HPE JG619A Reference guide

Type
Reference guide
HPE FlexFabric 12900E Switch Series
IP Tunneling Command Reference
Software
version: Release 5210
Document version: 6W100-20230424
© Copyright 2023 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
i
Contents
GRE commands ···························································································· 1
keepalive ···················································································································································· 1
IPsec commands ··························································································· 2
ah authentication-algorithm ························································································································ 2
description ·················································································································································· 3
display ipsec { ipv6-policy | policy } ············································································································ 3
display ipsec { ipv6-policy-template | policy-template } ·············································································· 9
display ipsec profile ·································································································································· 11
display ipsec sa ········································································································································ 13
display ipsec sdwan-sa local ···················································································································· 18
display ipsec sdwan-sa remote ················································································································ 22
display ipsec sdwan-statistics ·················································································································· 24
display ipsec sdwan-tunnel ······················································································································ 26
display ipsec statistics ······························································································································ 29
display ipsec transform-set ······················································································································ 31
display ipsec tunnel ·································································································································· 32
encapsulation-mode ································································································································· 35
esn enable ················································································································································ 36
esp authentication-algorithm ···················································································································· 36
esp encryption-algorithm ·························································································································· 37
ike-profile ·················································································································································· 39
ikev2-profile ·············································································································································· 40
ipsec { ipv6-policy | policy } ······················································································································ 41
ipsec { ipv6-policy | policy } isakmp template ··························································································· 42
ipsec { ipv6-policy | policy } local-address ································································································ 43
ipsec { ipv6-policy-template | policy-template } ························································································ 44
ipsec anti-replay check ····························································································································· 45
ipsec anti-replay window ·························································································································· 46
ipsec apply ··············································································································································· 46
ipsec decrypt-check enable ······················································································································ 47
ipsec df-bit ················································································································································ 48
ipsec fragmentation ·································································································································· 48
ipsec global-df-bit ····································································································································· 49
ipsec limit max-tunnel ······························································································································· 50
ipsec logging negotiation enable ·············································································································· 51
ipsec logging packet enable ····················································································································· 51
ipsec profile ·············································································································································· 52
ipsec redundancy enable ························································································································· 53
ipsec sa global-duration ··························································································································· 54
ipsec sa global-soft-duration buffer ·········································································································· 54
ipsec sa idle-time ····································································································································· 56
ipsec transform-set ··································································································································· 56
local-address ············································································································································ 57
pfs ···························································································································································· 58
policy enable ············································································································································ 59
protocol ···················································································································································· 59
qos pre-classify ········································································································································ 60
redundancy replay-interval ······················································································································· 61
remote-address ········································································································································ 62
reset ipsec sa ··········································································································································· 63
reset ipsec sdwan-sa ······························································································································· 64
reset ipsec sdwan-statistics ····················································································································· 65
reset ipsec sdwan-tunnel ························································································································· 65
reset ipsec statistics ································································································································· 66
responder-only enable ····························································································································· 66
reverse-route dynamic ····························································································································· 67
ii
reverse-route preference ·························································································································· 69
reverse-route tag ······································································································································ 69
sa df-bit ···················································································································································· 70
sa duration ··············································································································································· 71
sa hex-key authentication ························································································································ 72
sa hex-key encryption ······························································································································ 74
sa idle-time ··············································································································································· 75
sa soft-duration buffer ······························································································································ 76
sa spi ························································································································································ 77
sa string-key ············································································································································· 78
sa trigger-mode ········································································································································ 80
security acl ··············································································································································· 80
snmp-agent trap enable ipsec ·················································································································· 82
tfc enable ·················································································································································· 83
transform-set ············································································································································ 84
IKE commands ···························································································· 86
aaa authorization ······································································································································ 86
authentication-algorithm ··························································································································· 87
authentication-method ······························································································································ 87
certificate domain ····································································································································· 88
client-authentication ································································································································· 89
client-authentication xauth user ··············································································································· 90
client source-udp-port dynamic ················································································································ 91
description ················································································································································ 92
dh ····························································································································································· 92
display ike proposal ·································································································································· 93
display ike sa ············································································································································ 94
display ike statistics ·································································································································· 98
dpd ··························································································································································· 99
encryption-algorithm ······························································································································· 100
exchange-mode ····································································································································· 101
