H3C S9500 Series Routing Switches SecBlade FW VPN Cards Command Manual(V1.03)

02-VPN Command

Table of Contents

Chapter 1 L2TP Configuration Commands
1.1 L2TP Configuration Commands
1.1.1 allow l2tp
1.1.2 debugging l2tp
1.1.3 display l2tp session
1.1.4 display l2tp Tunnel
1.1.5 display l2tp user
1.1.6 interface virtual-template
1.1.7 l2tp enable
1.1.8 l2tp-auto-client enable
1.1.9 l2tp-group
1.1.10 l2tpmoreexam enable
1.1.11 mandatory-chap
1.1.12 mandatory-lcp
1.1.13 reset l2tp session
1.1.14 reset l2tp Tunnel
1.1.15 reset l2tp user
1.1.16 session idle-time
1.1.17 start l2tp
1.1.18 start l2tp Tunnel
1.1.19 Tunnel authentication
1.1.20 Tunnel avp-hidden
1.1.21 Tunnel flow-control
1.1.22 Tunnel keepstanding
1.1.23 Tunnel name
1.1.24 Tunnel password
1.1.25 Tunnel timer hello

Chapter 2 GRE Configuration Commands
2.1 GRE Configuration Commands
2.1.1 debugging Tunnel
2.1.2 destination
2.1.3 display interface Tunnel
2.1.4 gre checksum
2.1.5 gre key
2.1.6 interface Tunnel
2.1.7 keepalive
2.1.8 source
2.1.9 Tunnel-protocol gre

Chapter 3 IPSec Configuration Commands
3.1 IPSec Configuration Commands
3.1.1 ah authentication-algorithm
3.1.2 debugging ike dpd
3.1.3 debugging ipsec
3.1.4 display ike dpd
3.1.5 display ipsec policy
3.1.6 display ipsec policy-template
3.1.7 display ipsec proposal
3.1.8 display ipsec sa
3.1.9 display ipsec statistics
3.1.10 display ipsec Tunnel
3.1.11 dpd
3.1.12 encapsulation-mode
3.1.13 esp authentication-algorithm
3.1.14 esp encryption-algorithm
3.1.15 ike dpd
3.1.16 interval-time
3.1.17 ipsec policy
3.1.18 ipsec policy
3.1.19 ipsec policy-template
3.1.20 ipsec proposal
3.1.21 ipsec sa global-duration
3.1.22 pfs
3.1.23 proposal
3.1.24 reset ipsec sa
3.1.25 reset ipsec statistics
3.1.26 sa authentication-hex
3.1.27 sa duration
3.1.28 sa encryption-hex
3.1.29 sa spi
3.1.30 sa string-key
3.1.31 security acl
3.1.32 time-out
3.1.33 transform
3.1.34 Tunnel local
3.1.35 Tunnel remote
3.2 Encryption Card Configuration Commands
3.2.1 debugging encrypt-card host
3.2.2 display encrypt-card fast-switch
3.2.3 display interface encrypt
3.2.4 encrypt-card backuped
3.2.5 encrypt-card fast-switch
3.2.6 interface encrypt
3.2.7 ipsec card-proposal
3.2.8 reset counters interface encrypt
3.2.9 reset encrypt-card fast-switch
3.2.10 reset encrypt-card sa
3.2.11 reset encrypt-card statistics
3.2.12 reset encrypt-card syslog
3.2.13 snmp-agent trap enable encrypt-card
3.2.14 use encrypt-card

Chapter 4 IKE Configuration Commands
4.1 IKE Configuration Commands
4.1.1 authentication-algorithm
4.1.2 authentication-method
4.1.3 debugging ike
4.1.4 dh
4.1.5 display ike peer
4.1.6 display ike proposal
4.1.7 display ike sa
4.1.8 encryption-algorithm
4.1.9 exchange-mode
4.1.10 id-type
4.1.11 ike encrypt-card dh-computation disabled
4.1.12 ike local-name
4.1.13 ike next-payload check disabled
4.1.14 ike peer
4.1.15 ike-peer
4.1.16 ike proposal
4.1.17 ike sa keepalive-timer interval
4.1.18 ike sa keepalive-timer timeout
4.1.19 ike sa nat-keepalive-timer interval
4.1.20 local
4.1.21 local-address
4.1.22 nat traversal
4.1.23 peer
4.1.24 pre-shared-key
4.1.25 remote-address
4.1.26 remote-name
4.1.27 reset ike sa
4.1.28 sa duration

Chapter 5 PKI Configuration Commands
5.1 PKI Domain Configuration Commands
5.1.1 ca identifier
5.1.2 certificate request entity
5.1.3 certificate request from
5.1.4 certificate request mode
5.1.5 certificate request polling
5.1.6 certificate request url
5.1.7 crl check disable
5.1.8 crl update-period
5.1.9 crl url
5.1.10 ldap-server
5.1.11 pki domain
5.1.12 root-certificate fingerprint
5.2 PKI Entity Configuration Commands
5.2.1 fqdn
5.2.2 common-name
5.2.3 country
5.2.4 ip
5.2.5 locality
5.2.6 organization
5.2.7 organization-unit
5.2.8 state
5.2.9 pki entity
5.3 PKI Certificate Operation Commands
5.3.1 pki delete-certificate
5.3.2 pki import-certificate
5.3.3 pki request-certificate
5.3.4 pki retrieval-certificate
5.3.5 pki retrieval-crl
5.3.6 pki validate-certificate
5.4 PKI Displaying and Debugging Commands
5.4.1 debugging pki
5.4.2 display pki certificate
5.4.3 display pki crl

Chapter 6 DVPN Configuration Commands
6.1.1 algorithm-suite
6.1.2 authentication-client method
6.1.3 authentication-server method
6.1.4 data algorithm-suite
6.1.5 data ipsec-sa duration
6.1.6 debugging dvpn
6.1.7 display dvpn ipsec-sa
6.1.8 display dvpn map
6.1.9 display dvpn session
6.1.10 display dvpn info
6.1.11 display dvpn online-user
6.1.12 dvpn class
6.1.13 dvpn client register-dumb
6.1.14 dvpn client register-interval
6.1.15 dvpn client register-retry
6.1.16 dvpn dvpn-id
6.1.17 dvpn interface-type
6.1.18 dvpn policy
6.1.19 dvpn policy
6.1.20 dvpn register-type
6.1.21 dvpn security
6.1.22 dvpn server
6.1.23 dvpn server authentication-client method
6.1.24 dvpn server map age-time
6.1.25 dvpn server pre-shared-key
6.1.26 dvpn service enable
6.1.27 local-user
6.1.28 public-ip
6.1.29 pre-shared-key
6.1.30 private-ip
6.1.31 reset dvpn all
6.1.32 reset dvpn map
6.1.33 reset dvpn session
6.1.34 reset dvpn statistics
6.1.35 session algorithm-suite
6.1.36 session idle-time
6.1.37 session keepalive-interval
6.1.38 session setup-interval
6.1.39 Tunnel-protocol udp dvpn


Chapter 1  L2TP Configuration Commands

1.1  L2TP Configuration Commands

1.1.1  allow l2tp

Syntax

allow l2tp virtual-template virtual-template-number remote remote-name [ domain domain-name ]

undo allow

View

L2TP group view

Parameter

virtual-template-number: Number of the virtual template interface used to create the virtual access interface for the call, an integer in the range 0 to 1023.

remote-name: Name of the tunnel peer that initiates the connection request, a case-sensitive string of 1 to 30 characters.

domain-name: Name of the enterprise (domain) the call belongs to, a string of 1 to 30 characters.

Description

Use the allow l2tp command to specify the name of the tunnel peer whose calls are accepted, and the virtual template used when such a call is received.

Use the undo allow command to remove the peer name and virtual template setting.

By default, incoming calls are rejected.

This command is used on the LNS side. If a peer name is configured, it must be the local tunnel name configured on the LAC (see Tunnel name).

For multi-instance (multi-domain) L2TP deployments, the domain-name parameter must be configured.

When L2TP group 1 (the default L2TP group) is used, remote-name may be omitted. In L2TP group 1 view the command takes the form:

allow l2tp virtual-template virtual-template-number [ remote remote-name ] [ domain domain-name ]

If a peer name is specified in L2TP group 1, group 1 no longer serves as the default L2TP group. A default group is needed to accept tunnel connection requests from peers whose name is unknown or unpredictable, or for testing. For example, the Windows 2000 beta 2 VPN client sends the local name NONE, so the peer name the SecBlade receives is NONE. Note that a default group accepts tunnel requests carrying any peer name, so the tunnel authentication password (Tunnel authentication, Tunnel password) is the only check on the peer in that configuration.

Related command: l2tp-group.

Example

# Accept L2TP tunnel connection requests from the peer AS8010 (the LAC) and create the virtual access interface from virtual-template 1.

[SecBlade_VPN-l2tp2] allow l2tp virtual-template 1 remote AS8010

# Configure L2TP group 1 as the default L2TP group to receive L2TP tunnel connection requests sent by any peer end, and create a virtual-access interface according to virtual-template 1.

[SecBlade_VPN] l2tp-group 1

[SecBlade_VPN-l2tp1] allow l2tp virtual-template 1

1.1.2  debugging l2tp

Syntax

debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }

undo debugging l2tp { all | control | dump | error | event | hidden | payload | time-stamp }

View

User view

Parameter

all: Specifies to enable all L2TP related debugging.

control: Specifies to enable control packet debugging.

dump: Specifies to enable PPP packet debugging.

error: Specifies to enable error debugging.

event: Specifies to enable event debugging.

hidden: Specifies to enable hidden AVP debugging.

payload: Specifies to enable L2TP payload debugging.

time-stamp: Specifies to enable time-stamp debugging.

Description

Use the debugging l2tp command to enable L2TP debugging.

Use the undo debugging l2tp command to disable L2TP debugging.

Example

# Enable all L2TP debugging.

<SecBlade_VPN> debugging l2tp all

1.1.3  display l2tp session

Syntax

display l2tp session

View

Any view

Parameter

None

Description

Use the display l2tp session command to view the current L2TP sessions.

Related command: display l2tp Tunnel.

Example

# Display current L2TP sessions.

<SecBlade_VPN> display l2tp session

LocalSID  RemoteSID  LocalTID  IdleTimeLeft
1         1          2         600

Total session = 1

Table 1-1 Description on the fields of the display l2tp session command

LocalSID: Number uniquely identifying the session at the local end
RemoteSID: Number uniquely identifying the session at the peer end
LocalTID: Local ID of the tunnel carrying the session
IdleTimeLeft: Remaining time, in seconds, before the session is disconnected for being idle (see session idle-time)
Total session: Number of sessions

 

1.1.4  display l2tp Tunnel

Syntax

display l2tp Tunnel

View

Any view

Parameter

None

Description

Use the display l2tp Tunnel command to display information of the current L2TP tunnels.

Related command: display l2tp session.

Example

# Display information of the current L2TP tunnels.

<SecBlade_VPN> display l2tp Tunnel

LocalTID  RemoteTID  RemoteAddress  Port  Sessions  RemoteName  keepstanding
2         22849      11.1.1.1       1701  1         lns         YES

Total tunnel = 1

Table 1-2 Description on the fields of the display l2tp Tunnel command

LocalTID: Number uniquely identifying the tunnel at the local end
RemoteTID: Number uniquely identifying the tunnel at the peer end
RemoteAddress: IP address of the peer end
Port: UDP port number of the peer end
Sessions: Number of sessions on the tunnel
RemoteName: Name of the peer end
keepstanding: Whether the tunnel-hold function (Tunnel keepstanding) is enabled
Total tunnel: Number of tunnels

 

&  Note:

When the SecBlade is used as the LNS and both domain users and non-domain users exist, the L2TP information displayed for a tunnel triggered by a non-domain user may be incorrect.

 

1.1.5  display l2tp user

Syntax

display l2tp user

View

Any view

Parameter

None

Description

Use the display l2tp user command to display information about current L2TP users.

Related command: display l2tp Tunnel, display l2tp session.

Example

# Display information about current L2TP users.

<SecBlade_VPN> display l2tp user

User Name  LocalSID  RemoteSID  LocalTID
w@h3c      1         1          2

Total user = 1

Table 1-3 Description on the fields of the display l2tp user command

User Name: User name
LocalSID: Local identifier of the session
RemoteSID: Remote identifier of the session
LocalTID: Local identifier of the tunnel
Total user: Total number of users

 

1.1.6  interface virtual-template

Syntax

interface virtual-template virtual-template-number

undo interface virtual-template virtual-template-number

View

System view

Parameter

virtual-template-number: Number of a virtual template interface, an integer in the range 0 to 1023.

Description

Use the interface virtual-template command to create a virtual template interface.

Use the undo interface virtual-template command to delete a specified virtual template interface.

By default, the system has no virtual template interface.

Virtual template interfaces are used to configure the operation parameters for the virtual interfaces dynamically created by the SecBlade, for example, L2TP logical interfaces.

Related command: allow l2tp.

Example

# Create virtual template interface 1 and enter its view.

[SecBlade_VPN] interface virtual-template 1

1.1.7  l2tp enable

Syntax

l2tp enable

undo l2tp enable

View

System view

Parameter

None

Description

Use the l2tp enable command to enable the L2TP function.

Use the undo l2tp enable command to disable the L2TP function.

By default, the L2TP function is disabled.

Related command: l2tp-group.

Example

# Enable the L2TP function on the SecBlade.

[SecBlade_VPN] l2tp enable

1.1.8  l2tp-auto-client enable

Syntax

l2tp-auto-client enable

undo l2tp-auto-client enable

View

Virtual template interface view

Parameter

None

Description

Use the l2tp-auto-client enable command to allow the SecBlade, acting as an LAC client on this virtual template interface, to set up the L2TP tunnel automatically.

Use the undo l2tp-auto-client enable command to disable this function.

Example

# Enter virtual template interface view.

[SecBlade_VPN] interface virtual-template 1

# Enable the LAC client to set up L2TP tunnel.

[SecBlade_VPN-Virtual-Template1] l2tp-auto-client enable

1.1.9  l2tp-group

Syntax

l2tp-group group-number

undo l2tp-group group-number

View

System view

Parameter

group-number: Number of L2TP group, an integer ranging from 1 to 1000.

Description

Use the l2tp-group command to create an L2TP group.

Use the undo l2tp-group command to remove a specified L2TP group.

By default, the system has no L2TP group.

L2TP group 1 can serve as the default L2TP group (see allow l2tp).

Deleting an L2TP group with the undo l2tp-group command also deletes all of its configuration.

Related command: allow l2tp and start l2tp.

Example

# Create L2TP group 2 and enter L2TP group 2 view.

[SecBlade_VPN] l2tp-group 2

[SecBlade_VPN-l2tp2]

1.1.10  l2tpmoreexam enable

Syntax

l2tpmoreexam enable

undo l2tpmoreexam enable

View

System view

Parameter

None

Description

This command is executed at the LNS side only.

Use the l2tpmoreexam enable command to enable the L2TP multi-domain function.

Use the undo l2tpmoreexam enable command to disable the L2TP multi-domain function.

By default, the L2TP multi-domain function is disabled.

L2TP multi-domain services can be deployed only after you enable the L2TP multi-domain function.

Related command: l2tp enable.

Example

# Enable the L2TP multi-domain function on the SecBlade (the LNS side).

[SecBlade_VPN] l2tpmoreexam enable

1.1.11  mandatory-chap

Syntax

mandatory-chap

undo mandatory-chap

View

L2TP group view

Parameter

None

Description

Use the mandatory-chap command to force the LNS to perform CHAP authentication with the client again.

Use the undo mandatory-chap command to disable CHAP re-authentication.

By default, CHAP re-authentication is not performed.

After the LAC performs proxy authentication of a client, the LNS can authenticate the client a second time for additional security. With mandatory-chap configured, each VPN client whose tunnel connection is initiated by the access server is authenticated both on the access server side and on the LNS side. Some PPP clients do not support the second authentication; for those clients, local CHAP authentication fails.

Related command: mandatory-lcp.

Example

# Perform mandatory CHAP authentication.

[SecBlade_VPN-l2tp1] mandatory-chap

1.1.12  mandatory-lcp

Syntax

mandatory-lcp

undo mandatory-lcp

View

L2TP group view

Parameter

None

Description

Use the mandatory-lcp command to force the LNS and the client to renegotiate the link control protocol (LCP).

Use the undo mandatory-lcp command to disable LCP renegotiation.

By default, LCP is not renegotiated.

For NAS-initiated VPN clients, PPP negotiation is first performed with the network access server (NAS) at the beginning of the PPP session. If it succeeds, the access server initiates the tunnel connection and passes the information collected during negotiation to the LNS, which uses it to decide whether the user is valid. The mandatory-lcp command forces the LNS and the client to renegotiate LCP; in that case the NAS proxy authentication information is ignored. If the PPP client does not support LCP renegotiation, the renegotiation fails.

Related command: mandatory-chap.

Example

# Enable LCP renegotiation.

[SecBlade_VPN-l2tp1] mandatory-lcp

1.1.13  reset l2tp session

Syntax

reset l2tp session session-id

View

User view

Parameter

session-id: Local identifier of a session.

Description

Use the reset l2tp session command to tear down the specified session. The session can be re-established when the user calls in again.

Related command: reset l2tp Tunnel.

Example

# Tear down an L2TP session.

<SecBlade_VPN> reset l2tp session 1

1.1.14  reset l2tp Tunnel

Syntax

reset l2tp Tunnel { name remote-name | id Tunnel-id }

View

User view

Parameter

remote-name: Name of the peer end of the tunnel.

Tunnel-id: ID of the local end of the tunnel.

Description

Use the reset l2tp Tunnel command to tear down the specified tunnel and all sessions on the tunnel.

A tunnel torn down by the reset l2tp Tunnel command can be re-established when a remote user calls in again. You can specify the tunnel by its peer name or by its local tunnel ID. If no tunnel with the specified name exists, existing tunnel connections are not affected. If several tunnels share the name (same peer name, different peer IP addresses), all of them are torn down. When Tunnel-id is specified, only that tunnel is torn down.

Related command: display l2tp Tunnel.

Example

# Tear down the tunnel connection with the peer name as AS8010.

<SecBlade_VPN> reset l2tp Tunnel name AS8010

1.1.15  reset l2tp user

Syntax

reset l2tp user user-name

View

User view

Parameter

user-name: L2TP user name.

Description

Use the reset l2tp user command to tear down the L2TP connection of the specified user. The connection can be re-established when the user calls in again.

Related command: reset l2tp Tunnel, reset l2tp session.

Example

# Tear down the connection of L2TP user H3C@h3c.

<SecBlade_VPN> reset l2tp user H3C@h3c

1.1.16  session idle-time

Syntax

session idle-time time

undo session idle-time

View

L2TP group view

Parameter

time: Idle-timeout time in the range 0 to 10000 seconds.

Description

Use the session idle-time command to set the L2TP session idle-timeout time and enable the timeout disconnection function.

Use the undo session idle-time command to disable the timeout disconnection function.

By default, L2TP session never expires.

Example

# Enter L2TP group view.

[SecBlade_VPN] l2tp-group 1

# Set the L2TP session idle-timeout time to 600 seconds.

[SecBlade_VPN-l2tp1] session idle-time 600

1.1.17  start l2tp

Syntax

start l2tp { ip ip-addr [ ip ip-addr ] [ ip ip-addr ] ... } { domain domain-name | fullusername user-name }

undo start

View

L2TP group view

Parameter

ip ip-addr: Specifies the IP address of the peer end of the tunnel (LNS). Up to five IP addresses can be set to provide LNS backup for one another.

domain-name: Domain name triggering connection requests, a string of 1 to 30 characters.

user-name: Full username triggering connection requests, a string of 1 to 80 characters.

Description

Use the start l2tp command to specify the conditions that trigger the local end, acting as an L2TP LAC, to initiate a call, together with the LNS addresses it calls.

Use the undo start command to delete the triggering conditions.

This command is used on the LAC side. It specifies the IP address of the LNS and supports two kinds of triggering condition:

- Domain name: a tunnel connection request is initiated for users whose domain name matches. For example, if the company domain is H3C.com, users with that domain name can be designated VPN users.

- Full username: a single user is designated a VPN user by giving the full username.

For a VPN user, the LAC sends an L2TP tunnel connection request to the configured LNSs in order. If an LNS responds within the specified period, the LAC takes it as the peer end of the tunnel; otherwise the LAC sends the request to the next LNS.

The two triggering conditions can conflict. For example, the LNS address selected by full username may be 1.1.1.1 while that selected by domain name is 1.1.1.2. The system resolves this with a fixed lookup order: it first looks for an L2TP group configured with the full username, and only if none matches does it look up by domain name.

When multiple LNSs are configured, the backup LNSs (the subsequent IP addresses) may never be reached because the timeouts of PPP clients vary. Configuring at most two LNSs is therefore recommended.

Example

# Designate users with the domain name H3C.com as VPN users; the LNS at the headquarters has the IP address 202.38.168.1.

[SecBlade_VPN-l2tp1] start l2tp ip 202.38.168.1 domain H3C.com

1.1.18  start l2tp Tunnel

Syntax

start l2tp Tunnel

View

L2TP group view

Parameter

None

Description

Use the start l2tp Tunnel command to enable the L2TP LAC to initiate an L2TP tunnel connection.

This command is used only on LAC side.

Related command: Tunnel keepstanding.

Example

# Enable the LAC to initiate an L2TP tunnel connection according to the configured LNS order. Let the LAC request the LNS at 1.1.1.1 first and then the LNS at 2.2.2.2 if no response is received.

[SecBlade_VPN-l2tp1] start l2tp ip 1.1.1.1 ip 2.2.2.2 fullusername vpdnuser

[SecBlade_VPN-l2tp1] start l2tp Tunnel

 

  Caution:

You must use this command together with the Tunnel keepstanding command. Otherwise, no tunnel will be set up.

 

1.1.19  Tunnel authentication

Syntax

Tunnel authentication

undo Tunnel authentication

View

L2TP group view

Parameter

None

Description

Use the Tunnel authentication command to enable L2TP tunnel authentication.

Use the undo Tunnel authentication command to disable L2TP tunnel authentication.

By default, L2TP tunnel authentication is enabled.

Normally, tunnel authentication should be performed at both ends of the tunnel for security; both ends must be configured with the same password (see Tunnel password). Disabling it is appropriate only for network connectivity tests or when the system must accept connections from unknown peers. With it disabled, the tunnel is established with any peer that reaches the SecBlade, and only the PPP authentication of the individual users remains.

Example

# Configure not to authenticate the peer end of the tunnel.

[SecBlade_VPN-l2tp1] undo Tunnel authentication

1.1.20  Tunnel avp-hidden

Syntax

Tunnel avp-hidden

undo Tunnel avp-hidden

View

L2TP group view

Parameter

None

Description

Use the Tunnel avp-hidden command to transmit attribute value pair (AVP) data in hidden format.

Use the undo Tunnel avp-hidden command to restore the default transmission of AVP data.

By default, the tunnel transmits AVP data in plain text.

Some L2TP control parameters, including the proxied PPP authentication information, are carried in AVPs. If higher security is desired, use this command to transmit them in hidden format. Hiding is keyed by the tunnel password configured with Tunnel password, so it only obscures AVP contents from observers who do not hold that password; it does not encrypt the tunneled data itself, which requires IPSec protection.

Example

# Set AVP data to be transmitted in hidden format.

[SecBlade_VPN-l2tp1] Tunnel avp-hidden
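What Tunnel avp-hidden does on the wire, as an added Python example that is not H3C code: the AVP hiding procedure of RFC 2661 section 4.3, which the SecBlade implementation is assumed to follow. A hidden AVP value is XORed with an MD5 keystream derived from the attribute type, the tunnel password and a Random Vector AVP that must precede it in the same control message. The AVP values, the control message builder and the variable secret (standing for the Tunnel password) are constructed for this example. It also shows the limit of the mechanism: anyone holding the tunnel password unhides every AVP, and a message received without its Random Vector cannot be unhidden at all.

```python
"""L2TP AVP hiding (RFC 2661 section 4.3), the format Tunnel avp-hidden selects.

Added example, not H3C code. The hidden value is XORed with an MD5 keystream
keyed by the attribute type, the tunnel password and the Random Vector AVP that
must precede the hidden AVP in the same control message.
"""
import hashlib
import os
import struct

AVP_M = 0x8000              # Mandatory bit
AVP_H = 0x4000              # Hidden bit
AVP_RANDOM_VECTOR = 36      # Random Vector AVP, the per-message nonce
AVP_PROXY_AUTHEN_NAME = 30  # example AVPs worth hiding: proxied PPP credentials
AVP_PROXY_AUTHEN_RESPONSE = 33


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_value(attr_type, secret, random_vector, value):
    """Subformat: 2-byte original length, value, random padding (here to a
    multiple of 16, which also hides the true length). Chunk i is XORed with
    b(1) = MD5(type || secret || RV) and b(i) = MD5(secret || c(i-1))."""
    plain = struct.pack("!H", len(value)) + value
    plain += os.urandom((-len(plain)) % 16)
    b = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    hidden = b""
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], b)
        hidden += c
        b = hashlib.md5(secret + c).digest()
    return hidden


def unhide_value(attr_type, secret, random_vector, hidden):
    """Reverse of hide_value. A wrong secret or RV yields garbage; the length
    prefix is the only built-in sanity check, so it is checked here."""
    b = hashlib.md5(struct.pack("!H", attr_type) + secret + random_vector).digest()
    plain = b""
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        plain += _xor(c, b)
        b = hashlib.md5(secret + c).digest()
    (orig_len,) = struct.unpack("!H", plain[:2])
    if orig_len > len(plain) - 2:
        raise ValueError("hidden AVP does not unhide: wrong tunnel password or Random Vector")
    return plain[2:2 + orig_len]


def encode_avp(attr_type, value, hidden=False, secret=None, random_vector=None):
    """AVP header: 6 flag bits and 10 length bits, Vendor ID 0 (IETF), type."""
    if hidden:
        value = hide_value(attr_type, secret, random_vector, value)
    length = 6 + len(value)
    flags = AVP_M | (AVP_H if hidden else 0)
    return struct.pack("!HHH", flags | length, 0, attr_type) + value


def build_control_message(secret, hidden_attrs):
    """Emit a Random Vector AVP followed by the given AVPs in hidden form."""
    rv = os.urandom(16)
    msg = encode_avp(AVP_RANDOM_VECTOR, rv)
    for attr_type, value in hidden_attrs:
        msg += encode_avp(attr_type, value, hidden=True, secret=secret, random_vector=rv)
    return msg


def decode_avps(data, secret):
    """Parse AVPs in order, unhiding hidden ones with the most recent Random Vector."""
    rv, avps = None, []
    while data:
        flags_len, _vendor, attr_type = struct.unpack("!HHH", data[:6])
        length = flags_len & 0x03FF
        if length < 6:
            raise ValueError("malformed AVP length")
        value, data = data[6:length], data[length:]
        if flags_len & AVP_H:
            if rv is None:
                raise ValueError("hidden AVP without a preceding Random Vector AVP")
            value = unhide_value(attr_type, secret, rv, value)
        if attr_type == AVP_RANDOM_VECTOR:
            rv = value
        avps.append((attr_type, value))
    return avps
```

Run decode_avps over a message built with build_control_message: with the right tunnel password the proxied credentials come back in clear, with a wrong one the length check (usually) rejects them, and with the Random Vector AVP stripped nothing can be unhidden.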

1.1.21  Tunnel flow-control

Syntax

Tunnel flow-control

undo Tunnel flow-control

View

L2TP group view

Parameter

None

Description

Use the Tunnel flow-control command to enable the flow control function for L2TP tunnel.

Use the undo Tunnel flow-control command to disable the flow control function.

By default, the L2TP tunnel flow control function is disabled.

Example

# Enable the flow control function.

[SecBlade_VPN-l2tp1] Tunnel flow-control

1.1.22  Tunnel keepstanding

Syntax

Tunnel keepstanding

undo Tunnel keepstanding

View

L2TP group view

Parameter

None

Description

Use the Tunnel keepstanding command to enable the L2TP tunnel-hold function, to prevent tunnels from being torn down when no session is present.

Use the undo Tunnel keepstanding command to disable the L2TP tunnel-hold function.

 

  Caution:

To have this command take effect on a tunnel, you must configure it at both ends of the tunnel.

 

By default, the tunnel-hold function is disabled.

Example

# Enter L2TP group view.

[SecBlade_VPN] l2tp-group 1

# Enable the L2TP tunnel-hold function.

[SecBlade_VPN-l2tp1] Tunnel keepstanding

1.1.23  Tunnel name

Syntax

Tunnel name name

undo Tunnel name

View

L2TP group view

Parameter

name: Local name of the tunnel, a string containing 1 to 30 characters.

Description

Use the Tunnel name command to specify local name of a tunnel.

Use the undo Tunnel name command to restore the local name to the default.

By default, local name is the name of the SecBlade.

When creating an L2TP group, the system initializes the local name according to the name of the SecBlade.

An LNS selects a local L2TP group according to the tunnel name of an LAC. If tunnel names are the same, the LNS will establish a tunnel using the first matching group. To establish multiple tunnels, you must configure different tunnel names.

Related command: sysname.

Example

# Set local name of the tunnel to “itsme”.

[SecBlade_VPN-l2tp1] Tunnel name itsme

1.1.24  Tunnel password

Syntax

Tunnel password { simple | cipher } password

undo Tunnel password

View

L2TP group view

Parameter

simple: Password in plain text.

cipher: Password in ciphertext.

password: Password used for tunnel authentication, a string containing 1 to 16 characters.

Description

Use the Tunnel password command to specify a password for tunnel authentication.

Use the undo Tunnel password command to remove the tunnel authentication password.

By default, no tunnel authentication password is configured.

The same password must be configured at both ends of the tunnel. With simple, the password is shown in plain text in the configuration; with cipher, it is shown in ciphertext, which is the form to keep in saved configurations.

Example

# Set tunnel authentication password to “yougotit” displayed in cipher text.

[SecBlade_VPN-l2tp1] Tunnel password cipher yougotit
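The tunnel password is the shared secret behind the tunnel authentication that Tunnel authentication (1.1.19) enables, and the same CHAP computation (RFC 1994) underlies the per-user re-authentication of mandatory-chap (1.1.11). The following is an added Python example, not H3C code, of how the SCCRQ/SCCRP/SCCCN control-connection exchange uses it, following RFC 2661 section 5.1: each end that authenticates sends a random challenge, and the peer answers with MD5 over the message type, the password and the challenge. The TunnelEnd class and establish_tunnel are constructed for this example; the names AS8010 and yougotit come from the page, everything else is assumed.

```python
"""L2TP tunnel authentication (RFC 2661 section 5.1) driven by the Tunnel password.

Added example, not H3C code. The message flow is SCCRQ (LAC->LNS), SCCRP
(LNS->LAC) and SCCCN (LAC->LNS); a Challenge AVP travels in SCCRQ/SCCRP and the
Challenge Response AVP in the following SCCRP/SCCCN.
"""
import hashlib
import hmac
import os

SCCRP = 2  # message type whose Challenge Response answers the SCCRQ challenge
SCCCN = 3  # message type whose Challenge Response answers the SCCRP challenge


def challenge_response(message_type, secret, challenge):
    """CHAP (RFC 1994) response with the L2TP message type as the CHAP ID:
    MD5(message_type || secret || challenge). 'secret' is the tunnel password."""
    return hashlib.md5(bytes([message_type]) + secret + challenge).digest()


class TunnelEnd:
    """One end of the tunnel. 'password' is the configured Tunnel password
    (None if unset) and 'authenticate' mirrors Tunnel authentication / undo
    Tunnel authentication: an end that authenticates issues a challenge and
    checks the answer; an end that does not still has to answer the peer's."""

    def __init__(self, name, password=None, authenticate=True):
        self.name = name
        self.password = password or b""
        self.authenticate = authenticate
        self.challenge = os.urandom(16) if authenticate else None

    def answer(self, message_type, peer_challenge):
        return challenge_response(message_type, self.password, peer_challenge)

    def verify(self, message_type, response):
        if not self.authenticate:
            return True  # no challenge was sent, so there is nothing to check
        expected = challenge_response(message_type, self.password, self.challenge)
        return hmac.compare_digest(expected, response)


def establish_tunnel(lac, lns):
    """Return True if the control connection comes up, False if either end
    would send StopCCN because a Challenge Response did not verify."""
    # SCCRQ carries the LAC's challenge (if any); SCCRP carries the LNS's
    # answer to it plus the LNS's own challenge (if any).
    if lac.authenticate and not lac.verify(SCCRP, lns.answer(SCCRP, lac.challenge)):
        return False
    # SCCCN carries the LAC's answer to the LNS's challenge.
    if lns.authenticate and not lns.verify(SCCCN, lac.answer(SCCCN, lns.challenge)):
        return False
    return True


if __name__ == "__main__":
    lns = TunnelEnd("SecBlade_VPN", b"yougotit")
    print("matching passwords:", establish_tunnel(TunnelEnd("AS8010", b"yougotit"), lns))
    print("wrong LAC password:", establish_tunnel(TunnelEnd("AS8010", b"guess"), lns))
    print("LAC without password, LNS authenticating:",
          establish_tunnel(TunnelEnd("anyone", authenticate=False), lns))
    print("authentication disabled on both ends:",
          establish_tunnel(TunnelEnd("anyone", authenticate=False),
                           TunnelEnd("SecBlade_VPN", authenticate=False)))
```

The last case is the configuration the page warns about: with undo Tunnel authentication on the LNS and no password, any peer that can reach UDP port 1701 brings the tunnel up, and only PPP user authentication stands between it and the virtual template interface.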

1.1.25  Tunnel timer hello

Syntax

Tunnel timer hello hello-interval

undo Tunnel timer hello

View

L2TP group view

Parameter

hello-interval: Interval at which the LAC or LNS sends Hello packets while it has no data packets to exchange on the tunnel, an integer in the range 60 to 1000 seconds.

Description

Use the Tunnel timer hello command to set a Hello packet send interval.

Use the undo Tunnel timer hello command to restore the Hello packet send interval to the default.

By default, Hello packet is sent every 60 seconds.

Different Hello packet time intervals can be configured on LNS and LAC sides.

Example

# Set Hello packet send interval to 99 seconds.

[SecBlade_VPN-l2tp1] Tunnel timer hello 99

 


Chapter 2  GRE Configuration Commands

2.1  GRE Configuration Commands

2.1.1  debugging Tunnel

Syntax

debugging Tunnel

undo debugging Tunnel

View

User view

Parameter

None

Description

Use the debugging Tunnel command to enable the debugging for tunnel.

Use the undo debugging Tunnel command to disable the debugging for tunnel.

Example

# Enable the debugging for tunnel.

<SecBlade_VPN> debugging Tunnel

2.1.2  destination

Syntax

destination ip-addr

undo destination

View

Tunnel interface view

Parameter

ip-addr: IP address of the physical interface at the peer end of the tunnel.

Description

Use the destination command to specify the destination IP address written into the outer IP header when packets are encapsulated on the tunnel interface.

Use the undo destination command to delete the destination address.

By default, no destination address is specified.

The tunnel destination address is the IP address of the real physical interface that receives the GRE packets. It must equal the source address configured on the peer tunnel interface, and a route to that physical interface must exist.

Two or more tunnel interfaces using the same encapsulation protocol cannot be configured with the same source and destination addresses.

Related command: interface Tunnel and source.

Example

# Set up a tunnel connection between the interface GigabitEthernet0/0.1 of SecBlade_VPN1 (with IP address of 193.101.1.1) and the interface GigabitEthernet0/0.2 of the SecBlade_VPN2 (with IP address of 192.100.1.1).

[SecBlade_VPN1-Tunnel0] source 193.101.1.1

[SecBlade_VPN1-Tunnel0] destination 192.100.1.1

[SecBlade_VPN2-Tunnel1] source 192.100.1.1

[SecBlade_VPN2-Tunnel1] destination 193.101.1.1

2.1.3  display interface Tunnel

Syntax

display interface Tunnel [ number ]

View

Any view

Parameter

number: Tunnel interface number, in the range 0 to 1023.

Description

Use the display interface Tunnel command to view the working status of a tunnel interface.

Executing the display interface Tunnel command displays such information about the tunnel interface as source address, destination address (the real physical interface address receiving/sending GRE packet), encapsulation mode, identification keyword and end-to-end check.

Related command: source, destination, gre key, gre checksum, and Tunnel-protocol.

Example

# Display the information about the current tunnel interface.

<SecBlade_VPN> display interface Tunnel 2

Tunnel2 current state :UP

Line protocol current state :DOWN

Description : Tunnel0 Interface

The Maximum Transmit Unit is 64000

Internet Address is 192.168.2.1/24

Encapsulation is TUNNEL, loopback not set

Tunnel source 192.168.0.1 (GigabitEthernet0/0.1), destination 202.38.16.188

Tunnel keepalive disable

Tunnel protocol/transport GRE/IP, key disabled

Checksumming of packets disabled

    Last 300 seconds input:  0 bytes/sec, 0 packets/sec

    Last 300 seconds output:  0 bytes/sec, 0 packets/sec

    0 packets input,  0 bytes

    0 input error

    0 packets output,  0 bytes

    0 output error

Table 2-1 Description on the fields of the display interface Tunnel 2 command

Tunnel2 current state: Current state of the tunnel interface
Line protocol current state: Current state of the protocol on the tunnel interface
Description: Description of the tunnel interface
The Maximum Transmit Unit: MTU of the tunnel interface
Internet Address: IP address of the tunnel interface
Encapsulation: Encapsulation used by the tunnel (GRE)
loopback: Whether loopback testing is set
Tunnel source: Source IP address of the tunnel and the physical interface it belongs to
destination: Destination IP address of the tunnel
Tunnel keepalive: Whether the tunnel keepalive function is enabled
Tunnel protocol/transport: Encapsulation protocol and transport protocol of the tunnel
key: Whether the tunnel key is enabled (see gre key)
Checksumming of packets: Whether end-to-end checksum is enabled (see gre checksum)
Last 300 seconds input: Input rate in bytes/sec and packets/sec over the last five minutes
Last 300 seconds output: Output rate in bytes/sec and packets/sec over the last five minutes
packets input, bytes: Total number of input packets and bytes
input error: Number of errored packets among all input packets
packets output, bytes: Total number of output packets and bytes
output error: Number of errored packets among all output packets

 

2.1.4  gre checksum

Syntax

gre checksum

undo gre checksum

view

Tunnel interface view

Parameter

None

Description

Use the gre checksum command to enable end-to-end checksum on the tunnel, so that the receiving end can verify the integrity of GRE packets and discard those that fail verification.

Use the undo gre checksum command to cancel the checksum.

By default, end-to-end checksum is disabled.

You may enable or disable checksum independently at each end of a tunnel. If checksum is enabled at the local end but not at the peer end, the local end adds a checksum to the packets it transmits but does not verify a checksum on the packets it receives. If checksum is disabled at the local end but enabled at the peer end, the local end verifies the checksum on the packets it receives but does not add one to the packets it transmits.

Related command: interface Tunnel.

Example

# Set up a tunnel between the SecBlade_VPN1 interface and SecBlade_VPN2 interface and enable checksum on both ends of the tunnel.

[SecBlade_VPN1-Tunnel3] gre checksum

[SecBlade_VPN2-Tunnel2] gre checksum

2.1.5  gre key

Syntax

gre key key-number

undo gre key

view

Tunnel interface view

Parameter

key-number: Identification keyword of the two ends of the tunnel, an integer ranging from 0 to 4294967295.

Description

Use the gre key command to set the identification keyword (key) of the tunnel interface. This is a weak security mechanism: it lets the system avoid misidentifying packets or accepting packets from unintended sources.

Use the undo gre key command to delete this configuration.

By default, the system does not assign identification keyword to the tunnel.

The key-number must either be set to the same value at both ends of the tunnel or be left unset at both ends.

Related command: interface Tunnel.

Example

# Set up a tunnel between SecBlade_VPN1 and SecBlade_VPN2 and set the identification keyword of the tunnel.

[SecBlade_VPN1-Tunnel3] gre key 123

[SecBlade_VPN2-Tunnel2] gre key 123
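To make concrete what the gre checksum (2.1.4) and gre key (2.1.5) settings put on the wire, and how the asymmetric checksum behaviour and the "same key at both ends or at neither" rule play out on the receiving side, here is an added Python example that is not part of the manual or the SecBlade software. The header layout follows RFC 2784/2890 (C and K flag bits, optional Checksum+Reserved1 word, optional Key word); the receive-side policy is this example's model of the behaviour the manual describes.

```python
"""Added example (not from the H3C manual): minimal GRE-over-IP header
encoder/decoder modelling the 'gre checksum' and 'gre key' settings."""
import struct
from typing import Optional, Tuple

GRE_PROTO_IPV4 = 0x0800
FLAG_C = 0x8000   # Checksum Present (RFC 2784)
FLAG_K = 0x2000   # Key Present (RFC 2890)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(payload: bytes, checksum: bool, key: Optional[int]) -> bytes:
    """Sender side: 'checksum' mirrors 'gre checksum', 'key' mirrors 'gre key key-number'."""
    if key is not None and not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("key-number must be in 0..4294967295")
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, GRE_PROTO_IPV4)
    if checksum:
        header += struct.pack("!HH", 0, 0)        # Checksum (filled below) + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        # The checksum covers the GRE header and payload, computed with the field zeroed.
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def gre_decapsulate(packet: bytes, local_key: Optional[int]) -> Tuple[str, Optional[bytes]]:
    """Receiver side. Returns (verdict, payload).

    The checksum is verified only when the sender set the C bit, which is why a
    local end with 'gre checksum' disabled still accepts (without checking)
    packets from a peer that has it enabled, as the manual describes.
    The key is compared whenever either side configured one, so both ends must
    set the same key-number or neither must."""
    if len(packet) < 4:
        return "drop: truncated header", None
    flags, proto = struct.unpack("!HH", packet[:4])
    if proto != GRE_PROTO_IPV4:
        return "drop: unsupported payload protocol", None
    offset = 4
    if flags & FLAG_C:
        if len(packet) < offset + 4:
            return "drop: truncated checksum field", None
        # Summing the whole packet including the stored checksum must give zero.
        if internet_checksum(packet) != 0:
            return "drop: checksum mismatch", None
        offset += 4
    received_key = None
    if flags & FLAG_K:
        if len(packet) < offset + 4:
            return "drop: truncated key field", None
        received_key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    # The key is a 32-bit cleartext tag: it separates tunnels and rejects stray
    # packets, but anyone who can read the traffic can read it, which is why the
    # manual calls it a weak security mechanism; it is not authentication.
    if received_key != local_key:
        return "drop: key mismatch", None
    return "accept", packet[offset:]


if __name__ == "__main__":
    # Constructed inner packet; both ends configured with 'gre key 123' and 'gre checksum'.
    pkt = gre_encapsulate(b"constructed inner packet", checksum=True, key=123)
    print(gre_decapsulate(pkt, 123))   # ('accept', b'constructed inner packet')
    print(gre_decapsulate(pkt, 124))   # ('drop: key mismatch', None)
```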

2.1.6  interface Tunnel

Syntax

interface Tunnel number

undo interface Tunnel number

view

System view

Parameter

number: Tunnel interface number to be set, in the range 0 to 1023.

Description

Use the interface Tunnel command to create a tunnel interface and enter the view of this tunnel interface.

Use the undo interface Tunnel command to delete the specified tunnel interface.

By default, there is no tunnel interface in the system.

The interface Tunnel command is used to enter interface view of the specified tunnel. If the tunnel interface does not exist, the system will create it before entering tunnel interface view.

Tunnel interface numbers are only locally significant. The two ends of a tunnel can use the same or different interface numbers.

Related command: source, destination, gre key, gre checksum, Tunnel-protocol.

Example

# Create interface Tunnel 3.

[SecBlade_VPN] interface Tunnel 3

2.1.7  keepalive

Syntax

keepalive [ seconds [ times ] ]

undo keepalive

View

Tunnel interface view

Parameter

seconds: Interval for sending keepalive packets. It is in the range 1 to 32767 seconds and defaults to 10 seconds.

times: The maximum number of keepalive message send attempts. It is in the range 1 to 255 and defaults to 3.

Description

Use the keepalive command to enable the GRE keepalive function and, optionally, set the interval at which keepalive packets are sent and the maximum number of send attempts.

Use the undo keepalive command to disable the keepalive function.

By default, the keepalive function of GRE is disabled.

After you configure the keepalive command, the SecBlade sends GRE keepalive packets at the configured interval. If no response to a keepalive packet is received before the interval expires, the SecBlade resends the keepalive packet. If there is still no response after the number of send attempts exceeds the configured limit, the line protocol of the local tunnel interface goes down.

Related command: interface Tunnel.

Example

# Configure the SecBlade to send GRE keepalive packets up to five times at intervals of 20 seconds.

[SecBlade_VPN-Tunnel0] keepalive 20 5
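The following added Python example (not from the manual or the SecBlade software) models the keepalive behaviour described above so that the worst-case time to detect a dead peer, and the recovery when replies resume, can be reasoned about for a given seconds and times setting. The exact counting rule on the device (whether the line goes down after exactly times unanswered probes) is an assumption of this model.

```python
"""Added example (not from the H3C manual): event-driven model of
'keepalive [ seconds [ times ] ]' on a GRE tunnel interface."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class GreKeepalive:
    seconds: int = 10          # probe interval; manual range 1..32767, default 10
    times: int = 3             # max send attempts; manual range 1..255, default 3
    line_protocol_up: bool = True
    unanswered: int = 0
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= self.seconds <= 32767:
            raise ValueError("seconds must be in 1..32767")
        if not 1 <= self.times <= 255:
            raise ValueError("times must be in 1..255")

    def worst_case_detection_time(self) -> int:
        """Seconds from the last good reply until the line protocol can go down:
        'times' probes, each waiting 'seconds' for an answer (assumption)."""
        return self.seconds * self.times

    def probe(self, answered: bool) -> bool:
        """One keepalive round (one 'seconds' interval elapsed).
        Returns the line protocol state after the round."""
        if answered:
            self.unanswered = 0
            if not self.line_protocol_up:
                self.line_protocol_up = True
                self.log.append("reply received: line protocol UP")
            return True
        self.unanswered += 1
        self.log.append(f"no reply ({self.unanswered}/{self.times})")
        # Assumption: the line goes down once 'times' consecutive probes are unanswered.
        if self.unanswered >= self.times and self.line_protocol_up:
            self.line_protocol_up = False
            self.log.append("send attempts exhausted: line protocol DOWN")
        return self.line_protocol_up


def simulate(seconds: int, times: int, replies: List[bool]) -> List[bool]:
    """Feed a constructed sequence of 'did the peer answer' outcomes and
    return the line protocol state after each round."""
    ka = GreKeepalive(seconds=seconds, times=times)
    return [ka.probe(r) for r in replies]


if __name__ == "__main__":
    # 'keepalive 20 5' as in the manual's example: five silent rounds bring the
    # line protocol down (worst case 100 s); the next reply brings it back up.
    print(GreKeepalive(seconds=20, times=5).worst_case_detection_time())
    print(simulate(20, 5, [True, False, False, False, False, False, True]))
```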

2.1.8  source

Syntax

source { ip-addr | interface-type interface-num }

undo source

View

Tunnel interface view

Parameter

ip-addr: IP address of the real interface that sends the GRE packets, in dotted decimal format (A.B.C.D).

interface-type interface-num: Interface type and interface number.

Description

Use the source command to specify the source IP address to be filled in the outer IP header when packets are encapsulated on the tunnel interface.

Use the undo source command to delete the defined source address.

By default, source address is not specified in the system.

The source address of a tunnel is the real IP address of the interface that sends the GRE packets, and it must match the destination address configured on the tunnel interface at the opposite end.

The same source address and destination address cannot be configured on two or more tunnel interfaces using the same encapsulation protocol.

The configuration does not follow card hot-swapping: when you remove the card, the corresponding configuration is not removed with it, and you must remove it manually.

Related command: interface Tunnel, destination.

Example

# Configure interface Tunnel5 on SecBlade_VPN1 so that encapsulated packets are sent from physical interface GigabitEthernet0/0.1 (IP address 192.100.1.1).

[SecBlade_VPN1-Tunnel5] source 192.100.1.1

Alternatively, you may specify the actual physical interface:

[SecBlade_VPN1-Tunnel5] source GigabitEthernet0/0.1

2.1.9  Tunnel-protocol gre

Syntax

Tunnel-protocol gre

undo Tunnel-protocol

View

Tunnel interface view

Parameter

None

Description

Use the Tunnel-protocol gre command to set encapsulation mode of the tunnel interface to GRE.

By default, the encapsulation protocol of a tunnel interface is GRE. In GRE mode the GRE-related commands can be executed and displayed; other encapsulation modes make their own related commands available.

Related command: interface Tunnel.

Example

# Create a tunnel between SecBlade_VPN1 and SecBlade_VPN2, with encapsulation protocol being GRE and transport protocol being IP.

[SecBlade_VPN1-Tunnel3] Tunnel-protocol gre

[SecBlade_VPN2-Tunnel2] Tunnel-protocol gre

 


Chapter 3  IPSec Configuration Commands

3.1  IPSec Configuration Commands

3.1.1  ah authentication-algorithm

Syntax

ah authentication-algorithm { md5 | sha1 }

undo ah authentication-algorithm

View

IPSec proposal view

Parameter

md5: Specifies to use MD5 algorithm.

sha1: Specifies to use SHA1 algorithm.

Description

Use the ah authentication-algorithm command to set the authentication algorithm for the authentication header (AH) protocol in IPSec proposal.

Use the undo ah authentication-algorithm command to restore the default setting.

By default, the MD5 authentication algorithm is used by AH protocol in IPSec proposal.

The AH protocol provides authentication only; it cannot encrypt.

MD5 produces a 128-bit message digest, while SHA1 produces a 160-bit message digest. MD5 is faster than SHA1, while SHA1 is more secure than MD5.

The AH protocol adopted by the IPSec policy at both ends of the security tunnel must be set to use the same authentication algorithm.

The AH authentication algorithm can be configured only after AH or AH-ESP security protocol is selected by executing the transform command.

Related command: ipsec proposal, proposal, sa sip and transform.

Example

# Set IPSec proposal to use SHA1 in AH protocol.

[SecBlade_VPN] ipsec proposal prop1

[SecBlade_VPN-ipsec-proposal-prop1] transform ah

[SecBlade_VPN-ipsec-proposal-prop1] ah authentication-algorithm sha1

3.1.2  debugging ike dpd

Syntax

debugging ike dpd

undo debugging ike dpd

View

User view

Parameter

None

Description

Use the debugging ike dpd command to enable debugging for IKE DPD.

Use the undo debugging ike dpd command to disable debugging for IKE DPD.

Example

# Enable debugging for IKE DPD.

<SecBlade_VPN> debugging ike dpd

3.1.3  debugging ipsec

Syntax

debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

undo debugging ipsec { all | sa | misc | packet [ policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ] }

View

User view

Parameter

all: Specifies to display all debugging information.

sa: Specifies to display debugging information of SA.

packet: Specifies to display debugging information of IPSec packets.

policy policy-name: Specifies to display debugging information of IPSec policy whose name is policy-name.

seq-number: Specifies to display debugging information of IPSec policy whose sequence number is seq-number.

parameters: Specifies to display debugging information of an SA whose remote address is ip-address, security protocol is protocol, and SPI is spi-number.

misc: Specifies to display other debugging information of IPSec.

Description

Use the debugging ipsec command to enable the debugging for IPSec.

Use the undo debugging ipsec command to disable the debugging for IPSec.

By default, the debugging for IPSec is disabled.

Example

# Enable the debugging function for IPSec SA.

<SecBlade_VPN> debugging ipsec sa

3.1.4  display ike dpd

Syntax

display ike dpd [ dpd-name ]

View

Any view

Parameter

dpd-name: DPD structure name.

Description

Use the display ike dpd command to display the information about the configured DPD structure.

Example

# Display information about all the configured DPD structures.

[SecBlade_VPN] display ike dpd
---------------------------
 IKE dpd: aaa
   references: 0
   interval-time: 10
   time_out: 5
---------------------------
---------------------------
 IKE dpd: xhy
   references: 1
   interval-time: 10
   time_out: 5

Table 3-1 Description on the fields of the display ike dpd command

Field            Description
IKE dpd          IKE DPD structure name
references       Reference count of the DPD structure (number of IKE peers referencing it)
interval-time    Interval for triggering DPD queries
time_out         Timeout for a DPD query

3.1.5  display ipsec policy

Syntax

display ipsec policy [ brief | name policy-name [ seq-number ] ]

View

Any view

Parameter

brief: Specifies to display brief information about all the IPSec policies.

name: Specifies to display information of the IPSec policy with the name policy-name and sequence number seq-number.

policy-name: Name of an IPSec policy.

seq-number: Sequence number of an IPSec policy.

If no argument is specified, the details of all IPSec policies are displayed. If name policy-name is specified but seq-number is not, the information of all policies in the specified IPSec policy group is listed.

Description

Use the display ipsec policy command to view information about the IPSec policy.

The brief keyword displays brief information about all the IPSec policies in the brief format (see the following example) and is useful for a quick overview of all the IPSec policies. Brief information includes: name and sequence number, negotiation mode, access control list, proposal, local address, and remote address.

The other forms of the command display detailed information about the IPSec policy in the detailed format (see the following example).

Related command: ipsec policy (system view).

Example

# View brief information about all the IPSec policies.

[SecBlade_VPN] display ipsec policy brief
IPsec-Policy-Name     Mode    acl          Local-Address  Remote-Address
------------------------------------------------------------------------
policy1-1             isakmp  3000                        172.16.2.1
policy2-1             manual  3001        172.16.2.1      172.16.2.2

Table 3-2 Description on the fields of the display ipsec policy command

Field                Description
IPsec-Policy-Name    Name and sequence number of an IPSec policy (the name and the sequence number are separated by "-")
Mode                 Negotiation method used by an IPSec policy
acl                  Access control list used by an IPSec policy
Local Address        Local IP address
Remote Address       Remote IP address
ike-peer name        In ISAKMP negotiation mode, the name of the IKE peer used by an IPSec policy (not displayed in manual mode)

# View information about all the IPSec policies

[SecBlade_VPN] display ipsec policy
===========================================
IPsec Policy Group: "policy1"
Using interface: {GigabitEthernet0/0.1}
===========================================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    security data flow : 3000
    selector mode: standard
    ike-peer name:  ikepeer
    perfect forward secrecy: DH group 1
    proposal name:  proposal1
    IPsec sa local duration(time based): 3600 seconds
    IPsec sa local duration(traffic based): 1843200 kilobytes

===========================================
IPsec Policy Group: "policy2"
Using interface: {GigabitEthernet0/0.2}
===========================================

  -----------------------------
  IPsec policy name: "policy2"
  sequence number: 1
  mode: manual
  -----------------------------
    security data flow : 3001
    tunnel local  address: 172.16.2.1
    tunnel remote address: 172.16.2.2
    proposal name: proposal2
    inbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    inbound ESP setting:
      ESP spi:
      ESP string-key:
      ESP encryption hex key:
      ESP authentication hex key:
    outbound AH setting:
      AH spi:
      AH string-key:
      AH authentication hex key:
    outbound ESP setting:
      ESP spi:
      ESP string-key:
      ESP encryption hex key:
      ESP authentication hex key:

Table 3-3 Description on the fields of the display ipsec policy command

Field                                     Description
IPsec policy name                         Name of the IPSec policy
sequence number                           Sequence number of the IPSec policy
mode                                      Negotiation mode of the IPSec policy: isakmp or manual
security data flow                        Access control list used by the IPSec policy
selector mode                             Data flow protection mode
ike-peer name                             Name of the referenced IKE peer
perfect forward secrecy                   Perfect forward secrecy (PFS) configuration
proposal name                             Name of the proposal referenced by the IPSec policy
IPsec sa local duration(time based)       Time-based duration of the IPSec SA
IPsec sa local duration(traffic based)    Traffic-based duration of the IPSec SA
tunnel local address                      IP address of the local end of the tunnel
tunnel remote address                     IP address of the remote end of the tunnel
inbound AH setting                        Settings of the inbound AH protocol
inbound ESP setting                       Settings of the inbound ESP protocol
outbound AH setting                       Settings of the outbound AH protocol
outbound ESP setting                      Settings of the outbound ESP protocol

3.1.6  display ipsec policy-template

Syntax

display ipsec policy-template [ brief | name template-name [ seq-number ] ]

View

Any view

Parameter

brief: Specifies to display brief information about all the IPSec policy templates.

name: Specifies to display information of the IPSec policy template with the name template-name and sequence number seq-number.

template-name: Name of an IPSec policy template.

seq-number: Sequence number of an IPSec policy template.

If no parameter is specified, detailed information about all the IPSec policy templates is displayed. If name template-name is specified but seq-number is not, the information of all templates in the specified IPSec policy template group is listed.

Description

Use the display ipsec policy-template command to view information about the IPSec policy template.

The brief keyword displays brief information about all the IPSec policy templates in the brief format (see the following example) and is useful for a quick overview. Brief information includes: template name and sequence number, access control list, and remote address.

The other forms of the command display detailed information about the IPSec policy template.

Related command: ipsec policy-template.

Example

# View brief information about all the IPSec policy templates.

[SecBlade_VPN] display ipsec policy-template brief
Policy-template-Name     acl            Remote-Address
------------------------------------------------------
test-tplt300             2200

Table 3-4 Brief information of IPSec policy template

Field                  Description
Policy-template-Name   Name and sequence number of an IPSec policy template
acl                    Access control list used by an IPSec policy template
Remote Address         Remote IP address

3.1.7  display ipsec proposal

Syntax

display ipsec proposal [ proposal-name ]

View

Any view

Parameter

proposal-name: Name of the proposal.

Description

Use the display ipsec proposal command to view information about the proposal.

If the name of the proposal is not specified, then information about all the proposals will be shown.

Related command: ipsec proposal, display ipsec sa and display ipsec policy.

Example

# View all the proposals.

[SecBlade_VPN] display ipsec proposal
IPsec proposal name: prop2
     encapsulation mode: tunnel
     transform: ah-new
     ah protocol: authentication sha1-hmac-96
IPsec proposal name: prop1
     encapsulation mode: transport
     transform: esp-new
     esp protocol: authentication md5-hmac-96, encryption des

Table 3-5 IPSec proposal information

Field                 Description
IPsec proposal name   Name of the proposal
encapsulation mode    Encapsulation mode used by the proposal: transport mode or tunnel mode
transform             Security protocol used by the proposal: AH, ESP or both
ah protocol           Authentication algorithm used by AH: md5 or sha1
esp protocol          Authentication algorithm and encryption algorithm used by ESP (MD5 and DES in this example)

3.1.8  display ipsec sa

Syntax

display ipsec sa [ brief | remote ip-address | policy policy-name [ seq-number ] | duration ]

View

Any view

Parameter

brief: Specifies to display brief information about all the SAs.

remote: Specifies to display information about the SA whose remote address is ip-address.

ip-address: Specifies the remote address in dotted decimal format.

policy: Specifies to display information about the SA created by the IPSec policy whose name is policy-name.

policy-name: Name of the IPSec policy.

seq-number: Specifies the sequence number of the IPSec policy.

duration: Specifies to display the global SA duration.

Description

Use the display ipsec sa command to view the relevant information about the SA.

The command with the brief keyword shows brief information about all the SAs in the brief format (see the following example). Brief information includes source address, destination address, SPI, protocol, and algorithm. In the algorithm column, an entry beginning with "E" is the encryption algorithm and an entry beginning with "A" is the authentication algorithm. The brief keyword is a quick way to list all the SAs that have been set up.

The commands with the remote and policy parameters both display detailed information about the SA: part of the information about the IPSec policy is shown first, followed by the detailed information of the SAs under that IPSec policy.

The command with the duration parameter shows the global SA duration, both time-based and traffic-based. Refer to the following examples.

When no parameter is specified, information about all the SAs is shown.

Related command: reset ipsec sa, ipsec sa duration, display ipsec sa and display ipsec policy.

Example

# View brief information about all the SAs.

[SecBlade_VPN] display ipsec sa brief
Total IPSec SAs: 2
Src Address  Dst Address  SPI    Protocol     Algorithm
10.1.1.1     10.1.1.2     300    ESP          E:DES; A:HMAC-MD5-96
10.1.1.2     10.1.1.1     400    ESP          E:DES; A:HMAC-MD5-96

Table 3-6 Brief information of IPSec SA

Field          Description
Src Address    Local IP address
Dst Address    Remote IP address
SPI            Security parameter index
Protocol       Security protocol used by IPSec
Algorithm      Authentication algorithm and encryption algorithm used by the security protocol; an entry beginning with "E" is the encryption algorithm and an entry beginning with "A" is the authentication algorithm

# View the global duration of SA.

[SecBlade_VPN] display ipsec sa duration
     Ipsec sa global duration (traffic based): 1843200 kilobytes
     Ipsec sa global duration (time based): 3600 seconds

# View information of all the SAs.

[SecBlade_VPN] display ipsec sa
===============================
Interface: GigabitEthernet0/0.1
    path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    Created by: "Encrypt-card"
    connection id: 5
    encapsulation mode: tunnel
    perfect forward secrecy: None
    tunnel:
        local  address: 2.1.1.1
        remote address: 2.1.1.3
    flow:    (8 times matched)
        sour addr: 192.168.1.0/255.255.255.0  port: 0  protocol: IP
        dest addr: 10.1.1.0/255.255.255.0  port: 0  protocol: IP

    [inbound AH SAs]
      spi: 1369228154 (0x519cc37a)
      proposal: AH-SHA1HMAC96
      sa remaining key duration (bytes/sec): 1887436256/3594
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [inbound ESP SAs]
      spi: 2673492781 (0x9f5a432d)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436448/3594
      max received sequence-number: 4
      udp encapsulation used for nat traversal: N

    [outbound ESP SAs]
      spi: 1109683945 (0x42246ee9)
      proposal: ESP-ENCRYPT-3DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887436256/3594
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N

    [outbound AH SAs]
      spi: 3969283528 (0xec9675c8)
      proposal: AH-SHA1HMAC96
      sa remaining key duration (bytes/sec): 1887436160/3594
      max sent sequence-number: 5
      udp encapsulation used for nat traversal: N

Table 3-7 Description on the fields of the display ipsec sa command

Field                                      Description
Interface                                  Interface to which the IPSec policy is applied
path MTU                                   Maximum IP packet length sent from the interface
IPSec policy                               IPSec policy in use, including name, sequence number and negotiation method
Created by                                 "Encrypt-card": the data is encrypted by the encryption card; "Host": the data is encrypted in software
connection id                              Security channel identifier
encapsulation mode                         IPSec encapsulation mode: transport mode or tunnel mode
perfect forward secrecy                    Whether perfect forward secrecy (PFS) is enabled
tunnel local address                       Local IP address
tunnel remote address                      Remote IP address
sour addr                                  Source address of the ACL referenced by the IPSec policy
dest addr                                  Destination address of the ACL referenced by the IPSec policy
inbound                                    Information about the inbound SAs
proposal                                   Proposal (transform) used by the IPSec policy
sa remaining key duration                  Remaining duration of the SA
max received sequence-number               Highest sequence number received (anti-replay function of the security protocol)
udp encapsulation used for nat traversal   Whether IKE NAT traversal (UDP encapsulation) is used
outbound                                   Information about the outbound SAs
max sent sequence-number                   Highest sequence number sent (anti-replay function of the security protocol)
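When auditing a SecBlade, the display ipsec sa brief output above is the quickest place to see which algorithms are actually in use on live SAs. The following added Python example (not from the manual or the device) parses that tabular format and reports the entries a reviewer would question; SAMPLE is constructed in the manual's output format with one extra AH-only row, and the weak-algorithm lists are this example's own review policy, not anything the device enforces.

```python
"""Added example (not from the H3C manual): parse 'display ipsec sa brief'
output and flag SAs with weak or missing algorithms."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the device's brief format (third row added for an AH case).
SAMPLE = """\
Total IPSec SAs: 3
Src Address  Dst Address  SPI    Protocol     Algorithm
10.1.1.1     10.1.1.2     300    ESP          E:DES; A:HMAC-MD5-96
10.1.1.2     10.1.1.1     400    ESP          E:DES; A:HMAC-MD5-96
10.1.1.1     10.1.1.3     500    AH           A:HMAC-SHA1-96
"""

ROW_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<spi>\d+)\s+(?P<proto>AH|ESP)\s+(?P<algs>\S.*?)\s*$"
)
TOTAL_RE = re.compile(r"^Total IPSec SAs:\s*(\d+)\s*$")

# Review policy of this example: 56-bit-key DES and HMAC-MD5 are flagged.
WEAK_ENCRYPTION = {"DES"}
WEAK_AUTHENTICATION = {"HMAC-MD5-96"}


@dataclass
class SaBrief:
    src: str
    dst: str
    spi: int
    protocol: str
    encryption: Optional[str]      # "E:" entry; None for AH
    authentication: Optional[str]  # "A:" entry


def parse_brief(text: str) -> List[SaBrief]:
    """One record per SA row; the total, header and separator lines are skipped."""
    sas: List[SaBrief] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        enc = auth = None
        for item in m.group("algs").split(";"):
            tag, _, name = item.strip().partition(":")
            if tag == "E":
                enc = name
            elif tag == "A":
                auth = name
        sas.append(SaBrief(m.group("src"), m.group("dst"), int(m.group("spi")),
                           m.group("proto"), enc, auth))
    return sas


def declared_total(text: str) -> Optional[int]:
    """The 'Total IPSec SAs' count printed by the device, if present."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line)
        if m:
            return int(m.group(1))
    return None


def review(text: str) -> List[str]:
    """Findings: weak algorithms, ESP with neither service (the manual says the
    two cannot both be null), and a row count that disagrees with the declared
    total (a truncated capture)."""
    sas = parse_brief(text)
    findings: List[str] = []
    total = declared_total(text)
    if total is not None and total != len(sas):
        findings.append(f"declared {total} SAs but parsed {len(sas)} rows")
    for sa in sas:
        where = f"{sa.src}->{sa.dst} SPI {sa.spi} ({sa.protocol})"
        if sa.encryption in WEAK_ENCRYPTION:
            findings.append(f"{where}: weak encryption {sa.encryption}")
        if sa.authentication in WEAK_AUTHENTICATION:
            findings.append(f"{where}: weak authentication {sa.authentication}")
        if sa.protocol == "ESP" and sa.encryption is None and sa.authentication is None:
            findings.append(f"{where}: ESP with neither encryption nor authentication")
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```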

 

3.1.9  display ipsec statistics

Syntax

display ipsec statistics

View

Any view

Parameter

None

Description

Use the display ipsec statistics command to view IPSec packet statistics, including the numbers of input and output security packets and bytes, the number of dropped packets, and a breakdown of why packets were dropped.

Related command: reset ipsec statistics.

Example

# View IPSec packet statistics.

[SecBlade_VPN] display ipsec statistics
the security packet statistics:
    input/output security packets: 5124/8231
    input/output security bytes: 52348/64356
    input/output dropped security packets: 0/0
    dropped security packet detail:
      no enough memory: 0
      can't find SA: 0
      queue is full: 0
      authentication is failed: 0
      wrong length: 0
      replay packet: 0
      too long packet: 0
      wrong SA: 0
      other error packet: 0

Table 3-8 Description on the fields of the display ipsec statistics command

Field                                    Description
input/output security packets            Input/output packets under security protection
input/output security bytes              Input/output bytes under security protection
input/output dropped security packets    Input/output packets under security protection that were dropped by the SecBlade

3.1.10  display ipsec Tunnel

Syntax

display ipsec Tunnel

View

Any view

Parameter

None

Description

Use the display ipsec Tunnel command to display the information about IPSec tunnels.

Example

# Display the information about IPSec tunnels.

<H3C> display ipsec Tunnel
    ------------------------------------------------
    Connection ID : 5
    Perfect forward secrecy: None
    SA's SPI :
        Inbound :  1369228154 (0x519cc37a) [AH]
                   2673492781 (0x9f5a432d) [ESP]
        Outbound : 1109683945 (0x42246ee9) [ESP]
                   3969283528 (0xec9675c8) [AH]
    Tunnel :
        Local Address:  2.1.1.1  Remote Address : 2.1.1.3
    Flow :     (8 times matched)
        Sour Addr : 0.0.0.0/0.0.0.0  Port: 0  Protocol : IP
        Dest Addr : 0.0.0.0/0.0.0.0  Port: 0  Protocol : IP

3.1.11  dpd

Syntax

dpd dpd-name

undo dpd

View

ike-peer view

Parameter

dpd-name: DPD structure name.

Description

Use the dpd command to specify a DPD structure for the IKE Peer.

Use the undo dpd command to remove the DPD structure for the IKE Peer.

The DPD structure specified for an IKE peer must already exist; otherwise, an error is returned. When the dpd command is executed, the reference counter of the DPD structure is incremented by one; when the undo dpd command is executed, it is decremented by one.

Related command: ike dpd.

Example

# Specify the DPD structure "aaa" for IKE peer 1.

[SecBlade_VPN-ike-peer-peer1] dpd aaa

# Remove the DPD structure used by IKE peer 1.

[SecBlade_VPN-ike-peer-peer1] undo dpd

3.1.12  encapsulation-mode

Syntax

encapsulation-mode { transport | Tunnel }

undo encapsulation-mode

View

IPSec proposal view

Parameter

transport: Sets the encapsulation mode of IP packets to transport mode.

Tunnel: Sets the encapsulation mode of IP packets to tunnel mode.

Description

Use the encapsulation-mode command to set the encapsulation mode that the security protocol applies to IP packets, which can be transport or tunnel.

Use the undo encapsulation-mode command to restore it to the default.

By default, tunnel mode is used.

IPSec can encrypt and authenticate IP packets in two encapsulation modes: transport mode and tunnel mode. In transport mode, IPSec does not add a new IP header to the packet; the two ends of the security tunnel are the source and destination of the original packets. In tunnel mode, IPSec protects the whole original IP packet and adds a new IP header in front of it; the source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Generally, tunnel mode is used between two SecBlades (routers). A packet encrypted by one SecBlade can only be decrypted by the other, so the IP packet must be encapsulated in tunnel mode, that is, with a new IP header added; the packet is carried to the other SecBlade in that form and decrypted there.

Transport mode suits communication between two hosts, or between a host and a SecBlade. In transport mode, the two devices that encrypt and decrypt the packets must be the original sender and receiver of the packets. Most of the traffic between two SecBlades is not the SecBlades' own, so transport mode is seldom used between SecBlades.

The proposals used by the IPSec policies at both ends of the security tunnel must be set to the same packet encapsulation mode.

Related command: ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, proposal, transform.

Example

# Set the proposal whose name is prop2 as using the transport mode to encapsulate IP packets.

[SecBlade_VPN] ipsec proposal prop2

[SecBlade_VPN-ipsec-proposal-prop2] encapsulation-mode transport

3.1.13  esp authentication-algorithm

Syntax

esp authentication-algorithm { md5 | sha1 }

undo esp authentication-algorithm

View

IPSec proposal configuration view

Parameter

md5: Uses the MD5 algorithm, with a 128-bit key.

sha1: Uses the SHA1 algorithm, with a 160-bit key.

Description

Use the esp authentication-algorithm command to set the authentication algorithm used by ESP.

Use the undo esp authentication-algorithm command to set ESP not to authenticate packets.

By default, MD5 algorithm is used.

MD5 is faster than SHA1, while SHA1 is more secure than MD5.

ESP permits a packet to be encrypted or authenticated or both.

The encryption algorithm and the authentication algorithm used by ESP cannot both be set to null at the same time.

The undo esp authentication-algorithm command does not restore the default authentication algorithm; it sets the authentication algorithm to null, that is, no authentication. The undo esp authentication-algorithm command takes effect only when the encryption algorithm is not null.

The proposal used by the IPSec policies set at both ends of the security tunnel must be set as having the same authentication algorithm.

Related command: ipsec proposal, esp encryption-algorithm, proposal, sa encryption-hex, transform.

Example

# Set a proposal that adopts ESP, and uses SHA1.

[SecBlade_VPN] ipsec proposal prop1

[SecBlade_VPN-ipsec-proposal-prop1] transform esp

[SecBlade_VPN-ipsec-proposal-prop1] esp authentication-algorithm sha1

3.1.14  esp encryption-algorithm

Syntax

esp encryption-algorithm { 3des | des | aes }

undo esp encryption-algorithm

View

IPSec proposal view

Parameter

des: Data Encryption Standard (DES), a general-purpose encryption algorithm with a 56-bit key.

3des: Triple DES (3DES), another general-purpose encryption algorithm with a 168-bit key.

aes: Advanced Encryption Standard (AES), an encryption algorithm conforming to the IETF standards. CMW supports 128-, 192- and 256-bit keys.

Description

Use the esp encryption-algorithm command to set the encryption algorithm adopted by ESP.

Use the undo esp encryption-algorithm command to set the ESP not to encrypt packets.

By default, DES algorithm is used.

3DES meets high confidentiality requirements but is comparatively slow; DES satisfies only ordinary requirements. Note that the 56-bit DES key space can be searched exhaustively with modest resources, so avoid DES wherever the peer supports 3DES or AES.

ESP permits a packet to be encrypted or authenticated or both.

The encryption and authentication algorithms used by ESP cannot both be set to vacant. The undo esp encryption-algorithm command takes effect only if the authentication algorithm is not vacant.

Related command: ipsec proposal, esp authentication-algorithm, proposal, sa encryption-hex and transform.

Example

# Set ESP to use 3DES.

[SecBlade_VPN] ipsec proposal prop1

[SecBlade_VPN-ipsec-proposal-prop1] transform esp

[SecBlade_VPN-ipsec-proposal-prop1] esp encryption-algorithm 3des

3.1.15  ike dpd

Syntax

ike dpd dpd-name

undo ike dpd dpd-name

View

System view

Parameter

dpd-name: Name of dead peer detection (DPD) structure.

Description

Use the ike dpd command to create a DPD structure and enter its view.

Use the undo ike dpd command to delete the specified DPD structure.

If a DPD structure has been referenced by an IKE peer, it cannot be deleted.

Related command: dpd.

Example

# Create a DPD structure named aaa.

[SecBlade_VPN] ike dpd aaa

# Delete the DPD structure named aaa.

[SecBlade_VPN] undo ike dpd aaa

3.1.16  interval-time

Syntax

interval-time seconds

undo interval-time

View

DPD structure view

Parameter

seconds: Interval for triggering DPD queries, in the range 1 to 300 seconds.

Description

Use the interval-time command to configure the interval for triggering DPD query.

Use the undo interval-time command to restore the default.

By default, the interval is 10 seconds.

Example

# Set interval-time to 20 seconds.

[SecBlade_VPN-ike-dpd-aaa] interval-time 20

# Reset interval-time to 10 seconds.

[SecBlade_VPN-ike-dpd-aaa] undo interval-time

3.1.17  ipsec policy

Syntax

ipsec policy policy-name

undo ipsec policy [ policy-name ]

View

Interface view

Parameter

policy-name: Name of an IPSec policy group applied on the interface. To apply the IPSec policy group, it must have been configured in system view.

Description

Use the ipsec policy policy-name command to apply an IPSec policy group with the name policy-name on the interface.

Use the undo ipsec policy command to remove all IPSec policy groups, or the specified one, from the interface, which disables IPSec on the interface.

Only one IPSec policy group can be applied to an interface, while one IPSec policy group can be applied to multiple interfaces.

When a packet is sent from an interface, the IPSec policies in the applied group are searched in ascending order of sequence number. If the packet matches the access control list used by an IPSec policy, that policy processes the packet; otherwise the next policy is tried. If the packet matches none of the access control lists used by the policies in the group, it is transmitted directly, that is, without IPSec protection.

To prevent the interface from transmitting any unencrypted packet, use the firewall together with IPSec: configure the firewall to drop every packet that IPSec does not protect.

Removing an IPSec policy group from an interface does not by itself remove the IKE SAs; they are removed only once the policy group has been removed from all interfaces. Until then, remove the IKE SAs manually or wait for them to time out.

Related command: ipsec policy (system view).

Example

# Apply an IPSec policy group whose name is pg1 to the interface GigabitEthernet0/0.1.

[SecBlade_VPN] interface GigabitEthernet0/0.1

[SecBlade_VPN-GigabitEthernet0/0.1] ipsec policy pg1

3.1.18  ipsec policy

Syntax

ipsec policy policy-name seq-number [ manual | isakmp [ template template-name ] ]

undo ipsec policy policy-name [ seq-number ]

View

System view

Parameter

policy-name: Name of the IPSec policy, a case-insensitive string of 1 to 15 characters (English letters or numerals) that cannot contain a minus sign (-).

seq-number: Sequence number of the IPSec policy, ranging from 1 to 10000. The lower the value is, the higher the priority.

manual: Specifies to set up SA manually.

isakmp: Specifies to set up SA through IKE negotiation.

template: Specifies to dynamically set up SA by using policy template.

template-name: Name of a previously created policy template that the IPSec policy policy-name references.

Description

Use the ipsec policy command to establish or modify an IPSec policy, and enter IPSec policy view.

Use the undo ipsec policy policy-name command to delete the IPSec policy group named policy-name.

Use the undo ipsec policy policy-name seq-number command to delete the IPSec policy named policy-name with sequence number seq-number. An IPSec policy that is applied to an interface cannot be removed; remove it from the interface first.

By default, no IPSec policy exists.

To establish an IPSec policy, you must specify the negotiation mode (manual or isakmp). Once the policy is established, its negotiation mode cannot be modified; for example, a policy created in manual mode cannot be changed to isakmp mode. To change the mode, delete the policy and recreate it with the desired mode.

IPSec policies with the same name constitute an IPSec policy group. The name and sequence number together identify a unique IPSec policy. A policy group can hold at most 500 IPSec policies. Within a group, the smaller the sequence number of a policy, the higher its preference. Applying an IPSec policy group to an interface applies all policies in the group, so that different data streams can be protected by different SAs.

Use the ipsec policy policy-name seq-number isakmp template template-name command to create an IPSec policy that is negotiated through IKE according to a template. The template must exist before this command is executed. During negotiation and policy matching, the parameters defined in the template must match, while parameters not defined in the template are taken from the initiator. The proposal must be defined in the policy template; the other parameters are optional.

Note that IKE does not use a policy with a template argument to initiate a negotiation; it uses such a policy only to respond to a negotiation initiated by its peer. Because any parameter left undefined in the template is accepted from the initiator, define every parameter you can (in particular the protected traffic) so that a peer cannot negotiate a broader SA than intended.

Related command: ipsec policy (interface view), security acl, Tunnel local, Tunnel remote, sa duration, proposal, display ipsec policy, ipsec policy-template, ike-peer.

Example

# Set an IPSec policy whose name is policy1, sequence number is 100, and negotiation mode is isakmp.

[SecBlade_VPN] ipsec policy policy1 100 isakmp

[SecBlade_VPN-ipsec-policy-isakmp-policy1-100]

3.1.19  ipsec policy-template

Syntax

ipsec policy-template policy-template-name seq-number

undo ipsec policy-template policy-template-name [ seq-number ]

View

System view

Parameter

policy-template-name: Name of the IPSec policy template, a case-insensitive string of 1 to 15 characters (English letters or numerals) that cannot contain a minus sign (-).

seq-number: Number of the IPSec policy template, in the range 1 to 10000. In one IPSec policy template group, the smaller the sequence number of an IPSec policy template is, the higher its preference.

Description

Use the ipsec policy-template command to create or modify an IPSec policy template, and enter IPSec policy template view.

Use the undo ipsec policy-template policy-template-name command to delete the IPSec policy template group named policy-template-name.

Use the undo ipsec policy-template policy-template-name seq-number command to delete the IPSec policy template named policy-template-name with sequence number seq-number.

By default, no IPSec policy template exists.

A policy template created with the name policy-template-name can be referenced by the ipsec policy policy-name seq-number isakmp template template-name command to create an IPSec policy.

An IPSec policy template takes the same parameters as an IPSec policy negotiated through ISAKMP: the referenced IPSec proposal, the protected traffic, the PFS feature, the lifetime, and the address of the remote tunnel end. Only the proposal is compulsory; the other parameters are optional. When an IPSec policy template is used for policy matching in an IKE negotiation, the configured parameters must match, and the initiator's settings are used for any parameter that has not been configured.

Related command: ipsec policy, security acl, Tunnel local, Tunnel remote, proposal, display ipsec policy, ike-peer.

Example

# Create an IPSec policy template with the name as “template1” and the sequence number as “100”.

[SecBlade_VPN] ipsec policy-template template1 100

[SecBlade_VPN-ipsec-policy-template-template1-100]

3.1.20  ipsec proposal

Syntax

ipsec proposal proposal-name

undo ipsec proposal proposal-name

View

System view

Parameter

proposal-name: Name of the specified proposal. The naming rule is: the name contains 1 to 15 characters, and is case insensitive.

Description

Use the ipsec proposal proposal-name command to create or modify a proposal named proposal-name, and enter IPSec proposal view.

Use the undo ipsec proposal proposal-name command to delete the proposal named proposal-name.

By default, no proposal exists.

A proposal is a combination of the security protocol, the encryption and authentication algorithms, and the packet encapsulation format used to implement IPSec protection.

An IPSec policy determines the protocol, algorithms and encapsulation mode to use by referencing a proposal. The proposal must be created before an IPSec policy references it.

A proposal created with the ipsec proposal command uses the ESP protocol, the DES encryption algorithm and the MD5 authentication algorithm by default. These defaults are the weakest options available; set the encryption and authentication algorithms explicitly (see esp encryption-algorithm and esp authentication-algorithm) rather than relying on them.

Related command: ah authentication-algorithm, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode, proposal, display ipsec proposal and transform.

Example

# Establish a proposal named newprop1.

[SecBlade_VPN] ipsec proposal newprop1

3.1.21  ipsec sa global-duration

Syntax

ipsec sa global-duration { time-based seconds | traffic-based kilobytes }

undo ipsec sa global-duration { time-based | traffic-based }

View

System view

Parameter

time-based seconds: Time-based global SA duration in seconds, in the range 30 to 604800. The default is 3600 seconds (1 hour).

traffic-based kilobytes: Traffic-based global SA duration in kilobytes, in the range 256 to 4194303. The default is 1843200 kilobytes; the duration expires when the traffic processed by the SA reaches this value.

Description

Use the ipsec sa global-duration command to set a global SA duration.

Use the undo ipsec sa global-duration command to restore to the default setting of the global SA duration.

When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration specified by this command to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the shorter one of the duration set locally and that proposed by the remote will be selected.

There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes). The time-based duration is the period for which the SA remains valid after it is established; the traffic-based duration is the maximum amount of traffic the SA may process. The SA becomes invalid as soon as either limit is reached. Before the SA expires, IKE negotiates a new SA for IPSec, so a replacement is ready before the existing one becomes invalid.

Modifying the global SA duration affects neither an SA whose policy has its own SA duration nor an SA that is already established. The modified global duration is used in future IKE negotiations by policies that have no SA duration of their own.

The SA duration does not apply to a manually created SA; such an SA never expires.

Related command: sa duration and display ipsec sa duration.

Example

# Set the global time-based SA duration to 2 hours.

[SecBlade_VPN] ipsec sa global-duration time-based 7200

# Set the global traffic-based SA duration to 10000 kilobytes (about 10 MB).

[SecBlade_VPN] ipsec sa global-duration traffic-based 10000

3.1.22  pfs

Syntax

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

undo pfs

View

IPSec policy view, IPSec policy template view

Parameter

dh-group1: Specifies to use the 768-bit Diffie-Hellman group.

dh-group2: Specifies to use the 1024-bit Diffie-Hellman group.

dh-group5: Specifies to use the 1536-bit Diffie-Hellman group.

dh-group14: Specifies to use the 2048-bit Diffie-Hellman group.

Description

Use the pfs command to enable perfect forward secrecy (PFS) for negotiations initiated with the IPSec policy.

Use the undo pfs command to disable PFS during negotiation.

By default, PFS is not used.

The command adds a PFS exchange when IPSec initiates a negotiation with this policy. This additional Diffie-Hellman exchange is performed during the phase 2 negotiation, so the IPSec keys are not derived from the phase 1 keying material alone and a compromised phase 1 key does not expose the IPSec traffic. The DH groups specified at the local and remote ends must match, otherwise the negotiation fails. The 768-bit dh-group1 is considered too weak for current use; prefer dh-group14 where the peer supports it.

This command can be used only when the SA is established through IKE.

Related command: ipsec policy-template, ipsec policy (system view), ipsec policy (interface view), Tunnel local, Tunnel remote, sa duration and proposal.

Example

# Set to use PFS when negotiating through IPSec policy shanghai 200.

[SecBlade_VPN] ipsec policy shanghai 200 isakmp

[SecBlade_VPN-ipsec-policy-isakmp-shanghai-200] pfs dh-group1

3.1.23  proposal

Syntax

proposal proposal-name1 [ proposal-name2...proposal-name6 ]

undo proposal [ proposal-name ]

View

IPSec policy view, IPSec policy template view

Parameter

proposal-name1,…, proposal-name6: Name of the proposal adopted.

Description

Use the proposal command to set the proposal used by the IPSec policy.

Use the undo proposal command to cancel the proposal used by the IPSec policy.

By default, no proposal is used.

Before this command is executed, the corresponding IPSec proposal must have been configured.

A policy in manual mode can use only one proposal. To change the proposal, delete it with the undo proposal command and then set a new one.

A policy in isakmp mode can use up to six proposals; IKE negotiation searches for a proposal that matches completely at both ends of the security tunnel.

Each IPSec policy template can likewise use up to six proposals, and IKE negotiation searches for the completely matching one.

Related command: ipsec proposal, ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local and Tunnel remote.

Example

# Set a proposal named prop1 that adopts ESP with the default algorithms, and set an IPSec policy to use the proposal.

[SecBlade_VPN] ipsec proposal prop1

[SecBlade_VPN-ipsec-proposal-prop1] transform esp

[SecBlade_VPN-ipsec-proposal-prop1] quit

[SecBlade_VPN] ipsec policy policy1 100 manual

[SecBlade_VPN-ipsec-policy-manual-policy1-100] proposal prop1

3.1.24  reset ipsec sa

Syntax

reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters ip-address protocol spi-number ]

View

User view

Parameter

remote ip-address: Specifies a remote IP address, in dotted decimal format.

policy: Specifies the IPSec policy.

policy-name: Name of the IPSec policy, a case-sensitive string of 1 to 15 characters (English letters or numerals).

seq-number: Optional parameter specifying the sequence number of the IPSec policy. If no seq-number is specified, the IPSec policy refers to all the policies in the IPSec policy group named policy-name.

parameters: Defines an SA by the destination address, security protocol and SPI.

ip-address: Destination address in the dotted decimal format.

protocol: Security protocol by the keyword ah or esp, case insensitive. ah indicates the Authentication Header protocol and esp indicates Encapsulating Security Payload.

spi-number: Security parameter index (SPI), ranging from 256 to 4294967295.

Description

Use the reset ipsec sa command to delete an existing SA (created manually or through IKE negotiation). If no keyword, such as remote, policy, or parameters, is specified, all the SAs will be deleted.

An SA is uniquely identified by the triplet of destination IP address, security protocol and SPI, and it can be created either manually or through IKE negotiation.

If an SA which is created manually is deleted, the system will automatically create a new SA according to the corresponding manual security policy.

If an SA which is created through IKE negotiation is deleted, when a packet re-triggers IKE negotiation, IKE will recreate an SA through negotiation.

If the parameters keyword is specified, because SAs appear in pairs, the inbound SA will also be deleted after the outbound SA is deleted.

Related command: display ipsec sa.

Example

# Delete all the SAs.

<SecBlade_VPN> reset ipsec sa

# Delete an SA whose remote IP address is 10.1.1.2.

<SecBlade_VPN> reset ipsec sa remote 10.1.1.2

# Delete all the SAs in policy1.

<SecBlade_VPN> reset ipsec sa policy policy1

# Delete the SA of the IPSec policy with the name policy1 and the sequence number 10.

<SecBlade_VPN> reset ipsec sa policy policy1 10

# Delete an SA whose remote IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.

<SecBlade_VPN> reset ipsec sa parameters 10.1.1.2 ah 10000
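The following is an added example and not part of the H3C manual. It shows, in Python, how the (destination address, security protocol, SPI) triplet that identifies an SA is recovered from the AH or ESP header of a captured IPv4 packet, how that triplet looks up an SA, and why deleting one SA with the parameters form also removes its partner. The SA table, addresses and packets are constructed for the example; the device's internal data structures are not documented here.

```python
"""Added example, not part of the H3C manual: parse the AH/ESP header of an
IPv4 packet, recover the (destination address, protocol, SPI) triplet that
identifies an SA, and model 'reset ipsec sa parameters' removing both SAs of
a pair.  SA table and packets below are constructed for the example."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, NamedTuple, Optional

IPPROTO_ESP = 50
IPPROTO_AH = 51
SPI_MIN = 256   # SPIs 0-255 are reserved; the CLI accepts 256-4294967295


class SAKey(NamedTuple):
    dst: str      # destination address of the protected packet
    proto: str    # "ah" or "esp"
    spi: int


@dataclass
class SAEntry:
    policy: str          # e.g. "tianjin-100"
    direction: str       # "inbound" or "outbound"
    partner: SAKey       # the other SA of the pair


def parse_sa_key(pkt: bytes) -> SAKey:
    """Return the SA triplet of an IPv4 AH or ESP packet, or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    proto = pkt[9]
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    if proto == IPPROTO_ESP:
        # ESP header (RFC 4303): SPI (4 bytes), sequence number (4 bytes)
        if len(pkt) < ihl + 8:
            raise ValueError("truncated ESP header")
        spi, _seq = struct.unpack_from("!II", pkt, ihl)
        return SAKey(dst, "esp", spi)
    if proto == IPPROTO_AH:
        # AH header (RFC 4302): next header (1), payload length (1),
        # reserved (2), SPI (4), sequence number (4), then the ICV
        if len(pkt) < ihl + 12:
            raise ValueError("truncated AH header")
        _nxt, _plen, _res, spi, _seq = struct.unpack_from("!BBHII", pkt, ihl)
        return SAKey(dst, "ah", spi)
    raise ValueError(f"protocol {proto} is neither AH nor ESP")


def lookup_sa(table: Dict[SAKey, SAEntry], pkt: bytes) -> Optional[SAEntry]:
    """Find the SA for a received AH/ESP packet; reserved SPIs never match."""
    key = parse_sa_key(pkt)
    if key.spi < SPI_MIN:
        return None
    return table.get(key)


def reset_sa_parameters(table: Dict[SAKey, SAEntry], dst: str, proto: str, spi: int) -> int:
    """Model of 'reset ipsec sa parameters dst proto spi': SAs come in pairs,
    so deleting one SA also deletes its partner.  Returns the number removed."""
    entry = table.pop(SAKey(dst, proto, spi), None)
    if entry is None:
        return 0
    removed = 1
    if table.pop(entry.partner, None) is not None:
        removed += 1
    return removed


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 packet for the example (header checksum left at zero)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


# Constructed SA table mirroring the manual's tianjin 100 example: the local
# end is 10.1.1.1 and the peer is 10.1.1.2 (assumed addresses).
LOCAL, PEER = "10.1.1.1", "10.1.1.2"
SA_TABLE: Dict[SAKey, SAEntry] = {
    SAKey(LOCAL, "ah", 10000): SAEntry("tianjin-100", "inbound", SAKey(PEER, "ah", 20000)),
    SAKey(PEER, "ah", 20000): SAEntry("tianjin-100", "outbound", SAKey(LOCAL, "ah", 10000)),
}

# Constructed packets: an AH packet from the peer (12-byte ICV, so payload
# length field 4) and an ESP packet carrying a reserved SPI.
AH_PACKET = build_ipv4(PEER, LOCAL, IPPROTO_AH,
                       struct.pack("!BBHII", 4, 4, 0, 10000, 1) + bytes(12))
RESERVED_SPI_PACKET = build_ipv4(PEER, LOCAL, IPPROTO_ESP,
                                 struct.pack("!II", 7, 1) + bytes(16))
```

Running lookup_sa(SA_TABLE, AH_PACKET) returns the tianjin-100 inbound entry, the reserved-SPI packet matches nothing, and reset_sa_parameters(SA_TABLE, "10.1.1.2", "ah", 20000) removes both the outbound SA named and its inbound partner, which is the behaviour described for the parameters keyword above.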

3.1.25  reset ipsec statistics

Syntax

reset ipsec statistics

View

User view

Parameter

None

Description

Use the reset ipsec statistics command to clear IPSec packet statistics, and set all the statistics to zero.

Related command: display ipsec statistics.

Example

# Clear IPSec packet statistics.

<SecBlade_VPN> reset ipsec statistics

3.1.26  sa authentication-hex

Syntax

sa authentication-hex { inbound | outbound } { ah | esp } hex-key

undo sa authentication-hex { inbound | outbound } { ah | esp }

View

Manually-created IPSec policy view

Parameter

inbound: Specifies to configure the authentication-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packets in the inbound direction (received).

outbound: Specifies to configure the authentication-hex parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Specifies to set the authentication-hex parameter for the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used here to set the AH relevant parameter of the SA.

esp: Specifies to set the authentication-hex parameter for the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used here to set the ESP relevant parameter of the SA.

hex-key: Authentication key in the hex format. If MD5 is used, the key is a 16-byte key; if SHA1 is used, the key is a 20-byte key.

Description

Use the sa authentication-hex command to set the SA authentication key for the IPSec policy of manual mode.

Use the undo sa authentication-hex command to delete the SA authentication key.

This command is only used for the IPSec policy in manual mode. For the IPSec policy in isakmp mode, it is invalid.

For the IPSec policy in isakmp mode, it is unnecessary to set the SA parameter manually, because IKE will automatically negotiate the SA parameter and establish an SA.

When the SA of manual mode is to be configured, the SA parameters of inbound and outbound directions must be set separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The authentication key of the inbound SA at the local end must be the same as that of the outbound SA at the remote, and the authentication key of outbound SA at the local end must be the same as that of the inbound SA at the remote.

There are two key formats: hexadecimal and character string. To specify a key in character string format, the sa string-key command is needed. For the character string key and hexadecimal key, the last set one will be adopted. At both ends of a security tunnel, the key should be set in the same format; otherwise, a security tunnel cannot be set up correctly.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local, Tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000 and its key to 0x112233445566778899aabbccddeeff00; set the SPI of the outbound SA to 20000 and its key to 0xaabbccddeeff001100aabbccddeeff00, in an IPSec policy using AH and MD5.

[SecBlade_VPN] ipsec proposal prop_ah

[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah

[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5

[SecBlade_VPN-ipsec-proposal-prop_ah] quit

[SecBlade_VPN] ipsec policy tianjin 100 manual

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex inbound ah 112233445566778899aabbccddeeff00

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa authentication-hex outbound ah aabbccddeeff001100aabbccddeeff00

3.1.27  sa duration

Syntax

sa duration { traffic-based kilobytes | time-based seconds }

undo sa duration { traffic-based | time-based }

View

IPSec policy view, IPSec policy template view

Parameter

time-based seconds: Time-based SA duration in seconds, ranging from 120 to 604,800 seconds. It is 3,600 seconds (1 hour) by default.

traffic-based kilobytes: Traffic-based SA duration in kilobytes, ranging from 256 to 4,194,303 kilobytes. It is 1,843,200 kilobytes by default.

Description

Use the sa duration command to set an SA duration of the IPSec policy.

Use the undo sa duration command to restore to the global SA duration.

When IKE negotiates to establish an SA, if the adopted IPSec policy is not configured with its own duration, the system will use the global SA duration to negotiate with the peer. If the IPSec policy is configured with its own duration, the system will use the duration of the IPSec policy to negotiate with the peer. When IKE negotiates to set up an SA for IPSec, the shorter one of the duration set locally and that proposed by the remote will be selected.

There are two types of SA duration: time-based (in seconds) and traffic-based (in kilobytes). The time-based duration is the period for which the SA remains valid after it is established; the traffic-based duration is the maximum amount of traffic the SA may process. The SA becomes invalid as soon as either limit is reached. Before the SA expires, IKE negotiates a new SA for IPSec, so a replacement is ready before the existing one becomes invalid.

The SA duration does not apply to a manually created SA; such an SA never expires.

Related command: ipsec sa global-duration, ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local, Tunnel remote and proposal.

Example

# Set the SA duration for the IPSec policy shenzhen 100 to 2 hours, that is, 7200 seconds.

[SecBlade_VPN] ipsec policy shenzhen 100 isakmp

[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration time-based 7200

# Set the traffic-based SA duration for the IPSec policy shenzhen 100 to 20000 kilobytes (about 20 MB); the SA expires when the traffic exceeds that amount.

[SecBlade_VPN] ipsec policy shenzhen 100 isakmp

[SecBlade_VPN-ipsec-policy-isakmp-shenzhen-100] sa duration traffic-based 20000
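The following added example, which is not code from the H3C manual, models the lifetime rules stated in both the ipsec sa global-duration and the sa duration sections: a policy-level value overrides the global one per type, IKE keeps the shorter of the local and peer-proposed durations, an SA expires when either its time or its traffic limit is reached, and a manually keyed SA never expires. The rekey margins and the clock values are assumptions for illustration; the device's real thresholds are not documented here.

```python
"""Added example, not part of the H3C manual: lifetime selection and expiry
rules of ipsec sa global-duration / sa duration.  Values are constructed."""
from dataclasses import dataclass
from typing import Optional

# Defaults and ranges stated in the manual.
GLOBAL_DEFAULT_SECONDS = 3600
GLOBAL_DEFAULT_KILOBYTES = 1843200
RANGE_SECONDS = {"global": (30, 604800), "policy": (120, 604800)}
RANGE_KILOBYTES = {"global": (256, 4194303), "policy": (256, 4194303)}


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


@dataclass
class PolicyDuration:
    """sa duration settings of one IPSec policy; None means 'not configured,
    fall back to the global value', which is what undo sa duration restores."""
    seconds: Optional[int] = None
    kilobytes: Optional[int] = None


def validate(level: str, seconds: Optional[int] = None, kilobytes: Optional[int] = None) -> None:
    """Rejects values outside the CLI ranges (level is 'global' or 'policy')."""
    if seconds is not None:
        lo, hi = RANGE_SECONDS[level]
        if not lo <= seconds <= hi:
            raise ValueError(f"time-based duration must be {lo}-{hi} seconds")
    if kilobytes is not None:
        lo, hi = RANGE_KILOBYTES[level]
        if not lo <= kilobytes <= hi:
            raise ValueError(f"traffic-based duration must be {lo}-{hi} kilobytes")


def effective_lifetime(policy: PolicyDuration, global_lt: Lifetime) -> Lifetime:
    """Per type, the policy's own sa duration wins; otherwise the global one."""
    return Lifetime(
        policy.seconds if policy.seconds is not None else global_lt.seconds,
        policy.kilobytes if policy.kilobytes is not None else global_lt.kilobytes)


def negotiate(local: Lifetime, proposed_by_peer: Lifetime) -> Lifetime:
    """IKE selects the shorter of the local and peer durations, per type."""
    return Lifetime(min(local.seconds, proposed_by_peer.seconds),
                    min(local.kilobytes, proposed_by_peer.kilobytes))


@dataclass
class SA:
    established_at: float      # seconds on a monotonic clock
    lifetime: Lifetime
    manual: bool = False       # created by a manual-mode policy
    kilobytes_processed: int = 0

    def is_expired(self, now: float) -> bool:
        """Either limit being reached invalidates the SA; manual SAs never expire."""
        if self.manual:
            return False
        return (now - self.established_at >= self.lifetime.seconds
                or self.kilobytes_processed >= self.lifetime.kilobytes)

    def needs_rekey(self, now: float, margin_seconds: float, margin_kilobytes: int) -> bool:
        """IKE negotiates the replacement SA before the current one expires; the
        margins are illustrative assumptions, not the device's thresholds."""
        if self.manual:
            return False
        return (now - self.established_at >= self.lifetime.seconds - margin_seconds
                or self.kilobytes_processed >= self.lifetime.kilobytes - margin_kilobytes)
```

With the shenzhen 100 values above (7200 seconds, 20000 kilobytes) and a peer proposing the defaults (3600 seconds, 1843200 kilobytes), negotiate() yields 3600 seconds and 20000 kilobytes: each type is settled independently, so a generous local time limit is still cut back by the peer, while the tighter local traffic limit survives.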

3.1.28  sa encryption-hex

Syntax

sa encryption-hex { inbound | outbound } esp hex-key

undo sa encryption-hex { inbound | outbound } esp

View

Manually-created IPSec policy view

Parameter

inbound: Specifies to set the encryption-hex parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Specifies to set the encryption-hex parameter for outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).

esp: Specifies to set the encryption-hex parameter for the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used here to set the ESP relevant parameter of the SA.

hex-key: Encryption key for the SA in hexadecimal format. For ESP, the key is 8 bytes if DES is used and 24 bytes if 3DES is used.

Description

Use the sa encryption-hex command to set the SA encryption key for the IPSec policy of manual mode.

Use the undo sa encryption-hex command to delete the SA encryption key.

This command is only used for the IPSec policy in manual mode.

For the IPSec policy in isakmp mode, it is unnecessary to set the SA parameter manually, because IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, you need to set the SA parameters of inbound and outbound directions separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The encryption key of the inbound SA at the local end must be the same as that of the outbound SA at the remote, and the encryption key of outbound SA at the local end must be the same as that of the inbound SA at the remote.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local, Tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 1001, and the key to 0x1234567890abcdef; set the SPI of the outbound SA to 2001, and its key to 0xabcdefabcdef1234 in the IPSec policy using ESP and DES.

[SecBlade_VPN] ipsec proposal prop_esp

[SecBlade_VPN-ipsec-proposal-prop_esp] transform esp

[SecBlade_VPN-ipsec-proposal-prop_esp] esp encryption-algorithm des

[SecBlade_VPN-ipsec-proposal-prop_esp] quit

[SecBlade_VPN] ipsec policy tianjin 100 manual

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_esp

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound esp 1001

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex inbound esp 1234567890abcdef

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound esp 2001

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa encryption-hex outbound esp abcdefabcdef1234

3.1.29  sa spi

Syntax

sa spi { inbound | outbound } { ah | esp } spi-number

undo sa spi { inbound | outbound } { ah | esp }

View

Manually-established IPSec policy view

Parameter

inbound: Specifies to set the spi parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Specifies to set the spi parameter for outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Specifies to set the spi parameter for the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used here to set the spi relevant parameter of the SA.

esp: Specifies to set the spi parameter for the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used here to set the spi relevant parameter of the SA.

spi-number: Security parameter index, one element of the triplet (SPI, destination address, security protocol) that identifies an SA, in the range 256 to 4294967295. The triplet must be unique.

Description

Use the sa spi command to set the SA SPI for the IPSec policy of manual mode.

Use the undo sa spi command to delete the SA SPI.

This command is only used for the IPSec policy in manual mode. For the IPSec policies in isakmp mode, it is invalid.

For the IPSec policy in isakmp mode, it is unnecessary to set the SA parameter manually, because IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, you need to set the SA parameters of inbound and outbound directions separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The SPI of inbound SA at the local end must be the same as that of the outbound SA at the remote, and the SPI of outbound SA at the local end must be the same as that of the inbound SA at the remote.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local, Tunnel remote, sa duration and proposal.

Example

# Set the SPI of the inbound SA to 10000, set the SPI of the outbound SA to 20000, in the IPSec policy using AH and MD5.

[SecBlade_VPN] ipsec proposal prop_ah

[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah

[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5

[SecBlade_VPN-ipsec-proposal-prop_ah] quit

[SecBlade_VPN] ipsec policy tianjin 100 manual

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

3.1.30  sa string-key

Syntax

sa string-key { inbound | outbound } { ah | esp } string-key

undo sa string-key { inbound | outbound } { ah | esp }

View

Manually-created IPSec policy view

Parameter

inbound: Specifies to set the string-key parameter for the inbound SA. IPSec uses the inbound SA for processing the packet in the inbound direction (received).

outbound: Specifies to set the string-key parameter for the outbound SA. IPSec uses the outbound SA for processing the packet in the outbound direction (sent).

ah: Specifies to set the string-key parameter for the SA using AH. If the IPSec proposal used by the IPSec policy adopts AH, the ah keyword is used here to set the string-key relevant parameter of the SA.

esp: Sets the string-key parameter for the SA using ESP. If the IPSec proposal used by the IPSec policy adopts ESP, the esp keyword is used here to set the string-key relevant parameter of the SA.

string-key: SA Key containing 1 to 255 characters. No matter which algorithm is used, you can enter a character string of any length in the specified range, and the system will generate a key meeting the algorithm requirements automatically. As for ESP, the system will automatically generate the key for the authentication algorithm and that for the encryption algorithm at the same time.

Description

Use the sa string-key command to set the SA key for the IPSec policy of manual mode.

Use the undo sa string-key command to delete the SA key.

This command is only used for the IPSec policy in manual mode. For the IPSec policy in isakmp mode, it is invalid.

For the IPSec policy in isakmp mode, it is unnecessary to set the SA parameter manually, because IKE will automatically negotiate the SA parameter and establish an SA.

When configuring the SA of manual mode, you need to set the SA parameters of inbound and outbound directions separately.

The SA parameters set at both ends of the security tunnel must be fully matching. The key of the inbound SA at the local end must be the same as that of the outbound SA at the remote, and the key of outbound SA at the local end must be the same as that of the inbound SA at the remote.

There are two key formats: hexadecimal and character string. To specify a key in hexadecimal format, the sa authentication-hex command is needed. For the character string key and hexadecimal key, the last set one will be adopted. At both ends of a security tunnel, the key should be set in the same format; otherwise, a security tunnel cannot be set up correctly.

Related command: ipsec policy(system view), ipsec policy(interface view), security acl, Tunnel local, Tunnel remote, sa duration, proposal.

Example

# In an IPSec policy using AH with MD5, set the SPI of the inbound SA to 10000 and its key string to “abcdef”, and set the SPI of the outbound SA to 20000 and its key string to “efcdab”.

[SecBlade_VPN] ipsec proposal prop_ah

[SecBlade_VPN-ipsec-proposal-prop_ah] transform ah

[SecBlade_VPN-ipsec-proposal-prop_ah] ah authentication-algorithm md5

[SecBlade_VPN-ipsec-proposal-prop_ah] quit

[SecBlade_VPN] ipsec policy tianjin 100 manual

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] proposal prop_ah

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi inbound ah 10000

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key inbound ah abcdef

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa spi outbound ah 20000

[SecBlade_VPN-ipsec-policy-manual-tianjin-100] sa string-key outbound ah efcdab
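The matching rules above (local inbound equals remote outbound and vice versa, same protocol, same key format, SPI and key present for both directions) are easy to get wrong when two administrators type the two ends by hand. The following Python is an added example, not code from the H3C manual: it models the manual-mode SA parameters of the “tianjin” policy from the example above and the configuration its (hypothetical) peer must carry, and reports every mismatch instead of silently failing to bring the tunnel up. ManualPolicy, check_tunnel and the peer values are assumptions introduced for this example.

```python
# Added example (not from the H3C manual): cross-check manual-mode SA
# parameters on both ends of a tunnel against the rules given for
# "sa string-key". ManualPolicy / check_tunnel are hypothetical names;
# the "tianjin" values are the manual's example, the peer is constructed.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ManualSA:
    spi: Optional[int] = None
    key: Optional[str] = None
    key_format: Optional[str] = None  # "string" (sa string-key) or "hex" (sa authentication-hex)


@dataclass
class ManualPolicy:
    name: str
    protocol: str  # "ah" or "esp", i.e. the transform of the proposal the policy uses
    inbound: ManualSA = field(default_factory=ManualSA)
    outbound: ManualSA = field(default_factory=ManualSA)

    def _sa(self, direction: str, protocol: str) -> ManualSA:
        if direction not in ("inbound", "outbound"):
            raise ValueError(f"bad direction {direction!r}")
        if protocol != self.protocol:
            raise ValueError(f"proposal uses {self.protocol}, keyword {protocol} does not apply")
        return getattr(self, direction)

    def sa_spi(self, direction: str, protocol: str, spi: int) -> None:
        self._sa(direction, protocol).spi = spi

    def sa_string_key(self, direction: str, protocol: str, key: str) -> None:
        # 1 to 255 characters; the last key set, in either format, is the one used.
        if not 1 <= len(key) <= 255:
            raise ValueError("string-key must be 1 to 255 characters")
        sa = self._sa(direction, protocol)
        sa.key, sa.key_format = key, "string"

    def sa_authentication_hex(self, direction: str, protocol: str, key: str) -> None:
        sa = self._sa(direction, protocol)
        sa.key, sa.key_format = key.lower(), "hex"


def check_tunnel(local: ManualPolicy, remote: ManualPolicy) -> List[str]:
    """Return the list of mismatches; an empty list means the SAs line up."""
    problems: List[str] = []
    if local.protocol != remote.protocol:
        problems.append(f"protocol mismatch: {local.protocol} vs {remote.protocol}")
    # Local inbound pairs with remote outbound, local outbound with remote inbound.
    for l_dir, r_dir in (("inbound", "outbound"), ("outbound", "inbound")):
        l_sa, r_sa = getattr(local, l_dir), getattr(remote, r_dir)
        for attr in ("spi", "key"):
            if getattr(l_sa, attr) is None:
                problems.append(f"{local.name} {l_dir}: {attr} not set")
            if getattr(r_sa, attr) is None:
                problems.append(f"{remote.name} {r_dir}: {attr} not set")
        if l_sa.key_format != r_sa.key_format:
            problems.append(f"key format differs: {local.name} {l_dir} is {l_sa.key_format}, "
                            f"{remote.name} {r_dir} is {r_sa.key_format}")
        elif l_sa.spi != r_sa.spi or l_sa.key != r_sa.key:
            problems.append(f"{local.name} {l_dir} does not match {remote.name} {r_dir}")
    return problems


def tianjin_policy() -> ManualPolicy:
    """The manual's example: AH, inbound 10000/abcdef, outbound 20000/efcdab."""
    p = ManualPolicy("tianjin", "ah")
    p.sa_spi("inbound", "ah", 10000)
    p.sa_string_key("inbound", "ah", "abcdef")
    p.sa_spi("outbound", "ah", 20000)
    p.sa_string_key("outbound", "ah", "efcdab")
    return p


def build_example() -> List[str]:
    """Peer configured the right way round: its inbound is tianjin's outbound."""
    peer = ManualPolicy("peer", "ah")            # hypothetical remote end
    peer.sa_spi("inbound", "ah", 20000)
    peer.sa_string_key("inbound", "ah", "efcdab")
    peer.sa_spi("outbound", "ah", 10000)
    peer.sa_string_key("outbound", "ah", "abcdef")
    return check_tunnel(tianjin_policy(), peer)


def build_broken_example() -> List[str]:
    """Same SPIs and key bytes, but the peer typed one key in hex: formats differ."""
    peer = ManualPolicy("peer", "ah")
    peer.sa_spi("inbound", "ah", 20000)
    peer.sa_string_key("inbound", "ah", "efcdab")
    peer.sa_spi("outbound", "ah", 10000)
    peer.sa_authentication_hex("outbound", "ah", "616263646566")  # "abcdef" as hex bytes
    return check_tunnel(tianjin_policy(), peer)
```

The string-to-key derivation is done by the device and is not modelled; the check only establishes that both ends gave the same input in the same format, which is what the description requires.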

3.1.31  security acl

Syntax

security acl acl-number

undo security acl

View

IPSec policy view, IPSec policy template view

Parameter

acl-number: Number of the access control list used by the IPSec policy, ranging from 3000 to 3999.

Description

Use the security acl command to set an access control list to be used by the IPSec policy.

Use the undo security acl command to remove the access control list used by the IPSec policy.

By default, no ACL has been specified for the IPSec policies.

The data flow that will be protected by an IPSec policy is confined by the ACL in this command. According to the rules in the ACL, IPSec determines which packets need security protection and which do not. The packet permitted by the access control list will be protected, and a packet denied by the access control list will not be protected. The denied packets are sent out directly without IPSec protection.

A manually created IPSec policy supports only one rule in the ACL: only packets matching the first rule of the ACL are protected, and packets matching any later rule are not.

Related command: ipsec policy (system view), ipsec policy (interface view), Tunnel local, Tunnel remote, sa duration, proposal.

Example

# Set the IPSec policy to use access control list 3001.

[SecBlade_VPN] acl number 3001

[SecBlade_VPN-acl-adv-3001] rule permit tcp source 10.1.1.1 0.0.0.255 destination 10.1.1.2 0.0.0.255

[SecBlade_VPN-acl-adv-3001] quit

[SecBlade_VPN] ipsec policy beijing 100 manual

[SecBlade_VPN-ipsec-policy-manual-beijing-100] security acl 3001

3.1.32  time-out

Syntax

time-out seconds

undo time-out

View

DPD structure view

Parameter

seconds: Timeout time before receiving a DPD acknowledgement, in the range 1 to 60 seconds.

Description

Use the time-out command to configure the timeout time before receiving a DPD acknowledgement.

Use the undo time-out command to restore the default.

By default, the timeout time for receiving DPD acknowledgement is 5 seconds.

Example

# Set time-out to 2 seconds.

[SecBlade_VPN-ike-dpd-aaa] time-out 2

# Reset time-out to 5 seconds.

[SecBlade_VPN-ike-dpd-aaa] undo time-out

3.1.33  transform

Syntax

transform { ah | ah-esp | esp }

undo transform

View

IPSec proposal view

Parameter

ah: Specifies to use AH protocol specified in RFC2402.

ah-esp: Specifies to use ESP specified in RFC2406 to protect the packets and then use AH protocol specified in RFC2402 to authenticate packets.

esp: Specifies to use ESP specified in RFC2406.

Description

Use the transform command to set a security protocol used by a proposal.

Use the undo transform command to restore to the default security protocol.

By default, esp, that is, the ESP specified in RFC2406, is used.

If ESP is adopted, the default encryption algorithm is DES and the authentication algorithm is MD5.

If AH is adopted, the default authentication algorithm is MD5.

If the keyword ah-esp is specified, the default authentication algorithm for AH is MD5 and the default encryption algorithm for ESP is DES, with no ESP authentication.

These defaults (DES, MD5) are kept for compatibility with older peers. For new deployments select stronger algorithms explicitly with the esp encryption-algorithm, esp authentication-algorithm and ah authentication-algorithm commands, and make the same choice on both ends.

AH protocol provides data source authentication, data integrity check and anti-replay function.

ESP protocol provides data source authentication, data integrity check, anti-replay function and data encryption.

The proposals used by the IPSec policy at both ends of the security tunnel must be set to use the same security protocol.

The following figure illustrates the data encapsulation formats of different security protocols in the transport mode and the tunnel mode.

Figure 3-1 Data encapsulation formats of security protocols

“data” in the figure is the original IP datagram.

Related command: ah authentication-algorithm, ipsec proposal, esp encryption-algorithm, esp authentication-algorithm, encapsulation-mode and proposal.

Example

# Set a proposal using AH.

[SecBlade_VPN] ipsec proposal prop1

[SecBlade_VPN-ipsec-proposal-prop1] transform ah

3.1.34  Tunnel local

Syntax

Tunnel local ip-address

undo Tunnel local

View

Manually-created IPSec policy view

Parameter

ip-address: Local address in dotted decimal format.

Description

Use the Tunnel local command to set the local address of an IPSec policy.

Use the undo Tunnel local command to delete the local address of the IPSec policy.

By default, the local address of an IPSec policy is not configured.

It is not necessary to set a local address for an IPSec policy in isakmp mode, so this command is invalid in this situation. IKE can automatically obtain the local address from the interface where this IPSec policy is applied.

As for the IPSec policy in manual mode, it is necessary to set the local address before the SA can be established.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel remote, sa duration and proposal.

Example

# Set the local address for the IPSec policy, which is applied on GigabitEthernet0/0/0.1 whose IP address is 10.0.0.1.

[SecBlade_VPN] ipsec policy guangzhou 100 manual

[SecBlade_VPN-ipsec-policy-manual-guangzhou-100] Tunnel local 10.0.0.1

[SecBlade_VPN-ipsec-policy-manual-guangzhou-100] quit

[SecBlade_VPN] interface GigabitEthernet0/0/0.1

[SecBlade_VPN-GigabitEthernet0/0/0.1] ipsec policy guangzhou

3.1.35  Tunnel remote

Syntax

Tunnel remote ip-address

undo Tunnel remote [ ip-address ]

View

Manually-created IPSec policy view

Parameter

ip-address: Remote address in dotted decimal format.

Description

Use the Tunnel remote command to set the remote address of an IPSec policy.

Use the undo Tunnel remote command to delete the remote address of the IPSec policy.

By default, the remote address of an IPSec policy is not configured.

For an IPSec policy in manual mode, only one remote address can be set. To change the remote address of an IPSec policy, it is necessary to remove the address before a new one can be set.

The security tunnel is established between the local and remote ends. The remote address must be set correctly on both ends of the security tunnel.

Related command: ipsec policy (system view), ipsec policy (interface view), security acl, Tunnel local, sa duration, proposal.

Example

# Set the remote address of the IPSec policy to 10.1.1.2.

[SecBlade_VPN] ipsec policy shanghai 10 manual

[SecBlade_VPN-ipsec-policy-manual-shanghai-10] Tunnel remote 10.1.1.2

3.2  Encryption Card Configuration Commands

3.2.1  debugging encrypt-card host

Syntax

debugging encrypt-card host { all | command | error | misc | packet | sa }

undo debugging encrypt-card host { all | command | error | misc | packet | sa }

View

User view

Parameter

all: Specifies to enable all debugging on the encryption card.

command: Specifies to enable command debugging on the encryption card.

error: Specifies to enable error debugging on the encryption card.

misc: Specifies to enable other debugging on the encryption card.

packet: Specifies to enable packet debugging on the encryption card.

sa: Specifies to enable security association (SA) debugging on the encryption card.

Description

Use the debugging encrypt-card host command to enable debugging for the CMW host test software on the encryption card.

Use the undo debugging encrypt-card host command to disable that debugging.

Example

# Enable command debugging for the CMW host test software on the encryption card.

<SecBlade_VPN> debugging encrypt-card host command

3.2.2  display encrypt-card fast-switch

Syntax

display encrypt-card fast-switch

View

Any view

Parameter

None

Description

Use the display encrypt-card fast-switch command to view the entries in the fast forwarding cache for the encryption cards.

Example

# Display the entries in the fast forwarding cache for the encryption cards.

[SecBlade_VPN] display encrypt-card fast-switch

  encrypt-card Fast-Forwarding cache:

Index  SourIP   SourPort  DestIP   DestPort  Prot  TdbID       Type

18     1.1.1.2  8         1.1.1.1  0         1     0x00000024  encrypt

130    1.1.1.1  0         1.1.1.2  0         50    0x00000023  decrypt

Table 3-9 Description on the fields of the display encrypt-card fast-switch command

Field     Description

Index     Index of the fast forwarding entry

SourIP    Source IP address

SourPort  Source port

DestIP    Destination IP address

DestPort  Destination port

Prot      Protocol number

TdbID     TDB ID for encrypting this flow

Type      encrypt (outgoing direction) or decrypt (incoming direction)

3.2.3  display interface encrypt

Syntax

display interface encrypt [ slot-id ]

View

Any view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the display interface encrypt command to view the interface information of an encryption card.

The output shows the protocol and driver status of the card, the total numbers of packets and bytes sent to and received from the card, the number of dropped packets, and the same counters for the last five seconds.

Related command: interface encrypt.

Example

# Display the port information on the encryption card at slot 5/0/0.

[SecBlade_VPN] display interface Encrypt 5/0/0

Description :  Encrypt5/0/0 Interface

  Protocol Status:    READY

  Driver Status  :    READY

  Total Statistics

    Packets sent to card              :    10

    Packets received from card        :    9

    Bytes sent to card                :    1216

    Bytes received from card          :    584

    Dropped packets                 :    0

  Statistics during last 5 seconds

    Packets sent to card              :    0

    Packets received from card        :    0

    Bytes sent to card                :    0

    Bytes received from card          :    0

    Dropped packets                 :    0

3.2.4  encrypt-card backuped

Syntax

encrypt-card backuped

undo encrypt-card backuped

View

System view

Parameter

None

Description

Use the encrypt-card backuped command to enable the backup function for the encryption cards.

Use the undo encrypt-card backuped command to disable the backup function for the encryption cards.

By default, the backup function for the encryption cards is disabled.

For an IPSec SA implemented on an encryption card, IPSec processing is performed by the card while the card operates normally. If the card fails, the backup function is enabled, and the encryption/authentication algorithms selected for the SA are supported by the IPSec module of the CMW platform, IPSec processing is taken over by that module in software on the host. If the selected algorithms are not supported by the IPSec module, the system drops the packets; it never sends them unprotected.

Example

# Enable the backup function for the encryption card.

[SecBlade_VPN] encrypt-card backuped

3.2.5  encrypt-card fast-switch

Syntax

encrypt-card fast-switch

undo encrypt-card fast-switch

View

System view

Parameter

None

Description

Use the encrypt-card fast-switch command to enable the fast forwarding function of the encryption cards.

Use the undo encrypt-card fast-switch command to disable the fast forwarding function of the encryption cards.

By default, the fast forwarding function of the encryption cards is disabled.

For the packets that have the same [SourIP, SourPort, DestIP, DestPort, Prot] quintuple, the SecBlade creates a fast forwarding entry when it receives the first packet. Then, the subsequent packets are sent directly to the encryption card, where they are sent to the destination after being encrypted or decrypted. In this way, IP to IPSec processing for each packet can be simplified. This is how the fast forwarding function of the encryption card expedites packet processing.

 

  Caution:

After the fast forwarding function is enabled on the encryption card, no more ACL statistics will be performed on the packets fast-forwarded by the encryption card.

 

Example

# Enable the fast forwarding function of the encryption card.

[SecBlade_VPN] encrypt-card fast-switch
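The caution above matters for anyone who uses ACL hit counters to see which traffic is being protected: once a flow is in the fast forwarding cache, the ACL is no longer consulted for it. The following Python is an added example, not code from the H3C manual: it models the cache keyed on the [SourIP, SourPort, DestIP, DestPort, Prot] quintuple and shows, with and without fast forwarding, how the per-rule ACL statistics diverge for the same packets. The packets, the ACL rule and the class names are constructed for this example; packets that match no permit rule are forwarded in the clear, as the security acl description states.

```python
# Added example (not from the H3C manual): model of the encrypt-card fast
# forwarding cache and its effect on ACL statistics. Packets, rules and
# names are constructed for this example.
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, int, str, int, int]  # (SourIP, SourPort, DestIP, DestPort, Prot)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int  # IP protocol number, e.g. 6 = TCP, 1 = ICMP


@dataclass(frozen=True)
class AclRule:
    action: str            # "permit" -> protect with IPSec, "deny" -> send in the clear
    proto: Optional[int]   # None matches any protocol
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst_net))


class IPSecForwarder:
    def __init__(self, rules: List[AclRule], fast_switch: bool):
        self.rules = rules
        self.fast_switch = fast_switch
        self.cache: Dict[FlowKey, str] = {}   # flow -> "encrypt" or "clear"
        self.acl_hits: Counter = Counter()     # rule index -> matches (the ACL statistics)

    def _acl_lookup(self, pkt: Packet) -> Tuple[Optional[int], str]:
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                return i, rule.action
        return None, "deny"  # no rule matched: forwarded without IPSec protection

    def process(self, pkt: Packet) -> str:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if self.fast_switch and key in self.cache:
            # Cached flow: handed straight to the card, no ACL lookup, no ACL statistics.
            return self.cache[key]
        idx, action = self._acl_lookup(pkt)
        if idx is not None:
            self.acl_hits[idx] += 1
        decision = "encrypt" if action == "permit" else "clear"
        if self.fast_switch:
            self.cache[key] = decision
        return decision


def run_demo(fast_switch: bool) -> Tuple[List[str], Dict[int, int]]:
    """Push a three-packet TCP flow and one ICMP packet through the forwarder."""
    rules = [AclRule("permit", 6, "10.1.1.0/24", "10.1.2.0/24")]  # rule 0 of a hypothetical ACL
    fwd = IPSecForwarder(rules, fast_switch)
    flow = [Packet("10.1.1.10", 40000, "10.1.2.20", 443, 6) for _ in range(3)]
    ping = Packet("10.1.1.10", 0, "10.1.2.20", 0, 1)  # ICMP: no permit rule, goes in the clear
    decisions = [fwd.process(p) for p in flow + [ping]]
    return decisions, dict(fwd.acl_hits)
```

With fast forwarding off, rule 0 counts three hits for the three TCP packets; with it on, the rule counts one hit and the remaining packets are processed from the cache. The forwarding decisions are identical either way, so the difference shows up only in the statistics, which is exactly what the caution warns about.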

3.2.6  interface encrypt

Syntax

interface encrypt slot-id

View

System view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the interface encrypt command to enter an encryption card interface view.

In encryption card interface view, you can only execute the shutdown and undo shutdown commands, respectively to shut down the encryption card or turn on the card.

Example

# Enter the interface mode of the encryption card at slot 5/0/0.

[SecBlade_VPN] interface encrypt 5/0/0

[SecBlade_VPN-Encrypt5/0/0]

3.2.7  ipsec card-proposal

Syntax

ipsec card-proposal proposal-name

undo ipsec card-proposal proposal-name

View

System view

Parameter

proposal-name: Name of the SA proposal for encryption card, a string up to 16 characters. It is not case-sensitive.

Description

Use the ipsec card-proposal command to create an SA proposal for encryption card and enter the corresponding view.

Use the undo ipsec card-proposal command to delete an SA proposal for encryption card.

This command enters encryption card SA proposal view, in which encryption, decryption and authentication are performed on the encryption card. The host software also retains the SA proposal view of the host itself (the ipsec proposal command), in which encryption, decryption and authentication are performed by the host. In encryption card SA proposal view you can additionally specify the slot of the encryption card used by the proposal with the use encrypt-card command; the rest of the configuration is identical to that of the ipsec proposal command.

After completing SA proposal configuration, you need to return to system view using the quit command, so that you can initiate other configuration.

Example

# Create the SA proposal “card” that uses the encryption card in slot 5/0/0, set the security protocol to ah-esp, the AH authentication algorithm to sha1, the ESP authentication algorithm to sha1 and the ESP encryption algorithm to 3des.

[SecBlade_VPN] ipsec card-proposal card

[SecBlade_VPN-ipsec-card-proposal-card] use encrypt-card 5/0/0

[SecBlade_VPN-ipsec-card-proposal-card] transform ah-esp

[SecBlade_VPN-ipsec-card-proposal-card] ah authentication-algorithm sha1

[SecBlade_VPN-ipsec-card-proposal-card] esp authentication-algorithm sha1

[SecBlade_VPN-ipsec-card-proposal-card] esp encryption-algorithm 3des

[SecBlade_VPN-ipsec-card-proposal-card] quit

[SecBlade_VPN]

3.2.8  reset counters interface encrypt

Syntax

reset counters interface encrypt [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the reset counters interface encrypt command to clear the statistics on an encryption card.

The statistics accumulate over the whole period of normal operation, but fault analysis usually needs the statistics of a specific period. Clear the existing statistics and then collect the statistics for the period of interest.

Related command: ipsec card-proposal.

Example

# Clear the statistics on the encryption card at slot 5/0/0.

<SecBlade_VPN> reset counters interface encrypt 5/0/0

3.2.9  reset encrypt-card fast-switch

Syntax

reset encrypt-card fast-switch

View

User view

Parameter

None

Description

Use the reset encrypt-card fast-switch command to clear the fast forwarding information on the encryption card.

Example

# Clear the fast forwarding information on the encryption card.

<SecBlade_VPN> reset encrypt-card fast-switch

3.2.10  reset encrypt-card sa

Syntax

reset encrypt-card sa [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card sa command to clear the SAs on an encryption card.

You may need to clear the SA database information stored on the encryption card, to output only the required information during debugging.

Related command: ipsec card-proposal.

 

Note:

This command is not available on the current encryption cards.

 

Example

# Clear the SAs on the encryption card at slot 5/0/0.

<SecBlade_VPN> reset encrypt-card sa 5/0/0

3.2.11  reset encrypt-card statistics

Syntax

reset encrypt-card statistics [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card statistics command to clear the processing statistics of an encryption card.

The statistics information records all the protocol processing information from the last rebooting, including the numbers of incoming/outgoing ESP/AH packets, dropped packets, failed authentications, erroneous SAs, invalid SA proposals, and invalid protocols.

 

Note:

This command is not available on the current encryption cards.

 

Example

# Clear the processing statistics on the encryption card at slot 5/0/0.

<SecBlade_VPN> reset encrypt-card statistics 5/0/0

3.2.12  reset encrypt-card syslog

Syntax

reset encrypt-card syslog [ slot-id ]

View

User view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the reset encrypt-card syslog command to clear all the logging information on an encryption card.

The encryption card keeps its complete log history, and every query reports all log entries, including obsolete ones, which complicates log monitoring and fault location. In this case you may need to clear the log buffer of the encryption card.

 

Note:

This command is not available on the current encryption cards.

 

Example

# Clear all the logging information on the encryption card at slot 5/0/0.

<SecBlade_VPN> reset encrypt-card syslog 5/0/0

3.2.13  snmp-agent trap enable encrypt-card

Syntax

snmp-agent trap enable encrypt-card

undo snmp-agent trap enable encrypt-card

View

System view

Parameter

None

Description

Use the snmp-agent trap enable encrypt-card command to enable the SNMP agent trap function on encryption cards.

Use the undo snmp-agent trap enable encrypt-card command to disable the SNMP agent trap function on encryption cards.

When combined with appropriate SNMP configuration, the trap function lets you see card rebooting, status transitions and packet loss events on the NMS and on the console of the SecBlade.

By default, the SNMP agent trap function is enabled on encryption cards.

Example

# Enable the trap function on the encryption cards.

[SecBlade_VPN] snmp-agent trap enable encrypt-card

3.2.14  use encrypt-card

Syntax

use encrypt-card slot-id

undo use encrypt-card

View

Card SA proposal view

Parameter

slot-id: Slot ID of an encryption card; the range depends on the number of slots on the SecBlade. It is in three-dimensional format x/y/z, where x is the slot number on the SecBlade and y and z are always 0 for encryption cards.

Description

Use the use encrypt-card command to specify the slot holding the encryption card that an SA proposal uses.

Use the undo use encrypt-card command to remove the configuration.

One SA proposal can only be processed by a single encryption card, but one single encryption card can process different SA proposals.

Related command: ipsec card-proposal.

Example

# Configure the slot holding the encryption card used by the encryption card SA proposal named “card”.

[SecBlade_VPN] ipsec card-proposal card

[SecBlade_VPN-ipsec-card-proposal-card] use encrypt-card 5/0/0

 


Chapter 4  IKE Configuration Commands

4.1  IKE Configuration Commands

4.1.1  authentication-algorithm

Syntax

authentication-algorithm { md5 | sha }

undo authentication-algorithm

View

IKE proposal view

Parameter

md5: Specifies to use the authentication algorithm: HMAC-MD5.

sha: Specifies to use the authentication algorithm: HMAC-SHA1.

Description

Use the authentication-algorithm command to specify an authentication algorithm for an IKE proposal.

Use the undo authentication-algorithm command to restore to the default authentication algorithm for an IKE proposal.

By default, HMAC-SHA1 authentication algorithm is used.

Related command: ike proposal, display ike proposal.

Example

# Set HMAC-MD5 as the authentication algorithm for IKE proposal 10.

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] authentication-algorithm md5

4.1.2  authentication-method

Syntax

authentication-method { pre-share | rsa-signature }

undo authentication-method

View

IKE proposal view

Parameter

pre-share: Specifies the pre-shared key authentication as the IKE proposal authentication method.

rsa-signature: Specifies to authenticate through PKI digital signature.

Description

Use the authentication-method command to specify the authentication method used by an IKE proposal.

Use the undo authentication-method command to restore the authentication method used by an IKE proposal to the default.

By default, the authentication method used by an IKE proposal is pre-shared key authentication.

You can specify an authentication method for an IKE proposal. Two methods are available: pre-shared key and PKI (RSA) digital signature.

An authentication key must be configured for the pre-shared key method. For more information about authentication key configuration, refer to the pre-shared-key command.

In IKE negotiation, the id-type and remote-name configured for the IKE peer do not take effect when the initiator uses RSA digital signature authentication; the responder then selects an IKE peer only by the remote-address configured for the peer. Both the initiator and the responder must therefore specify remote-address when RSA digital signature authentication is used; otherwise all addresses match by default.

Related command: ike pre-shared-key, ike proposal, display ike proposal, pki domain, and pki entity.

 

Note:

For more information on configuring PKI, refer to “PKI Configuration” in this manual.

 

Example

# Specify pre-shared key authentication as the authentication method for IKE proposal 10.

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] authentication-method pre-share

4.1.3  debugging ike

Syntax

debugging ike { all | error | exchange | message | misc | transport}

undo debugging ike { all | error | exchange | message | misc | transport}

View

User view

Parameter

all: Specifies to enable all IKE debugging functions.

error: Specifies to enable IKE error debugging.

exchange: Specifies to enable IKE exchange mode debugging.

message: Specifies to enable IKE message debugging.

misc: Specifies to enable all the other IKE information debugging.

transport: Specifies to enable IKE transport debugging.

Description

Use the debugging ike command to enable IKE debugging.

Use the undo debugging ike command to disable IKE debugging.

By default, IKE debugging is disabled.

Example

# Enable IKE error debugging.

<SecBlade_VPN> debugging ike error

4.1.4  dh

Syntax

dh { group1 | group2 | group5 | group14 }

undo dh

View

IKE proposal view

Parameter

group1: Specifies to use group1, the 768-bit Diffie-Hellman group for phase-1 key negotiation.

group2: Specifies to use group2, the 1024-bit Diffie-Hellman group for phase-1 key negotiation.

group5: Specifies to use group5, the 1536-bit Diffie-Hellman group for phase-1 key negotiation.

group14: Specifies to use group14, the 2048-bit Diffie-Hellman group for phase-1 key negotiation.

Description

Use the dh command to specify the Diffie-Hellman group for IKE phase-1 key negotiation.

Use the undo dh command to restore the Diffie-Hellman group to the default.

By default, group1, the 768-bit Diffie-Hellman group, is used. Note that the 768-bit and 1024-bit MODP groups are well below current strength recommendations; configure group14 (2048-bit) on both peers wherever they support it.

Related command: ike proposal, display ike proposal.

Example

# Specify 768-bit Diffie-Hellman for IKE proposal 10.

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] dh group1

4.1.5  display ike peer

Syntax

display ike peer [ peer-name ]

View

Any view

Parameter

peer-name: Name of the IKE peer, a string containing 1 to 15 characters.

Description

Use the display ike peer command to view the configuration about the specified or all IKE peers.

Example

# Display the configuration about all IKE peers.

[SecBlade_VPN-ike-peer-good] display ike peer

 

---------------------------

 IKE Peer: good

   exchange mode: main on phase 1

   pre-shared-key:

   peer id type: ip

   peer ip address: 0.0.0.0 ~ 255.255.255.255

   peer name:

   nat traversal: disable

---------------------------

4.1.6  display ike proposal

Syntax

display ike proposal

View

Any view

Parameter

None

Description

Use the display ike proposal command to view the parameters configured for each IKE proposal.

This command shows IKE proposals in the sequence of the priority.

Related command: authentication-method, ike proposal, encryption-algorithm, authentication-algorithm, dh, sa duration.

Example

# View the IKE proposal information after two IKE proposals are configured.

[SecBlade_VPN] display ike proposal

priority  authentication  authentication  encryption  Diffie-Hellman  duration

          method          algorithm       algorithm   group           (seconds)

--------------------------------------------------------------------------

 10       PRE_SHARED      SHA             DES_CBC     MODP_1024       5000

 11       PRE_SHARED      MD5             DES_CBC     MODP_768        50000

 default  PRE_SHARED      SHA             DES_CBC     MODP_768        86400
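Reading this table by eye on a device with many proposals is error-prone, and the entries that matter most from a security standpoint (DES, MD5, 768-bit or 1024-bit MODP) are easy to overlook. The following Python is an added example, not code from the H3C manual: it parses the display ike proposal output shown above, embedded here as a constant, and reports which proposals use algorithms that are weak by current standards. The weak-algorithm lists express current practice (DES and MD5 are broken or deprecated, MODP groups below 2048 bits are below recommended strength), not anything the manual states; the function names are hypothetical.

```python
# Added example (not from the H3C manual): parse "display ike proposal"
# output and flag weak settings. SAMPLE_OUTPUT is the manual's example;
# the WEAK_* sets reflect current practice, not the manual.
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_OUTPUT = """\
priority  authentication  authentication  encryption  Diffie-Hellman  duration
          method          algorithm       algorithm   group           (seconds)
--------------------------------------------------------------------------
 10       PRE_SHARED      SHA             DES_CBC     MODP_1024       5000
 11       PRE_SHARED      MD5             DES_CBC     MODP_768        50000
 default  PRE_SHARED      SHA             DES_CBC     MODP_768        86400
"""

WEAK_ENCRYPTION = {"DES_CBC"}
WEAK_AUTHENTICATION = {"MD5"}
WEAK_DH_GROUPS = {"MODP_768", "MODP_1024"}


@dataclass
class IkeProposal:
    priority: str
    auth_method: str
    auth_algorithm: str
    encryption: str
    dh_group: str
    duration: int


def parse_ike_proposals(text: str) -> List[IkeProposal]:
    """Return the data rows of display ike proposal output in listed (priority) order."""
    proposals: List[IkeProposal] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six fields and start with a priority number or "default";
        # header lines and the dashed rule are skipped.
        if len(fields) != 6 or not (fields[0].isdigit() or fields[0] == "default"):
            continue
        proposals.append(IkeProposal(fields[0], fields[1], fields[2],
                                     fields[3], fields[4], int(fields[5])))
    return proposals


def audit(proposals: List[IkeProposal]) -> Dict[str, List[str]]:
    """Map each proposal priority to the weak settings found in it (only those with findings)."""
    findings: Dict[str, List[str]] = {}
    for p in proposals:
        issues: List[str] = []
        if p.encryption in WEAK_ENCRYPTION:
            issues.append(f"encryption {p.encryption}: use encryption-algorithm 3des-cbc or aes-cbc")
        if p.auth_algorithm in WEAK_AUTHENTICATION:
            issues.append(f"authentication {p.auth_algorithm}: use authentication-algorithm sha")
        if p.dh_group in WEAK_DH_GROUPS:
            issues.append(f"DH {p.dh_group}: use dh group14")
        if issues:
            findings[p.priority] = issues
    return findings


def audit_report(text: str) -> List[str]:
    """One line per finding, ready to paste into a change ticket."""
    return [f"proposal {prio}: {issue}"
            for prio, issues in audit(parse_ike_proposals(text)).items()
            for issue in issues]
```

On the sample output every proposal, including the built-in default, is flagged for DES_CBC, proposals 11 and default additionally for MODP_768, and proposal 11 for MD5.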

4.1.7  display ike sa

Syntax

display ike sa [ verbose [ connection-id id | remote-address ip-address ] ]

View

Any view

Parameter

verbose: Specifies to display details about IKE SAs.

connection-id id: Specifies to display the information of the specified connection by the connection ID.

remote-address ip-address: Specifies to display the information of the specified connection by the peer IP addresses of IKE SAs.

 Description

Use the display ike sa command to view the current security tunnels established by IKE.

Related command: ike proposal.

Example

# View the security tunnels established by IKE.

[SecBlade_VPN] display ike sa

    Total IKE phase-1 SAs:  1

conn-id   peer          flag      phase   doi

1         202.38.0.2    RD|ST     1       IPSEC

2         202.38.0.2    RD|ST     2       IPSEC

flag meaning:

RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT

The descriptions of the items displayed are listed in the following table.

Table 4-1 Description on the fields of the display ike sa command

Field    Description

conn-id  Security channel (connection) ID

peer     Remote IP address of this SA

flag     Status of this SA:

         RD (READY): the SA has been established successfully.

         ST (STAYALIVE): this end is the initiator of the tunnel setup negotiation.

         RL (REPLACED): the SA has been replaced by a new one and will be deleted automatically after a period of time.

         FD (FADING): the SA has soft-timed out once but is still in use; it will be deleted at hard timeout.

         TO (TIMEOUT): the SA has not received any keepalive packet since the previous keepalive timeout; if none arrives before the next keepalive timeout, the SA will be deleted.

phase    Phase of the SA:

         Phase 1 establishes the secure channel used for negotiation; the ISAKMP SA is created in this phase.

         Phase 2 negotiates the security service; the IPSec SA is created in this phase.

doi      Domain of interpretation to which the SA belongs
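When a device carries many tunnels, the flag column is what an operator scans for SAs that are about to disappear. The following Python is an added example, not code from the H3C manual: it parses display ike sa output into records, decodes the flag field with the meanings from Table 4-1, and picks out the connections that are replaced, fading or timing out. The embedded sample is the manual's output above plus one constructed row (conn-id 3 with RD|TO) so that the filter has something to find; the function names are hypothetical.

```python
# Added example (not from the H3C manual): parse "display ike sa" output and
# decode the flag field per Table 4-1. SAMPLE_IKE_SA is the manual's output
# plus one constructed row (conn-id 3).
from dataclasses import dataclass
from typing import FrozenSet, List

SAMPLE_IKE_SA = """\
    Total IKE phase-1 SAs:  1
conn-id   peer          flag      phase   doi
1         202.38.0.2    RD|ST     1       IPSEC
2         202.38.0.2    RD|ST     2       IPSEC
3         202.38.0.9    RD|TO     1       IPSEC
flag meaning:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
"""

FLAG_MEANING = {
    "RD": "READY: the SA has been established",
    "ST": "STAYALIVE: this end initiated the negotiation",
    "RL": "REPLACED: superseded by a new SA, will be deleted",
    "FD": "FADING: soft-timed out, still in use until hard timeout",
    "TO": "TIMEOUT: no keepalive since the last keepalive timeout",
}
ATTENTION_FLAGS = {"RL", "FD", "TO"}


@dataclass
class IkeSa:
    conn_id: int
    peer: str
    flags: FrozenSet[str]
    phase: int
    doi: str


def parse_ike_sa(text: str) -> List[IkeSa]:
    """Return the data rows; the summary line, header and flag legend are skipped."""
    sas: List[IkeSa] = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[0].isdigit():
            continue
        flags = frozenset(f[2].split("|"))
        unknown = flags - set(FLAG_MEANING)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} on conn-id {f[0]}")
        sas.append(IkeSa(int(f[0]), f[1], flags, int(f[3]), f[4]))
    return sas


def describe(sa: IkeSa) -> str:
    """Human-readable line for one SA, flags expanded per Table 4-1."""
    meanings = "; ".join(FLAG_MEANING[x] for x in sorted(sa.flags))
    return f"conn-id {sa.conn_id} peer {sa.peer} phase {sa.phase} ({sa.doi}): {meanings}"


def needs_attention(sas: List[IkeSa]) -> List[int]:
    """conn-ids of SAs that are replaced, fading or timing out."""
    return [sa.conn_id for sa in sas if sa.flags & ATTENTION_FLAGS]
```

A phase-1 SA in TO state with a peer that should be reachable usually means the keepalive or DPD path is broken rather than the tunnel itself; checking it before the next keepalive timeout avoids an outage that only shows up once the SA is deleted.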

 

4.1.8  encryption-algorithm

Syntax

encryption-algorithm { des-cbc | 3des-cbc | aes-cbc }

undo encryption-algorithm

View

IKE proposal view

Parameter

des-cbc: Specifies to use the 56-bit DES encryption algorithm in CBC mode for an IKE proposal.

3des-cbc: Specifies to use the 168-bit 3DES encryption algorithm in CBC mode for an IKE proposal.

aes-cbc: Specifies to use the AES encryption algorithm in CBC mode for an IKE proposal.

Description

Use the encryption-algorithm command to specify the encryption algorithm for an IKE proposal.

Use the undo encryption-algorithm command to restore the default.

By default, the 56-bit DES-CBC encryption algorithm is used. DES offers no meaningful protection against a determined attacker today; configure 3des-cbc or, preferably, aes-cbc on both peers.

Related command: ike proposal and display ike proposal.

Example

# Specify the 56-bit DES-CBC encryption algorithm for IKE proposal 10.

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] encryption-algorithm des-cbc

4.1.9  exchange-mode

Syntax

exchange-mode { aggressive | main }

undo exchange-mode

View

IKE-peer view

Parameter

aggressive: Specifies to use the aggressive mode

main: Specifies to use the main mode.

Description

Use the exchange-mode command to select an IKE negotiation mode.

Use the undo exchange-mode command to restore to the default negotiation mode. By default, main mode is adopted.

In the main mode, you can only use IP address to perform IKE negotiation and to create an SA. It is applicable to the situation in which both ends of a tunnel have fixed IP addresses.

In IKE aggressive mode, you can use an IP address or a name to perform IKE negotiation and create an SA. If the user at one end of the security tunnel obtains its IP address dynamically (for example, a dial-up user), the IKE negotiation mode must be set to aggressive; the SA can then be created as long as the peer name and pre-shared key are correct. Note that in aggressive mode with pre-shared key authentication the identity is sent in the clear and the authentication hash is exposed to offline guessing, so a strong pre-shared key is essential.

After accepting a negotiation request from the initiator by using a policy template, the responder will select the negotiation mode according to the negotiation mode of the initiator.

Related command: id-type.

Example

# Specify to use the main mode for IKE negotiation.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] exchange-mode main

4.1.10  id-type

Syntax

id-type { ip | name }

undo id-type

View

IKE-peer view

Parameter

ip: Specifies to use IP address as the ID used in IKE negotiation.

name: Specifies to use name as the ID used in IKE negotiation.

Description

Use the id-type command to select the type of ID used in IKE negotiation.

Use the undo id-type command to restore the default setting. By default, the IP address is used as the ID for IKE negotiation.

In main mode, only an IP address can be used as the identity for IKE negotiation and SA creation.

In aggressive mode, either an IP address or a name can be used as the identity for IKE negotiation and SA creation.

Related command: ike local-name.

Example

# Specify to use name as the ID used in IKE negotiation.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] id-type name

4.1.11  ike encrypt-card dh-computation disabled

Syntax

ike encrypt-card dh-computation disabled

undo ike encrypt-card dh-computation disabled

View

System view

Parameter

None

Description

Use the ike encrypt-card dh-computation disabled command to perform the Diffie-Hellman (DH) computation in software instead of on the encryption card.

Use the undo ike encrypt-card dh-computation disabled command to perform the DH computation on the encryption card again.

By default, the DH computation is performed on the encryption card (hardware).

Example

# Disable the DH computation on the encryption card (perform it in software).

[H3C] ike encrypt-card dh-computation disabled

4.1.12  ike local-name

Syntax

ike local-name name

undo ike local-name

View

System view

Parameter

name: Name of the local gateway in IKE negotiation, a string containing 1 to 32 characters.

Description

Use the ike local-name command to set the name of the local gateway.

Use the undo ike local-name command to restore to the default name of the local gateway. By default, the name of the SecBlade is used as the name of the local gateway.

Before the initiator can use the gateway name in IKE negotiation (that is, when id-type name is used), you must configure the ike local-name command on the local device.

Related command: remote-name.

Example

# Identify the local gateway by the configured name “beijing_VPN”.

[SecBlade_VPN] ike local-name beijing_VPN

4.1.13  ike next-payload check disabled

Syntax

ike next-payload check disabled

undo ike next-payload check disabled

View

System view

Parameter

None

Description

Use the ike next-payload check disabled command to skip the check of the next-payload field in the last payload of an IKE negotiation packet during IPSec negotiation, for compatibility with other vendors' implementations.

Use the undo ike next-payload check disabled command to restore the default setting, that is, to check the next-payload field.

An IKE negotiation packet comprises multiple payloads; the next-payload field is in the generic header of the last payload. According to the protocol, this field should be set to 0, but its value varies between vendors. For compatibility, you can use the ike next-payload check disabled command to ignore this field during IPSec negotiation.

Example

# Cancel the check of next-payload field in the last payload of the IKE negotiation packet during IPSec negotiation.

[SecBlade_VPN] ike next-payload check disabled

4.1.14  ike peer

Syntax

ike peer peer-name

undo ike peer peer-name

View

System view

Parameter

peer-name: IKE peer name, which can be a string of up to 15 characters.

Description

Use the ike peer command to configure an IKE peer and access IKE-peer view.

Use the undo ike peer command to delete an IKE peer.

Example

# Configure an IKE peer “new_peer” and access its view.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer]

4.1.15  ike-peer

Syntax

ike-peer peer-name

undo ike-peer [ peer-name ]

View

IPSec policy view, IPSec policy template view

Parameter

peer-name: IKE peer name, a string of up to 15 characters.

Description

Use the ike-peer command to reference an IKE peer in an IPSec policy or IPSec policy template.

Use the undo ike-peer command to remove the referenced IKE peer from the IPSec policy or IPSec policy template.

Related command: ipsec policy.

Example

# Reference the IKE peer new_peer in the IPSec policy.

[SecBlade_VPN-ipsec-policy-isakmp-policy-10] ike-peer new_peer

4.1.16  ike proposal

Syntax

ike proposal proposal-number

undo ike proposal proposal-number

View

System view

Parameter

proposal-number: IKE proposal number, in the range 1 to 100. This value also represents the priority: a smaller value means a higher priority. During IKE negotiation, the system tries the IKE proposals in ascending order of proposal number.

Description

Use the ike proposal command to define an IKE proposal.

Use the undo ike proposal command to delete an IKE proposal.

The system provides a default IKE proposal with the lowest priority.

Executing this command in system view enters IKE proposal view, where you can set the authentication method, encryption algorithm, authentication algorithm, DH group ID, and SA duration for this IKE proposal using the authentication-method, encryption-algorithm, authentication-algorithm, dh, and sa duration commands.

The default IKE proposal has the following parameters:

Encryption algorithm: DES-CBC

Authentication algorithm: HMAC-SHA1

Authentication method: Pre-Shared Key

DH group ID: MODP_768

SA duration: 86400 seconds

These parameters are used to establish a security tunnel once both sides of the negotiation have agreed on them.

Each side of the negotiation can be configured with more than one IKE proposal. During negotiation, the IKE proposals on the two sides are compared one by one, starting from the one with the highest priority. The encryption algorithm, authentication algorithm, authentication method, and DH group must be identical for two proposals to match. The SA duration is decided by the initiator of the negotiation and does not need to match.

Related commands: authentication-method, encryption-algorithm, dh, authentication-algorithm, sa duration, display ike proposal.

Example

# Define IKE proposal 10.

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] authentication-algorithm md5

[SecBlade_VPN-ike-proposal-10] authentication-method pre-share

[SecBlade_VPN-ike-proposal-10] sa duration 5000
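The matching rules above (compare by priority, four parameters must be identical, SA duration taken from the initiator, system default proposal tried last) can be modelled directly. The following is an added example written for this page, not H3C code: the DH group labels, the placeholder number 101 for the default proposal, and the assumption that the initiator's priority order is walked first are all assumptions of the example. It also shows a point worth checking in a real configuration: a custom proposal that matches nothing on the peer silently falls through to the weak DES-CBC/MODP_768 default that both sides still carry.

```python
"""IKE phase-1 proposal selection, modelled on the matching rules given for the
ike proposal command.  Added example, not H3C code."""
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class IkeProposal:
    number: int               # 1..100 on the device; smaller number = higher priority
    encryption: str           # des-cbc | 3des-cbc | aes-cbc
    auth_algorithm: str       # md5 | sha (as accepted by authentication-algorithm)
    auth_method: str          # pre-share (other method names are not taken from the page)
    dh_group: str             # "modp_768", "modp_1024", ... (labels are an assumption)
    sa_duration: int = 86400  # seconds; set by the initiator, never matched


# The system-supplied default proposal has the lowest priority, so it is tried last.
# Its number (101) is a placeholder outside the 1..100 range, not a device value.
DEFAULT_PROPOSAL = IkeProposal(
    number=101, encryption="des-cbc", auth_algorithm="sha",
    auth_method="pre-share", dh_group="modp_768", sa_duration=86400,
)


def validate_sa_duration(seconds: int) -> bool:
    """sa duration accepts 60 to 604,800 seconds."""
    return 60 <= seconds <= 604800


def _matched_fields(p: IkeProposal) -> tuple:
    """The four parameters that must be identical on both sides."""
    return (p.encryption, p.auth_algorithm, p.auth_method, p.dh_group)


def with_default(proposals: Iterable[IkeProposal]) -> List[IkeProposal]:
    """Order one side's proposals by priority and append the default proposal."""
    return sorted(proposals, key=lambda p: p.number) + [DEFAULT_PROPOSAL]


def select_proposal(initiator: Iterable[IkeProposal],
                    responder: Iterable[IkeProposal]) -> Optional[IkeProposal]:
    """Compare proposals one by one, highest priority first (initiator's order
    walked first: an assumption).  Returns the responder's matched proposal
    carrying the initiator's SA duration, or None if nothing matches."""
    for i in with_default(initiator):
        for r in with_default(responder):
            if _matched_fields(i) == _matched_fields(r):
                return replace(r, sa_duration=i.sa_duration)
    return None


if __name__ == "__main__":
    # Constructed configuration: proposal 10 as in the manual's example plus a peer.
    local = [IkeProposal(10, "aes-cbc", "sha", "pre-share", "modp_1024", 5000)]
    remote = [IkeProposal(7, "aes-cbc", "sha", "pre-share", "modp_1024")]
    print("agreed:", select_proposal(local, remote))
    # Nothing in common except the default: negotiation still succeeds, on DES-CBC.
    print("fallback:", select_proposal(local, [IkeProposal(5, "3des-cbc", "md5", "pre-share", "modp_768")]))
```

Run it as a script to see both outcomes; the second call is the case to watch for when auditing a configuration, because the weak default proposal cannot be removed by this command and will be selected whenever the configured proposals disagree.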

4.1.17  ike sa keepalive-timer interval

Syntax

ike sa keepalive-timer interval seconds

undo ike sa keepalive-timer interval

View

System view

Parameter

seconds: Interval for sending Keepalive packet to the remote end through ISAKMP SA, a value in the range 20 to 28800.

Description

Use the ike sa keepalive-timer interval command to configure the interval for sending Keepalive packet to the remote end through ISAKMP SA.

Use the undo ike sa keepalive-timer interval command to disable the function.

By default, this function is disabled.

IKE maintains the state of the ISAKMP SA by using Keepalive packets. In general, if a timeout time is configured at the remote end by using the ike sa keepalive-timer timeout command, a Keepalive sending interval must be configured at the local end.

When the configured timeout time expires:

• If the ISAKMP SA of the peer is not yet marked “TIMEOUT”, it is marked “TIMEOUT”. The mark is removed when the peer receives a Keepalive packet from the local end.

• If the ISAKMP SA is already marked “TIMEOUT”, which means that the peer has not received a Keepalive packet within the timeout time, the ISAKMP SA and the corresponding IPSec SAs are removed.

Therefore, the configured timeout time must be longer than the interval for sending Keepalive packets.

Related command: ike sa keepalive-timer timeout.

Example

# Configure the interval as 20 seconds for the local end to send Keepalive packet to the remote end.

[SecBlade_VPN] ike sa keepalive-timer interval 20

4.1.18  ike sa keepalive-timer timeout

Syntax

ike sa keepalive-timer timeout seconds

undo ike sa keepalive-timer timeout

View

System view

Parameter

seconds: Specifies the timeout for ISAKMP SA to wait for the Keepalive packet. It can be set to a value in the range 20 to 28800.

Description

Use the ike sa keepalive-timer timeout command to configure a timeout time for ISAKMP SA to wait for the Keepalive packet.

Use the undo ike sa keepalive-timer timeout command to disable the function.

By default, this function is disabled.

This command configures how long the local end waits for a Keepalive packet from the peer.

IKE maintains the state of the ISAKMP SA by using Keepalive packets.

When the configured timeout time expires:

• If the ISAKMP SA of the peer is not yet marked “TIMEOUT”, it is marked “TIMEOUT”. The mark is removed when the peer receives a Keepalive packet from the local end.

• If the ISAKMP SA is already marked “TIMEOUT”, which means that the peer has not received a Keepalive packet within the timeout time, the ISAKMP SA and the corresponding IPSec SAs are removed.

Therefore, the configured timeout time must be longer than the interval for sending Keepalive packets.

Generally, no more than three consecutive packets are lost in a network, so the timeout time can be set to three times the interval at which the remote end sends Keepalive packets.

Related command: ike sa keepalive-timer interval.

Example

# Configure the timeout time as 20 seconds for the local end to wait for the remote end’s Keepalive packet.

[SecBlade_VPN] ike sa keepalive-timer timeout 20
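The interaction between ike sa keepalive-timer interval on one end and ike sa keepalive-timer timeout on the other (both commands above) is easy to get wrong, so the following added example replays the TIMEOUT-mark rules on a timeline. It is illustrative code written for this page, not H3C code; the order in which a Keepalive arrival and a timer expiry at the same instant are processed (arrival first) is an assumption, as are the drop times used as sample input.

```python
"""Keepalive interval (local end) versus Keepalive timeout (remote end), modelled
on the TIMEOUT-mark rules of the ike sa keepalive-timer commands.
Added example, not H3C code."""
from typing import Iterable, List, Optional

KEEPALIVE_RANGE = (20, 28800)  # seconds, accepted by both commands


def validate_keepalive(interval: int, timeout: int) -> List[str]:
    """Configuration checks drawn from the command descriptions."""
    problems = []
    for name, value in (("interval", interval), ("timeout", timeout)):
        if not KEEPALIVE_RANGE[0] <= value <= KEEPALIVE_RANGE[1]:
            problems.append(f"{name} {value} outside {KEEPALIVE_RANGE}")
    if timeout <= interval:
        problems.append("timeout must be longer than the Keepalive interval")
    return problems


def recommended_timeout(interval: int) -> int:
    """Three times the peer's sending interval, as the manual suggests."""
    return 3 * interval


def simulate_timeout(interval: int, timeout: int, lost: Iterable[int],
                     horizon: int) -> Optional[int]:
    """Replay the remote end's TIMEOUT handling.

    `interval`: the sender's Keepalive interval; `timeout`: the receiver's
    timeout; `lost`: send times (seconds) at which the Keepalive is dropped.
    Returns the time at which the ISAKMP SA is removed, or None if it is still
    up at `horizon`."""
    lost = set(lost)
    events = []
    t = interval
    while t <= horizon:
        if t not in lost:
            events.append((t, 0, "keepalive"))   # arrival clears the mark
        t += interval
    t = timeout
    while t <= horizon:
        events.append((t, 1, "expiry"))          # timeout timer fires
        t += timeout
    marked = False
    for t, _, kind in sorted(events):            # arrival before expiry at equal t
        if kind == "keepalive":
            marked = False
        elif marked:
            return t        # still marked TIMEOUT at the next expiry: SA removed
        else:
            marked = True   # first expiry without a Keepalive: mark TIMEOUT
    return None


if __name__ == "__main__":
    # Constructed scenario: local sends every 20 s, remote waits 60 s (3x).
    print(validate_keepalive(20, 60))                           # []
    print(simulate_timeout(20, 60, lost={40, 60}, horizon=200))  # None: survives two drops
    print(simulate_timeout(20, 60, lost={80, 100, 120}, horizon=200))  # 120: removed
    # Misconfigured: timeout equal to the interval, a single drop tears the SA down.
    print(validate_keepalive(20, 20))
    print(simulate_timeout(20, 20, lost={40}, horizon=200))      # 40
```

The third call shows why the manual's guidance is a heuristic rather than a guarantee: three consecutive drops that span a full timeout window still remove the SA, and everything negotiated under it (the IPSec SAs) goes with it.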

4.1.19  ike sa nat-keepalive-timer interval

Syntax

ike sa nat-keepalive-timer interval seconds

undo ike sa nat-keepalive-timer interval

View

System view

Parameter

seconds: Interval for the IKE peer to send NAT Keepalive packets, in the range 5 to 300 (seconds).

Description

Use the ike sa nat-keepalive-timer interval command to define the interval for the IKE peer to send NAT Keepalive packets.

Use the undo ike sa nat-keepalive-timer interval command to restore to the default interval for the IKE peer to send NAT Keepalive packets.

When configuring this command, make sure that the specified interval is less than the timeout time for NAT traversal.

By default, the interval for the IKE peer to send NAT Keepalive packets is 20 seconds.

Example

# Configure the IKE peer to send NAT Keepalive packets every 30 seconds.

[SecBlade_VPN] ike sa nat-keepalive-timer interval 30

4.1.20  local

Syntax

local { multi-subnet | single-subnet }

undo local

View

IKE-peer view

Parameter

multi-subnet: Specifies to use the multi-subnet type.

single-subnet: Specifies to use the single-subnet type.

Description

Use the local command to configure the subnet type in IKE negotiation.

Use the undo local command to restore the default subnet type. The local command is used to enable interoperability between the router and a NETSCREEN device.

The default type is single-subnet.

Example

# Set the subnet type in IKE negotiation to multi-subnet.

[SecBlade_VPN-ike-peer-xhy] local multi-subnet

4.1.21  local-address

Syntax

local-address ip-address

undo local-address

View

IKE-peer view

Parameter

ip-address: IP address of the local gateway in IKE negotiation.

Description

Use the local-address command to configure the IP address of the local gateway in IKE negotiation.

Use the undo local-address command to delete the IP address of the local gateway.

Normally, you do not need to configure the local-address command, unless you want to specify a special address for the local gateway.

Example

# Set the IP address of the local gateway to 1.1.1.1.

[SecBlade_VPN-ike-peer-xhy] local-address 1.1.1.1

4.1.22  nat traversal

Syntax

nat traversal

undo nat traversal

View

IKE-peer view

Parameter

None

Description

Use the nat traversal command to configure the NAT traversal function of IKE/IPSec.

Use the undo nat traversal command to disable the NAT traversal function of IKE/IPSec.

This command is applicable for the scenario in which the NAT gateway functionality is included in the VPN tunnel constructed by IKE/IPSec.

To save IP address space, ISPs often deploy NAT gateways on public networks and allocate private IP addresses to users. As a result, an IPSec/IKE tunnel may have a public network address at one end and a private network address at the other. In this scenario, you must enable NAT traversal at the private network end so that the tunnel can be negotiated and established normally.

Example

# Enable the NAT traversal function.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] nat traversal

4.1.23  peer

Syntax

peer { multi-subnet | single-subnet }

undo peer

View

IKE-peer view

Parameter

multi-subnet: Specifies to use the multi-subnet type.

single-subnet: Specifies to use the single-subnet type.

Description

Use the peer command to configure the subnet type in IKE negotiation.

Use the undo peer command to restore the default subnet type. The peer command is used to enable interoperability between the router and a NETSCREEN device.

The default is single-subnet.

Example

# Set the subnet type in IKE negotiation to multi-subnet.

[SecBlade_VPN-ike-peer-xhy] peer multi-subnet

4.1.24  pre-shared-key

Syntax

pre-shared-key key

undo pre-shared-key

View

IKE-peer view

Parameter

key: Pre-shared key, a string of 1 to 128 characters.

Description

Use the pre-shared-key command to configure a pre-shared key to be used in IKE negotiation.

Use the undo pre-shared-key command to remove the pre-shared key used in IKE negotiation.

Example

# Set the pre-shared key used in IKE negotiation to “abcde”.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] pre-shared-key abcde

4.1.25  remote-address

Syntax

remote-address low-ip-address [ high-ip-address ]

undo remote-address

View

IKE-peer view

Parameter

low-ip-address: Start IP address.

high-ip-address: End IP address.

Description

Use the remote-address command to configure an IP address of the remote gateway.

Use the undo remote-address command to remove the IP address of the remote gateway.

If the initiator uses its IP address in IKE negotiation (that is, id-type ip is used), it sends its IP address to the peer as its identity. The responder uses the remote-address low-ip-address [ high-ip-address ] command to authenticate the initiator. If the responder is only configured with low-ip-address, low-ip-address must be consistent with the IP address configured by the local-address command in the initiator. If the responder is configured with both low-ip-address and high-ip-address (that is, an address range is configured), the address range must include the IP address configured by the local-address command in the initiator. The initiator of IKE negotiation cannot configure remote-address as an address range.

Example

# Set the IP address of the remote gateway to 10.0.0.1.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] remote-address 10.0.0.1

4.1.26  remote-name

Syntax

remote-name name

undo remote-name

View

IKE-peer view

Parameter

name: Name to be specified for the peer in IKE negotiation. It is a string of 1 to 32 characters.

Description

Use the remote-name command to specify a name for the remote gateway.

Use the undo remote-name command to remove the name of the remote gateway.

If the initiator uses its name in IKE negotiation (that is, id-type name is used), it sends the name to the peer as its identity, and the peer uses the name configured by the remote-name name command to authenticate the initiator. To pass authentication, this remote name must be the same as the name configured by the ike local-name command on the gateway at the initiator end.

Example

# Set the name of the remote gateway to “beijing”.

[SecBlade_VPN] ike peer new_peer

[SecBlade_VPN-ike-peer-new_peer] remote-name beijing
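The responder-side identity check described for remote-address and remote-name above, as an added example written for this page (not H3C code): an IP identity must fall within the configured low/high range (a single address when no high-ip-address is given), a name identity must equal the configured remote-name, and an initiator must not carry a range. The peer names and addresses are constructed sample values.

```python
"""Responder-side identity check for an IKE peer, following the rules given for
the remote-address and remote-name commands.  Added example, not H3C code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class IkePeerConfig:
    id_type: str                        # "ip" (default) or "name", as set by id-type
    remote_name: Optional[str] = None   # remote-name name
    low_ip: Optional[str] = None        # remote-address low-ip-address
    high_ip: Optional[str] = None       # remote-address high-ip-address (responder only)


def responder_accepts(peer: IkePeerConfig, identity: str) -> bool:
    """Does the identity presented by the initiator match this peer entry?"""
    if peer.id_type == "name":
        # Name identity: must equal the configured remote-name exactly.
        return peer.remote_name is not None and identity == peer.remote_name
    if peer.id_type == "ip":
        if peer.low_ip is None:
            return False                # no remote-address configured: reject
        try:
            addr = ipaddress.IPv4Address(identity)
        except ValueError:
            return False                # presented identity is not an IPv4 address
        low = ipaddress.IPv4Address(peer.low_ip)
        high = ipaddress.IPv4Address(peer.high_ip) if peer.high_ip else low
        return low <= addr <= high      # single address or inclusive range
    return False


def initiator_config_ok(peer: IkePeerConfig) -> bool:
    """The initiator of IKE negotiation cannot configure remote-address as a range."""
    return peer.high_ip is None


if __name__ == "__main__":
    hub = IkePeerConfig(id_type="ip", low_ip="10.0.0.1", high_ip="10.0.0.100")  # constructed
    print(responder_accepts(hub, "10.0.0.50"), responder_accepts(hub, "10.0.1.1"))  # True False
    branch = IkePeerConfig(id_type="name", remote_name="beijing")
    print(responder_accepts(branch, "beijing"), responder_accepts(branch, "shanghai"))  # True False
```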

4.1.27  reset ike sa

Syntax

reset ike sa [ connection-id ]

View

User view

Parameter

connection-id: Connection ID of the SA to be deleted. If this parameter is not specified, all the SAs at phase 1 will be deleted.

Description

Use the reset ike sa command to delete the security tunnel set up by IKE.

If connection-id is not specified, all the SAs at phase 1 will be deleted. If ISAKMP SA at phase 1 exists when the local security tunnel is to be deleted, a Delete Message notification will be sent to the remote under the protection of this security tunnel to notify the remote to delete the corresponding SA.

IKE uses ISAKMP in two phases: phase 1 establishes the ISAKMP SA, and phase 2 negotiates and establishes the IPSec SAs under the protection of the SA established in phase 1.

Related command: display ike sa.

Example

# Delete the security tunnel to 202.38.0.2.

<SecBlade_VPN> display ike sa

    Total IKE phase-1 SAs:  1

conn-id      remote            flag         phase     doi

1            202.38.0.2      RD|ST        1         IPSEC

2            202.38.0.2      RD|ST        2         IPSEC

flag meaning:

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

<SecBlade_VPN> reset ike sa 2

<SecBlade_VPN> display ike sa

    Total IKE phase-1 SAs:  1

conn-id      remote        flag           phase      doi

1            202.38.0.2    RD|ST          1          IPSEC

flag meaning:

RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT

 

Caution:

If the SA of phase 1 is deleted first, the remote end cannot be informed of clearing the SA database when the SA of phase 2 is to be deleted.

4.1.28  sa duration

Syntax

sa duration seconds

undo sa duration

View

IKE proposal view

Parameter

seconds: ISAKMP SA lifetime, in the range 60 to 604,800 seconds. When the SA duration expires, the ISAKMP SA is updated automatically.

Description

Use the sa duration command to specify the ISAKMP SA duration for an IKE proposal.

Use the undo sa duration command to restore it to the default.

By default, the value of ISAKMP SA duration is 86,400 seconds (one day).

Before the SA duration for an SA expires, a new SA will be negotiated for replacing the existing SA, and the old SA will be automatically cleared when the SA duration expires.

Related command: ike proposal and display ike proposal.

Example

# Specify the ISAKMP SA duration for IKE proposal 10 as 600 seconds (10 minutes).

[SecBlade_VPN] ike proposal 10

[SecBlade_VPN-ike-proposal-10] sa duration 600

 


Chapter 5  PKI Configuration Commands

5.1  PKI Domain Configuration Commands

5.1.1  ca identifier

Syntax

ca identifier name

undo ca identifier

View

PKI domain view

Parameter

name: Identifier of the CA that the device trusts, containing 1 to 63 characters.

Description

Use the ca identifier command to specify the CA that the device trusts and to bind the CA named name to this device.

Use the undo ca identifier command to delete the CA that the device trusts.

By default, no trusted CA is specified.

Until the CA is deleted, certificate request, retrieval, revocation and polling are all carried out through it.

Example

# Specify the name of the CA that the device trusts.

[SecBlade_VPN-pki-domain-1] ca identifier new-ca

5.1.2  certificate request entity

Syntax

certificate request entity entity-name

undo certificate request entity

View

PKI domain view

Parameter

entity-name: Entity name used to apply for certificate. It must be consistent with the name defined by the pki entity command. It can contain 1 to 15 characters.

Description

Use the certificate request entity command to specify the entity name used to apply for certificate.

Use the undo certificate request entity command to cancel the entity name used to apply for certificate.

By default, no entity name is specified.

Related command: pki entity.

Example

# Specify that the device uses the entity “en” to apply for certificate.

[SecBlade_VPN-pki-domain-1] certificate request entity en

5.1.3  certificate request from

Syntax

certificate request from { ca | ra }

undo certificate request from

View

PKI domain view

Parameter

ca: Specifies that the entity registers with the CA for certificate request.

ra: Specifies that the entity registers with the RA for certificate request.

Description

Use the certificate request from command to specify CA or RA to register with for certificate request.

Use the undo certificate request from command to cancel the selected registration agent.

An RA extends the certificate issuance management of the CA. It records and verifies applicant information and handles certificate issuance, but it cannot sign certificates. Some small PKI systems have no RA, and its functions are performed by the CA.

By default, no registration agent is specified. RA is recommended as the registration agent in a PKI IPSec policy.

Example

# Specify that the entity registers with the CA for certificate request.

[SecBlade_VPN-pki-domain-1] certificate request from ca

5.1.4  certificate request mode

Syntax

certificate request mode { manual | auto [ key-length key-length | password { simple | cipher } password ]* }

undo certificate request mode

View

PKI domain view

Parameter

manual: Specifies to apply for the certificate manually.

auto: Specifies to apply for the certificate automatically.

key-length: Length of the RSA key, in the range 512 to 2,048 bits.

simple: Displays the password in plain text.

cipher: Displays the password in cipher text.

password: Password used for revoking certificates, a string of 1 to 31 characters.

Description

Use the certificate request mode command to specify to use manual or automatic certificate request mode.

Use the undo certificate request mode command to restore to the default request mode.

The automatic mode enables the automatic delivery of certificate request when there is no certificate or when the current certificate is about to expire. The manual mode requires manual operation in the request process.

By default, certificate request is carried out manually.

Related command: pki request-certificate.

Example

# Set the request mode to auto.

[SecBlade_VPN-pki-domain-1] certificate request mode auto

5.1.5  certificate request polling

Syntax

certificate request polling { interval minutes | count count }

undo certificate request polling { interval | count }

View

PKI domain view

Parameter

minutes: Interval between two polls, in the range 5 to 60 minutes. The default is 20 minutes.

count: Number of retries, in the range 1 to 100. The default is 50.

Description

Use the certificate request polling command to specify the polling interval and the number of retries.

Use the undo certificate request polling command to restore to the default parameters.

After a certificate request is sent, it may take a long time for the certificate to be issued if the CA authenticates requests manually. The client therefore polls the request periodically so that it obtains the certificate promptly once the request is approved.

Related command: display pki certificate.

Example

# Specify the polling interval and the number of retries.

[SecBlade_VPN-pki-domain-1] certificate request polling interval 15

[SecBlade_VPN-pki-domain-1] certificate request polling count 40

5.1.6  certificate request url

Syntax

certificate request url string

undo certificate request url

View

PKI domain view

Parameter

string: URL of the registration server, containing 1 to 255 characters. It consists of the server location and the location of the CA CGI command-interface script, in the format http://server_location/ca_script_location. The server_location is generally an IP address; if a server name is used instead, DNS must be configured to resolve the name to an IP address.

Description

Use the certificate request url command to specify the URL of the server used for certificate request through SCEP. SCEP (Simple Certificate Enrollment Protocol) is a protocol specifically for communicating with certificate authorities.

Use the undo certificate request url command to delete the location setting.

By default, no server URL is specified.

Example

# Specify the server location for certificate request.

[SecBlade_VPN-pki-domain-1] certificate request url http://169.254.0.100/certsrv/mscep/mscep.dll

5.1.7  crl check disable

Syntax

crl check disable

undo crl check disable

View

PKI domain view

Parameter

None

Description

Use the crl check disable command to disable CRL check.

Use the undo crl check disable command to enable CRL check.

By default, the CRL check is enabled.

Example

# Disable CRL check.

[SecBlade_VPN-pki-domain-1] crl check disable

5.1.8  crl update-period

Syntax

crl update-period hours

undo crl update-period

View

PKI domain view

Parameter

hours: Update period, in hours.

Description

Use the crl update-period command to specify the update period of CRL, which is the interval for downloading CRLs from CRL storage server to local end.

Use the undo crl update-period command to restore to the default CRL update period.

By default, CRLs are updated according to CRL validity period.

Example

# Specify CRL update period to 20 hours.

[SecBlade_VPN-pki-domain-1] crl update-period 20

5.1.9  crl url

Syntax

crl url { url-string | scep }

undo crl url

View

PKI domain view

Parameter

url-string: Location of the CRL distribution point, containing 1 to 127 characters, in the format http://server_location or ldap://server_location. The server_location is generally an IP address; if a server name is used instead, DNS must be configured to resolve the name to an IP address.

scep: Specifies to obtain a CRL through SCEP.

Description

Use the crl url command to specify the distribution point URL for CRL.

Use the undo crl url command to remove the URL.

By default, no CRL distribution point URL is specified.

Example

# Specify the URL of the CRL distribution point.

[SecBlade_VPN-pki-domain-1] crl url http://192.168.19.2/certenroll/win2000.crl

5.1.10  ldap-server

Syntax

ldap-server ip ip-address [ port port-num ] [ version version-number ]

undo ldap-server

View

PKI domain view

Parameter

ip-address: IP address of LDAP server.

port-num: Port number of the LDAP server, in the range 1 to 65,535. The default is 389.

version-number: LDAP version, 2 or 3. The default is 2.

Description

Use the ldap-server ip command to configure the IP address and port of the LDAP server.

Use the undo ldap-server ip command to cancel the related configuration.

By default, no IP address or port is configured for the LDAP server.

Example

# Specify the location of the LDAP server.

[SecBlade_VPN-pki-domain-1] ldap-server ip 169.254.0.30

5.1.11  pki domain

Syntax

pki domain name

undo pki domain name

View

System view

Parameter

name: Name of the PKI domain to which this device belongs, used by other commands to reference the domain. It can contain 1 to 15 characters.

Description

Use the pki domain command to enter PKI domain view, where you can configure the LDAP server parameters and the parameters for certificate request and authentication.

Use the undo pki domain command to delete the specified PKI domain.

By default, no PKI domain name is specified.

Example

# Enter PKI domain view.

[SecBlade_VPN] pki domain 1

[SecBlade_VPN-pki-domain-1]

5.1.12  root-certificate fingerprint

Syntax

root-certificate fingerprint { md5 | sha1 } string

undo root-certificate fingerprint

View

PKI domain view

Parameter

md5: Specifies to use MD5 fingerprint.

sha1: Specifies to use SHA1 fingerprint.

string: Fingerprint to be used, entered in hexadecimal format. For an MD5 fingerprint, the string argument must be 32 characters long; for a SHA1 fingerprint, 40 characters long.

Description

Use the root-certificate fingerprint command to configure the fingerprint used for authenticating the CA root certificate.

Use the undo root-certificate fingerprint command to cancel the configured fingerprint.

By default, no fingerprint is configured.

Example

# Configure the fingerprint used for authenticating the CA root certificate to be MD5 fingerprint.

[SecBlade_VPN-pki-domain-1] root-certificate fingerprint md5 12EF53FA355CD23E12EF53FA355CD23E

# Configure the fingerprint used for authenticating the CA root certificate to be SHA1 fingerprint.

[SecBlade_VPN-pki-domain-1] root-certificate fingerprint sha1 D1526110AAD7527FB093ED7FC037B0B3CDDDAD93
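The fingerprint configured with root-certificate fingerprint is what lets the device decide whether the CA root certificate it obtains is the one the administrator intended, so the check has two parts: the configured string must have the right shape for the chosen algorithm (32 or 40 hexadecimal characters, as stated above), and the digest of the received certificate's DER encoding must equal it. The following is an added example written for this page, not H3C code; the certificate bytes in the script are constructed placeholders, not a real certificate.

```python
"""Validating and checking a CA root-certificate fingerprint, as configured with
root-certificate fingerprint { md5 | sha1 } string.  Added example, not H3C
code; FINGERPRINT_LENGTH mirrors the lengths documented for the command."""
import hashlib
import hmac
import re

FINGERPRINT_LENGTH = {"md5": 32, "sha1": 40}  # hexadecimal characters


def fingerprint_syntax_ok(algorithm: str, value: str) -> bool:
    """Reject a configured string that is not the exact hex length for the algorithm."""
    length = FINGERPRINT_LENGTH.get(algorithm)
    if length is None:
        return False
    return re.fullmatch(r"[0-9A-Fa-f]{%d}" % length, value) is not None


def fingerprint(der: bytes, algorithm: str) -> str:
    """Digest of the certificate's DER bytes, upper-case hex as the manual prints it."""
    if algorithm not in FINGERPRINT_LENGTH:
        raise ValueError(f"unsupported fingerprint algorithm {algorithm!r}")
    return hashlib.new(algorithm, der).hexdigest().upper()


def root_certificate_trusted(der: bytes, algorithm: str, configured: str) -> bool:
    """True only if the configured fingerprint is well-formed and matches the
    certificate.  compare_digest avoids a timing side channel on the comparison."""
    if not fingerprint_syntax_ok(algorithm, configured):
        return False
    return hmac.compare_digest(fingerprint(der, algorithm), configured.upper())


if __name__ == "__main__":
    # Constructed placeholder standing in for a DER-encoded root certificate.
    sample_der = b"\x30\x82\x01\x00" + b"placeholder root certificate body" * 4
    expected = fingerprint(sample_der, "sha1")
    print("sha1 fingerprint:", expected)
    print("matches:", root_certificate_trusted(sample_der, "sha1", expected.lower()))
    # A fingerprint of the wrong length is rejected before any comparison happens.
    print("md5 syntax with 40 chars:", fingerprint_syntax_ok("md5", expected))
```

Note that MD5 is accepted by the command for compatibility; where the CA publishes a SHA1 fingerprint, prefer it, since the fingerprint is the only thing anchoring trust in the root certificate at enrolment time.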

5.2  PKI Entity Configuration Commands

5.2.1  fqdn

Syntax

fqdn name-str

undo fqdn

View

PKI entity view

Parameter

name-str: FQDN of an entity, containing 1 to 255 characters.

Description

Use the fqdn command to specify the FQDN of an entity.

Use the undo fqdn command to delete the entity FQDN.

By default, no entity FQDN is specified.

A fully qualified domain name (FQDN) is the unique identifier that an entity has in the network, like an email address. It can be resolved to an IP address and usually takes the form user.domain.

Example

# Configure the FQDN of an entity.

[SecBlade_VPN-pki-entity-1] fqdn pki.h3c.com

5.2.2  common-name

Syntax

common-name name-str

undo common-name

View

PKI entity view

Parameter

name-str: Common name of an entity, containing 1 to 31 characters.

Description

Use the common-name command to specify the common name of an entity, such as a user name.

Use the undo common-name command to delete the common name of an entity.

By default, no common name is specified for any entity.

Example

# Configure the common name of an entity.

[SecBlade_VPN-pki-entity-1] common-name pki test

5.2.3  country

Syntax

country country-code-str

undo country

View

PKI entity view

Parameter

country-code-str: 2-byte country code.

Description

Use the country command to specify the code of the country to which the entity belongs. It is a standard 2-byte code, for example, CN for China.

Use the undo country command to delete the country code of this entity.

By default, no country code is specified for any entity.

Example

# Set the country code of an entity.

[SecBlade_VPN-pki-entity-1] country CN

5.2.4  ip

Syntax

ip ip-address

undo ip

View

PKI entity view

Parameter

ip-address: IP address of an entity, in dotted decimal notation (A.B.C.D).

Description

Use the ip command to specify the IP address of an entity.

Use the undo ip command to delete the specified IP address.

By default, no entity IP address is specified.

Example

# Configure the IP address of an entity.

[SecBlade_VPN-pki-entity-1] ip 161.12.2.3

5.2.5  locality

Syntax

locality locality-str

undo locality

View

PKI entity view

Parameter

locality-str: Name of the geographical locality of an entity, containing 1 to 31 characters.

Description

Use the locality command to specify the geographical locality of an entity, for example a city.

Use the undo locality command to delete the locality setting.

By default, no geographical locality is specified for any entity.

Example

# Configure the name of the city where the entity lies.

[SecBlade_VPN-pki-entity-1] locality bei jing

5.2.6  organization

Syntax

organization org-str

undo organization

View

PKI entity view

Parameter

org-str: Organization name, containing 1 to 31 characters.

Description

Use the organization command to specify the name of the organization to which the entity belongs.

Use the undo organization command to delete the organization name.

By default, no organization name is specified for an entity.

Example

# Configure the name of the organization to which an entity belongs

[SecBlade_VPN-pki-entity-1] organization hua wei - 3com

5.2.7  organization-unit

Syntax

organization-unit org-unit-str

undo organization-unit

View

PKI entity view

Parameter

org-unit-str: Organization unit name, containing 1 to 31 characters.

Description

Use the organization-unit command to specify the name of the organization unit to which this entity belongs.

Use the undo organization-unit command to delete the specified organization unit name.

By default, no organization unit name is specified for any entity.

Example

# Configure the name of the organization unit to which an entity belongs

[SecBlade_VPN-pki-entity-1] organization-unit soft plat

5.2.8  state

Syntax

state state-str

undo state

View

PKI entity view

Parameter

state-str: State name, containing 1 to 31 characters.

Description

Use the state command to specify the name of the state in which an entity is located.

Use the undo state command to cancel the state name setting.

By default, the state of an entity is not specified.

Example

# Specify the state in which an entity is located.

[SecBlade_VPN-pki-entity-1] state bei jing

5.2.9  pki entity

Syntax

pki entity name-str

undo pki entity name-str

View

Any view

Parameter

name-str: Unique identification string for a PKI entity, containing 1 to 15 characters. Other commands reference the entity by this name.

Description

Use the pki entity command to name a PKI entity and enter PKI entity view.

Use the undo pki entity command to delete the name and cancel all configurations under the name.

A variety of attributes can be configured in PKI entity view. The name-str argument only serves as a handle for other commands to reference; it does not appear in any certificate field.

By default, the entity name is not specified.

Example

# Enter PKI entity view

[SecBlade_VPN] pki entity en

[SecBlade_VPN-pki-entity-en]

5.3  PKI Certificate Operation Commands

5.3.1  pki delete-certificate

Syntax

pki delete-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Specifies to delete all local certificates that are locally stored.

ca: Specifies to delete all CA certificates that are locally stored.

domain-name: PKI domain for the certificate to be deleted.

Description

Use the pki delete-certificate command to delete the locally stored certificates.

Example

# Delete the local certificates in PKI domain “cer”.

[SecBlade_VPN] pki delete-certificate local domain cer

5.3.2  pki import-certificate

Syntax

pki import-certificate { local | ca } domain domain-name { der | p12 | pem } [ filename filename ]

View

System view

Parameter

local: Specifies to import local certificate.

ca: Specifies to import CA certificate.

domain-name: PKI domain where the certificate is located.

der: Specifies that the certificate is DER encoded.

p12: Specifies that the certificate is PKCS#12 (P12) encoded.

pem: Specifies that the certificate is PEM encoded.

filename: File name of the certificate, a string of 1 to 127 characters.

Description

Use the pki import-certificate command to import existing CA certificates or local certificates.

Related command: pki domain.

Example

# Import a CA certificate whose format is PEM code.

[SecBlade_VPN] pki import-certificate ca domain cer pem

5.3.3  pki request-certificate

Syntax

pki request-certificate domain domain-name [ password ] [ pkcs10 [ filename filename ] ]

View

System view

Parameter

domain-name: Domain name containing CA or RA related information. It is configured by the pki domain command.

password: Password for revoking certificates, an optional string containing 1 to 31 characters.

pkcs10: Displays the PKCS#10 certificate request on the terminal in BASE64 encoding. This output is used when the request is submitted out of band, for example by phone, on disk, or by e-mail.

filename: Target file to save the PKCS#10 certificate request.

Description

Use the pki request-certificate command to send a certificate request for the generated RSA key pair to the CA through SCEP. If SCEP communication fails, you can print the local certificate request in BASE64 format with the optional pkcs10 keyword, copy it, and submit it to the CA out of band.

This operation is not saved within the configuration.

Related command: pki domain.

Example

# Manually apply for a certificate and display on the terminal the PKCS#10 certificate request.

[SecBlade_VPN] pki request-certificate domain 1 pkcs10
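
The request that the pkcs10 keyword prints is an ordinary PKCS#10 structure: the DN assembled from the PKI entity attributes of 5.2, the public key, and a self-signature that proves possession of the private key. The following Go program is an added illustration, not part of the H3C manual or the SecBlade software: it builds such a request from the attribute values used in the examples above (common name "pki test", country CN, and so on), PEM-encodes it the way the device prints it, and then plays the receiving CA/RA side, which must decode, parse and verify the self-signature before it relies on any field. It uses an ECDSA P-256 key where the device generates an RSA key pair; the PKCS#10 handling is the same. The Entity type, and the placing of the entity IP in the subjectAltName extension, are this example's choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
)

// Entity holds the attributes PKI entity view accepts: common-name, country,
// state, locality, organization, organization-unit and ip (example type, not a device API).
type Entity struct {
	CommonName, Country, State, Locality, Org, OrgUnit string
	IP                                                 net.IP
}

// Name maps the entity attributes onto the X.509 subject DN fields.
func (e Entity) Name() pkix.Name {
	return pkix.Name{CommonName: e.CommonName, Country: []string{e.Country},
		Province: []string{e.State}, Locality: []string{e.Locality},
		Organization: []string{e.Org}, OrganizationalUnit: []string{e.OrgUnit}}
}

// RequestPEM signs a PKCS#10 request for the entity with its key and returns it
// PEM (BASE64) encoded, the form the device prints when the pkcs10 keyword is
// given so the operator can carry the request to the CA out of band. The entity
// IP address goes into the subjectAltName extension rather than the DN (assumption).
func RequestPEM(e Entity, key *ecdsa.PrivateKey) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: e.Name(), IPAddresses: []net.IP{e.IP}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// InspectRequest is the receiving CA/RA side: decode the PEM, parse the PKCS#10
// structure and check its proof-of-possession signature before trusting any
// field in it. A request that fails any step is rejected.
func InspectRequest(csrPEM []byte) (*x509.CertificateRequest, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil || blk.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("input is not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("request signature does not verify: %w", err)
	}
	return csr, nil
}

// Demo runs the round trip with the attribute values used in the manual's examples.
func Demo() (*x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	e := Entity{CommonName: "pki test", Country: "CN", State: "bei jing", Locality: "bei jing",
		Org: "hua wei - 3com", OrgUnit: "soft plat", IP: net.ParseIP("161.12.2.3")}
	p, err := RequestPEM(e, key)
	if err != nil {
		return nil, err
	}
	fmt.Print(string(p)) // the BASE64 block an operator would copy
	return InspectRequest(p)
}

func main() {
	csr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", csr.Subject.String(), "SAN:", csr.IPAddresses)
}
```

The order of checks in InspectRequest matters on the CA side: the subject and SAN are attacker-controlled input until the self-signature has verified, so nothing in them should be logged as trusted or used for lookups before CheckSignature succeeds.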

5.3.4  pki retrieval-certificate

Syntax

pki retrieval-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Specifies to download local certificates.

ca: Specifies to download CA certificates.

domain-name: Domain name containing CA or RA related information. It is configured by using the pki domain command.

Description

Use the pki retrieval-certificate command to download a certificate from the certificate issuing server.

Related command: pki domain.

Example

# Retrieve a certificate

[SecBlade_VPN] pki retrieval-certificate ca domain 1

5.3.5  pki retrieval-crl

Syntax

pki retrieval-crl domain domain-name

View

System view

Parameter

domain-name: Domain name containing CA or RA related information. It is configured by using the pki domain command.

Description

Use the pki retrieval-crl command to obtain the latest CRL from the CRL server, so that the revocation status of a current certificate can be checked.

Related command: pki domain.

Example

# Retrieve a CRL

[SecBlade_VPN] pki retrieval-crl domain 1

5.3.6  pki validate-certificate

Syntax

pki validate-certificate { local | ca } domain domain-name

View

System view

Parameter

local: Specifies to validate a local certificate.

ca: Specifies to validate a CA certificate.

domain-name: Name of the domain to which the certificate to be validated belongs. It is configured by using the pki domain command.

Description

Use the pki validate-certificate command to verify the validity of a certificate. The check verifies the CA signature on the certificate, that the certificate is still within its validity period, and that it has not been revoked. Any certificate bearing an authentic CA signature passes the signature check, because the CA is trusted never to issue fraudulent certificates.

Related command: pki domain.

Example

# Verify the validity of a CA certificate.

[SecBlade_VPN] pki validate-certificate ca domain 1
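
The three checks named in the description (CA signature, validity period, revocation) depend on the material fetched by the two retrieval commands of 5.3.4 and 5.3.5: the CA certificate anchors the signature check and the CRL answers the revocation question. The Go program below is an added illustration, not code from the H3C manual or the SecBlade software. It builds a stand-in CA, issues two local certificates, revokes one of them in a CRL, and then runs the same three checks with the Go standard library, adding the two conditions a practitioner needs before trusting a CRL: it must be signed by the same trusted CA and must not be past its Next Update. The serial numbers, subject values and key type (ECDSA P-256 rather than the device's RSA) are this example's choices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sign creates a certificate from tmpl and parses it back; parent == tmpl yields a self-signed one.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA stands in for the CA whose certificate the device fetched with pki retrieval-certificate ca.
func NewCA(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "myca"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// Issue signs a one-year local certificate for subject with a freshly generated key pair.
func Issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, subject pkix.Name, now time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subject,
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	return sign(tmpl, ca, &key.PublicKey, caKey)
}

// CRL signs a one-day revocation list naming the given serials, as pki retrieval-crl would download.
func CRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...int64) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// Validate performs the checks the manual lists for pki validate-certificate: CA signature and validity
// period (both inside Verify), then revocation against a CRL that is CA-signed and not past its Next Update.
func Validate(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("CRL unusable (signature error: %v, next update: %s)", err, crl.NextUpdate)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %X is revoked", leaf.SerialNumber)
		}
	}
	return nil
}

// Scenario issues serials 0x6A and 0x6B, revokes 0x6A, and validates both one hour later.
func Scenario() (valid, revoked error, setup error) {
	now := time.Now()
	ca, caKey, err := NewCA(now)
	if err != nil {
		return nil, nil, err
	}
	subject := pkix.Name{CommonName: "pki test", Country: []string{"CN"}, Province: []string{"bei jing"}}
	good, err1 := Issue(ca, caKey, 0x6B, subject, now)
	bad, err2 := Issue(ca, caKey, 0x6A, subject, now)
	crl, err3 := CRL(ca, caKey, now, 0x6A)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, nil, fmt.Errorf("setup failed: %v %v %v", err1, err2, err3)
	}
	return Validate(good, ca, crl, now.Add(time.Hour)), Validate(bad, ca, crl, now.Add(time.Hour)), nil
}

func main() {
	valid, revoked, setup := Scenario()
	fmt.Println("setup:", setup, "| serial 6B:", valid, "| serial 6A:", revoked)
}
```

Verify covers the first two checks at once: it builds the chain to the trusted CA, verifies each signature, and rejects a certificate outside its NotBefore/NotAfter window at the supplied time. Revocation is a separate step because a valid signature says nothing about whether the CA has since withdrawn the certificate, which is why the manual pairs pki validate-certificate with pki retrieval-crl.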

5.4  PKI Displaying and Debugging Commands

5.4.1  debugging pki

Syntax

debugging pki { all | request | retrieval | verify | error }

undo debugging pki { all | request | retrieval | verify | error }

View

User view

Parameter

all: Specifies to enable all debugging.

request: Specifies to enable debugging in certificate request.

retrieval: Specifies to enable debugging in certificate retrieval.

verify: Specifies to enable debugging in certificate validation.

error: Specifies to enable debugging in case of errors.

Description

Use the debugging pki command to enable the debugging for PKI.

Use the undo debugging pki command to disable the debugging.

Unexpected problems may occur during device operation. Debugging commands turn on the output of diagnostic information, which helps with network monitoring and fault diagnosis.

By default, all PKI debugging functions are disabled.

Example

# Enable the debugging in case of errors in PKI certificate operation.

[SecBlade_VPN] debugging pki error

[SecBlade_VPN] pki delete-certificate ca domain 1

[SecBlade_VPN] pki request-certificate domain 1

Certificate enroll failed!

Cannot get the CA/RA certificate when creating the x509 Request

# Enable the debugging function for PKI certificate retrieval.

[SecBlade_VPN] debugging pki retrieval

[SecBlade_VPN] pki retrieval-certificate local domain 1

Retrievaling CA/RA certificates. Please wait a while......

We receive 3 certificates.

The trusted CA's finger print is:

    MD5  fingerprint:74C9 B71D 406B DDB3 F74A 96BC E05B 40E9

SHA1 fingerprint:770E 2937 4E32 ACD4 4ACC 7CF1 0FF0 6FB8 6C34 E24A

Is the finger print correct?(Y/N):y

Saving the CA/RA certificate to flash.....................Done!

# Enable the debugging function for PKI certificate request.

[SecBlade_VPN] debugging pki request

[SecBlade_VPN] pki request-certificate domain 1

Create PKCS#10 request: token seen: CN=pki test

Create PKCS#10 request: CN=pki test added

Create PKCS#10 request: subject dn set to '/CN=pki test'

 

Certificate Request:

   …..

  

dir_name:certsrv/mscep/mscep.dll

host_name:169.254.0.100

SCEP transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1

PKCS#7 envelope: creating inner PKCS#7

PKCS#7 envelope: data payload size: 297 bytes

 

data payload:

….

PKCS#7 envelope: successfully encrypted payload

PKCS#7 envelope: size 667 bytes

PKCS#7 envelope: creating outer PKCS#7

PKCS#7 envelope: signature added successfully

PKCS#7 envelope: adding signed attributes

PKCS#7 envelope: adding string attribute transId

PKCS#7 envelope: adding string attribute messageType

PKCS#7 envelope: adding octet attribute senderNonce

PKCS#7 envelope: PKCS#7 data written successfully

PKCS#7 envelope: applying base64 encoding

PKCS#7 envelope: base64 encoded payload size: 2145 bytes

SCEP send message:IP = 0xa9fe0064

SCEP send message: Server returned status code

Valid response from server

PKCS#7 develope: reading outer PKCS#7

PKCS#7 develope: PKCS#7 payload size: 1872 bytes

PKCS#7 develope: PKCS#7 contains 1276 bytes of enveloped data

PKCS#7 develope: verifying signature

PKCS#7 develope: signature ok

PKCS#7 develope: finding signed attributes

PKCS#7 develope: finding attribute transId

PKCS#7 develope: allocating 32 bytes for attribute

PKCS#7 develope: reply transaction id: 58D41D0C5A7B1E21C5F4A008B580B1A1

 

PKCS#7 develope: finding attribute messageType

PKCS#7 develope: allocating 1 bytes for attribute

PKCS#7 develope: reply message type is good

PKCS#7 develope: finding attribute senderNonce

PKCS#7 develope: allocating 16 bytes for attribute

 

PKCS#7 develope: senderNonce in reply: :

 

a6341944 28d9b544 a4755d9a ba320d35

PKCS#7 develope: finding attribute recipientNonce

PKCS#7 develope: allocating 16 bytes for attribute

 

PKCS#7 develope: recipientNonce in reply: :

 

b98da9c3 20b638c5 634f4924 65f804d9

PKCS#7 develope: finding attribute pkiStatus

PKCS#7 develope: allocating 1 bytes for attribute

PKCS#7 develope: pkistatus SUCCESS

PKCS#7 develope: reading inner PKCS#7

PKCS#7 develope: decrypting inner PKCS#7

PKCS#7 develope: PKCS#7 payload size: 1003 bytes

PKI Get the Signed Certificates:

  subject: / CN=pki test

  issuer: /[email protected]/C=CN/ST=Beijing/L=Beijing/O=hw3c/OU=bjs/CN=myca

Key usage: general purpose

# Enable the debugging function for PKI certificate validation

[SecBlade_VPN] debugging pki verify

[SecBlade_VPN] pki validate-certificate local domain 1

Verify certificate......

        Serial Number:

            101E266A 00000000 006B

        Issuer:

            [email protected]

            C=CN

            ST=Beijing

            L=Beijing

            O=hw3c

            OU=bjs

            CN=myca

        Subject:

            C=CN

            ST=bei jing

            O=hua wei - 3com

            CN=pki test

Verify result: ok

Table 5-1 Description on the fields of the debugging pki command

Create PKCS#10 request: Encapsulation of entity request in PKCS#10 format

PKCS#7 envelope: Data encapsulation in PKCS#7 encryption format

inner PKCS#7: PKCS#7 encryption of datagram

outer PKCS#7: Signing of PKCS#7 datagram

PKCS#7 develope: De-encapsulation of PKCS#7 encrypted packet

host_name: Host name of registration server

dir_name: CGI script directory of the registration server

data payload: Data payload

token seen: DN information of an entity

pkistatus: PKI certificate operation status

    SUCCESS: Succeeded

    FAILURE: Failed

    PENDING: Waiting for processing

fingerprint: Usually the signature of CA

base64 encoded: A data encoding mode

x509 Request: Request for certificates in standard X509 format

Key usage: Encryption, signature, and other common usages

Issuer: Certificate issuer

Subject: The entity that delivers certificate request

SCEP send message: The entity sends a certificate operation packet to CA through SCEP

Signed Certificates: Certificates signed by CA
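
The retrieval debugging output above ends with a prompt ("Is the finger print correct?(Y/N)") that is the one point where an operator, not the protocol, establishes trust in the CA: the MD5 and SHA1 values printed are digests of the downloaded CA certificate, and answering Y without comparing them to a value obtained from the CA operator out of band would accept whatever certificate the network delivered. The Go program below is an added illustration, not part of the H3C manual or the SecBlade software. It computes fingerprints in the device's grouped format, normalizes the different ways a fingerprint is usually written (device groups, openssl colons, case), and decides the Y/N answer from the prompt lines and an out-of-band SHA1 value; it deliberately ignores the MD5 line, since MD5 is no longer collision-resistant and a matching MD5 alone is weak evidence. The prompt lines are those printed on this page; the certificate bytes hashed in main are a constructed stand-in.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fingerprints computes what the retrieval prompt shows: the MD5 and SHA1
// digests of the DER-encoded CA certificate, as upper-case hex in 4-digit groups.
func Fingerprints(der []byte) (md5fp, sha1fp string) {
	m := md5.Sum(der)
	s := sha1.Sum(der)
	return group(m[:]), group(s[:])
}

func group(sum []byte) string {
	h := strings.ToUpper(hex.EncodeToString(sum))
	words := make([]string, 0, len(h)/4)
	for i := 0; i < len(h); i += 4 {
		words = append(words, h[i:i+4])
	}
	return strings.Join(words, " ")
}

// Normalize drops spaces, colons, dashes and case so the device's "770E 2937 ..." form,
// openssl's "77:0e:29:37:..." form and a value read out over the phone compare equal.
func Normalize(fp string) string {
	return strings.ToUpper(strings.NewReplacer(" ", "", ":", "", "-", "").Replace(fp))
}

// CheckPrompt decides the Y/N answer from the lines printed before
// "Is the finger print correct?" and the SHA1 fingerprint the CA operator
// supplied out of band. Only the SHA1 line is consulted: MD5 is no longer
// collision-resistant, so a matching MD5 on its own is not confirmation.
func CheckPrompt(promptLines []string, trustedSHA1 string) (bool, error) {
	want := Normalize(trustedSHA1)
	if len(want) != sha1.Size*2 {
		return false, errors.New("trusted SHA1 fingerprint must be 40 hex digits")
	}
	for _, line := range promptLines {
		if !strings.Contains(line, "SHA1") {
			continue
		}
		_, shown, ok := strings.Cut(line, "fingerprint:")
		if !ok {
			return false, errors.New("SHA1 line carries no fingerprint value")
		}
		return Normalize(shown) == want, nil
	}
	return false, errors.New("prompt contained no SHA1 fingerprint line")
}

func main() {
	// Constructed stand-in for DER bytes; a real check hashes the downloaded CA certificate.
	m, s := Fingerprints([]byte("constructed sample bytes, not a real certificate"))
	fmt.Printf("MD5  fingerprint:%s\nSHA1 fingerprint:%s\n", m, s)
	prompt := []string{"The trusted CA's finger print is:", "    MD5  fingerprint:74C9 B71D 406B DDB3 F74A 96BC E05B 40E9",
		"SHA1 fingerprint:770E 2937 4E32 ACD4 4ACC 7CF1 0FF0 6FB8 6C34 E24A"}
	ok, err := CheckPrompt(prompt, "77:0e:29:37:4e:32:ac:d4:4a:cc:7c:f1:0f:f0:6f:b8:6c:34:e2:4a")
	fmt.Println("answer Y:", ok, err)
}
```

The length check on the trusted value guards against a truncated or mistyped reference fingerprint silently comparing unequal and being blamed on the device, and against an empty reference matching nothing or, in a sloppier implementation, everything.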

 

5.4.2  display pki certificate

Syntax

display pki certificate { { local | ca } domain domain-name | request-status }

View

Any view

Parameter

local: Specifies to display all local certificates.

ca: Specifies to display all CA certificates.

request-status: Specifies to display the status of the certificate request after being delivered.

domain-name: Name of the domain to which the certificate to be displayed belongs. It is configured by using the pki domain command.

Description

Use the display pki certificate command to display the certificate information.

Related command: pki retrieval-certificate, pki domain, and certificate request polling.

Example

# Display the local certificates.

[SecBlade_VPN] display pki certificate local domain 1

Data:

        Version: 3 (0x2)

        Serial Number:

            10B7D4E3 00010000 0086

        Signature Algorithm: md5WithRSAEncryption

        Issuer:

            [email protected]

            C=CN

            ST=Beijing

            L=Beijing

            O=hw3c

            OU=bjs

            CN=new-ca

        Validity

            Not Before: Jan 13 08:57:21 2004 GMT

            Not After : Jan 20 09:07:21 2005 GMT

        Subject:

            C=CN

            ST=beijing

            L=beijing

            CN=pki test

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (512 bit)

                Modulus (512 bit):

                    00D41D1F …                   

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Subject Alternative Name:

            DNS:hyf.h3c.com

            …          …

    Signature Algorithm: md5WithRSAEncryption

        A3A5A447 4D08387D …

Table 5-2 Description on the fields of the display pki certificate command

Version: Version number of the certificate

Serial Number: Serial number of the certificate

Signature Algorithm: Signature algorithm

Issuer: Certificate issuer

Validity: Validity period of the certificate

Subject: Subject in the certificate request

Subject Public Key Info: Public key information of the subject in the certificate request

X509v3 extensions: Extension attributes of the X509v3 certificate

X509v3 CRL Distribution Points: Distribution point of X509v3 CRL

5.4.3  display pki crl

Syntax

display pki crl domain domain-name

View

Any view

Parameter

domain-name: Name of the domain to which the CRL belongs. It is configured by using the pki domain command.

Description

Use the display pki crl command to view the locally saved CRL.

Related command: pki retrieval-crl, and pki domain.

Example

# Display a CRL

[SecBlade_VPN] display pki crl domain 1

 Certificate Revocation List (CRL):

        Version 2 (0x1)

        Signature Algorithm: sha1WithRSAEncryption

        Issuer:

            C=CN

            O=h3c

            OU=soft

            CN=A Test Root

        Last Update: Jan  5 08:44:19 2004 GMT

        Next Update: Jan  5 21:42:13 2004 GMT

        CRL extensions:

            X509v3 CRL Number:            2

            X509v3 Authority Key Identifier:

            keyid:0F71448E E075CAB8 ADDB3A12 0B747387 45D612EC

            Revoked Certificates:

            Serial Number: 05a234448E…

            Revocation Date: Sep  6 12:33:22 2004 GMT

            CRL entry extensions:……    

            Serial Number: 05a278445E…

            Revocation Date: Sep  7 12:33:22 2004 GMT

            CRL entry extensions:…      

Table 5-3 Description on the fields of the display pki crl command

Version: CRL version number

Signature Algorithm: Signature algorithm adopted by CRL

Issuer: CA that issues this CRL

Last Update: Last update time

Next Update: Next update time

CRL extensions: Extended attributes of CRL

CRL Number: Number of revoked certificates in the CRL list

Authority Key Identifier: CA that issues this invalid certificate (that is, CRL)

Revoked Certificates: Revoked certificates

Serial Number: Serial number of the revoked certificate

Revocation Date: Revocation date


Chapter 6  DVPN Configuration Commands

6.1.1  algorithm-suite

Syntax

algorithm-suite suite-number

undo algorithm-suite

View

DVPN class view

Parameter

suite-number: Algorithm suite number ranging from 1 to 12, and defaulting to 1. Their meanings are as follows:

  1   DES_MD5_DHGROUP1

  2   DES_MD5_DHGROUP2

  3   DES_SHA1_DHGROUP1

  4   DES_SHA1_DHGROUP2

  5   3DES_MD5_DHGROUP1

  6   3DES_MD5_DHGROUP2

  7   3DES_SHA1_DHGROUP1

  8   3DES_SHA1_DHGROUP2

  9   AES128_MD5_DHGROUP1

  10  AES128_MD5_DHGROUP2

  11  AES128_SHA1_DHGROUP1

  12  AES128_SHA1_DHGROUP2

Description

Use the algorithm-suite command to specify the algorithm suite used when a client registers.

Use the undo algorithm-suite command to restore to the default algorithm suite.

The default algorithm suite is numbered 1, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).

Example

# Specify to use AES for encryption, SHA1 for authentication, and DH-Group1 for key negotiation.

[SecBlade_VPN-dvpn-class-abc] algorithm-suite 11

6.1.2  authentication-client method

Syntax

authentication-client method { none | { chap | pap } [ domain isp-name ] }

View

DVPN policy view

Parameter

pap: Specifies the DVPN server to authenticate clients using the Password Authentication Protocol (PAP).

none: Specifies the DVPN server not to authenticate clients.

chap: Specifies the DVPN server to authenticate clients using the Challenge Handshake Authentication Protocol (CHAP).

domain isp-name: Specifies the DVPN server to authenticate clients in the specified ISP domain.

Description

Use the authentication-client method command to specify how a DVPN server to which the DVPN policy is applied authenticates clients. Currently, the system supports none, chap and pap.

By default, the client is not authenticated.

Example

# Configure a DVPN policy for DVPN server to authenticate clients using CHAP.

[SecBlade_VPN-dvpn-policy-abc] authentication-client method chap

6.1.3  authentication-server method

Syntax

authentication-server method { none | pre-share }

View

DVPN class view

Parameter

none: Specifies the client not to authenticate the DVPN server.

pre-share: Specifies the client to authenticate the DVPN server using a pre-shared-key.

Description

Use the authentication-server method command to specify whether or not a client authenticates the DVPN server that it will access.

By default, a client does not authenticate the DVPN server that it will access.

Example

# Specify the client to authenticate the DVPN server using a pre-shared-key.

[SecBlade_VPN-dvpn-class-abc] authentication-server method pre-share

6.1.4  data algorithm-suite

Syntax

data algorithm-suite suite-number

undo data algorithm-suite

View

DVPN policy view

Parameter

suite-number: Algorithm suite number ranging from 0 to 12, whose meanings are as follows:

  0   Without protection

  1   DES_MD5_DHGROUP1

  2   DES_MD5_DHGROUP2

  3   DES_SHA1_DHGROUP1

  4   DES_SHA1_DHGROUP2

  5   3DES_MD5_DHGROUP1

  6   3DES_MD5_DHGROUP2

  7   3DES_SHA1_DHGROUP1

  8   3DES_SHA1_DHGROUP2

  9   AES128_MD5_DHGROUP1

  10  AES128_MD5_DHGROUP2

  11  AES128_SHA1_DHGROUP1

  12  AES128_SHA1_DHGROUP2

Description

Use the data algorithm-suite command to specify the algorithm suite used by IPSec SAs to forward data.

Use the undo data algorithm-suite command to restore to the default algorithm suite.

The default algorithm suite used by IPSec SAs is numbered 1, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).

Example

# Specify not to encrypt packets.

[SecBlade_VPN-dvpn-policy-abc] data algorithm-suite 0

6.1.5  data ipsec-sa duration

Syntax

data ipsec-sa duration time-based time-interval

undo data ipsec-sa duration time-based

View

DVPN policy view

Parameter

time-interval: Timeout time for renegotiating the IPSec SA used to encrypt DVPN data. Its value ranges from 180 to 604,800 seconds.

Description

Use the data ipsec-sa duration time-based command to set the timeout time for renegotiating the IPSec SA used to encrypt DVPN data.

Use the undo data ipsec-sa duration time-based command to restore to the default timeout time for renegotiating the IPSec SA.

The default timeout time for renegotiating the IPSec SA is 3,600 seconds.

Example

# Set the timeout time to renegotiate the IPSec SA to 86,400 seconds.

[SecBlade_VPN-dvpn-policy-abc] data ipsec-sa duration time-based 86400

6.1.6  debugging dvpn

Syntax

debugging dvpn { all | error | event { all | misc | register | session } | hexadecimal | packet { all | control | data | ipsec } }

undo debugging dvpn { all | error | event { all | register | session | misc } | hexadecimal | packet { all | control | data | ipsec } }

View

User view

Parameter

all: Specifies to enable all types of DVPN debugging.

error: Specifies to enable debugging for DVPN errors.

event: Specifies to enable debugging for DVPN events, such as register events, session events, and misc events.

hexadecimal: Specifies to enable debugging for hexadecimal packets.

packet: Specifies to enable debugging for DVPN packets, such as control packets, data, and IPSec packets.

Description

Use the debugging dvpn command to enable specified DVPN debugging.

Use the undo debugging dvpn command to disable specified DVPN debugging.

Debugging for DVPN is disabled by default.

Example

# Enable debugging for DVPN registration events.

<SecBlade_VPN> debugging dvpn event register

6.1.7  display dvpn ipsec-sa

Syntax

display dvpn ipsec-sa { all | dvpn-id dvpn-id [ private-ip private-ip ] }

View

Any view

Parameter

all: Specifies to display all information about IPSec SAs.

dvpn-id dvpn-id: Specifies the ID of the DVPN domain whose IPSec SAs are to be displayed. The ID ranges from 1 to 65535.

private-ip private-ip: Specifies the private IP address of the DVPN domain whose IPSec SAs are to be displayed.

Description

Use the display dvpn ipsec-sa command to display information about IPSec SAs.

Example

# Display information about IPSec SAs in the DVPN domain 1.

<SecBlade_VPN> display dvpn ipsec-sa dvpn-id 1   

                                            

  ---------------------------              

  Session dvpn-id : 1                      

  Session local   : 10.0.0.3               

  Session remote  : 10.0.0.2               

  sa mode         : DVPN                   

  ---------------------------              

                                           

  [Inbound ESP SAs]                        

   spi : 1549550209 (0x5c5c4281)           

   authentication-algorithm : ESP-AUTH-MD5 

   encryption-algorithm : ESP-ENCRYPT-3DES 

                                           

   life duration(bytes/sec): 0/180         

   remaining life duration(bytes/sec): 0/102

                                           

  [Outbound ESP SAs]                       

   spi : 2421434273 (0x905427a1)           

   authentication-algorithm : ESP-AUTH-MD5 

   encryption-algorithm : ESP-ENCRYPT-3DES 

                                           

   life duration(bytes/sec): 0/180         

   remaining life duration(bytes/sec): 0/102

6.1.8  display dvpn map

Syntax

display dvpn map { all | dvpn-id dvpn-id | public-ip public-ip }

View

Any view

Parameter

dvpn-id dvpn-id: Specifies the ID of the DVPN domain whose map information is to be displayed. The dvpn-id argument ranges from 1 to 65535.

public-ip public-ip: Specifies the public IP address of the DVPN domain whose map information is to be displayed.

Description

Use the display dvpn map command to display information about maps in a DVPN domain, such as private IP address, public IP address, port number, DVPN connection state, DVPN connection type, and control ID.

Example

# Display information about all maps.

[SecBlade_VPN] display dvpn map all

  vpn-id    private-ip   public-ip    port     state  type   control-id

  --------------------------------------------------------------------

       1     10.0.0.2      211.1.1.2     9876   SUCCESS  C->S     70433124

       2     11.0.0.2      211.1.1.2     9876   SUCCESS  C->S     70432548

6.1.9  display dvpn session

Syntax

display dvpn session { all | dvpn-id dvpn-id [ private-ip private-ip ] }

View

Any view

Parameter

all: Specifies to display information about all established sessions.

dvpn-id dvpn-id: Specifies the ID of the DVPN domain whose sessions are to be displayed. The dvpn-id argument ranges from 1 to 65535.

private-ip private-ip: Specifies the private IP address (the IP address of the tunnel interface) of the DVPN domain whose sessions are to be displayed.

Description

Use the display dvpn session command to display information about sessions the device owns.

Example

# Display information about all sessions in the DVPN domain with an ID of 2.

<SecBlade_VPN> display dvpn session dvpn-id 2

  vpn-id       private-ip        public-ip    port     state  type

 -------------------------------------------------------------

       2         11.0.0.2        211.1.1.2    9876   SUCCESS   C->S

       2         11.0.0.4      211.1.1.100   12289   SUCCESS  C->C

6.1.10  display dvpn info

Syntax

display dvpn info { dvpn-id dvpn-id | global }

View

Any view

Parameter

dvpn-id: ID of the DVPN domain ranging from 1 to 65535.

global: Specifies to display global configuration information about DVPN.

Description

Use the display dvpn info command to display configuration and running information about a specified DVPN domain. Use the display dvpn info global command to display global configuration and running information about DVPN.

Example

# Display information about the DVPN domain 1.

[SecBlade_VPN] display dvpn info dvpn-id 1

  ---------------------------------------------------

  DVPN Domain 1 Information                               

  ---------------------------------------------------

  type             : client                                 

  register type  : Undistributed | Forward           

  session number : 1                                      

                                                              

  server           : server0                               

    server state      : active                            

    server public IP  : 211.1.1.2                         

    algorithm suite   : DES_MD5_DHGROUP1                

                                                               

  session encryption flag        : Need encryption     

  data encryption flag            : Need encryption     

  authentication server method   : none                

                                                              

  session algorithm suite        : AES128_SHA1_DHGROUP1

  session setup time              : 10                     

  session idle time               : 300                    

  session keepalive time         : 10                    

  data algorithm suite            : 3DES_MD5_DHGROUP2  

  data ipsecsa duration time     : 180                 

  data ipsecsa duration byte     : 0                     

                                                              

  input packets                     : 17160                  

  input dropped packets           : 0                     

  output packets                    : 87                      

  output direct send packets      : 42                  

  output error dropped packets   : 3                   

  output send ipsec packets       : 42                  

  output send ipsec fail packets : 0
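
The display dvpn info output lists, in one place, the choices made with algorithm-suite (6.1.1), authentication-server method (6.1.3) and data algorithm-suite (6.1.4): the suite names follow the CIPHER_HASH_DHGROUP pattern of the suite tables, and "authentication server method : none" records that the client will register with whatever server answers. The Go program below is an added configuration audit, not code from the H3C manual or the SecBlade software. It parses the key/value lines of the output reproduced above (abridged) and reports the settings that weaken the domain: DES or 3DES encryption, MD5 authentication, DH group 1 for key negotiation, and unauthenticated servers. The weakness judgements (56-bit DES key, 64-bit 3DES block, MD5 collisions, 768-bit DH group 1) are standard cryptographic facts rather than statements from the manual; the treatment of any encryption flag other than "Need encryption" as unprotected is this example's assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleInfo is display dvpn info dvpn-id 1 output copied from the manual (abridged).
const SampleInfo = `
  ---------------------------------------------------
  DVPN Domain 1 Information
  ---------------------------------------------------
  type             : client
  register type  : Undistributed | Forward
  session number : 1

  server           : server0
    server state      : active
    server public IP  : 211.1.1.2
    algorithm suite   : DES_MD5_DHGROUP1

  session encryption flag        : Need encryption
  data encryption flag            : Need encryption
  authentication server method   : none

  session algorithm suite        : AES128_SHA1_DHGROUP1
  data algorithm suite            : 3DES_MD5_DHGROUP2
  data ipsecsa duration time     : 180
`

// Finding records one setting that weakens the domain's protection.
type Finding struct{ Key, Value, Reason string }

// parseInfo maps "key : value" lines to values, collapsing the alignment
// spacing in keys; rules and headings carry no colon and are skipped.
func parseInfo(output string) map[string]string {
	kv := map[string]string{}
	for _, line := range strings.Split(output, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			kv[strings.Join(strings.Fields(k), " ")] = strings.TrimSpace(v)
		}
	}
	return kv
}

// suiteWeaknesses reads a suite in the manual's CIPHER_HASH_DHGROUP form
// (for example 3DES_MD5_DHGROUP2) and names its dated components.
func suiteWeaknesses(suite string) []string {
	parts := strings.Split(suite, "_")
	if len(parts) != 3 {
		return []string{"unrecognised suite name"}
	}
	var why []string
	switch parts[0] {
	case "DES":
		why = append(why, "DES uses a 56-bit key")
	case "3DES":
		why = append(why, "3DES has a 64-bit block size and is deprecated")
	}
	if parts[1] == "MD5" {
		why = append(why, "MD5 is collision-prone")
	}
	if parts[2] == "DHGROUP1" {
		why = append(why, "DH group 1 is the 768-bit MODP group")
	}
	return why
}

// Audit returns the weak settings in one domain's display dvpn info output: the
// registration suite (algorithm-suite), the session and data suites, server
// authentication (authentication-server method) and the encryption flags.
func Audit(output string) []Finding {
	kv := parseInfo(output)
	var found []Finding
	for _, key := range []string{"algorithm suite", "session algorithm suite", "data algorithm suite"} {
		if v, ok := kv[key]; ok {
			for _, reason := range suiteWeaknesses(v) {
				found = append(found, Finding{key, v, reason})
			}
		}
	}
	if kv["authentication server method"] == "none" {
		found = append(found, Finding{"authentication server method", "none",
			"the client does not authenticate the DVPN server it registers with"})
	}
	// Assumption: any flag value other than the manual's "Need encryption" means the path is unprotected.
	for _, key := range []string{"session encryption flag", "data encryption flag"} {
		if v, ok := kv[key]; ok && v != "Need encryption" {
			found = append(found, Finding{key, v, "traffic on this path is not encrypted"})
		}
	}
	return found
}

func main() {
	for _, f := range Audit(SampleInfo) {
		fmt.Printf("%-30s %-22s %s\n", f.Key, f.Value, f.Reason)
	}
}
```

Run against the sample, the audit reports seven findings: three for the server's registration suite DES_MD5_DHGROUP1, one for the session suite's DH group 1, two for the data suite's 3DES and MD5, and one for the unauthenticated server. Suite 12 (AES128_SHA1_DHGROUP2) on all three lines with authentication-server method pre-share produces none.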

6.1.11  display dvpn online-user

Syntax

display dvpn online-user

View

Any view

Parameter

None

Description

Use the display dvpn online-user command to display information about online DVPN users. You can use this command to check users that pass AAA (authentication, authorization, and accounting) authentication and are accessing the DVPN domains.

Example

# Display information about online DVPN users.

<SecBlade_VPN> dis dvpn online-user        

  username    : dvpnuser@dvpn     

  authen-type : CHAP              

  DVPN total online-user count : 1

6.1.12  dvpn class

Syntax

dvpn class dvpn-class-name

undo dvpn class dvpn-class-name

View

System view

Parameter

dvpn-class-name: Name of the DVPN class to be created, a string containing no more than 31 characters.

Description

Use the dvpn class command to create a DVPN class and enter its view.

Use the undo dvpn class command to remove a DVPN class.

Parameters such as the IP address of the DVPN server and the user name and password for registration are configured in DVPN class view. You cannot remove a DVPN class which has been applied to a tunnel interface.

No DVPN class is configured by default.

Example

# Create a DVPN class named “abc”.

[SecBlade_VPN] dvpn class abc

6.1.13  dvpn client register-dumb

Syntax

dvpn client register-dumb time

undo dvpn client register-dumb

View

System view

Parameter

time: Interval after which a client attempts to register with the DVPN server again. This argument ranges from 60 to 3,600 (in seconds).

Description

A client enters dumb state when it fails to register with a DVPN server within the configured number of retries. Use the dvpn client register-dumb command to set how long a client remains in dumb state before it attempts to register again.

Use the undo dvpn client register-dumb command to restore to the default dumb interval.

Example

# Set the dumb interval to 600 seconds.

[SecBlade_VPN] dvpn client register-dumb 600

6.1.14  dvpn client register-interval

Syntax

dvpn client register-interval time-interval

undo dvpn client register-interval

View

System view

Parameter

time-interval: Interval for the client to register, in the range 3 to 60 (in seconds).

Description

Use the dvpn client register-interval command to set the interval for the client to register.

Use the undo dvpn client register-interval command to restore to the default interval for the client to register.

The DVPN client initiates a request to register with the server. If the client fails to register after the specified interval, the client initiates a request again. If the client fails to register for the maximum retry times, the DVPN client enters dumb state.

By default, the interval for the client to register is 10 seconds.

Example

# Set the interval for the client to register to 20 seconds.

[SecBlade_VPN] dvpn client register-interval 20

6.1.15  dvpn client register-retry

Syntax

dvpn client register-retry times

undo dvpn client register-retry

View

System view

Parameter

times: Maximum retries for the client to register with a DVPN server continuously. This argument ranges from 1 to 6.

Description

Use the dvpn client register-retry command to set the maximum retries for a client to register with a DVPN server continuously.

Use the undo dvpn client register-retry command to restore to the default retries for a client to register with a DVPN server continuously.

By default, the maximum retries for a client to register with a DVPN server is 3.

Example

# Set the maximum retries for a client to register with a DVPN server continuously to 6.

[SecBlade_VPN] dvpn client register-retry 6

6.1.16  dvpn dvpn-id

Syntax

dvpn dvpn-id dvpn-id

undo dvpn dvpn-id

View

Tunnel interface view

Parameter

dvpn-id: ID of the DVPN domain ranging from 1 to 65535.

Description

Use the dvpn dvpn-id command to specify the DVPN domain to which the tunnel interface belongs. This command is valid only when the tunnel interface uses DVPN encapsulation.

Use the undo dvpn dvpn-id command to remove the DVPN domain ID assigned to the tunnel interface.

No DVPN domain ID is assigned to a tunnel interface by default.

Related command: Tunnel-protocol udp dvpn.

Example

# Specify the tunnel interface to belong to the DVPN domain 100.

[SecBlade_VPN] interface Tunnel 0

[SecBlade_VPN-Tunnel0] Tunnel-protocol udp dvpn

[SecBlade_VPN-Tunnel0] dvpn dvpn-id 100

6.1.17  dvpn interface-type

Syntax

dvpn interface-type { client | server }

undo dvpn interface-type

View

Tunnel interface view

Parameter

client: Specifies the tunnel interface to be of client type.

server: Specifies the tunnel interface to be of server type.

Description

Use the dvpn interface-type command to specify the type of a tunnel interface.

Use the undo dvpn interface-type command to restore the default type of the tunnel interface.

A tunnel interface is of client type by default.

Example

# Specify the tunnel interface to be of server type.

[SecBlade_VPN-Tunnel0] dvpn interface-type server

6.1.18  dvpn policy

Syntax

dvpn policy dvpn-policy-name

undo dvpn policy dvpn-policy-name

View

System view

Parameter

dvpn-policy-name: Name of the DVPN policy to be created, a string containing no more than 31 characters.

Description

Use the dvpn policy command to create a DVPN policy and enter its view.

Use the undo dvpn policy command to remove a DVPN policy.

DVPN policy settings, such as the way clients are authenticated, the algorithm suite used by sessions, the algorithm suite used for forwarding packets, and timer values, are configured in DVPN policy view. To remove a DVPN policy that is applied to a tunnel interface, you must first disable it on that interface.

No DVPN policy is configured by default.

Example

# Create a DVPN policy named “abc”.

[SecBlade_VPN] dvpn policy abc

6.1.19  dvpn policy

Syntax

dvpn policy dvpn-policy-name

undo dvpn policy dvpn-policy-name

View

Tunnel interface view

Parameter

dvpn-policy-name: Name of the DVPN policy to be applied to a tunnel interface. A DVPN policy is a data structure that contains information such as the algorithms used by sessions and timer settings. You can use the dvpn policy command in system view to create DVPN policies.

Description

Use the dvpn policy command to apply a specified DVPN policy to a tunnel interface that is of server type.

Use the undo dvpn policy command to disable a DVPN policy applied to a tunnel interface.

Only one DVPN policy can be applied to a tunnel interface. Therefore, to apply another DVPN policy, you must disable the existing one first. A DVPN policy can be applied to multiple tunnel interfaces.

You can execute the dvpn policy command only when the tunnel interface is of server type.

A tunnel interface does not have a DVPN policy applied to it by default.

Related command: dvpn interface-type.

Example

# Apply the DVPN policy named “abc” to the tunnel interface.

[SecBlade_VPN-Tunnel0] dvpn interface-type server

[SecBlade_VPN-Tunnel0] dvpn policy abc

6.1.20  dvpn register-type

Syntax

dvpn register-type { forward | undistributed } *

undo dvpn register-type { forward | undistributed } *

View

Tunnel interface view

Parameter

forward: Specifies the DVPN server to forward all packets sourced from the client.

undistributed: Specifies the DVPN server not to distribute registration information about the client to other clients.

Description

Use the dvpn register-type command to set the flags carried as additional information when a client registers with a DVPN server.

Use the undo dvpn register-type command to remove the configuration.

The DVPN server decides whether to send redirect packets according to these flags.

You can execute the dvpn register-type command only when the tunnel interface is of client type.

Related command: dvpn interface-type.

The two flags are not set by default.

Example

# Prevent the DVPN server from distributing registration information about the client to other clients.

[SecBlade_VPN-Tunnel0] dvpn register-type undistributed

6.1.21  dvpn security

Syntax

dvpn security acl acl-number

undo dvpn security acl

View

Tunnel interface view

Parameter

acl-number: ACL number ranging from 3000 to 3999. This argument identifies the ACL used to decide whether a data flow is IPSec-encrypted.

Description

Use the dvpn security acl command to configure the ACL used to filter packets passing through the tunnel interface.

Use the undo dvpn security acl command to remove the ACL.

You can configure an ACL to filter packets forwarded in a DVPN domain. Packets denied by the ACL are not processed by IPSec; packets permitted by the ACL are IPSec-encrypted.

Example

# Specify ACL 3100 to select the data flow that is IPSec-encrypted through the tunnel interface.

[SecBlade_VPN-Tunnel0] dvpn security acl 3100

6.1.22  dvpn server

Syntax

dvpn server dvpn-class-name

undo dvpn server dvpn-class-name

View

Tunnel interface view

Parameter

dvpn-class-name: Name of the DVPN class to be applied to the tunnel interface. A DVPN class is a data structure that contains information such as the public IP address, private IP address, user name and password of the DVPN server. You can create a DVPN class by executing the dvpn class command in system view.

Description

Use the dvpn server command to configure the DVPN class to be applied to a tunnel interface.

Use the undo dvpn server command to remove the DVPN class applied to a tunnel interface.

At present, a tunnel interface can be configured with only one DVPN server in a DVPN domain, and a DVPN class can be applied to only one tunnel interface.

A tunnel interface is not configured with a DVPN class by default.

Example

# Apply the DVPN class named “abc” to the tunnel interface.

[SecBlade_VPN-Tunnel0] dvpn server abc

6.1.23  dvpn server authentication-client method

Syntax

dvpn server authentication-client method { none | { chap | pap } [ domain isp-name ] }

View

System view

Parameter

none: Specifies the DVPN server not to authenticate clients.

pap: Specifies the DVPN server to authenticate clients using PAP.

chap: Specifies the DVPN server to authenticate clients using CHAP.

domain isp-name: Specifies the DVPN server to authenticate clients using the specified ISP domain.

Description

Use the dvpn server authentication-client method command to configure the mode the DVPN server uses to authenticate clients. If no DVPN policy specifies an authentication mode for the clients that register, the system uses this default mode. Currently the supported authentication modes are none, chap and pap.

When the client registers with the server, the server determines how to authenticate the client according to the configured DVPN policy. If there is no corresponding policy, the server authenticates the client using the global authentication mode.

By default, the server does not authenticate the clients.

Example

# Configure the DVPN server to authenticate the clients using CHAP.

[SecBlade_VPN] dvpn server authentication-client method chap

6.1.24  dvpn server map age-time

Syntax

dvpn server map age-time time

undo dvpn server map age-time

View

System view

Parameter

time: Map aging time of a DVPN server. This argument ranges from 10 to 180 seconds.

Description

Use the dvpn server map age-time command to set the map aging time of a DVPN server.

Use the undo dvpn server map age-time command to restore the default map aging time.

If a client does not successfully register with the DVPN server within the map aging time, the established map is removed.

The default map aging time is 30 seconds.

Example

# Set the map aging time to 60 seconds.

[SecBlade_VPN] dvpn server map age-time 60

6.1.25  dvpn server pre-shared-key

Syntax

dvpn server pre-shared-key key

undo dvpn server pre-shared-key

View

System view

Parameter

key: Pre-shared-key of the DVPN server, a string containing no more than 127 characters.

Description

Use the dvpn server pre-shared-key command to set a pre-shared-key for a DVPN server.

Use the undo dvpn server pre-shared-key command to remove the pre-shared-key of a DVPN server.

A DVPN server is not configured with a pre-shared-key by default.

Example

# Set the pre-shared-key of the DVPN server to “123”.

[SecBlade_VPN] dvpn server pre-shared-key 123

6.1.26  dvpn service enable

Syntax

dvpn service enable

undo dvpn service enable

View

System view

Parameter

None

Description

Use the dvpn service enable command to enable the DVPN feature on the device.

Use the undo dvpn service enable command to disable the DVPN feature on the device.

By default, the DVPN feature is disabled on the device.

Example

# Enable the DVPN feature.

[SecBlade_VPN] dvpn service enable

6.1.27  local-user

Syntax

local-user username password { simple | cipher } password

undo local-user

View

DVPN class view

Parameter

username: User name of the client, a string containing no more than 80 characters.

password: Password of the client.

simple: Displays the password in plain text in the configuration.

cipher: Displays the password in cipher text in the configuration.

Description

Use the local-user command to configure the user name and password of a client.

Use the undo local-user command to remove the configured user name and password.

Example

# Configure the user name and password of a client as “user” and “test” respectively, and display the password in plain text.

[SecBlade_VPN-dvpn-class-abc] local-user user password simple test

6.1.28  public-ip

Syntax

public-ip ip-address

undo public-ip

View

DVPN class view

Parameter

ip-address: Public IP address of a DVPN server.

Description

Use the public-ip command to assign a public IP address to a specified DVPN server.

Use the undo public-ip command to remove the public IP address assigned to a specified DVPN server.

No public IP address is assigned to a DVPN server by default.

Example

# Assign a public IP address (61.18.3.66) to a DVPN server.

[SecBlade_VPN-dvpn-class-abc] public-ip 61.18.3.66

6.1.29  pre-shared-key

Syntax

pre-shared-key key

undo pre-shared-key

View

DVPN class view

Parameter

key: Key of the server, a string containing no more than 127 characters.

Description

Use the pre-shared-key command to set the pre-shared-key used when a client authenticates a DVPN server.

Use the undo pre-shared-key command to remove the pre-shared-key of the DVPN server configured on the client side.

Example

# Set the pre-shared-key of the DVPN server to “123” on a client side.

[SecBlade_VPN-dvpn-class-abc] pre-shared-key 123

6.1.30  private-ip

Syntax

private-ip ip-address

undo private-ip

View

DVPN class view

Parameter

ip-address: Private IP address of a DVPN server (the IP address of a tunnel interface).

Description

Use the private-ip command to assign a private IP address to a specified DVPN server.

Use the undo private-ip command to remove the private IP address assigned to a specified DVPN server.

A DVPN server is not assigned a private IP address by default.

Example

# Assign a private IP address (192.168.0.1) to a DVPN server. (That is, assign the private IP address to the tunnel interface.)

[SecBlade_VPN-dvpn-class-abc] private-ip 192.168.0.1
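
The client-side commands in 6.1.13 through 6.1.15, 6.1.20, 6.1.22 and 6.1.27 through 6.1.30 are normally used together. The following is an added example assembling them into one client configuration; it is not taken from the manual. The class name, user name, addresses and placeholder secrets are constructed. The dvpn class command is the system-view command referenced in 6.1.22; the ip address and quit commands are assumed from the interface and basic command references and are not documented on this page.

```text
# Added example (not from the manual): client-side DVPN configuration.
# Names, addresses and the <...> secrets are constructed placeholders.

# --- Client registration behaviour (system view, 6.1.13 to 6.1.15, 6.1.26)
[SecBlade_VPN] dvpn service enable
[SecBlade_VPN] dvpn client register-interval 20
[SecBlade_VPN] dvpn client register-retry 6
[SecBlade_VPN] dvpn client register-dumb 600

# --- DVPN class describing the server this client registers with
# (dvpn class is the system-view command referenced in 6.1.22)
[SecBlade_VPN] dvpn class hq-server
[SecBlade_VPN-dvpn-class-hq-server] public-ip 203.0.113.10
[SecBlade_VPN-dvpn-class-hq-server] private-ip 192.168.0.1
# cipher: the client password is shown in cipher text, not plain text, in the configuration (6.1.27)
[SecBlade_VPN-dvpn-class-hq-server] local-user branch01 password cipher <client-password>
# key the client uses to authenticate the server (6.1.29)
[SecBlade_VPN-dvpn-class-hq-server] pre-shared-key <server-psk>
[SecBlade_VPN-dvpn-class-hq-server] quit

# --- Client tunnel interface bound to the class (6.1.16, 6.1.17, 6.1.20, 6.1.22, 6.1.39)
[SecBlade_VPN] interface Tunnel 0
[SecBlade_VPN-Tunnel0] Tunnel-protocol udp dvpn
[SecBlade_VPN-Tunnel0] dvpn dvpn-id 100
[SecBlade_VPN-Tunnel0] dvpn interface-type client
# ip address: assumed from the interface command reference, not documented on this page
[SecBlade_VPN-Tunnel0] ip address 192.168.0.2 255.255.255.0
[SecBlade_VPN-Tunnel0] dvpn server hq-server
# undistributed: the server does not advertise this client's registration to other clients
[SecBlade_VPN-Tunnel0] dvpn register-type undistributed
[SecBlade_VPN-Tunnel0] quit
```

With these values the client repeats its registration request every 20 seconds and, after 6 consecutive failures (roughly two minutes), stays in dumb state for 600 seconds before trying again; lengthening register-dumb limits how often an unreachable or misconfigured client retries, while shortening it speeds recovery after a server outage. Using password cipher keeps the client credential out of plain-text configuration displays.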

6.1.31  reset dvpn all

Syntax

reset dvpn all dvpn-id

View

User view

Parameter

dvpn-id: ID of the DVPN domain whose running information is to be cleared.

Description

Use the reset dvpn all command to clear all running information about a DVPN domain and to initialize the DVPN domain.

Example

# Reset DVPN domain 2.

<SecBlade_VPN> reset dvpn all 2

6.1.32  reset dvpn map

Syntax

reset dvpn map public-ip port [ client-id ]

View

User view

Parameter

public-ip: Public IP address.

port: Port number ranging from 1 to 65,535.

client-id: ID of the client, ranging from 1 to 4,294,967,295.

Description

Use the reset dvpn map command to clear a specified map. This command also clears the sessions corresponding to the map (if the sessions exist). If the map is used by a client to register, this command clears all sessions established by the DVPN clients who register using the specified map.

Example

# Clear the map with public IP address 10.0.0.2, port number 9876, and client ID 123456.

<SecBlade_VPN> reset dvpn map 10.0.0.2 9876 123456

6.1.33  reset dvpn session

Syntax

reset dvpn session dvpn-id private-ip

View

User view

Parameter

dvpn-id: ID of a DVPN domain ranging from 1 to 65,535.

private-ip: Private IP address.

Description

Use the reset dvpn session command to clear a specified session. If the session is the one established when the client registers, then this command clears all sessions established by the DVPN client.

Example

# Clear the session with private IP address 10.0.0.2 in DVPN domain 2.

<SecBlade_VPN> reset dvpn session 2 10.0.0.2

6.1.34  reset dvpn statistics

Syntax

reset dvpn statistics

View

User view

Parameter

None

Description

Use the reset dvpn statistics command to clear all statistics of the DVPN module.

Example

# Clear DVPN statistics information.

<SecBlade_VPN> reset dvpn statistics

6.1.35  session algorithm-suite

Syntax

session algorithm-suite suite-number

undo session algorithm-suite

View

DVPN policy view

Parameter

suite-number: Algorithm suite number ranging from 0 to 12. This argument stands for the algorithm suite used to encrypt session control packets, whose available values are described as follows:

0   Without protection

1   DES_MD5_DHGROUP1

2   DES_MD5_DHGROUP2

3   DES_SHA1_DHGROUP1

4   DES_SHA1_DHGROUP2

5   3DES_MD5_DHGROUP1

6   3DES_MD5_DHGROUP2

7   3DES_SHA1_DHGROUP1

8   3DES_SHA1_DHGROUP2

9   AES128_MD5_DHGROUP1

10   AES128_MD5_DHGROUP2

11   AES128_SHA1_DHGROUP1

12   AES128_SHA1_DHGROUP2

Description

Use the session algorithm-suite command to specify the algorithm suite that the sessions will use.

Use the undo session algorithm-suite command to restore the default algorithm suite.

Algorithm suite 1 is used by session control packets by default, which stands for DES (for encryption), MD5 (for authentication), and DH-GROUP1 (for key negotiation).

Example

# Specify not to encrypt control packets.

[SecBlade_VPN-dvpn-policy-abc] session algorithm-suite 0

6.1.36  session idle-time

Syntax

session idle-time time

undo session idle-time

View

DVPN policy view

Parameter

time: Idle timeout time ranging from 60 to 86,400 seconds.

Description

Use the session idle-time command to set the idle timeout time for sessions.

Use the undo session idle-time command to restore the default idle timeout time.

If there are no packets in a session within the specified idle timeout time, the session will be removed automatically.

By default, the idle timeout time is 300 seconds.

Example

# Set the idle timeout time to 180 seconds.

[SecBlade_VPN-dvpn-policy-abc] session idle-time 180

6.1.37  session keepalive-interval

Syntax

session keepalive-interval time-interval

undo session keepalive-interval

View

DVPN policy view

Parameter

time-interval: Keepalive interval ranging from 5 to 300 seconds.

Description

Use the session keepalive-interval command to set the keepalive interval of sessions.

Use the undo session keepalive-interval command to restore the default keepalive interval.

Keepalive packets are used to check the connection state of sessions. After a session is established, the active side sends keepalive packets at regular intervals if there are no packets in the session, and the passive side responds with keepalive-ack packets.

By default, the keepalive interval is 10 seconds.

Example

# Set the keepalive interval to 30 seconds.

[SecBlade_VPN-dvpn-policy-abc] session keepalive-interval 30

6.1.38  session setup-interval

Syntax

session setup-interval time-interval

undo session setup-interval

View

DVPN policy view

Parameter

time-interval: Interval for sending requests to establish a session. This argument ranges from 5 to 60 seconds.

Description

Use the session setup-interval command to set the interval for sending requests to establish a session (Setup request). Setup request packets are sent regularly until the session is established.

Use the undo session setup-interval command to restore the default interval.

If a client receives no response from the peer within the interval after sending a Setup request, it sends another Setup request packet.

By default, the interval for sending setup requests is 10 seconds.

Example

# Set the setup request interval to 30 seconds.

[SecBlade_VPN-dvpn-policy-abc] session setup-interval 30

6.1.39  Tunnel-protocol udp dvpn

Syntax

Tunnel-protocol udp dvpn

View

Tunnel interface view

Parameter

udp dvpn: Specifies to encapsulate the tunnel interface using UDP DVPN.

Description

Use the Tunnel-protocol udp dvpn command to set the encapsulation format of a tunnel interface to UDP DVPN. When encapsulated using UDP DVPN, a tunnel interface is a multipoint, non-broadcast multiple access (NBMA) interface.

A tunnel interface is encapsulated by GRE by default.

Example

# Encapsulate a tunnel interface using UDP DVPN.

[SecBlade_VPN-Tunnel0] Tunnel-protocol udp dvpn
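
The server-side commands in this chapter (6.1.16 through 6.1.19, 6.1.21, 6.1.23 through 6.1.26, 6.1.35 through 6.1.39) likewise form one procedure. The following is an added example assembling them into a complete server configuration; it is not taken from the manual. The policy name, domain ID, addresses and the placeholder key are constructed. The acl number and rule commands that create advanced ACL 3100, and the ip address and quit commands, are assumed from the ACL, interface and basic command references and are not documented on this page.

```text
# Added example (not from the manual): server-side DVPN configuration.
# Names, addresses and the <...> secret are constructed placeholders.

# --- Global server settings (system view, 6.1.23 to 6.1.26)
[SecBlade_VPN] dvpn service enable
# CHAP rather than none or PAP: the client password is not sent in plain text
[SecBlade_VPN] dvpn server authentication-client method chap
[SecBlade_VPN] dvpn server pre-shared-key <server-psk>
# map entries for clients that never complete registration are dropped after 60 s
[SecBlade_VPN] dvpn server map age-time 60

# --- Advanced ACL selecting the traffic that IPSec encrypts (used by 6.1.21)
# acl number / rule: assumed from the ACL command reference, not documented on this page
[SecBlade_VPN] acl number 3100
[SecBlade_VPN-acl-adv-3100] rule 0 permit ip source 192.168.0.0 0.0.255.255 destination 192.168.0.0 0.0.255.255
[SecBlade_VPN-acl-adv-3100] quit

# --- DVPN policy (6.1.18, 6.1.35 to 6.1.38)
[SecBlade_VPN] dvpn policy branch-policy
# suite 12 = AES128_SHA1_DHGROUP2, the strongest entry in the 6.1.35 table,
# instead of the default suite 1 (DES_MD5_DHGROUP1)
[SecBlade_VPN-dvpn-policy-branch-policy] session algorithm-suite 12
[SecBlade_VPN-dvpn-policy-branch-policy] session idle-time 600
[SecBlade_VPN-dvpn-policy-branch-policy] session keepalive-interval 30
[SecBlade_VPN-dvpn-policy-branch-policy] session setup-interval 10
[SecBlade_VPN-dvpn-policy-branch-policy] quit

# --- Server tunnel interface (6.1.16, 6.1.17, 6.1.19, 6.1.21, 6.1.39)
[SecBlade_VPN] interface Tunnel 0
[SecBlade_VPN-Tunnel0] Tunnel-protocol udp dvpn
[SecBlade_VPN-Tunnel0] dvpn dvpn-id 100
# interface-type server must be set before a policy can be applied (6.1.19)
[SecBlade_VPN-Tunnel0] dvpn interface-type server
[SecBlade_VPN-Tunnel0] dvpn policy branch-policy
[SecBlade_VPN-Tunnel0] dvpn security acl 3100
# ip address: assumed from the interface command reference; this is the address
# clients enter as private-ip in their DVPN class (6.1.30)
[SecBlade_VPN-Tunnel0] ip address 192.168.0.1 255.255.255.0
[SecBlade_VPN-Tunnel0] quit
```

Two points worth checking on a real deployment: the order of commands on the tunnel interface matters, because 6.1.19 states that dvpn policy is accepted only on a server-type interface, and the session algorithm suite is worth setting explicitly, because the default suite 1 uses DES and MD5. Traffic the ACL denies crosses the tunnel without IPSec processing (6.1.21), so the rule set should be reviewed whenever the private address plan changes.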

 
