| Parameter | Description | Value |
|---|---|---|
| brief | Displays brief information about IKE peers. | - |
| name peer-name | Displays detailed information about the IKE peer with a specified name. | The value must be an existing IKE peer name. |
The display ike peer command output contains the following information:
# Display brief configuration of the IKE peer.
```
<sysname> display ike peer brief
Current ike peer number: 3
---------------------------------------------------------------------------
Peer name    Version    Exchange-mode    Proposal    Id-type    RemoteAddr
---------------------------------------------------------------------------
1            v1v2       main             11          IP
peer1        v1v2       main             12          IP
huawei       v1v2       main             13          IP
```
| Item | Description |
|---|---|
| Current ike peer number | Current number of IKE peers that have been configured. |
| Peer name | Number of an IKE peer. To configure an IKE peer, run the ike peer command. |
| Version | IKE version of the IKE peer: |
| Exchange-mode | IKEv1 negotiation mode: |
| Proposal | Name of the referenced IKE proposal. To configure an IKE proposal, run the ike-proposal command. |
| Id-type | Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command. |
| RemoteAddr | IP address of the remote IKE peer. To configure an IP address of the remote IKE peer, run the remote-address command. |
# Display configuration of the IKE peer.
```
<sysname> display ike peer
Number of IKE peers: 1
------------------------------------------
Peer name                               : 1
IKE version                             : v1v2
VPN instance                            : vpn1
Remote IP                               : 1.1.1.1
Remote IP                               : 2.2.2.2
Authentic IP address                    : -
Proposal                                : 1
Pre-shared-key                          : %^%#G7(t:%yFw/PVF>Jsva;"zx]oL!sw-8z\C;I}%%RY%^%#
Local ID type                           : IP
Local ID                                : -
Remote ID type                          : any
Remote ID                               : -
certificate local-filename              : -
certificate peer-filename               : -
certificate peer-name                   : -
PKI realm                               : NULL
Inband OCSP                             : Disable
Inband CRL                              : Disable
IP pool number                          : 1
cert-request empty-payload              : Disable
VPN instance bound to the SA            : -
NAT-traversal                           : Enable
Service-scheme name                     : a
Ikev2 Redirect Group                    : group1
Ikev2 Redirect Period                   : Ike_Init
Re-authentication interval(s)           : 333
Xauth                                   : Disable
Xauth type                              : CHAP
IKE user-table                          : 1
DSCP                                    : default
Lifetime-notification-message           : Enable
DPD                                     : Enable
DPD type                                : on-demand
DPD retry-limit                         : 3
DPD retransmit-interval(s)              : 30
DPD idle-time(s)                        : 60
DPD message                             : seq-hash-notify
DPD message learning                    : Enable
DPD packet receive if-related           : Enable
Soft-expire buffer before hard-expire(s): 100
RSA encryption-padding                  : PKCS1
RSA signature-padding                   : PKCS1
ipsec sm4 version                       : standard
Certificate-access-policy               : aaa
IKE negotiate compatible                : Enable
Certificate-check                       : Disable
Resource acl                            : -
validate-certificate whitelist          : Enable
whitelist-fuzzy-match                   : Enable
Local ID Certificate Preference         : Enable
IKEv2 Local ID Reflect                  : Enable
IKEv1 phase1-phase2 sa dependent        : Enable
IKEv2 fragmentation                     : Enable
IKEv2 fragmentation MTU                 : 576(IPv4)/1280(IPv6)
IKEv2 authentication signature-hash     : SHA1
------------------------------------------
```
| Item | Description |
|---|---|
| Number of IKE peers | Number of IKE peers that have been configured. |
| Peer name | Name of an IKE peer. To configure an IKE peer, run the ike peer command. |
| IKE version | IKE version of the IKE peer: To configure an IKE version, run the version (IKE peer view) command. |
| VPN instance | VPN instance name. To configure a VPN instance name, run the remote-address command. |
| Remote IP | IP address of the remote IKE peer. To configure an IP address of the remote IKE peer, run the remote-address command. If the remote domain name is configured, it will be displayed next to the IP address, for example, 1.1.1.1(www.huawei.com). |
| Authentic IP address | IP address used for IKE negotiation authentication before NAT translation. To configure the IP address used for IKE negotiation authentication before NAT translation, run the remote-address command. |
| Proposal | Referenced IKE proposal. This parameter is available only when the IKE proposal has been configured using the ike-proposal command. |
| Pre-shared-key | Pre-shared key used for authentication. When an IKE proposal referenced by an IKE peer uses pre-shared key authentication, the pre-shared key is used for identity authentication. To configure a pre-shared key, run the pre-shared-key (IKE peer view) command. |
| Local ID type | Local ID type in IKE negotiation. To set the local ID type, run the local-id-type command. |
| Local ID | Local ID used in IKE negotiation. To set the local ID used in IKE negotiation, run the ike local-name or local-id (IKE peer view) command. |
| Remote ID type | Remote ID type in IKE negotiation. To set the remote ID type, run the remote-id-type command. |
| Remote ID | Remote ID used in IKE negotiation. To configure the remote ID used in IKE negotiation, run the remote-id command. |
| certificate local-filename | Certificate used by the local device. To configure the local certificate, run the certificate local-filename command. |
| certificate peer-filename | Certificate used by the IKE peer. To configure the peer certificate, run the certificate peer-filename command. |
| certificate peer-name | Peer name in the specified certificate. To configure the peer name, run the certificate peer-name command. |
| PKI realm | PKI realm bound to the IKE peer. To bind a PKI realm to an IKE peer, run the pki realm (IKE peer view) command. |
| Inband OCSP | Whether IKEv2 is used to transmit Online Certificate Status Protocol (OCSP) requests and responses: To configure this function, run the inband ocsp command. |
| Inband CRL | Whether IKEv2 is used to transmit certificate revocation list (CRL) requests and responses: To configure this function, run the inband crl command. |
| IP pool number | Number of IP address pools referenced by an IKE peer. To configure the number of IP address pools, run the remote-address command. |
| cert-request empty-payload | Whether the certificate request payload is empty: To configure the device to send certificate requests with empty payload, run the certificate-request empty-payload enable command. |
| VPN instance bound to the SA | Name of the VPN instance bound to the IPSec tunnel. To bind a VPN instance to an IPSec tunnel, run the sa binding vpn-instance command. |
| NAT-traversal | Whether NAT traversal is enabled: |
| Service-scheme name | AAA scheme referenced by an IKE peer. To configure an AAA scheme, run the service-scheme (IKE peer view) command. |
| Ikev2 Redirect Group | Load balancing group referenced by an IKE peer. To configure a load balancing group, run the ikev2-redirect-group command. |
| Ikev2 Redirect Period | IKEv2 redirection phase. |
| Re-authentication interval(s) | IKEv2 re-authentication interval. To configure an IKEv2 re-authentication interval, run the re-authentication interval command. |
| Xauth | Whether IKEv1 extended authentication is enabled: |
| Xauth type | IKEv1 extended authentication mode: |
| IKE user-table | IKE user table referenced by an IKE peer. To configure an IKE user table, run the user-table command. |
| DSCP | DSCP value of IKE packets of an IKE peer. To configure a DSCP value, run the dscp (IKE peer view) command. |
| Lifetime-notification-message | Whether the device is enabled to send notification messages of the IKE SA lifetime: |
| DPD | Whether the DPD function is enabled: |
| DPD type | DPD mode of an IKE peer. |
| DPD retry-limit | Number of times that an IKE peer can retransmit DPD packets. To configure the number of retransmission times, run the dpd command. |
| DPD retransmit-interval(s) | Interval at which an IKE peer retransmits DPD packets. To configure an interval, run the dpd command. |
| DPD idle-time(s) | DPD idle time of an IKE peer. To configure a DPD idle time, run the dpd command. |
| DPD message | Sequence of the payload in DPD packets. |
| DPD message learning | Whether automatic learning of the payload sequence of DPD packets is enabled: To configure the automatic learning function, run the dpd msg notify-hash-sequence learning command. |
| DPD packet receive if-related | Whether the function of checking whether the interface that receives DPD packets is the interface that establishes an IPSec SA is enabled: To configure this function, run the dpd packet receive if-related enable command. |
| Soft-expire buffer before hard-expire(s) | Soft timeout buffer time before hard timeout of the IPSec SA. To configure the soft timeout buffer time, run the sa soft-duration time-based buffer command. |
| RSA encryption-padding | Padding mode of RSA encryption. To specify the padding mode, run the rsa encryption-padding command. |
| RSA signature-padding | Padding mode of an RSA signature. To specify the padding mode, run the rsa signature-padding command. |
| ipsec sm4 version | Version of the SM4 algorithm. To configure the version of the SM4 algorithm, run the ipsec sm4 version command. |
| Certificate-access-policy | Name of the certificate access policy referenced by the IKE peer. To reference a certificate access policy for an IKE peer, run the certificate-access-policy command. |
| IKE negotiate compatible | IPSec proposal of the IKE peer accepted by the local end. To configure the local end to accept the IPSec proposal of its IKE peer, run the ike negotiate compatible command. |
| Resource acl | ACL information to be pushed by the headquarters device to the branch. To configure ACL information, run the resource acl command. |
| Certificate-check | Whether validity verification on certificates of an IKE peer is enabled: |
| validate-certificate whitelist | Whether the PKI certificate whitelist function is enabled: To enable the PKI certificate whitelist function, run the pki validate-certificate whitelist enable command. |
| whitelist-fuzzy-match | Whether fuzzy match of the PKI certificate whitelist is enabled: To enable fuzzy match of the PKI certificate whitelist, run the pki whitelist-fuzzy-match enable command. |
| Local ID Certificate Preference | Whether to enable the device to preferentially obtain the local ID from a field in a certificate when IKE uses certificate negotiation: To enable this function, run the local-id-preference certificate enable command. |
| IKEv2 Local ID Reflect | Whether the local ID of the responder is used as the remote ID carried in the IKE packets sent by the initiator during IKEv2 negotiation: To enable this function, run the local-id-reflect enable command. |
| IKEv1 phase1-phase2 sa dependent | Whether IPSec SA depends on IKE SA during IKEv1 negotiation: To configure dependency between IPSec SA and IKE SA, run the ikev1 phase1-phase2 sa dependent command. |
| IKEv2 fragmentation | Whether IKEv2 packet fragmentation is enabled: To configure IKEv2 packet fragmentation, run the ikev2 fragmentation command. |
| IKEv2 fragmentation MTU | MTU of an IKEv2 fragment. To configure the MTU, run the ikev2 fragmentation command. |
| IKEv2 authentication signature-hash | Certificate signature algorithm used by IKEv2. To configure this algorithm, run the ikev2 authentication sign-hash command. |
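
The detailed `display ike peer` output is a list of `field : value` lines, so it can be reviewed from a script. The following added example (not part of the original documentation) parses that layout and flags three settings for review. The sample text, the rule set, the reading of `v1v2` as "IKEv1 and IKEv2 both enabled", and the names `parse_peers` and `audit` are assumptions of this example.

```python
# Constructed sample in the layout of the detailed `display ike peer` output; all values are made up.
SAMPLE = """\
Number of IKE peers: 2
------------------------------------------
Peer name                           : branch1
IKE version                         : v1v2
Remote IP                           : 1.1.1.1
Remote IP                           : 2.2.2.2
Pre-shared-key                      : %^%#CONSTRUCTED:VALUE%^%#
Certificate-check                   : Disable
IKEv2 authentication signature-hash : SHA1
------------------------------------------
Peer name                           : branch2
IKE version                         : v2
Certificate-check                   : Enable
IKEv2 authentication signature-hash : SHA2-256
"""

# Review rules (this example's assumptions, not vendor guidance): field -> (predicate, finding).
RULES = {
    "IKE version": (lambda v: "v1" in v.lower(), "IKEv1 negotiation is allowed"),
    "Certificate-check": (lambda v: v.lower() == "disable", "peer certificate validity is not verified"),
    "IKEv2 authentication signature-hash": (lambda v: v.upper() == "SHA1", "IKEv2 signatures use SHA-1"),
}

def parse_peers(text):
    """Return one dict per peer: field name -> list of values (Remote IP can repeat)."""
    peers = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; values may contain ':'
        key, value = key.strip(), value.strip()
        if key == "Peer name":
            peers.append({})  # each peer block starts with its name
        if not sep or not peers:  # separator rows and the "Number of IKE peers" header
            continue
        if key == "Pre-shared-key":
            value = "<redacted>"  # keep key material out of audit reports
        peers[-1].setdefault(key, []).append(value)
    return peers

def audit(peers):
    """Return (peer name, field, value, finding) for each rule that matches."""
    return [(peer["Peer name"][0], field, value, text) for peer in peers
            for field, (is_weak, text) in RULES.items()
            for value in peer.get(field, []) if is_weak(value)]

if __name__ == "__main__":
    for finding in audit(parse_peers(SAMPLE)):
        print(*finding, sep=" | ")
```
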