ike address-group ·································································································································· 101
ike dpd ···················································································································································· 102
ike identity ·············································································································································· 103
ike invalid-spi-recovery enable ··············································································································· 104
ike keepalive interval ······························································································································ 105
ike keepalive timeout ······························································································································ 106
ike keychain ··········································································································································· 106
ike limit ··················································································································································· 107
ike logging negotiation enable················································································································ 108
ike nat-keepalive ···································································································································· 108
ike profile ················································································································································ 109
ike proposal ············································································································································ 109
ike signature-identity from-certificate ····································································································· 110
inside-vpn ··············································································································································· 111
keychain ················································································································································· 112
local-identity ··········································································································································· 113
match local address (IKE keychain view)······························································································· 114
match local address (IKE profile view) ··································································································· 115
match remote ········································································································································· 116
pre-shared-key ······································································································································· 117
priority (IKE keychain view) ···················································································································· 119
priority (IKE profile view) ························································································································ 119
proposal ················································································································································· 120
reset ike sa ············································································································································· 121
reset ike statistics ··································································································································· 121
sa duration ············································································································································· 122
sa soft-duration buffer ···························································································································· 122
snmp-agent trap enable ike ···················································································································· 123
iii
IKEv2 commands······················································································· 125
aaa authorization ···································································································································· 125
address ·················································································································································· 126
authentication-method ···························································································································· 127
certificate domain ··································································································································· 128
config-exchange ····································································································································· 129
dh ··························································································································································· 130
display ikev2 policy ································································································································ 131
display ikev2 profile ································································································································ 132
display ikev2 proposal ···························································································································· 133
display ikev2 sa ······································································································································ 134
display ikev2 statistics ···························································································································· 138
dpd ························································································································································· 139
encryption ··············································································································································· 140
hostname ··············································································································································· 141
identity ···················································································································································· 142
identity local ··········································································································································· 143
ikev2 address-group ······························································································································· 144
ikev2 cookie-challenge ··························································································································· 145
ikev2 dpd ················································································································································ 146
ikev2 ipv6-address-group ······················································································································· 147
ikev2 keychain ········································································································································ 147
ikev2 nat-keepalive ································································································································ 148
ikev2 policy ············································································································································· 149
ikev2 profile ············································································································································ 150
ikev2 proposal ········································································································································ 150
inside-vrf ················································································································································· 151
integrity ··················································································································································· 152
keychain ················································································································································· 153
match local (IKEv2 profile view) ············································································································· 154
match local address (IKEv2 policy view) ································································································ 155
match remote ········································································································································· 156
match vrf (IKEv2 policy view) ················································································································· 157
match vrf (IKEv2 profile view) ················································································································ 158
nat-keepalive ·········································································································································· 159
peer ························································································································································ 159
pre-shared-key ······································································································································· 160
prf ··························································································································································· 162
priority (IKEv2 policy view) ····················································································································· 163
priority (IKEv2 profile view) ···················································································································· 163
proposal ················································································································································· 164
reset ikev2 sa ········································································································································· 165
reset ikev2 statistics ······························································································································· 166
sa duration ············································································································································· 166
Document conventions and icons ······························································ 168
Conventions ··················································································································································· 168
Network topology icons ·································································································································· 169
Support and other resources ····································································· 170
Accessing Hewlett Packard Enterprise Support····························································································· 170
Accessing updates ········································································································································· 170
Websites ················································································································································ 171
Customer self repair ······························································································································· 171
Remote support ······································································································································ 171
Documentation feedback ······················································································································· 171
Index ·········································································································· 173
1
GRE commands
keepalive
Use keepalive to enable GRE keepalive and set the keepalive interval and the keepalive number.
Use undo keepalive to disable GRE keepalive.
Syntax
keepalive [ interval [ times ] ]
undo keepalive
Default
GRE keepalive is disabled.
Views
Tunnel interface view
Predefined user roles
network-admin
Parameters
interval: Specifies the keepalive interval, in the range of 1 to 32767 seconds. The default value is
10.
times: Specifies the keepalive number, in the range of 1 to 255. The default value is 3.
Usage guidelines
This command enables the tunnel interface to send keepalive packets at the specified interval. If the
device receives no response from the peer within the timeout time, it shuts down the local tunnel
interface. The device brings the local tunnel interface up if it receives a keepalive acknowledgment
packet from the peer. The timeout time is the result of multiplying the keepalive interval by the
keepalive number.
