
display ipsec global config

Function

The display ipsec global config command displays IPSec global configurations.

Format

display ipsec global config

Parameters

None

Views

All views

Default Level

1: Monitoring level

Usage Guidelines

To view IPSec global configurations, run the display ipsec global config command. The global configurations include the global SA lifetime and whether the anti-replay function is enabled.

Example

# Display IPSec global configurations.

<sysname> display ipsec global config
IPSec Global Config:                                                            
--------------------------------------------------------------                  
  IPSec sa global-duration time-based(seconds)        : 3600
  IPSec sa global-duration traffic-based(kbytes)      : 1843200
  IPSec sa global-soft-duration time-based(seconds)   : -
  IPSec sa global-soft-duration traffic-based(kbytes) : -
  IPSec anti-replay                                   : enable
  IPSec df-bit                                        : copy 
  IPSec fragmentation                                 : disable
  IPSec decrypt check                                 : enable
  IPSec nat-traversal source-port                     : 8000
  IPSec invalid-spi-recovery                          : disable
  IPSec netmask source                                : 24
  IPSec netmask destination                           : 24
  IPSec tunnel-index based remote-ip                  : disable
  IPSec sa hrp-consistency-check                      : disable
  IPSec pre-check                                     : enable
  IPSec policy-statistics                             : disable
  IPSec remote traffic-identical accept               : disable
--------------------------------------------------------------                  
Table 1 Description of the display ipsec global config command output

Item

Description

IPSec Global Config

IPSec global configurations.

IPSec sa global-duration time-based(seconds)

Time-based global SA hard lifetime, in seconds. To set the time-based global SA hard lifetime, run the ipsec sa global-duration time-based command.

IPSec sa global-duration traffic-based(kbytes)

Traffic-based global SA hard lifetime, in kilobytes. To set the traffic-based global SA hard lifetime, run the ipsec sa global-duration traffic-based command.

IPSec sa global-soft-duration time-based(seconds)

Global time-based soft timeout buffer for an IPSec SA, in seconds. To set the global time-based soft timeout buffer, run the ipsec sa global-soft-duration time-based command.

IPSec sa global-soft-duration traffic-based(kbytes)

Global traffic-based soft timeout buffer for an IPSec SA, in kilobytes. To set the global traffic-based soft timeout buffer, run the ipsec sa global-soft-duration traffic-based command.

IPSec anti-replay

Whether the anti-replay function is enabled. To configure the anti-replay function, run the ipsec anti-replay enable command.

IPSec df-bit

IPSec tunnel don't fragment (DF) bit:
  • clear: The DF bit is set to 0, allowing packets to be fragmented.
  • set: The DF bit is set to 1, prohibiting packets from being fragmented.
  • copy: The DF bit is that of original packets.
To set the DF bit, run the ipsec df-bit command.
NOTE:

This field is unavailable in the virtual system.

IPSec fragmentation

IPSec tunnel packet fragmentation mode:
  • enable: Fragmentation before IPSec encryption.
  • disable: Fragmentation after IPSec encryption.
To set the fragmentation mode, run the ipsec fragmentation before-encryption command.
NOTE:

This field is unavailable in the virtual system.

IPSec decrypt check

Whether post-IPSec check is enabled:
  • enable
  • disable

To configure this function, run the ipsec decrypt check command.

NOTE:

This field is unavailable in the virtual system.

IPSec nat-traversal source-port

Port number used for IPSec NAT traversal. To configure the port number used for IPSec NAT traversal, run the ipsec nat-traversal source-port command.

NOTE:

This field is unavailable in the virtual system.

IPSec invalid-spi-recovery

Whether the invalid SPI recovery function is enabled:

  • enable
  • disable

To configure the invalid SPI recovery function, run the ipsec invalid-spi-recovery enable command.

IPSec netmask source

Source address mask of data flows. To configure the source address mask of data flows, run the ipsec netmask command.

When the source address mask is not configured, the mask length is 0.

IPSec netmask destination

Destination address mask of data flows. To configure the destination address mask of data flows, run the ipsec netmask command.

When the destination address mask is not configured, the mask length is 0.

IPSec tunnel-index based remote-ip
Whether the device keeps IPSec tunnel indexes unchanged based on the peer IP address during IPSec tunnel re-establishment:
  • enable: The device keeps IPSec tunnel indexes unchanged based on the peer IP address during IPSec tunnel re-establishment.
  • disable: The device does not keep IPSec tunnel indexes unchanged based on the peer IP address during IPSec tunnel re-establishment.
To configure the device to keep IPSec tunnel indexes unchanged based on the peer IP address during IPSec tunnel re-establishment, run the ipsec tunnel-index based remote-ip command.
NOTE:

This field is unavailable in the virtual system.

IPSec sa hrp-consistency-check
Whether consistency check and backup of IPSec SA in hot standby are enabled:
  • enable
  • disable

To configure this function, run the ipsec sa hrp-consistency-check enable command.

NOTE:

This field is unavailable in the virtual system.

IPSec pre-check
Whether pre-IPSec check is enabled:
  • enable
  • disable

To configure this function, run the ipsec pre-check enable command.

NOTE:

This field is unavailable in the virtual system.

IPSec policy-statistics
Whether traffic statistics collection based on an IPSec policy is enabled:
  • enable
  • disable

To configure this function, run the ipsec policy-statistics enable command.

NOTE:

This field is unavailable in the virtual system.

IPSec remote traffic-identical accept
Whether the branch or the access user is enabled to quickly access the headquarters network:
  • enable
  • disable

To configure this function, run the ipsec remote traffic-identical accept command.
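
An added example, not part of the original page: Python that parses the output format shown above and checks the anti-replay, decrypt check, pre-check and time-based SA lifetime fields against a baseline. BASELINE and MAX_SA_SECONDS are hypothetical values chosen for this example, and it assumes that fields marked unavailable in the virtual system are simply absent from the output there.

```python
import re

# Constructed sample in the page's output format, with anti-replay set to disable.
SAMPLE = """\
IPSec Global Config:
--------------------------------------------------------------
  IPSec sa global-duration time-based(seconds)        : 3600
  IPSec sa global-soft-duration time-based(seconds)   : -
  IPSec anti-replay                                   : disable
  IPSec decrypt check                                 : enable
  IPSec pre-check                                     : enable
--------------------------------------------------------------
"""

# Hypothetical site baseline: an assumption for this example, not vendor guidance.
BASELINE = {"anti-replay": "enable", "decrypt check": "enable", "pre-check": "enable"}
VSYS_UNAVAILABLE = {"decrypt check", "pre-check"}  # marked unavailable in the virtual system
LIFETIME_KEY = "sa global-duration time-based(seconds)"
MAX_SA_SECONDS = 3600  # assumed ceiling for the time-based hard lifetime
LINE_RE = re.compile(r"^\s*IPSec\s+(?P<key>.+?)\s*:\s*(?P<value>\S*)\s*$")

def parse_global_config(text):
    """Map each field (without the 'IPSec ' prefix) to its value; '-' becomes None."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("key") != "Global Config":
            value = m.group("value")
            fields[m.group("key")] = None if value in ("", "-") else value
    return fields

def audit(fields, virtual_system=False):
    """Return findings for fields that deviate from BASELINE or MAX_SA_SECONDS."""
    findings = []
    for key, expected in BASELINE.items():
        if virtual_system and key in VSYS_UNAVAILABLE:
            continue  # not reported in a virtual system, so not auditable there
        if fields.get(key) != expected:
            findings.append(f"{key}: expected {expected}, got {fields.get(key)}")
    lifetime = fields.get(LIFETIME_KEY)
    if lifetime is None or not lifetime.isdigit():
        findings.append(f"{LIFETIME_KEY}: missing or not numeric")
    elif int(lifetime) > MAX_SA_SECONDS:
        findings.append(f"{LIFETIME_KEY}: {lifetime} exceeds {MAX_SA_SECONDS}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_global_config(SAMPLE)):
        print(finding)
```
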

Copyright © Huawei Technologies Co., Ltd.