remote end establish an IPSec tunnel, the local IP address does not need to be configured during IKE negotiation. By default, the system selects an outbound interface according to a route and uses the IP address of the outbound interface as the local IP address.

  • If the IP address of an interface bound to an IPSec policy is variable or unknown, run the local-address command to specify the IP address of another interface such as a loopback interface as the local IP address.
  • If an interface bound to an IPSec policy is configured with one primary IP address and multiple secondary IP addresses, run the local-address command to specify one IP address as the local IP address.
  • If the local and remote ends have equal-cost routes, run the local-address command to specify the local IP address so that IPSec packets can be sent out from the specified interface.

Precautions

The local-address at the local end must be the same as the remote-address at the remote end.

You do not need to specify local-address for an IKE peer referenced by an IPSec profile. During IKE negotiation, the IPSec profile uses the source address of the IPSec tunnel interface.

In a multi-link shared IPSec policy group scenario, the IP address of the local end cannot be the secondary IP address of a loopback interface. Otherwise, an IPSec tunnel cannot be established.

Example

# Configure an IP address for the local end of IKE negotiation in the IKE peer view.

<Huawei> system-view
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] local-address 10.10.10.1

local-id-type

Function

The local-id-type command sets the type of the local ID used in IKE negotiation.

The undo local-id-type command restores the default type of the local ID used in IKE negotiation.

By default, the local ID type used by IKE negotiation is IP.

Format

local-id-type { dn | fqdn | ip [ ip-configurable ] | key-id | user-fqdn }

undo local-id-type

Parameters

Parameter Description Value
dn Specifies the Distinguished Name (DN) as the local ID. -
fqdn Specifies the name as the local ID. -
ip Specifies the IP address as the local ID. -
ip-configurable

Indicates that the IP address used as the local ID is configurable. This IP address can be configured using the local-id command.

The IP address is the local IP address used for IKE negotiation by default.

This parameter takes effect only in the IKE peer view.

-
key-id Specifies the key-id as the local ID. This parameter takes effect only in the Efficient VPN policy view. -
user-fqdn Specifies the USER-FQDN as the local ID. -

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Identity authentication is a protection mechanism for IKE negotiation: the device confirms the identities of the communicating parties before keys are derived. IKE peers can use different ID types. This command configures the type of the local ID of an IKE peer.

Precautions

  • The local ID type can be different from the remote ID type. You can use commands to specify the local and remote ID types.
  • If IKEv1 is used, pre-shared key authentication requires the local ID on the local end to be the same as the remote ID on the remote end. If IKEv2 is used, pre-shared key authentication requires the local ID type or local ID on the local end to be the same as the remote ID type or remote ID on the remote end.
  • For RSA signature authentication, the remote ID type or remote ID on the local end must be consistent with corresponding fields in the local certificate on the remote end.
Different authentication methods support different ID types, as shown in Table 11-65.
Table 11-65  Relationship between local IKE ID types, local ID, and authentication methods

pre-share:
  • IP: Supported. By default, the ID is the local IP address used for IKE negotiation. An ID set using the local-id command is used by this IKE peer for identity authentication instead.
  • DN: Not supported.
  • FQDN: Supported. Set an ID using the local-id command (used by this IKE peer only) or the ike local-name command (used by all peers on the device). The ID specified by the local-id command has a higher priority than the one specified by the ike local-name command.
  • USER-FQDN: Supported. As for FQDN: the local-id command sets an ID for this IKE peer, the ike local-name command sets an ID for all peers on the device, and the ID specified by the local-id command has a higher priority.
  • key-id: Supported. This parameter is often used when the device using the Efficient VPN policy functions as a remote end to communicate with Cisco devices.

rsa-signature:
  • IP: Supported. By default, the ID is the local IP address used for IKE negotiation. An ID set using the local-id command is used by this IKE peer for identity authentication instead.
  • DN: Supported. The default ID in the certificate is used; no configuration is required.
  • FQDN: Supported. The default ID in the certificate is used; no configuration is required.
  • USER-FQDN: Supported. The default ID in the certificate is used; no configuration is required.
  • key-id: Supported. This parameter is often used when the device using the Efficient VPN policy functions as a remote end to communicate with Cisco devices.

Example

# Set the local ID type of IKE peer peer1 to FQDN.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] local-id-type fqdn

local-id

Function

The local-id command specifies the local ID for IKE negotiation.

The undo local-id command deletes the local ID for IKE negotiation.

By default, the local ID is not configured for IKE negotiation.

Format

local-id id

undo local-id

Parameters

Parameter Description Value
id Specifies the local ID used in IKE negotiation. The value is a string of 1 to 255 case-sensitive characters.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

If the ID type of the IKE peer is IP, FQDN, or USER-FQDN, you can configure the local end identity in the system view or IKE peer view.

The local-id command sets an ID, indicating that the IKE peer uses this ID for authentication. If the ID type is FQDN or User-FQDN, the ike local-name command sets an ID, indicating that all peers on the device use this ID for authentication. The ID specified by the local-id command has a higher priority than the one specified by the ike local-name command.

Example

# Set the local ID to be huawei in IKE negotiation.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] local-id huawei

local-id-preference certificate enable

Function

The local-id-preference certificate enable command enables the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.

The undo local-id-preference certificate enable command disables the device from preferentially obtaining the local ID from a field in a certificate when IKE uses certificate negotiation.

By default, the device does not preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.

Format

local-id-preference certificate enable

undo local-id-preference certificate enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When IKE uses certificate negotiation, the device can obtain its local ID from a field (IP address, FQDN, or email address) in the certificate, removing the need to configure the local ID.

After the local-id-preference certificate enable command is configured, the device preferentially obtains its local ID from a field in the certificate. If this method fails, it obtains its local ID based on the local configuration. If this method also fails, IKE negotiation fails.

Precautions

Before V500R005C00, the local-id-preference certificate enable command is supported only after a required patch is installed. By default, this command is disabled. In V500R005C00, this command is supported by default but is not displayed in the IKE peer view. In versions earlier than V5R5C20SPC500, this command is supported and displayed by default.

This command is not supported when the certificate negotiation mode is set to digital envelope authentication using the authentication-method command.

In IKEv2 negotiation scenarios, when both the local-id-preference certificate enable and local-id-reflect enable commands are configured, the local-id-reflect enable command takes effect.

You can run the display pki certificate command to view certificate identity information. The email address in the certificate corresponds to User-FQDN.

Example

# Enable the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] local-id-preference certificate enable

local-id-reflect enable

Function

The local-id-reflect enable command enables the function of using the local ID of the responder as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.

The undo local-id-reflect enable command disables the function of using the local ID of the responder as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.

By default, during IKEv2 negotiation, the local ID of the responder is not used as the remote ID carried in the IKE packets sent by the initiator.

Format

local-id-reflect enable

undo local-id-reflect enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During IKEv2 negotiation, if the user does not know the remote ID configured for the initiator, run the local-id-reflect enable command on the responder. When the responder receives an IKE packet from the initiator, the responder uses the IDr payload (remote ID) in the received packet as its local ID. If the responder does not obtain the IDr payload, it obtains its local ID based on the local configuration.

Precautions

This command is not supported when IKEv2 uses a digital envelope for authentication during certificate negotiation.

When both the local-id-reflect enable and local-id-preference certificate enable commands are configured, the local-id-reflect enable command takes effect.

Currently, the ID type can only be IP address, FQDN, or User-FQDN.
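The identity commands on this page (local-id-type, local-id, ike local-name, local-id-preference certificate enable and local-id-reflect enable) together determine which ID a device presents, and the precedence between them is spread across several sections. The following Python model is an added example written for this page, not Huawei code: it resolves the effective local ID from those settings. The IkePeerIdConfig class, the certificate dictionary and its field names, and the sample values are assumptions; so is the choice that, for rsa-signature with FQDN or USER-FQDN and no certificate preference, an explicitly configured local-id still outranks the certificate field.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IdValue = Tuple[str, str]                   # (ID type, ID value)
REFLECTABLE = ("ip", "fqdn", "user-fqdn")   # the only types local-id-reflect supports
# Certificate field that can supply an ID of each type; the email address
# corresponds to User-FQDN. Field names are assumptions for this model.
CERT_FIELD = {"ip": "ip", "fqdn": "fqdn", "user-fqdn": "email", "dn": "subject"}


@dataclass
class IkePeerIdConfig:
    """Hypothetical snapshot of one IKE peer's identity-related settings."""
    auth_method: str = "pre-share"        # "pre-share" or "rsa-signature"
    local_id_type: str = "ip"             # local-id-type (default: ip)
    local_id: Optional[str] = None        # local-id (this peer only)
    ike_local_name: Optional[str] = None  # ike local-name (all peers on the device)
    negotiation_ip: str = "192.0.2.1"     # local address the IKE packets are sent from
    prefer_cert: bool = False             # local-id-preference certificate enable
    reflect: bool = False                 # local-id-reflect enable
    ikev: int = 2


def id_from_config(cfg: IkePeerIdConfig) -> Optional[IdValue]:
    """ID derived purely from the local configuration."""
    t = cfg.local_id_type
    if t == "ip":
        # Default is the negotiation address; local-id overrides it.
        return ("ip", cfg.local_id or cfg.negotiation_ip)
    if t in ("fqdn", "user-fqdn"):
        # local-id (per peer) outranks ike local-name (device-wide).
        value = cfg.local_id or cfg.ike_local_name
        return (t, value) if value else None
    if t == "key-id":
        return ("key-id", cfg.local_id) if cfg.local_id else None
    return None  # dn: there is no configured value, it only exists in the certificate


def id_from_certificate(cfg: IkePeerIdConfig, cert: Dict[str, str]) -> Optional[IdValue]:
    """ID taken from the matching field of the local certificate, if present."""
    field = CERT_FIELD.get(cfg.local_id_type)
    value = cert.get(field) if field else None
    return (cfg.local_id_type, value) if value else None


def resolve_local_id(cfg: IkePeerIdConfig, cert: Optional[Dict[str, str]] = None,
                     received_idr: Optional[IdValue] = None) -> Optional[IdValue]:
    """Return the (type, value) this end will present, or None when IKE
    negotiation fails because no ID can be obtained."""
    cert = cert or {}
    # 1. local-id-reflect enable: an IKEv2 responder echoes the IDr payload it
    #    received; this outranks local-id-preference certificate enable.
    if cfg.reflect and cfg.ikev == 2 and received_idr and received_idr[0] in REFLECTABLE:
        return received_idr
    if cfg.auth_method == "pre-share":
        # DN is not supported with pre-shared keys (Table 11-65).
        return None if cfg.local_id_type == "dn" else id_from_config(cfg)
    # rsa-signature from here on.
    if cfg.prefer_cert:
        # Certificate first, then local configuration, otherwise failure.
        return id_from_certificate(cfg, cert) or id_from_config(cfg)
    if cfg.local_id_type in ("dn", "fqdn", "user-fqdn"):
        # Default for these types is the ID in the certificate; an explicit
        # local-id is assumed to take precedence when present (assumption).
        return id_from_config(cfg) if cfg.local_id else id_from_certificate(cfg, cert)
    return id_from_config(cfg)


if __name__ == "__main__":
    branch = IkePeerIdConfig(local_id_type="fqdn", ike_local_name="branch1.example")
    print(resolve_local_id(branch))  # ('fqdn', 'branch1.example')
    hq = IkePeerIdConfig(auth_method="rsa-signature", prefer_cert=True, reflect=True)
    print(resolve_local_id(hq, cert={"ip": "203.0.113.7"}, received_idr=("fqdn", "hq.example")))
```

The second call in the demo is the case the reference warns about: with both local-id-preference certificate enable and local-id-reflect enable configured, the reflected IDr wins and the certificate field is never consulted. When troubleshooting an IKEv1 pre-shared-key failure, compare the value this function returns on one end with the remote-id configured on the other end; the two must be identical.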

Example

# Enable the function of using the local ID of the responder as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] local-id-reflect enable

match ike-identity

Function

The match ike-identity command references an identity filter set.

The undo match ike-identity command removes the referenced identity filter set.

By default, no identity filter set is referenced.

Format

match ike-identity identity-name

undo match ike-identity

Parameters

Parameter

Description

Value

identity-name

Specifies the name of the identity filter set.

The value is an existing identity filter name.

Views

IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

  1. During IKE negotiation, a device specifies the peer based on the identity filter set referenced in the policy template or IPSec profile.

    When the device functions as a responder, it can specify the peer allowed to connect to it to improve security.

  2. In an IPSec over DSVPN application, multiple mGRE tunnel interfaces are configured on the hub which provides only one IP address for spoke access. The mGRE tunnel interfaces use the same source address or source interface; therefore, the hub cannot identify IKE packets from different mGRE tunnel interfaces. To solve this problem, set parameters in the identity filter set to specify the mGRE tunnel interface of each IKE packet.

    For details about DSVPN, see DSVPN Configuration.

Prerequisites

An identity filter set with a specific identity-name has been created using the ike identity command.

Precautions

  • If you configure multiple IPSec policy templates and apply them to multiple interfaces on the same device, the parameters in the identity filter set referenced in different policy templates cannot be the same.
  • If you configure multiple IPSec profiles and apply them to multiple tunnel interfaces on the same device, the parameters in the identity filter set referenced in different IPSec profiles cannot be the same.

If a remote device matches one parameter or more parameters in different identity filter sets in the local device, the access request of the remote device will be denied.

Example

# Reference an identity filter set in the IPSec profile view.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] fqdn peer1
[Huawei-ike-identity-identity1] quit
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] match ike-identity identity1

nat traversal

Function

The nat traversal command enables NAT traversal.

The undo nat traversal command disables NAT traversal.

By default, the NAT traversal is enabled.

Format

nat traversal

undo nat traversal

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In practice, the initiator is often located on a private network behind a NAT device while the responder is on the public network. To ensure that an IPSec tunnel can be set up across the NAT device, NAT traversal needs to be configured.

With NAT traversal, the two ends detect the NAT device during IKE negotiation and then encapsulate ESP packets in UDP so that they can pass through the NAT gateway.

Precautions

If NAT traversal is enabled, the IPSec proposal (ipsec proposal) supports only ESP. AH cannot be used, because its integrity check covers IP header fields that the NAT device rewrites.
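What the device does when nat traversal is enabled is specified by the IKE and ESP standards rather than by this command reference: IKEv2 carries NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies that hash the addresses each end believes it is using (RFC 7296, section 2.23), and once a NAT is found, ESP is wrapped in UDP on port 4500 with IKE distinguished by a zero non-ESP marker (RFC 3948). The following Python code is an added example written for this page, not Huawei code; it shows the detection arithmetic and the encapsulation on constructed sample addresses and SPIs, and goes beyond the command text by showing the protocol mechanism the command switches on.

```python
import hashlib
import socket
import struct
from typing import Dict, Tuple

Endpoint = Tuple[str, int]  # (IPv4 address, UDP port)


def nat_detection_hash(spi_i: bytes, spi_r: bytes, addr: Endpoint) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port), the content of a NAT_DETECTION_*_IP notify.
    spi_i and spi_r are the 8-byte IKE SPIs (SPIr is all zeros in the
    IKE_SA_INIT request)."""
    ip, port = addr
    return hashlib.sha1(spi_i + spi_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def detect_nat(spi_i: bytes, spi_r: bytes, claimed_src: Endpoint, claimed_dst: Endpoint,
               observed_src: Endpoint, observed_dst: Endpoint) -> Dict[str, bool]:
    """The sender hashes the addresses it believes it is using; the receiver
    hashes what it actually sees in the IP/UDP header. A mismatch on the SOURCE
    notify means the sender sits behind a NAT; a mismatch on the DESTINATION
    notify means the receiver does."""
    return {
        "sender_behind_nat": nat_detection_hash(spi_i, spi_r, claimed_src)
        != nat_detection_hash(spi_i, spi_r, observed_src),
        "receiver_behind_nat": nat_detection_hash(spi_i, spi_r, claimed_dst)
        != nat_detection_hash(spi_i, spi_r, observed_dst),
    }


def udp_encapsulate_esp(esp_packet: bytes, src_port: int = 4500, dst_port: int = 4500) -> bytes:
    """RFC 3948 ESP-in-UDP: an 8-byte UDP header immediately followed by the ESP
    packet (SPI first). The UDP checksum is sent as zero, which the RFC allows
    because ESP carries its own integrity check."""
    if len(esp_packet) < 4 or esp_packet[:4] == b"\x00\x00\x00\x00":
        raise ValueError("ESP packet must start with a non-zero SPI")
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(esp_packet), 0) + esp_packet


def classify_port4500_payload(udp_payload: bytes) -> str:
    """Demultiplexing on UDP 4500: IKE messages are prefixed with a 4-byte zero
    non-ESP marker; anything else is ESP, whose first 4 bytes are its SPI."""
    return "ike" if udp_payload[:4] == b"\x00\x00\x00\x00" else "esp"


if __name__ == "__main__":
    spi_i, spi_r = bytes.fromhex("0123456789abcdef"), bytes(8)  # constructed sample SPIs
    # Branch (initiator) at private 10.1.1.5:500, translated to 198.51.100.9:40500;
    # headquarters (responder) at public 203.0.113.1:500. Constructed sample addresses.
    result = detect_nat(spi_i, spi_r, ("10.1.1.5", 500), ("203.0.113.1", 500),
                        ("198.51.100.9", 40500), ("203.0.113.1", 500))
    print(result)  # sender_behind_nat True, receiver_behind_nat False
    frame = udp_encapsulate_esp(bytes.fromhex("deadbeef00000001") + b"ciphertext", 40500, 4500)
    print(classify_port4500_payload(frame[8:]))  # esp
```

The same arithmetic explains the AH restriction in the precaution above: the NAT rewrites the outer source address and port, which is exactly what makes the hashes differ, and AH's integrity check covers those header fields, so an AH packet that crosses the NAT always fails verification at the far end.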

Example

# Enable NAT traversal in IKE peer named peer1.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] nat traversal

pfs

Function

The pfs command enables Perfect Forward Secrecy (PFS) when the local end initiates negotiation.

The undo pfs command disables PFS when the local end initiates negotiation.

By default, PFS is not used when the local end initiates negotiation.

Format

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 | dh-group19 | dh-group20 | dh-group21 }

undo pfs

Parameters

Parameter Description Value
dh-group1 Uses the 768-bit DH group. -
dh-group2 Uses the 1024-bit DH group. -
dh-group5 Uses the 1536-bit DH group. -
dh-group14 Uses the 2048-bit DH group. -
dh-group19 Uses the 256-bit Elliptic Curve Groups modulo a Prime (ECP) DH group. -
dh-group20 Uses the 384-bit ECP DH group. -
dh-group21 Uses the 521-bit ECP DH group. -

Views

ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local end initiates negotiation, there is an additional DH exchange in IKEv1 phase 2 or IKEv2 CREATE_CHILD_SA exchange. The additional DH exchange ensures security of the IPSec SA key and improves communication security.

Precautions

The dh-group1, dh-group2, and dh-group5 groups (768-bit, 1024-bit, and 1536-bit MODP) have potential security risks because of their small modulus sizes. The other DH groups are recommended.

Table 11-66 describes the requirement for consistency of the PFS DH groups configured on the local and remote ends when the PFS function is enabled.
Table 11-66  Description of PFS DH groups
Security Policy Mode on the Local and Remote Ends Description
IPSec policy in ISAKMP mode on both ends

The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.

IPSec policy in ISAKMP mode on one end and IPSec policy configured using an IPSec policy template on the other end
  • If PFS is enabled in the IPSec policy template:

    The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.

  • If PFS is disabled in the IPSec policy template:

    The IPSec SA negotiation may succeed when the DH groups specified on the two ends are different. The responder uses the DH group on the initiator.

IPSec profile on both ends

The DH groups specified on the two ends must be the same; otherwise, the IPSec SA negotiation fails.

Example

# Use PFS when the IPSec policy named policy1 is used in negotiation.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] pfs dh-group14

# Enable the PFS feature in the IPSec Efficient VPN policy evpn.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] pfs dh-group14

pki realm

Function

The pki realm command binds a public key infrastructure (PKI) realm to an IKE peer or an Efficient VPN policy.

The undo pki realm command unbinds a PKI realm from an IKE peer or an Efficient VPN policy.

By default, no PKI realm is bound to an IKE peer or an Efficient VPN policy.

Format

pki realm realm-name

undo pki realm

Parameters

Parameter

Description

Value

realm-name

Specifies the name of a PKI realm.

The PKI realm must already exist.

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A PKI realm is a set of identity information required when a PKI entity enrolls a certificate.

After a PKI realm is bound to an IKE peer or an Efficient VPN policy, the IKE peer can obtain the CA certificate and local certificate based on the PKI realm configuration.

Prerequisites

A PKI realm has been created using the pki realm command in the system view. And the CA certificate and local certificate have been imported in the PKI realm.

Example

# Bind the PKI realm test to the IKE peer.

<Huawei> system-view
[Huawei] pki realm test
[Huawei-pki-realm-test] quit
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] pki realm test
# Bind the PKI realm test1 to the Efficient VPN policy.
<Huawei> system-view
[Huawei] pki realm test1
[Huawei-pki-realm-test1] quit
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] pki realm test1

policy enable

Function

The policy enable command enables a policy in an IPSec policy group.

The undo policy enable command disables a policy in an IPSec policy group.

By default, all the policies in an IPSec policy group are enabled.

Format

policy enable

undo policy enable

Parameters

None

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

After you disable a policy, the policy is not used for tunnel establishment.

Example

# Disable policy 1 in the IPSec policy group.

<Huawei> system-view
[Huawei] ipsec policy map1 1 isakmp
[Huawei-ipsec-policy-isakmp-map1-1] undo policy enable

pre-shared-key (IKE peer view, Efficient VPN policy view)

Function

The pre-shared-key command configures the pre-shared key used by IKE peers to perform pre-shared key authentication.

The undo pre-shared-key command deletes the pre-shared key used by IKE peers to perform pre-shared key authentication.

By default, the pre-shared key used by IKE peers to perform pre-shared key authentication is not configured.

Format

pre-shared-key { simple | cipher } key

undo pre-shared-key

Parameters

Parameter

Description

Value

simple

Indicates the pre-shared key in plain text. The pre-shared key is displayed in plain text in the configuration file.

NOTICE:

If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

-

cipher

Indicates the pre-shared key in cipher text. You can enter a pre-shared key in plain text or cipher text, but the pre-shared key is displayed in cipher text in the configuration file.

-

key

Specifies the pre-shared key used by IKE peers to perform pre-shared key authentication.

The value is a string of case-sensitive characters without spaces. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters. If the character string is enclosed in double quotation marks (" "), the character string can contain spaces.

NOTE:

For security purposes, the pre-shared key should contain at least 6 characters drawn from at least three of the four character types (lowercase letters, uppercase letters, digits, and special characters). Treat this as a floor: the key is the only secret protecting the IKE SA, so a long, randomly generated key is preferable to a short memorable one.

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

During IKE negotiation, IPSec can use pre-shared key authentication to verify the identities of the communicating parties. The pre-shared key itself is never sent on the wire: each end mixes it into the IKE keying material and into the authentication payload it sends (HASH_I/HASH_R in IKEv1, AUTH in IKEv2). The receiver recomputes that payload with its own copy of the key; only a peer holding the same key produces a matching value, so a match confirms the initiator's identity.

Prerequisites

Pre-shared key authentication has been specified in an IKE proposal or in an Efficient VPN policy.

Precautions

Both ends of IKE negotiation must be configured with the same pre-shared key.

Example

# Configure the pre-shared key used by IKE peers to perform pre-shared key authentication as Test!123.
<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] pre-shared-key cipher Test!123
# Configure pre-shared key authentication in the Efficient VPN policy evpn and set the pre-shared key to huawei@123 in cipher text.
<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] authentication-method pre-share
[Huawei-ipsec-efficient-vpn-evpn] pre-shared-key cipher huawei@123

pre-shared-key (IKE user view)

Function

The pre-shared-key command configures the pre-shared key used by IKE users when IKE peers use pre-shared key authentication during IKE negotiation.

The undo pre-shared-key command cancels the configuration.

By default, the pre-shared key used by IKE peers is not configured when IKE peers use pre-shared key authentication during IKE negotiation.

Format

pre-shared-key key

undo pre-shared-key

Parameters

Parameter

Description

Value

key

Specifies the pre-shared key used by IKE users when IKE peers use pre-shared key authentication during IKE negotiation.

The value is a string of case-sensitive characters without spaces. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters. If the character string is quoted by double quotation marks (" "), the character string can contain spaces.

NOTE:

For security purposes, the pre-shared key should contain at least 6 characters drawn from at least three of the four character types (lowercase letters, uppercase letters, digits, and special characters).

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a point-to-multipoint scenario, the device functions as the VPN gateway of the headquarters, an IPSec policy is created using an IPSec policy template, and the VPN gateway receives IPSec connection setup requests of different branches. When the pre-shared key is used for identity authentication and all branches use the same ID and pre-shared key, there are security risks. That is, if the ID and pre-shared key of one branch leak, the ID and pre-shared key of all branches leak. To prevent this problem, you are advised to run the id-type and pre-shared-key commands in the view of the IKE user in the IKE user table.

An IKE user table records the mapping between remote IDs of IKE peers and pre-shared keys. After an IKE peer references an IKE user table, the device searches for the pre-shared key matching the remote ID of the IKE peer in the IKE user table to complete identity authentication during IKE negotiation. In this manner, branches use different IDs and pre-shared keys.

Precautions

  • After an IKE peer references an IKE user table, the pre-shared key configured by this command takes precedence over the pre-shared key configured by the pre-shared-key (IKE peer view, Efficient VPN policy view) command.

  • Pre-shared key authentication must have been specified in the IKE proposal referenced by the IKE peer.

  • Both ends of IKE negotiation must use the same pre-shared key.
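The following Python example is added here and is not part of the original command reference or Huawei's implementation. It models the two points made above: how pre-shared key authentication proves identity without sending the key (the AUTH construction follows RFC 7296 section 2.15, with HMAC-SHA2-256 as the PRF), and how an IKE user table keyed by remote ID gives each branch its own key, with the table entry taking precedence over the IKE-peer-level key. The remote IDs, keys and the bytes standing in for the IKEv2 SignedOctets are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional

# RFC 7296, section 2.15, pre-shared key authentication:
#   AUTH = prf( prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets> )
# The PRF used here is HMAC-SHA2-256.
KEY_PAD = b"Key Pad for IKEv2"


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """Compute the IKEv2 AUTH payload for pre-shared key authentication.

    signed_octets is treated as opaque here; in a real exchange it is the
    sender's IKE_SA_INIT message, the other side's nonce and the MACed ID payload.
    The key never leaves the device: only this keyed hash is sent.
    """
    padded_key = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(padded_key, signed_octets, hashlib.sha256).digest()


class IkeUserTable:
    """Models an 'ike user-table': remote ID -> per-branch pre-shared key."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def add_user(self, remote_id: str, psk: bytes) -> None:
        self._keys[remote_id] = psk

    def lookup(self, remote_id: str) -> Optional[bytes]:
        return self._keys.get(remote_id)


def select_psk(remote_id: str, user_table: Optional[IkeUserTable],
               peer_psk: Optional[bytes]) -> Optional[bytes]:
    """A key found in the referenced user table takes precedence over the key
    configured with pre-shared-key in the IKE peer view."""
    if user_table is not None:
        key = user_table.lookup(remote_id)
        if key is not None:
            return key
    return peer_psk


def verify_peer_auth(remote_id: str, presented_auth: bytes, signed_octets: bytes,
                     user_table: Optional[IkeUserTable], peer_psk: Optional[bytes]) -> bool:
    """Responder side: recompute AUTH with the key chosen for this remote ID and
    compare in constant time. A peer holding a different key is rejected."""
    psk = select_psk(remote_id, user_table, peer_psk)
    if psk is None:
        return False
    expected = ikev2_psk_auth(psk, signed_octets)
    return hmac.compare_digest(expected, presented_auth)


def demo() -> Dict[str, bool]:
    """Constructed scenario: two branches with distinct keys plus a peer-level fallback."""
    table = IkeUserTable()
    table.add_user("branch1.example.com", b"Test!123")   # constructed IDs and keys
    table.add_user("branch2.example.com", b"Other#456")
    peer_level = b"fallback@789"
    octets = b"constructed IKE_SA_INIT|nonce|MACedID"     # stands in for SignedOctets

    results = {}
    # branch1 authenticates with its own key: accepted
    results["branch1_ok"] = verify_peer_auth(
        "branch1.example.com", ikev2_psk_auth(b"Test!123", octets), octets, table, peer_level)
    # branch2 presenting branch1's (leaked) key: rejected, the leak stays contained
    results["branch2_with_branch1_key"] = verify_peer_auth(
        "branch2.example.com", ikev2_psk_auth(b"Test!123", octets), octets, table, peer_level)
    # an ID absent from the table falls back to the peer-level key
    results["unknown_id_fallback"] = verify_peer_auth(
        "hq-spare.example.com", ikev2_psk_auth(peer_level, octets), octets, table, peer_level)
    # the table entry wins over the peer-level key when both exist
    results["table_beats_peer_key"] = verify_peer_auth(
        "branch1.example.com", ikev2_psk_auth(peer_level, octets), octets, table, peer_level)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The constant-time comparison matters on the responder: a byte-by-byte early-exit compare of AUTH payloads would leak timing information to an unauthenticated peer.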

Example

# Configure the pre-shared key as Test!123 for IKE users.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] pre-shared-key Test!123

prf

Function

The prf command configures the pseudo-random function (PRF) algorithm used in IKEv2 negotiation.

The undo prf command restores the default configuration.

By default, the HMAC-SHA2-256 PRF algorithm is used in IKEv2 negotiation.

Format

prf { aes-xcbc-128 | hmac-md5 | hmac-sha1 | hmac-sha2-256 | hmac-sha2-384 | hmac-sha2-512 }

undo prf

Parameters

Parameter Description Value
aes-xcbc-128 Indicates that the PRF algorithm is AES-XCBC-128.

This algorithm applies only to IKEv2 negotiation.

-
hmac-md5 Indicates that the PRF algorithm is HMAC-MD5. -
hmac-sha1 Indicates that the PRF algorithm is HMAC-SHA1. -
hmac-sha2-256 Indicates that the PRF algorithm is HMAC-SHA2-256. -
hmac-sha2-384 Indicates that the PRF algorithm is HMAC-SHA2-384. -
hmac-sha2-512 Indicates that the PRF algorithm is HMAC-SHA2-512. -

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

The PRF algorithm is required in IKEv2 negotiation. The PRFs are listed as follows from the highest security level to the lowest security level: hmac-sha2-512 > hmac-sha2-384 > hmac-sha2-256 > aes-xcbc-128 > hmac-sha1 > hmac-md5.

If you run the prf command multiple times, only the latest configuration takes effect.

hmac-md5 and hmac-sha1 are not recommended due to their low security.

Example

# Set hmac-sha2-256 as the PRF algorithm for IKEv2 proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] prf hmac-sha2-256

proposal

Function

The proposal command references an IPSec proposal.

The undo proposal command deletes the referenced IPSec proposal.

By default, no IPSec proposal is referenced.

Format

Manual IPSec policy view:

proposal proposal-name

undo proposal

ISAKMP IPSec policy view, IPSec policy template view, and IPSec profile view:

proposal proposal-name

undo proposal [ proposal-name ]

Parameters

Parameter Description Value
proposal-name Specifies the name of the IPSec proposal. It is a string of 1 to 15 case-insensitive characters.

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec proposal defines IPSec protection methods and takes effect only after an IPSec policy or profile references the IPSec proposal.

Prerequisites

An IPSec proposal has been created using the ipsec proposal command.

Precautions

A manual IPSec policy can only reference one IPSec proposal.

An ISAKMP IPSec policy, an IPSec policy template, or an IPSec profile can reference a maximum of 12 IPSec proposals. When the devices at both ends of an IPSec tunnel perform IKE negotiation, they search the IPSec proposals in the order in which the proposals were configured and stop at the first matching IPSec proposal, so list the strongest proposal first. If no matching IPSec proposal is found, an SA cannot be set up and packets to be protected are discarded.
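The following Python example is added here to show the consequence of the first-match-in-configured-order rule described above; it is not code from the command reference or from Huawei. The proposal model, the algorithm names and the way the responder walks its own list are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_REFERENCED_PROPOSALS = 12   # limit stated on the page for ISAKMP policies, templates and profiles


@dataclass(frozen=True)
class IpsecProposal:
    """Constructed model of an IPSec proposal: the fields both peers must agree on."""
    name: str
    transform: str              # "esp" or "ah"
    encryption: Optional[str]   # None for AH, which provides no encryption
    integrity: str
    mode: str = "tunnel"

    def same_protection(self, other: "IpsecProposal") -> bool:
        # Names are local labels; only the protection method has to match.
        return (self.transform, self.encryption, self.integrity, self.mode) == \
               (other.transform, other.encryption, other.integrity, other.mode)


def negotiate(local: Sequence[IpsecProposal],
              offered: Sequence[IpsecProposal]) -> Optional[IpsecProposal]:
    """Walk the local proposals in configured order and return the first one the
    peer also offers. None means no SA is set up and protected traffic is dropped."""
    if len(local) > MAX_REFERENCED_PROPOSALS:
        raise ValueError("a policy may reference at most 12 IPSec proposals")
    for mine in local:
        for theirs in offered:
            if mine.same_protection(theirs):
                return mine
    return None


# Constructed proposals (algorithm names chosen for illustration only).
STRONG = IpsecProposal("prop-strong", "esp", "aes-256", "sha2-256")
WEAK = IpsecProposal("prop-weak", "esp", "3des", "md5")
AH_ONLY = IpsecProposal("prop-ah", "ah", None, "sha2-256")


def demo() -> dict:
    """The peer supports both proposals; the local order decides which one wins."""
    peer_offers = [STRONG, WEAK]
    return {
        "weak_first": negotiate([WEAK, STRONG], peer_offers).name,      # weak proposal chosen
        "strong_first": negotiate([STRONG, WEAK], peer_offers).name,    # strong proposal chosen
        "no_match": negotiate([AH_ONLY], peer_offers),                  # no SA
    }


if __name__ == "__main__":
    print(demo())
```

If a legacy proposal has to stay in the list for one old peer, put it last: because matching stops at the first hit, a weak proposal listed first is selected even when both ends support a stronger one.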

Example

# Set a proposal named prop1, and apply this proposal to the IPSec policy in manual mode named policy1.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] proposal prop1

proposal (SA view)

Function

The proposal command applies a security proposal to a Security Association (SA).

The undo proposal command removes a security proposal from an SA.

By default, no security proposal is applied to an SA.

Format

proposal proposal-name

undo proposal

Parameters

Parameter Description Value
proposal-name Specifies the name of a security proposal. The value is a string of 1 to 15 case-insensitive characters.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SA defines a protection policy, and a security proposal defines a protection method. Data protection can be implemented only after a security proposal is applied to an SA.

Prerequisite

The ipsec proto-protect proposal proposal-name command has been run to create a security proposal before the proposal command is run. If no security proposal has been created, an error message will be displayed when the proposal command is run.

Configuration Impact

After the proposal command is run, the security proposal is applied to the SA and cannot be deleted while the SA references it.

Example

# Apply the security proposal named prop1 to the SA named sa1.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform ah
[Huawei-ipsec-proto-protect-proposal-prop1] quit
[Huawei] ipsec sa sa1
[Huawei-ipsec-sa-sa1] proposal prop1

qos group

Function

The qos group command configures the QoS group to which the IPSec packets belong.

The undo qos group command deletes the QoS group to which the IPSec packets belong.

By default, no QoS group is configured.

Format

qos group qos-group-value

undo qos group

Parameters

Parameter

Description

Value

qos-group-value

Specifies the ID of the QoS group.

The value is an integer that ranges from 1 to 99.

Views

Manual IPSec policy view, IPSec policy view, IPSec policy template view, IPSec profile view, Efficient VPN policy view, GDOI policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When both an IPSec policy and a QoS policy are used on an interface, you can run this command to specify the QoS group to which the IPSec packets belong to facilitate QoS management.

Precautions

This command takes effect during packet encapsulation, not during decapsulation. That is, the QoS group applies only to outgoing packets that the device encapsulates with IPSec; packets received over the tunnel are not marked.

Follow-up Procedure

After QoS for IPSec packets is enabled, run the if-match qos-group qos-group-value command in the traffic classifier view to configure a matching rule based on the QoS group.

Example

# Configure the QoS group to which the IPSec packets belong in the IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] qos group 30

qos pre-classify

Function

The qos pre-classify command enables pre-extraction of original IP packets.

The undo qos pre-classify command disables pre-extraction of original IP packets.

By default, pre-extraction of original IP packets is disabled.

Format

qos pre-classify

undo qos pre-classify

Parameters

None

Views

Tunnel interface view, Efficient VPN policy view, Manual IPSec policy view, IPSec policy view, IPSec policy template view, IPSec profile view, GDOI policy view, BD view, VBDIF interface view, VPN instance view, Virtual template interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In tunnel mode, QoS parameters such as the original packet header and protocol type are hidden after IP packets are encapsulated through GRE, VXLAN, L2TP, or IPSec. Although GRE, VXLAN, L2TP, and IPSec copy the DSCP field of the original packet into the outer IP header, some QoS solutions require quintuple information. The encryption device can pre-extract the quintuple (source address, destination address, protocol type, source port number, and destination port number) before encapsulation to facilitate refined QoS management on GRE, VXLAN, L2TP, and IPSec packets.

In an A2A VPN solution, the device uses the IP header of original packets as the IP header for encapsulated A2A VPN packets. Therefore, you do not need to configure this command if the device classifies packets based on the source address, destination address, or protocol type only.

Follow-up Procedure

After pre-extraction of original IP packets is enabled, run the if-match acl { acl-number | acl-name } command in the traffic classifier view to configure a matching rule based on the ACL.

Example

# Enable pre-extraction of original IP packets in the IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp
[Huawei-ipsec-policy-isakmp-policy1-10] qos pre-classify

re-authentication interval

Function

The re-authentication interval command sets the IKEv2 re-authentication interval.

The undo re-authentication interval command cancels the configuration.

By default, the device does not perform IKEv2 re-authentication.

Format

re-authentication interval interval

undo re-authentication interval

Parameters

Parameter Description Value
interval

Specifies the IKEv2 re-authentication interval.

When about 70% of the time interval has elapsed, the device initiates IKEv2 re-authentication.

The value is an integer that ranges from 60 to 604800, in seconds.

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In the remote access scenario, third-party attacks may occur during communications of peers. To improve IPSec network security, you can run this command to enable the peers to periodically re-authenticate each other.

Precautions

Only IKEv2 supports re-authentication.

Example

# Set the re-authentication interval of an IKE peer to 400 seconds.
<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] re-authentication interval 400 
# Set the re-authentication interval to 400 seconds in the IPSec Efficient VPN policy.
<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] re-authentication interval 400 

remote-address (IKE peer view)

Function

The remote-address command configures an IP address or domain name for the remote IKE peer during IKE negotiation.

The undo remote-address command cancels the configuration.

By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

Format

remote-address { [ vpn-instance vpn-instance-name ] { ipv4-address | host-name host-name } [ track { nqa admin-name test-name | bfd-session session-name } { up | down } ] | authentication-address start-ipv4-address [ end-ipv4-address ] }

undo remote-address [ ipv4-address | host-name host-name | authentication-address ]

Parameters

Parameter Description Value
vpn-instance vpn-instance-name Specifies the name of a VPN instance.

The value must be an existing VPN instance name. IPv4 multi-instance is supported.

ipv4-address

Specifies the IP address of the remote IKE peer.

The value is an IPv4 address in dotted decimal notation.

host-name host-name

Specifies the domain name of the remote IKE peer.

The value is an existing remote IKE peer domain name.

track

Specifies association between IKE and NQA or BFD.

-

nqa admin-name test-name

Configures association between IKE negotiation and NQA so that the device can determine whether the remote address of the peer is valid according to the NQA test instance status. admin-name specifies the administrator name of an NQA test instance, and test-name specifies the name of an NQA test instance.

The administrator name or name of an NQA test instance must have been created.

bfd-session session-name

Specifies association between IKE and BFD so that the validity of the peer address depends on the BFD session status. session-name specifies the name of the BFD session.

The BFD session name must have been created.

up

Indicates that this remote address is used as the peer address for negotiation when the NQA test instance or BFD session status is Up.

-

down

Indicates that this remote address is used as the peer address for negotiation when the NQA test instance or BFD session status is Down.

-

authentication-address start-ipv4-address [ end-ipv4-address ]

Specifies the IP address before NAT as the authentication address.

  • start-ipv4-address: Specifies the start IP address of the remote end.
  • end-ipv4-address: Specifies the end IP address of the remote end.

The value is an IPv4 address in dotted decimal notation.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The remote address negotiated by the IKE peers has two types: IP address and domain name.

When the configured remote address is an IP address and the remote gateway IP address is fixed, set remote-address to a fixed IP address. When an IPSec policy template is used and the remote gateway address is not fixed, set remote-address to an IP address segment.

When a domain name is configured as the remote address, the device obtains the remote address in either of the following modes:

  • Static mode: The device obtains the remote address based on the manually configured mapping between the domain name and IP address.
  • Dynamic mode: The device obtains the remote address from the DNS server.

To improve network reliability, the headquarters provides four devices for branch gateways to access. In an IPSec policy, two remote IP addresses or domain names of the IKE peer can be configured on the branch gateway. The branch gateway attempts to use the first IP address or domain name to establish an IKE connection with the headquarters gateway. If the connection fails, the branch gateway uses the second IP address or domain name to establish an IKE connection, and so on.

If the IP address of the first IKE peer is unreachable when two IP addresses are configured, the branch gateway switches to the second IP address only after IKE connection establishment fails or dead peer detection (DPD) fails, which takes a long time. To reduce this time and determine the validity of the IKE peer address in real time, configure association between IKE negotiation and NQA or BFD so that the link status is detected and the validity of the IKE peer address is checked based on the detection result.

In NAT traversal scenarios, when two ends use IKEv2, you can run the remote-address authentication-address start-ipv4-address [ end-ipv4-address ] command to specify the pre-NAT IP address or IP address segment as the authentication address if IP addresses need to be verified.

Prerequisites

  • The VPN instance has been created using the ip vpn-instance command and the route distinguisher (RD) has been configured for the VPN instance using the route-distinguisher command if vpn-instance vpn-instance-name is specified.
  • An NQA test instance has been created using the nqa command and the NQA test instance type has been set to ICMP using the test-type command if nqa admin-name test-name is specified.
  • A BFD session has been created using the bfd bind peer-ip command, and the local and remote discriminators have been set for the BFD session using the discriminator command, if bfd-session session-name is specified.

Precautions

  • When an IPSec policy is used, if the local device functions as the initiator, run the remote-address command so that the initiator can use this address to search for the responder. Because both ends may be the initiator, run the remote-address command at both ends. The remote-address command is not required when the IKE peer functions as the responder and uses an IPSec policy template to establish an IPSec policy.

  • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

  • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

  • When an IPSec profile is used, the destination address of the IPSec tunnel interface configured using the destination command is preferentially used as the remote address for IKE negotiation. When the remote-address and destination commands are configured at the same time, ensure that the configured IP addresses are the same; otherwise, IKE negotiation will fail. To implement IKE peer redundancy, do not configure the destination command on the IPSec tunnel interface. Instead, configure the remote-address command on the IKE peer referenced by the IPSec profile.
  • The remote IP address (remote-address) at the local end must be the same as the local IP address (local-address) at the remote end.

  • The VPN instance specified by vpn-instance-name must be the same as the VPN instance that is configured by the ip binding vpn-instance command and bound to the physical interface negotiating IPSec tunnel setup.
  • If more than one remote IP address or domain name is configured, the specified vpn-instance-name must be the same.
  • If multiple remote IP addresses are configured, the device with redundant addresses must function as the IKE negotiation initiator.

Example

# Set the remote IP address of IKE peer peer1 to 10.1.1.1.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] remote-address 10.1.1.1
# Configure association between the IKE peer huawei with NQA and specify IP address 10.1.1.1 as the peer address for IKE negotiation when the NQA test instance (administrator name admin and instance name test) status is Up.
<Huawei> system-view
[Huawei] nqa test-instance admin test
[Huawei-nqa-admin-test] test-type icmp
[Huawei-nqa-admin-test] destination-address ipv4 10.1.1.1
[Huawei-nqa-admin-test] quit
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] remote-address 10.1.1.1 track nqa admin test up
# Configure association between the IKE peer huawei and BFD and use the IP address 10.1.1.2 as the peer address for IKE negotiation when the status of the BFD session test is Up.
<Huawei> system-view
[Huawei] interface gigabitethernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip address 10.1.1.1 255.255.255.0
[Huawei-GigabitEthernet0/0/1] quit
[Huawei] bfd
[Huawei-bfd] quit
[Huawei] bfd test bind peer-ip 10.1.1.2 interface gigabitethernet 0/0/1
[Huawei-bfd-session-test] discriminator local 10
[Huawei-bfd-session-test] discriminator remote 20
[Huawei-bfd-session-test] commit
[Huawei-bfd-session-test] quit
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] remote-address 10.1.1.2 track bfd-session test up

remote-address (Efficient VPN policy view)

Function

The remote-address command configures an IP address or domain name for the remote IKE peer during IKE negotiation.

The undo remote-address command deletes an IP address or domain name for the remote IKE peer during IKE negotiation.

By default, no IP address or domain name is configured for the remote IKE peer during IKE negotiation.

Format

remote-address { ip-address | host-name host-name } { v1 | v2 }

undo remote-address [ ip-address | host-name host-name ]

Parameters

Parameter

Description

Value

ip-address

Specifies the IP address of the remote IKE peer.

The value is in dotted decimal notation.

host-name host-name

Specifies the domain name of the remote IKE peer.

The value is an existing remote IKE peer domain name.

v1

Indicates that both ends use IKEv1.

-

v2

Indicates that both ends use IKEv2.

-

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The remote-address command configures an IP address or domain name for the remote IKE peer in an Efficient VPN policy. If the domain name is configured for the remote IKE peer, the IP address of the remote IKE peer is obtained in either of the following modes:
  • Static mode: The IP address of the remote IKE peer is obtained based on the mapping between the domain name and IP address.
  • Dynamic mode: The IP address of the remote IKE peer is obtained from the DNS server.

To improve network reliability, two devices can be deployed at the headquarters to connect to the branch gateway. In an Efficient VPN solution, two IP addresses or domain names of the remote IKE peer can be configured on the branch gateway. The branch gateway first attempts to use the first configured IP address or domain name to establish an IKE connection with the headquarters gateway. If establishing an IKE connection fails, the branch gateway uses the second IP address or domain name to establish an IKE connection.

Precautions

When you configure IP addresses or domain names for two remote IKE peers, both entries must be of the same value type (both IP addresses or both domain names) and must specify the same IKE version (both v1 or both v2). Generally, only one device is deployed at the headquarters to connect to the branch gateway, so only one remote address is configured.

Example

# Assign the IP addresses 10.1.1.1 and 10.1.2.1 to the remote peer in the Efficient VPN policy view.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] remote-address 10.1.1.1 v1
[Huawei-ipsec-efficient-vpn-evpn] remote-address 10.1.2.1 v1

# Set the domain name of the remote peer to mypeer in the Efficient VPN policy view.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] remote-address host-name mypeer v1

remote-id

Function

The remote-id command specifies the remote ID for IKE negotiation.

The undo remote-id command deletes the remote ID for IKE negotiation.

By default, the remote ID for IKE negotiation is not configured.

Format

remote-id id

undo remote-id

Parameters

Parameter Description Value
id Specifies the remote ID. The value is a string of 1 to 255 case-sensitive characters including special characters, such as the exclamation point (!), at sign (@), number sign (#), dollar sign ($), and percent (%).

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If the remote ID type of the IKE peer is IP, DN, FQDN, or USER-FQDN, you can run this command to set a value for the remote ID.

During IKE negotiation, you can run the remote-id-type and remote-id commands to configure the remote ID type and remote ID for authentication.

Precautions

  • In IKEv1, the configured remote ID is used to authenticate only the peer.
  • In IKEv2, the configured remote ID can be sent to the peer to check whether the local ID of the peer is the same as this remote ID.

Example

Set the remote ID of IKE peer peer1 when pre-shared key authentication is used and the remote ID type is FQDN or USER-FQDN.
# Set the remote end of the tunnel.
<Huawei_A> system-view
[Huawei_A] ike local-name device_A
# Set the local end of the tunnel.
<Huawei_B> system-view
[Huawei_B] ike peer peer1
[Huawei_B-ike-peer-peer1] remote-id device_A 
Set the remote ID of IKE peer peer1 when digital signature authentication is used.
  • If the remote ID type is DN, set the remote ID as follows:

    <Huawei> system-view
    [Huawei] ike peer peer1
    [Huawei-ike-peer-peer1] remote-id /C=CN/ST=beijing

    If remote-id is set to the subject field in the certificate entity, the format is as follows: "/"+"subject". Note that spaces in the subject field are omitted and the comma is replaced by slash (/). For example, if the subject field is C=CN, ST=beijing, the command is remote-id /C=CN/ST=beijing.

  • If the remote ID type is FQDN, set the remote ID as follows:

    <Huawei> system-view
    [Huawei] ike peer peer1
    [Huawei-ike-peer-peer1] remote-id www.hw.com
  • If the remote ID type is USER-FQDN, set the remote ID as follows:

    <Huawei> system-view
    [Huawei] ike peer peer1
    [Huawei-ike-peer-peer1] remote-id user@hw.com
# Set the remote peer name to Huawei in the Efficient VPN policy view.
<Huawei> system-view
[Huawei] ipsec efficient-vpn name mode client
[Huawei-ipsec-efficient-vpn-name] remote-id Huawei
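The following Python example is added here and is not code from the command reference or from Huawei. It implements the DN formatting rule stated above (prefix "/", drop spaces, replace each comma with "/") and the remote ID check that the configured remote ID type and remote ID imply: IP, FQDN and USER-FQDN compare case-sensitively, DN compares the peer's certificate subject after normalising it to the remote-id form, and none skips the check. The function names, the treatment of escaped commas (not handled) and the sample IDs are assumptions.

```python
from typing import Optional


def subject_to_remote_id(subject: str) -> str:
    """Turn a certificate subject such as 'C=CN, ST=beijing' into the value the
    remote-id command expects for a DN: '/' + subject with spaces dropped and
    each comma replaced by '/'. Escaped commas inside values are not handled."""
    parts = [p for p in subject.replace(" ", "").split(",") if p]
    return "/" + "/".join(parts)


def remote_id_matches(id_type: str, configured: Optional[str],
                      presented_type: str, presented: str) -> bool:
    """Decide whether the ID the peer presents satisfies the configured
    remote-id-type / remote-id pair.

    id_type: 'ip', 'dn', 'fqdn', 'user-fqdn' or 'none' ('any' is not modelled).
    configured: the remote-id value, already in the command's own format.
    presented: the peer's ID; for DN this is the certificate subject as written.
    """
    if id_type == "none":
        return True                      # page: type and ID are not checked
    if id_type == "any":
        raise ValueError("'any' semantics are not modelled in this example")
    if presented_type != id_type:
        return False                     # wrong ID type is a mismatch
    if configured is None:
        return False                     # type configured but no ID to compare
    if id_type == "dn":
        return subject_to_remote_id(presented) == configured
    return configured == presented       # case-sensitive, per the value rules


def demo() -> dict:
    """Constructed checks covering each ID type."""
    return {
        "dn_example": subject_to_remote_id("C=CN, ST=beijing"),
        "dn_match": remote_id_matches("dn", "/C=CN/ST=beijing", "dn", "C=CN, ST=beijing"),
        "fqdn_match": remote_id_matches("fqdn", "www.hw.com", "fqdn", "www.hw.com"),
        "fqdn_case": remote_id_matches("fqdn", "www.hw.com", "fqdn", "WWW.hw.com"),
        "type_mismatch": remote_id_matches("dn", "/C=CN/ST=beijing", "fqdn", "www.hw.com"),
        "none_skips": remote_id_matches("none", None, "fqdn", "anything"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With pre-shared key authentication the remote ID is the only thing tying a key to a peer, so a check that is skipped (none) or too loose lets any holder of the key claim any identity; keep the ID type explicit on both ends.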

remote-id-type

Function

The remote-id-type command configures the remote ID type for IKE negotiation.

The undo remote-id-type command cancels the remote ID type.

By default, no remote ID type is configured.

Format

remote-id-type { any | dn | fqdn | ip | user-fqdn | none }

undo remote-id-type

Parameters

Parameter Description Value
any Specifies that the remote ID can be of any type. -
dn

Specifies the distinguished name (DN) as the remote ID.

-
fqdn

Specifies the host name of the remote end as the remote ID.

-
ip

Specifies the IP address of the remote end as the remote ID.

-
user-fqdn

Specifies the user domain name of the remote end as the remote ID.

-
none

Specifies the remote ID type of an IKE peer as none.

After this parameter is specified, the remote ID type and remote ID are not checked during IKE negotiation.

-

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Identity authentication is a protection mechanism for IKE negotiation. This mechanism ensures device security by confirming identities of communication parties. IKE peers can use different types of IDs. This command configures the remote ID type of an IKE peer.

Precautions

  • The local ID type can be different from the remote ID type. You can use commands to specify the local and remote ID types.
  • If IKEv1 is used, pre-shared key authentication requires the local ID on the local end to be the same as the remote ID on the remote end. If IKEv2 is used, pre-shared key authentication requires the local ID type and local ID on the local end to be the same as the remote ID type and remote ID on the remote end.
  • For RSA signature authentication, the remote ID type or remote ID on the local end must be consistent with corresponding fields in the local certificate on the remote end.
Support for remote ID types and the command used to configure the remote ID differ by authentication mode. Table 11-67 describes the details.
Table 11-67  Relationships among the remote ID type, remote ID, and authentication mode
Pre-shared key authentication (pre-share):
  • IP: Supported. To set the remote ID, run the remote-address (IKE peer view) command.
  • DN: Not supported.
  • FQDN: Supported. To set the remote ID, run the remote-id command. The remote IKE peer uses this ID for identity authentication.
  • USER-FQDN: Supported. To set the remote ID, run the remote-id command. The remote IKE peer uses this ID for identity authentication.
RSA signature authentication (rsa-signature):
  • IP: Supported. To set the remote ID, run the remote-address (IKE peer view) command.
  • DN: Supported. To set the remote ID, run the remote-id command. The remote IKE peer uses the ID in the corresponding certificate field for identity authentication.
  • FQDN: Supported. To set the remote ID, run the remote-id command. The remote IKE peer uses the ID in the corresponding certificate field for identity authentication.
  • USER-FQDN: Supported. To set the remote ID, run the remote-id command. The remote IKE peer uses the ID in the corresponding certificate field for identity authentication.

Example

# Set the remote ID type of IKE peer peer1 to FQDN for pre-shared key authentication.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] remote-id-type fqdn

reset ike error-info

Function

The reset ike error-info command clears information about IPSec tunnel negotiation failures using IKE.

Format

reset ike error-info

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

You can run the display ike error-info command to view information about IPSec tunnel negotiation failures using IKE.

Example

# Clear information about IPSec tunnel negotiation failures using IKE.

<Huawei> reset ike error-info

reset ike offline-info

Function

The reset ike offline-info command clears information about deleted IPSec tunnels established through IKE negotiation.

Format

reset ike offline-info

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

You can run the display ike offline-info command to check the reasons why IPSec tunnels established through IKE negotiation have been deleted.

Example

# Clear information about deleted IPSec tunnels established using IKE negotiation.

<Huawei> reset ike offline-info

reset ike sa

Function

The reset ike sa command clears information about SAs established through IKE negotiation.

Format

reset ike sa [ conn-id conn-id | remote ipv4-address ]

Parameters

Parameter Description Value
conn-id conn-id Specifies the connection ID of an SA. The value is an integer that ranges from 1 to 4294967295.
remote ipv4-address Specifies the IPv4 address of the remote end. The value is in dotted decimal notation.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

To clear an IPSec tunnel established through IKE negotiation, run the reset ike sa command to clear the IKE SA that is used to negotiate the IPSec tunnel.

There are two types of SAs established by IKE negotiation: IKE SAs in phase 1 and IPSec SAs in phase 2. IKE SAs in phase 1 are used for IKE negotiation. Under the protection of these IKE SAs, IPSec SAs in phase 2 are used to protect data flows.

  • If the specified conn-id parameter corresponds to an IKE SA in phase 1, IKE peers do not automatically negotiate an IKE SA after the IKE SA is cleared. The IKE peers re-negotiate an IKE SA in phase 1 only when data flows match ACL rules in the IPSec policy again.
  • If the specified conn-id parameter corresponds to an IPSec SA in phase 2, either of the following will occur:
    • Automatic triggering mode: The IKE peers re-negotiate an IPSec SA in phase 2 under the protection of the IKE SA in phase 1 after the IPSec SA is cleared.
    • Traffic-based triggering mode: The IKE peers do not automatically negotiate an IPSec SA after the IPSec SA is cleared. They re-negotiate an IPSec SA in phase 2 under the protection of the IKE SA in phase 1 only when data flows match ACL rules in the IPSec policy again.
  • If the conn-id parameter is not specified, all IKE SAs in phase 1 are cleared, and IKE negotiation process is similar to that described above.

Precautions

When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

After dependency between IPSec SA and IKE SA during IKEv1 negotiation is disabled using the undo ikev1 phase1-phase2 sa dependent command, running the reset ike sa conn-id command to delete an IKE SA will also delete the corresponding IPSec SA.

Example

# Clear IKE SAs in both phases.

<Huawei> reset ike sa

reset ike statistics

Function

The reset ike statistics command clears IKE statistics.

Format

reset ike statistics

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored after being cleared.

To diagnose and locate faults of IPSec tunnels established using IKE, you can collect IKE statistics in a given period of time. You can run the reset ike statistics command to clear historical IKE statistics before starting statistics collection. You can then run the display ike statistics command to check IKE statistics.

Example

# Clear IKE statistics.

<Huawei> reset ike statistics

reset ipsec history record

Function

The reset ipsec history record command clears history information about IPSec tunnels.

Format

reset ipsec history record

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored once being cleared.

You can run the display ipsec history record command to view history information about the current IPSec tunnel.

Example

# Clear history information about IPSec tunnels.

<Huawei> reset ipsec history record

reset ipsec sa

Function

The reset ipsec sa command deletes IPSec SAs.

Format

reset ipsec sa [ remote ipv4-address | policy policy-name [ seq-number ] | parameters ipv4-address { ah | esp } spi | efficient-vpn efficient-vpn-name | profile profile-name ]

Parameters

Parameter Description Value
remote ipv4-address Specifies the IPv4 address of the remote end. The value is in dotted decimal notation.
policy policy-name [ seq-number ] Specifies the name and sequence number of an IPSec policy.

If seq-number is not specified, all the IPSec policies in the IPSec policy group with the specified name are used.

The value must be an existing IPSec policy name or sequence number.
profile profile-name Specifies the name of an IPSec profile.

If profile is not specified, IPSec SAs established using all IPSec profiles are deleted.

The value must be an existing IPSec profile name.
parameters ipv4-address { ah | esp } spi Specifies the three elements that uniquely identify an IPSec SA. The three elements are ipv4-address (destination address), protocol (AH or ESP), and Security Parameter Index (SPI). To reset an SA, the three elements must be specified.

If parameters is not specified, IPSec SAs established using any security protocol are deleted.

The three elements are described as follows:
  • ipv4-address: IPv4 address.
  • protocol: AH or ESP.
  • spi: an integer that ranges from 256 to 4294967295.

efficient-vpn efficient-vpn-name

Specifies the name of an Efficient VPN policy.

The value is an existing Efficient VPN policy name.

Views

User view

Default Level

3: Management level

Usage Guidelines

When you run the reset ipsec sa command to delete IPSec SAs, note the following points:
  • When the number of IPSec tunnels is larger than 50% of the maximum limit, high CPU usage alarms may be generated in a short period of time after the command is run. After all the SAs are cleared, the CPU usage restores to the normal range.

  • If no parameter is specified, all IPSec SAs are deleted.

  • If parameters is specified, the IPSec SAs in two directions are deleted simultaneously.

  • If a manually created IPSec SA is deleted, the device automatically re-creates it based on the manually configured parameters.

  • To delete IPSec SAs established through IKE negotiation, you must run the reset ipsec sa and reset ike sa commands in sequence. Otherwise, IPSec SAs established through IKE negotiation fail to be deleted. After the IPSec SAs are deleted, IKE peers re-negotiate IPSec SAs only when packets trigger IKE negotiation.

Example

# Delete all the IPSec SAs.
<Huawei> reset ipsec sa
# Delete the IPSec SA with remote IP address 10.1.1.2.
<Huawei> reset ipsec sa remote 10.1.1.2
# Delete all IPSec SAs created through IPSec policy group policy1.
<Huawei> reset ipsec sa policy policy1
# Delete the IPSec SA with IPSec policy name policy1 and sequence number 10.
<Huawei> reset ipsec sa policy policy1 10
# Delete the IPSec SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.
<Huawei> reset ipsec sa parameters 10.1.1.2 ah 10000
# Delete the IPSec SA established through IPSec profile profile1.
<Huawei> reset ipsec sa profile profile1

reset ipsec statistics

Function

The reset ipsec statistics command deletes statistics about IPSec packets.

Format

reset ipsec statistics

Parameters

None.

Views

User view

Default Level

3: Management level

Usage Guidelines

Usage Scenario

Before collecting statistics about IPSec packets within a given period of time, run this command to delete existing statistics.

Precautions

The deleted statistics about IPSec packets cannot be restored. Exercise caution when you run this command.

Example

# Delete statistics about all IPSec packets.

<Huawei> reset ipsec statistics

reset ipsec statistics route

Function

The reset ipsec statistics route command clears IPSec route injection statistics.

Format

reset ipsec statistics route

Parameters

None

Views

User view

Default Level

3: Management level

Usage Guidelines

Statistics cannot be restored once being cleared.

When locating IPSec route injection problems, you can collect the IPSec route injection statistics only within a specified period for fault location. Before collecting the statistics, run the reset ipsec statistics route command to clear the historical statistics and then run the display ipsec statistics route command to view IPSec route statistics.

Example

# Clear IPSec route injection statistics.

<Huawei> reset ipsec statistics route

reset ipsec proto-protect statistics

Function

The reset ipsec proto-protect statistics command clears statistics about packets processed by IPSec.

Format

reset ipsec proto-protect statistics [ sa-name sa-name ]

Parameters

Parameter Description Value
sa-name sa-name Specifies the IPSec Security Association (SA) name. The value is an existing IPSec Security Association name.

Views

User view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Before collecting statistics about packets processed by IPSec in a specified length of time, you can run the reset ipsec proto-protect statistics command to clear the original statistics.

Follow-up Procedure

Run the display ipsec proto-protect statistics command to check statistics about packets processed by IPSec.

Precautions

The statistics cannot be restored after being cleared. Therefore, confirm the action before running this command.

Example

# Clear statistics about packets processed by IPSec.

<Huawei> reset ipsec proto-protect statistics

respond-only enable

Function

The respond-only enable command configures the local end as the IPSec responder that does not initiate IPSec negotiation.

The undo respond-only enable command cancels the configuration.

By default, if the local end establishes an IPSec tunnel using the ISAKMP IPSec policy, the local end initiates IPSec negotiation.

Format

respond-only enable

undo respond-only enable

Parameters

None

Views

ISAKMP IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

If the IPSec peers establish IPSec tunnels using the ISAKMP IPSec policy, both ends initiate negotiation. You can configure one end as the responder that does not initiate negotiation, which can help you check the packet processing, and therefore diagnose and locate IPSec faults.

Example

# Configure the peer in ISAKMP IPSec policy policy1 with sequence number 100 as the responder for IPSec negotiation.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] respond-only enable

resource acl

Function

The resource acl command defines subnet information of the headquarters on the Efficient VPN server.

The undo resource acl command cancels the configuration.

By default, no subnet information of the headquarters is defined on the Efficient VPN server.

Format

resource acl acl-number

undo resource acl

Parameters

Parameter

Description

Value

acl-number

Specifies the number of an advanced ACL.

The value is an integer that ranges from 3000 to 3999.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The Efficient VPN server delivers headquarters network information defined in an ACL to the remote device. The ACL defines the headquarters subnets that branches can access. Traffic not destined for the subnets specified in the ACL is directly forwarded to the Internet. Such traffic does not pass through the IPSec tunnel.

When an Efficient VPN policy is configured, this command is used on the Efficient VPN server. You can reference the IKE peer on the Efficient VPN server to implement ACL delivery.

Prerequisites

An advanced ACL has been created.

Precautions

This command is only valid for IKEv1.

The sum of ACL rules pushed by the headquarters and ACL rules configured on the branch cannot exceed 512. Otherwise, the IPSec tunnels cannot be established.

Example

# Configure ACL 3100 that defines headquarters subnet information on the IPSec Efficient VPN server.

<Huawei> system-view
[Huawei] acl 3100
[Huawei-acl-adv-3100] rule 5 permit ip source 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3100] quit
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] resource acl 3100

route accept

Function

The route accept command configures the device to generate routes based on the received subnet route information and define the priority and tag value for the routes.

The undo route accept command disables the function that generates routes based on the received subnet route information.

By default, the device does not generate routes based on the received subnet route information.

Format

route accept [ preference preference-number ] [ tag tag-value ]

undo route accept

Parameters

Parameter

Description

Value

preference preference-number

Specifies the priority for the route generated based on the received subnet route information.

The value is an integer that ranges from 1 to 255.

tag tag-value

Specifies the tag value for the route generated based on the received subnet route information.

The value is an integer that ranges from 1 to 4294967295.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When virtual tunnel interfaces are used for IPSec tunnel setup, you can run this command to allow the local device to accept subnet route information sent by the remote device.

Precautions

The local device can accept subnet route information sent by the remote device only when both the route accept command and the config-exchange set accept command are configured.

This command is supported by IKEv2 only.

Example

# Configure the IKE peer named peer1 to accept subnet route information sent by the remote device and set the priority and tag value of the generated route to 20 and 256 respectively.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] route accept preference 20 tag 256

route inject

Function

The route inject command configures route injection.

The undo route inject command cancels the configuration.

By default, route injection is not configured.

Format

route inject [ nexthop ipv4-address ] { static | dynamic } [ preference preference ]

undo route inject

Parameters

Parameter Description Value
nexthop ipv4-address Specifies the next-hop IPv4 address to the remote end. The value is in dotted decimal notation.
static

Enables static route injection. The parameter is only available in the ISAKMP IPSec policy view.

-
dynamic

Enables dynamic route injection.

-
preference preference

Specifies the priority of a static route generated through route injection.

The value is an integer that ranges from 1 to 255. The default value is 60.

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an enterprise headquarters and its branch establish an IPSec tunnel, a static route to the branch subnet needs to be configured on the headquarters gateway. If there are many branch subnets, a large number of static routes need to be configured on the headquarters gateway. When branch subnets change, the static route configuration needs to be modified on the headquarters gateway, causing a difficulty in network maintenance. Route injection injects routes to branch subnets to the headquarters gateway based on IPSec tunnel information, which reduces manual configuration and improves configuration correctness. Route injection can also inject routes to headquarters subnets to the branch gateway based on IPSec tunnel information, implementing association between IPSec tunnel subnet information and routes.

Route injection works in two modes:

  • Static mode: The generated static route is added to the local device immediately and is independent of IPSec tunnel status changes.
  • Dynamic mode: The generated static route is added to the local device when the IPSec tunnel goes Up and deleted when the tunnel goes Down.

    Compared with static route injection, dynamic route injection tracks the IPSec tunnel status. It prevents IPSec peers from sending packets into an IPSec tunnel in Down state, reducing packet loss.

You can configure a priority for the static route generated through route injection. For example, when there is another route to the same destination as the static route, specify the same priority for the routes so that traffic can be load balanced. If different priorities are specified for the routes, the routes can back up each other.

Precautions

Only IPSec SAs established in IKE negotiation mode support the route injection function. Manually configured IPSec SAs do not support the route injection function.

The device does not support the route injection function when a Layer 2 interface is added to an IPSec policy group.

After the next hop is specified using the route inject nexthop command, the generated route is not used for IPSec packet forwarding if the IPSec tunnel remote address is not within the destination network segment of the injected route.

Example

# Set the priority of a static route generated through route injection to 10.

<Huawei> system-view
[Huawei] ipsec policy policy1 10 isakmp  
[Huawei-ipsec-policy-isakmp-policy1-10] route inject static preference 10

rsa encryption-padding

Function

The rsa encryption-padding command configures a padding mode for RSA encryption.

The undo rsa encryption-padding command restores the default padding mode for RSA encryption.

By default, the padding mode of RSA encryption is OAEP.

Format

rsa encryption-padding { oaep | pkcs1 }

undo rsa encryption-padding

Parameters

Parameter Description Value
oaep Sets the padding mode of RSA encryption to Optimal Asymmetric Encryption Padding (OAEP). -
pkcs1 Sets the padding mode of RSA encryption to Public-Key Cryptography Standards 1 (PKCS1). -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

On an IPSec-enabled network, identity authentication can be performed using an RSA digital envelope. PKCS#1 v1.5 encryption padding (pkcs1) is exposed to padding-oracle attacks of the Bleichenbacher type and therefore poses security risks. To improve network security, run the rsa encryption-padding command to set the padding mode of RSA encryption to OAEP.

Example

# Set the padding mode of RSA encryption to OAEP.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] rsa encryption-padding oaep
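The reference only says that pkcs1 carries security risks. The following added example, not from this reference or from Huawei, shows where the difference lies: pure-Python encoders and decoders for the padding layer of RSAES-PKCS1-v1_5 (RFC 8017 section 7.2) and RSAES-OAEP (section 7.1, SHA-256 with MGF1-SHA-256). The RSA modular exponentiation is deliberately omitted because the security property lives in the padding check; the modulus length K (RSA-2048) and the sample message are assumptions made for the example.

```python
"""EME-PKCS1-v1_5 versus EME-OAEP, the two paddings the rsa encryption-padding command selects.

Added example, not from the Huawei reference. Pure-Python encoders and
decoders for the padding layer of RSAES-PKCS1-v1_5 (RFC 8017 section 7.2) and
RSAES-OAEP (section 7.1, SHA-256 with MGF1-SHA-256). The RSA modular
exponentiation is deliberately left out: the security difference lives in the
padding check. K (a 2048-bit modulus) is an assumption made for the example.
"""
import hashlib
import secrets
from typing import Optional

K = 256                      # modulus length in bytes, RSA-2048 assumed
HASH = hashlib.sha256
HLEN = HASH().digest_size    # 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mgf1(seed: bytes, mask_len: int) -> bytes:
    """MGF1 mask generation function (RFC 8017 appendix B.2.1)."""
    out = b""
    for counter in range((mask_len + HLEN - 1) // HLEN):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:mask_len]


def pkcs1_v15_encode(msg: bytes, k: int = K) -> bytes:
    """EME-PKCS1-v1_5: 00 || 02 || PS (random non-zero bytes, at least 8) || 00 || M."""
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(1 + secrets.randbelow(255) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_decode(em: bytes) -> bytes:
    """EME-PKCS1-v1_5 decoding as it is commonly written.

    Each structural check fails differently. A decryptor that lets the peer
    distinguish these outcomes (error code, timing, whether a session proceeds)
    is a Bleichenbacher padding oracle: the fixed 00 02 prefix is what the
    attack queries. This is the risk behind the pkcs1 keyword.
    """
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def oaep_encode(msg: bytes, k: int = K, label: bytes = b"", seed: Optional[bytes] = None) -> bytes:
    """EME-OAEP: 00 || maskedSeed || maskedDB, with DB = lHash || PS || 01 || M."""
    if len(msg) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = HASH(label).digest()
    db = lhash + bytes(k - len(msg) - 2 * HLEN - 2) + b"\x01" + msg
    seed = secrets.token_bytes(HLEN) if seed is None else seed
    masked_db = _xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = _xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int = K, label: bytes = b"") -> bytes:
    """EME-OAEP decoding: every check is folded into one result and one generic
    error, as RFC 8017 requires, so a forged ciphertext reveals nothing about
    which check failed. The random seed also makes the padding non-constant."""
    if len(em) != k:
        raise ValueError("decryption error")
    lhash = HASH(label).digest()
    masked_seed, masked_db = em[1:1 + HLEN], em[1 + HLEN:]
    seed = _xor(masked_seed, mgf1(masked_db, HLEN))
    db = _xor(masked_db, mgf1(seed, k - HLEN - 1))
    sep = db.find(b"\x01", HLEN)
    ok = em[0] == 0
    ok &= secrets.compare_digest(db[:HLEN], lhash)
    ok &= sep >= 0 and not any(db[HLEN:sep])
    if not ok:
        raise ValueError("decryption error")
    return db[sep + 1:]
```

Run both decoders against a ciphertext with one flipped byte: the OAEP decoder always answers "decryption error", while the v1.5 decoder tells the caller which structural check failed, which is exactly the information a padding-oracle attacker needs.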

rsa signature-padding

Function

The rsa signature-padding command configures a padding mode for the RSA signature.

The undo rsa signature-padding command restores the default padding mode for the RSA signature.

By default, the padding mode of the RSA signature is PSS.

Format

rsa signature-padding { pkcs1 | pss }

undo rsa signature-padding

Parameters

Parameter Description Value
pkcs1 Sets the padding mode of the RSA signature to Public-Key Cryptography Standards 1 (PKCS1). -
pss Sets the padding mode of the RSA signature to Probabilistic Signature Scheme (PSS). -

Views

IKE peer view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

On an IPSec-enabled network, identity authentication can be performed using an RSA signature or digital envelope. When the padding mode of the RSA signature is PKCS1, there are security risks; PSS is the signature padding scheme that RFC 8017 recommends for new applications. To improve network security, run the rsa signature-padding command to set the padding mode of the RSA signature to PSS.

Example

# Set the padding mode of the RSA signature to PSS.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] rsa signature-padding pss

sa authentication-hex

Function

The sa authentication-hex command configures an authentication key for an IPSec SA in hexadecimal notation.

The undo sa authentication-hex command cancels the configuration.

By default, the authentication key is not configured for an IPSec SA.

Format

sa authentication-hex { inbound | outbound } { ah | esp } { simple | cipher } hex-string

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Sets an authentication key for the inbound IPSec SA. IPSec uses the inbound IPSec SA to process incoming packets. -
outbound Sets an authentication key for the outbound IPSec SA. IPSec uses the outbound IPSec SA to process outgoing packets. -
ah Sets an authentication key using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the authentication key is set based on the ah keyword. -
esp Sets an authentication key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. -
simple

Indicates plain text authentication key. Type in an authentication key in plain text. The authentication key is displayed in plain text in the configuration file.

NOTICE:

If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

-

cipher

Indicates the cipher authentication key. You can enter an authentication key in plain text or cipher text. The authentication key is displayed in cipher text in the configuration file.

-

hex-string Sets an authentication key for the IPSec SA.

The value is in the hexadecimal format.

  • If MD5 is used, the key length is 16 bytes.
  • If SHA1 is used, the key length is 20 bytes.
  • If SHA2-256 is used, the key length is 32 bytes.
  • If SHA2-384 is used, the key length is 48 bytes.
  • If SHA2-512 is used, the key length is 64 bytes.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When manually configuring an IPSec policy, you must configure an authentication key for the inbound/outbound IPSec SA. The authentication key can be a hexadecimal number or a character string.

  • The sa authentication-hex command sets an authentication key in hexadecimal notation.

  • The sa string-key command sets a character string as the authentication key.

If two keys in different formats are configured, the key configured later takes effect.

Precautions

The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key on both ends of an IPSec tunnel must use the same format. For example, an IPSec SA cannot be established if the authentication key on one end is a character string but that on the other end is a hexadecimal number.

Example

# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI and authentication key of the inbound IPSec SA to 10000 and 0x112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00; set the SPI and authentication key of the outbound IPSec SA to 20000 and 0xaabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa authentication-hex inbound ah cipher 112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa authentication-hex outbound ah cipher aabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00

# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI and authentication key of the inbound IPSec SA to 20000 and 0xaabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00; set the SPI and authentication key of the outbound IPSec SA to 10000 and 0x112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa authentication-hex inbound ah cipher aabbccddeeff001100aabbccddeeff00112233445566778899aabbccddeeff00
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa authentication-hex outbound ah cipher 112233445566778899aabbccddeeff00aabbccddeeff001100aabbccddeeff00
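The precautions above (inbound key on one end equals outbound key on the other, same key format on both ends) together with the per-algorithm key lengths are what typically goes wrong when manual keying is done by hand. The following added example, not from this reference or from Huawei, generates fresh random SPIs and keys, emits the manual IPSec policy commands for both peers with the directions swapped, and validates key length against the algorithm and the SPI against the 256 to 4294967295 range the reference gives for reset ipsec sa parameters. The policy name, sequence number and dictionary layout are choices made here.

```python
"""Generate mirrored manual IPSec SA parameters for two peers.

Added example, not from the Huawei reference. It applies the rules the
reference states for sa spi and sa authentication-hex: the key length is fixed
by the authentication algorithm (16/20/32/48/64 bytes for MD5/SHA1/SHA2-256/
SHA2-384/SHA2-512), the SPI lies in 256..4294967295, and the local inbound SA
must equal the remote outbound SA and vice versa. Policy and proposal names
are placeholders chosen for this example.
"""
import secrets
from typing import Dict, List

# Authentication key length in bytes per algorithm, as listed in the reference.
KEY_LEN = {"md5": 16, "sha1": 20, "sha2-256": 32, "sha2-384": 48, "sha2-512": 64}
SPI_MIN, SPI_MAX = 256, 4294967295


def check_key(algorithm: str, hex_key: str) -> None:
    """Reject a key that is not hexadecimal or whose length does not fit the algorithm."""
    expected = KEY_LEN[algorithm]
    try:
        raw = bytes.fromhex(hex_key)
    except ValueError:
        raise ValueError("authentication key must be hexadecimal") from None
    if len(raw) != expected:
        raise ValueError(f"{algorithm} needs a {expected}-byte key, got {len(raw)} bytes")


def new_sa_pair(algorithm: str) -> Dict[str, object]:
    """Fresh random SPIs and keys for the two directions of one tunnel (A->B and B->A)."""
    def spi() -> int:
        return SPI_MIN + secrets.randbelow(SPI_MAX - SPI_MIN + 1)
    n = KEY_LEN[algorithm]
    return {
        "algorithm": algorithm,
        "a_to_b": {"spi": spi(), "key": secrets.token_hex(n)},
        "b_to_a": {"spi": spi(), "key": secrets.token_hex(n)},
    }


def peer_commands(policy: str, seq: int, protocol: str,
                  sa: Dict[str, object], local_is_a: bool) -> List[str]:
    """Manual IPSec policy view commands for one peer.

    For peer A the a_to_b SA is outbound; for peer B that same SA is inbound,
    so both sides end up with the same SPI and key on opposite directions,
    which is the mirroring the reference requires.
    """
    inbound = sa["b_to_a"] if local_is_a else sa["a_to_b"]
    outbound = sa["a_to_b"] if local_is_a else sa["b_to_a"]
    for direction in (inbound, outbound):
        check_key(sa["algorithm"], direction["key"])
        if not SPI_MIN <= direction["spi"] <= SPI_MAX:
            raise ValueError("SPI out of range")
    return [
        f"ipsec policy {policy} {seq} manual",
        f"sa spi inbound {protocol} {inbound['spi']}",
        f"sa authentication-hex inbound {protocol} cipher {inbound['key']}",
        f"sa spi outbound {protocol} {outbound['spi']}",
        f"sa authentication-hex outbound {protocol} cipher {outbound['key']}",
    ]


def mirrored(cmds_a: List[str], cmds_b: List[str]) -> bool:
    """True when A's inbound lines equal B's outbound lines and vice versa."""
    def pick(cmds: List[str], direction: str) -> List[str]:
        return [c.replace(direction, "X", 1) for c in cmds if f" {direction} " in c]
    return (pick(cmds_a, "inbound") == pick(cmds_b, "outbound")
            and pick(cmds_a, "outbound") == pick(cmds_b, "inbound"))


if __name__ == "__main__":
    sa = new_sa_pair("sha2-256")
    print("# local device"); print("\n".join(peer_commands("policy1", 1, "ah", sa, True)))
    print("# remote device"); print("\n".join(peer_commands("policy1", 1, "ah", sa, False)))
```

The keys are emitted with the cipher keyword so that the configuration file stores them in cipher text; the generator output itself is plaintext key material and should be handled (and discarded) accordingly.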

sa authentication-hex (SA view)

Function

The sa authentication-hex command sets an authentication key for Security Associations (SAs) in hexadecimal format, entered in plain text or cipher text.

The undo sa authentication-hex command deletes an authentication key from SAs.

By default, no authentication key is created.

Format

sa authentication-hex { inbound | outbound } { ah | esp } [ cipher ] { hex-plain-key | hex-cipher-key }

undo sa authentication-hex { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming packets.

-

outbound

Specifies SA parameters for outgoing packets.

-

ah

Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa authentication-hex command.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa authentication-hex command.

-

cipher

Indicates the ciphertext used for authentication.

-

hex-plain-key

Sets the authentication password to be in plaintext format.

The value is in hexadecimal notation.
  • If authentication algorithm Message Digest 5 (MD5) is used, the length of the key is 16 bytes.
  • If authentication algorithm Secure Hash Algorithm-1 (SHA-1) is used, the length of the key is 20 bytes.
  • If authentication algorithm SHA2-256 is used, the length of the key is 32 bytes.
hex-cipher-key

Sets the authentication password to be in ciphertext format.

The value is a string of case-insensitive characters without spaces.
  • If authentication algorithm MD5 is used, the length of the key is 68 characters.
  • If authentication algorithm SHA-1 is used, the length of the key is 88 characters.
  • If authentication algorithm SHA2-256 is used, the length of the key is 108 characters.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH and ESP can use MD5, SHA-1, or SHA-2, each of which requires an authentication key in string or hexadecimal format. To supply the authentication key in hexadecimal format, run the sa authentication-hex command.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the string format, run the sa string-key command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPSec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Example

# Configure an authentication key in the hexadecimal format for the SA named sa1.

<Huawei> system-view
[Huawei] ipsec sa sa1
[Huawei-ipsec-sa-sa1] sa authentication-hex inbound ah abcdeF1234567891abcdeF1234567891

sa binding vpn-instance

Function

The sa binding vpn-instance command binds a VPN instance to an IPSec tunnel.

The undo sa binding vpn-instance command deletes a VPN instance from an IPSec tunnel.

By default, no VPN instance is bound to an IPSec tunnel.

Format

sa binding vpn-instance vpn-instance-name

undo sa binding vpn-instance

Parameters

Parameter Description Value
vpn-instance-name Specifies the name of the VPN instance to be bound to an IPSec tunnel.

The value must be an existing VPN instance name.

Views

IKE peer view, manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When multiple branches connect to the headquarters network across the Internet using IPSec, you can run the sa binding vpn-instance command to bind a VPN instance to each IPSec tunnel, thereby isolating the traffic of different branches.

When configuring IPSec multi-instance, note the following points:
  • If an IPSec policy is created using IKE and no VPN instance is specified, run the sa binding vpn-instance command in the IKE peer view to specify the VPN instance bound to the IPSec tunnel. The bound domain must be the same as the domain bound to the virtual interface that is generated during VPN instance creation.
  • If an IPSec policy is created manually, run the sa binding vpn-instance command in the manual IPSec policy view to specify the VPN instance bound to the IPSec tunnel.
  • In IPSec multi-instance, the security zone of decapsulated packets is identified by the decrypted packets inspection function, so that function must be enabled.

Prerequisites

The VPN instance has been created using the ip vpn-instance command and the route distinguisher (RD) has been configured for the VPN instance using the route-distinguisher command.

Precautions

The VPN instance specified by the sa binding vpn-instance command must be the same as the VPN instance bound to the ACL referenced by the IPSec tunnel.

Example

# Configure the VPN instance vpna that IPSec tunnel traffic belongs to in the IPSec policy in manual mode.

<Huawei> system-view
[Huawei] ip vpn-instance vpna
[Huawei-vpn-instance-vpna] ipv4-family
[Huawei-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Huawei-vpn-instance-vpna-af-ipv4] quit
[Huawei-vpn-instance-vpna] quit
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] sa binding vpn-instance vpna

sa binding vpn-instance (Efficient VPN policy view)

Function

The sa binding vpn-instance command binds a VPN instance to an IPSec tunnel.

The undo sa binding vpn-instance command unbinds a VPN instance from an IPSec tunnel.

By default, no VPN instance is bound to an IPSec tunnel.

Format

sa binding vpn-instance vpn-instance-name

undo sa binding vpn-instance

Parameters

Parameter

Description

Value

vpn-instance-name

Specifies the name of the VPN instance bound to an IPSec tunnel.

The value is an existing VPN instance name.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Applicable environment

On a VPN with small sites, where CEs and PEs are connected over the Internet rather than leased lines, hosts attached to a CE can reach resources on another VPN site only across the insecure Internet. To enhance access security, these hosts can connect to the VPN backbone network through an IPSec tunnel.

This command specifies the VPN instance that the remote end of the IPSec tunnel belongs to. The tunnel initiator can then obtain the outbound interface and send packets through it.

Prerequisites

A VPN instance has been created using the ip vpn-instance command.

A route distinguisher (RD) for the VPN instance has been configured using the route-distinguisher command.

Example

# Bind the VPN instance vpna to the Efficient VPN policy evpn.

<Huawei> system-view
[Huawei] ip vpn-instance vpna
[Huawei-vpn-instance-vpna] ipv4-family
[Huawei-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Huawei-vpn-instance-vpna-af-ipv4] vpn-target 100:100
[Huawei-vpn-instance-vpna-af-ipv4] quit
[Huawei-vpn-instance-vpna] quit
[Huawei] ipsec efficient-vpn evpn mode client
[Huawei-ipsec-efficient-vpn-evpn] sa binding vpn-instance vpna

sa duration (IKE proposal view)

Function

The sa duration command specifies the IKE SA hard lifetime for an IKE proposal.

The undo sa duration command restores the default IKE SA hard lifetime.

By default, the IKE SA hard lifetime is 86400 seconds.

Format

sa duration seconds

undo sa duration

Parameters

Parameter Description Value
seconds

Specifies the IKE SA hard lifetime. The IKE SA is automatically updated after the hard lifetime expires.

The value is an integer that ranges from 60 to 604800, in seconds.

Views

IKE proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After an SA lifetime is set, SAs are refreshed regularly, which makes them harder to decipher and enhances security.

The IKE SA lifetime is classified as follows:
  • Hard lifetime (hard timeout period): specifies the lifetime of an IKE SA.

    When two devices negotiate an IKE SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime (soft timeout period): refers to the time after which a new IKE SA is negotiated so that the new IKE SA will be ready before the hard lifetime of the original IKE SA expires.

    Table 11-68 lists the default soft lifetime values.
    Table 11-68  Soft lifetime values
    IKE Protocol Type Description
    IKEv1 70% of the actual hard SA lifetime
    IKEv2 65% to 75% of the actual hard SA lifetime

Before an IKE SA becomes invalid, IKE negotiates a new IKE SA with the remote end. The remote end uses the new IKE SA to protect IPSec communication immediately after it is negotiated. If service traffic is being transmitted, the original IKE SA is deleted immediately. If no service traffic is transmitted, the original IKE SA is deleted after 10s or when its hard lifetime expires.

Precautions

IKE negotiation requires DH calculation, which takes a long time. Therefore, you are advised to set the IKE SA hard lifetime to a value longer than 10 minutes to make sure that the update of IKE SAs does not affect secure communication.

During IKEv1 negotiation, the responder cannot initiate IKE SA renegotiation after the IKE SA soft lifetime expires.

Example

# Set the IKE SA hard lifetime to 600 seconds for IKE proposal 10.

<Huawei> system-view
[Huawei] ike proposal 10
[Huawei-ike-proposal-10] sa duration 600

sa duration (ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view)

Function

The sa duration command sets the hard lifetime of IPSec SAs in an IPSec policy or profile.

The undo sa duration command restores the default configuration.

By default, the hard lifetime of IPSec SAs is not configured in an IPSec policy or profile. The system uses the global hard lifetime of IPSec SAs.

Format

sa duration { traffic-based kilobytes | time-based seconds }

undo sa duration { traffic-based | time-based }

Parameters

Parameter Description Value
traffic-based kilobytes Specifies the traffic-based SA hard lifetime.

It is recommended that the traffic volume be equal to or larger than the size of IPSec traffic forwarded in 1 hour.

The value is 0 or an integer from 256 to 200000000, in Kbytes.

  • IKEv1 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, both the local and remote devices disable the traffic timeout function.
  • IKEv2 for IPSec negotiation: If the traffic hard lifetime is set to 0 on either device, the local device disables the traffic timeout function.
During IPSec negotiation between a Huawei device and a Cisco device using IKEv1:
  • If the Huawei device functions as the initiator and the traffic hard lifetime is set to 0, the traffic hard lifetime value pushed by the Cisco device takes effect on the local end.
  • If the Huawei device functions as the responder and the traffic hard lifetime is set to 0, the value 0 takes effect on the local end.
time-based seconds Specifies the time-based SA hard lifetime.

When a large number of IPSec tunnels are established between two devices, you are advised to set the IPSec SA hard lifetime to a value larger than or equal to 1800s.

The value is an integer that ranges from 30 to 604800, in seconds.

Views

ISAKMP IPSec policy view, IPSec policy template view, IPSec profile view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

For a dynamic SA, configure the SA hard lifetime so that the SA is updated in real time, reducing the risk that it is cracked and improving security.

There are two methods to measure the lifetime:
  • Time-based lifetime

    The period from when an SA is set up to when it expires.

  • Traffic-based lifetime

    The maximum volume of traffic that this SA can process.

The lifetime is classified as follows:
  • Hard lifetime: specifies the lifetime of an IPSec SA.

    When two devices negotiate an IPSec SA, the actual hard lifetime is the smaller of the two values configured on the two devices.

  • Soft lifetime: specifies the time after which a new IPSec SA is negotiated so that the new IPSec SA will be ready before the hard lifetime of the original IPSec SA expires.

    Table 11-69 lists the default soft lifetime values.
    Table 11-69  Soft lifetime values
    Soft Lifetime Type Description
    Time-based soft lifetime (soft timeout period)

    The value is 70% of the actual hard lifetime (hard timeout period).

    Traffic-based soft lifetime (soft timeout traffic)
    • For IKEv1, the value is 70% of the actual hard lifetime (hard timeout traffic).
    • For IKEv2, the value is 65% to 75% of the actual hard lifetime (hard timeout traffic) plus or minus a random value.

Before an IPSec SA becomes invalid, IKE negotiates a new IPSec SA with the remote end. The remote end uses the new IPSec SA to protect IPSec communication immediately after it is negotiated. If service traffic is being transmitted, the original IPSec SA is deleted immediately. If no service traffic is transmitted, the original IPSec SA is deleted after 10s or when its hard lifetime expires.

If the time-based lifetime and traffic-based lifetime are both set for an IPSec SA, the IPSec SA becomes invalid when either lifetime expires.

Precautions

The SA lifetime can be configured globally (ipsec sa global-duration) or based on an IPSec policy or profile. If no SA lifetime is configured for the IPSec policy or profile, the global lifetime is used. If both the global SA lifetime and lifetime based on the IPSec policy or profile are configured, the latter one takes effect.

The SA lifetime applies only to SAs set up through IKE negotiation. It has no effect on manually configured SAs, which remain valid permanently.

During IKEv1 negotiation:
  • The responder cannot initiate IPSec SA renegotiation after the IPSec SA soft lifetime expires.
  • The initiator cannot initiate IPSec SA renegotiation when its IKE SA is deleted and the IPSec SA soft lifetime expires.

During IKEv2 negotiation, the initiator or responder cannot initiate IPSec SA renegotiation if the IKE SA is deleted and the IPSec SA soft lifetime expires.
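To make the lifetime rules of the two sa duration commands concrete, here is an added Python model (example code, not Huawei's; the function and constant names are mine) of the negotiated hard lifetime, the soft-lifetime window at which rekeying starts, the traffic-timeout disabling rule when one side configures 0, and the either-limit expiry rule for an IPSec SA with both lifetimes set.

```python
"""Model of the SA lifetime rules stated for the two 'sa duration' commands.

Added example, not Huawei code; function names are mine. Percentages are the
ones in Table 11-68 and Table 11-69; integer arithmetic keeps results exact.
"""

IKE_SA_MIN_S, IKE_SA_MAX_S = 60, 604800          # IKE proposal view range
IKE_SA_RECOMMENDED_MIN_S = 600                   # "longer than 10 minutes" advice
IPSEC_TIME_MIN_S, IPSEC_TIME_MAX_S = 30, 604800  # time-based range, IPSec policy view
IPSEC_KB_MIN, IPSEC_KB_MAX = 256, 200000000      # traffic-based range (0 = disabled)


def check_ike_sa_duration(seconds):
    """Validate an IKE proposal hard lifetime. Returns (accepted, note)."""
    if not IKE_SA_MIN_S <= seconds <= IKE_SA_MAX_S:
        return False, "out of range 60-604800 seconds"
    if seconds <= IKE_SA_RECOMMENDED_MIN_S:
        # DH computation during rekeying is slow; the reference advises > 10 min
        return True, "accepted, but not longer than the recommended 10 minutes"
    return True, "ok"


def check_ipsec_sa_duration(time_s=None, traffic_kb=None):
    """Validate the time-based and/or traffic-based IPSec SA hard lifetime."""
    if time_s is not None and not IPSEC_TIME_MIN_S <= time_s <= IPSEC_TIME_MAX_S:
        return False
    if traffic_kb is not None and traffic_kb != 0:
        if not IPSEC_KB_MIN <= traffic_kb <= IPSEC_KB_MAX:
            return False
    return True


def negotiated_hard_lifetime(local, remote):
    """The actual hard lifetime (seconds or kilobytes) is the smaller configured value."""
    return min(local, remote)


def soft_lifetime_window(hard, ike_version):
    """Return (low, high) for when rekeying starts: a fixed 70% of the actual
    hard lifetime under IKEv1, anywhere from 65% to 75% of it under IKEv2."""
    if ike_version == 1:
        soft = hard * 70 // 100
        return soft, soft
    if ike_version == 2:
        return hard * 65 // 100, hard * 75 // 100
    raise ValueError("ike_version must be 1 or 2")


def traffic_timeout_enabled_locally(local_kb, remote_kb):
    """A traffic hard lifetime of 0 on either device disables the traffic-based
    timeout on the local device (under IKEv1 it is disabled on both devices)."""
    return local_kb != 0 and remote_kb != 0


def ipsec_sa_expired(elapsed_s, processed_kb, time_hard_s, traffic_hard_kb):
    """With both lifetimes set, the IPSec SA is invalid once either one expires;
    traffic_hard_kb == 0 means the traffic-based timeout is disabled."""
    if elapsed_s >= time_hard_s:
        return True
    return traffic_hard_kb != 0 and processed_kb >= traffic_hard_kb


def rekey_plan(local_s, remote_s, ike_version):
    """Negotiated hard lifetime and soft-lifetime window for two configured values."""
    hard = negotiated_hard_lifetime(local_s, remote_s)
    low, high = soft_lifetime_window(hard, ike_version)
    return {"hard_s": hard, "soft_low_s": low, "soft_high_s": high}


if __name__ == "__main__":
    # Constructed values: local policy 7200 s (as in the example), remote 3600 s
    print(rekey_plan(7200, 3600, 1))   # {'hard_s': 3600, 'soft_low_s': 2520, 'soft_high_s': 2520}
    print(check_ike_sa_duration(600))  # (True, 'accepted, but not longer than the recommended 10 minutes')
```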

Example

# Set the IPSec SA hard lifetime in IPSec policy policy1 to 7200 seconds.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] sa duration time-based 7200

# Set the IPSec SA hard lifetime in IPSec policy policy2 to 20000 KB.

<Huawei> system-view
[Huawei] ipsec policy policy2 1 isakmp
[Huawei-ipsec-policy-isakmp-policy2-1] sa duration traffic-based 20000

# Set the IPSec SA hard lifetime in IPSec profile profile1 to 7200 seconds.

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] sa duration time-based 7200

# Set the IPSec SA hard lifetime in IPSec profile profile1 to 20000 KB.

<Huawei> system-view
[Huawei] ipsec profile profile1
[Huawei-ipsec-profile-profile1] sa duration traffic-based 20000

sa encryption-hex

Function

The sa encryption-hex command configures an encryption key for an IPSec SA.

The undo sa encryption-hex command cancels the configuration.

By default, the encryption key is not configured for an IPSec SA.

Format

sa encryption-hex { inbound | outbound } esp { simple | cipher } hex-string

undo sa encryption-hex { inbound | outbound } esp

Parameters

Parameter Description Value
inbound Sets an encryption key for the inbound IPSec SA. IPSec uses the inbound IPSec SA to process incoming packets. -
outbound Sets an encryption key for the outbound IPSec SA. IPSec uses the outbound IPSec SA to process outgoing packets. -
esp Sets an encryption key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the encryption key is set with the esp keyword. -

simple

Indicates the encryption key in plain text. The encryption key is displayed in plain text in the configuration file.

NOTICE:

If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

-

cipher

Indicates the encryption key in cipher text. You can enter the encryption key in plain text or cipher text. The encryption key is displayed in cipher text in the configuration file.

-

hex-string Sets an encryption key for the IPSec SA.

The value is a hexadecimal number.

  • If DES is used, the key length is 8 bytes.
  • If 3DES is used, the key length is 24 bytes.
  • If AES-128 is used, the key length is 16 bytes.
  • If AES-192 is used, the key length is 24 bytes.
  • If AES-256 is used, the key length is 32 bytes.
  • If SM4 is used, the key length is 16 bytes.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The sa encryption-hex command applies to manually created IPSec policies only. You do not need to set an encryption key for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the encryption key.

Precautions

When configuring manual IPSec policies, you must set encryption keys for the IPSec SAs in inbound and outbound directions. The inbound encryption key on the local end must be the same as the outbound encryption key on the remote end. The outbound encryption key on the local end must be the same as the inbound encryption key on the remote end.

Example

# In IPSec policy policy1 using ESP and AES-256, set the SPI and encryption key of the inbound IPSec SA to 10000 and 0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef; set the SPI and encryption key of the outbound IPSec SA to 20000 and 0xabcdefabcdef1234abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] proposal prop1
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound esp 10000
[Huawei-ipsec-policy-manual-policy1-1] sa encryption-hex inbound esp cipher 1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound esp 20000
[Huawei-ipsec-policy-manual-policy1-1] sa encryption-hex outbound esp cipher abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234abcdefabcdef1234

sa encryption-hex (SA view)

Function

The sa encryption-hex command configures an encryption key for manual Security Association (SA) in hexadecimal format.

The undo sa encryption-hex command deletes an encryption key for manual SA configured in hexadecimal format.

By default, no encryption key is created.

Format

sa encryption-hex { inbound | outbound } esp [ cipher ] { hex-plain-key | hex-cipher-key }

undo sa encryption-hex { inbound | outbound } esp

Parameters

Parameter Description Value
inbound Specifies SA parameters for incoming packets. -
outbound Specifies SA parameters for outgoing packets. -
esp Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa encryption-hex command. -
cipher Indicates the ciphertext used for encryption. -
hex-plain-key

Sets the encryption key in plaintext format.

The value is in hexadecimal notation.
  • If encryption algorithm Data Encryption Standard (DES) is used, the length of the key is 8 bytes.
  • If encryption algorithm Triple Data Encryption Standard (3DES) is used, the length of the key is 24 bytes.
  • If encryption algorithm Advanced Encryption Standard 128 (AES-128) is used, the length of the key is 16 bytes.
  • If encryption algorithm AES-192 is used, the length of the key is 24 bytes.
  • If encryption algorithm AES-256 is used, the length of the key is 32 bytes.
hex-cipher-key

Sets the encryption key in ciphertext format.

The value is a case-insensitive string without spaces.
  • If encryption algorithm DES is used, the length of the key is 48.
  • If encryption algorithm 3DES is used, the length of the key is 88.
  • If encryption algorithm AES-128 is used, the length of the key is 68.
  • If encryption algorithm AES-192 is used, the length of the key is 88.
  • If encryption algorithm AES-256 is used, the length of the key is 108.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The ESP security protocol supports encryption of IP packets. The encryption/decryption algorithm is DES, 3DES, or AES, and each of these algorithms requires a key, which can be supplied in hexadecimal format. The hexadecimal key used for encryption is configured using the sa encryption-hex command.

If the sa encryption-hex command is configured, the encryption key configured using the sa string-key command is deleted automatically.

Example

# Configure an encryption key in the hexadecimal format for the SA named sa1.

<Huawei> system-view
[Huawei] ipsec sa sa1
[Huawei-ipsec-sa-sa1] sa encryption-hex inbound esp abcdabcdabcdabcd

sa keep-holding-to hard-duration

Function

The sa keep-holding-to hard-duration command configures the device to delete the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

The undo sa keep-holding-to hard-duration command configures the device to delete the original IPSec SA immediately after it uses the new IPSec SA to transmit data during IPSec SA re-negotiation.

By default, during IPSec SA re-negotiation, the device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data.

Format

sa keep-holding-to hard-duration

undo sa keep-holding-to hard-duration

Parameters

None

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a new IPSec SA is negotiated, if the peer device still uses the original IPSec SA to transmit data while the local device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data, the IPSec SAs on the two devices will be different. This will cause IPSec traffic interruption. In this case, you are advised to run the sa keep-holding-to hard-duration command to enable the local device to delete the original IPSec SA after the hard lifetime expires.

Precautions

This command takes effect only for IPSec SAs established through IKEv1 negotiation.

Example

# Configure the device to delete the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 isakmp
[Huawei-ipsec-policy-isakmp-policy1-1] sa keep-holding-to hard-duration

sa spi

Function

The sa spi command configures a Security Parameter Index (SPI) for an IPSec SA.

The undo sa spi command cancels the configuration.

By default, the SPI of an IPSec SA is not configured.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Sets an SPI for the inbound IPSec SA. -
outbound Sets an SPI for the outbound IPSec SA. -
ah Sets an SPI using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the SPI is set with the ah keyword. -
esp Sets an SPI using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the SPI is set with the esp keyword. -
spi-number Sets an SPI for the IPSec SA. The value is an integer that ranges from 256 to 4294967295.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IPSec SA is uniquely identified by a triplet: the SPI, the destination IP address, and the security protocol number (AH or ESP). The receiver uses the SPI to identify the binding between a data flow and an IPSec SA.

When manually configuring an IPSec policy, you must specify the SPIs for inbound and outbound SAs. The inbound SPI on the local end must be the same as the outbound SPI on the remote end. The outbound SPI on the local end must be the same as the inbound SPI on the remote end.

Precautions

This command applies to manually created IPSec policies only. You do not need to set an SPI for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the SPI.

Example

# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI of the inbound IPSec SA to 10000; set the SPI of the outbound IPSec SA to 20000.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000

# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI of the inbound IPSec SA to 20000; set the SPI of the outbound IPSec SA to 10000.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000

sa spi (SA view)

Function

The sa spi command configures the Security Parameter Index (SPI) for a Security Association (SA).

The undo sa spi command deletes the SPI from an SA.

By default, no SPI is configured.

Format

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Specifies SA parameters for incoming packets. -
outbound Specifies SA parameters for outgoing packets. -
ah Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa spi command. -
esp Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa spi command. -
spi-number Specifies the SPI. The value is an integer ranging from 256 to 4294967295.

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An SPI uniquely identifies an SA. When an SPI is configured for an SA, the SPI is carried in each packet sent under that SA, and the receiver uses it to identify the SA and check the packet's authenticity. When the ipsec sa sa-name command is used to create an SA, run the sa spi command to configure its SPI.

Precautions

Set parameters for both inbound and outbound SAs.

The SPI for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

Example

# Set the SPI for the SA named sa1.

<Huawei> system-view
[Huawei] ipsec sa sa1
[Huawei-ipsec-sa-sa1] sa spi inbound ah 10000
[Huawei-ipsec-sa-sa1] sa spi outbound ah 20000

sa string-key

Function

The sa string-key command configures a character string as an authentication key for an IPSec SA.

The undo sa string-key command cancels the configuration.

By default, the authentication key is not configured for an IPSec SA.

Format

sa string-key { inbound | outbound } { ah | esp } { simple | cipher } string-key

undo sa string-key { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound Sets an authentication key for the inbound IPSec SA. -
outbound Sets an authentication key for the outbound IPSec SA. -
ah Sets an authentication key using the AH protocol. If the IPSec proposal referenced in an IPSec policy uses the AH protocol, the authentication key is set based on the ah keyword. -
esp Sets an authentication key using the ESP protocol. If the IPSec proposal referenced in an IPSec policy uses the ESP protocol, the authentication key is set based on the esp keyword. -

simple

Indicates a plain-text authentication key. Enter the authentication key in plain text. The authentication key is displayed in plain text in the configuration file.

NOTICE:

If simple is selected, the password is saved in the configuration file in plain text. This brings security risks. It is recommended that you select cipher to save the password in cipher text.

-

cipher

Indicates the cipher authentication key. You can enter an authentication key in plain text or cipher text. The authentication key is displayed in cipher text in the configuration file.

-
string-key Sets an authentication key for the IPSec SA.

The value is a string of case-sensitive characters without question marks (?) and spaces. The value is a string of 1 to 255 characters in plain text or 48 to 348 characters in cipher text.

NOTE:
To ensure security, the authentication key must meet the minimum complexity requirement. That is, the authentication key must be a combination of three of the following: uppercase letters, lowercase letters, digits, and special characters (such as !, @, #, $, and %).

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When an authentication algorithm is specified in the IPSec proposal referenced by a manually created IPSec policy, you must configure an authentication key for the inbound/outbound SA. The inbound authentication key on the local end must be the same as the outbound authentication key on the remote end. The outbound authentication key on the local end must be the same as the inbound authentication key on the remote end.

The authentication key can be a hexadecimal number or a character string.

  • The sa string-key command sets a character string as the authentication key.

  • The sa authentication-hex command sets an authentication key in hexadecimal notation.

If two keys in different formats are configured, the key configured later takes effect.

Precautions

The sa string-key command applies to manually created IPSec policies only. You do not need to set an authentication key for an IPSec SA established through IKE negotiation, because IKE peers automatically negotiate the authentication key.

The authentication key on both ends of an IPSec tunnel must use the same format. For example, an IPSec SA cannot be established if the authentication key on one end is a character string but that on the other end is a hexadecimal number.

Example

# In IPSec policy policy1 using AH and SHA2-256 on the local device, set the SPI and authentication key of the inbound IPSec SA to 10000 and Test@123; set the SPI and authentication key of the outbound IPSec SA to 20000 and Test@456.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key inbound ah cipher Test@123
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key outbound ah cipher Test@456

# In IPSec policy policy1 using AH and SHA2-256 on the remote device, set the SPI and authentication key of the inbound IPSec SA to 20000 and Test@456; set the SPI and authentication key of the outbound IPSec SA to 10000 and Test@123.

<Huawei> system-view
[Huawei] ipsec proposal prop1
[Huawei-ipsec-proposal-prop1] transform ah
[Huawei-ipsec-proposal-prop1] ah authentication-algorithm sha2-256
[Huawei-ipsec-proposal-prop1] quit
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key inbound ah cipher Test@456
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key outbound ah cipher Test@123
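The sa spi, sa encryption-hex and sa string-key sections above all impose the same kind of constraint: values on each device must be in range and well formed, and the local inbound value must equal the remote outbound value and vice versa. The following added Python checker (example code, not Huawei's; the function names are mine) parses those three commands from the local and remote manual policies and reports violations; the ESP cipher of the referenced proposal is passed in as an assumption, and the sample policies are constructed from the two examples above.

```python
"""Consistency checks for a pair of manually configured IPSec policies.

Added example, not Huawei code; function names are mine. It parses the
'sa spi', 'sa string-key' and 'sa encryption-hex' lines of the local and
remote manual IPSec policies and applies the constraints the reference states.
"""
import re
import string

# Hex ESP encryption key length in bytes per cipher (sa encryption-hex table)
HEX_KEY_BYTES = {"des": 8, "3des": 24, "aes-128": 16, "aes-192": 24,
                 "aes-256": 32, "sm4": 16}
SPI_MIN, SPI_MAX = 256, 4294967295

# Matches the three manual-policy commands; the simple/cipher keyword is optional
_LINE = re.compile(
    r"^\s*sa\s+(spi|string-key|encryption-hex)\s+(inbound|outbound)\s+(ah|esp)"
    r"(?:\s+(?:simple|cipher))?\s+(\S+)\s*$")


def parse_policy(text):
    """Map (command, direction, protocol) -> value from CLI lines; prompts are stripped."""
    policy = {}
    for line in text.splitlines():
        if line.startswith("["):            # drop a "[Huawei-...]" prompt if present
            line = line.split("]", 1)[1]
        m = _LINE.match(line)
        if m:
            cmd, direction, proto, value = m.groups()
            policy[(cmd, direction, proto)] = value
    return policy


def check_spi(spi_text):
    """The SPI is an integer from 256 to 4294967295."""
    return spi_text.isdigit() and SPI_MIN <= int(spi_text) <= SPI_MAX


def check_hex_key(hex_key, cipher):
    """A hex key must be valid hex of exactly the byte length the cipher needs."""
    return (len(hex_key) == 2 * HEX_KEY_BYTES[cipher.lower()]
            and all(c in string.hexdigits for c in hex_key))


def check_string_key(key):
    """Plain-text string key: 1-255 characters, no '?' or space, and at least
    three of: uppercase letters, lowercase letters, digits, special characters."""
    if not 1 <= len(key) <= 255 or "?" in key or " " in key:
        return False
    classes = (any(c.isupper() for c in key), any(c.islower() for c in key),
               any(c.isdigit() for c in key), any(not c.isalnum() for c in key))
    return sum(classes) >= 3


def policy_problems(policy, esp_cipher="aes-256"):
    """Per-device checks. esp_cipher is the cipher of the referenced proposal
    (an assumption here, since the proposal is not among the parsed lines)."""
    problems = []
    for (cmd, direction, proto), value in sorted(policy.items()):
        if cmd == "spi" and not check_spi(value):
            problems.append(f"spi {direction} {proto}: out of range")
        elif cmd == "encryption-hex" and not check_hex_key(value, esp_cipher):
            problems.append(f"encryption-hex {direction}: wrong length for {esp_cipher}")
        elif cmd == "string-key" and not check_string_key(value):
            problems.append(f"string-key {direction} {proto}: weak or invalid")
    return problems


def mirror_problems(local, remote):
    """Local inbound must equal remote outbound and vice versa, per command and
    protocol; a value missing on the remote (e.g. different key format) is reported."""
    problems = []
    for (cmd, direction, proto), value in sorted(local.items()):
        peer_dir = "outbound" if direction == "inbound" else "inbound"
        peer_value = remote.get((cmd, peer_dir, proto))
        if peer_value is None:
            problems.append(f"{cmd} {proto}: remote has no {peer_dir} value")
        elif peer_value != value:
            problems.append(f"{cmd} {proto}: local {direction} != remote {peer_dir}")
    return problems


def audit(local_text, remote_text):
    """All problems found for a local/remote pair of manual policies."""
    local, remote = parse_policy(local_text), parse_policy(remote_text)
    return policy_problems(local) + policy_problems(remote) + mirror_problems(local, remote)


# Constructed sample: the local and remote AH policies from the sa string-key examples
LOCAL = """
[Huawei-ipsec-policy-manual-policy1-1] sa spi inbound ah 10000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key inbound ah cipher Test@123
[Huawei-ipsec-policy-manual-policy1-1] sa spi outbound ah 20000
[Huawei-ipsec-policy-manual-policy1-1] sa string-key outbound ah cipher Test@456
"""
REMOTE_OK = """
sa spi inbound ah 20000
sa string-key inbound ah cipher Test@456
sa spi outbound ah 10000
sa string-key outbound ah cipher Test@123
"""
# Same remote, but with its outbound SPI mistyped (constructed fault)
REMOTE_BAD = REMOTE_OK.replace("outbound ah 10000", "outbound ah 10001")
```

Calling audit(LOCAL, REMOTE_OK) returns an empty list, while audit(LOCAL, REMOTE_BAD) reports that the local inbound AH SPI no longer matches the remote outbound one.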

sa string-key (SA view)

Function

The sa string-key command configures an authentication key in the string format.

The undo sa string-key command deletes an authentication key from Security Associations (SAs).

By default, no authentication key is created.

Format

sa string-key { inbound | outbound } { ah | esp } [ cipher ] string-cipher-key

undo sa string-key { inbound | outbound } { ah | esp }

Parameters

Parameter Description Value
inbound

Specifies SA parameters for incoming packets.

-

outbound

Specifies SA parameters for outgoing packets.

-

ah

Specifies SA parameters for Authentication Header (AH). If the security proposal applied to an SA uses AH, ah must be configured in the sa string-key command.

-

esp

Specifies SA parameters for Encapsulating Security Payload (ESP). If the security proposal applied to an SA uses ESP, esp must be configured in the sa string-key command.

-

cipher

Indicates the ciphertext used for authentication.

-

string-cipher-key

Specifies the ciphertext key.

The value is a case-sensitive string of letters or digits: 1 to 127 characters in plain text or 20 to 392 characters in cipher text. The question mark (?) and spaces are not allowed, except that spaces are allowed when the string is enclosed in quotation marks (").

Views

SA view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

AH and ESP can use Message Digest 5 (MD5), Secure Hash Algorithm 1 (SHA-1), or SHA-2 for authentication; these algorithms require an authentication key in either string or hexadecimal format. To configure an authentication key in the string format, run the sa string-key command.

Precautions

Set parameters for both inbound and outbound SAs.

SA parameters on both IPSec peers must be identical. The authentication key for incoming packets on the local end must be identical with that for outgoing packets on the peer end and vice versa.

The authentication key can be in the hexadecimal or string format. To configure an authentication key in the hexadecimal format, run the sa authentication-hex command. If multiple authentication keys are configured, the latest one takes effect. The formats of authentication keys on both IPSec peers must be identical. If an authentication key in the string format is configured on one end and an authentication key in the hexadecimal format on another end, the two ends cannot communicate.

Example

# Set an authentication key in the string format for the SA named sa1.

<Huawei> system-view
[Huawei] ipsec sa sa1
[Huawei-ipsec-sa-sa1] sa string-key inbound esp Hello-13579
[Huawei-ipsec-sa-sa1] sa string-key outbound esp Huawei-13579

sa trigger-mode

Function

The sa trigger-mode command configures a mode in which IPSec tunnel setup is triggered.

The undo sa trigger-mode command restores the default mode in which IPSec tunnel setup is triggered.

By default, the IPSec tunnel trigger mode is auto.

Format

sa trigger-mode { auto | traffic-based }

undo sa trigger-mode

Parameters

Parameter Description Value
auto

Indicates that IPSec tunnel setup is triggered automatically.

-
traffic-based

Indicates that IPSec tunnel setup is triggered by traffic.

-

Views

ISAKMP IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

If auto is specified, IPSec tunnel setup is triggered automatically. If traffic-based is specified, an IPSec tunnel is triggered by outgoing data flows matching the IPSec policy.

Example

# Set the mode in which IPSec tunnel setup is triggered to traffic-based.

<Huawei> system-view
[Huawei] ipsec policy test 10 isakmp
[Huawei-ipsec-policy-isakmp-test-10] sa trigger-mode traffic-based

security acl

Function

The security acl command specifies an ACL to be referenced in an IPSec policy or IPSec policy template.

The undo security acl command cancels the configuration.

By default, an IPSec policy or IPSec policy template does not reference an ACL.

Format

security acl acl-number [ dynamic-source ]

undo security acl

Parameters

Parameter Description Value
acl-number Specifies the number of an ACL. The value is an integer that ranges from 3000 to 3999.
dynamic-source Indicates that the IP address of the interface to which the IPSec policy is applied replaces the source IP address in the referenced ACL. This parameter is valid only in the IPSec policy view. -

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

The security acl command references an ACL that defines data flows to be protected by IPSec. In practice, you need to configure rules in an ACL to define data flows to be protected and apply the ACL to an IPSec policy to protect the data flows.

When an IPSec policy is created using an IPSec policy template, you can determine whether to define data flows to be protected by IPSec on the responder.
  • If data flows to be protected by IPSec are not specified on the responder, the responder accepts the range of data flows to be protected by IPSec defined on the initiator.
  • If data flows to be protected by IPSec are specified on the responder, the configuration on the responder must mirror that on the initiator or the range of protected data flows on the responder must contain the range of protected data flows on the initiator.

Precautions

To reference an ACL in an IPSec policy, ensure that rules are configured in the ACL and that the ACL contains no more than 256 rules. Otherwise, the ACL cannot be referenced in the IPSec policy.

After an IPSec tunnel has been established, if both permit and deny actions are configured in an ACL rule in the IPSec policy template view, the deny action does not take effect.
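To make the mirroring rule from the usage scenario concrete, here is an added example (not code from this command reference) that parses advanced-ACL permit rules from both ends and reports the initiator flows a responder ACL would not accept. The rule syntax, the wildcard handling and the sample ACLs are assumptions constructed for illustration.

```python
"""Check an IPSec responder's ACL against the initiator's protected data flows.

Added example, not code from the Huawei command reference. It models the rule
from the 'security acl' usage guidelines: when the responder (policy template
side) defines its own protected flows, each initiator flow must be mirrored by,
or contained in, a responder flow. Rule syntax assumed:
'rule [number] permit <proto> source <addr> <wildcard> destination <addr> <wildcard>'.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str                        # "tcp", "udp", "ip", ...
    src: ipaddress.IPv4Network        # seen from the device that owns the ACL
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an advanced-ACL address/wildcard pair (0 bits = must match) to a prefix."""
    wc = int(ipaddress.IPv4Address(wildcard))
    # Only contiguous wildcards (0...01...1) map to a prefix; anything else is rejected.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} is not supported")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)


def parse_acl(acl_text: str) -> list[Flow]:
    """Extract the permit rules (the flows IPSec protects) from ACL configuration lines."""
    flows = []
    for line in acl_text.splitlines():
        tok = line.split()
        if len(tok) < 2 or tok[0] != "rule":
            continue
        if tok[1].isdigit():              # optional rule number: "rule 5 permit ..."
            del tok[1]
        if tok[1] != "permit":            # deny rules do not define protected flows
            continue
        s, d = tok.index("source"), tok.index("destination")
        flows.append(Flow(tok[2],
                          wildcard_to_network(tok[s + 1], tok[s + 2]),
                          wildcard_to_network(tok[d + 1], tok[d + 2])))
    return flows


def responder_covers(initiator: Flow, responder: Flow) -> bool:
    """True if the responder flow mirrors or contains the initiator flow.

    The responder sees the same traffic with source and destination swapped, so
    the initiator's source must fit the responder's destination and vice versa.
    Equal networks on both sides is the mirror case; wider networks is containment.
    """
    proto_ok = responder.proto in ("ip", initiator.proto)
    return (proto_ok
            and initiator.src.subnet_of(responder.dst)
            and initiator.dst.subnet_of(responder.src))


def unmatched_flows(initiator_acl: str, responder_acl: str) -> list[Flow]:
    """Return initiator flows the responder would not accept; an empty list means the ACLs agree."""
    responder = parse_acl(responder_acl)
    if not responder:
        # No flows defined on the responder: it accepts the range proposed by the initiator.
        return []
    return [f for f in parse_acl(initiator_acl)
            if not any(responder_covers(f, r) for r in responder)]


# Constructed sample ACLs (branch = initiator, headquarters = responder).
INITIATOR_ACL = """
acl number 3100
 rule 5 permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
"""
RESPONDER_MIRROR = "rule permit tcp source 10.1.1.2 0.0.0.0 destination 10.1.1.1 0.0.0.0"
RESPONDER_SUPERSET = "rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255"
# Common mistake: the initiator's rule pasted onto the responder without swapping the ends.
RESPONDER_COPIED = "rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0"

if __name__ == "__main__":
    for name, acl in [("mirror", RESPONDER_MIRROR), ("superset", RESPONDER_SUPERSET),
                      ("copied", RESPONDER_COPIED), ("empty", "")]:
        missing = unmatched_flows(INITIATOR_ACL, acl)
        print(f"{name:9s} -> {'OK' if not missing else 'MISMATCH: ' + str(missing)}")
```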

Example

# Reference ACL 3100 in a manually created IPSec policy.

<Huawei> system-view
[Huawei] acl number 3100
[Huawei-acl-adv-3100] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3100] quit
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] security acl 3100

# Reference ACL 3101 in an Efficient VPN policy.

<Huawei> system-view
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit tcp source 10.1.1.1 0.0.0.0 destination 10.1.1.2 0.0.0.0
[Huawei-acl-adv-3101] quit
[Huawei] ipsec efficient-vpn name mode network
[Huawei-ipsec-efficient-vpn-name] security acl 3101

service-scheme

Function

The service-scheme command specifies a service scheme referenced by an IKE peer.

The undo service-scheme command deletes a service scheme referenced by an IKE peer.

By default, an IKE peer does not reference any service scheme.

Format

service-scheme service-scheme-name

undo service-scheme

Parameters

Parameter Description Value
service-scheme-name Specifies the name of a service scheme. The service scheme name must already exist.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In an Efficient VPN scenario, the customer wants to deploy network resources including the DNS domain name, DNS server address, WINS server address, and IP addresses on the server end (headquarters gateway). The server end pushes network resource information to remote ends (branch gateways) to simplify configuration and maintenance of network resources on them. In this case, run the service-scheme command to specify a service scheme referenced by an IKE peer. After this command is configured, remote ends are authorized based on network resource information pushed by the server end.

Prerequisites

A service scheme has been created by running the service-scheme service-scheme-name command in the AAA view.

Example

# Configure the service scheme service referenced by an IKE peer.

<Huawei> system-view
[Huawei] aaa
[Huawei-aaa] service-scheme service
[Huawei-aaa-service-service] quit
[Huawei-aaa] quit
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] service-scheme service

service-scheme (Efficient VPN policy view)

Function

The service-scheme command configures a server-end service scheme in an Efficient VPN policy.

The undo service-scheme command deletes a server-end service scheme from an Efficient VPN policy.

By default, no server-end service scheme is configured in an Efficient VPN policy.

Format

service-scheme service-scheme-name

undo service-scheme

Parameters

Parameter Description Value
service-scheme-name Specifies the name of a service scheme on the server end. The service scheme name must already exist.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

In an Efficient VPN scenario, the customer wants to deploy network resources including the DNS domain name, DNS server address, WINS server address, and IP addresses on the server end (headquarters gateway). The server end pushes network resource information to remote ends (branch gateways) to simplify configuration and maintenance of network resources on them.

Remote ends are authorized based on network resource information pushed by the server end or the server-end AAA service scheme specified in an Efficient VPN policy. To use the AAA service scheme, run the service-scheme command to configure a server-end service scheme in an Efficient VPN policy and run the local-id-type command to specify the key-id parameter. Otherwise, the configuration does not take effect.

Example

# Configure the server-end service scheme service in an Efficient VPN policy.

<Huawei> system-view
[Huawei] ipsec efficient-vpn name mode network
[Huawei-ipsec-efficient-vpn-name] service-scheme service

sim-based-username

Function

The sim-based-username command configures the user name and password of the remote device for authentication by the RADIUS server.

The undo sim-based-username command deletes the user name and password of the remote device for authentication by the RADIUS server.

By default, the user name and password of the remote device for authentication by the RADIUS server are not configured.

Format

sim-based-username type { imei | imsi } password password

undo sim-based-username

Parameters

Parameter

Description

Value

type { imei | imsi }
Specifies the type of identifier from which the user name is obtained.
  • imei: indicates that the type of the user name is International Mobile Equipment Identity (IMEI).
  • imsi: indicates that the type of the user name is International Mobile Subscriber Identity (IMSI).

-

password password

Sets the password of the remote device for authentication by the RADIUS server.

The value is a string of case-sensitive characters. It cannot contain question marks (?) or spaces. The password is in plain text containing 9 to 32 characters or in cipher text containing 48 to 68 characters.

NOTE:

To improve security, it is recommended that the password contain at least two of the following character types: lowercase letters, uppercase letters, digits, and special characters, and that it be at least 9 characters long.

Views

Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

When the remote device establishes an IKE SA with the RADIUS server, it must be authenticated and authorized by the RADIUS server, so it sends a user name and password to the RADIUS server. The user name is obtained from the device's IMEI or IMSI according to the user name type configured using this command.

Example

# Set the user name type and password of the remote device for authentication by the RADIUS server to IMSI and Huawei@1234.

<Huawei> system-view
[Huawei] ipsec efficient-vpn evpn mode network-auto-cfg
[Huawei-ipsec-efficient-vpn-evpn] sim-based-username type imsi password Huawei@1234

switch-back enable

Function

The switch-back enable command enables revertive switching of an IKE peer.

The undo switch-back enable command disables revertive switching of an IKE peer.

By default, revertive switching of an IKE peer is disabled.

Format

switch-back enable

undo switch-back enable

Parameters

None

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

On a live network, to improve network reliability, the headquarters provides two devices to connect to the branch. On the branch gateway, two IP addresses or domain names are configured for an IKE peer to establish connections with the headquarters. Normally, the branch gateway connects to the primary headquarters gateway. When the primary headquarters gateway becomes unreachable, the branch gateway connects to the secondary headquarters gateway to prevent traffic loss. After the primary headquarters gateway recovers, you need to run the switch-back enable command to enable revertive switching to the primary headquarters gateway.

Precautions

The remote-address (IKE peer view) command must also be executed to configure an IKE peer to perform redundancy switching according to the NQA test instance status or the BFD session status. The switching function takes effect based on the NQA test instance status change or BFD session status change instead of based on the detection result.

Example

# Configure revertive switching of the IKE peer huawei.

<Huawei> system-view
[Huawei] ike peer huawei
[Huawei-ike-peer-huawei] switch-back enable

transform

Function

The transform command specifies a security protocol used in an IPSec proposal.

The undo transform command restores the default configuration.

By default, an IPSec proposal uses the ESP protocol.

Format

transform { ah | ah-esp | esp }

undo transform

Parameters

Parameter Description Value
ah Indicates that the IPSec proposal uses the Authentication Header (AH) protocol. -
ah-esp Indicates that the IPSec proposal encapsulates packets through ESP, then through AH. -
esp Indicates that the IPSec proposal uses the ESP protocol. -

Views

IPSec proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Three security modes are available and differ as follows:
  • In the AH mode, devices only authenticate packets.
  • In the ESP mode, devices provide packet authentication, encryption, or both.
  • In the AH-ESP mode, devices use the AH protocol to authenticate packets and the ESP protocol to encrypt packets. During IPSec encapsulation, devices encapsulate packets using ESP and then AH. During IPSec decapsulation, devices decapsulate packets using AH and then ESP.

AH prevents data tampering but cannot prevent eavesdropping, so it applies only to the transmission of non-confidential data. ESP provides a weaker authentication service than AH (it does not cover the outer IP header), but it can encrypt packet payloads.

Precautions

The IPSec proposals configured on both ends of an IPSec tunnel must use the same security protocol.

Example

# Set the security protocol used in IPSec proposal newprop1 to AH.

<Huawei> system-view
[Huawei] ipsec proposal newprop1
[Huawei-ipsec-proposal-newprop1] transform ah

transform (ipsec-proto-protect-proposal view)

Function

The transform command configures the security protocol in a security proposal.

The undo transform command restores the default security protocol.

By default, the Encapsulating Security Payload (ESP) protocol is used, as defined in RFC 2406.

Format

transform { ah | esp }

undo transform

Parameters

Parameter Description Value
ah Configures Authentication Header (AH) as the security protocol. -
esp Configures ESP as the security protocol. -

Views

IPSec proto-protect proposal view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

Based on packet encryption and authentication at the IP layer, IPSec ensures the integrity, authenticity, and confidentiality of packets transmitted on networks. IPSec uses two protocols, AH and ESP, for data authentication and encryption.

  • AH: provides data origin and integrity authentication.
  • ESP: provides data origin and integrity authentication and data encryption.

Configuration Impact

When multiple security proposals are configured, the latest configuration takes effect, and the default authentication and encryption algorithms will be restored.

AH uses the authentication algorithm SHA2-256 by default. ESP uses the authentication algorithm SHA2-256 and the encryption algorithm AES 128 by default.

Follow-up Procedure

Configure the authentication algorithm for AH when AH is used.

Configure the authentication and encryption algorithms for ESP when ESP is used.

Precautions

The security protocols on both IPSec peers must be identical.

Example

# Configure AH for the security proposal named prop1.

<Huawei> system-view
[Huawei] ipsec proto-protect proposal prop1
[Huawei-ipsec-proto-protect-proposal-prop1] transform ah

tunnel local

Function

The tunnel local command specifies the local address of an IPSec tunnel.

The undo tunnel local command cancels the configuration.

By default, no local IP address is configured for the IPSec tunnel.

Format

tunnel local { ipv4-address | applied-interface }

undo tunnel local

Parameters

Parameter Description Value
ipv4-address Specifies an IPv4 address for the local end of an IPSec tunnel. The value is in dotted decimal notation.
applied-interface Indicates that the primary IP address of the IPSec-enabled interface is used as the local address of an IPSec tunnel. NOTE: This parameter takes effect only in the ISAKMP IPSec policy view. -

Views

Manual IPSec policy view, ISAKMP IPSec policy view, IPSec policy template view, Efficient VPN policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify a start point for an IPSec tunnel.

For a manually created IPSec policy, you must run the tunnel local ipv4-address command to configure an IP address for the local end before you can create an SA. Only after correct IP addresses are configured for the local end (start point) and remote end (end point) can an IPSec tunnel be established between the two ends.

For the IKE negotiation mode, you do not need to configure an IP address for the local end of an IPSec tunnel. During SA negotiation, the device selects a proper address based on routing information. The local address needs to be configured in the following situations:
  • If the IP address of the interface to which an IPSec policy is applied varies or is unknown, run the tunnel local ipv4-address command to specify the IP address of another interface (such as the loopback interface) on the device as the IP address for the local end of an IPSec tunnel. Alternatively, run the tunnel local applied-interface command to specify the IP address of the interface to which an IPSec policy is applied as the local address of an IPSec tunnel.
  • If the interface to which an IPSec policy is applied has multiple IP addresses (one primary IP address and several secondary IP addresses), run the tunnel local ipv4-address command to specify one of these IP addresses as the IP address for the local end of an IPSec tunnel. Alternatively, run the tunnel local applied-interface command to specify the primary IP address of the interface as the local address of an IPSec tunnel.
  • If equal-cost routes exist between the local and remote ends, run the tunnel local command to specify a local IP address for an IPSec tunnel.

Precautions

  • If an IPSec policy is created manually, tunnel local on the local end must be the same as the tunnel remote on the remote end.

  • If an IPSec policy is created in IKE negotiation mode, the tunnel local on the local end must be the same as remote-address (IKE peer view) that the remote end references from the IKE peer.

  • You do not need to specify the tunnel local (local address) for the IKE peer referenced in an IPSec profile, because the local address is the source address of the GRE, mGRE or IPSec virtual tunnel interface. For the IKE peer referenced in an IPSec profile, tunnel local does not take effect.

  • When applying an IPSec policy to a tunnel interface and running the source command to specify an IP address for the interface, you must run the tunnel local command to configure a tunnel local address. Otherwise, IKE negotiation will fail.

  • In an IPSec hot standby scenario, tunnel local must be set to a virtual IP address.

Example

# Set the local IP address of the IPSec tunnel to 10.1.1.1 in the manual IPSec policy view.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 manual
[Huawei-ipsec-policy-manual-policy1-100] tunnel local 10.1.1.1

# Set the primary IP address of the interface to which the IPSec policy in IKE negotiation mode is applied as the local IP address of the IPSec tunnel.

<Huawei> system-view
[Huawei] ipsec policy policy1 100 isakmp
[Huawei-ipsec-policy-isakmp-policy1-100] tunnel local applied-interface

tunnel remote

Function

The tunnel remote command specifies the remote address of an IPSec tunnel.

The undo tunnel remote command cancels the configuration.

By default, no remote IP address is configured for the IPSec tunnel.

Format

tunnel remote ip-address

undo tunnel remote

Parameters

Parameter Description Value
ip-address Specifies an IPv4 address for the remote end of an IPSec tunnel. The value is in dotted decimal notation.

Views

Manual IPSec policy view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to specify an end point for an IPSec tunnel.

For a manually created IPSec policy, you must run the tunnel remote ip-address command to configure an IP address for the remote end before you can create an SA. Only after correct IP addresses are configured for the local end (start point) and remote end (end point) can an IPSec tunnel be established between the two ends.

Precautions

If an IPSec policy is created manually, tunnel remote on the local end must be the same as tunnel local on the remote end.

Example

# Set the remote IP address in IPSec policy policy1 to 10.1.1.2.

<Huawei> system-view
[Huawei] ipsec policy policy1 1 manual
[Huawei-ipsec-policy-manual-policy1-1] tunnel remote 10.1.1.2

tunnel pathmtu enable

Function

The tunnel pathmtu enable command enables the device to learn the maximum transmission unit (MTU) of packets allowed on an IPSec tunnel.

The undo tunnel pathmtu enable command disables the device from learning the MTU of packets allowed on an IPSec tunnel.

By default, the device cannot learn the MTU of packets allowed on an IPSec tunnel.

Format

tunnel pathmtu enable

undo tunnel pathmtu enable

Parameters

None

Views

Tunnel interface view, Tunnel-Template interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the local device sends IPSec packets along an established IPSec tunnel and the packet size exceeds the MTU allowed on the tunnel, the IPSec packets are discarded and the local device receives an ICMP Unreachable packet.

The local device uses the MTU carried in the ICMP Unreachable packet and the Security Parameter Index (SPI) of the SA to identify the affected tunnel, and then automatically adjusts the interface MTU to a proper value so that IPSec packets can pass.

Prerequisites

This command takes effect only when the encapsulation mode of the tunnel interface has been set to IPSec or GRE using the tunnel-protocol command or the destination command has been configured on the tunnel interface.

The Don't Fragment (DF) field of the IPSec tunnel has been set to 1 using the ipsec df-bit set command, indicating that packet fragmentation is not allowed on the IPSec tunnel.

Precautions

If a firewall on the network blocks ICMP packets, this command cannot take effect because the ICMP Unreachable packets never reach the device.

If the devices have NAT traversal enabled, this command cannot take effect because the NAT traversal encapsulation changes the format of IPSec packets and the devices cannot identify the SPI values of SAs.
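As an added example (not code from this command reference), the following Python models the procedure described in the usage scenario and precautions above: it parses an ICMP Destination Unreachable (fragmentation needed) message, reads the SPI from the quoted ESP header, looks the SA up and derives the tunnel MTU, and shows why a NAT-traversal (UDP-encapsulated) packet cannot be handled. The SA table, the interface name and the per-SA encapsulation overhead are assumptions.

```python
"""Work out a tunnel MTU from an ICMP 'fragmentation needed' message quoting an ESP packet.

Added example, not code from the Huawei command reference. It models the
behaviour described under 'tunnel pathmtu enable': read the next-hop MTU from
the ICMP Destination Unreachable message, identify the SA from the SPI in the
quoted ESP header, and derive the MTU the tunnel should use. The SA table, the
interface name and the per-SA encapsulation overhead are assumptions.
"""
from __future__ import annotations

import struct
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP = 17, 50
ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4
MIN_MTU = 576          # assumed floor: refuse implausibly small advertised MTUs

# Assumed worst-case ESP tunnel-mode overhead for AES-CBC with an HMAC ICV:
# 20 outer IPv4 + 8 SPI/seq + 16 IV + 15 padding + 2 trailer + 12 ICV.
ESP_OVERHEAD = 73

# Constructed SA table: SPI -> (tunnel interface, encapsulation overhead in bytes).
SA_TABLE = {0x1000ABCD: ("Tunnel0/0/1", ESP_OVERHEAD)}


def parse_frag_needed(icmp: bytes) -> Optional[dict]:
    """Return the next-hop MTU and quoted SPI, or None if the message is not usable."""
    if len(icmp) < 8 + 20 + 8:
        return None
    icmp_type, code, _checksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp[:8])
    if (icmp_type, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        return None
    quoted = icmp[8:]                     # original IPv4 header + first 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4
    flags = struct.unpack("!H", quoted[6:8])[0]
    proto = quoted[9]
    info = {"next_hop_mtu": next_hop_mtu, "df": bool(flags & 0x4000), "spi": None}
    if proto == IPPROTO_UDP:
        # NAT traversal: the quoted bytes are a UDP header, so the SPI cannot be read.
        return info
    if proto != IPPROTO_ESP or len(quoted) < ihl + 8:
        return None
    info["spi"], info["seq"] = struct.unpack("!II", quoted[ihl:ihl + 8])
    return info


def tunnel_mtu_update(icmp: bytes, sa_table=SA_TABLE) -> Optional[tuple[str, int]]:
    """Return (interface, new_mtu) to apply, or None when the message must be ignored."""
    info = parse_frag_needed(icmp)
    if info is None or info["spi"] is None:
        return None
    sa = sa_table.get(info["spi"])
    if sa is None:
        return None                       # unknown SPI: stale or forged message, ignore it
    interface, overhead = sa
    new_mtu = info["next_hop_mtu"] - overhead
    if new_mtu < MIN_MTU:
        return None
    return interface, new_mtu


def build_sample_icmp(next_hop_mtu: int, proto: int, first8: bytes) -> bytes:
    """Construct an ICMP type 3/code 4 message quoting a 20-byte IPv4 header (DF set) plus 8 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    icmp_hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return icmp_hdr + ip_hdr + first8     # checksum left zero; it is not validated here


# Constructed samples: a known ESP SA, an unknown SPI, and a NAT-T (UDP 4500) encapsulated packet.
SAMPLE_ESP = build_sample_icmp(1400, IPPROTO_ESP, struct.pack("!II", 0x1000ABCD, 7))
SAMPLE_UNKNOWN_SPI = build_sample_icmp(1400, IPPROTO_ESP, struct.pack("!II", 0xDEADBEEF, 1))
SAMPLE_NAT_T = build_sample_icmp(1400, IPPROTO_UDP, struct.pack("!HHHH", 4500, 4500, 1480, 0))

if __name__ == "__main__":
    for name, msg in [("esp", SAMPLE_ESP), ("unknown-spi", SAMPLE_UNKNOWN_SPI), ("nat-t", SAMPLE_NAT_T)]:
        print(f"{name:12s} -> {tunnel_mtu_update(msg)}")
```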

Example

# Enable the device to learn the MTU allowed on an IPSec tunnel on a virtual tunnel interface.

<Huawei> system-view
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol ipsec
[Huawei-Tunnel0/0/1] tunnel pathmtu enable

user (IKE user table view)

Function

The user command configures IKE user information.

The undo user command deletes IKE user information.

By default, no IKE user information is configured.

Format

user id-type { any any-id | fqdn remote-fqdn | ip ip-address | user-fqdn remote-user-fqdn } vpn-instance vpn-instance-name

user id-type { any any-id | fqdn remote-fqdn | ip ip-address | user-fqdn remote-user-fqdn } pre-shared-key key [ description description ]

undo user id-type { any any-id | fqdn remote-fqdn | ip ip-address | user-fqdn remote-user-fqdn } vpn-instance

undo user id-type { any any-id | fqdn remote-fqdn | ip ip-address | user-fqdn remote-user-fqdn } pre-shared-key

Parameters

Parameter

Description

Value

id-type

Specifies the remote ID type and remote ID of an IKE peer.

-
any any-id

Indicates that the remote ID of an IKE peer can be of any type and configures the remote ID.

The value is a string of 1 to 255 case-sensitive characters without question marks (?) and spaces.

fqdn remote-fqdn

Specifies the name as the remote ID of an IKE peer and configures the remote ID.

The value is a string of 1 to 255 case-sensitive characters without question marks (?) and spaces.

ip ip-address

Specifies the IP address as the remote ID of an IKE peer and configures the remote ID.

The value is in dotted decimal notation.

user-fqdn remote-user-fqdn

Specifies the domain name as the remote ID of an IKE peer and configures the remote ID.

The value is a string of 1 to 255 case-sensitive characters without question marks (?) and spaces.

vpn-instance vpn-instance-name

Specifies a VPN instance name.

The value is the name of an existing VPN instance.

pre-shared-key key

Specifies a pre-shared key.

The value is a string of 1 to 128 case-sensitive characters in plaintext or 48 to 188 case-sensitive characters in ciphertext. When the value contains the question mark (?) or space, you must enclose the value with double quotation marks ("").

description description

Specifies the description of an IKE user.

The value is a string of 1 to 63 case-sensitive characters without question marks (?).

Views

IKE user table view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the device functions as the headquarters gateway and an IPSec policy is created using an IPSec policy template, the gateway receives IPSec connection requests from different branches. If the pre-shared key is used for identity authentication and all branches use the same ID and pre-shared key, there is a security risk: if the ID and pre-shared key of one branch leak, the ID and pre-shared key of all branches leak. The IKE user table prevents this problem.

The IKE user table records the mapping between remote IDs of IKE peers and pre-shared keys. After an IKE peer references the IKE user table, the device searches for the pre-shared key matching the remote ID of the IKE peer in the IKE user table to complete identity authentication during IKE negotiation. In this manner, branches use different IDs and pre-shared keys for identity authentication.

In addition, on an MPLS VPN with small VPN sites, if CEs and PEs are connected through the Internet rather than leased lines, hosts connected to a CE can access the resources on another VPN site only through the insecure Internet. To enhance access security, these hosts can connect to the backbone network of the MPLS VPN through an IPSec tunnel.

After you run this command, the device determines the VPN instance to which site traffic passing through the IPSec tunnel belongs by the user type, isolating traffic from different sites.

Prerequisites

The VPN instance has been created using the ip vpn-instance command and the route distinguisher (RD) has been configured for the VPN instance using the route-distinguisher command.

Precautions

  • After an IKE peer references an IKE user table, the pre-shared key configured by this command takes precedence over the pre-shared key configured using the pre-shared-key command.

  • After an IKE peer references an IKE user table, the VPN instance configured by this command takes precedence over the VPN instance configured using the sa binding vpn-instance command.

  • If IKEv1 in main mode is used, id-type must be set to ip. In NAT traversal scenarios, ip-address must be the IP address translated by the NAT device.

Example

# Configure user information in IKE user table 10, and set the remote ID type, remote ID, and pre-shared key to IP, 10.1.1.1, and Test!123 respectively.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user id-type ip 10.1.1.1 pre-shared-key Test!123

# Configure user information in IKE user table 10, and bind it to VPN instance vpna.

<Huawei> system-view
[Huawei] ip vpn-instance vpna
[Huawei-vpn-instance-vpna] ipv4-family
[Huawei-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Huawei-vpn-instance-vpna-af-ipv4] quit
[Huawei-vpn-instance-vpna] quit
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user id-type ip 10.1.1.1 vpn-instance vpna

user

Function

The user command creates an IKE user and displays the IKE user view, or directly displays the view of an existing IKE user.

The undo user command deletes the created IKE user.

By default, no IKE user is created in an IKE user table.

Format

user user-name

undo user user-name

Parameters

Parameter

Description

Value

user-name

Specifies the name of an IKE user.

The value is a string of 1 to 63 case-sensitive characters without spaces and question marks (?).

Views

IKE user table view

Default Level

2: Configuration level

Usage Guidelines

After the ike user-table command is used to create an IKE user table and enter the IKE user table view, run the user command to create an IKE user and enter the IKE user view. You can define the pre-shared key, user ID, IP address, DNS server address, and VPN instance in the IKE user view.

Example

# Create an IKE user in the IKE user table.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] 

user-table

Function

The user-table command references an IKE user table in an IKE peer.

The undo user-table command deletes the referenced IKE user table.

By default, the IKE peer does not reference an IKE user table.

Format

user-table user-table-id

undo user-table

Parameters

Parameter

Description

Value

user-table-id

Specifies the ID of an IKE user table.

The value must be an existing IKE user table ID.

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

An IKE user table records the mapping between remote IDs of IKE peers and pre-shared keys. After an IKE peer references an IKE user table, the device searches for the pre-shared key matching the remote ID of the IKE peer in the IKE user table to complete identity authentication during IKE negotiation. In this manner, branches use different IDs and pre-shared keys.

Prerequisites

An IKE user table has been created using the ike user-table command.

Precautions

After an IKE peer references an IKE user table, the pre-shared key configured using the pre-shared-key (IKE user view) command takes precedence over that configured using the pre-shared-key (IKE peer view, Efficient VPN policy view) command.

Example

# Reference IKE user table 10 in IKE peer peer1.

<Huawei> system-view
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] quit
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] user-table 10

version

Function

The version command sets the IKE version number of an IKE peer.

The undo version command cancels the configuration.

By default, IKEv1 and IKEv2 are enabled.

Format

version { 1 | 2 }

undo version { 1 | 2 }

Parameters

Parameter Description Value
1 Indicates that the IKE version number is 1. -
2 Indicates that the IKE version number is 2. -

Views

IKE peer view

Default Level

2: Configuration level

Usage Guidelines

IKEv1 and IKEv2 cannot be disabled simultaneously.

If IKEv1 and IKEv2 are enabled simultaneously, the initiator uses IKEv2, and the responder can use IKEv1 or IKEv2.

Example

# Configure IKE peer peer1 to initiate negotiation using IKEv1.

<Huawei> system-view
[Huawei] ike peer peer1
[Huawei-ike-peer-peer1] undo version 2

vpn-instance-traffic (IKE user view)

Function

The vpn-instance-traffic command configures a VPN instance corresponding to user traffic of the IKE user table.

The undo vpn-instance-traffic command deletes a VPN instance corresponding to user traffic of the IKE user table.

By default, the VPN instance corresponding to user traffic of the IKE user table is not configured.

Format

vpn-instance-traffic { public | name vpn-instance-name }

undo vpn-instance-traffic

Parameters

Parameter

Description

Value

public

Indicates that user traffic of the IKE user table is public network traffic.

-

name vpn-instance-name

Specifies the name of a VPN instance.

The value must be an existing VPN instance name.

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a scenario where multiple branches connect to the headquarters, you can run the sa binding vpn-instance command to specify the VPN instance that IPSec tunnel traffic belongs to, thereby isolating traffic of different branches. When the device functions as the headquarters gateway and an IPSec policy is created using an IPSec policy template, the headquarters gateway cannot distinguish VPNs of different branches. You can run the vpn-instance-traffic command to specify VPNs for different branches.

Prerequisites

  1. A VPN instance has been created using the ip vpn-instance command.

  2. An RD has been configured using the route-distinguisher command.

Precautions

After an IKE user table is referenced by an IKE peer, the VPN instance configured by this command takes precedence over the VPN instance configured by the sa binding vpn-instance command.

Example

# Configure a VPN instance named vrf1 corresponding to user traffic of the IKE user table.

<Huawei> system-view
[Huawei] ip vpn-instance vrf1
[Huawei-vpn-instance-vrf1] ipv4-family
[Huawei-vpn-instance-vrf1-af-ipv4] route-distinguisher 22:1
[Huawei-vpn-instance-vrf1-af-ipv4] quit
[Huawei-vpn-instance-vrf1] quit
[Huawei] ike user-table 10
[Huawei-ike-user-table-10] user user1
[Huawei-ike-user-table-10-user1] vpn-instance-traffic name vrf1

user-fqdn

Function

The user-fqdn command configures the user domain name of an allowed peer for IKE negotiation.

The undo user-fqdn command deletes the user domain name of the allowed peer.

By default, no user domain name of an allowed peer for IKE negotiation is configured.

Format

user-fqdn fqdn-name

undo user-fqdn fqdn-name

Parameters

Parameter

Description

Value

fqdn-name

Specifies the user domain name of the peer for IKE negotiation.

The value is an existing user domain name of the peer for IKE negotiation.

Views

Identity filter set view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

You can run this command to configure a user domain name in the identity filter set to specify the allowed peer.

Precautions

An IPSec tunnel can be established only when the peer matches one or more attributes in the identity filter set and the IPSec negotiation parameters on both ends are the same.

You can run this command in the same view multiple times to specify multiple user domain names.

Example

# Set the user domain name of the allowed peer for IKE negotiation to liming@huawei.com.

<Huawei> system-view
[Huawei] ike identity identity1
[Huawei-ike-identity-identity1] user-fqdn liming@huawei.com