The device always acknowledges the keepalive packets it receives whether or not GRE keepalive is
enabled.
Examples
# Enable GRE keepalive, set the keepalive interval to 20 seconds, and set the keepalive number to
5.
<Sysname> system-view
[Sysname] interface tunnel 2 mode gre
[Sysname-Tunnel2] keepalive 20 5
2
IPsec commands
IPsec supports encrypting and decrypting only software forwarding packets on the control plane, but
not packets on the user plane. For more information about the control plane and user plane, see QoS
configuration in ACL and QoS Configuration Guide.
ah authentication-algorithm
Use ah authentication-algorithm to specify authentication algorithms for the AH protocol.
Use undo ah authentication-algorithm to restore the default.
Syntax
ah authentication-algorithm { aes-xcbc-mac | md5 | sha1 | sha256 | sha384
| sha512 } *
undo ah authentication-algorithm
Default
AH does not use any authentication algorithms.
Views
IPsec transform set view
AKA IPsec profile view
Predefined user roles
network-admin
Parameters
aes-xcbc-mac: Specifies the HMAC-AES-XCBC-96 algorithm, which uses a 128-bit key. This
keyword is available only for IKEv2.
md5: Specifies the HMAC-MD5-96 algorithm, which uses a 128-bit key.
sha1: Specifies the HMAC-SHA1-96 algorithm, which uses a 160-bit key.
sha256: Specifies the HMAC-SHA256 algorithm, which uses a 256-bit key.
sha384: Specifies the HMAC-SHA384 algorithm, which uses a 384-bit key.
sha512: Specifies the HMAC-SHA512 algorithm, which uses a 512-bit key.
Usage guidelines
You can specify multiple AH authentication algorithms for one IPsec transform set, and the algorithm
specified earlier has a higher priority.
For a manual or IKEv1-based IPsec policy, the first specified AH authentication algorithm takes effect.
To make sure an IPsec tunnel can be established successfully, the IPsec transform sets specified at
both ends of the tunnel must have the same first AH authentication algorithm.
The AH authentication algorithms specified in AKA IPsec profile view apply to only an IP Multimedia
Subsystem (IMS). You can specify multiple AH authentication algorithms for one AKA IPsec profile,
and the algorithm specified earlier has a higher priority. For successful IPsec tunnel establishment
between an IMS server and a UE, make sure the AH authentication algorithms specified for the AKA
IPsec profile have an intersection with the authentication algorithms supported by the UE. For more
information about IMS configuration, see Voice Configuration Guide.
3
Examples
# Specify HMAC-SHA1 as the AH authentication algorithm for IPsec transform set tran1.
<Sysname> system-view
[Sysname] ipsec transform-set tran1
[Sysname-ipsec-transform-set-tran1] ah authentication-algorithm sha1
description
Use description to configure a description for an IPsec policy, IPsec profile, or IPsec policy
template.
Use undo description to restore the default.
Syntax
description text
undo description
Default
No description is configured for an IPsec policy, IPsec profile, or IPsec policy template.
Views
IPsec policy view
IPsec policy template view
IPsec profile view
Predefined user roles
network-admin
Parameters
text: Specifies a description, a case-sensitive string of 1 to 80 characters.
Usage guidelines
You can configure different descriptions for IPsec policies, IPsec profiles, or IPsec policy templates
to distinguish them.
Examples
# Configure the description for IPsec policy policy1 as CenterToA.
<Sysname> system-view
[Sysname] ipsec policy policy1 1 isakmp
[Sysname-ipsec-policy-isakmp-policy1-1] description CenterToA
display ipsec { ipv6-policy | policy }
Use display ipsec { ipv6-policy | policy } to display information about IPsec policies.
Syntax
display ipsec { ipv6-policy | policy } [ policy-name [ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
4
network-operator
Parameters
ipv6-policy: Displays information about IPv6 IPsec policies.
policy: Displays information about IPv4 IPsec policies.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63
characters.
seq-number: Specifies an IPsec policy entry by its sequence number in the range of 1 to 65535.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec policies.
If you specify an IPsec policy name and a sequence number, this command displays information
about the specified IPsec policy entry. If you specify an IPsec policy name without any sequence
number, this command displays information about all IPsec policy entries with the specified name.
Examples
# Display information about all IPv4 IPsec policies.
<Sysname> display ipsec policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: Manual
-----------------------------
The policy configuration is incomplete:
ACL not specified
Incomplete transform-set configuration
Description: This is my first IPv4 manual policy
Security data flow:
Remote address: 2.5.2.1
Transform set: transform
Inbound AH setting:
AH SPI: 1200 (0x000004b0)
AH string-key: ******
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 1400 (0x00000578)
ESP string-key:
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 1300 (0x00000514)
AH string-key: ******
AH authentication hex key:
5
Outbound ESP setting:
ESP SPI: 1500 (0x000005dc)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: ISAKMP
-----------------------------
The policy configuration is incomplete:
Remote-address not set
ACL not specified
Transform-set not set
Description: This is my first IPv4 Isakmp policy
Traffic Flow Confidentiality: Enabled
Security data flow:
Selector mode: standard
Local address:
Remote address:
Transform set:
IKE profile:
IKEv2 profile:
SA trigger mode: Auto
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): 1000 seconds
SA soft-duration buffer(traffic based): 43200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
-------------------------------------------
IPsec Policy: mycompletepolicy
Interface: LoopBack2
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: Manual
-----------------------------
Description: This is my complete policy
Security data flow: 3100
Remote address: 2.2.2.2
Transform set: completetransform
Inbound AH setting:
AH SPI: 5000 (0x00001388)
AH string-key: ******
6
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 7000 (0x00001b58)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 6000 (0x00001770)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 8000 (0x00001f40)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3200
Selector mode: standard
Local address:
Remote address: 5.3.6.9
Transform set: completetransform
IKE profile:
IKEv2 profile:
SA trigger mode: Auto
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): 1000 seconds
SA soft-duration buffer(traffic based): 43200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
# Display information about all IPv6 IPsec policies.
<Sysname> display ipsec ipv6-policy
-------------------------------------------
IPsec Policy: mypolicy
-------------------------------------------
-----------------------------
Sequence number: 1
Mode: Manual
7
-----------------------------
Description: This is my first IPv6 policy
Security data flow: 3600
Remote address: 1000::2
Transform set: mytransform
Inbound AH setting:
AH SPI: 1235 (0x000004d3)
AH string-key: ******
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 1236 (0x000004d4)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI: 1237 (0x000004d5)
AH string-key: ******
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 1238 (0x000004d6)
ESP string-key: ******
ESP encryption hex key:
ESP authentication hex key:
-----------------------------
Sequence number: 2
Mode: ISAKMP
-----------------------------
Description: This is my complete policy
Traffic Flow Confidentiality: Enabled
Security data flow: 3200
Selector mode: standard
Local address:
Remote address: 1000::2
Transform set: completetransform
IKE profile:
IKEv2 profile:
SA trigger mode: Auto
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): 1000 seconds
SA soft-duration buffer(traffic based): 43200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
8
Table 1 Command output
Field
Description
IPsec Policy IPsec policy name.
Interface Interface applied with the IPsec policy.
Sequence number Sequence number of the IPsec policy entry.
Mode
Negotiation mode of the IPsec policy:
• Manual—Manual mode.
• ISAKMP—IKE negotiation mode.
• Template—IPsec policy template mode.
The policy configuration is incomplete
IPsec policy configuration incomplete. Possible causes include:
• The ACL is not configured.
• The IPsec transform set is not configured.
• The ACL does not have any permit statements.
• The IPsec transform set configuration is not complete.
• The peer IP address of the IPsec tunnel is not specified.
• The SPI and key of the IPsec SA do not match those in the
IPsec policy.
Description Description of the IPsec policy.
Traffic Flow Confidentiality Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Security data flow ACL used by the IPsec policy.
Selector mode Data flow protection mode of the IPsec policy: standard,
aggregation, or per-host.
Local address Local end IP address of the IPsec tunnel (available only for the
IKE-based IPsec policy).
Remote address Remote end IP address or host name of the IPsec tunnel.
Transform set Transform set used by the IPsec policy.
IKE profile IKE profile used by the IPsec policy.
IKEv2 profile IKEv2 profile used by the IPsec policy.
SA trigger mode
IPsec SA negotiation triggering mode:
• Auto—Triggers SA negotiation when required IPsec
configuration is complete.
• Traffic-based—Triggers SA negotiation when traffic
requires IPsec protection.
SA duration(time based) Time-based IPsec SA lifetime, in seconds.
SA duration(traffic based) Traffic-based IPsec SA lifetime, in Kilobytes.
SA soft-duration buffer(time based) Time-based IPsec SA soft lifetime buffer, in seconds.
If the time-based IPsec SA soft lifetime buffer is not configured,
this field displays two consecutive hyphens (--).
SA soft-duration buffer(traffic based) Traffic-based IPsec SA soft lifetime buffer, in Kilobytes.
If the traffic-based IPsec SA soft lifetime buffer is not
configured, this field displays two consecutive hyphens (--).
SA idle time Idle timeout of the IPsec SA, in seconds.
If the IPsec SA idle timeout is not configured, this field displays
two consecutive hyphens (--).
Responder only State of the responder only feature:
9
Field
Description
• Enabled
• Disabled
AH string-key AH string key. This field displays ****** if the key is configured
and it is empty if the key is not configured.
AH authentication hex key AH authentication hexadecimal key. This field displays ****** if
the key is configured and it is empty if the key is not configured.
ESP string-key
ESP string key. This field displays ****** if the key is configured
and it is empty if the key is not configured.
ESP encryption hex key ESP encryption hexadecimal key. This field displays ****** if the
key is configured and it is empty if the key is not configured.
ESP authentication hex key ESP authentication hexadecimal key. This field displays ****** if
the key is configured and it is empty if the key is not configured.
Related commands
ipsec { ipv6-policy | policy }
display ipsec { ipv6-policy-template | policy-template }
Use display ipsec { ipv6-policy-template | policy-template } to display
information about IPsec policy templates
Syntax
display ipsec { ipv6-policy-template | policy-template } [ template-name
[ seq-number ] ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
ipv6-policy-template: Displays information about IPv6 IPsec policy templates.
policy-template: Displays information about IPv4 IPsec policy templates.
template-name: Specifies an IPsec policy template by its name, a case-insensitive string of 1 to
63 characters.
seq-number: Specifies an IPsec policy template entry by its sequence number in the range of 1 to
65535.
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec policy
templates.
If you specify an IPsec policy template name and a sequence number, this command displays
information about the specified IPsec policy template entry. If you specify an IPsec policy template
name without any sequence number, this command displays information about all IPsec policy
template entries with the specified name.
10
Examples
# Display information about all IPv4 IPsec policy templates.
<Sysname> display ipsec policy-template
-----------------------------------------------
IPsec Policy Template: template
-----------------------------------------------
---------------------------------
Sequence number: 1
---------------------------------
Description: This is policy template
Traffic Flow Confidentiality: Disabled
Security data flow :
Selector mode: standard
Local address:
IKE profile:
IKEv2 profile:
Remote address: 162.105.10.2
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
# Display information about all IPv6 IPsec policy templates.
<Sysname> display ipsec ipv6-policy-template
-----------------------------------------------
IPsec Policy Template: template6
-----------------------------------------------
---------------------------------
Sequence number: 1
---------------------------------
Description: This is policy template
Traffic Flow Confidentiality: Disabled
Security data flow :
Selector mode: standard
Local address:
IKE profile:
IKEv2 profile:
Remote address: 200::1
Transform set: testprop
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
11
Table 2 Command output
Field
Description
IPsec Policy Template IPsec policy template name.
Sequence number Sequence number of the IPsec policy template entry.
Description Description of the IPsec policy template.
Traffic Flow Confidentiality Whether Traffic Flow Confidentiality (TFC) padding is enabled.
Security data flow ACL used by the IPsec policy template.
Selector mode Data flow protection mode of the IPsec policy template: standard,
aggregation, or per-host.
Local address Local end IP address of the IPsec tunnel.
IKE profile IKE profile used by the IPsec policy template.
IKEv2 profile IKEv2 profile used by the IPsec policy template.
Remote address Remote end IP address of the IPsec tunnel.
Transform set Transform set used by the IPsec policy template.
IPsec SA local duration(time based) Time-based IPsec SA lifetime, in seconds.
IPsec SA local duration(traffic
based) Traffic-based IPsec SA lifetime, in Kilobytes.
SA idle time Idle timeout of the IPsec SA, in seconds.
If the IPsec SA idle timeout is not configured, this field displays two
consecutive hyphens (--).
Responder only State of the responder only feature:
• Enabled
• Disabled
Related commands
ipsec { ipv6-policy | policy } isakmp template
display ipsec profile
Use display ipsec profile to display information about IPsec profiles.
Syntax
display ipsec profile [ profile-name ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63
characters.
12
Usage guidelines
If you do not specify any parameters, this command displays information about all IPsec profiles.
Examples
# Display information about all IPsec profiles.
<Sysname> display ipsec profile
-------------------------------------------
IPsec profile: myprofile
Mode: isakmp
-------------------------------------------
Transform set: tran1
IKE profile: profile
SA duration(time based): 3600 seconds
SA duration(traffic based): 1843200 kilobytes
SA soft-duration buffer(time based): 1000 seconds
SA soft-duration buffer(traffic based): 43200 kilobytes
SA idle time: 100 seconds
Responder only: Disabled
-----------------------------------------------
IPsec profile: profile
Mode: manual
-----------------------------------------------
Transform set: prop1
Inbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Inbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex-key: ******
ESP authentication hex-key: ******
Outbound AH setting:
AH SPI: 12345 (0x00003039)
AH string-key:
AH authentication hex key: ******
Outbound ESP setting:
ESP SPI: 23456 (0x00005ba0)
ESP string-key:
ESP encryption hex key: ******
ESP authentication hex key: ******
-------------------------------------------
IPsec profile: myprofile
Mode: SDWAN
-------------------------------------------
Transform set: tran1
SA duration (time based): 3600 seconds
13
Table 3 Command output
Field
Description
IPsec profile IPsec profile name.
Mode
Negotiation mode used by the IPsec profile.
• AKA—AKA mode.
• Manual—Manual mode.
• ISAKMP—IKE negotiation mode.
• SDWAN—SDWAN mode.
Description Description of the IPsec profile.
Transform set IPsec transform set used by the IPsec profile.
IKE profile IKE profile used by the IPsec profile.
SA duration(time based) Time-based IPsec SA lifetime, in seconds.
SA duration(traffic based) Traffic-based IPsec SA lifetime, in Kilobytes.
SA soft-duration buffer(time based) Time-based IPsec SA soft lifetime buffer, in seconds.
If the time-based IPsec SA soft lifetime buffer is not configured,
this field displays two consecutive hyphens (--).
SA soft-duration buffer(traffic based) Traffic-based IPsec SA soft lifetime buffer, in Kilobytes.
If the traffic-based IPsec SA soft lifetime buffer is not
configured, this field displays two consecutive hyphens (--).
SA idle time IPsec SA idle timeout, in seconds.
If the IPsec SA idle timeout is not configured, this field displays
two consecutive hyphens (--).
Responder only State of the responder only feature:
• Enabled
• Disabled
Related commands
ipsec profile
display ipsec sa
Use display ipsec sa to display information about IPsec SAs.
Syntax
display ipsec sa [ aka | brief | count | interface interface-type
interface-number | { ipv6-policy | policy } policy-name [ seq-number ] |
profile profile-name | remote [ ipv6 ] ip-address ]
Views
Any view
Predefined user roles
network-admin
network-operator
Parameters
aka: Displays detailed information about IPsec SAs created by using a specified AKA IPsec profile.
This keyword is supported for only voice communications.
14
brief: Displays brief information about all IPsec SAs.
count: Displays the number of IPsec SAs.
interface interface-type interface-number: Specifies an interface by its type and
number.
ipv6-policy: Displays detailed information about IPsec SAs created by using a specified IPv6
IPsec policy.
policy: Displays detailed information about IPsec SAs created by using a specified IPv4 IPsec
policy.
policy-name: Specifies an IPsec policy by its name, a case-insensitive string of 1 to 63
characters.
seq-number: Specifies an IPsec policy entry by its sequence number. The value range is 1 to
65535.
profile: Displays detailed information about IPsec SAs created by using a specified IPsec profile.
profile-name: Specifies an IPsec profile by its name, a case-insensitive string of 1 to 63
characters.
remote ip-address: Specifies an IPsec SA by its remote end IP address.
ipv6: Specifies an IPsec SA by its remote end IPv6 address. If this keyword is not specified, the
specified remote end IP address is an IPv4 address.
Usage guidelines
If you do not specify any parameters, this command displays detailed information about all IPsec
SAs.
Examples
# Display brief information about IPsec SAs.
<Sysname> display ipsec sa brief
-----------------------------------------------------------------------
Interface/Global Dst Address SPI Protocol Status
-----------------------------------------------------------------------
HGE1/0/1 10.1.1.1 400 ESP Active
HGE1/0/1 255.255.255.255 4294967295 ESP Active
HGE1/0/1 100::1/64 500 AH Active
Global -- 600 ESP Active
Table 4 Command output
Field
Description
Interface/Global Interface where the IPsec SA belongs to or global IPsec SA (created by using an
IPsec profile).
Dst Address Remote end IP address of the IPsec tunnel.
For the IPsec SAs created by using IPsec profiles, this field displays two hyphens
(--).
SPI IPsec SA SPI.
Protocol Security protocol used by IPsec.
Status Status of the IPsec SA: Active or Standby.
In a VSRP scenario, this field displays either Active or Standby.
In standalone mode, this field always displays
Active
.
15
# Display the number of IPsec SAs.
<Sysname> display ipsec sa count
Total IPsec SAs count: 4
# Display detailed information about IPsec SAs created by using AKA IPsec profiles.
<Sysname> display ipsec sa aka
-------------------------------
IPsec AKA SA
Total IPsec AKA SAs count: 1
-------------------------------
-----------------------------
IPsec profile: profile1
Mode: AKA
-----------------------------
Encapsulation mode: transport
Flow:
sour addr: 44.1.1.3 port: 38211 protocol: tcp
dest addr: 10.10.0.72 port: 24771 protocol: tcp
[Inbound ESP SAs]
SPI: 1234563 (0x0012d683)
Connection ID: 64426789452
Algorithms set: ESP-ENCRYPT-NULL ESP-AUTH-MD5
[Outbound ESP SAs]
SPI: 1234563 (0x002d683)
Connection ID: 64428999468
Algorithms set: ESP-ENCRYPT-NULL ESP-AUTH-MD5
# Display detailed information about all IPsec SAs.
<Sysname> display ipsec sa
-------------------------------
Interface: HundredGigE1/0/1
-------------------------------
-----------------------------
IPsec policy: r2
Sequence number: 1
Mode: ISAKMP
-----------------------------
Tunnel id: 3
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN: vp1
Extended Sequence Numbers enable: Y
Traffic Flow Confidentiality enable: N
Path MTU: 1443
Transmitting entity: Initiator
Tunnel:
local address: 2.2.2.2
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92
  • Page 93 93
  • Page 94 94
  • Page 95 95
  • Page 96 96
  • Page 97 97
  • Page 98 98
  • Page 99 99
  • Page 100 100
  • Page 101 101
  • Page 102 102
  • Page 103 103
  • Page 104 104
  • Page 105 105
  • Page 106 106
  • Page 107 107
  • Page 108 108
  • Page 109 109
  • Page 110 110
  • Page 111 111
  • Page 112 112
  • Page 113 113
  • Page 114 114
  • Page 115 115
  • Page 116 116
  • Page 117 117
  • Page 118 118
  • Page 119 119
  • Page 120 120
  • Page 121 121
  • Page 122 122
  • Page 123 123
  • Page 124 124
  • Page 125 125
  • Page 126 126
  • Page 127 127
  • Page 128 128
  • Page 129 129
  • Page 130 130
  • Page 131 131
  • Page 132 132
  • Page 133 133
  • Page 134 134
  • Page 135 135
  • Page 136 136
  • Page 137 137
  • Page 138 138
  • Page 139 139
  • Page 140 140
  • Page 141 141
  • Page 142 142
  • Page 143 143
  • Page 144 144
  • Page 145 145
  • Page 146 146
  • Page 147 147
  • Page 148 148
  • Page 149 149
  • Page 150 150
  • Page 151 151
  • Page 152 152
  • Page 153 153
  • Page 154 154
  • Page 155 155
  • Page 156 156
  • Page 157 157
  • Page 158 158
  • Page 159 159
  • Page 160 160
  • Page 161 161
  • Page 162 162
  • Page 163 163
  • Page 164 164
  • Page 165 165
  • Page 166 166
  • Page 167 167
  • Page 168 168
  • Page 169 169
  • Page 170 170
  • Page 171 171
  • Page 172 172
  • Page 173 173
  • Page 174 174
  • Page 175 175
  • Page 176 176
  • Page 177 177
  • Page 178 178
  • Page 179 179

HPE JG619A Reference guide

Type
Reference guide

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI